A Virtual Private Network (VPN) creates a secure connection over an untrusted network, as if the device were on a private network. If we want to access the internet securely while connected to the Wi-Fi of a restaurant or a shopping mall, a VPN provides the best solution.
OpenVPN is open-source VPN software and a VPN protocol that offers a wide range of configurations as a fully featured Secure Socket Layer (SSL) VPN. People use it for secure VPN connections, and it works across multiple platforms.
This tutorial explains the installation of the OpenVPN server on an Ubuntu 18.04 server. The tutorial contains commands along with snapshots to make the configuration steps as simple as possible.
Step 1. Installation of OpenVPN
We will start with the installation process of both OpenVPN and easy-rsa. These are requirements for setting up the certificates in the next steps.
As OpenVPN is available in Ubuntu's default repositories, we can use sudo apt-get update and sudo apt-get install for installation.
$ sudo apt-get update
$ sudo apt-get install openvpn easy-rsa
Step 2. Creation of Certificate Authority
OpenVPN uses certificates to encrypt the traffic between the server and the clients.
Thus, a Certificate Authority (CA) has to be set up for the creation and management of these certificates.
- First we copy the easy-rsa template to a new directory, and then we enter that directory for configuration.
$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca
- We will use an editor, nano (or any other editor of your choice), to open the file and edit a few variables that will help in certificate creation.
$ nano vars
After that command, the following section has to be edited according to our needs. The default values of these variables should be changed; just make sure no field is left in its default state or blank.
This is the nano editor with the default values of the variables.
After making a few changes in the above section:
NOTE: To perform any operation in the nano editor, for example searching or justifying, you can get help from the operations listed at the bottom of the screen.
To exit the nano editor use Ctrl+X.
- Now we will source the vars file we have just edited.
If we don't have any errors, the following output will be displayed.
$ source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/user/openvpn-ca/keys
Okay! We can now clean up the environment and build the Certificate Authority (CA).
$ ./clean-all
$ ./build-ca
A new RSA key is generated now, and we confirm the details from the vars file by just hitting ENTER on the keyboard.
Step 3. Creation of Server Public/Private Keys
In this step, we will create the server certificate and key pair.
At the end, a question will be displayed about signing the certificate request and committing it. We will hit y and then ENTER, and we're done.
- Now run the following command. You can change [server] in this command to a name of your choice.
We're keeping it as [server] for this tutorial.
$ ./build-key-server [server]
- Next, we will build strong Diffie-Hellman keys.
- And now, we need to generate the HMAC key (ta.key) that tls-auth uses to add an extra signature to the TLS handshake.
$ openvpn --genkey --secret keys/ta.key
Step 4. Creation of Client Public/Private Keys
This step is for the creation of a single client key and certificate.
When running the following commands, hit ENTER to confirm as before, and please leave the password field blank.
$ source vars
$ ./build-key client1
NOTE: You can create password-protected credentials as well. Just use build-key-pass instead of build-key.
Step 5. Configuration of OpenVPN server
- After step 4, we will copy the key files we have created in ~/openvpn-ca/keys into the directory /etc/openvpn.
$ cd ~/openvpn-ca/keys
$ sudo cp ca.crt ca.key [server].crt [server].key ta.key dh2048.pem /etc/openvpn
NOTE: Change the [server].crt and [server].key names according to the [server] name you assigned in step 3. Of these files, the running server reads ca.crt, the server certificate and key, ta.key and dh2048.pem; ca.key is only needed when signing new certificates.
If you have trouble remembering what name you assigned, you can simply use this command and get the following output for your assistance.
- We will extract sample OpenVPN configuration to the default location.
$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
NOTE: Please be careful about the spelling and the spaces in the command; otherwise, it will display an error.
- It's time for the edits in the configuration file. We will open it in the nano editor.
$ sudo nano /etc/openvpn/server.conf
NOTE: In the nano editor, we can search for any keyword by using Ctrl+W.
  - We will first check that OpenVPN points to the right .crt and .key files.
    We have just corrected it by using the name we assigned in step 3, i.e., [server].
  - We will now set up the same HMAC key on the clients and the server.
    We just need to add
    key-direction 0 under the tls-auth key line.
  - Now, we will uncomment a few lines to help establish DNS.
    We will remove the ; (semi-colon) sign before the following lines.
    After removing the sign, we have these lines:
  - Now we will select the ciphers to use.
    Just uncomment the AES cipher and add auth SHA512.
  - Finally, we will stop OpenVPN from running as the root user and make it run under a non-privileged user account.
    Just remove the ; (semi-colon) sign before the following lines.
- In the last step of this section, we will save and close this file and then create the user.
$ sudo adduser --system --shell /usr/sbin/nologin --no-create-home openvpn
The OpenVPN server has been set up now!
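One way to verify the Step 5 edits once the file is saved, as an added example that is not part of the original tutorial. The function names and the before/after excerpts are constructed, and the user nobody / group nogroup lines are an assumption about what the sample file's privilege-dropping lines look like.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): verify the Step 5 edits to server.conf.

# has_directive FILE REGEX: true if an uncommented line starts with REGEX.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_server_conf FILE: one line per check; exit status = failed checks.
audit_server_conf() {
    conf=$1; fails=0
    while IFS='|' read -r label regex; do
        if has_directive "$conf" "$regex"; then echo "ok    $label"
        else echo "FAIL  $label"; fails=$((fails + 1)); fi
    done <<'EOF'
tls-auth key file set|tls-auth[[:space:]]+[^[:space:]]+
key-direction 0 on the server|key-direction[[:space:]]+0
AES cipher selected|cipher[[:space:]]+AES-[0-9]+-[A-Z]+
auth SHA512 set|auth[[:space:]]+SHA512
user directive active|user[[:space:]]+[^[:space:]]+
group directive active|group[[:space:]]+[^[:space:]]+
EOF
    # A daemon told to stay root defeats the privilege drop.
    if has_directive "$conf" '(user|group)[[:space:]]+root'; then
        echo "FAIL  daemon keeps root"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed excerpts (assumed shape of the file before and after the edits).
sample_before() {
    printf '%s\n' 'tls-auth ta.key 0 # This file is secret' \
        ';cipher AES-256-CBC' ';user nobody' ';group nogroup'
}
sample_after() {
    printf '%s\n' 'tls-auth ta.key 0 # This file is secret' 'key-direction 0' \
        'cipher AES-256-CBC' 'auth SHA512' 'user nobody' 'group nogroup'
}
```

On the real server the call would be audit_server_conf /etc/openvpn/server.conf; a non-zero exit status means at least one of the edits is missing or still commented out.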
Step 6. Starting Up the OpenVPN server
- We will first check that the system is ready for the OpenVPN server: the default route exists and IPv4 forwarding is enabled.
$ ip route | grep default
$ sudo sysctl net.ipv4.ip_forward
$ sudo sysctl -w net.ipv4.ip_forward=1
$ sudo sysctl -p
$ sudo sysctl net.ipv4.ip_forward
We will get output like this.
- Now we will start the OpenVPN server and check its status with the following commands.
$ sudo systemctl start openvpn@server
$ sudo systemctl status openvpn@server
We will get the following output, and it is a happy picture to see.
- One more command shows the tun0 interface that the running server has created.
$ ip add show tun0
Step 7. Configuration of Clients
Okay! This is the last step. We will create a client configuration file for the OpenVPN client.
- We are going to create a directory for storing these configurations.
$ cd ~
$ mkdir openvpn-clients
$ cd openvpn-clients
- We will now copy the sample client configuration into the new directory and edit it in nano.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/openvpn-clients/base.conf
$ nano base.conf
Now we will edit a few sections in the nano editor.
  - We will uncomment the following lines by removing the semi-colon sign.
  - Here we will change my-server-1 to the public IP address.
  - Let's turn the following lines into comments by adding # at the start, because we will add the keys and certificates directly into the .ovpn file.
  - Now we will jump to the bottom and add key-direction 1.
    Also, we will make tls-auth ta.key a comment.
  - We will select the cipher to use and add auth SHA512.
Finally, we just need to embed the keys and certificates in the .ovpn file.
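One way to do the embedding, as an added example that is not part of the original tutorial. OpenVPN accepts credentials inline between <ca>, <cert>, <key> and <tls-auth> tags; the function names and the placeholder inputs below are constructed, and the file layout is assumed to be the one used in the earlier steps.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): assemble a single-file client profile.
set -eu

# Keep only the PEM block; easy-rsa .crt files can carry a text dump above it.
pem_only() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# build_ovpn BASE_CONF KEYS_DIR CLIENT_NAME OUT_FILE (hypothetical helper name)
build_ovpn() {
    base=$1 keys=$2 client=$3 out=$4
    for f in "$base" "$keys/ca.crt" "$keys/ta.key" \
             "$keys/$client.crt" "$keys/$client.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # The profile embeds the client's private key, so create it owner-only.
    (
        umask 077
        rm -f "$out"
        {
            cat "$base"
            printf '<ca>\n';       pem_only "$keys/ca.crt";      printf '</ca>\n'
            printf '<cert>\n';     pem_only "$keys/$client.crt"; printf '</cert>\n'
            printf '<key>\n';      cat "$keys/$client.key";      printf '</key>\n'
            printf '<tls-auth>\n'; cat "$keys/ta.key";           printf '</tls-auth>\n'
        } > "$out"
    )
}

# Constructed placeholder inputs (not real key material) so this runs offline.
demo() {
    d=$(mktemp -d)
    printf 'client\nremote 203.0.113.10 1194\nkey-direction 1\n' > "$d/base.conf"
    for n in ca client1; do
        printf 'Certificate:\n    Data: text dump\n%s\n%s\n%s\n' \
            '-----BEGIN CERTIFICATE-----' "placeholder-$n" \
            '-----END CERTIFICATE-----' > "$d/$n.crt"
    done
    printf '%s\nplaceholder\n%s\n' '-----BEGIN PRIVATE KEY-----' \
        '-----END PRIVATE KEY-----' > "$d/client1.key"
    printf '%s\nplaceholder\n%s\n' '-----BEGIN OpenVPN Static key V1-----' \
        '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    build_ovpn "$d/base.conf" "$d" client1 "$d/client1.ovpn"
    echo "$d/client1.ovpn"
}
```

With the tutorial's paths, the call would be build_ovpn ~/openvpn-clients/base.conf ~/openvpn-ca/keys client1 ~/openvpn-clients/client1.ovpn.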
After the configuration of your client, we are able to access and connect to the VPN solution.
You can easily set up OpenVPN by following the above guidelines carefully and noting the small shortcut keys used in the process.
Once the clients are configured, one can easily get OpenVPN access and reach the internet through it by connecting to the VPN.