This article is outdated and may not work correctly for current operating systems or software.
OpenVPN is a secure VPN which uses SSL/TLS (Secure Sockets Layer) and offers a broad range of features. In this guide we cover installing OpenVPN on Ubuntu 16, using a certificate authority hosted with easy-rsa.
In order to get started, we need some packages installed:
sudo su
apt-get update
apt-get install openvpn easy-rsa
OpenVPN is an SSL VPN: the traffic between both parties is encrypted using certificates, so we run our own Certificate Authority (with easy-rsa) to issue them.
We can start with setting up our OpenVPN server's Certificate Authority by running the following command:
make-cadir ~/ovpn-ca
We can now switch into our freshly created directory:
cd ~/ovpn-ca
Open the file named vars and take a look at the following parameters:
export KEY_COUNTRY="US"
export KEY_PROVINCE="NJ"
export KEY_CITY="Matawan"
export KEY_ORG="Your Awesome Organization"
export KEY_EMAIL="me@your_awesome_org.com"
export KEY_OU="YourOrganizationUnit"
Edit them with your own values. We also need to find and edit the following line:
export KEY_NAME="server"
We can now start building our Certificate Authority by running the following command:
./clean-all
./build-ca
These commands might take a few minutes to complete.
Now, we can start building our server's key by running the following command:
./build-key-server server
The server argument should be replaced with the KEY_NAME we set in the vars file earlier; in our case we can keep server.
The build process of our server's key asks a few confirmation questions. We answer all of them with y.
In the next step we create a strong Diffie-Hellman parameter set, which is used during the key exchange. Type the following command to create it:
./build-dh
We can now create an HMAC key to strengthen the server's TLS integrity verification:
openvpn --genkey --secret keys/ta.key
Finally, we build a key and certificate for our first client:
./build-key client
Once we've created our own Certificate Authority, we can copy the needed files and configure OpenVPN itself. First, we copy the generated keys and certificates to our OpenVPN directory (note that the server itself only reads ca.crt; ca.key is the CA's signing key and should be protected accordingly):
cd keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
cd ..
Afterwards, we copy an example OpenVPN config file to our OpenVPN directory by running the following command:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
We can now edit the config to fit our needs. Open /etc/openvpn/server.conf and uncomment the following lines:
push "redirect-gateway def1 bypass-dhcp"
user nobody
group nogroup
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
tls-auth ta.key 0
We also need to add a new line to our config. Place the following line under the tls-auth line:
key-direction 0
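Before starting the daemon it is worth checking that the edits above actually took effect. The following script is an added example and not part of the original guide: ovpn_conf_check (a name chosen here) greps a server.conf for the directives this guide uncomments or adds and checks that every file the config references exists in the OpenVPN directory; it is run against a constructed sample config in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original guide: lint a server.conf for the
# directives the guide enables. ovpn_conf_check is a name chosen here.

# ovpn_conf_check CONF DIR -- prints every missing or still-commented
# directive and every referenced file absent from DIR; returns 0 if all pass.
ovpn_conf_check() {
  conf="$1"; dir="$2"; rc=0
  # Directives the guide uncomments or adds. Lines beginning with ';' or '#'
  # are still commented out (as in the shipped sample) and do not count.
  for want in 'push "redirect-gateway def1 bypass-dhcp"' \
              'user nobody' 'group nogroup' 'push "dhcp-option DNS ' \
              'tls-auth ta.key 0' 'key-direction 0'; do
    grep -q "^[[:space:]]*$want" "$conf" || { echo "missing: $want"; rc=1; }
  done
  # Files named by ca/cert/key/dh/tls-auth must exist in DIR, or the
  # daemon refuses to start (this is where the cp step above matters).
  for f in $(awk '$1 ~ /^(ca|cert|key|dh|tls-auth)$/ {print $2}' "$conf"); do
    [ -f "$dir/$f" ] || { echo "referenced file not found: $dir/$f"; rc=1; }
  done
  return "$rc"
}

# Constructed sample: a minimal server.conf as it looks after the edits in
# this guide, plus empty stand-ins for the key files, in a temporary directory.
demo_dir=$(mktemp -d)
for f in ca.crt server.crt server.key ta.key dh2048.pem; do : > "$demo_dir/$f"; done
cat > "$demo_dir/server.conf" <<'EOF'
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
tls-auth ta.key 0
key-direction 0
user nobody
group nogroup
EOF
# Same file but with tls-auth left commented out, as it ships in the sample config.
sed 's/^tls-auth/;tls-auth/' "$demo_dir/server.conf" > "$demo_dir/server-bad.conf"

ovpn_conf_check "$demo_dir/server.conf" "$demo_dir" && echo "server.conf: OK"
ovpn_conf_check "$demo_dir/server-bad.conf" "$demo_dir" || echo "server-bad.conf: FAIL"
```

Run it against the real file with ovpn_conf_check /etc/openvpn/server.conf /etc/openvpn once the keys have been copied.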
Because we want to allow our clients to access the Internet through our server, we open /etc/sysctl.conf and uncomment this line:
net.ipv4.ip_forward=1
Now we have to apply the changes:
sysctl -p
In order to provide Internet access to our VPN clients, we also have to create a NAT rule. This is a short one-liner (replace eth0 with the name of your server's external interface; note that the rule is not persistent across reboots):
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
We can now start our OpenVPN server and let clients connect by typing the following command:
service openvpn start
This concludes our tutorial. Enjoy your new OpenVPN Server!