How To Set Up an OpenVPN Server on Ubuntu
Posted: 3 months ago         
By: kashif    

Introduction
Want to access the Internet safely and securely from your smartphone or laptop when connected to an untrusted network such as the WiFi of a hotel or coffee shop? A Virtual Private Network (VPN) allows you to traverse untrusted networks privately and securely as if you were on a private network. The traffic emerges from the VPN server and continues its journey to the destination.

When combined with HTTPS connections, this setup allows you to secure your wireless logins and transactions. You can circumvent geographical restrictions and censorship, and shield your location and any unencrypted HTTP traffic from the untrusted network.

OpenVPN is a full-featured, open-source Secure Socket Layer (SSL) VPN solution that accommodates a wide range of configurations. In this tutorial, you will set up an OpenVPN server on an Ubuntu 18.04 server and then configure access to it from Windows, macOS, iOS and/or Android. This tutorial will keep the installation and configuration steps as simple as possible for each of these setups.

Prerequisites
To complete this tutorial, you will need access to an Ubuntu 18.04 server to host your OpenVPN service. You will need to configure a non-root user with sudo privileges before you start this guide. You can follow our Ubuntu 18.04 initial server setup guide to set up a user with appropriate permissions. The linked tutorial will also set up a firewall, which is assumed to be in place throughout this guide.

Additionally, you will need a separate machine to serve as your certificate authority (CA). While it's technically possible to use your OpenVPN server or your local machine as your CA, this is not recommended: whoever compromises the machine holding the CA private key can issue themselves a valid client certificate and join your VPN. Per the official OpenVPN documentation, you should place your CA on a standalone machine that's dedicated to importing and signing certificate requests. For this reason, this guide assumes that your CA is on a separate Ubuntu 18.04 server that also has a non-root user with sudo privileges and a basic firewall.

Please note that if you disable password authentication while configuring these servers, you may run into difficulties when transferring files between them later on in this guide. To resolve this issue, you could re-enable password authentication on each server. Alternatively, you could generate an SSH keypair for each server, then add the OpenVPN server's public SSH key to the CA machine's authorized_keys file and vice versa. See How to Set Up SSH Keys on Ubuntu 18.04 for instructions on how to perform either of these solutions.

When you have these prerequisites in place, you can move on to Step 1 of this tutorial.

Step 1 — Installing OpenVPN and EasyRSA
To start off, update your VPN serverís package index and install OpenVPN. OpenVPN is available in Ubuntu's default repositories, so you can use apt for the installation:

sudo apt update
sudo apt install openvpn
OpenVPN is a TLS/SSL VPN. This means that it utilizes certificates in order to encrypt traffic between the server and clients. To issue trusted certificates, you will set up your own simple certificate authority (CA). To do this, we will download the latest version of EasyRSA, which we will use to build our CA public key infrastructure (PKI), from the project's official GitHub repository.

As mentioned in the prerequisites, we will build the CA on a standalone server. The reason for this approach is that, if an attacker were able to infiltrate your VPN server, they would be able to access your CA private key and use it to sign new certificates, giving them access to your VPN. Accordingly, managing the CA from a standalone machine helps to prevent unauthorized users from accessing your VPN. Note, as well, that it's recommended that you keep the CA server turned off when not being used to sign keys as a further precautionary measure.

To begin building the CA and PKI infrastructure, install the latest version of EasyRSA from the official GitHub project on both your CA machine and your OpenVPN server with the following command:

wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
Then extract the tarball:

cd ~
tar xvf EasyRSA-3.0.4.tgz
You have successfully installed all the required software on your server and CA machine. Continue on to configure the variables used by EasyRSA and to set up a CA directory, from which you will generate the keys and certificates needed for your server and clients to access the VPN.

Step 2 — Configuring the EasyRSA Variables and Building the CA
EasyRSA comes installed with a configuration file which you can edit to define a number of variables for your CA.

On your CA machine, navigate to the EasyRSA directory:

cd ~/EasyRSA-3.0.4/
Inside this directory is a file named vars.example. Make a copy of this file, and name the copy vars without a file extension:

cp vars.example vars
Open this new file using your preferred text editor:

nano vars
Find the settings that set field defaults for new certificates. It will look something like this:

~/EasyRSA-3.0.4/vars
. . .

#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"

. . .
Uncomment these lines and replace the quoted values with whatever you'd prefer, but do not leave any of them blank:

~/EasyRSA-3.0.4/vars
. . .

set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "NewYork"
set_var EASYRSA_REQ_CITY "New York City"
set_var EASYRSA_REQ_ORG "DigitalOcean"
set_var EASYRSA_REQ_EMAIL "admin@example.com"
set_var EASYRSA_REQ_OU "Community"

. . .
When you are finished, save and close the file.

Within the EasyRSA directory is a script called easyrsa which is called to perform a variety of tasks involved with building and managing the CA. Run this script with the init-pki option to initiate the public key infrastructure on the CA server:

./easyrsa init-pki
Output
. . .
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/sammy/EasyRSA-3.0.4/pki
After this, call the easyrsa script again, following it with the build-ca option. This will build the CA and create two important files, ca.crt and ca.key, which are the CA's public certificate and private key respectively.

ca.crt is the CA's public certificate. In the context of OpenVPN, the server and each client use it to verify that the certificate presented by the other side was issued by this CA and not by someone performing a man-in-the-middle attack. For this reason, your server and all of your clients will need a copy of the ca.crt file.
ca.key is the private key which the CA machine uses to sign certificates for servers and clients. If an attacker gains access to your CA and, in turn, your ca.key file, they will be able to sign their own certificate requests and gain access to your VPN. This is why the ca.key file should exist only on your CA machine and why, ideally, that machine should be kept offline when it is not signing certificate requests.
If you don't want to be prompted for a password every time you interact with your CA, you can run the build-ca command with the nopass option, like this:

./easyrsa build-ca nopass
Be aware that nopass leaves ca.key unencrypted on disk, so anyone who can read the file can sign certificates; if you omit nopass, EasyRSA encrypts the key with a passphrase that you will be asked for at every signing step below. In the output, you'll be asked to confirm the common name for your CA:

Output
. . .
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
The common name is the name used to refer to this machine in the context of the certificate authority. You can enter any string of characters for the CA's common name but, for simplicity's sake, press ENTER to accept the default name.

With that, your CA is in place and it's ready to start signing certificate requests.

Step 3 — Creating the Server Certificate, Key, and Encryption Files
Now that you have a CA ready to go, you can generate a private key and certificate request on your server, transfer the request to your CA to be signed, and bring the resulting certificate back. You will also create some additional files used during the TLS handshake.

Start by navigating to the EasyRSA directory on your OpenVPN server:

cd EasyRSA-3.0.4/
From there, run the easyrsa script with the init-pki option. Although you already ran this command on the CA machine, it's necessary to run it here because your server and CA will have separate PKI directories:

./easyrsa init-pki
Then call the easyrsa script again, this time with the gen-req option followed by a common name for the machine. Again, this could be anything you like but it can be helpful to make it something descriptive. Throughout this tutorial, the OpenVPN server's common name will simply be "server". Be sure to include the nopass option as well. Without it, EasyRSA encrypts the server's private key with a passphrase, and the OpenVPN service has no way to supply one when it starts unattended at boot:

Note: If you choose a name other than "server" here, you will have to adjust some of the instructions below. For instance, when copying the generated files to the /etc/openvpn directory, you will have to substitute the correct names. You will also have to modify the /etc/openvpn/server.conf file later to point to the correct .crt and .key files.

./easyrsa gen-req server nopass
This will create a private key for the server and a certificate request file called server.req. Copy the server key to the /etc/openvpn/ directory. Note that cp does not preserve the restrictive 0600 mode EasyRSA gave the key, so make sure the copy in /etc/openvpn ends up readable only by root:

sudo cp ~/EasyRSA-3.0.4/pki/private/server.key /etc/openvpn/
Using a secure method (like SCP, in our example below), transfer the server.req file to your CA machine:

scp ~/EasyRSA-3.0.4/pki/reqs/server.req sammy@your_CA_ip:/tmp
Next, on your CA machine, navigate to the EasyRSA directory:

cd EasyRSA-3.0.4/
Using the easyrsa script again, import the server.req file, following the file path with its common name:

./easyrsa import-req /tmp/server.req server
Then sign the request by running the easyrsa script with the sign-req option, followed by the request type and the common name. The request type can either be client or server, so for the OpenVPN server's certificate request, be sure to use the server request type:

./easyrsa sign-req server server
In the output, you'll be asked to verify that the request comes from a trusted source. Type yes then press ENTER to confirm this:

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
commonName = server


Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
If you encrypted your CA key, you'll be prompted for your password at this point.

Next, transfer the signed certificate back to your VPN server using a secure method:

scp pki/issued/server.crt sammy@your_server_ip:/tmp
Before logging out of your CA machine, transfer the ca.crt file to your server as well:

scp pki/ca.crt sammy@your_server_ip:/tmp
Next, log back into your OpenVPN server and copy the server.crt and ca.crt files into your /etc/openvpn/ directory:

sudo cp /tmp/{server.crt,ca.crt} /etc/openvpn/
Then navigate to your EasyRSA directory:

cd EasyRSA-3.0.4/
From there, generate the Diffie-Hellman parameters used during key exchange by typing:

./easyrsa gen-dh
This may take a few minutes to complete. Once it does, generate a pre-shared TLS authentication key. The server and every client hold a copy of this key and use it to add an HMAC to each TLS control-channel packet, so packets from anyone who does not have the key are dropped before the TLS handshake even begins:

openvpn --genkey --secret ta.key
(On OpenVPN 2.5 and later the --secret flag has been replaced by the subcommand form openvpn --genkey secret ta.key; the form above is the one for the 2.4 build that Ubuntu 18.04 ships.) When the command finishes, copy the two new files to your /etc/openvpn/ directory:

sudo cp ~/EasyRSA-3.0.4/ta.key /etc/openvpn/
sudo cp ~/EasyRSA-3.0.4/pki/dh.pem /etc/openvpn/
With that, all the certificate and key files needed by your server have been generated. You're ready to create the corresponding certificates and keys which your client machine will use to access your OpenVPN server.

Step 4 — Generating a Client Certificate and Key Pair
Although you can generate a private key and certificate request on your client machine and then send it to the CA to be signed, this guide outlines a process for generating the certificate request on the server. The benefit of this is that we can create a script which will automatically generate client configuration files that contain all of the required keys and certificates. This lets you avoid having to transfer keys, certificates, and configuration files to clients and streamlines the process of joining the VPN.

We will generate a single client key and certificate pair for this guide. If you have more than one client, you can repeat this process for each one. Please note, though, that you will need to pass a unique name value to the script for every client. Throughout this tutorial, the first certificate/key pair is referred to as client1.

Get started by creating a directory structure within your home directory to store the client certificate and key files:

mkdir -p ~/client-configs/keys
Since you will store your clients' certificate/key pairs and configuration files in this directory, you should lock down its permissions now as a security measure:

chmod -R 700 ~/client-configs
Next, navigate back to the EasyRSA directory and run the easyrsa script with the gen-req and nopass options, along with the common name for the client:

cd ~/EasyRSA-3.0.4/
./easyrsa gen-req client1 nopass
Press ENTER to confirm the common name. Then, copy the client1.key file to the /client-configs/keys/ directory you created earlier:

cp pki/private/client1.key ~/client-configs/keys/
Next, transfer the client1.req file to your CA machine using a secure method:

scp pki/reqs/client1.req sammy@your_CA_ip:/tmp
Log in to your CA machine, navigate to the EasyRSA directory, and import the certificate request:

ssh sammy@your_CA_ip
cd EasyRSA-3.0.4/
./easyrsa import-req /tmp/client1.req client1
Then sign the request as you did for the server in the previous step. This time, though, be sure to specify the client request type:

./easyrsa sign-req client client1
At the prompt, enter yes to confirm that you intend to sign the certificate request and that it came from a trusted source:

Output
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Again, if you encrypted your CA key, you'll be prompted for your password here.

This will create a client certificate file named client1.crt. Transfer this file back to the server:

scp pki/issued/client1.crt sammy@your_server_ip:/tmp
SSH back into your OpenVPN server and copy the client certificate to the /client-configs/keys/ directory:

cp /tmp/client1.crt ~/client-configs/keys/
Next, copy the ca.crt and ta.key files to the /client-configs/keys/ directory as well:

cp EasyRSA-3.0.4/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
With that, your server and client's certificates and keys have all been generated and are stored in the appropriate directories on your server. There are still a few actions that need to be performed with these files, but those will come in a later step. For now, you can move on to configuring OpenVPN on your server.
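The following script is an added example, not part of the original tutorial, for checking the output of Steps 3 and 4 on the CA machine before any file is copied elsewhere: that an issued certificate really chains to your ca.crt, and that it carries the extended key usage that sign-req server or sign-req client stamped into it (a client configured with remote-cert-tls server refuses a server whose certificate lacks the server-authentication usage, which is why the request type matters). It needs only openssl. Because EasyRSA output is not assumed to be on hand, the script builds a throwaway CA, a server certificate, a client certificate and an unrelated self-signed certificate with plain openssl as a constructed stand-in for the pki/ directory; the function names and the fixture directory are the example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check certificates issued
# by the CA before they are copied to the VPN server or to a client.
# Needs only the openssl command-line tool.

# Exit 0 if CERT was issued by (chains to) the CA certificate CA, else non-zero.
chains_to_ca() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Print the Extended Key Usage values of CERT (empty if the extension is absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}' | sed 's/^ *//'
}

# A usable OpenVPN server certificate: trusted by our CA *and* marked for
# server authentication, which is what "easyrsa sign-req server" stamps in
# and what a client's "remote-cert-tls server" directive later checks for.
is_server_cert() {
    chains_to_ca "$1" "$2" && cert_eku "$2" | grep -q 'TLS Web Server Authentication'
}

# Likewise for a certificate produced with "easyrsa sign-req client".
is_client_cert() {
    chains_to_ca "$1" "$2" && cert_eku "$2" | grep -q 'TLS Web Client Authentication'
}

# Constructed fixture standing in for EasyRSA's pki/ directory: a throwaway CA,
# one server and one client certificate carrying the same extensions EasyRSA 3
# uses, plus a self-signed "rogue" certificate with CN=server that our CA
# never issued (what a man-in-the-middle could present).
make_fixture_pki() {
    dir="$1"; mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/server.ext"
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
    gen_req() {   # <name> <common name>  ->  $dir/<name>.key and $dir/<name>.req
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$1.key" \
            -out "$dir/$1.req" -subj "/CN=$2" >/dev/null 2>&1
    }
    gen_req ca "Easy-RSA CA"; gen_req server server
    gen_req client1 client1;  gen_req rogue server
    # self-signed CA certificate (what build-ca produces)
    openssl x509 -req -in "$dir/ca.req" -signkey "$dir/ca.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
    # certificates issued by the CA (sign-req server / sign-req client)
    openssl x509 -req -in "$dir/server.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client1.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -extfile "$dir/client.ext" -out "$dir/client1.crt" >/dev/null 2>&1
    # the rogue certificate has the right name and extensions but the wrong issuer
    openssl x509 -req -in "$dir/rogue.req" -signkey "$dir/rogue.key" -days 30 \
        -extfile "$dir/server.ext" -out "$dir/rogue.crt" >/dev/null 2>&1
}

# Stand-alone demo. On the CA machine, point the checks at pki/ca.crt and
# pki/issued/<name>.crt instead of the fixture.
demo() {
    d=$(mktemp -d)
    make_fixture_pki "$d"
    for f in server.crt client1.crt rogue.crt; do
        if   is_server_cert "$d/ca.crt" "$d/$f"; then echo "$f: OK as server certificate"
        elif is_client_cert "$d/ca.crt" "$d/$f"; then echo "$f: OK as client certificate"
        else echo "$f: REJECTED (not issued by our CA, or wrong key usage)"
        fi
    done
    rm -rf "$d"
}
demo
```

Run it as is to see the three verdicts; on the CA, call is_server_cert pki/ca.crt pki/issued/server.crt and is_client_cert pki/ca.crt pki/issued/client1.crt instead. The rogue certificate shows why ca.crt is the trust anchor worth protecting: a certificate with the right common name but a different issuer is rejected outright, while a client certificate used in the server's place fails on key usage alone.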

Step 5 — Configuring the OpenVPN Service
Now that both your client and server's certificates and keys have been generated, you can begin configuring the OpenVPN service to use these credentials.

Start by copying a sample OpenVPN configuration file into the configuration directory and then extract it in order to use it as a basis for your setup:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
Open the server configuration file in your preferred text editor:

sudo nano /etc/openvpn/server.conf
Find the HMAC section by looking for the tls-auth directive. This line should already be uncommented, but if it isn't then remove the ";" to uncomment it. Below this line, add the key-direction parameter, set to "0" (the server uses direction 0 and clients use direction 1, so the two sides derive different HMAC keys from the shared ta.key):

/etc/openvpn/server.conf
tls-auth ta.key 0 # This file is secret
key-direction 0
Next, find the section on cryptographic ciphers by looking for the cipher lines. The AES-256-CBC cipher offers a good level of encryption and is well supported. Again, this line should already be uncommented, but if it isn't then just remove the ";" preceding it. Note that OpenVPN 2.4 servers and clients negotiate AES-256-GCM with each other by default regardless of this setting; the cipher named here is the fallback used with older clients that cannot negotiate:

/etc/openvpn/server.conf
cipher AES-256-CBC
Below this, add an auth directive to select the HMAC message digest algorithm. For this, SHA256 is a good choice:

/etc/openvpn/server.conf
auth SHA256
Next, find the line containing a dh directive which defines the Diffie-Hellman parameters. Because of some recent changes made to EasyRSA, the filename for the Diffie-Hellman key may be different than what is listed in the example server configuration file. If necessary, change the file name listed here by removing the 2048 so it aligns with the key you generated in the previous step:

/etc/openvpn/server.conf
dh dh.pem
Finally, find the user and group settings and remove the ";" at the beginning of each to uncomment these lines:

/etc/openvpn/server.conf
user nobody
group nogroup
The changes you've made to the sample server.conf file up to this point are necessary in order for OpenVPN to function. The changes outlined below are optional, though they too are needed for many common use cases.

(Optional) Push DNS Changes to Redirect All Traffic Through the VPN
The settings above will create the VPN connection between the two machines, but will not force any connections to use the tunnel. If you wish to use the VPN to route all of your traffic, you will likely want to push the DNS settings to the client computers.

There are a few directives in the server.conf file which you must change in order to enable this functionality. Find the redirect-gateway section and remove the semicolon ";" from the beginning of the redirect-gateway line to uncomment it:

/etc/openvpn/server.conf
push "redirect-gateway def1 bypass-dhcp"
Just below this, find the dhcp-option section. Again, remove the ";" from in front of both of the lines to uncomment them:

/etc/openvpn/server.conf
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
This pushes a default route and DNS servers to connecting clients, so that all of their traffic, DNS lookups included, goes through the tunnel instead of leaking to the untrusted local network. The two addresses are OpenDNS resolvers; substitute whichever resolvers you want clients to use.
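As an added example that is not part of the original tutorial, the following script applies all of the Step 5 edits to a copy of server.conf in one pass (so it can be re-run without duplicating lines) and then pre-flight checks the result: every file the configuration names must exist in the OpenVPN directory, server.key and ta.key must not be readable by other users, and the directives this step requires must be present. The excerpt of the sample configuration embedded in it is constructed from the lines this step touches plus the surrounding defaults, and the function names and temporary directory are the example's own; on a real server you would run apply_edits and check_conf as root against /etc/openvpn/server.conf.

```shell
#!/bin/sh
# Added example (not from the original tutorial): apply the Step 5 edits to
# server.conf in one idempotent pass, then pre-flight check the result.
# On the server, as root:
#   apply_edits /etc/openvpn/server.conf 1      # 1 = also enable the optional pushes
#   check_conf  /etc/openvpn/server.conf /etc/openvpn

# Rewrite CONF in place: uncomment tls-auth, cipher, user and group; insert
# "key-direction 0" and "auth SHA256" exactly once; point dh at dh.pem; and,
# if REDIRECT is 1, uncomment the redirect-gateway and DNS push lines.
apply_edits() {
    conf="$1"; redirect="${2:-0}"; tmp="$conf.tmp.$$"
    awk -v redirect="$redirect" '
        /^;?tls-auth /          { sub(/^;/, ""); print; if (!kd) print "key-direction 0"; kd = 1; next }
        /^key-direction /       { if (kd) next; kd = 1 }
        /^;?cipher AES-256-CBC/ { sub(/^;/, ""); print; if (!au) print "auth SHA256"; au = 1; next }
        /^auth /                { if (au) next; au = 1 }
        /^dh dh2048\.pem/       { print "dh dh.pem"; next }
        /^;user nobody/ || /^;group nogroup/ { sub(/^;/, "") }
        redirect == 1 && /^;push "(redirect-gateway|dhcp-option DNS)/ { sub(/^;/, "") }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Pre-flight check before starting the service: every file named by ca, cert,
# key, dh and tls-auth must exist in DIR; the private key and ta.key must not
# be readable by group or others (cp does not preserve EasyRSA's 0600 mode);
# and the directives this step requires must be present. Prints each problem.
check_conf() {
    conf="$1"; dir="$2"; rc=0
    for directive in ca cert key dh tls-auth; do
        file=$(awk -v d="$directive" '$1 == d { print $2 }' "$conf")
        if [ -z "$file" ]; then
            echo "missing directive: $directive"; rc=1
        elif [ ! -f "$dir/$file" ]; then
            echo "missing file: $dir/$file (from '$directive')"; rc=1
        fi
    done
    for secret in key tls-auth; do
        file=$(awk -v d="$secret" '$1 == d { print $2 }' "$conf")
        [ -n "$file" ] && [ -f "$dir/$file" ] || continue
        mode=$(ls -l "$dir/$file" | cut -c5-10)   # group and other permission bits
        case "$mode" in *r*) echo "readable by others: $dir/$file (mode $mode)"; rc=1 ;; esac
    done
    for required in "key-direction 0" "auth SHA256" "cipher AES-256-CBC" "user nobody" "group nogroup"; do
        grep -q "^$required" "$conf" || { echo "missing directive: $required"; rc=1; }
    done
    return $rc
}

# Constructed excerpt of the stock sample server.conf (the lines Step 5 touches
# plus the surrounding defaults), so the script can run without a real server.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# Stand-alone demo on a throwaway copy of the sample configuration.
demo() {
    d=$(mktemp -d)
    write_sample_conf "$d/server.conf"
    apply_edits "$d/server.conf" 1
    echo "--- directives after apply_edits:"
    grep -E '^(tls-auth|key-direction|cipher|auth|dh|user|group|push) ' "$d/server.conf"
    echo "--- pre-flight check against a directory with no key material:"
    check_conf "$d/server.conf" "$d" || echo "(fails, as it should, until the files from Steps 3 and 4 are in place)"
    rm -rf "$d"
}
demo
```

A configuration that passes check_conf can still fail to start for other reasons, so on the first start watch the service log (journalctl -u openvpn@server on an 18.04 system) rather than assuming the tunnel is up.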