Important information

      • Control panel: control panel is avaible at cba.pl/panel/.
      • Mail: mail is avaible at cba.pl/mail/.
      • FTP: you can easily enter your FTP using our filemanager, which is avaible at cba.pl/ftp/.
      • Forum: if you need help, you can ask for it on our forum, which is avaible at cba.pl/forum/.

      General information

      • Terms of Service are avaible at cba.pl/en/terms-of-service/.
      • To enter control panel use your username, /your website's address/ or email and a password that was set when you created an account.
      • To use mailbox you need to create an email account in the control panel first.
      • For example, if you have an account "happy", a web site happy.cba.pl and you create an email account named “user”, your login to the mailbox and your email will look like this: "user@happy.cba.pl".

        You can send and receive emails using an external program like Microsoft Outlook, Mozilla Thunderbird or other. Login and password are the same as for mailbox in browser.

      • Mail server is mail.cba.pl.
      • FTP server is your website's address (e.g. happyuser.cba.pl)
      • If you already own a domain and you create a new hosting account for this domain, all needed information will be automatically added. The only thing left for you to do is enter our DNS servers in the control panel of the registrator of your domain:
        • ns1.cba.pl
        • ns2.cba.pl
        • ns3.cba.pl
      • You do not need to change information about the DNS servers in case you have registered your domain on our hosting — it will be configured automatically and added to the chosen account.

      • All rules for the accounts with our domains are valid for accounts with domains that were not registered on our hosting.
      • For example, your FTP login will look like this: "happy@happyuser.cba.pl", if you create FTP account named “happy” and you own a domain happyuser.cba.pl. The main domain (connected, for example, to the FTP logins) is always the first domain of the hosting account, the one that was chosen while creating the hosting account. In the email account names created for this hosting account the part after "@" may be picked among all the domains connected to this hosting account.

      • In case you have any troubles visit our forum to find help.

      Frequently asked questions

      • Is the usage of the FREE account really free of charge?

        YES, you do NOT have to pay for the usage of FREE accounts on our hosting. But there will be a banner with advertisement located on the top of your webpage.

      • I do not like the banner with the advertisement on my web site, may I change its location or remove it completely?

        This banner is located on the top of the page on purpose, you can not change its location or remove it on your own. Thanks to this banner you have a possibility to use our services for free.
        Advertisements are automatically adjusted to the webpage background (a background parameter for body or CSS style). You can change this parameter, changing the color of the banner at the same time.
        You can remove advertisements completely by upgrading to Pro or VIP account. Banners are not displayed on the webpage from the moment you pay for the upgrade and till the end of validity period of the service package.

      • How many accounts may I create on CBA.pl?

        You can create one hosting account (profile) per one email address.
        One profile in the control panel may include many hosting accounts. Each account is an independent website with independent domains, MySQL accounts, FTP accounts, mailbox and other.

      • If I buy PRO or VIP service package, will it be active for all my hosting accounts in the control panel?

        No. Each account is an independently functioning website. Service packages and upgrades you buy for each of them are active only on the account for which they were bought. This system has been created for those users who want to manage different kinds of sites from one control panel. They have a possibility to adjust hosting parameters for each site. Each hosting account may include many independent domains (sites), there is a separated catalog on FTP and individual FTP account for each of them.

      • Can I receive from you a VAT invoice and pro forma invoice? Can I receive an invoice for my company?

        Unfortunately, we do not provide VAT invoices, we can give you only an invoice without VAT included. You can get it both as a privat person and for your company. When payment is done, your invoice will be available for downloading in the Payments section in the control panel. If you need a pro forma invoice, contact us: {supportMail}, and we will give you an invoice to pay in 7 or 14 days.

      • I can not log in to my hosting account/FTP account/database/email account, what should I do?

        If you forgot a password to your hosting account, try to reset your password. If you do not have an access to the email account to which you are suppose to receive a link to confirm resetting a password - contact us: {supportMail}.

        If you forgot a password to your FTP account, you can set a new password in the FTP Accounts section in the user panel.

        If you forgot a password to your database, you can set a new password in the Databases section in the user panel. But be aware that after this there will be an error connecting to database shown on your website. You need to change the password in the files of your website accordingly (or in your CMS).

        If you forgot a password to your email account, you can set a new one in the Email Accounts section in the user panel.

      • I would like to contact hosting administrators, how can I do that?

        You can contact hosting administrators in three different ways:

        • On forum, where few users are in direct contact with administrators and they will let them know if needed;
        • Via email: {supportMail}, you will get an answer from the customer support service;
        • You can create a new topic in the control panel (Support -> Create), you will also get an answer from the customer support service
        • On our Facebook page: www.facebook.com/hostingcba.

      • I have found an error on the hosting or I have problems with some functions, what should I do?

        Let us know using any method mentioned above.

      • I received an email from the CBA.pl administration with the demand to provide my login and password to the control panel/database, what should I do?

        Administators of CBA.pl never send emails to their users, especially with the demand to provide logins and passwords. This email is from cheater, who is trying to get your data to access your account.

      • I have found a site that violates the hosting rules! / I have found a site that plagiates my own site!

        Let us know in this topic on the forum.

      • How to create a database? Where can I find data to access my MySQL database? How many database users may I create?

        You can create a database in the control panel in Databases section. Click "+ Add", set up login and password. The database name will be created automatically, it will be based on your site’s address (special symbols will be changed to "_"). For example, for the site happyuser.cba.pl database will have following parameters:

        • MySQL server: mysql.cba.pl
        • Server MySQL for external connections: your domain (e.g. happyuser.cba.pl). Attention: you can set up an external connections only if you have a Pro/VIP account.
        • Port: 3306 (phpBB By Przemo: 80)
        • Login, password: same as you set up when you created your database
        • Database name: created automatically, it is based on your site’s address, for example: happyuser_aba_ae

      • How to create FTP account? Where can I find data to access my FTP? What are the limits?

        When you create a hosting account the FTP account for it is created automatically. It is a common account, its name and login to it look like this: admin@pageaddress (e.g. admin@happyuser.cba.pl). The password to this account by default is the same as the password for your control panel.
        From this general profile FTP account you have an access to all catalogs of all domains from all hosting accounts you have in your profile. You can manage your FTP accounts in the control panel in FTP accounts section. There is a possibility to add and delete them, and you can change passwords there.
        You can access your FTP server using our filemanager or an external program, for example FileZilla.
        You can create FTP account with the access only to the chosen domain — in FTP accounts section in control panel you can click “+Add” and choose a domain you want to create this kind of account for. Login to this account will look like this: login@siteaddress.cba.pl.
        Data for accessing your FTP:

        • FTP server: your site’s address (e.g. happyuser.cba.pl)
        • Login: by default admin@sitesaddress (e.g. admin@happyuser.cba.pl)
        • Password: by default it is the same as for control panel (if you have not changed it)
        • Port: 21 or 210
        • Mode: passive

        The limit of simultaneous connections to one FTP account is four at once. In case you exceed this limit session will be blocked by server for a few seconds — you have to wait a bit and try again with the less number of connections (usually you can configure this in your FTP client’s configuration).
        Maximal size of the file you can upload to FTP is:

        • For FREE accounts: 10 MB
        • For PRO and VIP accounts: 1 GB
      • What kind of domains are avaible on CBA.pl?

        Domains .com, .biz, .net, .org, .info, .de, .uk, .co.uk, .tv and .xyz are avaible on CBA.pl.

      • I have registered a domain and now I want to connect it with my account on CBA.pl / I want to buy a domain and create an account for it or connect it with the existing account on CBA.pl, how to do it?

        When creating an account enter your domain (which you have registrated before at another domain name registrar’s service).
        Enter our DNS servers in the control panel of your domain name registrar:

        • ns1.cba.pl
        • ns2.cba.pl
        • ns3.cba.pl

        After DNS servers are updated (it may take some time, but not more that 48 hours usually) your domain will be active and connected with the hosting account.

        If you are registering a domain at CBA.pl (or creating a new hosting account and registering a domain for it at the same time), all the settings will be set up automatically right after the payment is done.

        Both after purchasing a domain and after connecting the domain to the account there is a 48-hours period during which your domain would not be working as it should. This is the time when the information about the changed DNS servers is spreaded around the web. Usually it lasts way shorter than 48 hours, it may last only for a few hours.

      • How to activate an SSL certificate? Can I use it for domains that do not point to cba.pl servers?

        To buy an SSL certificate, go to the Domains section in the user panel and click on 'SSL' in front of the proper domain. SSL certificates may be enabled only for domains that point to our servers. You can buy SSL certificate only for one year or more.

        If you have a free domain (e.g. happyuser.{brandingNameLC}) and a subdomain/subdomains (e.g. very.happyuser.{brandingNameLC}) and you buy a certificate for it, SSL certificate will be active for both domain and all subdomains. But if you have bought an SSL certificate for a free domain (e.g. happyuser.{brandingNameLC}) and added a subdomain afterwards, SSL certificate will not be active for this subdomain (it is active only for subdomains that exist at the moment when you buy it). If you need an SSL certificate for a newly added subdomain, you can buy it - just press "SSL" in front of this subdomain in the Domains section in user panel and follow the instructions.

      • How to make a domain reassignment?

        To reassign a domain registered on our hosting, fill in this Domain Reassignment Form, sign, scan and send to us: {supportMail}. After that all data will be changed on WHOIS and domain will become a property of the new owner.

      • I enter my site’s address in browser, but my site is not displayed!

        Make sure you uploaded the index.html (may also be .php or .htm) file to the main catalog in your FTP. The same applies to any subpage — for example, when you create a link to subpage.html but you forget to upload this file, you will be redirected to 404 error page.

      • My statistics are not displayed, why?

        Most likely, you are checking them the same day you have created an account. Statistics are updated every night at 3 a.m. Please, wait till that time and they will appear.

      • I have a FREE account and I am trying to upload a 15 MB file. I can not do it, what is the reason?

        Maximal size of the file you can upload is 10 MB. If you need to upload bigger files, upgrade to Pro or VIP — for those accounts this limit is increased to 1 GB.

      • Why there is a CBA.pl logo instead of my pictures on the different sites?

        Because it is a hotlink, and this violates the hosting rules. You are allowed to hotlink only if you have Pro or VIP account.

      • My Pro account has changed to Free before the expiration date, why?

        If the data transmission limit on Pro account has been reached, you account is automatically changed to Free. You need to pay for additional data transmission to go back to Pro.

      • After uploading files or after changing configurations of my protected areas a window with login and password request appears and than I get a message: "Authorization Required"

        Most likely, you have downloaded some .htaccess file together with other files and you do not know the right login and password for it. Enter you FTP using a client which allows hidden files to be visible and rename or delete all .htaccess files.

      • I have a problem with mail, what should I do?

        There is no universal solution for this. Please, copy the error message and create a new topic on our forum in "CBA.pl Customer Support" section or describe your problem in already existing topic. You can also create new ticket in Support section in your control panel or write us an email {supportMail}

      • How to configure my mail client so I could receive email from the *@*cba.pl address?

        Incoming mail server: mail.cba.pl
        Outgoing mail server: mail.cba.pl
        SMTP - port 587 - STARTTLS
        IMAP - port 993 - SSL/TLS
        POP3 - port 995 - SSL/TLS
        Authorization: password (PLAIN/LOGIN)
        Login in your email address.

      • I have a Free account and I am using PHP mail() function, but seems like my emails are not being sent, what may be the reason?

        To use PHP mail() function on Free account you need to create a mailbox in the Mail section in the panel and add it as a sender address in the header From.

        • $to = 'nobody@example.com';
        • $subject = 'the subject';
        • $message = 'hello';
        • $headers = 'From: webmaster@happyuser.cba.pl';
        • mail($to, $subject, $message, $headers);

      • I registered a domain in the control panel and now I want to change DNSes and MX records. How to do it?

        In the Domains section in the control panel click "Edit" in front of the domain. In the popup window choose "No hosting" in the field "Attach to the hosting account". Down there will appear fields where you can change DNS and MX records.

  • Main
  • CMS
  • Troubleshooting

VPN on our VPS

For this article we will use Ubuntu 16.04 and commands mostly related to deb based distros. OpenVPN installation: To install openvpn and easy-rsa we need to execute:
# apt update && apt upgrade 
# apt install easy-rsa openvpn -y
For command will update vps, second will install VPN server. Set Up the CA Directory: OpenVPN is an TLS/SSL VPN. This means that it utilizes certificates in order to encrypt traffic between the server and clients. In order to issue trusted certificates, we will need to set up our own simple certificate authority (CA). To begin, we can copy the easy-rsa template directory into our home directory with the make-cadir command:
$ make-cadir ~/openvpn-ca
Move into the newly created directory to begin configuring the CA:
$ cd ~/openvpn-ca
Configure the CA Variables: To configure the values our CA will use, we need to edit the vars file within the directory. Open that file now in your text editor:
$ nano vars
Inside, you will find some variables that can be adjusted to determine how your certificates will be created. We only need to worry about a few of these. Towards the bottom of the file, find the settings that set field defaults for new certificates. It should look something like this:
. . .
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
. . .
Edit the values in red to whatever you'd prefer, but do not leave them blank:
. . .
export KEY_PROVINCE="Warsaw"
export KEY_CITY="Warsaw"
export KEY_ORG="ABC Hosting"
export KEY_EMAIL="admin@cba.pl"
export KEY_OU="Community"
. . .
While we are here, we will also edit the KEY_NAME value just below this section, which populates the subject field. To keep this simple, we'll call it server in this guide:
export KEY_NAME="server"
When you are finished, save and close the file. To close and save in nano use: ctrl + o and hit enter to save current file and ctrl + x to exit editor. Build the Certificate Authority: Now, we can use the variables we set and the easy-rsa utilities to build our certificate authority. Ensure you are in your CA directory, and then source the vars file you just edited:
$ cd ~/openvpn-ca
$ source vars
You should see the following if it was sourced correctly: NOTE: If you run
, I will be doing a
rm -rf on /home/sammy/openvpn-ca/keys
Make sure we're operating in a clean environment by typing:
$ ./clean-all
Now, we can build our root CA by typing:
$ ./build-ca
This will initiate the process of creating the root certificate authority key and certificate. Since we filled out the vars file, all of the values should be populated automatically. Just press ENTER through the prompts to confirm the selections:
Sample output:
Generating a 2048 bit RSA private key
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated 
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [PL]:
State or Province Name (full name) [Warsaw]:
Locality Name (eg, city) [Warsaw]:
Organization Name (eg, company) [ABC Hosting]:
Organizational Unit Name (eg, section) [Community]:
Common Name (eg, your name or your server's hostname) [ABC Hosting CA]:
Name [server]:
Email Address [admin@cba.pl]:
We now have a CA that can be used to create the rest of the files we need. Create the Server Certificate, Key, and Encryption Files Next, we will generate our server certificate and key pair, as well as some additional files used during the encryption process. Start by generating the OpenVPN server certificate and key pair. We can do this by typing: Note: If you choose a name other than server here, you will have to adjust some of the instructions below. For instance, when copying the generated files to the /etc/openvpn directroy, you will have to substitute the correct names. You will also have to modify the /etc/openvpn/server.conf file later to point to the correct .crt and .key files.
$ ./build-key-server server
Once again, the prompts will have default values based on the argument we just passed in (server) and the contents of our vars file we sourced. Feel free to accept the default values by pressing ENTER. Do not enter a challenge password for this setup. Towards the end, you will have to enter y to two questions to sign and commit the certificate:
Sample output:
. . .

Certificate is to be certified until May  1 17:51:16 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Next, we'll generate a few other items. We can generate a strong Diffie-Hellman keys to use during key exchange by typing:
$ ./build-dh
This might take a few minutes to complete. Afterwards, we can generate an HMAC signature to strengthen the server's TLS integrity verification capabilities:
$ openvpn --genkey --secret keys/ta.key
Generate a Client Certificate and Key Pair Next, we can generate a client certificate and key pair. Although this can be done on the client machine and then signed by the server/CA for security purposes, for this guide we will generate the signed key on the server for the sake of simplicity. We will generate a single client key/certificate for this guide, but if you have more than one client, you can repeat this process as many times as you'd like. Pass in a unique value to the script for each client. Because you may come back to this step at a later time, we'll re-source the vars file. We will use client1 as the value for our first certificate/key pair for this guide. To produce credentials without a password, to aid in automated connections, use the build-key command like this:
$ cd ~/openvpn-ca
$ source vars
$ ./build-key client1
If instead, you wish to create a password-protected set of credentials, use the build-key-pass command:
$ cd ~/openvpn-ca
$ source vars
$ ./build-key-pass client1
Again, the defaults should be populated, so you can just hit ENTER to continue. Leave the challenge password blank and make sure to enter y for the prompts that ask whether to sign and commit the certificate. Configure the OpenVPN Service Next, we can begin configuring the OpenVPN service using the credentials and files we've generated. Copy the Files to the OpenVPN Directory To begin, we need to copy the files we need to the /etc/openvpn configuration directory. We can start with all of the files that we just generated. These were placed within the
directory as they were created. We need to move our CA cert and key, our server cert and key, the HMAC signature, and the Diffie-Hellman file:
$ cd ~/openvpn-ca/keys
$ sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
Next, we need to copy and unzip a sample OpenVPN configuration file into configuration directory so that we can use it as a basis for our setup:
# gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Adjust the OpenVPN Configuration Now that our files are in place, we can modify the server configuration file:
$ sudo nano /etc/openvpn/server.conf
Basic Configuration First, find the HMAC section by looking for the tls-auth directive. Remove the ";" to uncomment the tls-auth line. Below this, add the key-direction parameter set to "0":
tls-auth ta.key 0 # This file is secret
key-direction 0
Next, find the section on cryptographic ciphers by looking for the commented out cipher lines. The AES-128-CBC cipher offers a good level of encryption and is well supported. Remove the ";" to uncomment the cipher AES-128-CBC line:
cipher AES-128-CBC
Below this, add an auth line to select the HMAC message digest algorithm. For this, SHA256 is a good choice:
auth SHA256
Finally, find the user and group settings and remove the ";" at the beginning of to uncomment those lines:
user nobody
group nogroup
(Optional) Push DNS Changes to Redirect All Traffic Through the VPN The settings above will create the VPN connection between the two machines, but will not force any connections to use the tunnel. If you wish to use the VPN to route all of your traffic, you will likely want to push the DNS settings to the client computers. You can do this, uncomment a few directives that will configure client machines to redirect all web traffic through the VPN. Find the redirect-gateway section and remove the semicolon ";" from the beginning of the redirect-gateway line to uncomment it:
push "redirect-gateway def1 bypass-dhcp"
Just below this, find the dhcp-option section. Again, remove the ";" from in front of both of the lines to uncomment them:
push "dhcp-option DNS"
push "dhcp-option DNS"
This should assist clients in reconfiguring their DNS settings to use the VPN tunnel for as the default gateway. (Optional) Adjust the Port and Protocol By default, the OpenVPN server uses port 1194 and the UDP protocol to accept client connections. If you need to use a different port because of restrictive network environments that your clients might be in, you can change the port option. If you are not hosting web content your OpenVPN server, port 443 is a popular choice since this is usually allowed through firewall rules.
# Optional!
port 443
Often if the protocol will be restricted to that port as well. If so, change proto from UDP to TCP:
# Optional!
proto tcp
If you have no need to use a different port, it is best to leave these two settings as their default. (Optional) Point to Non-Default Credentials If you selected a different name during the ./build-key-server command earlier, modify the cert and key lines that you see to point to the appropriate .crt and .key files. If you used the default server, this should already be set correctly:
cert server.crt
key server.key
When you are finished, save and close the file. Adjust the Server Networking Configuration Next, we need to adjust some aspects of the server's networking so that OpenVPN can correctly route traffic. Allow IP Forwarding First, we need to allow the server to forward traffic. This is fairly essential to the functionality we want our VPN server to provide. We can adjust this setting by modifying the /etc/sysctl.conf file:
# sudo nano /etc/sysctl.conf
Inside, look for the line that sets net.ipv4.ip_forward. Remove the "#" character from the beginning of the line to uncomment that setting:
Save and close the file when you are finished. To read the file and adjust the values for the current session, type:
# sudo sysctl -p
Then we need to install iptables and adjust firewall rules:
# apt install iptables
To adjust rules execute following: # iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT # iptables -A INPUT -i tun+ -j ACCEPT # iptables -A FORWARD -i tun+ -j ACCEPT # iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT # iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT # iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE # iptables -A OUTPUT -o tun+ -j ACCEPT Also, please execute this to fix systemd service file for openvpn:
$ sudo sed -i 's/LimitNPROC=10 /#LimitNPROC=10 /' /lib/systemd/system/openvpn@.service
We need to start the OpenVPN server by specifying our configuration file name as an instance variable after the systemd unit file name. Our configuration file for our server is called /etc/openvpn/server.conf, so we will add @server to end of our unit file when calling it:
$ sudo systemctl start openvpn@server
If everything went well, your output should look something that looks like this:
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2016-05-03 15:30:05 EDT; 47s ago
     Docs: man:openvpn(8)
  Process: 5852 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid (code=exited, sta
 Main PID: 5856 (openvpn)
    Tasks: 1 (limit: 512)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─5856 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid

May 03 15:30:05 openvpn2 ovpn-server[5856]: /sbin/ip addr add dev tun0 local peer
May 03 15:30:05 openvpn2 ovpn-server[5856]: /sbin/ip route add via
May 03 15:30:05 openvpn2 ovpn-server[5856]: GID set to nogroup
May 03 15:30:05 openvpn2 ovpn-server[5856]: UID set to nobody
May 03 15:30:05 openvpn2 ovpn-server[5856]: UDPv4 link local (bound): [undef]
May 03 15:30:05 openvpn2 ovpn-server[5856]: UDPv4 link remote: [undef]
May 03 15:30:05 openvpn2 ovpn-server[5856]: MULTI: multi_init called, r=256 v=256
May 03 15:30:05 openvpn2 ovpn-server[5856]: IFCONFIG POOL: base= size=62, ipv6=0
May 03 15:30:05 openvpn2 ovpn-server[5856]: IFCONFIG POOL LIST
May 03 15:30:05 openvpn2 ovpn-server[5856]: Initialization Sequence Completed
You can also check that the OpenVPN tun0 interface is available by typing:
$ ip addr show tun0
You should see a configured interface:
4: tun0: POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
    inet peer scope global tun0
       valid_lft forever preferred_lft forever
Create Client Configuration Infrastructure Next, we need to set up a system that will allow us to create client configuration files easily. Creating the Client Config Directory Structure Create a directory structure within your home directory to store the files:
$ mkdir -p ~/client-configs/files
Since our client configuration files will have the client keys embedded, we should lock down permissions on our inner directory:
$ chmod 700 ~/client-configs/files
Creating a Base Configuration Next, let's copy an example client configuration into our directory to use as our base configuration:
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
Open this new file in your text editor:
$ nano ~/client-configs/base.conf
Inside, we need to make a few adjustments. First, locate the remote directive. This points the client to our OpenVPN server address. This should be the public IP address of your OpenVPN server. If you changed the port that the OpenVPN server is listening on, change 1194 to the port you selected:
. . .
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote server_IP_address 1194
. . .
Be sure that the protocol matches the value you are using in the server configuration:
proto udp
Next, uncomment the user and group directives by removing the ";":
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
Find the directives that set the ca, cert, and key. Comment out these directives since we will be adding the certs and keys within the file itself:
# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
Mirror the cipher and auth settings that we set in the /etc/openvpn/server.conf file:
cipher AES-128-CBC
auth SHA256
Next, add the key-direction directive somewhere in the file. This must be set to "1" to work with the server:
key-direction 1
Finally, add a few commented out lines. We want to include these with every config, but should only enable them for Linux clients that ship with a /etc/openvpn/update-resolv-conf file. This script uses the resolvconf utility to update DNS information for Linux clients.
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
If your client is running Linux and has an /etc/openvpn/update-resolv-conf file, you should uncomment these lines from the generated OpenVPN client configuration file. Save the file when you are finished. Creating a Configuration Generation Script Next, we will create a simple script to compile our base configuration with the relevant certificate, key, and encryption files. This will place the generated configuration in the ~/client-configs/files directory. Create and open a file called make_config.sh within the ~/client-configs directory:
$ nano ~/client-configs/make_config.sh
Inside, paste the following script:
# First argument: Client identifier

cat ${BASE_CONFIG} \
    <(echo -e '') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '\n') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '\n') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '\n') \
    ${KEY_DIR}/ta.key \
    <(echo -e '') \
    > ${OUTPUT_DIR}/${1}.ovpn
Save and close the file when you are finished. Mark the file as executable by typing:
$ chmod 700 ~/client-configs/make_config.sh
Step 11: Generate Client Configurations Now, we can easily generate client configuration files. If you followed along with the guide, you created a client certificate and key called client1.crt and client1.key respectively by running the ./build-key client1 command in step 6. We can generate a config for these credentials by moving into our ~/client-configs directory and using the script we made:
$ cd ~/client-configs
$ ./make_config.sh client1
If everything went well, we should have a client1.ovpn file in our ~/client-configs/files directory:
$ ls ~/client-configs/files
Output: client1.ovpn Transferring Configuration to Client Devices We need to transfer the client configuration file to the relevant device. For instance, this could be your local computer or a mobile device. While the exact applications used to accomplish this transfer will depend on your choice and device's operating system, you want the application to use SFTP (SSH file transfer protocol) or SCP (Secure Copy) on the backend. This will transport your client's VPN authentication files over an encrypted connection. Here is an example SFTP command using our client1.ovpn example. This command can be run from your local computer (OS X or Linux). It places the .ovpn file in your home directory:
$ scp sammy@openvpn_server_ip:client-configs/files/client1.ovpn ~/
Here are several tools for securely transferring files from the server to a local computer:
OVPN file can be used if GUI client for OpenVPN on Windows or Mac OS. Linus has Network Manager GUI that can work with .ovpn files.