OpenVPN is a secure VPN which uses SSL ( Secure Socket Layer ) and offers a broad range of features. In this guide we'll be covering the process of installing OpenVPN on Ubuntu 16 utilizing the easy-rsa hosted certificate authority.
In order to get started, we need some packages installed:
sudo su apt-get update apt-get install openvpn easy-rsa
OpenVPN is a SSL VPN, which means that it acts as Certificate Authority in order to encrypt the traffic between both parties.
We can start with setting up our OpenVPN server's Certificate Authority by running the following command:
We can now switch into our fresh created directory:
Open the file with the name
vars and take a look at the following parameters:
export KEY_COUNTRY="US" export KEY_PROVINCE="NJ" export KEY_CITY="Matawan" export KEY_ORG="Your Awesome Organization" export KEY_EMAIL="me@your_awesome_org.com" export KEY_OU="YourOrganizationUnit"
And edit them with your own values. We also need to look for and edit the following line:
We can now start building our Certificate Authority by running the following command:
These commands might take a few minutes to complete.
Now, we can start building our server's key by running the following command:
server field should be replaced with
KEY_NAME we set in the
vars file earlier. In our case, we can keep
The build process of our server's key might ask a few questions, like the expiration of itself. We answer all these questions with
In the next step, we create a strong
Diffie-Hellman key which will be used during the exchange of our keys. Type in the following command to create one:
We can now create a HMAC signature to strengthen the server's TLS integrity verification:
openvpn --genkey --secret keys/ta.key
Once we've successfully created our own Certificate Authority, we can start with copying all needed files and configuring OpenVPN itself. Now, we're going to copy the generated keys and certificates to our OpenVPN directory:
cd keys cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn cd ..
Afterwards, we can copy an example OpenVPN config file to our OpenVPN directory by running the following command:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
We can now start editing our config to fit our needs. Open the file
/etc/openvpn/server.conf and uncomment the following lines:
push "redirect-gateway def1 bypass-dhcp" user nobody group nogroup push "dhcp-option DNS 126.96.36.199" push "dhcp-option DNS 188.8.131.52" tls-auth ta.key 0
We also need to add a new line to our config. Place the following line under the
Because we want to allow our clients to access the Internet through our server, we open the following file
/etc/sysctl.conf and uncomment this line:
Now we have to apply the changes:
In order to provide Internet Access to our VPN clients, we also have to create a NAT rule. This rule is a short one-liner which looks like this:
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
We can now start our OpenVPN server and let clients connect by typing in the following key:
service openvpn start
This concludes our tutorial. Enjoy your new OpenVPN Server!