Install OpenVPN with Ubuntu 18.04

A VPN is a network that allows users to encrypt data that is being sent or received over public networks. This is incredibly useful when accessing the internet over untrusted access points such as coffee shops and hotels to protect your data.

For the purpose of this article, I will be using OpenVPN because it’s an open-source, full-featured tool. I will also be setting up OpenVPN on an Ubuntu server. Once we set up OpenVPN we can use the client on Windows, macOS, and Android.

Prerequisites

  • Ubuntu 18.04 as the host for OpenVPN. You will need to create a user with sudo privileges; this user should not be the root user. You should also have your firewall set up prior to starting this tutorial.
  • You also need to spin up a separate server to act as the certificate authority (CA). The user you set up on this server will also need to be a non-root sudo user.

It is recommended to generate an SSH keypair for each of these two servers so that password authentication can be disabled, since leaving password logins enabled exposes you to security vulnerabilities. To allow the servers to reach each other, add the CA machine’s public key to the VPN server’s authorized_keys file and the VPN server’s public key to the CA machine’s authorized_keys file.


Install OpenVPN

The first thing we need to do is install OpenVPN.

sudo apt-get update
sudo apt-get install openvpn


Install EasyRSA

OpenVPN uses TLS, so it relies on certificates to authenticate the server and clients and to negotiate the keys that encrypt your data as it travels from source to destination. We will use EasyRSA on a separate, standalone server to issue these certificates from a simple certificate authority (CA). You need to install EasyRSA on both your CA server and your VPN server:

wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz

To extract the tarball (.tgz) use the following:

cd ~
tar xvf EasyRSA-3.0.4.tgz


Create CA and Configure EasyRSA

On the machine you are setting up your CA on, change into the EasyRSA directory:

cd ~/EasyRSA-3.0.4/

There is a file named vars.example. You will need to copy this file without the .example extension

cp vars.example vars

Now, edit the file (I use VI, but feel free to use whichever editor you like)

vi vars

In this file, there are default settings that you need to update for your organization. This section also needs the leading ‘#’ removed from each line so that EasyRSA knows to read it.

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "California"
set_var EASYRSA_REQ_CITY       "San Francisco"
set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL      "me@example.net"
set_var EASYRSA_REQ_OU         "My Organizational Unit"

Save and close this file.

Now we need to initialize the public key infrastructure (PKI) directory on the CA server

./easyrsa init-pki


Next, build the CA with the build-ca option. This will create two files, ca.crt and ca.key, which are the public certificate and the private key of your CA.

Note: nopass lets you use your CA without being prompted for a password each time, because the CA key is stored unencrypted.

./easyrsa build-ca nopass


Make Server Certificate

First, go to your VPN server and go to the EasyRSA directory

cd EasyRSA-3.0.4/

Next, we need to initialize easyrsa.

./easyrsa init-pki

Let’s call EasyRSA again, this time to create the private key and certificate request (server.key and server.req) for the server. Copy the key into /etc/openvpn/

./easyrsa gen-req server nopass

Note: the nopass option in the above command means you do not have to enter a password every time OpenVPN needs to use the key. It is optional but recommended.

sudo cp ~/EasyRSA-3.0.4/pki/private/server.key /etc/openvpn/

Note: “server” is simply the name used for the OpenVPN server. Feel free to change it to whatever you like, but keep in mind that you will need to keep using the name you choose when following this article.

Next, use a secure method to copy the server.req file to the CA machine

scp ~/EasyRSA-3.0.4/pki/reqs/server.req your_username@CA_ip:/tmp

On the CA machine go to the EasyRSA directory again

cd EasyRSA-3.0.4/

Import the server.req request you just copied over

./easyrsa import-req /tmp/server.req server

Let’s sign this request

./easyrsa sign-req server server

Note: For this example, the first “server” is the request type, which can be either client or server, and the second “server” is the common name.

From there you will be prompted to verify the request. Enter “yes”

Now we need to copy the signed certificate over to the VPN server

scp pki/issued/server.crt your_username@server_ip:/tmp

Make sure to move over the ca.crt as well

scp pki/ca.crt your_username@server_ip:/tmp

Log into the VPN machine and copy server.crt and ca.crt to /etc/openvpn

sudo cp /tmp/{server.crt,ca.crt} /etc/openvpn/

Go to the EasyRSA directory and generate Diffie-Hellman parameters.

Note: The Diffie-Hellman parameters are used during the TLS handshake so that the server and client can agree on fresh session keys, which keeps your data encrypted during the exchange.

./easyrsa gen-dh

Get a cup of coffee, tea, or sparkling water as this might take a few minutes.

Once that has been created, generate an HMAC key that OpenVPN uses to verify the integrity of the TLS control channel, and copy the new files to /etc/openvpn

openvpn --genkey --secret ta.key
sudo cp ~/EasyRSA-3.0.4/ta.key /etc/openvpn/
sudo cp ~/EasyRSA-3.0.4/pki/dh.pem /etc/openvpn/


Generate Client Certificate

Let’s start by setting up the directory to store the client’s certificates and keys.

mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs

Go back to the EasyRSA directory; we will be making the client-side key and certificate request

cd ~/EasyRSA-3.0.4/
./easyrsa gen-req client1 nopass
cp pki/private/client1.key ~/client-configs/keys/

Like we have been doing, we need to transfer this request over to the CA server

scp pki/reqs/client1.req your_username@CA_ip:/tmp

Log into the CA server so we can import and sign the certificate request

ssh your_username@CA_ip
cd EasyRSA-3.0.4/
./easyrsa import-req /tmp/client1.req client1
./easyrsa sign-req client client1

Enter “yes” to verify the certificate came from a trusted source and copy the client1.crt file back over to the VPN server

scp pki/issued/client1.crt your_username@server_ip:/tmp

Log back into your VPN server and copy the client certificate, ca.crt and ta.key to ~/client-configs/keys

cp /tmp/client1.crt ~/client-configs/keys/
cp ~/EasyRSA-3.0.4/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/


Configure OpenVPN

Copy over the example configuration from OpenVPN, decompress it and start editing the file.

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
sudo vi /etc/openvpn/server.conf

Uncomment tls-auth directive and the cipher lines by removing the `;`

tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC

Next, let’s add the auth directive SHA256

auth SHA256

Look for the dh directive and make sure the file name listed in the example configuration matches the file you generated before. Usually, you just need to remove the 2048 from this line

dh dh.pem

Uncomment the user and group lines by removing the `;`

user nobody
group nogroup


If you do not need to tunnel all of your traffic through the VPN, feel free to skip to the “Configure Server Network” step. If you do, buckle up buttercup.

Now we are going to make some extra edits to the configuration file we have been working in previously.

Let’s start by uncommenting a few lines by removing the `;`

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Now, we will adjust the port. OpenVPN defaults to port 1194 over UDP when accepting client connections. Unless you have a specific port you need to use, 443 is usually what you want to go with.

port 443

I would also recommend changing the protocol to TCP, since many networks block UDP on port 443 but allow TCP. When you do this you also need to change the `explicit-exit-notify` value from `1` to `0`.

proto tcp

explicit-exit-notify 0

Save and close the configuration file.


Configure Server Network

Edit the file `/etc/sysctl.conf`

sudo vi /etc/sysctl.conf

Remove the `#` to uncomment the line `net.ipv4.ip_forward=1`

net.ipv4.ip_forward=1

Save and close this file.


To make our lives easier, first find the public network interface of the VPN server.

ip route | grep default


Now, let’s edit your firewall rules

sudo vi /etc/ufw/before.rules

Somewhere at the beginning of the file place the following:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to wlp11s0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o [your_network_interface] -j MASQUERADE
COMMIT
# END OPENVPN RULES

Save and close the file.


Next, edit `/etc/default/ufw` file and change the DEFAULT_FORWARD_POLICY from DROP to ACCEPT.

DEFAULT_FORWARD_POLICY="ACCEPT"

Save and close the file.


Start OpenVPN

Now we are ready to finally start OpenVPN. To do so we need to tell OpenVPN which configuration file to read. If you have been following along your server name should be `server`

sudo systemctl start openvpn@server

To check that OpenVPN has started run the following:

ip addr show tun0

Enable the service to force it to start on boot.

sudo systemctl enable openvpn@server


Generate Client Configuration files

For each client, we need to have a configuration file, but for this article, we will go over creating one client configuration. Feel free to use this as a base for making configuration files for different clients.

Make a directory to place your configuration file

mkdir -p ~/client-configs/files

Copy the sample configuration file.

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Edit the configuration file

vi ~/client-configs/base.conf

Find the remote directive line and update it to have your server’s IP, and change 1194 to the port you chose

remote server_ip 1194

Remove the `;` from user and group lines and make sure that the protocol you chose is being used.

user nobody
group nogroup
proto udp

Next, find the ca, cert, key, and tls-auth lines. You will need to comment these out, since the files we generated earlier will be embedded directly in the client profile rather than shipped alongside it

#ca ca.crt
#cert client.crt
#key client.key
#tls-auth ta.key 1

While you are in here, check the cipher and auth settings to make sure they match what we set up previously.

Technically you can add the key direction anywhere in the file, but I added it to the end of the file.

key-direction 1

Save and close this file. 
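The four commented-out lines are the client’s credentials, which need to be embedded inline in the profile it receives. This script, added here as an example and not part of the original article, builds a single client1.ovpn from base.conf plus the files in ~/client-configs/keys; the function name make_client_config and its arguments are my own.

```shell
#!/bin/sh
# Assemble one self-contained .ovpn profile for a client by appending the
# CA cert, client cert, client key and tls-auth key to a copy of base.conf.
# Assumes the layout used in this article: KEY_DIR holds ca.crt,
# <client>.crt, <client>.key and ta.key; BASE_CONF is the edited base.conf;
# the profile is written to OUTPUT_DIR/<client>.ovpn.
make_client_config() {
    client="$1"
    key_dir="${2:-$HOME/client-configs/keys}"
    base_conf="${3:-$HOME/client-configs/base.conf}"
    output_dir="${4:-$HOME/client-configs/files}"

    # Refuse to continue if any input is missing, so a half-built profile
    # that silently lacks a key is never handed to a user.
    for f in "$base_conf" "$key_dir/ca.crt" "$key_dir/$client.crt" \
             "$key_dir/$client.key" "$key_dir/ta.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    mkdir -p "$output_dir"
    out="$output_dir/$client.ovpn"

    # The profile contains the client's private key, so create it with
    # mode 0600 (umask 077 in a subshell) rather than chmod-ing afterwards.
    (
        umask 077
        {
            cat "$base_conf"
            echo '<ca>';       cat "$key_dir/ca.crt";      echo '</ca>'
            echo '<cert>';     cat "$key_dir/$client.crt"; echo '</cert>'
            echo '<key>';      cat "$key_dir/$client.key"; echo '</key>'
            echo '<tls-auth>'; cat "$key_dir/ta.key";      echo '</tls-auth>'
        } > "$out"
    )
    echo "$out"
}

# Usage: ./make_config.sh client1   (defaults match the paths used above)
[ $# -eq 0 ] || make_client_config "$@"
```

The resulting client1.ovpn is the file to hand to the client machine; the key-direction 1 line in base.conf pairs with the embedded tls-auth key.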

We now need to transfer the finished client profile from ~/client-configs/ over to the machine that will be the client. Run the following on the client machine:

scp your_username@server_ip:client-configs/base.conf ~/


Install Client

From here things get more straightforward, as you will basically be following the instructions from OpenVPN to install the client.

Windows

  • Copy your configuration file over to C:\Program Files\OpenVPN\config
  • OpenVPN needs to run with Admin rights to work properly
  • Once you follow the instructions for the client you are installing, you are all set.
