
OpenVPN: setting up Ubuntu server and Keenetic client

Published on September 11, 2025

🛠 OpenVPN Setup: Ubuntu (server) + Keenetic (client)

In this guide, we’ll go through setting up an OpenVPN server on Ubuntu and connecting a Keenetic router to it. This setup is useful if you need to provide access to your home network or forward services (e.g., PBX or web server) through VPN.


1. Preparing the Ubuntu server

1.1 Installing packages

sudo apt update
sudo apt install -y openvpn easy-rsa iptables-persistent

1.2 Creating PKI (Easy-RSA v3)

make-cadir ~/easy-rsa
cd ~/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass

Server keys

./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh

Client keys (for Keenetic)

./easyrsa gen-req keenetic nopass
./easyrsa sign-req client keenetic

TLS key (specifically tls-auth, not tls-crypt)

openvpn --genkey secret ta.key

1.3 Distribute keys

  • In /etc/openvpn/server/: server.crt, server.key, dh.pem, ca.crt, ta.key (Easy-RSA v3 writes them to pki/ca.crt, pki/issued/server.crt, pki/private/server.key and pki/dh.pem; ta.key is in the directory where openvpn --genkey was run).
  • In /etc/openvpn/ccd/keenetic (we’ll create later) — LAN routes.


2. OpenVPN server configuration

File /etc/openvpn/server/server.conf:

port 1194
proto udp
dev tun
user nobody
group nogroup
topology subnet

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

ca ca.crt
cert server.crt
key server.key
dh dh.pem

# TLS protection
tls-auth ta.key 0
auth SHA256
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC

keepalive 10 120
persist-key
persist-tun
explicit-exit-notify 1

# Push only necessary routes
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.45.0 255.255.255.0"

# Kernel route on the server itself towards the LAN behind Keenetic.
# Without it the server has no route to 192.168.45.0/24 via tun; the
# matching iroute in the CCD file tells OpenVPN which client owns that LAN.
route 192.168.45.0 255.255.255.0

# Individual client settings
client-config-dir /etc/openvpn/ccd

status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3

3. Specify network behind Keenetic (CCD)

File /etc/openvpn/ccd/keenetic:

iroute 192.168.45.0 255.255.255.0
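
The route/iroute pair is easy to get half right (a LAN announced only with iroute is unreachable from the server itself). The check below is an added example, not part of the original post: it reads every file in the client-config-dir, extracts the iroute networks and verifies that server.conf has a matching route line. The paths are passed as arguments; nothing else is assumed about the configuration.

```shell
#!/bin/sh
# Added example (not from the original post): check that every LAN announced
# with `iroute` in a CCD file also has a matching `route` line in server.conf.
# OpenVPN needs both: `route` installs the kernel route to the tun interface,
# `iroute` tells OpenVPN which connected client owns that network.

check_iroutes() {
    conf="$1"      # path to server.conf
    ccd_dir="$2"   # path to the client-config-dir
    status=0
    for ccd in "$ccd_dir"/*; do
        [ -f "$ccd" ] || continue
        # one "NET/MASK" token per iroute line of this client's file
        for entry in $(awk '$1 == "iroute" { print $2 "/" $3 }' "$ccd"); do
            net=${entry%/*}
            mask=${entry#*/}
            if awk -v n="$net" -v m="$mask" \
                '$1 == "route" && $2 == n && $3 == m { found = 1 } END { exit !found }' "$conf"; then
                printf 'ok:      route %s %s (iroute in %s)\n' "$net" "$mask" "$(basename "$ccd")"
            else
                printf 'MISSING: route %s %s in %s (iroute in %s)\n' "$net" "$mask" "$conf" "$(basename "$ccd")"
                status=1
            fi
        done
    done
    return $status
}

# Usage: sh check_iroutes.sh /etc/openvpn/server/server.conf /etc/openvpn/ccd
if [ $# -eq 2 ]; then
    check_iroutes "$1" "$2"
fi
```

The exit status is non-zero when at least one route is missing, so the script can run from a deploy hook before restarting the openvpn-server@server unit.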

4. Enable IP forwarding

echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-openvpn.conf
sudo sysctl --system

5. iptables setup (DNAT + SNAT)

Example for:

  • Web server: 192.168.45.230:443
  • PBX: 192.168.45.235:5060–5065 TCP, 10000–20000 UDP

EXT_IF=enp3s0   # external interface

# DNAT
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 443        -j DNAT --to-destination 192.168.45.230
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 5060:5065   -j DNAT --to-destination 192.168.45.235
iptables -t nat -A PREROUTING -i $EXT_IF -p udp --dport 10000:20000 -j DNAT --to-destination 192.168.45.235

# FORWARD (there and back)
iptables -A FORWARD -i $EXT_IF -o tun0 -d 192.168.45.230 -p tcp --dport 443 \
  -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o tun0 -d 192.168.45.235 -p tcp --dport 5060:5065 \
  -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o tun0 -d 192.168.45.235 -p udp --dport 10000:20000 \
  -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o $EXT_IF \
  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# SNAT (so responses go through the VPN server). Connections DNATed from the
# Internet keep their original source address, which is not in 10.8.0.0/24,
# so the rule must not be restricted to that source: otherwise the LAN hosts
# would answer via the router's own uplink and the connection would break.
iptables -t nat -A POSTROUTING -d 192.168.45.0/24 -o tun0 -j MASQUERADE

Save rules:

netfilter-persistent save
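
Every DNAT rule in PREROUTING is a service exposed to the Internet, so it pays to audit the live rule set against the list of forwards you actually intend. The script below is an added example, not part of the original post: it parses iptables-save output from stdin, prints one line per DNAT rule and returns a non-zero status if any forward is not on the expected list. The sample rule set embedded in it is constructed; it contains the three forwards from this guide plus one stray rule to 192.168.45.240 that should not exist.

```shell
#!/bin/sh
# Added example (not from the original post): list every port forwarded by a
# PREROUTING DNAT rule and flag the ones that are not on the expected list.
# Input is `iptables-save` output on stdin; SAMPLE_RULES is constructed.

EXPECTED_FORWARDS="tcp/443 tcp/5060:5065 udp/10000:20000"

SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i enp3s0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.45.230
-A PREROUTING -i enp3s0 -p tcp -m tcp --dport 5060:5065 -j DNAT --to-destination 192.168.45.235
-A PREROUTING -i enp3s0 -p udp -m udp --dport 10000:20000 -j DNAT --to-destination 192.168.45.235
-A PREROUTING -i enp3s0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.45.240
-A POSTROUTING -d 192.168.45.0/24 -o tun0 -j MASQUERADE
COMMIT'

# audit_dnat "<proto/dport tokens>"  < iptables-save output
# Prints one line per DNAT rule; exit status 1 if any forward is unexpected.
audit_dnat() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^-A PREROUTING / && /-j DNAT/ {
            proto = ""; port = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            key = proto "/" port
            if (key in ok) print "ok " key " -> " dst
            else { print "UNEXPECTED " key " -> " dst; bad++ }
        }
        END { exit bad ? 1 : 0 }'
}

# On a live server:  iptables-save -t nat | audit_dnat "$EXPECTED_FORWARDS"
# Against the constructed sample:  sh audit_dnat.sh sample
if [ "${1:-}" = "sample" ]; then
    printf '%s\n' "$SAMPLE_RULES" | audit_dnat "$EXPECTED_FORWARDS"
fi
```

Run it from cron or a monitoring agent and alert on the non-zero status; a forward that appears without a matching entry in EXPECTED_FORWARDS is either an undocumented change or something to investigate.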

6. Keenetic client configuration

File keenetic.ovpn:

client
dev tun
proto udp
remote <PUBLIC_IP_UBUNTU> 1194
resolv-retry infinite
nobind
persist-key
persist-tun

remote-cert-tls server
tls-auth ta.key 1
key-direction 1
auth SHA256
cipher AES-256-CBC
verb 3

<ca>
-----BEGIN CERTIFICATE-----
... ca.crt ...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
... keenetic.crt ...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
... keenetic.key ...
-----END PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
... ta.key ...
-----END OpenVPN Static key V1-----
</tls-auth>
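
Pasting the four PEM blocks by hand is error-prone: Easy-RSA's issued/*.crt begins with a human-readable dump before the certificate, and ta.key begins with comment lines. The script below is an added example, not part of the original post, and assembles the profile above directly from the PKI. It assumes the Easy-RSA v3 layout (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key), a ta.key produced by openvpn --genkey, and takes the server address as an argument.

```shell
#!/bin/sh
# Added example (not from the original post): build a client .ovpn with the
# CA, client certificate, client key and tls-auth key inlined.
# Assumes the Easy-RSA v3 directory layout and a tls-auth key created with
# `openvpn --genkey secret ta.key`.

# build_ovpn PKI_DIR CLIENT_NAME SERVER_ADDR TA_KEY  > CLIENT_NAME.ovpn
build_ovpn() {
    pki="$1"; name="$2"; server="$3"; ta="$4"
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$ta"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun

remote-cert-tls server
key-direction 1
auth SHA256
cipher AES-256-CBC
verb 3

EOF
    # Only the PEM / static-key block goes inline; the text dump that
    # Easy-RSA puts in front of issued certificates and the comment lines
    # at the top of ta.key are stripped.
    printf '<ca>\n';   sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$pki/ca.crt";            printf '</ca>\n'
    printf '<cert>\n'; sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$pki/issued/$name.crt"; printf '</cert>\n'
    printf '<key>\n';  cat "$pki/private/$name.key"; printf '</key>\n'
    printf '<tls-auth>\n'; sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p' "$ta"; printf '</tls-auth>\n'
}

# Usage: sh build_ovpn.sh ~/easy-rsa/pki keenetic <PUBLIC_IP_UBUNTU> ~/easy-rsa/ta.key > keenetic.ovpn
if [ $# -eq 4 ]; then
    build_ovpn "$1" "$2" "$3" "$4"
fi
```

Because the static key is inline, key-direction 1 alone selects the client side of the tls-auth key; the file-based tls-auth ta.key 1 line is not needed in a profile uploaded to the router. The generated file contains the client's private key, so transfer it over an encrypted channel and delete the copy once it is on the Keenetic.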

Upload in Keenetic interface: Internet → VPN Clients → OpenVPN → Upload profile.

  • Uncheck: “Use for internet access” (otherwise all traffic will go through VPN).

✅ Result

Now the Ubuntu server acts as a VPN gateway, and Keenetic provides access to its local network (192.168.45.0/24). Additionally, port forwarding is set up for services behind the router.
