This article will show you how to install and set up an OpenVPN server on Ubuntu 14.04, with pictures. Just follow along, and if you run into any trouble, comment below.
Before we dive into the steps, here are some basic definitions of VPN and OpenVPN.
What is VPN and OpenVPN? VPN stands for Virtual Private Network while OpenVPN is an open-source software application that applies VPN techniques for implementing secure point-to-point connections in routed or bridged configurations and remote access facilities. The VPN server is the underlying component in OpenVPN Access Server that works in the background, responsible for routing, tunneling, encryption, user management, authentication etc. OpenVPN Access Server comes with a Web GUI that helps to manage the underlying components of the VPN server. It is a free mechanism and tool to allow you to browse securely and privately plus it allows you to unblock browsing restriction, avoid website censorship, and to hide your real IP (location).
Now on with the steps.
Requirements
- A server / VPS running Ubuntu. In this guide I use Ubuntu 14.04 x64 with 1GB.
- You will also need a working knowledge of SSH and basic Unix commands.
- If you are using an OpenVZ-based VPS, you have to enable the TUN/TAP option in your VPS control panel. Xen and KVM users do not need to. If you need more info on OpenVZ vs KVM, read this article.
Enable TUN/TAP:
HOW TO INSTALL OPENVPN SERVER
Step 1 – Login to your server as root:
Step 2 – To make sure your Ubuntu repository index is up to date, run apt-get update:
apt-get update
Step 3 – Once you get the “Done” message, install OpenVPN and Easy-RSA with this one-line command:
apt-get install openvpn easy-rsa
Do not forget to answer with Y when asked:
Once done, you’ll see something like this:
Step 4 – Now you need the sample configuration file for OpenVPN. Extract it into /etc/openvpn with this command:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
This gives no output when it's done.
Step 5 – Then open that file in your favorite text editor (I prefer Nano). Type the command and hit Enter, and the editor will show up:
nano /etc/openvpn/server.conf
CONFIGURING OPENVPN SERVER
Step 6 – Next, there are several lines in that file you need to edit (configuring OpenVPN):
6.1 – Look for the section called Diffie hellman parameters:
then change dh dh1024.pem to dh dh2048.pem so the server uses 2048-bit Diffie-Hellman parameters instead of 1024-bit ones.
6.2 – Next, find this section as well:
This section tells the VPN server to route all of the clients' web traffic through the tunnel (redirect-gateway). Simply uncomment that part so it looks like this:
6.3 – Now let’s move to the next section just right after the previous one, just move down a bit.
Again, uncomment the two configuration lines so it looks like this:
That section tells OpenVPN to push DNS resolvers to the clients, using OpenDNS by default; you can change that to Google DNS as well (8.8.8.8 and 8.8.4.4).
6.4 – The last one, look for this section:
Uncomment that section so OpenVPN drops root privileges after startup and runs as the unprivileged user nobody / group nogroup:
That’s it. Now save changes and exit. If you are using the Nano editor like me, simply hit Control+O then Control+X.
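The same four edits of step 6 can be applied and verified with sed and grep instead of by hand. This is an added example, not from the original article: the configuration fragment below is a constructed copy of the relevant stock server.conf lines, and the functions operate on any path you pass them (run them against a copy before touching /etc/openvpn/server.conf).

```shell
#!/bin/sh
# Added example: apply the step 6 edits to an OpenVPN server.conf and check them.
# Constructed sample of the relevant lines from the stock Ubuntu 14.04 server.conf.
SAMPLE_CONF='dh dh1024.pem
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nogroup'

# Rewrite CONF: 2048-bit DH, full-tunnel redirect, DNS push, drop root privileges.
configure_server_conf() {
  conf="$1"
  sed -e 's/^dh dh1024\.pem$/dh dh2048.pem/' \
      -e 's/^;push "redirect-gateway def1 bypass-dhcp"$/push "redirect-gateway def1 bypass-dhcp"/' \
      -e 's/^;push "dhcp-option DNS /push "dhcp-option DNS /' \
      -e 's/^;user nobody$/user nobody/' \
      -e 's/^;group nogroup$/group nogroup/' \
      "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Return 0 only when every directive from step 6 is active (not commented out) in CONF.
check_server_conf() {
  conf="$1"
  grep -q '^dh dh2048\.pem$' "$conf" &&
  grep -q '^push "redirect-gateway def1 bypass-dhcp"$' "$conf" &&
  [ "$(grep -c '^push "dhcp-option DNS ' "$conf")" -eq 2 ] &&
  grep -q '^user nobody$' "$conf" &&
  grep -q '^group nogroup$' "$conf"
}

# Write the constructed sample to a temp file, configure it (or not), run the check.
demo() {                                  # usage: demo configure | demo raw
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_CONF" > "$tmp"
  if [ "$1" = configure ]; then configure_server_conf "$tmp"; fi
  if check_server_conf "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}
```

check_server_conf is also handy after a later package upgrade to confirm the directives were not reverted.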
Step 7 – You also need to enable IP forwarding, so the server's kernel forwards traffic from client devices out to the Internet. To enable it for the running kernel right away, issue this command:
echo 1 > /proc/sys/net/ipv4/ip_forward
It will output nothing.
To make the setting survive a reboot, edit the sysctl.conf file using Nano or your favorite editor:
nano /etc/sysctl.conf
Now Uncomment the line to enable packet forwarding for IPv4:
make it like this:
Now save changes and exit (Control+O then Control+X in Nano)
Step 8 – Next, issue these two commands to tell UFW to keep allowing SSH and to allow UDP traffic over port 1194:
# allow ssh
ufw allow ssh
# allow UDP traffic over port 1194
ufw allow 1194/udp
* UFW = Uncomplicated Firewall, the firewall application that comes by default in Ubuntu 14.04. Allowing SSH first matters: once UFW is enabled in step 10 it will block everything else, including your own session.
Step 9 – Change UFW’s primary configuration file by setting its forwarding policy using Nano:
nano /etc/default/ufw
In that file, look for this line: DEFAULT_FORWARD_POLICY="DROP"
and replace DROP with ACCEPT.
Step 10 – You also have to add UFW rules for network address translation (NAT) and IP masquerading of connected clients. Open the file with this command:
nano /etc/ufw/before.rules
Then add this section right after the "rules.before" comment block (near the top). Copy and paste this setting (the 10.8.0.0/24 source range is the default VPN subnet set by the server directive in server.conf; adjust it if you changed that):
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
so it looks like this:
Save changes and close the editor (Control+O then Control+X in Nano). Done? Now enable UFW:
ufw enable
Answer Y when asked.
BUILD THE CERTIFICATE AUTHORITY FOR OPENVPN
Step 11 – Copy the Easy-RSA generation scripts into the OpenVPN directory and create a directory called easy-rsa/keys:
cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
Step 12 – Now edit a few variables using your favorite editor:
nano /etc/openvpn/easy-rsa/vars
Scroll down the page a bit and look for the default values of the fields that will be placed in the certificate; change them according to your preferences:
Step 19 – Also look for this line:
export KEY_NAME="EasyRSA"
and change the "EasyRSA" part to "server" for simplicity.
Now save changes and exit the editor.
Step 20 – Next, generate the Diffie-Hellman parameters using this command:
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
Just wait, as it may take a few minutes to complete:
Step 21 – Now move to the easy-rsa directory and initialize the PKI (Public Key Infrastructure). Issue these commands:
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
The last command, clean-all, clears the working directory of any old or example keys so that you start from a clean state when creating your new ones.
Step 22 – Let’s build the Certificate Authority (CA) using this simple one-line command:
./build-ca
You’ll be asked a series of questions; simply hit Enter for each. Don’t worry, the defaults are already set to the values you entered earlier:
Step 23 – Next, build the server’s key with this command:
./build-key-server server
You can replace server with whatever you defined in step 19 above. E.g., if the export KEY_NAME is servermom then it looks like this:
./build-key-server servermom
You’ll again be asked a series of questions; simply hit Enter until you see a message saying Database Updated.
Step 24 – Now that the server certificate and keys are created, copy them into the OpenVPN directory and list it to confirm:
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
ls /etc/openvpn
You should now see the three files in place. server.key is the server's private key; keep it readable by root only.
Step 25 – That’s it. Now you can start OpenVPN using this simple command:
service openvpn start
At any time you can make sure it is running by issuing this command:
service openvpn status
USING YOUR OPENVPN SERVER
Step 26 – Before you can use your newly built OpenVPN server, you first have to create a certificate and key for each client device that will connect to the VPN. Still in the /etc/openvpn/easy-rsa directory, build authentication credentials for a client, which in this example we call client1. Issue this command:
./build-key client1
You can simply press Enter for each question or change the default values, but make sure the last two questions (challenge password and company name) are left blank (hit Enter). Do not forget to answer Y for the very last questions (sign and commit).
Step 27 – Now copy the example client configuration file to the Easy-RSA key directory and rename it client.ovpn:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
Step 28 – Now download the client1.crt, client1.key, client.ovpn and ca.crt files to your device (PC, smartphone or tablet). Remember that the ca.crt file is stored in the /etc/openvpn/ directory on your server while the other three are in /etc/openvpn/easy-rsa/keys/. Use an encrypted transfer (SFTP/SCP), since client1.key is the client's private key, and do not share one client's key between devices.
You can download those files using FileZilla or WinSCP.
Step 29 – Once downloaded, open the client.ovpn file in a simple text editor like Notepad (in Windows, right-click then Open With...). Look for this line: remote my-server-1 1194. Replace my-server-1 with your server/VPS IP address:
In this example I use Sublime instead of Notepad.
Next, this is optional but may be needed if you want to use it on a non-Windows device (iOS, Android or Linux): uncomment the user and group section:
That’s it. Save changes and exit Sublime.
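Instead of shipping four separate files to each device, the client profile from steps 27 to 29 can be assembled into one self-contained .ovpn with the CA, certificate and key embedded inline, which OpenVPN clients accept in place of the ca/cert/key file references. This is an added example, not code from the original article: it assumes the stock client.conf layout, and the demo uses constructed placeholder files and the documentation address 203.0.113.10 rather than real key material.

```shell
#!/bin/sh
# Added example: build one inline client1.ovpn from client.conf, ca.crt, client1.crt
# and client1.key, set the remote address (step 29) and enable user/group (optional part).

# Emit the inline profile on stdout. Args: CONF CA CERT KEY SERVER_IP
build_inline_ovpn() {
  conf="$1"; ca="$2"; cert="$3"; key="$4"; server="$5"
  # Replace the example hostname, drop the file-based references, uncomment user/group.
  sed -e "s/^remote my-server-1 1194$/remote $server 1194/" \
      -e '/^ca ca\.crt$/d' -e '/^cert client\.crt$/d' -e '/^key client\.key$/d' \
      -e 's/^;user nobody$/user nobody/' -e 's/^;group nogroup$/group nogroup/' \
      "$conf"
  # Append each PEM file inside its OpenVPN inline tag.
  for pair in "ca:$ca" "cert:$cert" "key:$key"; do
    tag=${pair%%:*}; file=${pair#*:}
    printf '<%s>\n' "$tag"; cat "$file"; printf '</%s>\n' "$tag"
  done
}

# Return 0 when the profile names SERVER_IP, embeds all three blocks and keeps no file refs.
check_inline_ovpn() {
  f="$1"; server="$2"
  grep -q "^remote $server 1194$" "$f" &&
  grep -q '^<ca>$' "$f" && grep -q '^<cert>$' "$f" && grep -q '^<key>$' "$f" &&
  ! grep -Eq '^(ca ca\.crt|cert client\.crt|key client\.key)$' "$f"
}

# Demo on constructed placeholder files in a temp dir (no real keys involved).
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'client' 'remote my-server-1 1194' 'ca ca.crt' 'cert client.crt' \
    'key client.key' ';user nobody' ';group nogroup' > "$d/client.conf"
  for f in ca.crt client1.crt client1.key; do
    printf -- '-----BEGIN PLACEHOLDER-----\n-----END PLACEHOLDER-----\n' > "$d/$f"
  done
  build_inline_ovpn "$d/client.conf" "$d/ca.crt" "$d/client1.crt" "$d/client1.key" \
    203.0.113.10 > "$d/client1.ovpn"
  chmod 600 "$d/client1.ovpn"          # the profile now contains the private key
  if check_inline_ovpn "$d/client1.ovpn" 203.0.113.10; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}
```

Because the resulting file carries the private key, treat it like client1.key itself: generate one per device and transfer it over an encrypted channel only.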