Continuing the series of VPN articles, we now install OpenVPN on Ubuntu 16.04 Server. OpenVPN is well-known VPN software from the company of the same name. It is somewhat harder to configure than other VPN software, so in this article we will concentrate on server-side configuration and on making .ovpn files. This guide is designed to be run as a non-root user. If you are logged in as root, we first start by adding the non-root user.
Then we give that user sudo rights and log in as the user:
usermod -aG sudo newuser
su newuser
You can skip those steps if you already have non-root users, and most likely you do.
Now, logged in as newuser or any other non-root user, we will install openvpn:
sudo apt-get install openvpn easy-rsa
Server and client Certificates
First of all, we need to make a directory for the certificate authority and edit the vars file:
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
nano vars
Find the lines that have export KEY_ in them and make them look like this:
export KEY_COUNTRY="US"
export KEY_PROVINCE="New York State"
export KEY_CITY="New York City"
export KEY_ORG="Linoxide"
export KEY_EMAIL="firstname.lastname@example.org"
export KEY_OU="LinuxGeeks"
There is also a line named KEY_NAME in the same file; we will simply set its value to server.
After saving the vars file, the next thing we type is:
which should give you a note about the ./clean-all command. So let's run ./clean-all to be sure we are working in a clean environment.
Now we move to the certificate creation part:
It will prompt you with some questions, but since we edited vars the new defaults should be fine, so you can press Enter on every prompt.
Again press Enter, but not on every prompt this time. When it asks you to set a password, leave it empty, and at the end press y to create the certificate. Next is Diffie-Hellman:
It will take some time, so be patient. Next we need ta.key, the shared key used by tls-auth, to improve the security of the server.
openvpn --genkey --secret keys/ta.key
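And then we copy all the relevant files to the /etc/openvpn directory, as openvpn only reads from there. Note that ca.key is the CA's private signing key; the OpenVPN server does not need it at run time, only the machine that signs certificates does.
cd ~/openvpn-ca/keys
sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn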
We are done with the server certificate, so we now create a certificate for client100.
cd ~/openvpn-ca
source vars
./build-key client100
The sourced defaults are ok again, so just press enter and y at the end.
As a starting point, we copy the sample configuration with the following command:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Next we need to edit server.conf to make our server workable. You can use any editor, but here we will use the sed command:
sudo sed -i 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/g' /etc/openvpn/server.conf
# uncomment both sample DNS push lines, whatever resolver addresses they carry
sudo sed -i 's/;push "dhcp-option DNS /push "dhcp-option DNS /g' /etc/openvpn/server.conf
sudo sed -i 's/;user nobody/user nobody/g' /etc/openvpn/server.conf
sudo sed -i 's/;group nogroup/group nogroup/g' /etc/openvpn/server.conf
sudo sed -i 's/;log-append/log-append/g' /etc/openvpn/server.conf
What we did here: we set all traffic to go over OpenVPN, we set the group and user to nogroup and nobody, and we set logs to go to /etc/openvpn/openvpn.log. Following that, we need one more change concerning ta.key:
sudo nano /etc/openvpn/server.conf
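Find the tls-auth line (remove a leading ; if it is commented out) and add key-direction 0 below it, so that the section reads:
tls-auth ta.key 0 # This file is secret
key-direction 0
That is about it for server.conf. Next we need to enable packet forwarding on our Ubuntu server: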
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sysctl -p
The ufw rules also need to be changed to allow masquerading, so add the following at the start of the file, before the *filter line:
sudo nano /etc/ufw/before.rules
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
# 10.8.0.0/24 is the default VPN subnet from the sample server.conf (server 10.8.0.0 255.255.255.0)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Note that you will most likely need to change eth0 to the real name of your internet-facing network interface. Next we enable forwarding in ufw, like we did in sysctl:
sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
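We configure the firewall to allow OpenVPN traffic and restart ufw so the changes are loaded:
sudo ufw allow 1194/udp
sudo ufw disable
sudo ufw enable
Then we start the OpenVPN server and check its status:
sudo systemctl start openvpn@server
sudo systemctl status -l openvpn@server
If all went well, enable OpenVPN to start at boot: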
sudo systemctl enable openvpn@server
For the client configuration part, we use the certificates that we made already, for example client100. We also need client config files:
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
The file we copied is a basic setup, so it needs to be edited.
Then find the line that says remote and change it to point to your server's IP address or FQDN.
remote your.serv.ipor.fqdn 1194
Save that, as we will do the rest of the editing with sed and echo commands. The files live in our own home directory, so sudo is not needed here:
sed -i 's/;user nobody/user nobody/g' ~/client-configs/base.conf
sed -i 's/;group nogroup/group nogroup/g' ~/client-configs/base.conf
sed -i 's/ca ca.crt/#ca ca.crt/g' ~/client-configs/base.conf
sed -i 's/cert client.crt/#cert client.crt/g' ~/client-configs/base.conf
sed -i 's/key client.key/#key client.key/g' ~/client-configs/base.conf
echo key-direction 1 >> ~/client-configs/base.conf
So what did we do here? We first set the user and group to nobody and nogroup. Then we commented out the certificate paths, as we will embed the certificates inline in the .ovpn file. Then we added the key-direction 1 parameter.
Script for making client configs
To embed the client configuration, keys and certificates into a single .ovpn file for easier transfer to remote clients, we are going to use a simple script. Let's do
And then paste this pastebin there. After saving this, we need to add the executable bit, so run this command:
chmod +x ~/client-configs/make_config.sh
Then we can easily create config files:
cd ~/client-configs
./make_config.sh client100
ls ~/client-configs/files
The syntax of the command is simple: you need to be inside the client-configs directory and run the command with an argument giving the name of the client that you created earlier. If you need more clients, create more client certificates with other names and rerun this command. If all went well, the client-configs/files directory should have .ovpn file(s) in it. You need to transfer those to your client or clients, and connect. I will do it with scp; from my Fedora laptop I ran a command like this:
scp email@example.com:/home/newuser/client-configs/files/client100.ovpn /home/miki/Documents/
From there you can load it on an Android phone with a USB cable or over AirDroid, or on a Windows VM, or on a Mac. For Linux Network Manager you would need to disassemble the file
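A sketch of what such a script can look like, as an added example rather than the pastebin script this article refers to: make_ovpn appends the CA certificate, client certificate, client key and ta.key to base.conf inside OpenVPN's inline <ca>, <cert>, <key> and <tls-auth> blocks, and split_ovpn takes such a file apart again for clients that want separate files. The function names and argument order are assumptions made for this example, and the demo at the end runs on constructed placeholder files, not real keys.

```bash
#!/bin/bash
# Added example, not the article's pastebin script; function names and
# argument order are assumptions made for this illustration.

# make_ovpn KEY_DIR BASE_CONF CLIENT OUT_DIR -> writes OUT_DIR/CLIENT.ovpn
make_ovpn() {
    local key_dir="$1" base_conf="$2" client="$3" out="$4/$3.ovpn" f
    # Refuse to write a partial profile if any input is missing or empty.
    for f in "$base_conf" "$key_dir/ca.crt" "$key_dir/$client.crt" \
             "$key_dir/$client.key" "$key_dir/ta.key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    rm -f "$out"     # recreate, so the umask below decides the permissions
    (
        umask 077    # the profile embeds a private key: owner-only from creation
        {
            cat "$base_conf"
            echo '<ca>';       cat "$key_dir/ca.crt";      echo '</ca>'
            echo '<cert>';     cat "$key_dir/$client.crt"; echo '</cert>'
            echo '<key>';      cat "$key_dir/$client.key"; echo '</key>'
            echo '<tls-auth>'; cat "$key_dir/ta.key";      echo '</tls-auth>'
        } > "$out"
    )
}

# split_ovpn PROFILE OUT_DIR -> writes ca.crt, client.crt, client.key, ta.key
split_ovpn() {
    local profile="$1" out_dir="$2"
    (
        umask 077
        awk -v dir="$out_dir" '
            BEGIN { name["ca"] = "ca.crt"; name["cert"] = "client.crt"
                    name["key"] = "client.key"; name["tls-auth"] = "ta.key" }
            /^<\/(ca|cert|key|tls-auth)>$/ { close(out); out = ""; next }
            /^<(ca|cert|key|tls-auth)>$/ { out = dir "/" name[substr($0, 2, length($0) - 2)]; next }
            out != "" { print > out }
        ' "$profile"
    )
}

# Demo on constructed placeholder files (not real keys) in a scratch directory.
demo=$(mktemp -d)
mkdir "$demo/keys" "$demo/files" "$demo/split"
for f in ca.crt client100.crt client100.key ta.key; do
    printf 'constructed placeholder for %s\n' "$f" > "$demo/keys/$f"
done
printf 'client\nremote your.serv.ipor.fqdn 1194\nkey-direction 1\n' > "$demo/base.conf"
make_ovpn "$demo/keys" "$demo/base.conf" client100 "$demo/files"
split_ovpn "$demo/files/client100.ovpn" "$demo/split"
```

With the layout used in this article the call would be make_ovpn ~/openvpn-ca/keys ~/client-configs/base.conf client100 ~/client-configs/files.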
That is it for the server configuration; next we need to connect from various clients. For Android we can use OpenVPN Connect, for Mac Tunnelblick, for Windows there is OpenVPN from the official site, and for Linux there is Network Manager. We will cover all of this in some of the following articles.