
Set Up OpenVPN on Ubuntu 16.04
In this article, we will learn how to configure an OpenVPN server on Ubuntu 16.04. A VPN (Virtual Private Network) lets you reach your workplace network privately and securely from untrusted networks, for instance from hotel or coffee-shop Wi-Fi on a smartphone or laptop: traffic is encrypted between the device and the VPN server, so the local network operator only sees an encrypted tunnel.
OpenVPN is a full-featured, open source SSL/TLS VPN solution that accommodates a wide range of configurations.
Installing OpenVPN
To start the installation, we need an Ubuntu 16.04 machine and a non-root user with sudo privileges.
Log into the Ubuntu machine as that sudo user and continue with the steps below.
OpenVPN is available in Ubuntu's default repositories, so we first refresh the package index. We will also install the easy-rsa package, which provides the scripts for running a small internal CA (certificate authority) for use with our VPN server.
$ sudo apt-get update
After updating the package index, install OpenVPN and easy-rsa:
$ sudo apt-get install openvpn easy-rsa
Setting up the CA Directory
OpenVPN is a TLS/SSL VPN. This means it uses X.509 certificates to authenticate the server and each client, and the TLS handshake between them negotiates the keys that encrypt the tunnel traffic. To issue certificates that the server and clients trust, we will set up our own simple certificate authority (CA).
Copy the easy-rsa template directory into our home directory with the make-cadir command. Run it as the normal user, not with sudo, so that the CA directory and the keys it will contain are owned by us rather than by root:
$ make-cadir ~/openvpn-ca
Change into the newly created directory to begin configuring the CA:
$ cd ~/openvpn-ca
Configure CA Variables
We need to edit the values in the 'vars' file within this directory. Open the file in an editor:
$ nano vars
The file contains variables that determine how our certificates will be created; in this demo we will change some of them.
The block that sets the default subject fields placed in every new certificate looks like this:
. . .
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"
. . .
Edit the values for your region and organisation, and do not leave any of them blank. The values used for this demo are:
. . .
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="in"
export KEY_PROVINCE="AP"
export KEY_CITY="Hyderabad"
export KEY_ORG="RIG"
export KEY_EMAIL="[email protected]"
export KEY_OU="Resource Infomatics Group"

# X509 Subject Field
. . .
Also edit the KEY_NAME value just below this section; for the demo we call it vpn_server:
export KEY_NAME="vpn_server"
Save the file and close it.
Building the CA (Certificate Authority)
We can now use the variables we set to build our certificate authority with the easy-rsa utilities. Change to the CA directory created in the previous steps, source the vars file we edited, clear out any previous key material, and build the CA:
$ cd ~/openvpn-ca
$ source vars
$ ./clean-all
$ ./build-ca
Note that ./clean-all wipes the keys/ directory, so do not run it again later when adding clients, or the CA and every certificate it has issued will be deleted.
build-ca creates the CA certificate (ca.crt) and the CA private key (ca.key) under keys/. Because the subject fields were already set in vars, just press ENTER at each prompt to accept the defaults:
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [New York City]:
Organization Name (eg, company) [DigitalOcean]:
Organizational Unit Name (eg, section) [Community]:
Common Name (eg, your name or your server's hostname) [DigitalOcean CA]:
Name [server]:
Email Address [[email protected]]:
Creating the Server Certificate, Key and Encryption Files
Next we create the server certificate and key pair, signed by our CA, and some additional files used for the key exchange and for TLS integrity checking. The argument "server" becomes the common name of the certificate and the base name of the files written to keys/ (server.crt and server.key):
$ ./build-key-server server
Country Name (2 letter code) [in]:
State or Province Name (full name) [ap]:
Locality Name (eg, city) [Hyderabad]:
Organization Name (eg, company) [rigaps]:
Organizational Unit Name (eg, section) [RIGAPS]:
Common Name (eg, your name or your server's hostname) [server]:
Name [RIGAPS_EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/ubuntu/openvpn-ca/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'in'
stateOrProvinceName   :PRINTABLE:'ap'
localityName          :PRINTABLE:'Hyderabad'
organizationName      :PRINTABLE:'rigaps'
organizationalUnitName:PRINTABLE:'RIGAPS'
commonName            :PRINTABLE:'server'
name                  :T61STRING:'RIGAPS_EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jun 4 10:03:24 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Accept the default values by pressing ENTER. Leave the two 'extra' attributes (challenge password and optional company name) blank, then answer y to both the "Sign the certificate?" and "commit?" prompts.
Next we generate the Diffie-Hellman parameters used for the key exchange. This takes a while:
$ ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................................................................+................++*++*
Finally we generate a pre-shared HMAC key (ta.key) for OpenVPN's tls-auth feature. Every control-channel packet must carry a valid HMAC under this key, so the server can drop unauthenticated packets before the TLS handshake even starts, which hardens it against port scanning and denial-of-service attempts:
$ openvpn --genkey --secret keys/ta.key
Generating a Client Certificate and Key Pair
We will generate a client key and certificate with the commands below, using client1 as the client name for this demo. The name must be unique for each client, since it becomes the certificate's common name and the base name of the client's files in keys/. Accept the defaults at the prompts and leave the challenge password blank, as before:
$ cd ~/openvpn-ca
$ source vars
$ ./build-key client1
Configure the OpenVPN Services
We can now configure the OpenVPN service using the certificates and keys we just generated.
Copying the files to the OpenVPN Directory
The files the server needs must be copied to /etc/openvpn. Note that ca.key is not among them: the server only needs the CA certificate to verify clients, and the CA private key should stay in ~/openvpn-ca (or better, off the server entirely), because anyone holding it can issue certificates that the server will accept.
$ cd ~/openvpn-ca/keys
$ sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn
Then we copy the sample server configuration file into the same directory, decompressing it on the way:
$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Now we modify the server configuration file:
$ sudo nano /etc/openvpn/server.conf
Uncomment the redirect-gateway and dhcp-option lines so that clients send all their traffic through the VPN and use the pushed DNS servers (the sample uses the OpenDNS resolvers) instead of the local network's resolvers, and confirm that the tls-auth line is active:
. . .
push "redirect-gateway def1 bypass-dhcp"
. . .
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
. . .
tls-auth ta.key 0 # This file is secret
. . .
Directly below the tls-auth line, add:
key-direction 0
Finally, uncomment the following two lines by removing the leading ';' so that OpenVPN drops root privileges once it has started:
user nobody
group nogroup
Save and close the file.
Setting Server Networking Configuration
We also need to adjust the server's networking settings so that it can route the OpenVPN traffic.
Allowing IP Forwarding on the Server
The server must be allowed to forward the incoming traffic from clients; this is an essential step for a VPN server that routes client traffic.
To do that, edit /etc/sysctl.conf:
$ sudo nano /etc/sysctl.conf
Locate the line containing net.ipv4.ip_forward and remove the '#' to uncomment it:
net.ipv4.ip_forward=1
Save the file.
To apply the change in the current session, run:
$ sudo sysctl -p
Forwarding alone does not translate the addresses of the VPN subnet. If you push redirect-gateway as above, the server also needs a NAT (masquerade) rule for the VPN subnet on its public interface, and any firewall in front of the server must allow inbound UDP port 1194; those steps are not covered in this article.
Start and Enabling the OpenVPN Services
Now we start the OpenVPN service on the server. Ubuntu ships a systemd template unit, openvpn@.service, whose instance name selects the configuration file under /etc/openvpn: openvpn@server uses /etc/openvpn/server.conf.
$ sudo systemctl start openvpn@server
We can check the service status with:
$ sudo systemctl status openvpn@server
openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2016-06-06 13:30:05 EDT; 37s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 5852 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid (code=exited, sta
 Main PID: 5856 (openvpn)
    Tasks: 1 (limit: 512)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─5856 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid

June 06 13:30:40 openvpn2 ovpn-server[5856]: /sbin/ip addr add dev tun0 local 192.168.0.1 peer 192.168.0.2
June 06 13:30:40 openvpn2 ovpn-server[5856]: /sbin/ip route add 192.168.0.0/24 via 192.168.0.2
June 06 13:30:40 openvpn2 ovpn-server[5856]: GID set to nogroup
June 06 13:30:40 openvpn2 ovpn-server[5856]: UID set to nobody
June 06 13:30:40 openvpn2 ovpn-server[5856]: UDPv4 link local (bound): [undef]
June 06 13:30:40 openvpn2 ovpn-server[5856]: UDPv4 link remote: [undef]
June 06 13:30:40 openvpn2 ovpn-server[5856]: MULTI: multi_init called, r=256 v=256
June 06 13:30:40 openvpn2 ovpn-server[5856]: IFCONFIG POOL: base=192.168.0.4 size=62, ipv6=0
June 06 13:30:40 openvpn2 ovpn-server[5856]: IFCONFIG POOL LIST
June 06 13:30:40 openvpn2 ovpn-server[5856]: Initialization Sequence Completed
The "GID set to nogroup" and "UID set to nobody" lines confirm that the daemon dropped its root privileges as configured.
We can also check that the OpenVPN tun0 interface is up:
$ ip addr show tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
Now we will set the service to start at the boot time automatically.
$ sudo systemctl enable openvpn@server
Creating Client Configuration
We need a directory on the server to hold the generated client configuration files:
$ mkdir -p ~/client-configs/files
Because this directory will contain the clients' private keys, restrict it so that only our user can access it:
$ chmod 700 ~/client-configs/files
Creating Client base Configuration
We can start from the sample client configuration; copy it into our client-configs directory as base.conf:
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
Open the file in a text editor:
$ vi ~/client-configs/base.conf
We need to make a few changes. First find the remote directive and set it to the server's public IP address (or hostname) and port:
. . .
remote server_IP_address 1194
. . .
Uncomment the user and group lines so that Linux/Unix clients drop privileges after connecting (the Windows client does not implement these directives and simply ignores them):
. . .
user nobody
group nogroup
. . .
Comment out the file-based ca, cert and key directives, because we will embed that material directly in the profile:
. . .
#ca ca.crt
#cert client.crt
#key client.key
. . .
Finally, add key-direction at the end of the file. The server uses direction 0 and the client direction 1; they must differ, because each side uses a different half of ta.key for sending:
key-direction 1
Save the file.
Generating Script for Creating Configuration files
We will create a simple script that takes a client name, embeds that client's certificate and key together with the CA certificate and the tls-auth key into a copy of the base configuration we edited above, and writes the result as a single .ovpn file. Create the script with the following contents:
$ nano ~/client-configs/generate_config.sh

#!/bin/bash
# Usage: ./generate_config.sh <client-name>
# <client-name> is the name given to ./build-key, e.g. client1
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA cert, the client cert and key,
# and the tls-auth key, each wrapped in its inline <tag>...</tag> block.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
After creating the file, make it executable (for our user only):
$ chmod 700 ~/client-configs/generate_config.sh
Generating the Client Configuration File
We generate the configuration file for client1 (whose certificate and key we created earlier) with:
$ cd ~/client-configs
$ ./generate_config.sh client1
If the script ran correctly, we now have a client1.ovpn file in ~/client-configs/files containing the configuration and all of the key material the client needs.
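The following Python script is an added example, not part of the original article or of OpenVPN itself. It reproduces the concatenation done by generate_config.sh and then checks both a server.conf and a generated client .ovpn against the edits made in the two configuration sections above: the pushed redirect-gateway and DNS options, tls-auth with direction 0 on the server and 1 on the client, privilege dropping to nobody/nogroup, the four inline blocks, the commented-out file-based ca/cert/key directives, and a remote that no longer points at the sample placeholder. The sample configurations, the 203.0.113.10 address and the PEM bodies embedded below are constructed placeholders, not real key material. It is written in Python rather than shell so that it runs the same way on any machine without needing the key files.

```python
import re

# Inline blocks the client profile carries, in the order generate_config.sh emits them
INLINE_TAGS = ("ca", "cert", "key", "tls-auth")


def active_directives(text):
    """(name, args) for every un-commented directive; '#'/';' comment lines,
    trailing '# ...' comments and the bodies of <tag>...</tag> blocks are skipped."""
    out, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        line = re.sub(r"\s+#.*$", "", line)
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        name, *args = line.split()
        out.append((name, args))
    return out


def inline_blocks(text):
    """{tag: body} for every <tag>...</tag> block in a profile."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"<([a-z-]+)>\n(.*?)</\1>", text, re.S)}


def build_client_profile(base_conf, ca_pem, cert_pem, key_pem, ta_key):
    """Same concatenation as the article's generate_config.sh."""
    parts = [base_conf.rstrip("\n")]
    for tag, body in zip(INLINE_TAGS, (ca_pem, cert_pem, key_pem, ta_key)):
        parts.append("<%s>\n%s\n</%s>" % (tag, body.strip(), tag))
    return "\n".join(parts) + "\n"


def check_server_conf(text):
    """Return the server.conf settings from the walkthrough that are not in effect."""
    d = active_directives(text)
    pushes = {" ".join(a).strip('"') for n, a in d if n == "push"}
    problems = []
    if not any(p.startswith("redirect-gateway") for p in pushes):
        problems.append("redirect-gateway not pushed")
    if not any(p.startswith("dhcp-option DNS") for p in pushes):
        problems.append("no DNS server pushed")
    if ("tls-auth", ["ta.key", "0"]) not in d:
        problems.append("tls-auth ta.key 0 missing")
    if ("user", ["nobody"]) not in d or ("group", ["nogroup"]) not in d:
        problems.append("daemon keeps root (user/group still commented)")
    if not any(n == "dh" for n, _ in d):
        problems.append("dh parameters not configured")
    return problems


def check_client_profile(text):
    """Return the base.conf edits from the walkthrough that a .ovpn does not reflect."""
    d, blocks, problems = active_directives(text), inline_blocks(text), []
    for tag in INLINE_TAGS:
        if tag not in blocks:
            problems.append("inline <%s> block missing" % tag)
    # once the material is inline, the file-based directives must be commented out
    for name in ("ca", "cert", "key"):
        if any(n == name for n, _ in d):
            problems.append("file-based '%s' directive still active" % name)
    remote = [a for n, a in d if n == "remote"]
    if not remote or remote[0][0] in ("my-server-1", "server_IP_address"):
        problems.append("remote still points at a placeholder")
    if ("key-direction", ["1"]) not in d:
        problems.append("key-direction 1 missing")
    return problems


# Constructed sample inputs: the address and the PEM bodies are placeholders.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
tls-auth ta.key 0 # This file is secret
key-direction 0
user nobody
group nogroup
"""
SAMPLE_BASE_CONF = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
user nobody
group nogroup
#ca ca.crt
#cert client.crt
#key client.key
key-direction 1
"""
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----"
FAKE_TA = "-----BEGIN OpenVPN Static key V1-----\nplaceholder\n-----END OpenVPN Static key V1-----"

if __name__ == "__main__":
    print("server.conf:", check_server_conf(SAMPLE_SERVER_CONF) or "ok")
    profile = build_client_profile(SAMPLE_BASE_CONF, FAKE_CERT, FAKE_CERT, FAKE_KEY, FAKE_TA)
    print("client1.ovpn:", check_client_profile(profile) or "ok")
```

To check real files, read /etc/openvpn/server.conf and ~/client-configs/files/client1.ovpn into strings and pass them to check_server_conf and check_client_profile; an empty list means every setting from the walkthrough is in effect. The directive parser skips the bodies of inline blocks on purpose, so PEM lines are never mistaken for directives.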
Transfer client1.ovpn to the client machine, for example with WinSCP (here the client is a Windows machine). Use a secure channel only, because the file contains the client's private key and the tls-auth key.
Installing the Client Configuration on Windows
Download and install the OpenVPN software on the Windows machine, then copy client1.ovpn into C:\Program Files\OpenVPN\config.
Note − The OpenVPN GUI must be run with administrator rights (Run as Administrator) so that it can bring up the tunnel interface and change the routing table.
When the OpenVPN GUI starts it minimises to the system tray. Right-click the OpenVPN icon, select client1 and choose Connect.
Any client OS (macOS, Android, iOS, etc.) can connect to the server.
Generate a separate client certificate and key pair, and a separate configuration file, for each device rather than sharing one profile, so that a compromised device's certificate can be revoked without affecting the others.
After this configuration and setup we can connect to the office network securely, keeping our traffic private from snoopers and censors on the local network.