Basically, there are two types of VPN’s: IP route and ethernet bridge. I configured an IP route VPN, based on this document.

First you need to generate certicifcates. The example scripts for that are located in “/usr/share/doc/openvpn/examples/easy-rsa/2.0”. I copied these to /etc/openvpn/easy-rsa for convenience.

Cd to /etc/openvpn/easy-rsa and edit vars to enter the data that is going to be included in your certifcates. You can also set the expiration time and key size here. Then do:

source ./vars
./build-key-server server
./build-key client1
./build-key client2
./build-key client3 (repeat as necessary. You can also name the keys properly, of course)

Then I’d copy the keys dir to /etc/openvpn.

You need to copy the ca.crt file to each client, as well as the clientx.crt and clientx.key, but then per client.

The server conf is this:

port 1194
proto udp
dev tun0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh dh2048.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
status openvpn-status.log
verb 3
# Redirect all traffic through VPN by setting 'almost default' gateway
push 'redirect-gateway def1'
# Replace DNS config with a server you specify, which can be access on the VPN.
push "dhcp-option DNS"

Then on the server, you need to configure SNAT (I don’t know if you also need to put “net.ipv4.ip_forward = 0” in /etc/sysctl.conf). If I understand correctly, you need to have such a rule per eth device you have. If you have a machine that has both a WAN and LAN and you want them to allow access on both the local net and internet, you need a rule like this for both ports.

iptables -t nat -A POSTROUTING -s -o lan-eth-device -j MASQUERADE --match comment --comment "Allow VPN users to connect to things on this LAN."

Then on the client:

dev tun0
proto udp
remote <serveraddress> 1194
resolv-retry infinite
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
verb 3

You should then be able to connect. Remember to allow IPtables access on all the machines. Configuring a proper firewall can be tricky. You can’t just use simple connection tracking; you must allow certain forward rules on the server (and client as well, I believe). On the client, you must allow everything on the input with UDP source port 1194. On the server, you must open incoming UDP target port 1194 as well, of course

It depends on the distro you’re using how to include the config into the boot procedure. Debian starts all config files per default (which can be configured in /etc/default/openvpn), Gentoo needs a specially named symlink in /etc/init.d.