I host a site to teach SQL (databases.pacha.dev) by using Apache in a DigitalOcean droplet. I wanted to install OpenVPN to have a VPN in the same server, and I run this as root
#!/bin/bash
echo "Setting up OpenVPN..."
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
PROTOCOL=udp
PORT=1194
echo "OpenVPN configuration:"
echo " Listen on: $IP:$PORT"
echo " Protocol : $PROTOCOL"
echo " Resolver : pi.hole (10.8.0.1)"
# Install easy-rsa
EASYRSAURL='
wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
tar xzf ~/easyrsa.tgz -C ~/
mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/
mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/
chown -R root:root /etc/openvpn/server/easy-rsa/
rm -f ~/easyrsa.tgz
cd /etc/openvpn/server/easy-rsa/ || exit 1
sed -i 's/^RANDFILE/#RANDFILE/g' openssl-easyrsa.cnf
patch --ignore-whitespace << 'EOF'
From cdaa4a1fb0851beb17f364febb6e9b1f694baff8 Mon Sep 17 00:00:00 2001
From: Luiz Angelo Daros de Luca <>
Date: Tue, 25 Sep 2018 17:58:03 -0300
Subject: [PATCH] include index.txt.attr as CA files
Remove a warning when the first certificate is generated
Can't open .../easy-rsa/pki/index.txt.attr for reading, No such file or directory
Signed-off-by: Luiz Angelo Daros de Luca <>
--- easyrsa | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/easyrsa b/easyrsa
index de4fe43..969b5d9 100755
--- a/easyrsa
+++ b/easyrsa
@@ -428,7 +428,7 @@ verify_ca_init() { verify_pki_init # verify expected files present:
- for i in serial index.txt ca.crt private/ca.key; do
+ for i in serial index.txt index.txt.attr ca.crt private/ca.key; do if [ ! -f "$EASYRSA_PKI/$i" ]; then [ "$1" = "test" ] && return 1 die "\
@@ -543,6 +543,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first." mkdir -p "$EASYRSA_PKI/$i" || die "$err_file" done printf "" > "$EASYRSA_PKI/index.txt" || die "$err_file"
+ printf "" > "$EASYRSA_PKI/index.txt.attr" || die "$err_file" print "01" > "$EASYRSA_PKI/serial" || die "$err_file" # Default CN only when not in global EASYRSA_BATCH mode:
--
2.17.1
EOF
# Create the PKI, set up the CA and the server and client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
EASYRSA_CERT_EXPIRE=90 ./easyrsa build-server-full server nopass
EASYRSA_CRL_DAYS=90 ./easyrsa gen-crl
# Move the stuff we need
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
# CRL is read with each client connection, when OpenVPN is dropped to nobody
chown nobody:nogroup /etc/openvpn/server/crl.pem
# Generate key for tls-auth
openvpn --genkey --secret /etc/openvpn/server/ta.key
# Create the DH parameters file using the predefined ffdhe2048 group
echo '-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
# Generate server.conf
echo "port $PORT
proto $PROTOCOL" > /etc/openvpn/server/server.conf
echo 'dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
log /var/log/openvpn.log
crl-verify crl.pem' >> /etc/openvpn/server/server.conf
# Enable net.ipv4.ip_forward for the system
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
# Enable without waiting for a reboot or service restart
echo 1 > /proc/sys/net/ipv4/ip_forward
# Add post-routing rule (other required rules already configured)
iptables-restore /etc/iptables/rules.v4
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source "$IP"
iptables-save > /etc/iptables/rules.v4
# And finally, enable and start the OpenVPN service
systemctl enable --now
# client-common.txt is created so we have a template to add further users later
echo "client
dev tun
proto $PROTOCOL
sndbuf 0
rcvbuf 0
remote $IP $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
verb 3" > /etc/openvpn/server/client-common.txt
echo "OpenVPN setup complete."
echo "Creating new client config..."
newclient () { cd /etc/openvpn/server/easy-rsa/ || exit 1 EASYRSA_CERT_EXPIRE=90 ./easyrsa build-client-full "$1" nopass # Generates the custom client.ovpn cp /etc/openvpn/server/client-common.txt "/root/$1.ovpn" { echo "<ca>" cat /etc/openvpn/server/easy-rsa/pki/ca.crt echo "</ca>" echo "<cert>" sed -ne '/BEGIN CERTIFICATE/,$ p' "/etc/openvpn/server/easy-rsa/pki/issued/$1.crt" echo "</cert>" echo "<key>" cat "/etc/openvpn/server/easy-rsa/pki/private/$1.key" echo "</key>" echo "<tls-auth>" sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/ta.key echo "</tls-auth>" } >> "/root/$1.ovpn"
}
CLIENT="client"
if [ -n "$1" ]
then CLIENT="$1"
fi
newclient "$CLIENT"
THISFILE='/var/lib/cloud/scripts/per-instance/03-create-client-config'
LINKPATH='/root/create-client-config.sh'
if [ ! -f "$LINKPATH" ]
then ln -s "$THISFILE" "$LINKPATH"
fi
echo "Client config creation complete (~/$CLIENT.ovpn)."This is my ufw status (enabled)
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Apache Full ALLOW Anywhere
5432/tcp ALLOW Anywhere
3306/tcp ALLOW Anywhere
1433/tcp ALLOW Anywhere
4022/tcp ALLOW Anywhere
135/tcp ALLOW Anywhere
1434/tcp ALLOW Anywhere
1434/udp ALLOW Anywhere
1194 ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)
5432/tcp (v6) ALLOW Anywhere (v6)
3306/tcp (v6) ALLOW Anywhere (v6)
1433/tcp (v6) ALLOW Anywhere (v6)
4022/tcp (v6) ALLOW Anywhere (v6)
135/tcp (v6) ALLOW Anywhere (v6)
1434/tcp (v6) ALLOW Anywhere (v6)
1434/udp (v6) ALLOW Anywhere (v6)
1194 (v6) ALLOW Anywhere (v6) However, even after doing systemctl stop openvpn I can't open the site that I provide via Apache in that server. I tried both from laptop and mobile.
Ping is working correctly
~ $ ping databases.pacha.dev
PING databases.pacha.dev (164.92.122.20) 56(84) bytes of data.
64 bytes from 164.92.122.20 (164.92.122.20): icmp_seq=1 ttl=47 time=204 ms
64 bytes from 164.92.122.20 (164.92.122.20): icmp_seq=2 ttl=47 time=256 ms
64 bytes from 164.92.122.20 (164.92.122.20): icmp_seq=3 ttl=47 time=250 msAny ideas?
Reset to default