OpenVPN is a full-featured, open-source secure socket layer (SSL) virtual private network (VPN) that offers a broad range and rapid development of features that allow you to access the Internet safely and securely through your private server. In this guide, we install OpenVPN on a Ubuntu 20.04 server.
First, update your server, and install OpenVPN from default Ubuntu sources.
$ sudo apt-get install openvpn
Since OpenVPN is an SSL VPN, it uses certificates to encrypt traffic between the server and connected clients. So, we need to install the easy-rsa hosted certificate authority to create and sign new certificates on the server.
$ sudo apt-get install easy-rsa
We need to utilize the easy-rsa template to create our OpenVPN server's Certificate Authority by copying it to a new directory.
$ make-cadir ~/openvpn-ca
Enter the created directory
$ cd openvpn-ca
Now, open the file named
vars through nano or any other editor.
$ nano vars
Locate the following entries, uncomment them by removing the # sign, and enter your details.
#set_var EASYRSA_REQ_COUNTRY "US" #set_var EASYRSA_REQ_PROVINCE "California" #set_var EASYRSA_REQ_CITY "San Francisco" #set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" #set_var EASYRSA_REQ_EMAIL "firstname.lastname@example.org" #set_var EASYRSA_REQ_OU "My Organizational Unit"
Particularly, you should enter your desired country, province, city, company, email, and department. After editing, your file should now look similar to the one below.
set_var EASYRSA_REQ_COUNTRY "US" set_var EASYRSA_REQ_PROVINCE "California" set_var EASYRSA_REQ_CITY "San Francisco" set_var EASYRSA_REQ_ORG "My Example Company" set_var EASYRSA_REQ_EMAIL "email@example.com" set_var EASYRSA_REQ_OU "Marketing"
Save and close the file.
Next, within the
openvpn-ca directory resides a script
easyrsa that lets you perform a series of tasks and commands for building the certificate authority. Execute the script with the argument
inti-pki to ready public key infrastructure on the server.
$ ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /user/openvpn-ca/pki
Build the CA to create two important files (
ca.key) that make up an SSL certificate.
$ ./easyrsa build-ca nopass
During the build process, you will be asked to enter a common name for your certificate authority, enter a simple name or click enter for a default name.
If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
Now that a CA has been created, you need to build a server certificate and key pair. To do so, run the command below with a custom name for your server. In this case, we use
vpnserver. Replace it with a desired simpler name since it will be required for reference.
$ ./easyrsa gen-req vpnserver nopass
The command will create a new private server key and certificate request file. Now, create a strong Diffie-Hellman key that will be used during the key exchange process.
$ ./easyrsa gen-dh
This may take a few minutes to complete. Once ready, create an HMAC signature to strengthen the TLS certificate integrity verification capabilities:
$ openvpn --genkey --secret ta.key
Finally, copy the created vpnserver, dh, and hmac keys to the OpenVPN directory.
$ sudo cp ~/openvpn-ca/pki/private/vpnserver.key /etc/openvpn/ $ sudo cp ~/openvpn-ca/ta.key /etc/openvpn/ $ sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/ $ sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/
Navigate back to the CA directory and run the easyrsa script with
gen-req, and a simple name for your client.
$ cd ~/openvpnca/ ./easyrsa gen-req client nopass
Press enter to confirm the common name. If you wish to create a user protected with a password, remove the
Now that we've created a certificate authority, we must configure the server. First, copy and extract the sample OpenVPN configuration file to the default directory.
$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Open the configuration file located at
/etc/openvpn/server.conf and make some changes to it.
$ sudo nano /etc/openvpn/server.conf
Uncomment the following lines:
push "redirect-gateway def1 bypass-dhcp" user nobody group nogroup push "dhcp-option DNS 22.214.171.124" push "dhcp-option DNS 126.96.36.199" tls-auth ta.key 0
Change the user directive to listen for a non-privileged user instead of root.
Now, ensure that OpenVPN is pointing to the right
.key files. Then, change the entries depending on the VPN server name prescribed earlier in this guide.
ca ca.crt cert vpnserver.crt key vpnserver.key # This file should be kept secret
Save and close the file.
Next, to allow connected clients to access the Internet through the OpenVPN server, we need to modify
$ sudo nano /etc/sysctl.conf
Uncomment the line:
Save and close the file, then apply the changes.
$ sysctl -p
$ sudo systemctl enable openvpn@server $ sudo systemctl start openvpn@server
To provide internet access and properly direct traffic, we need to set up a Network Address Translation (NAT) rule with the following command.
$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
Congratulations, you have successfully installed OpenVPN on your Ubuntu 20.04 server.