# OpenVPN server on Ubuntu 18.04

**Apt Repo**

```
$sudo su
#wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
#echo "deb http://build.openvpn.net/debian/openvpn/stable bionic main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
```

**Install Easy-Rsa 3.0.x**

```
#wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz
#tar zxf EasyRSA-3.0.7.tgz
#cd ./EasyRSA-3.0.7
#cp vars.example vars
#nano vars
```

*Change or add the following lines in `vars`:*

```
set_var EASYRSA_ALGO ec
set_var EASYRSA_CURVE secp521r1
set_var EASYRSA_DIGEST "sha512"
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_KEY_SIZE 4096
```

```
#./easyrsa init-pki
#./easyrsa build-ca
#./easyrsa gen-req server nopass
#./easyrsa sign-req server server
#./easyrsa gen-dh
```

`gen-dh` can take a while — go get a coffee.

```
openvpn --genkey --secret /etc/openvpn/ta.key
```

**Useful Commands**

```
$sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
$sudo iptables --append FORWARD -i tun0 -j ACCEPT
$sudo tcpdump -i tun0
$sudo apt install iptables-persistent
```

**Install DoH client on server**

https://github.com/nextdns/nextdns/wiki/Debian-Based-Distribution

```
cat /etc/nextdns.conf
bogus-priv true
use-hosts true
timeout 5s
cache-size 1024MB
discovery-dns
detect-captive-portals false
log-queries false
hardened-privacy false
report-client-info false
cache-max-age 0s
max-ttl 5s
setup-router false
auto-activate true
listen 10.8.0.1:53
control /var/run/nextdns.sock
config <id>yours</id>
```

**For LXC containers**

Comment out the `LimitNPROC` line in `/lib/systemd/system/openvpn@.service`.
**Some Logging**

```
Tue Aug 04 08:35:31 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'BLAKE2b512' for HMAC authentication
Tue Aug 04 08:35:31 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'BLAKE2b512' for HMAC authentication
Tue Aug 04 08:35:32 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Aug 04 08:35:33 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Aug 04 08:35:33 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,block-outside-dns,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Tue Aug 04 08:35:33 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Aug 04 08:35:33 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Aug 04 08:35:33 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
```