How to Install OpenVPN on Ubuntu 16.04 And 18.04

Virtual Private Network or VPN is a private network of securely interconnected computers over the insecure public internet. A user who wants to access this private network as if he is connected to a LAN, must use a VPN. Data transfer within this newly formed private network is encrypted. OpenVPN uses 256 AES encryption (use SSL/TLS certificates) which provides you with a highly secure virtual private network.OpenVPN can be used either in a routed or in a bridged VPN mode. It can also be set up to use TCP or UDP.

logo OPENVPN
In this article you will learn how to deploy and configure the open source OpenVPN server on Ubuntu 18.04 and Ubuntu 16.04 (it also applies to Linux Mint and Debian).

Step 1 : Update system package list

Before we begin, update your system apt cache as well as your system package list to the latest versions by running the commands:

Step 2 – OpenVPN Server installation

Before you install the OpenVPN , you would first need to install easy-rsa packages which manage the SSL certificates that are required for data encryption between the client and the server. Issue the command below :

sudo apt-get install openvpn easy-rsa

Press Y or y when prompted.

Now transfer or copy the OpenVPN sample configuration file to the file /etc/openvpn/server.conf which will be used as the server configuration file of OpenVPN . Issue the commands below :

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

sudo gzip -d /etc/openvpn/server.conf.gz

Step 3 – OpenVPN Server configuration

Now Edit the configuration file of the OpenVPN server using nano or using your favorite text editor.

sudo nano /etc/openvpn/server.conf

Now do not uncomment the following entries :

Here you will see the official port number 1194, but this can be configured as well.

And make sure to add the remaining entries from the list below (uncomment when necessary) :

tls-auth ta.key 0

key-direction 0

cipher AES-128-CBC

auth SHA256

user nobody

group nogroup

cert server.crt

key server.key

Uncomment the following :

The settings you made above will enable VPN connection between different systems. They will not however route clients internet traffic through VPN. Make sure also to uncomment the dhcp-option values below.

push “redirect-gateway def1 bypass-dhcp”

push “dhcp-option DNS 208.67.222.222”

push “dhcp-option DNS 208.67.220.220”

So that you obtain :

Now save and exit the file.

You may be interested to read : Network configuration in Ubuntu

Step 4 – Network configuration update

At this stage, you would need to enable users to access the server which is on the same network as the OpenVPN server. Enable IP forwarding feature on the server by running the commands below :

Edit /etc/sysctl.conf using your favorite editor and then uncomment the line below to allow IP forwarding.

#net.ipv4.ip_forward=1

So that you get the following :

Save and exit the file.

You may want to read: How to keep Ubuntu clean
Now you will need to run the command below in order to reload sysctl.

sudo sysctl -p /etc/sysctl.conf

In order to get an operational OpenVPN server, that is the minimum configuration required.

Step 5 : Configuration of certificate authority

Establishing a PKI (public key infrastructure) is the first step in building an OpenVPN configuration. The PKI consists of the following:

  • a public key (which is the separate certificate) and a private key for the clients and the server
  • a master certificate known as the Certificate Authority (CA) used to sign the client and the server certificates.

OpenVPN uses bidirectional certificate-based authentication between the server and the clients.

To setup your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients first copy the easy-rsa directory to /etc/openvpn. This will ensure that any changes to the scripts will not be lost when the package is updated. From a terminal change to user root and:

mkdir /etc/openvpn/easy-rsa/

And then

cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

Next, edit /etc/openvpn/easy-rsa/vars and adjust the following according to your own environment.

Read: Best VPN services for 2020

These will be the default values for issuing the certificates for client and server. You are able also to overwrite these values when the certificates are created.

Save and then exit the file.

Now enter the commands below in order to generate the master certificate Certificate Authority (CA) and key:

cd /etc/openvpn/easy-rsa/

source vars

./clean-all

./build-ca

This will load the values in the system environment.

Which removes existing keys .

Which builds CA certificates.

Here is what we obtained. Your result should be similar (just ignore the first warning)

Once this is done, your system is now ready to issue the certificates as Certificate Authority .

You may be interested to read : How to set up a firewall on Ubuntu 18.04 ?

Step 6 – Server certificate files generation

Using the ./build-key-server command, you will first need to create the certificates for the OpenVPN server. This command will need the keyword server in order to generate server certificates. The key file with the required certificates will then be created under keys directory.

cd /etc/openvpn/easy-rsa/

./build-key-server server

Your output should be similar to ours below :

Fill out the attributes required and enter ‘y’ when prompted with the two queries “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.

You may want to read: How to speed up Linux
This will yield the output below.

Now you need to generate a Diffie-Hellman key which will be used for the key exchange using the command below which :

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Now an additional HMAC signature would need to be added by the TLS-AUTH directive to all SSL/TLS handshake packets. This is required for integrity verification. A UDP Packet with the incorrect HMAC signature can be dropped permanently.

The TLS-AUTH HMAC signature security level far exceeds that provided by SSL/TLS. It can safely offer a protect against :

  • Port flooding or by SSL/TLS on the OpenVPN UDP port.
  • Port scanning to find out which UDP ports of the server are listening in.
  • Buffer overflow fragility in the SSL/TLS implementation.
  • Unauthorized machines SSL/TLS handshake initiations .

It is required to generate a shared-secret key using TLS-AUTH in addition to the standard RSA certificate/key. Issue the command below to do so :

openvpn –genkey –secret /etc/openvpn/easy-rsa/keys/ta.key

An OpenVPN static key will then be generated written to the file ta.key. This key afterwards should be copied to the server and all client machines over a pre-existing secure channel. It can be inserted in the same folder as the RSA .key and the .crt files. Run the command below to carry out the copy operation :

cd /etc/openvpn/easy-rsa/keys

sudo cp ca.crt ta.key server.crt server.key /etc/openvpn

Here is a simple explanation of the key files :

Filename Needed by Purpose Secret
ca.crt server+ all clients Root CA certificate NO
ca.key key signing machine only Root CA key YES
Dh2048.pem or 01.pem server only Diffie Hellman parameters NO
server.crt server only Server Certificate NO
server.key server only Server Key YES
ta.key server+ all clients Shared secret for TLS Authentication YES


You may be interested to read: How to install OpenSSH server on Ubuntu ?

Step 7 – Start OpenVPN Service

Your OpenVPN server can now be used. You can start the service using the command systemctl.

sudo systemctl start openvpn@server

Check the service status also using the command :

sudo systemctl status openvpn@server

If you want to stop it just replace start with stop :

A new network interface named tun0 will be created by OpenVPN. Run the command below to view the IP assigned to it.

ifconfig tun0

Step 8 – Client configuration generation

As your OpenVPN server is up and running, you can now generate the private key, the certificates and all the client configuration files. run the command below to generate these configuration files for client1:

./build-key client1

Fill in the values like you did earlier and enter ‘y’ to the prompted questions. Now you should see the new files under the keys folder : client1.*


If you like the content, we would appreciate your support by buying us a coffee. Thank you so much for your visit and support.

 

amin nahdy

Amin Nahdy, an aspiring software engineer and a computer geek by nature as well as an avid Ubuntu and open source user. He is interested in information technology especially Linux based ecosystem as well as Windows and MacOS. He loves to share and disseminate knowledge to others in a transparent and responsible way.

Leave a Reply