This how to is a summary of the How to you can find on the official site of OpenVPN.

You can follow this step by step and should success to create your VPN

Preliminaries

These are the assumptions

  1. We have two computers each with two NICs One connected to the Internet the other to an internal network
  2. I have installed Debian on both of them.

Both PCs have only the base system installed, but you can install the graphical interface if you want to.

Install the necessary software

I am going to configure openVPN as routing and not as Bridge.

Enter these commands on both the server and the client.

apt-get install openvpn openssl rdate

Now on the server side issue these commands

cd /usr/share/doc/openvpn/examples/easy-rsa/ cp * /etc/openvpn -R cd /etc/openvpn . ./vars ./clean-all ./build-ca

The output you will see will be something like this

Generating a 1024 bit RSA private key
.++++++
..........................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:bo
State or Province Name (full name) [NA]:bo
Locality Name (eg, city) [BISHKEK]:santacruz
Organization Name (eg, company) [OpenVPN-TEST]:go2linux.org
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [me@myhost.mydomain]:webmaster@go2linux.org

Now create the certificates for the server

./build-key-server server

And the output will look like this

Generating a 1024 bit RSA private key
.++++++
................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:bo
State or Province Name (full name) [NA]:bo
Locality Name (eg, city) [BISHKEK]:santacruz
Organization Name (eg, company) [OpenVPN-TEST]:go2linux.org
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server
Email Address [me@myhost.mydomain]:webmaster@go2linux.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:challenge   
An optional company name []:go2linux.org
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'bo'
stateOrProvinceName   :PRINTABLE:'bo'
localityName          :PRINTABLE:'santacruz'
organizationName      :PRINTABLE:'go2linux.org'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'webmaster@go2linux.org'
Certificate is to be certified until Jul 11 14:14:14 2017 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now create the certificate for the client site <p class="codigo"> ./build-key home</p>

you can call it anything, I called it home

The output will be,

Generating a 1024 bit RSA private key
...............++++++
.........++++++
writing new private key to 'home.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:bo
State or Province Name (full name) [NA]:bo
Locality Name (eg, city) [BISHKEK]:santacruz
Organization Name (eg, company) [OpenVPN-TEST]:go2linux.org
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:home
Email Address [me@myhost.mydomain]:webmaster@go2linux.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:challenge
An optional company name []:go2linux.org
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'bo'
stateOrProvinceName   :PRINTABLE:'bo'
localityName          :PRINTABLE:'santacruz'
organizationName      :PRINTABLE:'go2linux.org'
commonName            :PRINTABLE:'home'
emailAddress          :IA5STRING:'webmaster@go2linux.org'
Certificate is to be certified until Jul 11 14:22:34 2017 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

you can create as many keys as you need from this point for as many clients as you want, once you have finished issue this command. <p class="codigo"> ./build-dh </p> The more keys you are generating the longer the output will be, and will look like this.

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........................+......................................++*++*++*

Configure the server side <p class="codigo"> cd /usr/share/doc/openvpn/examples/sample-config-files/ cp server.conf.gz /etc/openvpn/ cd /etc/openvpn/ gunzip server.conf.gz vim server.conf </p> Look for these lines

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem

and change to these ones

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem

uncomment the client-to-client directive to enable clients to be able to connect to each others through the VPN, and not only to the server.

To improve security uncomment these two lines

user nobody group nogroup

Configure the client

First you need to copy the certificates from the server to the client, be sure to make this in a secure way, either using scp or a USB Key in order to keep your files secure.

the needed files are:

ca.crt home.crt home.key (should be kept secret)

and they are in the server’s directory /etc/openvpn/keys/

now you have copied all these files to the client open a console on the client and <p class="codigo"> cd /usr/share/doc/openvpn/examples/sample-config-files/ cp client.conf /etc/openvpn/ cd /etc/openvpn/ vi client.conf </p>

Look for this lines and uncomment them to increase security

user nobody
group nogroup

Look for these lines

ca ca.crt
cert client.crt
key client.key
remote my-server-1 1194

and change them for these ones.

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/home.crt
key /etc/openvpn/keys/home.key
remote [the.ip.of.server] 1194

that is all, unless you have made some other changes on the server side, as for example change from UDP to TCP to the default port, so you will have to change that also on the client side.

Start the server

openvpn /etc/openvpn/server.conf

if everything goes ok, you should see something like this,

Sat Jul 14 11:12:11 2007 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Jan 21 2007
Sat Jul 14 11:12:11 2007 Diffie-Hellman initialized with 1024 bit key
Sat Jul 14 11:12:11 2007 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jul 14 11:12:11 2007 TUN/TAP device tun0 opened
Sat Jul 14 11:12:11 2007 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sat Jul 14 11:12:11 2007 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sat Jul 14 11:12:11 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jul 14 11:12:11 2007 GID set to nogroup
Sat Jul 14 11:12:11 2007 UID set to nobody
Sat Jul 14 11:12:11 2007 UDPv4 link local (bound): [undef]:1194
Sat Jul 14 11:12:11 2007 UDPv4 link remote: [undef]
Sat Jul 14 11:12:11 2007 MULTI: multi_init called, r=256 v=256
Sat Jul 14 11:12:11 2007 IFCONFIG POOL: base=10.8.0.4 size=62
Sat Jul 14 11:12:11 2007 IFCONFIG POOL LIST
Sat Jul 14 11:12:11 2007 Initialization Sequence Completed

Start the client

openvpn /etc/openvpn/client.conf

the output should look like this

Sat Jul 14 15:40:36 2007 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Jan 21 2007
Sat Jul 14 15:40:36 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jul 14 15:40:36 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Jul 14 15:40:36 2007 LZO compression initialized
Sat Jul 14 15:40:36 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jul 14 15:40:36 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jul 14 15:40:36 2007 Local Options hash (VER=V4): '41690919'
Sat Jul 14 15:40:36 2007 Expected Remote Options hash (VER=V4): '530fdded'
Sat Jul 14 15:40:36 2007 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Jul 14 15:40:36 2007 UDPv4 link local: [undef]
Sat Jul 14 15:40:36 2007 UDPv4 link remote: 200.87.61.90:1194
Sat Jul 14 15:40:36 2007 TLS: Initial packet from 200.87.61.90:1194, sid=408d696e 88814e22
Sat Jul 14 15:40:37 2007 VERIFY OK: depth=1, /C=bo/ST=bo/L=santacruz/O=go2linux.org/CN=OpenVPN-CA/emailAddress=gerencia@alketech.com
Sat Jul 14 15:40:37 2007 VERIFY OK: depth=0, /C=bo/ST=bo/O=go2linux.org/CN=server/emailAddress=gerencia@alketech.com
Sat Jul 14 15:40:38 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jul 14 15:40:38 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 14 15:40:38 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jul 14 15:40:38 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 14 15:40:38 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Jul 14 15:40:38 2007 [server] Peer Connection Initiated with 200.87.61.90:1194
Sat Jul 14 15:40:39 2007 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jul 14 15:40:39 2007 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Jul 14 15:40:39 2007 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 14 15:40:39 2007 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 14 15:40:39 2007 OPTIONS IMPORT: route options modified
Sat Jul 14 15:40:39 2007 TUN/TAP device tun0 opened
Sat Jul 14 15:40:39 2007 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Sat Jul 14 15:40:39 2007 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5
Sat Jul 14 15:40:39 2007 GID set to nogroup
Sat Jul 14 15:40:39 2007 UID set to nobody
Sat Jul 14 15:40:39 2007 Initialization Sequence Completed

If you arrived to this point you have your VPN stablished, I will later update this How-To to show you how to use this vpn to access files as if you were in your office.

If you have one of these problems

TLS Error: Unroutable control packet received

Connection refused (code=111)

try this openvpn solution