How to Build an Open VPN Server from Scratch on Ubuntu 16

OpenVPN on Ubuntu 16

How to Build an Open VPN Server on Ubuntu Server 16.04

This has also been tested with Ubuntu 17.

Server


We will start off with a fresh, clean install of Ubuntu Server 16.04. The ISO file was obtained from here.

Then for the sake of making this walkthrough easier we switch to root.

sudo -s

Then we make sure everything is up to date before we begin.

apt-get update; apt-get upgrade

Now let's install OpenVPN and Easy-RSA.

apt-get -y install openvpn easy-rsa

OpenVPN ships with sample config, key and script files. They can be listed with:

ls /usr/share/doc/openvpn/examples

Now let's take the sample server config file “server.conf” and copy it to /etc/openvpn/server.conf

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Now let's change some settings in “/etc/openvpn/server.conf”. We will be changing the following:

  1. Diffie-Hellman parameters: by default the config points at a 1024-bit file
  2. Redirect gateway
  3. DNS
  4. Nobody user and group

nano /etc/openvpn/server.conf

Diffie-Hellman

Replace dh1024.pem with dh2048.pem (in Ubuntu 17, 2048 is already the default).

It should look like this.

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh dh2048.pem

Redirect Gateway

Uncomment the redirect-gateway line by removing the leading ; so that

;push "redirect-gateway def1 bypass-dhcp"

becomes

push "redirect-gateway def1 bypass-dhcp"

DNS

Uncomment and change the DHCP DNS options. Find the two lines below

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

and change them to

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

or to DNS servers of your choosing. Pushing DNS this way ensures clients resolve names through the tunnel rather than their local resolver.

User & Group

To drop OpenVPN's privileges after it has started, find the two lines below

;user nobody
;group nogroup

and change them to

user nobody
group nogroup

Save and Exit
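As an added check, not part of the original walkthrough, the script below audits a server.conf for the four settings just edited (2048-bit DH file, redirect-gateway pushed, DNS pushed, user/group dropped to nobody/nogroup). The two sample configs it writes are constructed for the demonstration, not copied from a real server.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: audit a server.conf for
# the four settings changed above. Prints one line per missing setting and
# returns 0 only when all of them are present.

check_server_conf() {
    conf="$1"
    rc=0
    # Drop comments (# or ;) and blank lines so only active directives are checked;
    # a still-commented ";push ..." line therefore does not count.
    active=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$conf")
    # 1. Diffie-Hellman parameters must point at the 2048-bit file.
    printf '%s\n' "$active" | grep -Eq '^dh[[:space:]]+dh2048\.pem' ||
        { echo "dh: expected 'dh dh2048.pem'"; rc=1; }
    # 2. All client traffic must be routed through the tunnel.
    printf '%s\n' "$active" | grep -Fq 'push "redirect-gateway def1 bypass-dhcp"' ||
        { echo "redirect-gateway is not pushed"; rc=1; }
    # 3. At least one DNS server must be pushed so clients resolve through the tunnel.
    printf '%s\n' "$active" | grep -Eq 'push "dhcp-option DNS [0-9.]+"' ||
        { echo "no DNS server is pushed"; rc=1; }
    # 4. Privileges must be dropped after startup.
    printf '%s\n' "$active" | grep -Eq '^user[[:space:]]+nobody' ||
        { echo "user nobody is not set"; rc=1; }
    printf '%s\n' "$active" | grep -Eq '^group[[:space:]]+nogroup' ||
        { echo "group nogroup is not set"; rc=1; }
    return $rc
}

# Constructed sample configs (not real files): the stock lines before editing,
# and the same lines after the edits described above.
STOCK_CONF=$(mktemp)
printf '%s\n' 'port 1194' 'dh dh1024.pem' \
    ';push "redirect-gateway def1 bypass-dhcp"' \
    ';push "dhcp-option DNS 208.67.222.222"' ';user nobody' ';group nogroup' > "$STOCK_CONF"
HARDENED_CONF=$(mktemp)
printf '%s\n' 'port 1194' 'dh dh2048.pem' \
    'push "redirect-gateway def1 bypass-dhcp"' \
    'push "dhcp-option DNS 8.8.8.8"' 'push "dhcp-option DNS 8.8.4.4"' \
    'user nobody' 'group nogroup' > "$HARDENED_CONF"

check_server_conf "$HARDENED_CONF" && echo "hardened config: OK"
check_server_conf "$STOCK_CONF" || echo "stock config: needs the edits above"
```

Run it against /etc/openvpn/server.conf after saving to confirm nothing was left commented out.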

Enable Packet Forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

To make it persistent so that it survives reboots, edit /etc/sysctl.conf

nano /etc/sysctl.conf

and uncomment the line below, changing

#net.ipv4.ip_forward=1

to

net.ipv4.ip_forward=1

Save and exit.

Configure the Firewall

We will be using ufw, the “Uncomplicated Firewall”. Allow SSH first (so you are not locked out when the firewall is enabled) and the OpenVPN port, then edit the default forwarding policy.

ufw allow ssh
ufw allow 1194/udp
nano /etc/default/ufw

Find the line below

DEFAULT_FORWARD_POLICY="DROP"

and change it to.

DEFAULT_FORWARD_POLICY="ACCEPT"

Now let's add some NAT rules to “/etc/ufw/before.rules”

nano /etc/ufw/before.rules

Add the following block near the top, just after the initial comments (around line 10). The COMMIT line is required: every table in before.rules must end with one, or ufw will fail to load the rules.

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

The 10.8.0.0/24 subnet matches the default “server 10.8.0.0 255.255.255.0” line in server.conf, so only VPN clients are masqueraded rather than the whole 10.0.0.0/8 range. Replace eth0 with the name of your public interface if it differs (check with ip addr).

Now we need to enable the ufw firewall.

ufw enable

Now we need to set up the cryptographic keys and finish configuring the OpenVPN server.

The Easy-RSA scripts that make generating keys easy live in “/usr/share/easy-rsa”.

Let's copy them from the Easy-RSA directory to the OpenVPN directory.

cp -r /usr/share/easy-rsa/ /etc/openvpn/

Now let's make a keys directory under “/etc/openvpn/easy-rsa/”

mkdir /etc/openvpn/easy-rsa/keys

Setting up Default Variables:

To avoid retyping the same values for every key we create, edit the config file “/etc/openvpn/easy-rsa/vars”

nano /etc/openvpn/easy-rsa/vars

Locate the following.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
# X509 Subject Field
export KEY_NAME="EasyRSA"

Change them to what suits you. These will allow you to just press “enter” when creating keys without having to provide the values.

export KEY_COUNTRY="AU"
export KEY_PROVINCE="VIC"
export KEY_CITY="Melbourne"
export KEY_ORG="OpenVPN"
export KEY_EMAIL="me@OpenVPN.org"
export KEY_OU="OpenVPN"
# X509 Subject Field
export KEY_NAME="server"

Save and exit.

Generate the 2048-bit Diffie-Hellman parameters that server.conf now refers to (this can take a few minutes).

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Now let's generate the keys. The Easy-RSA scripts must be run from their own directory, with vars sourced into the current shell first.

cd /etc/openvpn/easy-rsa
. ./vars

./clean-all

./build-ca

./build-key-server server

Now let's copy the keys over to the OpenVPN directory

cd /etc/openvpn/easy-rsa/keys/
cp server.crt server.key ca.crt /etc/openvpn/
cd /etc/openvpn/

Now we have everything we need to start the OpenVPN server, so let's start it and check its status.

service openvpn start
service openvpn status

Now for the Client Side

If you want to use just one client certificate for all your clients, edit the server config. Note that a shared certificate cannot be revoked for a single client; revoking it cuts off every client that uses it.

nano /etc/openvpn/server.conf

Uncomment the line below

#duplicate-cn

so it looks like the line below

duplicate-cn

Client:

Create the Client Key:

cd /etc/openvpn/easy-rsa
. ./vars
./build-key client

Make a directory to collect the client files in. We use ~/client below; if you prefer another location such as /home/user/client, use it consistently in the following steps.

mkdir ~/client

Copy Client Config Files

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client/

mv ~/client/client.conf ~/client/client.ovpn

cp /etc/openvpn/easy-rsa/keys/ca.crt ~/client/
cp /etc/openvpn/easy-rsa/keys/client.crt ~/client/
cp /etc/openvpn/easy-rsa/keys/client.key ~/client/

Now you need to know the public address of the server, and put it in the client config.

nano ~/client/client.ovpn

Change

remote my-server-1 1194

to

remote X.X.X.X 1194

where X.X.X.X is the server's public IP address or hostname.

And uncomment

;user nobody
;group nogroup

to look like

user nobody
group nogroup

Comment out the three lines below so they look like this, because we will embed the CA certificate, client certificate and client key in a single consolidated file instead.
#ca ca.crt
#cert client.crt
#key client.key

Consolidated Client Config File

Create a Consolidated Client File:

OpenVPN reads inline credentials from <ca>, <cert> and <key> blocks, so each file is appended inside its matching tags.

cd ~/client
{
  echo ""
  echo "<ca>";   cat ca.crt;     echo "</ca>"
  echo "<cert>"; cat client.crt; echo "</cert>"
  echo "<key>";  cat client.key; echo "</key>"
} >> ~/client/client.ovpn

The resulting client.ovpn contains the client's private key, so transfer it to the client over a secure channel.
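As an added check, not part of the original walkthrough, the script below verifies that a consolidated client.ovpn is really self-contained before it is handed to a client: the placeholder remote has been replaced, the file-based ca/cert/key directives are commented out, and each inline block is present, balanced and carries PEM data. The sample file it writes is constructed; 203.0.113.10 is a documentation address and the PEM bodies are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: check that a consolidated
# client.ovpn is really self-contained before handing it to a client. Prints one
# line per problem and returns 0 only when every check passes.

check_client_ovpn() {
    ovpn="$1"
    rc=0
    active=$(sed -e '/^[[:space:]]*[#;]/d' "$ovpn")   # comment lines removed
    # The placeholder host from the sample client.conf must have been replaced.
    printf '%s\n' "$active" | grep -Eq '^remote[[:space:]]+my-server-1' &&
        { echo "remote still points at the sample placeholder my-server-1"; rc=1; }
    # File-based ca/cert/key directives must be commented out once inlined,
    # otherwise OpenVPN looks for files that are not on the client.
    printf '%s\n' "$active" | grep -Eq '^(ca|cert|key)[[:space:]]' &&
        { echo "a file-based ca/cert/key directive is still active"; rc=1; }
    # Each inline block must open and close exactly once and contain PEM data.
    for tag in ca cert key; do
        opens=$(grep -c "^<$tag>$" "$ovpn" || true)
        closes=$(grep -c "^</$tag>$" "$ovpn" || true)
        if [ "$opens" -ne 1 ] || [ "$closes" -ne 1 ]; then
            echo "<$tag> block missing or unbalanced"; rc=1; continue
        fi
        sed -n "/^<$tag>$/,/^<\/$tag>$/p" "$ovpn" | grep -q -e '-----BEGIN' ||
            { echo "<$tag> block contains no PEM data"; rc=1; }
    done
    # Privilege drop on the client, as enabled above.
    printf '%s\n' "$active" | grep -Eq '^user[[:space:]]+nobody' ||
        { echo "user nobody is not set"; rc=1; }
    return $rc
}

# Constructed sample (not a real client file): 203.0.113.10 is a documentation
# address and the PEM bodies are placeholders, not real certificates or keys.
GOOD_OVPN=$(mktemp)
{
    printf 'client\ndev tun\nproto udp\nremote 203.0.113.10 1194\n'
    printf 'user nobody\ngroup nogroup\n#ca ca.crt\n#cert client.crt\n#key client.key\n'
    for tag in ca cert key; do
        printf '<%s>\n-----BEGIN PLACEHOLDER-----\n...\n-----END PLACEHOLDER-----\n</%s>\n' "$tag" "$tag"
    done
} > "$GOOD_OVPN"

check_client_ovpn "$GOOD_OVPN" && echo "client.ovpn: OK"
```

Point it at ~/client/client.ovpn to catch a forgotten placeholder or an unclosed block before the file leaves the server.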
