How to Build OpenVPN Server On Ubuntu
I will show you a step-by-step guide to installing and setting up an OpenVPN server on an Ubuntu 14.04 VPS, with screenshots as always. I believe you'll easily understand it and be able to implement it all by yourself, even if you are a complete newbie.
As a refresher, what are VPN and OpenVPN? VPN stands for Virtual Private Network, while OpenVPN is an open-source application that implements VPN techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations, as well as remote-access facilities. In short, it is a free tool that lets you browse securely and privately, and also lets you bypass browsing restrictions, avoid website censorship, and hide your real IP address (and location). I posted a detailed explanation in my previous posts, which you may also want to read:
- How to Install OpenVPN on CentOS
- How to Install OpenVPN AS on Ubuntu
- Easiest Automatic Way to Install OpenVPN on Ubuntu
What You Need
- A server / VPS running Ubuntu. In this guide I use Ubuntu 14.04 x64 with 1GB RAM from DigitalOcean (DO). As always I use DO for testing because I can create and destroy a server without paying for a full month. Feel free to use a VPS from any provider you like, such as RamNode, Crissic, or others.
- You will also need to know how to use PuTTY, SSH and common Unix commands.
- If you are using an OpenVZ-based VPS, you have to enable the TUN/TAP option in your VPS control panel (e.g. SolusVM). Xen and KVM users do not need to.
Enable TUN/TAP:
How to Install OpenVPN Server
Step 1 – Login to your server as root:
Step 2 – To make sure your Ubuntu repository index is up to date, run the apt-get update command:
apt-get update
Step 3 – Once you get the "Done" message, install OpenVPN and Easy-RSA with this one-line command:
apt-get install openvpn easy-rsa
Do not forget to answer Y when asked:
Once done, you’ll see something like this:
Step 4 – Now extract the sample configuration file that OpenVPN needs. Issue this command:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
This command prints nothing when it succeeds.
Step 5 – Then open that file with your favorite text editor. I prefer Nano; just type the command and hit Enter and the editor will show up:
nano /etc/openvpn/server.conf
Configuring OpenVPN Server
Step 6 – Next, there are several lines in that file you need to edit (configuring OpenVPN):
6.1 – Look for the section called Diffie hellman parameters:
then change dh dh1024.pem to dh dh2048.pem to use a stronger 2048-bit Diffie-Hellman group.
6.2 – Next, find this section as well:
This section tells the VPN server to route clients' web traffic to its destination. Simply uncomment that part so it looks like this:
6.3 – Now move to the next section, just below the previous one:
again, uncomment the two configuration lines so it looks like this:
That section tells OpenVPN to push OpenDNS as the DNS resolver to clients; you can change it to Google DNS as well (8.8.8.8 and 8.8.4.4).
6.4 – The last one, look for this section:
Uncomment that section:
That's it. Now save changes and exit. If you are using Nano like me, simply hit Control+O then Control+X.
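Step 6 is a hand edit of six lines; if you build more than one server it is worth doing it with sed and then checking that every directive is really active (a line still starting with ";" is still a comment). The script below is an added example, not code from the post. It constructs a short excerpt mimicking the stock sample server.conf in a temp directory so it can be run anywhere; on a real server you would call apply_step6_edits and check_step6_edits on /etc/openvpn/server.conf instead.

```shell
#!/bin/sh
# Added example (not from the original post): apply the step-6 edits to an
# OpenVPN server.conf with sed, then verify each directive is really active.
# Usage on a real server:  apply_step6_edits /etc/openvpn/server.conf
#                          check_step6_edits /etc/openvpn/server.conf && echo ok

# Rewrite dh1024 -> dh2048 and strip the leading ';' from the lines the post
# tells you to uncomment. Writes to a temp file and renames, so a failed sed
# never leaves a half-written config behind.
apply_step6_edits() {
    conf="$1"
    sed -e 's/^dh dh1024\.pem$/dh dh2048.pem/' \
        -e 's/^;push "redirect-gateway def1 bypass-dhcp"$/push "redirect-gateway def1 bypass-dhcp"/' \
        -e 's/^;push "dhcp-option DNS 208\.67\.222\.222"$/push "dhcp-option DNS 208.67.222.222"/' \
        -e 's/^;push "dhcp-option DNS 208\.67\.220\.220"$/push "dhcp-option DNS 208.67.220.220"/' \
        -e 's/^;user nobody$/user nobody/' \
        -e 's/^;group nogroup$/group nogroup/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 only when every directive from step 6 is present as an exact,
# uncommented line (a line still starting with ';' does not count).
check_step6_edits() {
    conf="$1"
    for directive in 'dh dh2048.pem' \
                     'push "redirect-gateway def1 bypass-dhcp"' \
                     'push "dhcp-option DNS 208.67.222.222"' \
                     'push "dhcp-option DNS 208.67.220.220"' \
                     'user nobody' \
                     'group nogroup'; do
        grep -qxF -- "$directive" "$conf" || return 1
    done
    return 0
}

# Constructed excerpt of the stock sample server.conf (only the lines step 6
# touches plus a few neighbours), so the functions can run without a server.
write_sample_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nogroup
EOF
}

# Stand-alone demo in a temp directory.
demo_dir=$(mktemp -d)
write_sample_server_conf "$demo_dir/server.conf"
apply_step6_edits "$demo_dir/server.conf"
if check_step6_edits "$demo_dir/server.conf"; then
    echo "step 6 edits verified in $demo_dir/server.conf"
else
    echo "step 6 edits missing" >&2
fi
rm -r "$demo_dir"
```

The check is the useful half: run it after editing and again after any package upgrade, because a replaced server.conf silently drops user/group and the redirect-gateway push, and clients would then connect without their traffic being routed through the VPN.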
Step 7 – You also need to enable IP forwarding in /etc/sysctl.conf, which tells the server's kernel to forward traffic from client devices out to the Internet. First enable it immediately by issuing this command:
echo 1 > /proc/sys/net/ipv4/ip_forward
It outputs nothing.
Next, edit the sysctl.conf file using Nano or your favorite editor, so the setting also survives a reboot:
nano /etc/sysctl.conf
Now uncomment the line that enables packet forwarding for IPv4:
so it looks like this:
Now save changes and exit (Control+O then Control+X in Nano).
Step 8 – Next, issue these two commands to tell UFW to allow SSH and UDP traffic over port 1194 (the same commands are shown in the screenshot):
ufw allow ssh
ufw allow 1194/udp
* UFW = Uncomplicated Firewall, the firewall front end that comes by default with Ubuntu 14.04
Step 9 – Change UFW’s primary configuration file by setting its forwarding policy using Nano:
nano /etc/default/ufw
In that file, look for this line: DEFAULT_FORWARD_POLICY="DROP"
and replace DROP with ACCEPT
Step 10 – You also have to add UFW rules for network address translation (NAT) and IP masquerading of connected clients. Open the file:
nano /etc/ufw/before.rules
Then add the following section right after the rules.before header comment (near the top). Copy and paste this:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
so it looks like this:
Save changes and close the editor (Control+O then Control+X in Nano). Done? Simply enable UFW:
ufw enable
Answer Y when asked.
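Steps 7, 9 and 10 together are the forwarding and NAT setup, and the one that bites people is step 10: a NAT block pasted in the wrong place, pasted twice, or written for the wrong interface. The script below is an added example, not the post's code; it does the three file edits with sed and awk and then checks that the exact MASQUERADE rule is present in a complete *nat ... COMMIT block ahead of *filter. It runs against constructed copies of sysctl.conf, /etc/default/ufw and before.rules in a temp directory; on a real server pass the real paths. Two assumptions are parameters rather than hard-coded: the egress interface (eth0 here; venet0 on OpenVZ, as a commenter on this post notes) and the client subnet. The post masquerades 10.8.0.0/8; the example defaults to 10.8.0.0/24, which matches the stock server 10.8.0.0 255.255.255.0 directive, so only VPN clients are NATed rather than the whole 10.0.0.0/8 range.

```shell
#!/bin/sh
# Added example (not from the original post): the file edits from steps 7, 9
# and 10 done with sed/awk, plus a check that the NAT block is complete and in
# place. Usage on a real server:
#   enable_ipv4_forwarding /etc/sysctl.conf
#   set_ufw_forward_policy /etc/default/ufw
#   insert_openvpn_nat_rules /etc/ufw/before.rules eth0 10.8.0.0/24
#   check_openvpn_nat_rules  /etc/ufw/before.rules eth0 10.8.0.0/24 && ufw enable
# Assumptions: interface name (eth0; venet0 on OpenVZ) and client subnet are
# passed in explicitly; the subnet defaults to the stock 10.8.0.0/24.

# Step 7: uncomment net.ipv4.ip_forward=1 (shipped commented out).
enable_ipv4_forwarding() {
    sed -e 's/^#net\.ipv4\.ip_forward=1$/net.ipv4.ip_forward=1/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Step 9: DEFAULT_FORWARD_POLICY="DROP" -> "ACCEPT".
set_ufw_forward_policy() {
    sed -e 's/^DEFAULT_FORWARD_POLICY="DROP"$/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Step 10: insert the *nat block immediately before the first "*filter" line,
# i.e. after the rules.before header as the post says. Refuses to insert twice.
insert_openvpn_nat_rules() {
    rules="$1"; iface="$2"; subnet="${3:-10.8.0.0/24}"
    if grep -q '^# START OPENVPN RULES' "$rules"; then
        echo "NAT block already present in $rules, nothing to do" >&2
        return 0
    fi
    awk -v iface="$iface" -v subnet="$subnet" '
        !inserted && /^\*filter/ {
            print "# START OPENVPN RULES"
            print "# NAT table rules"
            print "*nat"
            print ":POSTROUTING ACCEPT [0:0]"
            print "# Allow traffic from OpenVPN client to " iface
            print "-A POSTROUTING -s " subnet " -o " iface " -j MASQUERADE"
            print "COMMIT"
            print "# END OPENVPN RULES"
            print ""
            inserted = 1
        }
        { print }
    ' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Return 0 only if the exact MASQUERADE rule for this iface/subnet exists and
# the *nat table is closed by COMMIT before *filter begins.
check_openvpn_nat_rules() {
    rules="$1"; iface="$2"; subnet="${3:-10.8.0.0/24}"
    grep -qxF -- "-A POSTROUTING -s $subnet -o $iface -j MASQUERADE" "$rules" || return 1
    awk '/^\*nat$/ { nat = NR }
         /^COMMIT$/ && nat && !commit { commit = NR }
         /^\*filter$/ { filter = NR }
         END { exit !(nat && commit && filter && nat < commit && commit < filter) }' "$rules"
}

# Constructed stand-ins for the three system files (only the relevant lines).
write_sample_ufw_files() {
    dir="$1"
    printf '%s\n' '# Uncomment the next line to enable packet forwarding for IPv4' \
                  '#net.ipv4.ip_forward=1' > "$dir/sysctl.conf"
    printf '%s\n' 'DEFAULT_INPUT_POLICY="DROP"' 'DEFAULT_OUTPUT_POLICY="ACCEPT"' \
                  'DEFAULT_FORWARD_POLICY="DROP"' > "$dir/ufw"
    cat > "$dir/before.rules" <<'EOF'
#
# rules.before
#
# Rules that should be run before the ufw command line added rules.

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
COMMIT
EOF
}

# Stand-alone demo in a temp directory.
demo=$(mktemp -d)
write_sample_ufw_files "$demo"
enable_ipv4_forwarding "$demo/sysctl.conf"
set_ufw_forward_policy "$demo/ufw"
insert_openvpn_nat_rules "$demo/before.rules" eth0 10.8.0.0/24
check_openvpn_nat_rules "$demo/before.rules" eth0 10.8.0.0/24 \
    && sed -n '/START OPENVPN/,/END OPENVPN/p' "$demo/before.rules"
rm -r "$demo"
```

Running check_openvpn_nat_rules with the interface you believe is your uplink is a cheap way to catch the OpenVZ case from the comments: if the rule says eth0 but the box only has venet0, clients will connect and get no Internet, and the check with venet0 fails.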
Build the Certificate Authority for OpenVPN
Step 11 – Copy the Easy-RSA generation scripts to the OpenVPN directory and create a directory called easy-rsa/keys:
cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
Step 12 – Now edit a few variables using your favorite editor:
nano /etc/openvpn/easy-rsa/vars
Scroll down a bit and look for the default values of the fields that will be placed in the certificate; change them according to your preferences:
Step 19 – Also look for this line:
export KEY_NAME="EasyRSA"
and change the "EasyRSA" part to "server" for simplicity.
Now save changes and exit the editor.
Step 20 – Next, generate the Diffie-Hellman parameters using this command:
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
Just wait, as it may take a few minutes to complete:
Step 21 – Now move to the easy-rsa directory and initialize the PKI (Public Key Infrastructure). Issue these commands:
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
The last command, clean-all, clears the working directory of any old or example keys so you can create new ones.
Step 22 – Let's build the Certificate Authority (CA) with this simple one-line command:
./build-ca
You'll be asked a series of questions; simply hit Enter for each. Don't worry, they already default to the values you entered earlier:
Step 23 – Next, build the server’s key with this command:
./build-key-server server
You can replace server with whatever you defined in step 19 above. For example, if KEY_NAME is servermom then the command is:
./build-key-server servermom
You'll again be asked a series of questions; simply hit Enter until you see a message saying Database Updated.
Step 24 – Now that the server certificate and key are created, copy them into the OpenVPN directory:
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
ls /etc/openvpn
You should now see the three files there.
Step 25 – That's it. Now start OpenVPN with this simple command:
service openvpn start
You can check that it is running with this command:
service openvpn status
Using Your OpenVPN Server
Step 26 – Before you can use your newly built OpenVPN server, you first have to create a certificate and key for each client device that will connect to the VPN. Still in the /etc/openvpn/easy-rsa directory, build authentication credentials for a client, which in this example we call client1. Issue this command:
./build-key client1
You can simply press Enter for each question, or change the default values, but make sure the last two questions are left blank (hit Enter). And do not forget to answer Y to the very last questions.
Step 27 – Now copy the example client configuration file to the Easy-RSA keys directory and rename it client.ovpn:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
Step 28 – Now download the client1.crt, client1.key, client.ovpn and ca.crt files to your device (PC, smartphone or tablet). Remember that the ca.crt file is stored in /etc/openvpn/ on your server, while the other three are in /etc/openvpn/easy-rsa/keys/.
You can download those files using FileZilla or WinSCP.
Step 29 – Once downloaded, open the client.ovpn file with a simple text editor like Notepad (in Windows, right-click then Open With...). Look for this line: remote my-server-1 1194. Replace my-server-1 with your server's IP address:
In this example I use Sublime instead of Notepad.
Next, this is optional but may be needed if you want to use it on a non-Windows device (iOS, Android or Linux): uncomment the user and group lines:
That's it. Save changes and exit the editor (Notepad, Sublime, etc.).
OPTIONAL STEP
Basically your client.ovpn configuration file is ready to use now, but you have to copy all four files to your OpenVPN client's config folder. Alternatively, you can merge all four files into one single client.ovpn file. To do that, re-open the client.ovpn file in Notepad, scroll down to the very end, and paste these entries:
<ca>
(insert ca.crt here)
</ca>
<cert>
(insert client1.crt here)
</cert>
<key>
(insert client1.key here)
</key>
Next, open the ca.crt file in Notepad and copy and paste its entire contents into the client.ovpn file. Do the same for client1.crt and client1.key. You can see an example of my unified result here. Once done, save changes and exit the text editor.
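The copy-and-paste above is easy to get wrong (a missing closing tag, or a certificate pasted into the <key> block), and it is also the point where the client's private key starts living in a file that gets copied around. The script below is an added example, not the post's code: it does steps 29 and the optional merge in one go, rewriting the remote line and inlining the three PEM files inside <ca>, <cert> and <key>, then sets the result to owner-only permissions because it now contains the private key. It runs against constructed stand-ins for the four downloaded files (placeholder PEM bodies, not real keys) in a temp directory; 203.0.113.10 is a documentation-range placeholder for your server address.

```shell
#!/bin/sh
# Added example (not from the original post): build the single "unified"
# client.ovpn the optional step describes, from the four files step 28 tells
# you to download. The server address is substituted into the "remote" line
# (step 29) and the three PEM files are inlined in <ca>, <cert> and <key>.
# Usage:
#   build_unified_ovpn client.ovpn 203.0.113.10 ca.crt client1.crt client1.key client1-unified.ovpn
# 203.0.113.10 is a documentation-range placeholder, not a real server.

# Append one PEM file wrapped in an inline tag; fails if the file is not PEM,
# which catches the classic mistake of pasting the wrong file into a block.
inline_pem() {
    tag="$1"; pem="$2"; out="$3"
    grep -q '^-----BEGIN ' "$pem" || { echo "$pem is not a PEM file" >&2; return 1; }
    { printf '<%s>\n' "$tag"; cat "$pem"; printf '</%s>\n' "$tag"; } >> "$out"
}

build_unified_ovpn() {
    base="$1"; server="$2"; ca="$3"; cert="$4"; key="$5"; out="$6"
    # Step 29: point "remote" at your server. The sample file reads
    # "remote my-server-1 1194"; only the host field is replaced.
    sed -e "s/^remote my-server-1 1194$/remote $server 1194/" "$base" > "$out" || return 1
    grep -qx "remote $server 1194" "$out" || { echo "no remote line replaced in $base" >&2; return 1; }
    # Optional step: inline the CA cert, client cert and client key.
    inline_pem ca   "$ca"   "$out" || return 1
    inline_pem cert "$cert" "$out" || return 1
    inline_pem key  "$key"  "$out" || return 1
    # The unified file now carries the client's private key: owner-only access.
    chmod 600 "$out"
}

# Return 0 if the unified file has the remote line, all three tag pairs and
# exactly three PEM bodies.
check_unified_ovpn() {
    f="$1"; server="$2"
    grep -qx "remote $server 1194" "$f" || return 1
    for tag in ca cert key; do
        grep -qx "<$tag>" "$f" && grep -qx "</$tag>" "$f" || return 1
    done
    [ "$(grep -c '^-----BEGIN ' "$f")" -eq 3 ]
}

# Constructed stand-ins for the four downloaded files; the PEM bodies are
# placeholders, not real certificates or keys.
write_constructed_client_files() {
    dir="$1"
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote my-server-1 1194' \
                  ';user nobody' ';group nogroup' > "$dir/client.ovpn"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA-PLACEHOLDER' \
                  '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT1-CERT-PLACEHOLDER' \
                  '-----END CERTIFICATE-----' > "$dir/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-CLIENT1-KEY-PLACEHOLDER' \
                  '-----END PRIVATE KEY-----' > "$dir/client1.key"
}

# Stand-alone demo in a temp directory.
demo=$(mktemp -d)
write_constructed_client_files "$demo"
build_unified_ovpn "$demo/client.ovpn" 203.0.113.10 "$demo/ca.crt" \
    "$demo/client1.crt" "$demo/client1.key" "$demo/client1-unified.ovpn"
check_unified_ovpn "$demo/client1-unified.ovpn" 203.0.113.10 && cat "$demo/client1-unified.ovpn"
rm -r "$demo"
```

Treat the unified .ovpn exactly like client1.key: anyone who obtains it can connect as that client until you revoke the certificate, so move it over SFTP (as the post does with FileZilla/WinSCP), keep it out of shared folders and chat uploads, and delete server-side copies in /etc/openvpn/easy-rsa/keys once the client has it.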
Step 30 – Now copy the configuration file to the default OpenVPN config folder of the client app. In Windows it should be at C:\Program Files\OpenVPN\config.
Big note: you have to copy all four files if you have not merged them into a single .ovpn file.
That's it. Now you can open the OpenVPN client app and try your newly created VPN for the very first time.
Phew.. those are really a lot of steps, but building it yourself gives you a totally different satisfaction. However, if you want to skip all those steps and want an easier way to install an OpenVPN server, simply read and follow my previous guide about OpenVPN auto-installation on Ubuntu server here. Do not forget to follow me on Twitter to get notified of new posts. Thanks.
allow ssh not found
Hi Sawiyati! Thanks for your detailed step by step introduction, but I also have to stop on step 8:
$ allow ssh
and
$ ufw allow ssh
command not found
on Cloud Server OS: Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-51-generic x86_64)
any suggestion?
Hello Sawiyati, thanks for this very good explanation, I have everything done (and working I think). However for Chrome OS client I need a pfx file rather than .crt and .key. How can I create this?
Sunil and Enno. In step 8 the actual commands to type are correct in the image (red rectangles). If ufw command not found you'll have to install ufw with 'apt-get install ufw'
On an unrelated note, if you are using an OpenVZ VPS substitute eth0 for venet0 in the before.rules file. That is, change the line to
-A POSTROUTING -s 10.8.0.0/8 -o venet0 -j MASQUERADE