mqopen
Hardware
Backbone
Processing
Development
The first step is to install the VPN daemon. My choice is OpenVPN: it is an open-source, well-known VPN solution with a large community. To install OpenVPN, issue the following command:
# apt-get install openvpn
And that's it. The VPN server software is installed.
To configure the OpenVPN server you have to set up the following files:
The first four components are the generated cryptographic materials (the CA certificate, the Diffie-Hellman parameters, the server certificate and the server private key). How to build them is described on the certificates page.
OpenVPN configuration files can be stored anywhere, but best practice is to keep them under the /etc/openvpn
directory. I like to create separate directories for the CA material, the server keys and the configuration files (both server and client, if necessary):
# mkdir /etc/openvpn/ca_certificates /etc/openvpn/certs /etc/openvpn/server
From the easy-rsa directory, copy the CA, DH and key files to the VPN server:
easy-rsa/easyrsa3$ scp pki/ca.crt pki/dh.pem root@<server IP>:/etc/openvpn/ca_certificates
easy-rsa/easyrsa3$ scp pki/issued/<server-cert.crt> pki/private/<server-cert.key> root@<server IP>:/etc/openvpn/certs
Adjust the following values:
<server IP> - the actual IP address of your server.
<server-cert.crt> - your issued server certificate (.crt) file from pki/issued.
<server-cert.key> - your server private key (.key) file from pki/private.
Once copied, the private key should be readable only by root (chmod 600), since anyone who can read it can impersonate the server.
Now create the configuration file /etc/openvpn/server/central-broker.conf
with the following content:
port 1194
proto tcp
dev tun
ca <cafile>
cert <crtfile>
key <keyfile>
dh <dhfile>
server <network ip address> <network mask>
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
Adjust the configuration options based on your needs:
ca - path to your CA certificate file. For example: /etc/openvpn/ca_certificates/ca.crt
cert - path to your server certificate file. For example: /etc/openvpn/certs/central-broker.crt
key - path to your server private key file. For example: /etc/openvpn/certs/central-broker.key
dh - path to your Diffie-Hellman parameters file. For example: /etc/openvpn/ca_certificates/dh.pem
server - address and mask of your virtual network. For example: 10.9.0.0 255.255.255.0
Note that comp-lzo is deprecated in current OpenVPN releases, and tunnel compression lets an attacker who can inject chosen plaintext into the VPN recover secrets through compression-oracle attacks; leave it out unless an old client requires it. It is also worth adding user nobody and group nogroup so the daemon drops root after startup; the persist-key and persist-tun options already present are what allow it to restart without root.
To test that OpenVPN is correctly configured, you can run it from the console:
# openvpn --cd /etc/openvpn/server --config central-broker.conf
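As an added example (not code from the mqopen page or from OpenVPN), the following Python script audits a server configuration before it is enabled: it parses the directives listed above, resolves relative paths against the directory given to --cd, checks that the referenced files exist and that key material is not readable by others, and flags comp-lzo, a missing tls-auth/tls-crypt key and a missing user/group privilege drop. The two sample configurations, the temporary directory layout and the placeholder files it writes are constructed for the demo; the ta.key in the hardened variant is assumed to come from openvpn --genkey.

```python
"""Preflight audit for an OpenVPN server config such as central-broker.conf.

Added example, not code from the mqopen page or from OpenVPN. It parses the
directive/argument lines used above, resolves relative paths the way
`openvpn --cd <dir>` does, and reports what a reviewer checks before enabling
the systemd unit. Severity labels and sample configs are this example's own.
"""
import os
import tempfile

FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "tls-crypt")
REQUIRED = ("port", "proto", "dev", "ca", "cert", "key", "dh", "server")


def parse_config(text):
    """Return (directive, [args]) pairs; '#' and ';' lines are comments.
    Inline <ca>...</ca> blocks are not used on this page and are not parsed."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def audit(text, base_dir):
    """Return sorted 'ERROR: ...' and 'WARN: ...' findings for one config."""
    entries = parse_config(text)
    present = {d for d, _ in entries}
    findings = [f"ERROR: required directive '{d}' is missing"
                for d in REQUIRED if d not in present]

    for directive, args in entries:
        if directive not in FILE_DIRECTIVES:
            continue
        if not args:
            findings.append(f"ERROR: '{directive}' has no file argument")
            continue
        path = args[0] if os.path.isabs(args[0]) else os.path.join(base_dir, args[0])
        if not os.path.isfile(path):
            findings.append(f"ERROR: '{directive}' file not found: {path}")
        elif directive in ("key", "tls-auth", "tls-crypt") and os.stat(path).st_mode & 0o077:
            # secret material must not be readable by group or others
            findings.append(f"WARN: '{directive}' file is not mode 0600: {path}")

    # comp-lzo is deprecated; tunnel compression lets an attacker who can inject
    # chosen plaintext into the VPN recover secrets (compression-oracle attacks)
    if "comp-lzo" in present:
        findings.append("WARN: comp-lzo enables compression; deprecated and risky")
    if not present & {"tls-auth", "tls-crypt"}:
        findings.append("WARN: no tls-auth/tls-crypt; any host can open a TLS handshake")
    if not {"user", "group"} <= present:
        findings.append("WARN: no user/group; the daemon keeps root after startup")
    return sorted(findings)


# Constructed sample: the page's config with paths relative to a base dir.
PAGE_CONFIG = """\
port 1194
proto tcp
dev tun
ca ca_certificates/ca.crt
cert certs/central-broker.crt
key certs/central-broker.key
dh ca_certificates/dh.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
"""

# Constructed hardened variant: compression removed, control channel wrapped
# with a tls-crypt key (assumed made with `openvpn --genkey`), root dropped.
HARDENED_CONFIG = PAGE_CONFIG.replace("comp-lzo\n", "") + """\
tls-crypt ca_certificates/ta.key
user nobody
group nogroup
"""


def run_demo():
    """Lay out a fake /etc/openvpn tree in a temp dir and audit both configs.
    The files hold placeholder text, not real PEM data. Returns (page, hardened)."""
    base = tempfile.mkdtemp()
    for rel in ("ca_certificates/ca.crt", "ca_certificates/dh.pem",
                "ca_certificates/ta.key", "certs/central-broker.crt",
                "certs/central-broker.key"):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        if rel.endswith(".key"):
            os.chmod(path, 0o600)
    return audit(PAGE_CONFIG, base), audit(HARDENED_CONFIG, base)


if __name__ == "__main__":
    for name, result in zip(("page config", "hardened config"), run_demo()):
        print(f"{name}: {result or 'no findings'}")
```

Run it against the real file with audit(open("/etc/openvpn/server/central-broker.conf").read(), "/etc/openvpn/server") before enabling the unit; an ERROR means openvpn will refuse to start, a WARN is a hardening point to decide on.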
Now you need to configure OpenVPN to automatically establish the connection when your computer boots. Let's create a systemd unit to do this task.
Create the template systemd unit file /etc/systemd/system/openvpn-server@.service
with the following content:
[Unit]
Description=OpenVPN service for %I
After=network.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=simple
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/server --config %i.conf
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
This is a generic description of how to start an OpenVPN server process. Template units use the %i
placeholder for the argument that creates a unit instance (%I is the same value with systemd escaping undone, which is why it is used in the description). To activate the unit, issue the following commands:
# systemctl daemon-reload
# systemctl enable openvpn-server\@central-broker.service
# systemctl start openvpn-server\@central-broker.service
If you have just created the unit file, don't forget to call daemon-reload
to load it. Then enable the central-broker
instance of the template unit to instruct systemd to start it at boot. Finally, start OpenVPN manually with the start
command.
Note that central-broker
is not only the name of the instance but is also used as the name of the configuration file. If your configuration file has a different name, change the unit instance name accordingly.