• Enable IP forwarding and NAT (masquerade) out of interface eth0, then persist the rules with iptables-persistent.

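    # Turn on IPv4/IPv6 forwarding persistently and masquerade VPN client traffic
    # as it leaves the WAN interface, then save the ruleset for iptables-persistent.
    # vpn_net is the subnet handed out in server.conf ("server 10.0.2.0 255.255.255.0");
    # change it here if the server subnet changes.
    vpn_net=10.0.2.0/24
    wan_if=eth0

    printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv6.conf.all.forwarding = 1' \
      | sudo tee /etc/sysctl.d/routing.conf > /dev/null
    sudo sysctl --system

    # -C reports whether the rule is already present (exit 1 and a message when it
    # is not, hence 2>/dev/null) so re-running the snippet does not stack duplicate
    # MASQUERADE rules; -s limits NAT to the VPN subnet instead of every packet
    # that happens to leave eth0.
    sudo iptables -t nat -C POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE 2>/dev/null \
      || sudo iptables -t nat -I POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE
    sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null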
    
  • /etc/openvpn/server.conf

    # OpenVPN server configuration (/etc/openvpn/server.conf).
    port 1194
    proto tcp                      # TCP rather than the usual UDP so the MPTCP wrapper enabled later applies to the daemon's sockets
    dev tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key    # private key; keep it root-only (mode 0600)
    dh /etc/openvpn/dh.pem
    server 10.0.2.0 255.255.255.0  # subnet handed out to VPN clients (server takes .1)
    keepalive 1 5                  # ping every 1 s; peer considered down after ~5 s without reply (OpenVPN doubles this on the server side)
    verb 3                         # log verbosity
    # NOTE(review): 'none' disables data-channel encryption, so everything carried
    # inside the tunnel crosses the network in cleartext. Only acceptable when the
    # tunnelled payload brings its own encryption; otherwise list real ciphers here.
    data-ciphers none
    topology subnet
    duplicate-cn                   # lets several clients share one certificate (the single client cert built with easy-rsa); revoking one client then means revoking all of them
    
  • Create the OpenVPN credentials with easy-rsa.

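    # Build a CA, a server certificate/key and one client certificate/key with
    # easy-rsa, then install the server-side material where server.conf expects it.
    # cert_days keeps the original ~100-year validity; shorter lifetimes are easier
    # to rotate and revoke, so lower it if operationally possible.
    cert_days=36525

    ./easyrsa init-pki
    ./easyrsa build-ca nopass       # nopass: the CA private key is stored unencrypted on this host
    ./easyrsa gen-req server nopass
    ./easyrsa --days="$cert_days" sign-req server server
    ./easyrsa gen-dh
    # A single shared client identity: with duplicate-cn in server.conf every
    # client presents this same certificate, so per-client revocation is not possible.
    ./easyrsa gen-req client nopass
    ./easyrsa --days="$cert_days" sign-req client client

    # install(1) copies and sets the mode in one step: certificates and DH
    # parameters are public (0644), the server key stays root-only (0600).
    sudo install -m 0644 pki/ca.crt /etc/openvpn/ca.crt
    sudo install -m 0644 pki/issued/server.crt /etc/openvpn/server.crt
    sudo install -m 0600 pki/private/server.key /etc/openvpn/server.key
    sudo install -m 0644 pki/dh.pem /etc/openvpn/dh.pem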
    

    easy-rsa/doc/EasyRSA-Readme.md at master · OpenVPN/easy-rsa

  • Enable MPTCP for the OpenVPN systemd service, then enable the server instance so it starts at boot.

    # Wrap OpenVPN's systemd template unit with mptcpize so the daemon's TCP
    # sockets use MPTCP, then enable the 'server' instance
    # (/etc/openvpn/server.conf) so it starts at boot.
    enable_mptcp_openvpn() {
      sudo mptcpize enable openvpn@
      sudo systemctl enable openvpn@server
    }
    enable_mptcp_openvpn