How to Install OpenVPN on Ubuntu 18.04

02 August 2020 | Category : Ubuntu

What is OpenVPN?

A VPN (Virtual Private Network) joins a group of computers to a private network over a public network (the internet). One of the most popular VPN solutions today is OpenVPN, open-source software that implements VPN techniques to create secure point-to-point or site-to-site connections over a public network.

A VPN is most often used to secure the connection when a system administrator logs in remotely to a server. With a VPN the remote session is encrypted, which protects it from MITM (Man In The Middle) attacks. In this article we will show how to install OpenVPN on Ubuntu 18.04; let's get started.

Install OpenVPN on Ubuntu 18.04

Here is a step-by-step guide to installing OpenVPN on an Ubuntu 18.04 server, configuring it, and creating an OpenVPN client.

  1. Install OpenVPN and dependencies

To install OpenVPN and its dependencies, run:

sudo apt install -y openvpn easy-rsa

After a successful install, copy the server configuration template from the OpenVPN documentation in /usr/share/doc/openvpn/examples/sample-config-files to the OpenVPN configuration folder /etc/openvpn with the command below. The redirect is wrapped in sh -c so that the write to /etc/openvpn also runs as root (a plain sudo only elevates gunzip, not the redirect):

sudo sh -c 'gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf'

  2. Configure OpenVPN

Once the template has been copied into /etc/openvpn, edit the server configuration with:

sudo vim /etc/openvpn/server.conf

In server.conf, uncomment the following lines by deleting the ';' in front of them:

tls-auth ta.key 0
cipher AES-256-CBC
# comp-lzo is deprecated in OpenVPN 2.4 and compression can leak data from
# encrypted traffic; if you keep it, the client profile must also set it
comp-lzo
user nobody
group nogroup
cert server.crt
key server.key
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Finally, add these two lines at the end of the server configuration:

key-direction 0
auth SHA256

  3. Enable IP forwarding and add routing

Next, enable IP forwarding in the kernel. The append to /etc/sysctl.conf goes through sudo tee, because a plain sudo echo would only elevate the echo and the redirect would fail with a permission error:

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

When you run sysctl -p you will see output like this, which means the kernel now allows IP forwarding:

sudo sysctl -p
net.ipv4.ip_forward = 1

Then add a NAT rule so traffic from the private VPN subnet is routed to the public connection (the internet):

sudo modprobe iptable_nat
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This rule lets clients reach the internet while connected to the VPN. Replace eth0 with the name of your server's public interface if it differs, and note that a rule added with iptables this way is not kept across a reboot unless you save it.

  4. Set up and generate the Certificate Authority

OpenVPN secures the VPN traffic between server and client with SSL/TLS. For that we must create a trusted Certificate Authority (CA) on the server, as follows.

First, create a folder to hold the CA and change into it:

make-cadir /etc/openvpn/openvpn-ca
cd /etc/openvpn/openvpn-ca/

The make-cadir command generates the files needed to create the CA. The first file to modify is vars, which holds the values used when the CA is generated. Edit it with:

vim vars

The lines you must edit are these; they are the values used when generating the CA:

export KEY_COUNTRY="ID"
export KEY_PROVINCE="D.I.Yogyakarta"
export KEY_CITY="Yogyakarta"
export KEY_ORG="Linux-iD.net"
export KEY_EMAIL="me@linux-id.net"
export KEY_OU="Linux-ID.net"

Note: adjust the values above to your own details.

Next, load the new settings from vars with:

source vars

The output of that command looks like this:

source vars
**************************************************************
No /etc/openvpn/openvpn-ca/openssl.cnf file could be found
Further invocations will fail
**************************************************************
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/openvpn-ca/keys

After that we can start generating the CA, but first copy openssl-1.0.0.cnf to openssl.cnf with:

cp openssl-1.0.0.cnf openssl.cnf

Then remove any existing keys and generate the CA with the commands below:

./clean-all
./build-ca

The output of build-ca looks like this:

./build-ca 
Can't load /root/.rnd into RNG
139771245736384:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
Generating a RSA private key
.........+++++
.............+++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [D.I.Yogyakarta]:
Locality Name (eg, city) [Yogyakarta]:
Organization Name (eg, company) [Linux-iD.net]:
Organizational Unit Name (eg, section) [Linux-ID.net]:
Common Name (eg, your name or your server's hostname) [Linux-iD.net CA]:
Name [EasyRSA]:
Email Address [me@linux-id.net]:

For Country Name through Email Address the defaults come from the vars file, but you can enter different details if you want.

Your system now has a CA for generating the certificates the VPN will use.

  5. Generate the OpenVPN server certificate

As mentioned before, OpenVPN uses SSL/TLS for encryption, so in this section we generate the certificate for the OpenVPN server with the commands below:

cd /etc/openvpn/openvpn-ca/
./build-key-server server

The output looks like this:

./build-key-server server
…
… 
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ID'
stateOrProvinceName   :PRINTABLE:'D.I.Yogyakarta'
localityName          :PRINTABLE:'Yogyakarta'
organizationName      :PRINTABLE:'Linux-iD.net'
organizationalUnitName:PRINTABLE:'Linux-ID.net'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@linux-id.net'
Certificate is to be certified until Aug  5 06:59:40 2030 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Next, generate strong Diffie-Hellman parameters for the key exchange with:

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

This command takes a few moments to finish. The output looks like this:

openssl dhparam -out /etc/openvpn/dh2048.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

To further secure OpenVPN, generate an HMAC signature key (ta.key) so the server can verify the integrity of TLS control packets:

openvpn --genkey --secret /etc/openvpn/openvpn-ca/keys/ta.key

After the server certificate has been created, copy the files into /etc/openvpn with:

cd /etc/openvpn/openvpn-ca/keys
sudo cp ca.crt ta.key server.crt server.key /etc/openvpn

  6. Start the OpenVPN service on the server

After installation the OpenVPN service is not running by default. Start it and check its status with:

systemctl start openvpn
systemctl status openvpn

The status command shows output like this:

systemctl status openvpn
● openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2020-08-07 07:05:20 UTC; 6s ago
Process: 15114 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 15114 (code=exited, status=0/SUCCESS)

Aug 07 07:05:20 shukuma systemd[1]: Starting OpenVPN service...
Aug 07 07:05:20 shukuma systemd[1]: Started OpenVPN service.

If the service is running, confirm that the OpenVPN interface exists with the command below. If tun0 is missing, check the per-configuration instance openvpn@server, which is the unit that actually runs server.conf on Ubuntu 18.04:

ifconfig tun0

If the interface is available, the output looks like this:

ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
  inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
  inet6 fe80::18ed:8b80:a894:d1b9  prefixlen 64  scopeid 0x20<link>
  unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
  RX packets 0  bytes 0 (0.0 B)
  RX errors 0  dropped 0  overruns 0  frame 0
  TX packets 3  bytes 144 (144.0 B)
  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Your OpenVPN server is now ready to use.

  7. Generate the client OpenVPN configuration

The last step is creating the client OpenVPN configuration file, including the client's private key and certificate. To make this easier we use a simple script; follow the steps below.

To keep the client configuration files organised, create a clients folder in /etc/openvpn and change into it:

mkdir /etc/openvpn/clients
cd /etc/openvpn/clients

Inside that folder, create the helper script that will build a client configuration:

touch make-vpn-client.sh
vim make-vpn-client.sh

Put the script below in make-vpn-client.sh. In the OPENVPN_SERVER line, change the IP 192.168.10.1 to your server's public IP.

#!/bin/bash

# Generate OpenVPN client configuration files.
# Usage: ./make-vpn-client.sh CLIENT_NAME

set -e   # abort on the first failing command instead of assembling a broken profile

CLIENT_NAME=$1
OPENVPN_SERVER="192.168.10.1"   # change to your server's public IP
CA_DIR=/etc/openvpn/openvpn-ca
CLIENT_DIR=/etc/openvpn/clients

if [ -z "${CLIENT_NAME}" ]; then
    echo "Usage: $0 CLIENT_NAME" >&2
    exit 1
fi

cd "${CA_DIR}"
source vars
./build-key "${CLIENT_NAME}"

# build-key must have produced both files before they are inlined below
for f in "${CA_DIR}/keys/${CLIENT_NAME}.crt" "${CA_DIR}/keys/${CLIENT_NAME}.key"; do
    [ -s "$f" ] || { echo "Missing or empty $f, not writing profile" >&2; exit 1; }
done

# Client-side settings. cipher, auth, comp-lzo and the tls-auth key direction
# (1 on the client, 0 on the server) must match server.conf.
echo "client
dev tun
proto udp
remote ${OPENVPN_SERVER} 1194
user nobody
group nogroup
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
key-direction 1
remote-cert-tls server
comp-lzo
verb 3" > "${CLIENT_DIR}/${CLIENT_NAME}.ovpn"

# Append the CA certificate, client certificate, client key and tls-auth key inline.
cat <(echo -e '<ca>') \
    "${CA_DIR}/keys/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${CA_DIR}/keys/${CLIENT_NAME}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${CA_DIR}/keys/${CLIENT_NAME}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${CA_DIR}/keys/ta.key" \
    <(echo -e '</tls-auth>') \
    >> "${CLIENT_DIR}/${CLIENT_NAME}.ovpn"

# The profile embeds the client's private key: restrict it to the owner.
chmod 600 "${CLIENT_DIR}/${CLIENT_NAME}.ovpn"

echo -e "Client File Created - ${CLIENT_DIR}/${CLIENT_NAME}.ovpn"

Note: the script above is adapted from Tecadmin.

Once the script is saved, make it executable with:

chmod +x make-vpn-client.sh

Now create a client configuration by running:

./make-vpn-client.sh vpn-sg

Note: the command above generates a client configuration named vpn-sg; change that to the name you want.

The script prints output like this:

./make-vpn-client.sh vpn-sg
…
… 
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ID'
stateOrProvinceName   :PRINTABLE:'D.I.Yogyakarta'
localityName          :PRINTABLE:'Yogyakarta'
organizationName      :PRINTABLE:'Linux-iD.net'
organizationalUnitName:PRINTABLE:'Linux-ID.net'
commonName            :PRINTABLE:'vpn-sg'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@linux-id.net'
Certificate is to be certified until Aug  5 07:12:18 2030 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Client File Created - /etc/openvpn/clients/vpn-sg.ovpn

Your client OpenVPN configuration is now saved in /etc/openvpn/clients as vpn-sg.ovpn. Because the file embeds the client's private key, treat it as a secret when you transfer it.
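The original script assembles the .ovpn with cat whether or not ./build-key succeeded, so a failed key build can still produce a profile with an empty <cert> or <key> block and a "Client File Created" message. The checker below is an added example, not part of the tutorial or the Tecadmin script: it verifies that each inline block wraps PEM material and that the client directives agree with the server.conf settings from step 2. The sample profile it writes for testing is constructed placeholder text, not real key material.

```shell
#!/bin/bash
# check-ovpn.sh (added example, not from the tutorial): sanity-check a client
# profile assembled by make-vpn-client.sh before handing it to a user.
# Usage: ./check-ovpn.sh /etc/openvpn/clients/NAME.ovpn

# Return 0 if <tag>...</tag> exists in FILE and its body contains MARKER
# (a PEM header line), 1 if the block is missing or empty.
check_block() {
  local file="$1" tag="$2" marker="$3"
  awk -v otag="<${tag}>" -v ctag="</${tag}>" -v marker="$marker" '
    $0 == otag { inblk = 1; next }
    $0 == ctag { seen = 1; inblk = 0; next }
    inblk && index($0, marker) { body = 1 }
    END { if (seen && body) exit 0; exit 1 }' "$file"
}

# Check the four inline blocks plus the directives that must agree with the
# server.conf lines from step 2 (tls-auth direction 0 on the server, auth SHA256).
# Prints every problem found; returns 0 only if the profile passes all checks.
check_ovpn() {
  local file="$1" rc=0
  [ -f "$file" ] || { echo "missing profile: $file"; return 1; }
  check_block "$file" ca       "BEGIN CERTIFICATE"  || { echo "<ca> missing or empty";       rc=1; }
  check_block "$file" cert     "BEGIN CERTIFICATE"  || { echo "<cert> missing or empty";     rc=1; }
  check_block "$file" key      "PRIVATE KEY"        || { echo "<key> missing or empty";      rc=1; }
  check_block "$file" tls-auth "OpenVPN Static key" || { echo "<tls-auth> missing or empty"; rc=1; }
  grep -qx 'key-direction 1'        "$file" || { echo "need key-direction 1 (server uses 0)"; rc=1; }
  grep -qx 'auth SHA256'            "$file" || { echo "auth must match server.conf (SHA256)"; rc=1; }
  grep -qx 'remote-cert-tls server' "$file" || { echo "remote-cert-tls server missing";      rc=1; }
  return "$rc"
}

# Write a constructed placeholder profile (no real key material) to $1. With
# "broken" as $2 the <cert> block is left empty, which is what the original
# make-vpn-client.sh produces when ./build-key fails but cat still runs.
write_sample_profile() {
  local out="$1" mode="${2:-good}"
  {
    printf '%s\n' client 'dev tun' 'proto udp' 'remote 192.0.2.10 1194'
    printf '%s\n' 'auth SHA256' 'key-direction 1' 'remote-cert-tls server' '<ca>'
    printf '%s\n' '-----BEGIN CERTIFICATE-----' PLACEHOLDER '-----END CERTIFICATE-----' '</ca>' '<cert>'
    [ "$mode" = broken ] || printf '%s\n' '-----BEGIN CERTIFICATE-----' PLACEHOLDER '-----END CERTIFICATE-----'
    printf '%s\n' '</cert>' '<key>' '-----BEGIN PRIVATE KEY-----' PLACEHOLDER '-----END PRIVATE KEY-----' '</key>'
    printf '%s\n' '<tls-auth>' '-----BEGIN OpenVPN Static key V1-----' PLACEHOLDER
    printf '%s\n' '-----END OpenVPN Static key V1-----' '</tls-auth>'
  } > "$out"
}

if [ $# -gt 0 ]; then check_ovpn "$1"; fi
```

Run it against every profile before it leaves the server; a non-zero exit lists exactly which block or directive is wrong.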

  8. Download the client OpenVPN configuration file

If you use Linux as the OpenVPN client and want to download the client file from the server, you can use sftp as shown below:

sftp -P 22 root@192.168.10.1
cd /etc/openvpn/clients && ls
get vpn-sg.ovpn 

If you use Windows as the OpenVPN client, you can download the file from the server with WinSCP or a similar program.

Conclusion

With OpenVPN your connection is encrypted and more secure. OpenVPN can also secure point-to-point or site-to-site connections, which is commonly done in large companies with complex systems that need secure links. It can also protect remote server administration when you allow connections to the server only from the VPN.
