configuring openvpn on debian and ubuntu

March 2, 2017

a virtual private network (vpn) carries your traffic through an encrypted tunnel to a server you control, which protects it on untrusted networks, improves privacy, and lets you bypass geo-restrictions. this guide covers setting up and configuring an openvpn server on debian or ubuntu.

openvpn is an open-source, secure, and feature-rich ssl/tls vpn solution. this tutorial outlines the steps to configure a vpn server on a vps and to set up client access.

prerequisites

  1. a server running ubuntu 14.04 or higher, or debian.
  2. root or sudo user privileges.
  3. a static ip address or a domain name for the server.
  4. familiarity with terminal-based configuration.

installing openvpn and easy-rsa

openvpn and easy-rsa are available in the default repositories. easy-rsa (the 2.x scripts vars, build-ca, build-key-server and build-key used below) creates a private certificate authority (ca) that signs the server and client certificates; the server and clients then trust only certificates issued by that ca.

update the package list and install the required packages:

sudo apt-get update
sudo apt-get install openvpn easy-rsa

setting up the ca directory

copy the example easy-rsa directory into the openvpn configuration directory. the easy-rsa scripts pass their settings around as environment variables set by source vars, which sudo would strip, so run this and the following certificate sections in a root shell rather than prefixing each command with sudo:

sudo -i
cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *

on releases where the openvpn package no longer ships the examples (ubuntu 14.04 and later, debian jessie and later), the scripts come from the easy-rsa package: copy /usr/share/easy-rsa to /etc/openvpn/easy-rsa/2.0 instead, so that the paths used in the rest of this guide still apply.

configuring ca variables

the vars file holds the default subject fields for every certificate the ca issues, plus the key size. edit it to reflect your organisation, and check that KEY_SIZE is 2048 (older easy-rsa releases default to 1024): the diffie-hellman file built later is named after it, and the server configuration below expects dh2048.pem:

nano vars

update the variables as follows:

export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="ExampleOrg, Ltd."
export KEY_EMAIL="admin@example.com"
export KEY_OU="ITDepartment"
export KEY_NAME="server"

save the file (ctrl+o, enter, ctrl+x).


building the certificate authority (ca)

initialize the environment and create the ca. source vars loads the values you just set, clean-all wipes and recreates the keys directory (it deletes any existing certificates, so run it only on a fresh setup), and build-ca generates the ca private key and self-signed certificate:

source vars
./clean-all
./build-ca

press enter at each prompt to accept the defaults taken from vars. keep keys/ca.key private: anyone holding it can issue certificates that the server will trust.


generating server certificates and keys

create the server certificate and key, the diffie-hellman parameters, and a tls-auth hmac key:

./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

answer y to the "sign the certificate?" and "commit?" prompts. build-dh writes keys/dh<KEY_SIZE>.pem, so with KEY_SIZE=2048 the file is dh2048.pem; generating it can take several minutes. ta.key is a shared secret for the tls-auth directive and takes effect only if both the server configuration and every client configuration reference it.


configuring the openvpn server

create the server configuration file:

nano /etc/openvpn/server.conf

add the following configuration:

local <your-server-ip>
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

a few points on this file. the user and group directives drop root privileges after startup, and persist-key together with persist-tun lets the process survive restarts after the drop. the dh path must name the file build-dh actually produced (dh<KEY_SIZE>.pem). to use the ta.key generated earlier, add tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0 here and tls-auth ta.key 1 in each client configuration; the server then discards packets that lack a valid hmac before any tls processing, which blunts denial-of-service and tls-stack attacks from unauthenticated sources. explicit-exit-notify on the server side is accepted only by openvpn 2.4 and newer; with the 2.3 packages shipped in ubuntu 14.04 and debian jessie, remove that line or the service will refuse to start.

save and exit (ctrl+o, enter, ctrl+x).
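before starting the service it is worth checking the configuration for the settings that matter most. the following python script is an added example, not part of the original tutorial: it parses openvpn's directive syntax and flags a missing privilege drop, a weak or defaulted cipher, an unused ta.key (no tls-auth), a 1024-bit dh file, and the server-side explicit-exit-notify that only openvpn 2.4 understands. the sample input is the server.conf above with the documentation address 203.0.113.10 standing in for <your-server-ip>; a hardened variant with tls-auth enabled is checked alongside it.

```python
"""Lint an OpenVPN server.conf for the settings that matter most.

Added example, not part of the original tutorial. It parses OpenVPN's
directive syntax (one directive per line, '#' or ';' comment lines, quoted
arguments) and flags weak or missing security settings. The sample input is
the tutorial's server.conf, with the documentation address 203.0.113.10
standing in for <your-server-ip>.
"""
import shlex

# Constructed sample: the server.conf from the tutorial above.
SAMPLE_SERVER_CONF = """\
local 203.0.113.10
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
"""

# Same file with the tls-auth HMAC enabled (ta.key is generated in the
# tutorial) and the 2.4-only explicit-exit-notify removed.
HARDENED_SERVER_CONF = SAMPLE_SERVER_CONF.replace(
    "explicit-exit-notify 1\n",
    "tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0\n",
)

# Ciphers OpenVPN still accepts that should not be used; BF-CBC is the
# implicit default when no cipher directive is present (OpenVPN 2.3/2.4).
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "RC2-CBC", "none"}


def parse_openvpn_conf(text):
    """Return [(directive, [args, ...]), ...] in file order.

    Blank lines and lines starting with '#' or ';' are skipped; shlex
    handles the double-quoted arguments used by push directives.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def check_server_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_openvpn_conf(text)
    present = {name for name, _ in entries}
    last = {name: args for name, args in entries}  # later directives win
    findings = []

    # The daemon should not keep root once the tunnel is up.
    for req in ("user", "group"):
        if req not in present:
            findings.append(f"missing '{req}': openvpn keeps running as root")
    # After the privilege drop, re-opening keys or the tun device on a
    # SIGUSR1 restart fails unless both persist options are set.
    if "user" in present and not {"persist-key", "persist-tun"} <= present:
        findings.append("user/group set without persist-key and persist-tun")

    cipher = last.get("cipher", ["BF-CBC"])[0]
    if cipher in WEAK_CIPHERS:
        findings.append(f"weak data-channel cipher '{cipher}': use AES-256-CBC or AES-256-GCM")

    # Without tls-auth (or tls-crypt) the generated ta.key is unused and
    # every packet that reaches port 1194 goes straight into the TLS stack.
    if not present & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: ta.key is unused, TLS port is unprotected")

    dh = last.get("dh", [""])[0]
    if "1024" in dh:
        findings.append(f"dh file '{dh}' is 1024-bit: rebuild with KEY_SIZE=2048")

    # Server-side explicit-exit-notify exists only in OpenVPN 2.4+; on the
    # 2.3 packages of Ubuntu 14.04 / Debian jessie the service will not start.
    if "explicit-exit-notify" in present:
        findings.append("explicit-exit-notify on a server needs OpenVPN 2.4 or newer")

    return findings


if __name__ == "__main__":
    for label, conf in (("tutorial", SAMPLE_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(label, check_server_conf(conf) or ["ok"])
```

run it against your own file with check_server_conf(open("/etc/openvpn/server.conf").read()); the tutorial configuration yields two findings (no tls-auth, explicit-exit-notify), the hardened variant none.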


enabling ip forwarding and setting up iptables

edit the sysctl configuration to enable ip forwarding:

nano /etc/sysctl.conf

uncomment or add the following line:

net.ipv4.ip_forward = 1

apply the changes:

sudo sysctl -p

add a nat rule so that traffic from the vpn subnet leaves through the server's public interface, then save the rules. the output redirection runs in your own shell rather than under sudo, so the save must be wrapped in a root shell, and /etc/iptables/rules.v4 is only reloaded at boot if the iptables-persistent package is installed:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

replace eth0 with the name of your public interface if it differs (ip addr shows it). the stock FORWARD chain policy on debian and ubuntu is ACCEPT; if you have set it to DROP, you must also accept forwarded traffic between tun0 and eth0, or clients will connect but reach nothing beyond the server.


starting the openvpn service

start the openvpn service and enable it at boot. on systems with systemd (debian jessie and later, ubuntu 15.04 and later) the openvpn@<name> unit reads /etc/openvpn/<name>.conf:

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

check the status:

sudo systemctl status openvpn@server

ubuntu 14.04 still uses upstart; there, sudo service openvpn start launches every .conf file in /etc/openvpn, and the service is already enabled at boot. once it is running, the server should have a tun0 interface with the address 10.8.0.1, and at verb 3 the log should end with "Initialization Sequence Completed".

generating client configuration

create a client certificate and key pair:

cd /etc/openvpn/easy-rsa/2.0
source vars
./build-key client1

create the client configuration file in the keys directory, alongside the certificate and key it will be bundled with:

nano keys/client1.ovpn

add the following configuration:

client
dev tun
proto udp
remote <your-server-ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
verb 3

remote-cert-tls server makes the client reject any peer whose certificate lacks the server extended key usage that build-key-server sets, so another client's certificate, although signed by the same ca, cannot be used to impersonate the server. if tls-auth is enabled on the server, add tls-auth ta.key 1 here as well (1 is the client key direction, matching the server's 0). ca, cert and key are bare file names, so the client expects those files in the same directory as the .ovpn file.

save the file.


deploying the client configuration

bundle the client certificate, key and configuration for distribution (add ta.key to the list if tls-auth is enabled):

cd /etc/openvpn/easy-rsa/2.0/keys
zip client1.zip ca.crt client1.crt client1.key client1.ovpn

copy client1.zip to the client machine with scp or an sftp client over ssh. client1.key is the client's private key: do not place the archive in a web-accessible directory, and delete it from the server once the transfer is done. give each additional user a certificate of their own (./build-key client2, and so on) rather than sharing one key between clients.
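an alternative to the zip archive is a single .ovpn file with the certificates and keys inlined, which current openvpn clients (including the mobile apps) accept and which avoids loose key files on the client. the python script below is an added example, not part of the original tutorial. it reads the files from the keys directory, keeps only the pem block of each (easy-rsa 2 prefixes .crt files with a human-readable text dump), and emits the client configuration above with <ca>, <cert>, <key> and, when tls-auth is used, <tls-auth> blocks plus key-direction 1. the pem strings embedded here are constructed placeholders rather than real keys, and 203.0.113.10 is a documentation address standing in for <your-server-ip>.

```python
"""Build a single-file OpenVPN client profile with inline key material.

Added example, not part of the original tutorial. Modern OpenVPN clients
accept the CA, certificate, private key and tls-auth key embedded in
<ca>, <cert>, <key> and <tls-auth> blocks, so one .ovpn file replaces the
zip archive built above. The PEM strings below are constructed
placeholders, not real keys; on the server they would be read from
/etc/openvpn/easy-rsa/2.0/keys.
"""
import os
import tempfile

# Constructed placeholder files laid out as easy-rsa 2 writes them; the
# .crt and ta.key files carry text before the PEM block, as the real ones do.
DEMO_KEYS = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nQ0EgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n",
    "client1.crt": (
        "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
        "-----BEGIN CERTIFICATE-----\nQ0xJRU5UIFBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"
    ),
    "client1.key": "-----BEGIN PRIVATE KEY-----\nS0VZIFBMQUNFSE9MREVS\n-----END PRIVATE KEY-----\n",
    "ta.key": (
        "#\n# 2048 bit OpenVPN static key\n#\n"
        "-----BEGIN OpenVPN Static key V1-----\n0123456789abcdef\n-----END OpenVPN Static key V1-----\n"
    ),
}

# The client directives from the tutorial, minus the ca/cert/key file
# references, which become inline blocks.
CLIENT_TEMPLATE = """\
client
dev tun
proto udp
remote {server} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
"""


def pem_body(text):
    """Return only the -----BEGIN ... -----END ...----- block of a file."""
    start = text.index("-----BEGIN")
    end_marker = text.index("-----END", start)
    end = text.index("-----", end_marker + len("-----END")) + len("-----")
    return text[start:end]


def build_inline_profile(keys_dir, client, server, tls_auth=True):
    """Assemble the .ovpn text for `client` from the files in keys_dir.

    With tls_auth=True the ta.key goes into a <tls-auth> block together with
    `key-direction 1`, the client half of `tls-auth ta.key 1`, which pairs
    with `tls-auth ... 0` on the server.
    """
    def read(name):
        with open(os.path.join(keys_dir, name)) as fh:
            return pem_body(fh.read())

    out = [CLIENT_TEMPLATE.format(server=server)]
    if tls_auth:
        out.append("key-direction 1\n")
    for tag, fname in (("ca", "ca.crt"), ("cert", f"{client}.crt"), ("key", f"{client}.key")):
        out.append(f"<{tag}>\n{read(fname)}\n</{tag}>\n")
    if tls_auth:
        out.append(f"<tls-auth>\n{read('ta.key')}\n</tls-auth>\n")
    return "".join(out)


def write_demo_keys(directory):
    """Write the placeholder files into directory and return its path."""
    for name, content in DEMO_KEYS.items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(content)
    return directory


def demo_profile(tls_auth=True):
    """Build a profile from the placeholder files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_demo_keys(tmp)
        # 203.0.113.10 is a documentation address standing in for <your-server-ip>.
        return build_inline_profile(tmp, "client1", "203.0.113.10", tls_auth)


if __name__ == "__main__":
    print(demo_profile())
```

on the server, build_inline_profile("/etc/openvpn/easy-rsa/2.0/keys", "client1", "<your-server-ip>") produces the file to hand out; it contains the private key, so transfer it over ssh exactly as you would the zip archive.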