Setting up OpenVPN server on ubuntu server – All things in moderation

Setting up OpenVPN server on ubuntu server

Requirements

  • System running Ubuntu 14.04 or 16.04

Install and config OpenVPN Server

1. Install openVPN server

sudo apt-get update
sudo apt-get install openvpn easy-rsa

2. Config CA

Create ca directory

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

Config ca vars

vi ~/openvpn-ca/vars

Edit the values in quotes to whatever you’d prefer:

. . .
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="server"
. . .

Build the Certificate Authority

source ./vars
./clean-all
./build-ca

Create the Server Certificate, Key, and Encryption Files

source ./vars
./pkitool --initca
./build-key-server server


./build-dh
openvpn --genkey --secret keys/ta.key

Generate a Client Certificate and Key Pair

cd ~/openvpn-ca
source vars
./build-key client
# or, for a client key protected by a passphrase, use this instead:
./build-key-pass client

3. Configure the OpenVPN Service

cd ~/openvpn-ca/keys
sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn

Copy and unzip a sample OpenVPN configuration file into configuration directory:

sudo gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo dd of=/etc/openvpn/server.conf

OpenVPN server Configuration

/etc/openvpn/server.conf

Remove the ";" to uncomment the following settings:

...
push "redirect-gateway def1 bypass-dhcp"
...
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
...
tls-auth ta.key 1
...
cipher AES-128-CBC
...
user nobody
group nogroup
...
# change the port and protocol, default port 1194 udp
port 1194
proto udp
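As an added example (not part of the original post), the following shell script audits a server.conf for the directives this section turns on (tls-auth, an explicit cipher, the drop to nobody/nogroup) and flags a mistyped protocol such as "proto upd" or a "cipher none"/"auth none" line. The function names are my own and the sample config it writes is constructed for the self-check, not copied from a real server.

```shell
#!/bin/sh
# Audit an OpenVPN server.conf for the directives this guide enables.
# Prints one "MISSING:"/"BAD:" line per finding; returns 1 if any, 0 when clean.
audit_server_conf() {
    conf=$1
    rc=0
    # Keep only active directive lines: drop lines commented out with ';' or '#'.
    active=$(grep -Ev '^[[:space:]]*[;#]' "$conf" || true)
    # tls-auth (HMAC on the control channel), an explicit cipher, and the
    # privilege drop to nobody/nogroup must all be uncommented.
    for want in 'tls-auth ' 'cipher ' 'user nobody' 'group nogroup'; do
        printf '%s\n' "$active" | grep -q -- "^$want" || { echo "MISSING: $want"; rc=1; }
    done
    # A mistyped protocol (e.g. "upd") stops the daemon from starting at all.
    proto=$(printf '%s\n' "$active" | awk '$1=="proto"{print $2}')
    case "$proto" in
        ""|udp|tcp|udp4|udp6|tcp4|tcp6|tcp-server) ;;
        *) echo "BAD: proto $proto"; rc=1 ;;
    esac
    # "cipher none" / "auth none" would silently turn the tunnel into plaintext.
    if printf '%s\n' "$active" | grep -Eq '^(cipher|auth)[[:space:]]+none'; then
        echo "BAD: cipher/auth none"; rc=1
    fi
    return $rc
}

# Constructed sample (not a real deployment): the guide's settings, but with
# tls-auth still commented out and the "proto upd" typo from the text.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
port 1194
proto upd
push "redirect-gateway def1 bypass-dhcp"
;tls-auth ta.key 1
cipher AES-128-CBC
user nobody
group nogroup
EOF
    echo "$f"
}

# Usage on a real server: audit_server_conf /etc/openvpn/server.conf
```

Run it after editing the file and before restarting the service; an empty report and a zero exit status mean every directive the guide relies on is active.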

4. Server Networking Configuration

Configure iptables:

sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT
sudo iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
sudo iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

5. Start and enable openvpn server

Configure the kernel to allow the server to forward traffic:

sudo vi /etc/sysctl.conf

Remove the "#" character from the beginning of the line to uncomment the following setting:

net.ipv4.ip_forward=1

Configure ufw to allow forwarded packets by default:

/etc/default/ufw

Edit DEFAULT_FORWARD_POLICY to DEFAULT_FORWARD_POLICY="ACCEPT"

Add a ufw rule for the OpenVPN port:

sudo ufw allow 1194/udp

You can also disable and re-enable ufw to reload the rules with the following commands:

sudo ufw disable
sudo ufw enable

Client connect

Generate a client configuration with the following script, saved as make_client.sh:

#!/bin/bash
# Build an inline client profile: base config + CA cert + client cert/key + TLS-auth key.
# The PKI path below is the one used in the original script; point it at wherever
# your CA keeps the files (this tutorial builds them in ~/openvpn-ca/keys).
set -e
[ -n "$1" ] || { echo "usage: $0 client_name" >&2; exit 1; }
PKI=/etc/openvpn/easy-rsa/pki
OUT=~/$1.ovpn
# client-common.txt holds the client-side directives; it must contain "key-direction 0"
# to pair with the server's "tls-auth ta.key 1".
cp /etc/openvpn/client-common.txt "$OUT"
echo "<ca>" >> "$OUT"
cat "$PKI/ca.crt" >> "$OUT"
echo "</ca>" >> "$OUT"
echo "<cert>" >> "$OUT"
cat "$PKI/issued/client.crt" >> "$OUT"
echo "</cert>" >> "$OUT"
echo "<key>" >> "$OUT"
cat "$PKI/private/client.key" >> "$OUT"
echo "</key>" >> "$OUT"
echo "<tls-auth>" >> "$OUT"
cat /etc/openvpn/ta.key >> "$OUT"
echo "</tls-auth>" >> "$OUT"
# The profile now contains a private key, so keep it readable by the owner only.
chmod 600 "$OUT"

Usage: run sudo ./make_client.sh client_name

Download OpenVPN from: https://openvpn.net/index.php/open-source/downloads.html

Use the .ovpn config file generated by make_client.sh to connect to the OpenVPN network.
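Before handing a generated .ovpn file to a user it is worth checking that it is actually usable: every inline block must open and close, the key-direction must be 0 to pair with this server's "tls-auth ta.key 1", and "remote-cert-tls server" should be present so the client refuses a peer that presents a client certificate. The checker below is an added example, not part of the original post or of make_client.sh; its function names are my own, and the sample profile it writes uses placeholder text in place of real certificates and keys.

```shell
#!/bin/sh
# Sanity-check an inline .ovpn profile before handing it to a client.
# Prints one "MISSING:"/"BAD:" line per finding; returns 1 if any, 0 when clean.
check_client_profile() {
    prof=$1
    rc=0
    # Each inline block must open and close exactly once, or OpenVPN refuses the profile.
    for tag in ca cert key tls-auth; do
        o=$(grep -c "^<$tag>$" "$prof" || true)
        c=$(grep -c "^</$tag>$" "$prof" || true)
        [ "$o" -eq 1 ] && [ "$c" -eq 1 ] || { echo "BAD: <$tag> block ($o open, $c close)"; rc=1; }
    done
    grep -Eq '^remote[[:space:]]' "$prof" || { echo "MISSING: remote"; rc=1; }
    # The server uses "tls-auth ta.key 1", so the client side of the HMAC key is direction 0.
    if grep -q '^<tls-auth>$' "$prof"; then
        grep -Eq '^key-direction[[:space:]]+0$' "$prof" \
            || { echo "BAD: key-direction must be 0 to pair with the server's tls-auth 1"; rc=1; }
    fi
    # remote-cert-tls server makes the client reject a peer presenting a client certificate.
    grep -Eq '^remote-cert-tls[[:space:]]+server$' "$prof" \
        || { echo "MISSING: remote-cert-tls server"; rc=1; }
    return $rc
}

# Constructed sample profile (placeholder PEM text, not real keys): the
# key-direction is wrong for this guide's server and the <key> block is unclosed.
write_sample_profile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
key-direction 1
<ca>
-----BEGIN CERTIFICATE----- (constructed placeholder)
</ca>
<cert>
(constructed placeholder)
</cert>
<key>
(constructed placeholder)
<tls-auth>
(constructed placeholder)
</tls-auth>
EOF
    echo "$f"
}

# Usage on a real profile: check_client_profile ~/client.ovpn
```

A non-zero exit with a "BAD: <key> block" line is the typical symptom of a concatenation script that lost one of its tag lines, which is exactly the failure a client reports as an unparseable config.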

Reference:

Automation script that installs and configures OpenVPN on Ubuntu and Debian: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
