To install VPN monitoring tools, read: https://kifarunix.com/how-to-monitor-openvpn-connections-using-openvpn-monitor-tool/
If you only need a simple OpenVPN configuration, step 1 below (Install OpenVPN on a NAT IPv4 VPS, i.e. the "Install without Docker" section) is enough.
Contents
Installation
There are two ways to install: without Docker, or with Docker.
Install without Docker
1) Make sure that TUN/TAP is enabled on your VPS (OpenVPN cannot create its tun device otherwise). On a NAT VPS, enable TUN/TAP via the SolusVM control panel if present.
2) SSH into your server and run the following commands
yum -y update ca-certificates    # CentOS
sudo update-ca-certificates      # Ubuntu
wget https://git.io/vpn -O openvpn-install.sh; bash openvpn-install.sh
Update the CA certificates first precisely so that the download can be verified; do not add --no-check-certificate, because the script is then run as root and an unverified download is exactly what an on-path attacker would replace. Read openvpn-install.sh before running it. GitHub has deprecated git.io short links; if the link no longer resolves, fetch the script from its upstream repository.
To copy the client config out of root's home directory (it contains the client's private key, so keep it readable only by you)
sudo cp /root/client.ovpn ~/client.ovpn && sudo chown "$USER": ~/client.ovpn && chmod 600 ~/client.ovpn
3) Get the OpenVPN client software. For Windows, download the client from openvpn.net/index.php/download.html
4) Copy ~/client.ovpn into your OpenVPN client's config folder
5) Connect to your OpenVPN server with its public (shared) IP and your assigned port
Below is how to configure forwarding and iptables on the server so that a connected client can reach the internet through the server.
Setup Forwarding
Edit /etc/sysctl.conf and uncomment the following line
net.ipv4.ip_forward=1
To activate it, run sysctl -p
Creating iptables rules
The following iptables rules are used. They are scoped to the tunnel: for OpenVPN the interface is tun0 (ppp0 would be a PPTP/L2TP link) and the client subnet is the one given by the server directive in server.conf, 10.8.0.0/24 by default; change eth0 to the VPS's public interface.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT -s 10.8.0.0/24 -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
The INPUT rule lets VPN clients reach services on the server itself; drop it if they should only transit. A bare "iptables -t nat -A POSTROUTING -j MASQUERADE" also works, but it NATs every forwarded packet regardless of its source.
Install with Docker
Install Docker
Make sure Docker is installed on your server. If it is not, install it with the commands below (the script runs as root, so read get-docker.sh before executing it).
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
After installing Docker, add your user to the docker group to run Docker commands without sudo or logging in as root. Bear in mind that membership of the docker group is root-equivalent on the host (a member can mount / into a container), so only add accounts you would give root to.
sudo usermod -aG docker <username>
You will most likely need to sign out and in again (or restart your SSH session) to be able to run Docker commands.
Install OpenVPN for Docker
Using Docker config
We are using the kylemanna/openvpn Docker image.
The general Quick Start document can be read there, but because we will use this OpenVPN to connect Mikrotik devices, we need to prepare the installation a bit differently.
-
Create Docker host volume mounts rather than data volumes
docker volume create --name ovpn-data-example --opt type=none --opt device=/home/$USER/path/to/ovpn-data-example --opt o=bind
The path /home/$USER/path/to/ovpn-data-example needs to be created manually first.
-
Refer to the Quick Start document, and substitute
-v $OVPN_DATA:/etc/openvpn
with
-v /path/on/host/ovpn-data-example:/etc/openvpn
Quick example that is likely to be out of date, but here's how to get started. First set OVPN_HOST and OVPN_PORT to the public address and port clients will connect to; for the Mikrotik setup use tcp:// instead of udp://. ovpn_initpki asks for a CA passphrase, which you need again every time you sign or revoke a client certificate, so store it safely.
mkdir /path/on/host/ovpn-data-example
cd /path/on/host/ovpn-data-example
docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://$OVPN_HOST:$OVPN_PORT
docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki
-
Edit the OpenVPN config file so that a Mikrotik can connect to this VPN server
nano openvpn.conf
Edit it to match the OPENVPN SERVER CONFIGURATION in the Mikrotik section of this article.
-
Start the server with
docker run -v $PWD:/etc/openvpn -d -p $OVPN_PORT:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
(publish $OVPN_PORT:1194/tcp instead when the config says proto tcp, as the Mikrotik setup requires; the container always listens on 1194 internally)
-
Generate a new client with
docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
For clients other than Mikrotik: because the server config is set up for the Mikrotik client, tls-auth is disabled on the server, so make sure any tls-auth (or tls-crypt) block and key-direction line in the generated CLIENTNAME.ovpn is removed; a client that still sends the HMAC wrapper to a server without it cannot complete the handshake.
-
To make Docker start the container on system boot and restart it if it exits, refer to the Systemd Init Scripts section of the kylemanna/openvpn documentation, or use docker-compose (next section).
Using docker-compose
-
Install docker-compose (this is the standalone v1 binary; newer Docker ships Compose v2 as the "docker compose" plugin, which reads the same file)
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-
Apply executable permissions to the binary
sudo chmod +x /usr/local/bin/docker-compose
-
Test the installation
docker-compose --version
-
Add a new service in docker-compose.yml
version: '2'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn
    ports:
      - "11600:1194/udp"
    restart: always
    volumes:
      - ./openvpn-data/conf:/etc/openvpn
The port mapping must match the protocol in the generated config: for the Mikrotik setup (proto tcp) publish "11600:1194/tcp" instead. I put docker-compose.yml inside /var/docker-compose/
-
Initialize the configuration files and certificates. Put the published port in the URL so the generated client profiles connect to 11600 rather than 1194 (the container itself always listens on 1194); use tcp:// for the Mikrotik setup.
docker-compose run --rm openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:11600
docker-compose run --rm openvpn ovpn_initpki
-
Fix ownership (depending on how to handle your backups, this may not be needed)
sudo chown -R $(whoami): ./openvpn-data
-
Start OpenVPN server process
docker-compose up -d openvpn
-
You can access the container logs with
docker-compose logs -f
-
Generate a client certificate
export CLIENTNAME="your_client_name"
# with a passphrase (recommended)
docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME
# without a passphrase (not recommended)
docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME nopass
-
Retrieve the client configuration with embedded certificates
docker-compose run --rm openvpn ovpn_getclient $CLIENTNAME > $CLIENTNAME.ovpn
-
Revoke a client certificate
# Keep the corresponding crt, key and req files.
docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME
# Remove the corresponding crt, key and req files.
docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME remove
Debugging Tips
- Set an environment variable named DEBUG with the value 1 to enable debug output (using "docker run -e", or -e on docker-compose run):
docker-compose run -e DEBUG=1 -p 1194:1194/udp openvpn
IF YOU JUST NEED A SIMPLE OPENVPN SERVER AND CLIENT, STOP HERE.
Below is how to configure the OpenVPN server to support a Mikrotik (RouterOS) client.
MIKROTIK CLIENT + OPENVPN CONFIGURATION
-
OPENVPN SERVER CONFIGURATION
Change the server.conf file (openvpn.conf for the Docker image) to contain the configuration below
proto tcp            # must be tcp; the RouterOS 6 OVPN client does not support UDP
#tls-auth            # not supported by RouterOS, comment it out
#tls-crypt           # not supported
cipher AES-128-CBC
auth SHA1            # RouterOS 6 supports md5 or sha1 only
#comp-lzo no         # compression is not supported
These limits are those of the RouterOS 6 client. RouterOS 7 added UDP and AES-GCM ciphers to its OVPN client, so on v7 you can use proto udp and a GCM cipher; tls-auth/tls-crypt still have to stay off. On OpenVPN 2.5 or newer, also add data-ciphers-fallback AES-128-CBC: the RouterOS client does not negotiate ciphers (NCP), and that directive is what the server applies to such clients. With Docker, the published port must then be 1194/tcp, not 1194/udp.
Restart OpenVPN
/etc/init.d/openvpn restart
Update 2022
- If you're running systemd, changing files like /etc/default/openvpn and /etc/init.d/openvpn is not enough; manage the unit with systemctl, which also controls whether it starts at boot:
sudo systemctl [enable/disable/start/status/stop] openvpn-server@server.service
-
MIKROTIK OPENVPN CLIENT CONFIGURATION
[PPP profile]
name = ovpn-profile
use MPLS = default
use compression = no
use encryption = yes
change TCP MSS = default
use UPnP = default
[OVPN client interface]
connect to = [server public IP]
port = [server port]
mode = ip                  # must be ip
user = [common name of the client certificate]
profile = ovpn-profile     (the PPP profile above)
certificate = [your imported client certificate]
TLS version = any          (for some reason, values other than "any" fail to connect)
auth = [match your server configuration]
cipher = [match your server configuration]
Note: don't forget to import your client certificate on the Mikrotik (client.crt and client.key, giving the same passphrase when importing).
Update 2022
- RouterOS 7 and later does not need the PPP profile to be set.
- RouterOS before 7: TLS/cipher set to "always" (I forgot the exact setting; to be added)
-
CLIENT OTHER THAN MIKROTIK
For clients other than Mikrotik, the tls-auth (or tls-crypt) block and the key-direction line must be removed from client.ovpn, because the server has those directives disabled for Mikrotik compatibility; a profile that keeps them fails the TLS handshake against this server.
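The server settings above and the client-side cleanup are easy to get wrong by hand, so here is an added example (not code from this page or from the kylemanna/openvpn project) that lints a server.conf against the RouterOS 6 constraints listed above and strips the tls-auth/tls-crypt material from a client .ovpn. The two sample configs inside are constructed; the list of CBC ciphers beyond AES-128-CBC is an assumption taken from RouterOS 6 documentation.

```python
"""Lint an OpenVPN server config for RouterOS-client compatibility and strip
tls-auth/tls-crypt from a client profile.

Added example for this section; not code from the page or the
kylemanna/openvpn project.  The sample configs are constructed.  The rules
encode what the page states for the RouterOS 6 OVPN client (TCP only, no
tls-auth/tls-crypt, no compression, CBC cipher, MD5/SHA1 auth); the CBC
cipher list beyond AES-128-CBC is an assumption from RouterOS 6 docs.
"""
import re

ROS6_CIPHERS = {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC", "BF-CBC"}
ROS6_AUTH = {"MD5", "SHA1"}
TLS_WRAP = ("tls-auth", "tls-crypt", "tls-crypt-v2")
_INLINE = re.compile(r"<([a-z0-9-]+)>")


def parse_directives(text):
    """Yield (directive, args) per active line; comments are skipped and an
    inline <tag>...</tag> key block is reported once as (tag, ['<inline>'])."""
    inside = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if inside:
            if line == f"</{inside}>":
                yield inside, ["<inline>"]
                inside = None
            continue
        m = _INLINE.fullmatch(line)
        if m:
            inside = m.group(1)
        elif line:
            parts = line.split()
            yield parts[0], parts[1:]


def check_server_conf(text):
    """Return a list of human-readable findings; empty means RouterOS-compatible."""
    seen = {d: a for d, a in parse_directives(text)}
    findings = []
    proto = seen.get("proto", ["udp"])[0]          # OpenVPN's default is udp
    if not proto.startswith("tcp"):
        findings.append(f"proto {proto}: the RouterOS 6 client only speaks TCP")
    for d in TLS_WRAP:
        if d in seen:
            findings.append(f"{d}: not supported by the RouterOS client, comment it out")
    if "comp-lzo" in seen or "compress" in seen:
        findings.append("compression is enabled: RouterOS does not support it")
    cipher = seen.get("cipher", ["BF-CBC"])[0].upper()   # BF-CBC is the legacy default
    if cipher not in ROS6_CIPHERS:
        findings.append(f"cipher {cipher}: use a CBC cipher such as AES-128-CBC")
    auth = seen.get("auth", ["SHA1"])[0].upper()
    if auth not in ROS6_AUTH:
        findings.append(f"auth {auth}: RouterOS 6 supports only MD5 or SHA1")
    return findings


def strip_tls_wrap(ovpn_text):
    """Drop tls-auth/tls-crypt directives, key-direction and their inline key
    blocks from a client .ovpn, so it matches a server with them disabled."""
    out, inside = [], None
    for raw in ovpn_text.splitlines():
        s = raw.strip()
        if inside:
            if s == f"</{inside}>":
                inside = None
            continue
        m = _INLINE.fullmatch(s)
        if m and m.group(1) in TLS_WRAP:
            inside = m.group(1)
            continue
        first = s.split()[0] if s else ""
        if first in TLS_WRAP or first == "key-direction":
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed samples: a default-style server config and a client profile with
# an embedded tls-auth key (the key and certificate bytes are dummies).
SAMPLE_SERVER = """\
port 1194
proto udp
dev tun
cipher AES-256-GCM
auth SHA256
tls-auth /etc/openvpn/pki/ta.key 0
comp-lzo
"""

SAMPLE_CLIENT = """\
client
remote vpn.example.com 11600 tcp
key-direction 1
<ca>
MIIB...dummy...
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

if __name__ == "__main__":
    for f in check_server_conf(SAMPLE_SERVER):
        print("server.conf:", f)
    print(strip_tls_wrap(SAMPLE_CLIENT))
```

Run it against the real files with `check_server_conf(open("/etc/openvpn/server/server.conf").read())` and feed the output of ovpn_getclient through `strip_tls_wrap` before handing the profile to a non-Mikrotik client. The sample server config above trips all five checks; the corrected fragment from the section above produces none.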
How to give an OpenVPN client a static IP
- Create the ccd folder
sudo mkdir /etc/openvpn/ccd
- Change the OpenVPN server configuration
sudo nano /etc/openvpn/server/server.conf
Uncomment (or add) the client-config-dir line, with the full path
client-config-dir /etc/openvpn/ccd
- Create a configuration file for each client in the ccd directory. The file name must be exactly the CN of the client certificate (the name given to easyrsa build-client-full); OpenVPN looks the file up by CN when the client connects.
sudo touch /etc/openvpn/ccd/[client-common-name]
sudo nano /etc/openvpn/ccd/[client-common-name]
with the content
ifconfig-push [IP] [MASK]
for example
ifconfig-push 10.8.0.2 255.255.255.0
This form assumes topology subnet in server.conf (the second argument is then the netmask); with the old net30 topology the second argument is the peer address instead. The IP must lie inside the server's VPN subnet and must not be the server's own tunnel address (10.8.0.1 for a 10.8.0.0/24 server) or an address already given to another client.
- Restart the OpenVPN service
sudo /etc/init.d/openvpn restart
(on systemd: sudo systemctl restart openvpn-server@server.service)
Port forwarding / tunnelling a host server port to a client port
For the docker-compose configuration, follow the "Docker route to Host with static ip" section below.
Using iptables
Enable forwarding
Make sure that sysctl is forwarding traffic at runtime; check with
sysctl net.ipv4.ip_forward
It must print net.ipv4.ip_forward = 1. If not, edit /etc/sysctl.conf, add/uncomment
net.ipv4.ip_forward=1
and load it with sysctl -p.
Configure iptables. Below is an example; change the IP and port to the desired configuration. Here TCP port 11600 on the server is forwarded to port 80 on the VPN client 10.8.0.5 (the client needs a static tunnel IP, see the ccd section above). If your FORWARD chain policy is DROP, a matching FORWARD ACCEPT rule is needed as well.
iptables -t nat -A PREROUTING -p tcp --dport 11600 -j DNAT --to-destination 10.8.0.5:80
To delete an iptables rule, change -A to -D.
If you have not added a masquerade rule before, run this too. It rewrites the source address of the forwarded packets to the server's tunnel address, so the client's reply comes back through the tunnel even when the client does not use the VPN as its default gateway (without it the client answers the public source address via its own uplink and the connection never completes). Adding -o tun0 to the rule limits it to traffic entering the tunnel, which is all the port forward needs.
iptables -t nat -A POSTROUTING -j MASQUERADE
Save the rules with iptables-persistent so they are not reset after a reboot
sudo netfilter-persistent save
sudo netfilter-persistent reload
If iptables-persistent is not installed, install it first
sudo apt install iptables-persistent
After deleting rules (-A changed to -D), run netfilter-persistent save again.
To check iptables or print the NAT rules, type
iptables -L -n -t nat
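The Setup Forwarding rules at the top of the page and the port forward here are usually maintained together, so the following added example (not a script from the original page) generates both sets as one script: the client-internet NAT is limited to the VPN subnet and public interface, the port forward gets its DNAT, FORWARD and tunnel-side MASQUERADE rules, and every rule is checked with -C before being appended with -A so re-running it does not pile up duplicates. Assumed names, changeable in the environment: WAN_IF=eth0 (public interface), TUN_IF=tun0, VPN_NET=10.8.0.0/24 (the subnet from the server directive); the defaults tcp 11600 10.8.0.5 80 are the page's example.

```sh
#!/bin/sh
# Added example for the "Setup Forwarding" and "port forwarding" sections;
# not a script from the original page.  Prints or applies iptables rules scoped
# to the tunnel interface and VPN subnet instead of a bare
# "POSTROUTING -j MASQUERADE", and is safe to re-run (-C check before -A).
# Assumptions (override in the environment): WAN_IF=eth0 is the VPS's public
# interface, TUN_IF=tun0 the OpenVPN interface, VPN_NET=10.8.0.0/24 the subnet
# from the server's "server" directive.  net.ipv4.ip_forward=1 is still needed.
# Usage: sh ovpn-fwd.sh print|apply [PROTO WAN_PORT CLIENT_IP CLIENT_PORT]
#        (defaults: tcp 11600 10.8.0.5 80, the page's example; apply needs root)

WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# VPN clients reach the internet through the server: NAT only their subnet on
# the way out, allow tun->wan, and allow only replies back in.
ovpn_nat_rules() {
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE" \
      "iptables -A FORWARD -i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT" \
      "iptables -A FORWARD -i $WAN_IF -o $TUN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# WAN port -> service on a VPN client.  The tunnel-side MASQUERADE rewrites the
# source to the server's tunnel address, so the client answers back through the
# tunnel even when the VPN is not its default gateway.
# usage: ovpn_port_forward_rules PROTO WAN_PORT CLIENT_IP CLIENT_PORT
ovpn_port_forward_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $WAN_IF -p $1 --dport $2 -j DNAT --to-destination $3:$4" \
      "iptables -A FORWARD -i $WAN_IF -o $TUN_IF -p $1 -d $3 --dport $4 -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -o $TUN_IF -p $1 -d $3 --dport $4 -j MASQUERADE"
}

# Guard against DNAT-ing traffic to an address outside the tunnel (/24 only).
in_vpn_net() {
    case "$1" in
        "${VPN_NET%.*/*}".*) return 0 ;;
        *) return 1 ;;
    esac
}

# "-A" -> "-C": the check form exits 0 when an identical rule already exists.
to_check() {
    printf '%s\n' "$1" | sed 's/ -A / -C /'
}

apply_rules() {
    while IFS= read -r rule; do
        # word splitting of the rule strings is intended here
        $(to_check "$rule") 2>/dev/null || $rule || { echo "failed: $rule" >&2; return 1; }
    done
}

case "${1:-}" in
    print|apply)
        proto="${2:-tcp}"; wan_port="${3:-11600}"; client_ip="${4:-10.8.0.5}"; client_port="${5:-80}"
        in_vpn_net "$client_ip" || { echo "$client_ip is not inside $VPN_NET" >&2; exit 1; }
        rules="$(ovpn_nat_rules; ovpn_port_forward_rules "$proto" "$wan_port" "$client_ip" "$client_port")"
        if [ "$1" = apply ]; then
            printf '%s\n' "$rules" | apply_rules
        else
            printf '%s\n' "$rules"
        fi
        ;;
esac
```

Run `sh ovpn-fwd.sh print` first and compare with `iptables -L -n -t nat`, then `sudo sh ovpn-fwd.sh apply` and `sudo netfilter-persistent save`. The two rule sets belong together: the FORWARD rule for the port forward only admits the inbound direction, and the replies from the client ride on the tun-to-wan ACCEPT from ovpn_nat_rules.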
Using Apache Reverse Proxy
With a VirtualHost, combine this with the LAMP VirtualHost article and leave the ServerName option intact, proxying to the VPN client's tunnel address.
example:
<VirtualHost *:80>
ServerName example.com
...
Mikrotik nat forwarding
If you want to forward traffic arriving over the VPN at the Mikrotik on to another host behind it, make a firewall NAT redirection as usual. RouterOS requires protocol= whenever dst-port= is used.
example:
/ip firewall nat add chain=dstnat protocol=tcp dst-address=[ovpn-client-ip] dst-port=[desired incoming port] action=dst-nat to-addresses=[host-destination-ip] to-ports=[destination-ports]
OpenVPN Command List
-
Show connected clients
sudo killall -USR2 openvpn; sudo tail -f /var/log/syslog
(SIGUSR2 makes OpenVPN write its connection statistics to the log; the status file named by the status directive in server.conf lists the connected clients as well)
-
Show the last N logins (Ubuntu); replace N with the number of entries you want
last -n N
-
Show log errors
tail -f /var/log/syslog
-
Start/stop the OpenVPN server (installed using openvpn-install.sh)
sudo systemctl start openvpn-server@server.service
sudo systemctl stop openvpn-server@server.service
-
Show used ports
sudo netstat -tuln | grep PORT_NUMBER
(or ss -tuln on systems without net-tools)
-
Track errors
sudo journalctl -xeu openvpn-server@server.service
Start the OpenVPN client on boot
- Move the .ovpn file to /etc/openvpn
- Rename it with a .conf extension, e.g. client.conf (the init script and the openvpn@ systemd unit only load /etc/openvpn/*.conf; a file ending in .ovpn is ignored)
- sudo nano /etc/default/openvpn
Uncomment AUTOSTART="all" (or set AUTOSTART="client" to start only that profile)
- sudo service openvpn start
(on systemd, sudo systemctl enable --now openvpn@client does the same for that single profile)
Tips and Tricks
How to make the client ignore the redirect-gateway and block-outside-dns options pushed by the server
Add the lines below to the client config file; the client then keeps its own default route and DNS instead of sending all traffic through the VPN
pull-filter ignore redirect-gateway
pull-filter ignore "block-outside-dns"
Docker route to Host with static ip
Using docker-compose
TL;DR:
- make a `networks` section in the yml config
- add a `networks` entry to the service that uses the previously configured network
- make a script that holds the iptables commands
- copy that file into the container (here: into the persistent volume)
- run the script inside the container before ovpn_run
The code below in `docker-compose.yml` is an example configuration that lets the container communicate with the host. Note that for the multi-line command in the `command` section, one more empty line has to be added after it. In this example I copied the script file manually into the persistent volume.
services:
  openvpn:
    ...
    image: kylemanna/openvpn
    container_name: openvpn
    ...
    command:
      - /bin/bash
      - -c
      - |
        sh /etc/openvpn/iptables.sh
        ovpn_run
    networks:
      - hostnet
networks:
  hostnet:
    name: hostnet
    ipam:
      driver: default
      config:
        - subnet: "172.168.3.0/24"
          gateway: "172.168.3.1"
The gateway address (172.168.3.1) is the host's address on this bridge network, which is what the script below forwards to. Note that 172.168.0.0/16 is not RFC 1918 private space (the private block is 172.16.0.0/12); pick a subnet inside 172.16.0.0/12 or 10.0.0.0/8 unless you deliberately want to shadow those public addresses.
file `iptables.sh`
#!/bin/bash
# Runs inside the container before ovpn_run (see docker-compose.yml above).
# Masquerade everything to eth0: every VPN client could then reach every host port.
# NOT RECOMMENDED
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# PORT FORWARD TO CERTAIN PORTS ONLY (needs the masquerade rules below)
# 172.168.3.1 is the host's address on the hostnet bridge (the ipam gateway)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.168.3.1:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 172.168.3.1:443
iptables -t nat -A PREROUTING -p udp --dport 1812 -j DNAT --to-destination 172.168.3.1:1812
iptables -t nat -A PREROUTING -p udp --dport 1813 -j DNAT --to-destination 172.168.3.1:1813
# MASQUERADE THE FORWARDED PORTS so the host replies to the container, not to a VPN client address it has no route for
iptables -t nat -A POSTROUTING -p tcp -d 172.168.3.1 --dport 80 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp -d 172.168.3.1 --dport 443 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp -d 172.168.3.1 --dport 1812 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp -d 172.168.3.1 --dport 1813 -j MASQUERADE
#echo "iptables executed " > /root/iptables_echo
Using docker config
add this option on docker run
--add-host=host.docker.internal:host-gateway
How to access a subnet behind an OpenVPN client (RouterOS) from the OpenVPN server (Ubuntu)
If you want to reach a subnet which is behind an OpenVPN client, you need two things (this applies only to routing-based (tun device) VPNs, which is what the Mikrotik's mode = ip gives you):
-
set the route on the server,
-
either by adding it by hand with `ip route` via the client's tunnel address, e.g.
sudo ip route add 192.168.200.0/24 via 10.8.4.5 dev tun0
-
or, better, by adding the line below to the OpenVPN server.conf with the desired subnet, so OpenVPN installs the kernel route itself every time it starts, e.g.
route 192.168.200.0 255.255.255.0
If other VPN clients should reach that subnet too, additionally push it to them:
push "route 192.168.200.0 255.255.255.0"
(a push alone only tells the other clients; it does not give the server itself a route)
-
- activate client-specific configuration (client-config-dir, see the static IP section above)
- inside the configuration file of the correct client, use the iroute directive to tell OpenVPN that the subnet is reached through that client's tunnel (the kernel route only brings packets to tun0; iroute tells OpenVPN which client they belong to)
- example ccd file for the VPN client (e.g. ccd/clientMikrotikA):
ifconfig-push 10.8.0.11 255.255.255.0
iroute 192.168.200.0 255.255.255.0
After that, you need to enable IP forwarding on the client and adapt its firewall (on RouterOS, allow traffic between the ovpn interface and the LAN). That should be it.
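The ccd files from the static-IP section and the iroute setup here share the same failure modes (file name not equal to the certificate CN, an address outside the VPN subnet or already taken, an iroute subnet that overlaps the tunnel, and a forgotten route directive on the server). The following added example (not code from the page) generates the ccd files from one table and refuses inconsistent input; it assumes topology subnet on 10.8.0.0/24 with 10.8.0.1 as the server's tunnel address, and the client names and addresses in CLIENTS are constructed for the demo.

```python
"""Generate OpenVPN client-config-dir (ccd) files with the consistency checks
that static addressing and iroute depend on.

Added example for the static-IP and subnet-behind-client sections; not code
from the page.  Assumptions: the server runs `topology subnet` on 10.8.0.0/24
(OpenVPN's default, 10.8.0.1 being the server's own tunnel address), and the
client names/addresses in CLIENTS are constructed for the demo.
"""
import ipaddress
import os
import re

VPN_NET = ipaddress.ip_network("10.8.0.0/24")
_CN_OK = re.compile(r"^[A-Za-z0-9_.-]+$")   # ccd file name == CN: keep it path-safe

# Constructed input: CN -> (tunnel IP to push, LAN subnet behind the client or None)
CLIENTS = {
    "clientMikrotikA": ("10.8.0.11", "192.168.200.0/24"),
    "web01": ("10.8.0.5", None),
}


def build_ccd(clients, vpn_net=VPN_NET):
    """Return {cn: ccd file text}; raise ValueError on the first inconsistency."""
    used_ips, routed, files = set(), [], {}
    for cn, (ip_s, lan_s) in clients.items():
        if not _CN_OK.match(cn) or cn in (".", ".."):
            raise ValueError(f"{cn!r}: CN is not a safe ccd file name")
        ip = ipaddress.ip_address(ip_s)
        if ip not in vpn_net or ip in (vpn_net.network_address, vpn_net.broadcast_address):
            raise ValueError(f"{cn}: {ip} is not a usable host address in {vpn_net}")
        if ip == next(vpn_net.hosts()):                  # first host = server (subnet topology)
            raise ValueError(f"{cn}: {ip} is the server's own tunnel address")
        if ip in used_ips:
            raise ValueError(f"{cn}: {ip} is already assigned to another client")
        used_ips.add(ip)
        lines = [f"ifconfig-push {ip} {vpn_net.netmask}"]   # topology subnet form
        if lan_s:
            lan = ipaddress.ip_network(lan_s)                # strict: must be a network address
            if lan.overlaps(vpn_net):
                raise ValueError(f"{cn}: iroute {lan} overlaps the VPN subnet")
            for other_cn, other in routed:
                if lan.overlaps(other):
                    raise ValueError(f"{cn}: iroute {lan} overlaps {other} of {other_cn}")
            routed.append((cn, lan))
            lines.append(f"iroute {lan.network_address} {lan.netmask}")
        files[cn] = "\n".join(lines) + "\n"
    return files


def server_route_lines(clients):
    """The `route` directives server.conf needs so the kernel sends those
    subnets into the tunnel; iroute alone does not create a kernel route."""
    nets = [ipaddress.ip_network(lan) for _, lan in clients.values() if lan]
    return [f"route {n.network_address} {n.netmask}" for n in nets]


def rejects(clients):
    """True if build_ccd refuses the table (used to exercise the failure cases)."""
    try:
        build_ccd(clients)
    except ValueError:
        return True
    return False


def write_ccd(files, ccd_dir):
    """Write the files; the name is the CN, which is how OpenVPN finds them."""
    os.makedirs(ccd_dir, exist_ok=True)
    for cn, text in files.items():
        with open(os.path.join(ccd_dir, cn), "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    for cn, text in build_ccd(CLIENTS).items():
        print(f"--- ccd/{cn}\n{text}", end="")
    print("--- add to server.conf:")
    print("\n".join(server_route_lines(CLIENTS)))
```

Call `write_ccd(build_ccd(CLIENTS), "/etc/openvpn/ccd")` as root to install the files, add the printed route lines to server.conf, and restart the server; the CN check matters because the file name is taken from the certificate the client presents, so a CN containing a path separator would never match a file and the client would silently fall back to the dynamic pool.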