Ubuntu: Install and Set Up an OpenVPN Server

  1. Become root with sudo

    # sudo su
    [sudo] password for user:

  2. Update the package lists

    # apt-get update

  3. Install unzip and openvpn

    # apt-get install unzip
    # apt-get install openvpn

  4. Install easy-rsa

    # cd /etc
    # mkdir easy-rsa
    # mkdir easy-rsa/openvpn
    # cd /tmp
    # wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
    # unzip master.zip
    # mv easy-rsa-master/easyrsa3/* /etc/easy-rsa/openvpn/

  5. Set up the CA

    # cd /etc/easy-rsa/openvpn
    # ./easyrsa init-pki
    # ./easyrsa build-ca
    Generating a 2048 bit RSA private key
    ........................+++
    ...............+++
    writing new private key to '/etc/easy-rsa/openvpn/pki/private/ca.key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]: OpenVPN CA

    CA creation complete and you may now import and sign cert requests.
    Your new CA certificate file for publishing is at:
    /etc/easy-rsa/openvpn/pki/ca.crt

  6. Set up the server certificate

    # ./easyrsa gen-req openvpn-server nopass
    Generating a 2048 bit RSA private key
    ........................+++
    ...............+++
    writing new private key to '/etc/easy-rsa/openvpn/pki/private/openvpn-server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [openvpn-server]:

    Keypair and certificate request completed. Your files are:
    req: /etc/easy-rsa/openvpn/pki/reqs/openvpn-server.req
    key: /etc/easy-rsa/openvpn/pki/private/openvpn-server.key

  7. Set up a client certificate (repeat for each client)

    # ./easyrsa gen-req mbp
    Generating a 2048 bit RSA private key
    ........................+++
    ......................................+++
    writing new private key to '/etc/easy-rsa/openvpn/pki/private/mbp.key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [mbp]:

    Keypair and certificate request completed. Your files are:
    req: /etc/easy-rsa/openvpn/pki/reqs/mbp.req
    key: /etc/easy-rsa/openvpn/pki/private/mbp.key

  8. Sign the client certificate (repeat for each client)

    # ./easyrsa sign client mbp

    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.

    Request subject, to be signed as a client certificate for 3650 days:

    subject=
    commonName = mbp

    Type the word 'yes' to continue, or any other input to abort.
    Confirm request details: yes
    Using configuration from /etc/easy-rsa/openvpn/openssl-1.0.cnf
    Enter pass phrase for /etc/easy-rsa/openvpn/pki/private/ca.key:
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName :PRINTABLE:'mbp'
    Certificate is to be certified until Feb 4 11:48:22 2025 GMT (3650 days)

    Write out database with 1 new entries
    Data Base Updated

    Certificate created at: /etc/easy-rsa/openvpn/pki/issued/mbp.crt

  9. Sign the server certificate

    # ./easyrsa sign server openvpn-server

    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.

    Request subject, to be signed as a server certificate for 3650 days:

    subject=
    commonName = openvpn-server

    Type the word 'yes' to continue, or any other input to abort.
    Confirm request details: yes
    Using configuration from /etc/easy-rsa/openvpn/openssl-1.0.cnf
    Enter pass phrase for /etc/easy-rsa/openvpn/pki/private/ca.key:
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName :PRINTABLE:'openvpn-server'
    Certificate is to be certified until Feb 4 11:50:26 2025 GMT (3650 days)

    Write out database with 1 new entries
    Data Base Updated

    Certificate created at: /etc/easy-rsa/openvpn/pki/issued/openvpn-server.crt

  10. Generate DH parameters

    # ./easyrsa gen-dh

  11. Create the folders for the OpenVPN configuration

    # cd /etc/openvpn
    # mkdir -p jail/1/ccd
    # mkdir -p jail/1/log

  12. Generate ta.key

    # openvpn --genkey --secret /etc/openvpn/ta.key

  13. Create the server configuration file

    # cd /etc/openvpn
    # vi openvpn.conf

    Copy and paste the following:

    port 1194
    proto udp
    dev tun
    ca /etc/easy-rsa/openvpn/pki/ca.crt
    cert /etc/easy-rsa/openvpn/pki/issued/openvpn-server.crt
    key /etc/easy-rsa/openvpn/pki/private/openvpn-server.key
    dh /etc/easy-rsa/openvpn/pki/dh.pem
    server 192.168.50.0 255.255.255.0
    client-config-dir /etc/openvpn/jail/1/ccd
    # push a valid, reachable DNS server, otherwise redirect-gateway will not work
    push "dhcp-option DNS 8.8.8.8"
    keepalive 10 120
    tls-auth /etc/openvpn/ta.key 0
    cipher AES-256-CBC
    comp-lzo
    max-clients 3
    ifconfig-pool-persist /etc/openvpn/jail/1/ipp.txt 10
    persist-key
    persist-tun
    status /etc/openvpn/jail/1/log/openvpn-status.log
    log-append /etc/openvpn/jail/1/log/openvpn.log
    verb 4
    mute 20
    chroot jail/1
    client-to-client
    script-security 2
    reneg-sec 0
    duplicate-cn
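    Several directives in the config above (comp-lzo, a bare cipher line, tls-auth, reneg-sec 0, duplicate-cn, script-security 2, and the missing auth, crl-verify and user/group lines) are settings a current OpenVPN 2.4+ deployment would change. The POSIX shell audit below is an added example and not part of the original post; audit_openvpn_conf, has and flag are names chosen here, and the embedded sample is a constructed excerpt of the step 13 config.

```shell
# has DIRECTIVE: true when the directive starts a non-comment line of $CONF.
has() { grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$CONF"; }
flag() { FINDINGS=$((FINDINGS + 1)); printf '%s\n' "$1"; }

# audit_openvpn_conf FILE: print one line per weak or missing setting;
# returns 0 when nothing was flagged, 1 otherwise.
audit_openvpn_conf() {
    CONF="$1"; FINDINGS=0
    has comp-lzo && flag "comp-lzo: remove compression; it is deprecated and leaks plaintext (VORACLE)"
    has cipher && ! has data-ciphers && flag "cipher only: add 'data-ciphers AES-256-GCM:AES-128-GCM' so an AEAD cipher is negotiated"
    ! has auth && flag "no auth: the HMAC defaults to SHA1, add 'auth SHA256'"
    has tls-auth && ! has tls-crypt && flag "tls-auth: prefer 'tls-crypt ta.key' (2.4+), which also encrypts the control channel"
    ! has crl-verify && flag "no crl-verify: revoked client certs are still accepted; run ./easyrsa gen-crl and point crl-verify at pki/crl.pem (readable inside the chroot)"
    has 'reneg-sec[[:space:]]+0' && flag "reneg-sec 0: periodic rekeying is disabled, drop it (default 3600s)"
    has duplicate-cn && flag "duplicate-cn: a shared cert maps every holder to the same ccd entry and defeats revocation; issue one cert per device"
    has script-security && ! has '(up|down|client-connect|client-disconnect|learn-address|auth-user-pass-verify)' \
        && flag "script-security without any script directive: remove it"
    ! has user && flag "no user/group: add 'user nobody' and 'group nogroup' so the daemon drops root after startup"
    [ "$FINDINGS" -eq 0 ]
}

# Constructed excerpt of the step 13 server config, used as sample input.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 192.168.50.0 255.255.255.0
client-config-dir /etc/openvpn/jail/1/ccd
push "dhcp-option DNS 8.8.8.8"
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
comp-lzo
chroot jail/1
script-security 2
reneg-sec 0
duplicate-cn
EOF
audit_openvpn_conf "$SAMPLE_CONF" || echo "-> $FINDINGS setting(s) to change before going live"
```

    Run it against /etc/openvpn/openvpn.conf after editing; a clean config returns 0, so it can gate a restart in a deploy script.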

  14. If you need to assign a static VPN IP to a client, create a file in the /etc/openvpn/jail/1/ccd directory named exactly after the common name of the client certificate. If the filename does not match the common name, the entry will not be applied.

    # nano /etc/openvpn/jail/1/ccd/mbp

    Enter the following line:

    ifconfig-push 192.168.50.10 192.168.50.9

    The example above assigns 192.168.50.10 to my MacBook Pro OpenVPN client; 192.168.50.9 is the endpoint.
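    Because OpenVPN matches ccd files purely by name, a mistyped filename silently disables the static address. The POSIX shell check below is added here and is not part of the original post; it reads easy-rsa's pki/index.txt (the OpenSSL CA database, whose last column is the subject DN) instead of parsing certificates, and check_ccd, the temp directory layout and the index entries are constructed for the demo.

```shell
# check_ccd CCD_DIR INDEX_TXT: print every ccd file whose name is not the
# Common Name of a currently valid ("V") certificate in easy-rsa's index.txt.
# Returns 0 when every file matches, 1 otherwise. CNs are assumed to be plain
# names without regex metacharacters, as in this tutorial.
check_ccd() {
    ccd="$1"; index="$2"; bad=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        cn=$(basename "$f")
        # index.txt columns: status, expiry, revocation date, serial, file, subject DN;
        # a revoked ("R") certificate therefore does not count as a match.
        if ! grep -Eq "^V[[:space:]].*/CN=$cn\$" "$index"; then
            printf 'ccd/%s: no valid certificate with CN=%s (OpenVPN will ignore this file)\n' "$cn" "$cn"
            bad=1
        fi
    done
    return $bad
}

# Constructed demo layout: the tutorial's mbp entry plus a mistyped one.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/ccd"
echo 'ifconfig-push 192.168.50.10 192.168.50.9' > "$DEMO/ccd/mbp"
echo 'ifconfig-push 192.168.50.14 192.168.50.13' > "$DEMO/ccd/macbook"
printf 'V\t250204115026Z\t\t01\tunknown\t/CN=openvpn-server\nV\t250204114822Z\t\t02\tunknown\t/CN=mbp\n' > "$DEMO/index.txt"
check_ccd "$DEMO/ccd" "$DEMO/index.txt" || echo "fix the filenames above before restarting openvpn"
```

    On the real server the call is check_ccd /etc/openvpn/jail/1/ccd /etc/easy-rsa/openvpn/pki/index.txt.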

  15. Set file and directory permissions and ownership

    # chmod 700 /etc/openvpn/jail
    # chmod 700 /etc/openvpn/jail/1
    # chmod 700 /etc/openvpn/jail/1/ccd
    # chmod 700 /etc/openvpn/jail/1/log
    # chmod 600 /etc/openvpn/jail/1/ccd/*
    # chmod 600 /etc/openvpn/jail/1/log/*
    # chown -R root:root /etc/openvpn/jail

  16. Set up the client

    Copy the following files from the server to the client device:

    • /etc/easy-rsa/openvpn/pki/ca.crt
    • /etc/easy-rsa/openvpn/pki/issued/mbp.crt
    • /etc/easy-rsa/openvpn/pki/private/mbp.key
    • /etc/openvpn/ta.key

  17. Sample client configuration file

    client
    dev tun
    proto udp
    remote mydomain.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert mbp.crt
    key mbp.key
    remote-cert-tls server
    tls-auth ta.key 1
    cipher AES-256-CBC
    comp-lzo
    verb 4
    redirect-gateway def1
