Установим OpenVPN и подготовим настройку сертификатов:

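# Install OpenVPN and unpack Easy-RSA (the PKI tooling) under /etc/openvpn/keys.
# All of this writes to /etc, so it is expected to run as root.
apt install openvpn
mkdir -p /etc/openvpn/keys
# Explicit path instead of `cd $_`: $_ is the last argument of the previous
# command and silently points elsewhere if that line is edited or skipped.
cd /etc/openvpn/keys
# NOTE(review): the release tarball is fetched over HTTPS but never verified.
# Compare it against the checksum/signature published with the release
# (<RELEASE-CHECKSUM-PLACEHOLDER>, not on this page) before extracting.
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
tar xvf EasyRSA-3.0.8.tgz
cd /etc/openvpn/keys/EasyRSA-3.0.8
cp vars.example vars   # start from the shipped template; our settings are appended below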

Настроим сертификаты:

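# Append our settings to the Easy-RSA vars file.
# The heredoc delimiter is quoted so that "$EASYRSA" below is written literally
# and expanded later by easyrsa itself when it sources vars. With an unquoted
# EOF the current shell expands it first (normally to an empty string) and the
# file ends up with EASYRSA_PKI "/pki".
cat >> vars << 'EOF'
set_var EASYRSA                 "/etc/openvpn/keys/EasyRSA-3.0.8"
set_var EASYRSA_PKI             "$EASYRSA/pki"

# Subject fields copied into every request; replace the sample values.
set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "California"
set_var EASYRSA_REQ_CITY       "San Francisco"
set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL      "me@example.net"
set_var EASYRSA_REQ_OU         "My Organizational Unit"

# 4096-bit RSA signed with SHA-512; CA, issued certificates and the CRL are
# all valid for 3650 days (10 years).
set_var EASYRSA_KEY_SIZE        4096
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       3650
set_var EASYRSA_CERT_EXPIRE     3650
# NOTE(review): once the CRL is older than this, OpenVPN stops accepting
# clients (crl-verify treats an expired CRL as an error) - regenerate it with
# `./easyrsa gen-crl` and recopy crl.pem before that happens.
set_var EASYRSA_CRL_DAYS        3650
set_var EASYRSA_DIGEST          "sha512"
EOF

./easyrsa init-pki   # creates the pki/ tree under EASYRSA_PKI
# Interactive: asks for the CA passphrase and Common Name. The CA key
# (pki/private/ca.key) signs every client certificate; keep it passphrase-
# protected and, ideally, off the VPN host once the certificates are issued.
./easyrsa build-ca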

настройка сертификатов:

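# server:

./easyrsa gen-req server nopass     # nopass: the server key has to load at boot without a prompt
./easyrsa sign-req server server    # "server" type: serverAuth EKU, so clients can verify the peer role
./easyrsa gen-dh
./easyrsa gen-crl                   # CRL for revoked certificates; rerun after every `revoke` and recopy crl.pem

cp pki/{ca.crt,dh.pem,crl.pem} /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/

cd /etc/openvpn
openvpn --genkey secret ta.key      # shared tls-auth key; hand it to clients over a trusted channel only

# Public artefacts must stay readable after openvpn drops to its unprivileged
# user (crl.pem in particular is consulted at run time, not only at start-up).
chmod 644 /etc/openvpn/{ca.crt,crl.pem,dh.pem,server.crt}
# Private material must never be world-readable, whatever the umask was when
# the files were copied/created above.
chmod 600 /etc/openvpn/{server.key,ta.key}

# client:

cd /etc/openvpn/keys/EasyRSA-3.0.8
./easyrsa gen-req client1 nopass    # one certificate per client device, so a single device can be revoked later
./easyrsa sign-req client client1   # "client" type: clientAuth EKU ("TLS Web Client Authentication"), which server.conf requires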

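# server.conf
# Delimiter quoted so nothing inside is expanded by the shell; paths are
# relative to /etc/openvpn, where the files were copied above.
cat > /etc/openvpn/server.conf << 'EOF'
port 1194
proto udp4
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Every client certificate is checked against the CRL; keep crl.pem fresh.
crl-verify crl.pem
#server 10.8.0.0 255.255.255.0
# NOTE(review): 192.168.1.0/24 is also the most common home-LAN range, so a
# client sitting on such a LAN gets a route conflict; the commented 10.8.0.0/24
# above avoids that. Must match the -s subnet in the NAT rule on the server.
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Full-tunnel: all client traffic is sent through the VPN.
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
# Only certificates issued with the client EKU are accepted, so a stolen
# server certificate cannot be used to connect as a client.
remote-cert-eku "TLS Web Client Authentication"
keepalive 10 120
tls-server
# Direction 0 here; clients use "tls-auth ta.key 1" (or key-direction 1).
tls-auth ta.key 0
tls-timeout 120
auth SHA512
#cipher BF-CBC
cipher AES-256-GCM
max-clients 10
# Drop root after start-up; the account must exist on the host. persist-key /
# persist-tun keep the key and tun device usable across restarts once
# privileges are gone.
user gluck
group gluck
persist-key
persist-tun
status openvpn-status.log
#log-append  openvpn.log
#log /dev/null
log /var/log/openvpn.log
#log openvpn.log
# NOTE(review): verb 0 logs almost nothing, which makes incident review hard;
# verb 3 is the usual operational baseline.
verb 0
EOF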

Настройка маршрутизации (можно создать зону, которая будет доступна извне, или пустить вообще все пакеты через OpenVPN):

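# ip route (server):

# NOTE(review): forwarding between tun0 and end0 also requires
# net.ipv4.ip_forward=1 (sysctl), which this page does not set.
# Source-NAT the VPN subnet (the `server` line in server.conf) behind the
# address of end0 — the uplink interface name on this host; check `ip link`.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o end0 -j MASQUERADE
# VPN -> uplink: new flows allowed; uplink -> VPN: replies to existing flows only.
iptables -A FORWARD -i tun0 -o end0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i end0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# These ACCEPT rules only restrict anything if the FORWARD policy is DROP;
# the saved rules.v4 below has that policy, but no command here sets it.

# netfilter-persistent save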

/etc/iptables/rules.v4:

# Generated by iptables-save v1.8.11 (nf_tables) on Fri May 22 23:20:02 2026
*filter
# INPUT stays at ACCEPT with no rules: traffic to the host itself (including
# udp/1194) is not filtered by this file.
:INPUT ACCEPT [0:0]
# FORWARD defaults to DROP, so only the two explicit tun0<->end0 rules below
# pass routed traffic.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o end0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i end0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri May 22 23:20:02 2026
# Generated by iptables-save v1.8.11 (nf_tables) on Fri May 22 23:20:02 2026
*nat
:PREROUTING ACCEPT [35:3962]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [14:1672]
:POSTROUTING ACCEPT [27:2224]
# Empty chain, presumably created by Docker on this host; unrelated to the VPN.
:DOCKER - [0:0]
# Must use the same subnet as the `server` directive in server.conf.
-A POSTROUTING -s 192.168.1.0/24 -o end0 -j MASQUERADE
COMMIT

ссылки:

  • https://bozza.ru/art-269.html