OpenVPN with Ubuntu Server 14.04

Install OpenVPN and Easy-RSA

Unzip the example file at /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz and place it in /etc/openvpn/

Edit the server config file and replace the line

dh dh1024.pem

with

dh dh2048.pem

Uncomment the following line by removing the ;

push "redirect-gateway def1 bypass-dhcp"

Also remove the ; from these lines and change the IP to Google's DNS:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Also uncomment the following lines:

user nobody
group nogroup

Tell the kernel to forward packets to the internet

Edit /etc/sysctl.conf

Uncomment this line by removing the #

#net.ipv4.ip_forward=1

Save and exit

Firewall

On this server I had Webmin set up, so to add firewall rules I used the Linux Firewall module.

Added a new packet filtering – INPUT rule to accept packets coming to port 1194 with UDP.

Added a new nat – POSTROUTING rule to Masquerade packets from 10.8.0.0/8 on output interface eth0

Creating server keys and certificates

For the next part we need root access. This can be emulated with

Copy Easy-RSA generation scripts with

Make a directory for the keys

Edit the file called in the easy-rsa directory and change the variables for the values placed on the certificate

export KEY_COUNTRY="NO"
export KEY_PROVINCE="NA"
….
export KEY_OU="orgUnit"

Also edit the line

export KEY_NAME="server"

This name needs to be the same as the name of the key files in the OpenVPN config files.

Run these:

When prompted at ./build-ca just press Enter to use default values.

Run

where server is the value you set for KEY_NAME previously.
Press your way through the prompts with Enter, and select y when asked to sign and commit.

Copy the server's key and certificate to /etc/openvpn

Start the OpenVPN server

 

Create some client certificates

Still working in /etc/openvpn/easy-rsa

Choose a clientname that describes the client this is going to be used on

Confirm all the prompts with Enter and sign and commit with y

Copy the sample configuration file from the samples

We change the extension, and we'll use this as a template for other client config files later, so just keep the name.

Copy out the following files, e.g. to your desktop, for editing before we transfer them to the device we will be using them on.

/etc/openvpn/easy-rsa/keys/clientname.crt
/etc/openvpn/easy-rsa/keys/clientname.key
/etc/openvpn/easy-rsa/keys/client.ovpn
/etc/openvpn/ca.crt

 

Copy the file client.ovpn and rename it to the name of the device you will be using this config for.

Edit the file and change the following line

remote my-server-1 1194

Change my-server-1 to the IP/hostname of your VPN server.

Also uncomment the lines

user nobody
group nogroup

Add a comment (#) to the following lines

ca ca.crt
cert client.crt
key client.key

Add the contents of these files to the bottom of the file, inside <ca>, <cert> and <key> tags

<ca>
Insert the content of ca.crt here
</ca>
<cert>
Insert the content of clientname.crt here
</cert>
<key>
Insert the content of clientname.key here
</key>
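
The editing steps above can be scripted so that every device profile is built the same way and the file holding the private key is never world-readable. This is an added example, not part of the original post; the function names make_ovpn and pem and the argument order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). make_ovpn and its argument
# order are assumptions made for this illustration.

# Print only the PEM block of a file; any human-readable text dump that
# precedes the BEGIN line in a certificate file is dropped.
pem() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# make_ovpn TEMPLATE CA CERT KEY SERVER OUTPUT
make_ovpn() {
    template=$1 ca=$2 cert=$3 key=$4 server=$5 out=$6

    # Refuse to build a profile from missing or empty inputs.
    for f in "$template" "$ca" "$cert" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # The server name is spliced into a sed expression, so allow only
    # hostname and IP address characters.
    case $server in
        ''|*[!A-Za-z0-9.:-]*) echo "bad server name" >&2; return 1 ;;
    esac

    # The profile embeds the private key: make it owner-only before any
    # key material is written to it.
    ( umask 077; : > "$out" ) || return 1
    chmod 600 "$out" || return 1

    {
        # Set the remote, comment out the external ca/cert/key
        # references, and enable the user/group privilege drop.
        sed -e "s/^remote my-server-1 /remote $server /" \
            -e 's/^ca /#&/' -e 's/^cert /#&/' -e 's/^key /#&/' \
            -e 's/^;user nobody/user nobody/' \
            -e 's/^;group nogroup/group nogroup/' "$template"
        printf '<ca>\n';   pem "$ca";   printf '</ca>\n'
        printf '<cert>\n'; pem "$cert"; printf '</cert>\n'
        printf '<key>\n';  pem "$key";  printf '</key>\n'
    } >> "$out"
}
```

Call it as make_ovpn client.ovpn ca.crt clientname.crt clientname.key SERVER device.ovpn, where SERVER is the IP/hostname of your VPN server.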

Now you can transfer this file to the device you intend to use it on and use it with an OpenVPN client.

On Ubuntu you can run this with

 

A lot of this was borrowed from the Digital Ocean tutorial at https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04

 
