A virtual private network (VPN) carries traffic through an encrypted tunnel between a client and a server, which protects it on untrusted networks, improves privacy and can be used to bypass geo-restrictions. This guide covers setting up and configuring OpenVPN on a Debian or Ubuntu server.
OpenVPN is an open-source, feature-rich SSL/TLS VPN. This tutorial walks through configuring a VPN server on a VPS and setting up client access.
Prerequisites
- A server running Ubuntu 14.04 or later, or Debian. The paths and commands below assume the Easy-RSA 2.0 scripts that shipped with older openvpn packages; current releases ship Easy-RSA 3 as a separate package with a different command set (easyrsa init-pki, easyrsa build-ca, ...), so check which version you have before continuing.
- Root or sudo privileges.
- A static IP address or a DNS name for the server that clients can reach.
- Familiarity with terminal-based configuration.
Installing OpenVPN and Easy-RSA
OpenVPN and Easy-RSA are available in the default repositories. Easy-RSA will be used to create a private certificate authority (CA) that signs the server and client certificates; each side trusts only certificates issued by this CA.
Update the package list and install the required packages:
sudo apt-get update
sudo apt-get install openvpn easy-rsa
Setting up the CA directory
Copy the Easy-RSA scripts into the OpenVPN configuration directory so your CA survives package upgrades. Do this and the remaining Easy-RSA steps from a root shell: /etc/openvpn is owned by root, and the build scripts rely on environment variables set by source vars, which sudo strips from each command it runs. Depending on the package version the scripts live in /usr/share/doc/openvpn/examples/easy-rsa/2.0 (older openvpn packages) or /usr/share/easy-rsa (the separate easy-rsa package); adjust the path accordingly.
sudo -i
cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0
Configuring CA variables
The vars file holds the default values for the certificates the CA issues. Edit it to reflect your organisation's details:
nano vars
Update the variables as follows. Also confirm that the file sets KEY_SIZE to 2048 (export KEY_SIZE=2048): build-dh names its output after this value and server.conf below references dh2048.pem, but older copies of vars default to 1024.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="ExampleOrg, Ltd."
export KEY_EMAIL="admin@example.com"
export KEY_OU="ITDepartment"
export KEY_NAME="server"
Save the file (Ctrl+O, Enter, Ctrl+X).
Building the certificate authority (CA)
Load the variables into the current shell and create the CA. clean-all empties the keys directory, so run it only now, before any certificates exist; running it again later would delete your CA and every certificate it has issued:
source vars
./clean-all
./build-ca
Press Enter at each prompt to accept the defaults taken from vars.
Generating server certificates and keys
Create the server certificate and key, the Diffie-Hellman parameters, and a TLS authentication key. The Common Name of the server certificate must be "server" so that it matches KEY_NAME and the file names referenced in server.conf. ta.key is a pre-shared HMAC key: with tls-auth enabled on both sides, OpenVPN discards packets that do not carry a valid HMAC before starting the TLS handshake, which hides the port from scanners and blunts resource-exhaustion attacks on the handshake.
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
At the "Sign the certificate?" and "commit?" prompts, type y and press Enter. build-dh can take several minutes on a small VPS. OpenVPN 2.5 and later print a deprecation warning for the --genkey --secret spelling; the newer form is openvpn --genkey secret keys/ta.key.
Configuring the OpenVPN server
Create the server configuration file (still as root):
nano /etc/openvpn/server.conf
Add the following configuration. The redirect-gateway and dhcp-option pushes route all client traffic and DNS lookups through the VPN; the tls-auth line uses the ta.key generated above with key direction 0 on the server side (clients use 1):
local <your-server-ip>
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Save and exit (Ctrl+O, Enter, Ctrl+X).
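As an added example, not from the original tutorial: a small shell check to run before starting the service. It verifies that every file server.conf references (ca, cert, key, dh, tls-auth) exists, resolving relative paths against the config's directory the way the openvpn@server unit does, that the private key and ta.key are readable only by their owner, and that the tls-auth directive is present at all. The function name check_server_conf and the output labels are my own; the files used to exercise it are constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the original tutorial): sanity-check an OpenVPN
# server.conf before starting the service.
#
# For every ca, cert, key, dh and tls-auth directive it checks that the
# referenced file exists, and that the private key and ta.key are not readable
# by group or others. It also fails when tls-auth is absent, because ta.key
# only protects the control channel if both sides actually use it.
#
# Usage: check_server_conf /etc/openvpn/server.conf
# Returns 0 when every check passes, 1 otherwise.

check_server_conf() {
    local conf="$1" dir rc=0 directive path perms
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    dir=$(dirname "$conf")

    # Relative paths in server.conf resolve against the config's directory,
    # which is also the working directory of the openvpn@server unit.
    while read -r directive path _; do
        case "$directive" in
            ca|cert|key|dh|tls-auth) ;;
            *) continue ;;          # comments, blank lines, other directives
        esac
        case "$path" in
            /*) ;;
            *) path="$dir/$path" ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING  $directive -> $path"
            rc=1
            continue
        fi
        # Private material must be unreadable by group and others (mode 600):
        # columns 5-10 of "ls -l" are the group and other permission bits.
        if [ "$directive" = key ] || [ "$directive" = tls-auth ]; then
            perms=$(ls -l "$path" | cut -c5-10)
            if [ "$perms" != "------" ]; then
                echo "WEAKPERM $directive -> $path (group/other bits: $perms)"
                rc=1
                continue
            fi
        fi
        echo "OK       $directive -> $path"
    done < "$conf"

    if ! grep -q '^tls-auth ' "$conf"; then
        echo "NOTLSAUTH no tls-auth directive: ta.key is generated but unused"
        rc=1
    fi
    return "$rc"
}
```

Run it as root (the keys directory is root-only) with check_server_conf /etc/openvpn/server.conf; a non-zero exit means at least one line was not marked OK.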
Enabling IP forwarding and setting up iptables
Edit the sysctl configuration to enable IP forwarding, so that the kernel routes packets arriving on tun0 out to the internet:
sudo nano /etc/sysctl.conf
Uncomment or add the following line:
net.ipv4.ip_forward = 1
Apply the changes:
sudo sysctl -p
Add a NAT rule so client traffic leaves with the server's public address, then save the rules so they survive a reboot. The redirect in the second command runs in your own shell, not under sudo, so wrap the whole command in sh -c; the /etc/iptables directory and the restore-at-boot behaviour come from the iptables-persistent package (sudo apt-get install iptables-persistent):
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Replace eth0 with your public interface name if it differs; ip route show default prints it after "dev". If the FORWARD chain's default policy is DROP (the case when ufw is enabled), the MASQUERADE rule alone is not enough: you also need FORWARD rules permitting traffic between tun0 and that interface, and an INPUT rule accepting UDP port 1194.
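The complete rule set, as an added example that is not part of the original tutorial. default_iface reads the interface name from the output of ip route show default (accepted as an argument so it can be exercised without the ip tool), and vpn_firewall_rules prints the INPUT, FORWARD and NAT commands for a given interface and client subnet so they can be reviewed before being piped to sudo sh. Both function names, and the interface name ens3 used to exercise them, are my own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of the original tutorial): generate the full set of
# iptables commands the VPN needs, not just the MASQUERADE rule.
#
# default_iface [ROUTE_OUTPUT]
#     Prints the interface after "dev" in "ip route show default" output,
#     so "eth0" is not hard-coded (modern Ubuntu names are ens3, enp0s3, ...).
#     Runs "ip route show default" itself when no argument is given.
# vpn_firewall_rules IFACE SUBNET [PORT] [PROTO]
#     Prints the commands; review them, then pipe to "sudo sh".
#
# Rules are printed rather than executed so the script can be inspected and
# tested without root.

default_iface() {
    local route="${1:-$(ip route show default 2>/dev/null)}"
    echo "$route" | awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

vpn_firewall_rules() {
    local iface="$1" subnet="$2" port="${3:-1194}" proto="${4:-udp}"
    [ -n "$iface" ] && [ -n "$subnet" ] || {
        echo "usage: vpn_firewall_rules IFACE SUBNET [PORT] [PROTO]" >&2
        return 1
    }
    cat <<EOF
# accept the VPN handshake itself on the public interface
iptables -A INPUT -i $iface -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
# let client traffic leave via $iface and replies return, even with FORWARD policy DROP
iptables -A FORWARD -i tun0 -o $iface -s $subnet -j ACCEPT
iptables -A FORWARD -i $iface -o tun0 -d $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# hide client addresses behind the server's public address
iptables -t nat -A POSTROUTING -s $subnet -o $iface -j MASQUERADE
EOF
}
```

Typical use on the server: vpn_firewall_rules "$(default_iface)" 10.8.0.0/24 | sudo sh, followed by the iptables-save step above. The FORWARD rules restrict forwarding to the VPN subnet in both directions, so enabling ip_forward does not turn the host into a general-purpose router.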
Starting the OpenVPN service
Start the service and enable it at boot. The openvpn@server unit reads /etc/openvpn/server.conf; on Ubuntu 14.04, which uses Upstart rather than systemd, use sudo service openvpn start instead:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Check the status; if the service failed to start, journalctl -u openvpn@server shows the reason (usually a wrong path or permission on a certificate or key):
sudo systemctl status openvpn@server
Generating client configuration
Create a certificate and key pair for the client, from a root shell. Use a unique Common Name for every client and never share one certificate between users: duplicate-cn is off by default, so a second connection with the same certificate displaces the first, and revocation works per certificate.
cd /etc/openvpn/easy-rsa/2.0
source vars
./build-key client1
Answer y at the "Sign the certificate?" and "commit?" prompts. Create the client configuration file in the keys directory, alongside the files it references:
nano keys/client1.ovpn
Add the following configuration. cipher and tls-auth must match the server; the client takes key direction 1:
client
dev tun
proto udp
remote <your-server-ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
verb 3
Save the file.
Deploying the client configuration
Bundle the client's files for distribution (install zip with sudo apt-get install zip if it is missing). ta.key must be included, since the client configuration references it:
cd /etc/openvpn/easy-rsa/2.0/keys
zip client1.zip ca.crt client1.crt client1.key ta.key client1.ovpn
Transfer client1.zip to the user over an authenticated, encrypted channel such as scp or sftp, and remove it from the server afterwards. Do not place it in a web-accessible directory: client1.key is a private key, and anyone who obtains the bundle can connect as client1 until that certificate is revoked.
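An alternative to the zip, as an added example that is not part of the original tutorial: build a single client profile with the CA certificate, client certificate, client key and ta.key embedded inline, so only one file leaves the server and it is created owner-readable from the start. The function names make_inline_ovpn and pem_block, the default output path, and the documentation address 203.0.113.10 used to exercise it are my own; the certificate and key files used in the check are constructed stand-ins, not real PEM material.

```bash
#!/usr/bin/env bash
# Added example (not part of the original tutorial): build one client .ovpn
# with all certificates and keys embedded inline, instead of a zip of files.
#
# Usage: make_inline_ovpn KEYSDIR CLIENT SERVER_IP [OUTFILE]
#   KEYSDIR  directory holding ca.crt, CLIENT.crt, CLIENT.key and ta.key
#            (e.g. /etc/openvpn/easy-rsa/2.0/keys)
#   OUTFILE  defaults to KEYSDIR/CLIENT.ovpn
#
# The profile is written under umask 077 because it contains the client's
# private key. key-direction 1 plays the role of the "1" argument of the
# tls-auth directive when the key is inline.

# Print only the PEM block of a certificate file: easy-rsa 2.0 .crt files
# start with a human-readable dump that has no place in the profile.
pem_block() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

make_inline_ovpn() {
    local keys="$1" client="$2" server="$3" out="${4:-$1/$2.ovpn}" f
    [ -n "$keys" ] && [ -n "$client" ] && [ -n "$server" ] || {
        echo "usage: make_inline_ovpn KEYSDIR CLIENT SERVER_IP [OUTFILE]" >&2
        return 1
    }
    # Refuse to write a half-finished profile if anything is missing.
    for f in ca.crt "$client.crt" "$client.key" ta.key; do
        [ -r "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    (
        umask 077   # owner-only from the moment the file is created
        {
            cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
key-direction 1
verb 3
<ca>
EOF
            pem_block "$keys/ca.crt"
            echo '</ca>'
            echo '<cert>'
            pem_block "$keys/$client.crt"
            echo '</cert>'
            echo '<key>'
            cat "$keys/$client.key"
            echo '</key>'
            echo '<tls-auth>'
            cat "$keys/ta.key"
            echo '</tls-auth>'
        } > "$out"
    )
}
```

Run as root, for example make_inline_ovpn /etc/openvpn/easy-rsa/2.0/keys client1 203.0.113.10, then hand over the resulting client1.ovpn the same way as the zip: over scp or sftp, never via a web directory, and delete the server copy afterwards.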