Configure OpenVPN Server on Ubuntu 16.04
Prerequisites
SSH to your Ubuntu system, update the apt cache and upgrade the system packages to their latest versions.
sudo apt-get update
sudo apt-get upgrade
Install OpenVPN Server
Now install the OpenVPN package together with the easy-rsa package, which is used to manage the SSL certificates.
sudo apt-get install openvpn easy-rsa
Copy the sample configuration file shipped with OpenVPN to /etc/openvpn/server.conf; the OpenVPN server reads its configuration from that file.
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
If the above command shows permission denied, run it with sudo or switch to a root shell with sudo bash.
Configure OpenVPN Server
Edit the OpenVPN server configuration file in your text editor.
vim /etc/openvpn/server.conf
Remove the leading ";" to uncomment the existing lines, and add the missing ones, so that the configuration file contains the following entries.
tls-auth ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
user nobody
group nogroup
cert server.crt
key server.key
The above settings enable the Virtual Private Network (VPN) connection between the server and its clients. Also uncomment the following push lines, so that clients route all their traffic through the VPN and use the pushed DNS servers.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
Update Network Configuration
Now adjust the network settings so that VPN users can reach the network the OpenVPN server is on. First, enable IP forwarding on the server by setting net.ipv4.ip_forward to 1 in /etc/sysctl.conf.
vim /etc/sysctl.conf
Uncomment the line net.ipv4.ip_forward = 1 and then reload the settings.
sudo sysctl -p
Then NAT the internet traffic coming from the VPN network (10.8.0.0/24) out through the system's local network interface (eth0), where 10.8.0.0/24 is your VPN network and eth0 is the network interface of your system.
sudo modprobe iptable_nat
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Setup Certificate Authority
OpenVPN provides a secure VPN service by encrypting the traffic between server and clients with TLS/SSL. For this, the server and the clients need certificates issued by a trusted Certificate Authority (CA), so we first configure a CA on the system.
Let's create the directory for the certificate authority with the make-cadir command provided by easy-rsa. This command also initializes the directory with all required files (the vars file, the build-* scripts and the openssl configuration).
make-cadir /etc/openvpn/openvpn-ca/
cd /etc/openvpn/openvpn-ca/
Edit vars file in your text editor.
vim vars
Update the values below as required. They are used as the default values when issuing certificates for the server and the clients; if you want, you can also overwrite them during the certificate creation process.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="SalesforceDrillers"
export KEY_EMAIL="drillers@salesforcedrillers.com"
export KEY_OU="Security"
Load the values in the system environment.
source vars
Now execute ./clean-all to remove any existing keys, and then ./build-ca to build the CA certificate under the /etc/openvpn/openvpn-ca/ directory.
./clean-all
./build-ca
Sample output of the above command:
Generating a 2048 bit RSA private key
...+++
..........................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [TecAdmin]:
Organizational Unit Name (eg, section) [Security]:
Common Name (eg, your name or your server's hostname) [TecAdmin CA]:
Name [EasyRSA]:
Email Address [drillers@salesforcedrillers.com]:
Your system is now ready to act as a Certificate Authority and issue certificates.
Generate Server Certificate Files
First create the certificate for the OpenVPN server using the ./build-key-server command followed by the keyword server. This creates the required certificate and key files under the directory named keys.
cd /etc/openvpn/openvpn-ca/
./build-key-server server
Sample output of the above command:
...
...
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Salesforcedrillers'
organizationalUnitName:PRINTABLE:'Security'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'drillers@salesforcedrillers.com'
Certificate is to be certified until Jan  2 05:33:24 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Now generate strong Diffie-Hellman parameters for the key exchange using the command below. This step may take some time to complete.
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
After that, generate the HMAC key (ta.key) used by tls-auth, which strengthens the TLS integrity verification of the server.
openvpn --genkey --secret /etc/openvpn/openvpn-ca/keys/ta.key
After creating all the files, copy them to the /etc/openvpn directory.
cd /etc/openvpn/openvpn-ca/keys
sudo cp ca.crt ta.key server.crt server.key /etc/openvpn
Start OpenVPN Service
The OpenVPN server is now ready. Start the service using the systemctl command and then check the status of the service.
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
On a successful service start, you will see output like the following.
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-01-04 11:09:51 IST; 6s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 4403 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --
 Main PID: 4404 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
OpenVPN now creates a network interface named tun0. Execute the command below to see the IP assigned to the interface; normally it is the first IP of the network defined in server.conf.
ifconfig tun0
Generate Client Configuration
Your OpenVPN server is ready to use. Now generate the .ovpn client configuration files, which embed the private key and the certificates. I have made this process easier with a simple script that can generate any number of configuration files. Follow the steps below to generate the configuration files, and make sure to use the correct directory structure.
mkdir /etc/openvpn/clients
cd /etc/openvpn/clients
Create a shell script file as below.
vim make-vpn-client.sh
Copy the content below into it, update the OPENVPN_SERVER variable with the correct IP address of your OpenVPN server, and save the file.
#!/bin/bash
# Generate OpenVPN client configuration files.
# Usage: ./make-vpn-client.sh <client-name>

CLIENT_NAME=$1
OPENVPN_SERVER="192.168.1.237"
CA_DIR=/etc/openvpn/openvpn-ca
CLIENT_DIR=/etc/openvpn/clients

# Issue the client certificate and key with easy-rsa.
cd ${CA_DIR}
source vars
./build-key ${CLIENT_NAME}

# Write the client directives; cipher, auth and key-direction must match server.conf.
echo "client
dev tun
proto udp
remote ${OPENVPN_SERVER} 1194
user nobody
group nogroup
persist-key
persist-tun
cipher AES-128-CBC
auth SHA256
key-direction 1
remote-cert-tls server
comp-lzo
verb 3" > ${CLIENT_DIR}/${CLIENT_NAME}.ovpn

# Embed the CA certificate, client certificate, client key and tls-auth key inline.
cat <(echo -e '<ca>') \
    ${CA_DIR}/keys/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${CA_DIR}/keys/${CLIENT_NAME}.crt \
    <(echo -e '</cert>\n<key>') \
    ${CA_DIR}/keys/${CLIENT_NAME}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${CA_DIR}/keys/ta.key \
    <(echo -e '</tls-auth>') \
    >> ${CLIENT_DIR}/${CLIENT_NAME}.ovpn

echo -e "Client File Created - ${CLIENT_DIR}/${CLIENT_NAME}.ovpn"
Give the newly created script execute permission.
chmod +x ./make-vpn-client.sh
Now use this script to create the configuration file for a VPN client, including its certificate and key. Pass the client name as the command line parameter.
./make-vpn-client.sh salesforcedrillers
Press Enter to accept the default values for the certificate. At the end it prompts you to sign the certificate and to commit; answer y to both.
The script creates the client configuration file under /etc/openvpn/clients/, named after the client with the .ovpn extension, as shown in the last line of its output. Use this file to connect from remote systems.
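Before handing out a generated .ovpn file, it is worth checking that it agrees with the server settings configured above (same cipher and auth, key-direction 1 opposite the server's 0, remote-cert-tls server, and all four inline PEM blocks present). The following checker is an added example, not part of the original tutorial or of the script; the sample profile it tests is constructed in the same layout make-vpn-client.sh writes, with placeholder PEM bodies instead of real keys.

```python
import re

# Directives from the server.conf settings used on this page; the client profile must agree.
SERVER_CIPHER, SERVER_AUTH, SERVER_KEY_DIRECTION = "AES-128-CBC", "SHA256", 0
INLINE_BLOCKS = ("ca", "cert", "key", "tls-auth")

def parse_ovpn(text):
    """Split an inline .ovpn profile into {directive: args} and {tag: pem_body}."""
    blocks = {m.group(1): m.group(2).strip()
              for m in re.finditer(r"<([\w-]+)>\n(.*?)\n</\1>", text, re.S)}
    directives = {}
    for line in re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S).splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "#;":      # skip blanks and comments
            directives[parts[0]] = parts[1:]
    return directives, blocks

def check_profile(text):
    """Return findings for a client profile; an empty list means it is consistent."""
    d, b = parse_ovpn(text)
    findings = []
    for tag in INLINE_BLOCKS:                      # every credential must be embedded
        pem = b.get(tag)
        if pem is None:
            findings.append(f"missing <{tag}> block")
        elif not (pem.startswith("-----BEGIN ") and pem.endswith("-----")):
            findings.append(f"<{tag}> block is not a PEM body")
    if d.get("cipher") != [SERVER_CIPHER]:
        findings.append(f"cipher must be {SERVER_CIPHER}")
    if d.get("auth") != [SERVER_AUTH]:
        findings.append(f"auth must be {SERVER_AUTH}")
    if d.get("key-direction") != [str(1 - SERVER_KEY_DIRECTION)]:  # server 0 <-> client 1
        findings.append("key-direction must be 1 when the server uses 0")
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server is missing")
    return findings

def _block(tag, kind):
    """Constructed placeholder PEM block (not a real key or certificate)."""
    return f"<{tag}>\n-----BEGIN {kind}-----\nQ09OU1RSVUNURUQ=\n-----END {kind}-----\n</{tag}>"

# Constructed sample in the layout make-vpn-client.sh writes; not a real client profile.
GOOD_PROFILE = "\n".join([
    "client", "dev tun", "proto udp", "remote 192.168.1.237 1194",
    "cipher AES-128-CBC", "auth SHA256", "key-direction 1", "remote-cert-tls server",
    _block("ca", "CERTIFICATE"), _block("cert", "CERTIFICATE"),
    _block("key", "PRIVATE KEY"), _block("tls-auth", "OpenVPN Static key V1"), ""])
# Same profile but with the server's key-direction copied and the ta.key block dropped.
BAD_PROFILE = GOOD_PROFILE.replace("key-direction 1", "key-direction 0").split("<tls-auth>")[0]
```

Run check_profile on the file the script produced; a mismatch here shows up in practice as a TLS handshake failure or a tls-auth HMAC error in the server log.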
Now scp the VPN config file from the EC2 instance to your local system:
scp -i /directory/to/abc.pem user@your-ip:path/to/file /your/local/directory/files/to/download