Configure OpenVPN Server on Ubuntu 16.04

Prerequisites

SSH into your Ubuntu system, then refresh the apt cache and upgrade the installed packages to their latest versions.

sudo apt-get update
sudo apt-get upgrade

Install OpenVPN Server

Now install the openvpn package together with easy-rsa, which provides the scripts used below to run the certificate authority.

sudo apt-get install openvpn easy-rsa

Copy the sample server configuration shipped with the package to /etc/openvpn/server.conf; that is the file the openvpn@server service reads.

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/null

Writing through sudo tee is needed because a shell redirection (> file) is performed by your own, unprivileged shell, so putting sudo in front of gunzip alone still fails with permission denied. Alternatively, do this whole section from a root shell (sudo bash), which the later steps assume.

Configure OpenVPN Server

Open the server configuration file in your editor:

sudo vim /etc/openvpn/server.conf

Remove the leading ";" to uncomment the following lines where they already exist in the file, and add the ones that do not:

tls-auth ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
user nobody
group nogroup
cert server.crt
key server.key

tls-auth adds an HMAC to every control-channel packet using ta.key (generated below); packets without a valid HMAC are dropped before the TLS handshake even starts. key-direction 0 on the server pairs with key-direction 1 in the client profile. cipher and auth pin the data-channel cipher and HMAC: OpenVPN 2.3 on Ubuntu 16.04 has no AEAD ciphers, so AES-128-CBC with SHA256 is a sound choice there, while installations where both ends run 2.4 or later should prefer AES-256-GCM. user nobody and group nogroup drop the daemon's privileges once the tunnel is up, and cert and key name the server certificate and private key created later. The sample file also enables comp-lzo; keep it consistent with the client profile, but be aware that compressing traffic inside a TLS tunnel exposes it to compression-oracle attacks, so disable compression on both sides when your clients allow it. Finally, uncomment the push lines so that clients send all traffic through the VPN and use the pushed resolvers (OpenDNS here; substitute your own) instead of leaking DNS queries to their local network.

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Update Network Configuration

Now adjust the host's networking so that VPN clients can reach the rest of the network through the server. First enable IP forwarding by setting net.ipv4.ip_forward to 1 in /etc/sysctl.conf:

sudo vim /etc/sysctl.conf

Uncomment the line net.ipv4.ip_forward=1, then load the new value without rebooting:

sudo sysctl -p

Next, masquerade traffic arriving from the VPN subnet (10.8.0.0/24, the network declared by the server directive in server.conf) as it leaves the host's LAN interface (eth0). Check the interface name with ip link first: Ubuntu 16.04 may use a predictable name such as ens3 rather than eth0. Note that this rule lives only in the running kernel; persist it (for example with the iptables-persistent package) or it is gone after a reboot, and it is no substitute for a firewall policy on the host.

sudo modprobe iptable_nat
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Setup Certificate Authority

OpenVPN protects traffic between server and clients with TLS, so each side needs a certificate issued by a CA that the other side trusts. Rather than buying these, run your own CA on the server with easy-rsa. Create the CA directory with make-cadir (shipped with the easy-rsa package): unlike a plain mkdir it also copies the easy-rsa scripts and the vars template into the directory, which the following steps depend on. The directory lives under root-owned /etc/openvpn, so run this section from a root shell (sudo bash).

make-cadir /etc/openvpn/openvpn-ca
cd /etc/openvpn/openvpn-ca/

Edit vars file in your text editor.

vim vars

Update the values below as required. They become the defaults offered for every certificate the CA issues, for the server and clients alike; you can still override any of them at the prompts when a certificate is created.


export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="SalesforceDrillers"
export KEY_EMAIL="drillers@salesforcedrillers.com"
export KEY_OU="Security"

Load the values into your shell environment (the build scripts read them from there):

source vars

Run ./clean-all to wipe and re-initialise the keys/ directory (this deletes any existing CA, so do it only once), then ./build-ca to generate the CA private key and self-signed certificate, ca.key and ca.crt, under /etc/openvpn/openvpn-ca/keys/. ca.key is the root of trust for the whole VPN: anyone holding it can issue client certificates the server will accept, so keep it readable by root only and never copy it to clients.

./clean-all
./build-ca

Sample output of above command:

Generating a 2048 bit RSA private key
...+++
..........................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [TecAdmin]:
Organizational Unit Name (eg, section) [Security]:
Common Name (eg, your name or your server's hostname) [TecAdmin CA]:
Name [EasyRSA]:
Email Address [drillers@salesforcedrillers.com]:

Now your system is ready as Certificate Authority to issue the certificates.

Generate Server Certificate Files

Create the server certificate with ./build-key-server, passing server as the name: it becomes the certificate's Common Name, and the signed certificate and private key are written to the keys/ directory as server.crt and server.key. build-key-server also applies the server extensions (extendedKeyUsage serverAuth, nsCertType server), which is what the clients' remote-cert-tls server directive later checks, so that a stolen client certificate cannot be used to impersonate the server.

cd /etc/openvpn/openvpn-ca/
./build-key-server server

Sample output of above command:

...
...
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Salesforcedrillers'
organizationalUnitName:PRINTABLE:'Security'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'drillers@salesforcedrillers.com'
Certificate is to be certified until Jan  2 05:33:24 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now generate Diffie-Hellman parameters for the TLS key exchange; the sample server.conf expects them in dh2048.pem. This can take several minutes.

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Next generate the static key for tls-auth. The server and every client share it, and with it the server rejects any control-channel packet that lacks a valid HMAC before doing any TLS work, which hides the service from port scans and blunts pre-authentication denial of service against the handshake.

openvpn --genkey --secret /etc/openvpn/openvpn-ca/keys/ta.key

Copy the server's files into /etc/openvpn, where server.conf expects them. server.key must stay readable by root only (mode 0600); ta.key is a shared secret and should be treated the same way.

cd /etc/openvpn/openvpn-ca/keys
sudo cp ca.crt ta.key server.crt server.key /etc/openvpn
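
Every certificate the CA signs is recorded in keys/index.txt, the OpenSSL CA database that the "Data Base Updated" line above refers to; it is the authoritative list of which server and client certificates are live, revoked or about to expire. The following Python script is an added example, not part of the original tutorial: it parses that file (status, notAfter, revocation time, serial, DN), lists the certificates still valid at a given time, those expiring within a window, and live certificates that share a Common Name, which matters because OpenVPN identifies a client by its certificate CN. SAMPLE_INDEX is constructed to match this tutorial's DN fields and is not taken from a real CA; on the server, point it at /etc/openvpn/openvpn-ca/keys/index.txt instead.

```python
"""Inventory an easy-rsa 2 CA from keys/index.txt (the OpenSSL CA database).

Added example, not part of the original tutorial. Each line of index.txt is
tab-separated: status (V/R/E), notAfter, revocation time[,reason], serial,
filename, subject DN."""
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional


class CertEntry(NamedTuple):
    status: str                     # 'V' valid, 'R' revoked, 'E' expired
    not_after: datetime
    revoked_at: Optional[datetime]
    serial: str
    subject: str
    common_name: str


def parse_ca_time(value: str) -> datetime:
    """OpenSSL CA database timestamps are UTCTime: YYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[CertEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, not_after, revoked, serial, _filename, subject = fields
        # The revocation field may carry a reason: "180201100000Z,superseded"
        revoked_at = parse_ca_time(revoked.split(",")[0]) if revoked else None
        cn = next((part[3:] for part in subject.split("/") if part.startswith("CN=")), "")
        entries.append(CertEntry(status, parse_ca_time(not_after), revoked_at,
                                 serial, subject, cn))
    return entries


def valid_entries(entries: List[CertEntry], now: datetime) -> List[CertEntry]:
    """Certificates the CA still vouches for: status V and not past notAfter
    (index.txt only flips V to E when 'openssl ca -updatedb' is run)."""
    return [e for e in entries if e.status == "V" and e.not_after > now]


def expiring_within(entries: List[CertEntry], now: datetime, days: int) -> List[CertEntry]:
    deadline = now + timedelta(days=days)
    return [e for e in valid_entries(entries, now) if e.not_after <= deadline]


def duplicate_common_names(entries: List[CertEntry], now: datetime) -> List[str]:
    """OpenVPN identifies a client by its certificate CN, so two live
    certificates sharing a CN (possible when the CA permits non-unique
    subjects or the other DN fields differ) deserve a look."""
    seen, dupes = set(), []
    for e in valid_entries(entries, now):
        if e.common_name in seen and e.common_name not in dupes:
            dupes.append(e.common_name)
        seen.add(e.common_name)
    return dupes


# Constructed sample using this tutorial's DN fields; not a real CA database.
_DN = "/C=US/ST=CA/L=SanFrancisco/O=SalesforceDrillers/OU=Security/CN={}/name=EasyRSA/emailAddress=drillers@salesforcedrillers.com"
SAMPLE_INDEX = "\n".join([
    "V\t280102053324Z\t\t01\tunknown\t" + _DN.format("server"),
    "V\t280105120000Z\t\t02\tunknown\t" + _DN.format("salesforcedrillers"),
    "R\t280106120000Z\t180201100000Z,superseded\t03\tunknown\t" + _DN.format("laptop-old"),
    "V\t180301000000Z\t\t04\tunknown\t" + _DN.format("salesforcedrillers"),
])

if __name__ == "__main__":
    now = parse_ca_time("180215000000Z")            # fixed 'now' so the output is reproducible
    entries = parse_index(SAMPLE_INDEX)
    for e in valid_entries(entries, now):
        print(f"{e.serial}  CN={e.common_name:<20} expires {e.not_after:%Y-%m-%d}")
    print("expiring within 30 days:", [e.common_name for e in expiring_within(entries, now, 30)])
    print("duplicate CNs:", duplicate_common_names(entries, now))
```

Run it as root or copy index.txt out first, since keys/ is created with mode 0700. Revoking a client with easy-rsa 2's ./revoke-full <name> flips its line to R and writes keys/crl.pem; the server only honours that if server.conf also carries a crl-verify directive pointing at the CRL, which this tutorial does not set up.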

Start OpenVPN Service

The server is now ready. Start the instance of the openvpn@ service template that reads server.conf and check its status. Enable it as well (systemctl enable openvpn@server) if it should come up on boot; the status output below shows the unit as disabled.

sudo systemctl start openvpn@server
sudo systemctl status openvpn@server

On the successful service start, you will see results like below.

● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-01-04 11:09:51 IST; 6s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 4403 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --
 Main PID: 4404 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service

OpenVPN now has a tun0 interface. The command below shows its address, which is the first host of the subnet set by the server directive in server.conf (10.8.0.1 for the default 10.8.0.0/24):

ifconfig tun0

Generate Client Configuration

Your OpenVPN server is ready to use. Next, generate .ovpn client profiles that embed the CA certificate, the client's certificate and private key, and the tls-auth key, so that a client needs only one file. The script below issues a client certificate and writes such a profile; run it once per client. Keep the directory layout used here, since the script relies on it.

mkdir /etc/openvpn/clients
cd /etc/openvpn/clients

Create a shell script file as below.

vim make-vpn-client.sh

Paste the content below into it, set OPENVPN_SERVER to the address clients will connect to (the server's public IP or DNS name; a private address such as the one shown only works for clients on that network), and save it.

#!/bin/bash
# Generate an OpenVPN client profile (.ovpn) with the CA certificate, client
# certificate, client key and tls-auth key embedded inline.
# Usage: ./make-vpn-client.sh <client-name>
# Run as root: build-key writes into the CA's keys/ directory.
set -e
CLIENT_NAME="$1"
OPENVPN_SERVER="192.168.1.237"      # public IP or DNS name of the OpenVPN server
CA_DIR=/etc/openvpn/openvpn-ca
CLIENT_DIR=/etc/openvpn/clients
if [ -z "${CLIENT_NAME}" ]; then
    echo "usage: $0 <client-name>" >&2
    exit 1
fi
OVPN="${CLIENT_DIR}/${CLIENT_NAME}.ovpn"
cd "${CA_DIR}"
source vars
./build-key "${CLIENT_NAME}"        # issues keys/<name>.crt and keys/<name>.key
# These directives must match server.conf: same cipher, auth and comp-lzo;
# key-direction 1 is the client side of the server's "tls-auth ta.key 0".
umask 077                           # the profile embeds a private key
cat > "${OVPN}" <<EOF
client
dev tun
proto udp
remote ${OPENVPN_SERVER} 1194
user nobody
group nogroup
persist-key
persist-tun
cipher AES-128-CBC
auth SHA256
key-direction 1
remote-cert-tls server
comp-lzo
verb 3
EOF
# Inline blocks; OpenVPN ignores the text dump easy-rsa prepends to .crt files.
{
    echo '<ca>';       cat "${CA_DIR}/keys/ca.crt";               echo '</ca>'
    echo '<cert>';     cat "${CA_DIR}/keys/${CLIENT_NAME}.crt";   echo '</cert>'
    echo '<key>';      cat "${CA_DIR}/keys/${CLIENT_NAME}.key";   echo '</key>'
    echo '<tls-auth>'; cat "${CA_DIR}/keys/ta.key";               echo '</tls-auth>'
} >> "${OVPN}"
echo "Client File Created - ${OVPN}"

Make the script executable:

chmod +x ./make-vpn-client.sh

Now use the script to create a profile, with the client's certificate and keys, for each VPN client. The client name is passed as the only command-line argument:

./make-vpn-client.sh salesforcedrillers

build-key prompts for the same DN fields as build-ca; press Enter to accept the defaults from vars. The Common Name defaults to the client name you passed, and it is how the server identifies this client, so use a distinct name per user or device. At the end answer y to both "Sign the certificate?" and "commit?".


The script writes the profile to /etc/openvpn/clients/<client-name>.ovpn, as the last line of its output shows; remote systems connect using this single file. Because it contains the client's private key, treat the profile as a secret: transfer it only over an authenticated channel and delete copies that are no longer needed.
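Before handing a profile to a user it is worth checking it mechanically against server.conf: the cipher and auth lines from the Configure OpenVPN Server section and in the script's profile must match, key-direction 0 on the server must pair with 1 in the profile, comp-lzo must be on both sides or on neither, and all four inline blocks must actually contain PEM material. The Python script below is an added example, not part of the original tutorial or of OpenVPN itself: a stdlib-only parser for OpenVPN config files with inline blocks and a check_profile function that reports such mismatches, together with the weak-cipher and compression caveats raised earlier. SERVER_CONF, GOOD_PROFILE and BAD_PROFILE are constructed inputs with placeholder PEM bodies; to check real files, read /etc/openvpn/server.conf and a generated .ovpn and pass their contents in.

```python
"""Consistency checks for a generated .ovpn profile against server.conf.
Added example, not part of the original tutorial: a stdlib-only parser for
OpenVPN config files with inline <ca>/<cert>/<key>/<tls-auth> blocks."""
import re
from typing import Dict, List, Optional, Tuple

# 64-bit block ciphers; BF-CBC is also what OpenVPN 2.3 uses when cipher is unset
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "none"}
COMP_WARNING = ("warning: comp-lzo enabled; compressing TLS-protected traffic exposes "
                "it to compression-oracle attacks, disable it on both sides when clients allow")
PEM_MARKERS = {"ca": "-----BEGIN CERTIFICATE-----", "cert": "-----BEGIN CERTIFICATE-----",
               "key": "PRIVATE KEY-----", "tls-auth": "-----BEGIN OpenVPN Static key V1-----"}

def parse_ovpn(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return (directives, inline): directive -> args of its last occurrence,
    inline block name -> body. Raises ValueError on an unterminated block."""
    directives: Dict[str, List[str]] = {}
    inline: Dict[str, str] = {}
    current: Optional[str] = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                       # inside <block> ... </block>
            if line == f"</{current}>":
                inline[current], current = "\n".join(body), None
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":               # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current, body = m.group(1), []
            continue
        name, *args = line.split()
        directives[name] = args
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, inline

def key_direction(d: Dict[str, List[str]]) -> Optional[str]:
    """tls-auth direction: explicit key-direction, else the second tls-auth argument."""
    if "key-direction" in d:
        return d["key-direction"][0]
    if len(d.get("tls-auth", [])) > 1:
        return d["tls-auth"][1]
    return None

def check_profile(profile: str, server_conf: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    c, inline = parse_ovpn(profile)
    s, _ = parse_ovpn(server_conf)
    for block, marker in PEM_MARKERS.items():        # every inline block present and PEM-shaped
        if block not in inline:
            findings.append(f"missing <{block}> block")
        elif marker not in inline[block]:
            findings.append(f"<{block}> block has no '{marker}' line")
    for name in ("cipher", "auth"):                  # data-channel parameters must match exactly
        if c.get(name) != s.get(name):
            findings.append(f"{name} mismatch: client {c.get(name)} vs server {s.get(name)}")
    cipher = c.get("cipher", ["BF-CBC"])[0]
    if cipher in WEAK_CIPHERS:
        findings.append(f"weak data-channel cipher {cipher}")
    sd, cd = key_direction(s), key_direction(c)      # server 0 pairs with client 1, or neither set
    if not (sd is None and cd is None) and {sd, cd} != {"0", "1"}:
        findings.append(f"tls-auth key-direction not complementary: server {sd}, client {cd}")
    if ("comp-lzo" in c) != ("comp-lzo" in s):
        findings.append("comp-lzo set on only one side")
    elif "comp-lzo" in c:
        findings.append(COMP_WARNING)
    if c.get("remote-cert-tls") != ["server"]:       # otherwise any client cert could pose as the server
        findings.append("client lacks 'remote-cert-tls server'")
    if not c.get("remote"):
        findings.append("client lacks 'remote <host> [port]'")
    return findings

def _pem(kind: str) -> str:                          # constructed placeholder, not real key material
    return f"-----BEGIN {kind}-----\nplaceholder\n-----END {kind}-----"

# Constructed inputs: the tutorial's server directives and the profile its script emits.
SERVER_CONF = "\n".join(["port 1194", "proto udp", "dev tun", "server 10.8.0.0 255.255.255.0",
                         "tls-auth ta.key 0", "key-direction 0", "cipher AES-128-CBC",
                         "auth SHA256", "comp-lzo", "user nobody", "group nogroup"])
GOOD_PROFILE = "\n".join([
    "client", "dev tun", "proto udp", "remote 192.168.1.237 1194", "cipher AES-128-CBC",
    "auth SHA256", "key-direction 1", "remote-cert-tls server", "comp-lzo",
    "<ca>", _pem("CERTIFICATE"), "</ca>", "<cert>", _pem("CERTIFICATE"), "</cert>",
    "<key>", _pem("PRIVATE KEY"), "</key>", "<tls-auth>", _pem("OpenVPN Static key V1"), "</tls-auth>"])
# The same profile with the mistakes the checks exist to catch.
BAD_PROFILE = (GOOD_PROFILE.replace("cipher AES-128-CBC", "cipher BF-CBC")
               .replace("key-direction 1", "key-direction 0")
               .replace("remote-cert-tls server\n", "")
               .replace("-----BEGIN OpenVPN Static key V1-----\n", ""))

if __name__ == "__main__":
    for label, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, *check_profile(profile, SERVER_CONF), sep="\n  ")
```

The COMP_WARNING finding is advisory; every other finding either stops the client from connecting or weakens the tunnel. The cipher and auth checks matter because OpenVPN 2.3 does not negotiate data-channel parameters: with a mismatch the TLS handshake still succeeds and the failure shows up only as packet decrypt errors in the log.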

Finally, copy the profile from the server (here an EC2 instance reached with its SSH key) to the local system with scp:

scp -i /directory/to/abc.pem user@your-ip:path/to/file /your/local/directory/files/to/download