How to Setup OpenVPN Server on Ubuntu 15.04


Setting up your own OpenVPN server on Ubuntu has never been easier, or for that matter, cheaper than it is today. Thanks to the GNU project, everyone has access to free and high quality software. However, in decades past, you really had to understand tough technical concepts and procedures to configure your operating system.

Ubuntu was one of the first Linux operating systems that succeeded in providing an easy-to-use GUI while still providing an efficient and secure kernel. For this reason, Ubuntu became wildly popular with both power users and novices alike. Though beginners like to use the Ubuntu GUI as often as possible, the command line (i.e. the BASH shell or the terminal) is still the best way to configure software. You simply have greater control over your Ubuntu software than you would if you tried to use the visual interface.

When you’re new to Linux or simply don’t know how to work from the Ubuntu command line, the procedure can seem a little intimidating at first. If you feel apprehensive about working from the command line, take a deep breath and relax. I’ll take you through the process from start to finish.

The following procedure installs and configures the OpenVPN server packaged for Ubuntu 15.04. Every command below needs root privileges: either prefix each one with “sudo”, or open a root shell once (sudo -i) and run them from there. The commands are written for a root prompt.

Installing the Software and Configuring the Server

The first thing you need to do is to download and install the OpenVPN software by using the following commands:

  • apt-get update
  • apt-get install openvpn easy-rsa


Once the packages are installed, extract the sample server configuration into the /etc/openvpn directory as follows:

  • gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

The next thing you are going to want to do is to edit the extracted server.conf file. Simply fire up your favorite text editor – such as vim, nano, gedit, or others – and edit the following file:

  • vim /etc/openvpn/server.conf

Once you have the server.conf file open in your text editor, find the line that says “dh dh1024.pem” and change it to “dh dh2048.pem”, then save the file. This names the file of Diffie-Hellman parameters the server uses for key exchange; they are separate from the RSA certificate keys, and 2048-bit parameters are the minimum worth generating today (1024-bit DH is considered weak). Next, look through the file and make sure the following line is uncommented (the sample ships it with a leading “;”):

  • push "redirect-gateway def1 bypass-dhcp"

You will also want to add the following two lines of code:

  • push "dhcp-option DNS 208.67.222.222"
  • push "dhcp-option DNS 208.67.220.220"

These lines tell connecting clients to use the listed resolvers while the tunnel is up, so their DNS queries travel through the VPN instead of leaking to the local network. The two addresses are OpenDNS resolvers; substitute any name servers you prefer. Windows clients apply the pushed option automatically; Linux clients need an up/down script such as /etc/openvpn/update-resolv-conf, which the Ubuntu package ships. In addition, make sure the following two lines are not commented out in the server.conf file:

  • user nobody
  • group nogroup

Note the group: Ubuntu, like Debian, has no group named “nobody”, so the upstream value “group nobody” makes the daemon fail at start-up. With these two lines OpenVPN drops to an unprivileged user and group after it has bound its port and opened the tun device, so the long-running process is no longer root.
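To apply the server.conf changes above without hand-editing, and to check that they took, here is an added shell script. It is example code written for this guide's steps, not part of the original article or of the OpenVPN project. It assumes the layout of the stock sample server.conf (commented directives start with “;”), the path /etc/openvpn/server.conf, and the OpenDNS resolvers used above; make_sample_conf writes a constructed fragment so you can dry-run it on a temporary file first.

```bash
#!/bin/sh
# Added example, not from the original article: apply the server.conf edits
# described above with sed and verify them. Assumed: the file has the layout
# of the stock sample (leading ';' on commented directives).

# make_sample_conf FILE: write a constructed fragment mimicking the sample
# server.conf lines this script touches (for a dry run, not the full file).
make_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;user nobody
;group nogroup
persist-key
persist-tun
EOF
}

# apply_server_conf FILE DNS1 DNS2: make the edits; safe to run twice.
apply_server_conf() {
    conf="$1"
    # 2048-bit Diffie-Hellman parameters instead of the sample's 1024-bit file
    sed -i 's/^dh dh1024\.pem$/dh dh2048.pem/' "$conf"
    # route all client traffic through the tunnel
    sed -i 's/^;\(push "redirect-gateway def1 bypass-dhcp"\)$/\1/' "$conf"
    # push resolvers, appending each line only if it is not there yet
    for ip in "$2" "$3"; do
        grep -qxF "push \"dhcp-option DNS $ip\"" "$conf" ||
            printf 'push "dhcp-option DNS %s"\n' "$ip" >> "$conf"
    done
    # drop privileges after start-up; Ubuntu/Debian have the group 'nogroup',
    # so 'group nobody' (the upstream default) fails at start-up here
    sed -i 's/^;user nobody$/user nobody/' "$conf"
    sed -i -E 's/^;?group (nobody|nogroup)$/group nogroup/' "$conf"
}

# check_server_conf FILE: print every expected directive that is missing;
# the return value is the number missing (0 means the file is as intended).
check_server_conf() {
    missing=0
    for want in 'dh dh2048.pem' \
                'push "redirect-gateway def1 bypass-dhcp"' \
                'user nobody' \
                'group nogroup'; do
        if ! grep -qxF "$want" "$1"; then
            echo "missing: $want"
            missing=$((missing + 1))
        fi
    done
    if ! grep -q '^push "dhcp-option DNS ' "$1"; then
        echo 'missing: push "dhcp-option DNS ..."'
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Usage on the server (assumed path):  sh harden-server-conf.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_server_conf /etc/openvpn/server.conf 208.67.222.222 208.67.220.220
    check_server_conf /etc/openvpn/server.conf && echo "server.conf OK"
fi
```

Run it with no arguments and nothing happens; with --apply it edits the real file and check_server_conf names anything still missing, which is also a handy test to run after a package upgrade replaces the config.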

Packet Forwarding and Firewall Configurations

Next, enable IPv4 packet forwarding so the server can route client traffic onward. The first command turns it on immediately; editing sysctl.conf makes the setting survive a reboot:

  • echo 1 > /proc/sys/net/ipv4/ip_forward
  • vim /etc/sysctl.conf

In sysctl.conf, make sure the “net.ipv4.ip_forward=1” line is uncommented, save, and run sysctl -p to reload the file and confirm the value. Next you need to open the firewall for SSH and for OpenVPN's port (1194/udp), and edit the ufw defaults:

  • ufw allow ssh
  • ufw allow 1194/udp
  • vim /etc/default/ufw


In the ufw defaults file, look for DEFAULT_FORWARD_POLICY, which is set to “DROP”. Change it to “ACCEPT” so that packets may be forwarded between the tun interface and your network interface; the NAT rule you add next determines how client traffic leaves the box.


Now you will need to edit the following file:

  • vim /etc/ufw/before.rules

Once opened, add the following block at the top of the file, before the line that reads “*filter”. Each iptables table must have its own section ending in COMMIT, so the nat block cannot sit inside the filter section. The subnet must match the “server 10.8.0.0 255.255.255.0” line in server.conf (a /8 here would masquerade every 10.x.x.x address that reaches the box, not just your clients), and eth0 must be the name of the interface that carries your default route (check with ip route show default):

  • # START OPENVPN RULES
  • # NAT table rules
  • *nat
  • :POSTROUTING ACCEPT [0:0]
  • # Masquerade traffic from OpenVPN clients out through eth0
  • -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  • COMMIT
  • # END OPENVPN RULES


Finally, we can enable the firewall:

  • ufw enable

It will prompt you whether or not you want to proceed, so just enter a ‘y.’ To verify your firewall configuration, just use this command:

  • ufw status

You should see the ports we opened (22/tcp for SSH and 1194/udp for OpenVPN) listed with the action “ALLOW”.
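The NAT rule only works when its subnet matches the one the server directive actually assigns and its interface is the one with the default route. The following added shell helpers, which are example code and not part of the original article, derive both from the server's own configuration and print the before.rules block; the config path, the use of ip route for the interface, and the interface name eth0 in the usage line are assumptions about the host.

```bash
#!/bin/sh
# Added example, not from the original article: derive the NAT rule for
# before.rules from the server's own configuration instead of hard-coding
# 10.8.0.0/8 and eth0. The config path and interface lookup are assumptions.

# mask2cidr NETMASK: dotted netmask -> prefix length (255.255.255.0 -> 24).
# Rejects non-contiguous masks such as 255.0.255.0.
mask2cidr() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad netmask" >&2; return 1; }
    bits=0; ended=0
    for octet in "$@"; do
        case "$octet" in
            255) n=8;; 254) n=7;; 252) n=6;; 248) n=5;; 240) n=4;;
            224) n=3;; 192) n=2;; 128) n=1;; 0) n=0;;
            *) echo "bad netmask octet: $octet" >&2; return 1;;
        esac
        # after the first partial or zero octet, only zero octets may follow
        if [ "$ended" -eq 1 ] && [ "$n" -ne 0 ]; then
            echo "non-contiguous netmask" >&2; return 1
        fi
        if [ "$n" -lt 8 ]; then ended=1; fi
        bits=$((bits + n))
    done
    echo "$bits"
}

# vpn_subnet SERVER_CONF: read 'server NETWORK NETMASK' and print NETWORK/PREFIX.
vpn_subnet() {
    conf="$1"
    set -- $(grep '^server ' "$conf")
    [ $# -eq 3 ] || { echo "no 'server' directive in $conf" >&2; return 1; }
    prefix=$(mask2cidr "$3") || return 1
    echo "$2/$prefix"
}

# default_iface: name of the interface holding the default route (the 'eth0'
# of the article); assumes iproute2 is installed.
default_iface() {
    ip route show default | awk '{ print $5; exit }'
}

# nat_rules SUBNET IFACE: print the block to place at the top of
# /etc/ufw/before.rules, before its '*filter' line.
nat_rules() {
    cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the OpenVPN subnet out of the uplink interface
-A POSTROUTING -s $1 -o $2 -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# Usage on the server:  sh nat-rules.sh --print   (then paste into before.rules)
if [ "${1:-}" = "--print" ]; then
    nat_rules "$(vpn_subnet /etc/openvpn/server.conf)" "$(default_iface)"
fi
```

With the sample server line the script prints a rule for 10.8.0.0/24; if you later change the VPN subnet in server.conf, re-run it rather than editing before.rules by memory.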


Creating the Certificates and Keys

Now we need to create the certificates and keys with which the client and server authenticate each other. First, copy the Easy-RSA scripts into /etc/openvpn and create a directory for the keys:

  • cp -r /usr/share/easy-rsa/ /etc/openvpn
  • mkdir /etc/openvpn/easy-rsa/keys

Next, set the Easy-RSA variables that become the default subject fields (country, organization and so on) of every certificate you issue. Edit the following file:

  • vim /etc/openvpn/easy-rsa/vars

Edit the following values as they apply to you; only the text inside the quotes changes:

  • export KEY_COUNTRY="US"
  • export KEY_PROVINCE="MO"
  • export KEY_CITY="Kansas City"
  • export KEY_ORG="Company"
  • export KEY_EMAIL="Leeroy@example.com"
  • export KEY_OU="OrganizationalUnit"

The same file sets KEY_NAME, which Easy-RSA places in the name field of every certificate it issues, and you can change it here. Note that the file names of the server certificate and key (server.crt and server.key, which the cert and key lines of server.conf expect) come from the argument you give ./build-key-server below, not from this variable:

  • export KEY_NAME="server"

Now generate the Diffie-Hellman parameters the server will use (this takes a few minutes on a small machine):

  • openssl dhparam -out /etc/openvpn/dh2048.pem 2048

For the next step, simply change your directory to where we had moved the scripts. If you need to see your current working directory, just use the pwd command.

  • cd /etc/openvpn/easy-rsa

You also need to fire up the PKI:

  • . ./vars

Be certain that you include a space after the first period: this sources vars into the current shell so the scripts that follow see its variables. Then clear the keys directory and build the Certificate Authority. Note that ./clean-all deletes everything under keys, including the CA itself, so run it only now and never again later when you add clients:

  • ./clean-all
  • ./build-ca

You will be prompted for each subject field, pre-filled from vars. If the values look right, press Enter at each prompt to accept them.

Creating the Server’s Certificate and Key Data

Now you will want to actually build the key with the following command:

  • ./build-key-server server

Accept the pre-filled subject fields with Enter and leave the two extra attributes (challenge password and optional company name) blank; then answer ‘y’ to “Sign the certificate?” and ‘y’ again to commit the request to the CA database.

Next, copy the keys to the following directory:

  • cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
  • ls /etc/openvpn

The ls command lists /etc/openvpn so you can confirm that the three files arrived. Then start the service and verify that it is running:

  • service openvpn start
  • service openvpn status

If you were successful, the status output shows the service as active, with a green dot next to it. Ubuntu 15.04 runs services under systemd, and the per-configuration unit is openvpn@server, so systemctl status openvpn@server shows the same state and journalctl -u openvpn@server shows the log lines if the start failed.


Generate Keys and Certificates for Client Connections

Understand that the remainder of these steps will only use one client as the configuration parameters. To add extra clients (with separate parameters), you will need to repeat these steps.

For the next few steps, make sure your working directory is the following:

  • /etc/openvpn/easy-rsa

Then build the key by using this command:

  • ./build-key client1

Accept the pre-filled prompts with Enter, leave the challenge password and optional company name blank, and answer ‘y’ to the sign and commit prompts that follow. When this procedure completes successfully, you will see the following message:

  • Write out database with 1 new entries
  • Data Base Updated

Connecting clients expect a configuration file with the .ovpn extension. Copy the sample client configuration into the keys directory to use as a template:

  • cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn

Before handing the template out, edit it for this server: set the remote line (the sample reads “remote my-server-1 1194”) to your server's public IP address or host name, and change the cert and key lines from client.crt and client.key to client1.crt and client1.key. Remember, you can repeat these steps for as many unique clients and devices as necessary; give each device its own certificate rather than sharing one, because a shared client key cannot be revoked for one device without cutting off all of them.

Moving the Keys to Connected Devices

Please note that each connecting device needs its own .crt and .key files together with the CA certificate. They are located on the server at the following paths:

  • /etc/openvpn/easy-rsa/keys/client1.crt
  • /etc/openvpn/easy-rsa/keys/client1.key

Which tool you use to move them is up to you, but use an encrypted channel such as SCP (Secure Copy) or SFTP (SSH File Transfer Protocol): client1.key is a private key, and anyone who obtains it can join your VPN as that client, so never send it by e-mail. Validate that the device has received the following files:

  • client1.crt
  • client1.key
  • client.ovpn
  • ca.crt
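Instead of moving four files, you can bundle them into a single .ovpn with inline <ca>, <cert> and <key> sections, which current OpenVPN clients accept; only one file then has to cross the wire, and it can be removed from the server once the device has it. The following added script is example code, not from the article or the OpenVPN project. It assumes the easy-rsa keys directory from the steps above, the client name client1, and a placeholder host name vpn.example.com; verify_client additionally needs openssl and is optional.

```bash
#!/bin/sh
# Added example, not from the original article: bundle ca.crt, NAME.crt and
# NAME.key into one .ovpn with inline sections. Directory, client name and
# host name are assumptions; the directives match the sample client.conf.

# pem_body FILE: print only the PEM block of FILE. easy-rsa writes a text dump
# of the certificate above the '-----BEGIN CERTIFICATE-----' line; OpenVPN
# tolerates it, but the inline form is cleaner without it.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_ovpn_bundle KEYDIR NAME HOST OUT
#   KEYDIR: directory holding ca.crt, NAME.crt and NAME.key
#   HOST:   the server's public DNS name or IP address
make_ovpn_bundle() {
    keydir="$1"; name="$2"; host="$3"; out="$4"
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    (
        umask 077                 # the bundle carries the private key: mode 0600
        {
            # the settings the sample client.conf uses, minus the file paths
            printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$host"
            printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
            # refuse a peer whose certificate was not issued for a server;
            # build-key-server sets the serverAuth extended key usage
            printf 'remote-cert-tls server\nverb 3\n'
            printf '<ca>\n';   pem_body "$keydir/ca.crt";     printf '</ca>\n'
            printf '<cert>\n'; pem_body "$keydir/$name.crt"; printf '</cert>\n'
            printf '<key>\n';  pem_body "$keydir/$name.key"; printf '</key>\n'
        } > "$out"
    )
}

# check_bundle FILE: confirm the three inline sections and a remote line exist;
# names what is missing on stderr and returns non-zero otherwise.
check_bundle() {
    rc=0
    for sec in ca cert key; do
        if ! grep -qxF "<$sec>" "$1" || ! grep -qxF "</$sec>" "$1"; then
            echo "missing <$sec> section" >&2; rc=1
        fi
    done
    if ! grep -q '^remote ' "$1"; then
        echo "missing remote line" >&2; rc=1
    fi
    return $rc
}

# verify_client KEYDIR NAME: chain-check the client certificate against the CA
# and confirm the private key belongs to it (needs openssl; RSA keys as
# generated by easy-rsa 2). Not run by default.
verify_client() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" &&
    [ "$(openssl x509 -noout -modulus -in "$1/$2.crt")" = \
      "$(openssl rsa -noout -modulus -in "$1/$2.key")" ]
}

# Usage: sh make-bundle.sh /etc/openvpn/easy-rsa/keys client1 vpn.example.com
if [ $# -eq 3 ]; then
    make_ovpn_bundle "$1" "$2" "$3" "$1/$2.ovpn" &&
        check_bundle "$1/$2.ovpn" && echo "wrote $1/$2.ovpn"
fi
```

The bundle is created with mode 0600 because it embeds the private key; keep that mode on the device, and delete the bundle from the server once it has been copied off.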

Connecting Clients

Now that the server configuration has been completed on your Ubuntu distribution, the last step is connecting clients to your VPN server. There are two general steps. First, depending on the client's operating system, install the appropriate OpenVPN client. Second, copy the configuration, certificate and keys from your VPN server to the device. If you run into any questions, please leave comments below, and I will do my best to answer. I hope that this guide has facilitated your OpenVPN setup on Ubuntu.

Extra Troubleshooting Notes

Below are some problems that readers have faced and shared in the comments section. If you run into a problem, one of the causes listed there may be the solution. If you have any questions, or would like to share information, please take the time to comment below.

