## Preconditions

* You need to have `TUN/TAP` enabled

![](http://i.imgur.com/TKLml5o.png)

## Install dependencies

```sh
$ apt-get install openvpn easy-rsa
```

## Make certificates

```sh
$ make-cadir /etc/openvpn/easy-rsa
$ cd /etc/openvpn/easy-rsa
$ source vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server server
$ ./build-key client
$ ./build-dh
```

## Download

```sh
$ scp root@xx.xx.xx.xx:/etc/openvpn/easy-rsa/keys/{ca.crt,client.crt,client.key} .
```

## Prepare forwarding

```sh
$ vim /etc/sysctl.conf
# uncomment net.ipv4.ip_forward=1
$ sysctl -p
```

## Configure OpenVPN

```sh
$ vim /etc/openvpn/server.conf
```

```
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
```

## Prepare autostart

```sh
$ vim /etc/rc.local
```

```
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to xx.xx.xx.xx
openvpn /etc/openvpn/server.conf
```

## Restart

```sh
$ reboot
```
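
The `server.conf` above enables `duplicate-cn`, `client-to-client` and `comp-lzo`, each of which gives up some client identity, isolation or confidentiality. The script below is an added example, not part of the original guide: it reports those directives in a config file and also notes a missing `tls-auth`/`tls-crypt`, a check that goes beyond the guide's config; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original guide: report directives in an OpenVPN
# server config that weaken client identity, isolation or confidentiality.

# has_directive FILE REGEX: true if a non-comment line starts with REGEX.
has_directive() {
    grep -Ev '^[[:space:]]*([#;]|$)' "$1" |
        grep -Eq "^[[:space:]]*($2)([[:space:]]|\$)"
}

# audit_conf FILE: print one "name: reason" line per finding.
audit_conf() {
    if has_directive "$1" 'duplicate-cn'; then
        echo "duplicate-cn: one client certificate can hold several sessions, so a copied client.key connects without displacing its owner"
    fi
    if has_directive "$1" 'client-to-client'; then
        echo "client-to-client: client traffic is routed inside OpenVPN and never passes the server's iptables rules"
    fi
    if has_directive "$1" 'comp-lzo|compress'; then
        echo "compression: compressing before encryption leaks plaintext through packet sizes (VORACLE)"
    fi
    if ! has_directive "$1" 'tls-auth|tls-crypt'; then
        echo "tls-auth: not set, so unauthenticated packets reach the TLS handshake"
    fi
    return 0
}

# Constructed sample: lines taken from the guide's server.conf plus one
# commented-out directive, which must not count as configured.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
port 1194
proto udp
;tls-auth ta.key 0
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
EOF

audit_conf "$sample"
```

To check the live file, call `audit_conf /etc/openvpn/server.conf` on the server.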