The purpose of OpenVPN is simple: it lets devices connect to one another within a single secure network. It keeps online data safe by tunneling it through an encrypted connection to a VPN server. So if you're looking for a reliable, easy-to-use system that is adaptable enough to work with any operating system, OpenVPN is a no-brainer.
Presented by VEXXHOST, provider of Openstack based Public and Private Cloud Infrastructure
https://vexxhost.com/
2. • OpenVPN is one of the most popular and widely used open source software applications that
implement virtual private network (VPN) technologies for creating secure point-to-point or site-to-site
connections in routed or bridged configurations and remote access facilities.
• It uses a custom security protocol that relies on SSL/TLS for key exchange.
• The purpose of OpenVPN is simple: it lets devices connect to one another within a single secure network.
• It keeps online data safe by tunneling it through an encrypted connection to a VPN server.
• So if you're looking for a reliable, easy-to-use system that is adaptable enough to work with any
operating system, OpenVPN is a no-brainer.
3. System Preparation
• We are going to set up OpenVPN on a base installation of Ubuntu Server 14.04. Let's prepare
the base environment before starting the OpenVPN installation.
• The only prerequisites are an installed Ubuntu 14.04 operating system and sufficient root-level
privileges to perform general maintenance on your server.
4. System Preparation
• Update your system to refresh the local repository database with the command below.
root@ubuntu-14:~# apt-get update
• If you are running an older version of your operating system and need to upgrade all of your installed
packages, run the command below.
root@ubuntu-14:~# apt-get upgrade
5. OpenVPN and RSA Installation
• Once your system is up to date, install OpenVPN and Easy-RSA by running
the following command as the root user.
root@ubuntu-14:~# apt-get install openvpn easy-rsa
• The command installs the new packages along with their dependencies.
• Before the installation starts, you will be asked to confirm it by typing `Y`
for yes or `N` for no.
7. OpenVPN Server Configuration
• OpenVPN ships with sample server configuration files that can be extracted into the `/etc/openvpn`
directory for further use.
• Now point to the directory where these example configurations are located and extract the
archive into the required directory with the command below.
root@ubuntu-14:~# gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
8. OpenVPN Server Configuration
• Now open the `server.conf` file with any editor and make the required changes to its
configuration parameters.
root@ubuntu-14:~# vim /etc/openvpn/server.conf
• To configure the Diffie-Hellman parameters in the configuration file, we update the value to
double the RSA key length used when generating server and client keys.
#dh dh1024.pem
dh dh2048.pem
9. OpenVPN Server Configuration
• To configure the parameters so that the VPN server forwards the client's web traffic to its
destination, we uncomment the line below in the `server.conf` file.
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1 bypass-dhcp"
• To configure the public DNS servers provided by opendns.com, uncomment the two lines under this
section so that they look like this.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
10. OpenVPN Server Configuration
• OpenDNS is the default DNS resolver in the sample OpenVPN configuration, but we can use whichever DNS
service we prefer. Once the necessary parameters have been configured, save the changes
and close the file (with `:wq!` if you are using the vim editor).
11. Setup the Certificate Authority
• We are going to set up a certificate authority that allows your server to generate public and private
certificates for other computers.
• This is one of the most important steps in setting up encrypted communication between the different
computers.
• We will use Easy-RSA's scripts, so copy the Easy-RSA generation scripts into the `/etc/openvpn`
directory.
root@ubuntu-14:~# cp -r /usr/share/easy-rsa/ /etc/openvpn
12. Setup the Certificate Authority
• If you list the easy-rsa directory, you will see its various certificate files and directories.
• Under the easy-rsa directory, we create a new directory for key storage.
root@ubuntu-14:~# mkdir /etc/openvpn/easy-rsa/keys
13. Setup the Certificate Authority
• Next, edit `/etc/openvpn/easy-rsa/vars`, adjusting the information to your environment. This
information is copied into the certificates and keys and will help identify the keys later.
root@ubuntu-14:/etc/openvpn/easy-rsa# vim vars
14. Setup the Certificate Authority
# X509 Subject Field
export KEY_NAME="EasyRSA"
• The highlighted variables (such as `KEY_NAME` above) should be updated according to your own environment. You also
need to update the OpenVPN configuration lines that reference `server.crt` and `server.key`
so that they match your `KEY_NAME`; otherwise the openvpn service will not start.
root@ubuntu-14:/etc/openvpn# vim server.conf
#cert server.crt
cert EasyRSA.crt
#key server.key # This file should be kept secret
key EasyRSA.key
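The edits from slides 8 to 14 are easy to leave half-done, and a stale `dh dh1024.pem` or a `cert`/`key` name that does not match `KEY_NAME` only shows up when the service refuses to start. The shell script below is an added example (not part of the original deck) that audits a `server.conf` for exactly those settings; the two sample configs it writes are constructed fixtures, and `EasyRSA` is the `KEY_NAME` used in this walkthrough.

```shell
#!/bin/sh
# Added example (not from the original deck): audit a server.conf for the
# directives this walkthrough changes. In OpenVPN syntax a line starting with
# ';' or '#' is a comment, so only uncommented (active) lines count.

# active_directive FILE TEXT -> prints active lines starting with TEXT
active_directive() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# check_server_conf FILE KEY_NAME -> 0 if all expected directives are active,
# 1 otherwise (each gap is reported on stdout)
check_server_conf() {
    conf=$1; name=$2; rc=0
    active_directive "$conf" 'dh dh2048.pem' >/dev/null \
        || { echo "MISSING: dh dh2048.pem"; rc=1; }
    active_directive "$conf" 'dh dh1024.pem' >/dev/null \
        && { echo "WEAK: dh dh1024.pem is still active"; rc=1; }
    active_directive "$conf" 'push "redirect-gateway def1 bypass-dhcp"' >/dev/null \
        || { echo "MISSING: push redirect-gateway (client traffic not sent via VPN)"; rc=1; }
    dns=$(active_directive "$conf" 'push "dhcp-option DNS' | wc -l | tr -d ' ')
    [ "$dns" -ge 1 ] || { echo "MISSING: push dhcp-option DNS (clients keep local DNS)"; rc=1; }
    active_directive "$conf" "cert $name.crt" >/dev/null \
        || { echo "MISSING: cert $name.crt (must match KEY_NAME or openvpn will not start)"; rc=1; }
    active_directive "$conf" "key $name.key" >/dev/null \
        || { echo "MISSING: key $name.key"; rc=1; }
    return $rc
}

# write_samples DIR: constructed fixtures, the sample config as shipped and as
# edited in slides 8-14 (only the lines relevant to the checks above)
write_samples() {
    cat > "$1/unedited.conf" <<'EOF'
dh dh1024.pem
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
cert server.crt
key server.key
EOF
    cat > "$1/edited.conf" <<'EOF'
#dh dh1024.pem
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
#cert server.crt
cert EasyRSA.crt
#key server.key
key EasyRSA.key
EOF
}
```

Run it against the live file with `check_server_conf /etc/openvpn/server.conf EasyRSA` before starting the service.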
15. Setup the Certificate Authority
• Now we are going to generate the Diffie-Hellman parameters by executing the command below. It
might take a few minutes to complete.
root@ubuntu-14:/etc/openvpn/easy-rsa# openssl dhparam -out /etc/openvpn/dh2048.pem 2048
16. Setup the Certificate Authority
• We'll clear the working directory of any old or test keys to make way for the new ones by
executing the command below.
root@ubuntu-14:/etc/openvpn/easy-rsa# ./clean-all
• Now we build the certificate authority (CA) by invoking an interactive OpenSSL command. You can
accept the default settings at each prompt, since we already configured them in the previous steps, so
simply press `enter` for each option. If you need to change any option, you can also do so here.
root@ubuntu-14:/etc/openvpn/easy-rsa# ./build-ca
18. Creating Server Certificate
• Now we are going to set up the public and private keys for the actual server. This allows the server to
set up its end of the encrypted tunnel between itself and any other computer.
root@ubuntu-14:/etc/openvpn/easy-rsa# ./build-key-server EasyRSA
• Working in the same directory, we entered the command to build the server's key with the export
key name we configured earlier.
• This generates a 2048-bit RSA private key, and we will be asked to enter the information
that will be incorporated into the certificate request.
19. Creating Server Certificate
• In addition to the options we had already configured previously, you will be asked to enter some
extra attributes as shown.
20. Creating Server Certificate
• We have successfully created the new certificates for the server; now we have to copy these certificates into the
`/etc/openvpn` directory.
root@ubuntu-14:/etc/openvpn/easy-rsa/keys# cp EasyRSA.crt EasyRSA.key ca.crt /etc/openvpn/
• The output shows that we have successfully installed and configured an operational OpenVPN server. In the next
steps we will show you its client setup.
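Because a certificate and key that do not belong together, or a certificate that was not signed by `ca.crt`, only surface as a service that will not start, it is worth checking the Easy-RSA output before copying it. The script below is an added example, not part of the original deck: `vpn_cert_check` uses only the `openssl` CLI, and `make_test_pki` builds a constructed throwaway CA and server pair standing in for what `./build-ca` and `./build-key-server EasyRSA` produce.

```shell
#!/bin/sh
# Added example (not part of the original deck): pre-flight checks on the files
# Easy-RSA produced, run before they are copied into /etc/openvpn. The cert and
# key named after KEY_NAME must be a matching pair and the cert must chain to
# ca.crt, otherwise the openvpn service will not start. Needs only the openssl CLI.

# vpn_cert_check CA_CRT CERT KEY -> 0 if every check passes, 1 otherwise
vpn_cert_check() {
    ca=$1; crt=$2; key=$3; rc=0
    # 1. the certificate must be signed by our CA
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not chain to $ca"; rc=1; }
    # 2. certificate and private key must carry the same public key
    cert_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key is not the private key for $crt"; rc=1; }
    # 3. the certificate must still be valid an hour from now
    openssl x509 -in "$crt" -noout -checkend 3600 >/dev/null 2>&1 \
        || { echo "FAIL: $crt is expired or about to expire"; rc=1; }
    return $rc
}

# make_test_pki DIR: constructed throwaway CA, server cert/key and an unrelated
# key, standing in for the output of ./build-ca and ./build-key-server EasyRSA
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=EasyRSA" \
        -keyout "$d/EasyRSA.key" -out "$d/EasyRSA.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/EasyRSA.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/EasyRSA.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
}
```

On the server, run `vpn_cert_check ca.crt EasyRSA.crt EasyRSA.key` inside `/etc/openvpn/easy-rsa/keys`; the same function works for each client pair (`ca.crt client1.crt client1.key`).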
21. OpenVPN Client Configurations
• We are going to set up the OpenVPN client that will connect to the OpenVPN server, starting with the
package installation on the client machine, which is also running Ubuntu 14.04.
• Use the following command to start the installation of OpenVPN as shown.
root@ubuntu-client:~# apt-get install openvpn
23. OpenVPN Client Configurations
• Now copy the `client.conf` file from the OpenVPN example files into the `/etc/openvpn/` directory of your
OpenVPN client host.
root@ubuntu-client:~# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
• You can repeat this section for new clients by replacing the name of each device with the appropriate
client name.
24. OpenVPN Client Key and Certs Building
• As we did for the OpenVPN server's key and certificate, we repeat the step to generate the new client certificates and
keys.
• To create separate authentication credentials for each device that we want to connect to the VPN, we generate a
new certificate under a separate name for each device.
root@ubuntu-14:/etc/openvpn/easy-rsa# ./build-key client1
26. Transferring Certs and Keys to Client Device
• Now we need to transfer the client certificate, key and profile template files to a directory on our client device.
• You can use the `scp` command below to copy the files from your server to the client machine by giving the source path and
destination path.
root@ubuntu-14:/etc/openvpn/easy-rsa/keys# scp client1.crt client1.key root@xx.xx.xx.xx:/etc/openvpn/
28. Transferring Certs and Keys to Client Device
• Let's make some configuration changes in `client.conf` so that it references the correct cert and key names, as follows.
root@ubuntu-client:/etc/openvpn# vim client.conf
ca ca.crt
cert client1.crt
key client1.key
• Also change the following line to the OpenVPN server's hostname or IP address and port, which the client
device will connect to.
remote xx.xx.xx.xx 1194
29. Transferring Certs and Keys to Client Device
• Now save the changes with `:wq!` and start the `openvpn` service on the client device.
root@ubuntu-client:/etc/openvpn# service openvpn start
30. Transferring Certs and Keys to Client Device
• You should see in `ifconfig` that a `tun` interface has appeared.
31. Transferring Certs and Keys to Client Device
• Similarly, if you check on the OpenVPN server side, a new `tun0` interface will also be present.
32. Firewall Rules to Connect VPN Server
• To allow the VPN client to reach machines behind the VPN server, we must add a couple of routes on the
server. First, enable IP forwarding by running the following command.
root@ubuntu-14:~# sysctl -w net.ipv4.ip_forward=1
root@ubuntu-client:~# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
• Now we only need to make a few firewall rules and configuration changes and then re-enable the firewall.
• First we allow SSH and port 1194 on both machines with the following commands.
# ufw allow ssh
# ufw allow 1194/udp
33. Firewall Rules to Connect VPN Server
• Set the default forward policy to ACCEPT (the alternatives are DROP and REJECT). Changing this will most likely
require adjusting your rules, as follows.
root@ubuntu-X:~# vim /etc/default/ufw
#DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"
• Now we add some additional `ufw` rules for network address translation and IP masquerading of connected
clients by adding rules to the `ufw` `before.rules` file as below.
root@ubuntu-14:~# vim /etc/ufw/before.rules
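Slides 33 to 35 add a NAT section to `before.rules`, but the rules themselves were only shown as an image. The script below is an added example and not the deck's own content: `render_nat_rules` prints the masquerade block to place at the top of `before.rules` (assuming the `10.8.0.0/24` subnet that the sample `server.conf` uses and `eth0` as the server's outbound interface), and `vpn_forward_check` confirms the three settings a routed VPN needs, reading them from file paths so it runs against the constructed fixtures here as well as the live files on a server.

```shell
#!/bin/sh
# Added example (not from the original deck): the NAT block the walkthrough adds
# to /etc/ufw/before.rules, plus a check of the three settings a routed VPN needs.
# Assumptions: VPN subnet 10.8.0.0/24 (the sample server.conf default) and eth0
# as the server's outbound interface; adjust both for your environment.

# render_nat_rules SUBNET IFACE -> prints the *nat table to put at the TOP of before.rules
render_nat_rules() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "-A POSTROUTING -s $1 -o $2 -j MASQUERADE" 'COMMIT'
}

# vpn_forward_check IP_FORWARD_FILE UFW_DEFAULTS BEFORE_RULES SUBNET
# Paths are parameters so the check works on fixtures or copies; on a live server
# use /proc/sys/net/ipv4/ip_forward, /etc/default/ufw and /etc/ufw/before.rules.
# Returns 0 when all three settings are in place, 1 otherwise (gaps on stdout).
vpn_forward_check() {
    rc=0
    [ "$(cat "$1")" = "1" ] \
        || { echo "MISSING: net.ipv4.ip_forward=1 (kernel will not route client packets)"; rc=1; }
    grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$2" \
        || { echo "MISSING: DEFAULT_FORWARD_POLICY=\"ACCEPT\" in $2"; rc=1; }
    grep -Eq "^-A POSTROUTING -s $4 .*-j MASQUERADE" "$3" \
        || { echo "MISSING: MASQUERADE rule for $4 in $3"; rc=1; }
    return $rc
}

# make_fixtures DIR: constructed sample files for a correctly configured server
make_fixtures() {
    echo 1 > "$1/ip_forward"
    printf '%s\n' 'DEFAULT_INPUT_POLICY="DROP"' 'DEFAULT_FORWARD_POLICY="ACCEPT"' > "$1/ufw"
    { render_nat_rules 10.8.0.0/24 eth0; echo '*filter'; echo 'COMMIT'; } > "$1/before.rules"
}
```

After editing the live files, `vpn_forward_check /proc/sys/net/ipv4/ip_forward /etc/default/ufw /etc/ufw/before.rules 10.8.0.0/24` tells you which of the three steps is still missing before you enable `ufw`.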
35. Firewall Rules to Connect VPN Server
• After adding the new rules, enable `ufw` and then check its status as shown below. You will be able to see the
status of the newly allowed ports.
36. Firewall Rules to Connect VPN Server
• We have almost finished the OpenVPN server and client setup.
• Finally, make sure your routes are working on either your default gateway or your clients. You can use Wireshark
or tcpdump to check whether your incoming traffic looks correct.
• You can also manually check the routes on Linux or Windows by issuing the `route` command.
37. Conclusion
• In this detailed article, you have learned how to install and configure an OpenVPN server and client
on Ubuntu 14.04.
• You can also install OpenVPN client profiles on other platforms.