How to install OpenVPN on your own Ubuntu server from scratch.
OpenVPN is an open source VPN project that creates a secure connection between your device and the internet by encrypting your traffic and routing it through a private VPN server. Your data travels to and from the OpenVPN server through a TLS/SSL-encrypted tunnel that uses trusted certificates to verify that only your client device and the server can read it. This protects your privacy and security particularly on untrusted public networks, such as the Wi-Fi in a library or restaurant.
Perhaps the most compelling aspect of OpenVPN is hinted at right in the name: its code base is open source, so there are no third parties you need to trust with your data. Simply set up a server in the location of your choice and you are in complete control of your data. If you are not sure how to do that, you are in the right place. This tutorial provides step-by-step instructions for installing OpenVPN and creating your own VPN server from scratch. Enjoy!
To install OpenVPN, first and foremost you need a server. This tutorial demonstrates the process on an Ubuntu server. You need a non-root account with sudo privileges on the server.
SSH on to your Ubuntu server with the following command:
ssh <user>@<IP address>
Depending on how you have set up your SSH access you will be prompted for your SSH key passphrase or your password. Provide the required credentials.
To make sure your server has up-to-date package lists, run the following command:
sudo apt-get update
The command refreshes the package index and may take a few minutes. Once it has completed, install OpenVPN with the following command:
sudo apt-get install openvpn
As mentioned previously, OpenVPN is a TLS/SSL VPN. Therefore you have to create your own Certificate Authority (CA) to issue trusted certificates and build your Public Key Infrastructure (PKI).
The following command installs the easy-rsa package, which will help you build the CA:
sudo apt-get install easy-rsa
Once completed, copy the easy-rsa template directory into your home directory using the following command:
make-cadir ~/openvpn-ca
Navigate into the created directory:
cd ~/openvpn-ca
You need to change some values in the vars configuration file. Open it in a terminal text editor so that we can make the changes:
nano vars
You will see many configuration parameters with their default values. Keep them as they are for now. Navigate towards the bottom of the file to find a list of parameters that looks like the line below.
export KEY_EMAIL="<your email address>"
Change these parameters to match your information.
Just below this section there is a parameter called KEY_NAME. You can give it a name of your liking.
Once completed, exit the text editor. Make sure you are still in the CA directory and source the vars file:
source vars
If you come across an error such as the message below,
"No /root/openvpn-ca/openssl.cnf file could be found"
...further invocations will fail. To resolve the problem, create a symbolic link in the CA directory:
ln -s openssl-1.0.0.cnf openssl.cnf
Once you run source vars again, the problem should be resolved and the output should say:
"NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-ca/keys"
To clean up the operating environment, run:
./clean-all
After these steps are completed, build the CA using the following command:
./build-ca
Press enter at every prompt to accept the default values that we configured in the vars file.
Great! Now you have successfully created a CA that can be used to create the rest of the files required for your OpenVPN server.
Continue by creating the OpenVPN server certificate and key pair with the following command:
./build-key-server server
The prompts are pre-filled with the values we entered in the vars configuration file. Do not enter a challenge password during the setup.
Next, build the Diffie-Hellman parameters with the following command:
./build-dh
This might take several minutes to complete. Then generate an HMAC key, which adds an extra layer of security to the TLS handshake:
openvpn --genkey --secret keys/ta.key
Ideally, the client key pair and certificate request would be generated on the client machine and only the request sent to the CA for signing. For the sake of demonstration, in this tutorial this step is performed on the server as well.
The following command builds client credentials without a password, to facilitate automated connections:
./build-key <client name>
If you would rather build client credentials protected by a password, use the following command instead:
./build-key-pass <client name>
If you have more than one client, repeat these steps, making sure that you enter a unique name for each client.
In the previous steps we created many certificates and keys. All of them are placed in the ~/openvpn-ca/keys directory. We need to copy the CA certificate, the server certificate and key, the DH file and the HMAC key to the /etc/openvpn directory.
To do so, go into the keys directory and copy the files into place (sudo is required because /etc/openvpn is owned by root):
cd ~/openvpn-ca/keys
sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn
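As an added check that is not part of the original tutorial: after the copy above it is worth confirming that all five files arrived in /etc/openvpn and that the two secrets (server.key and ta.key) are readable by their owner only, since a key that other local users can read undermines the whole PKI. The script below takes the directory to inspect as a parameter and builds a scratch directory of placeholder files (constructed data, not real keys) so it can be exercised without root; the file names are the ones listed in the tutorial.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the OpenVPN
# server directory after copying the PKI files into it.

REQUIRED_FILES="ca.crt server.crt server.key ta.key dh2048.pem"
SECRET_FILES="server.key ta.key"

# Succeeds only when the group and other permission bits are all clear
# (mode 0600 or 0400). Parses ls -l so it works on GNU and BSD userlands.
owner_only() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 if every required file exists in $1 and the secrets are
# owner-only; otherwise prints one line per problem and returns 1.
check_openvpn_dir() {
    dir=$1
    ok=0
    for f in $REQUIRED_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            ok=1
        fi
    done
    for f in $SECRET_FILES; do
        if [ -f "$dir/$f" ] && ! owner_only "$dir/$f"; then
            echo "too permissive: $dir/$f (fix with: sudo chmod 600 $dir/$f)"
            ok=1
        fi
    done
    return $ok
}

# Scratch directory with placeholder files (constructed, not real keys),
# with server.key deliberately left world-readable as a cp may leave it.
make_scratch_dir() {
    d=$(mktemp -d)
    for f in $REQUIRED_FILES; do
        echo "placeholder" > "$d/$f"
    done
    chmod 644 "$d/server.key"
    chmod 600 "$d/ta.key"
    echo "$d"
}

# Demonstration on the scratch directory; on a real server run
#   check_openvpn_dir /etc/openvpn
demo=$(make_scratch_dir)
check_openvpn_dir "$demo" || echo "fix the problems listed above"
chmod 600 "$demo/server.key"
check_openvpn_dir "$demo" && echo "all files present with safe permissions"
rm -rf "$demo"
```

To use it on the real server, source the script and run check_openvpn_dir /etc/openvpn with sudo; the function only reads the directory, so it is safe to run repeatedly.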
Extract the sample server configuration file into /etc/openvpn with the following command (sudo tee is needed because /etc/openvpn is owned by root):
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Open the configuration file in an editor:
sudo nano /etc/openvpn/server.conf
Find the HMAC section by looking for the tls-auth directive. Remove the ";" to uncomment the tls-auth line.
Find the cipher line and, directly below it, add an auth line selecting the HMAC message digest algorithm.
Find the user and group settings and remove the ";" at the beginning of each so that OpenVPN drops its privileges after start-up. The lines should then read:
user nobody
group nogroup
We need to allow the server to forward traffic between the VPN and the internet. Enable this by modifying the /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf
Look for the line that sets net.ipv4.ip_forward and uncomment it. Save and close the file. Run the following command to re-read the file and apply the updated values:
sudo sysctl -p
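The server.conf and sysctl.conf edits above are easy to get subtly wrong in an editor (a leftover ";" keeps tls-auth disabled, or the auth line ends up commented). The script below, an added example rather than part of the original tutorial, performs the same edits with sed on whatever file path you pass in, so they can be tried on a scratch copy and checked before touching the real files. It assumes the OpenVPN 2.3-style sample server.conf lines (";tls-auth ta.key 0", a single active "cipher" line, ";user nobody", ";group nogroup"), a "#net.ipv4.ip_forward=1" line in sysctl.conf, and SHA256 as the HMAC digest; the sample files it creates are constructed here, not copies of the real ones.

```shell
#!/bin/sh
# Added example (not from the original tutorial): apply the server.conf
# hardening edits and the IPv4 forwarding change with sed.

# Scratch server.conf with the relevant lines of the sample config
# (constructed here; the real file has many more lines).
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
port 1194
proto udp
dev tun
;tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
;user nobody
;group nogroup
persist-key
persist-tun
EOF
    echo "$f"
}

# Scratch sysctl.conf fragment (constructed here).
make_sample_sysctl() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
EOF
    echo "$f"
}

# Strip the leading ";" (OpenVPN's comment character) from the line that
# starts with directive $2 in file $1.
uncomment_directive() {
    sed "s/^;[[:space:]]*\($2[[:space:]]\)/\1/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The three server.conf edits from the tutorial: enable tls-auth, add an
# auth line right after the cipher line (assumed digest: SHA256), and
# drop privileges to nobody/nogroup. Safe to run more than once.
harden_server_conf() {
    conf=$1
    uncomment_directive "$conf" tls-auth
    uncomment_directive "$conf" user
    uncomment_directive "$conf" group
    if ! grep -q '^auth ' "$conf"; then
        sed '/^cipher /a\
auth SHA256' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    fi
}

# Uncomment net.ipv4.ip_forward=1 in a sysctl.conf-style file ("#" comments).
enable_ip_forward() {
    sed 's/^#[[:space:]]*\(net\.ipv4\.ip_forward=1\)/\1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeeds if file $1 contains an active (uncommented) line starting with $2.
has_active_line() {
    grep -q "^$2" "$1"
}

# Demonstration on scratch copies; on the real server the calls would be
#   sudo sh -c '. ./this_script.sh; harden_server_conf /etc/openvpn/server.conf'
# followed by enable_ip_forward /etc/sysctl.conf and sudo sysctl -p.
demo_conf=$(make_sample_conf)
demo_sysctl=$(make_sample_sysctl)
harden_server_conf "$demo_conf"
enable_ip_forward "$demo_sysctl"
grep -n -E '^(tls-auth|cipher|auth|user|group) ' "$demo_conf"
grep -n '^net.ipv4.ip_forward' "$demo_sysctl"
rm -f "$demo_conf" "$demo_sysctl"
```

The has_active_line helper is the check to run after editing by hand as well: has_active_line /etc/openvpn/server.conf 'tls-auth ta.key 0' returning success confirms the directive is really enabled rather than still commented out.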
Once all the steps are complete, we can finally start the VPN service. Use the command below:
sudo systemctl start openvpn@server
(Note that server here is the name of the server configuration file in /etc/openvpn, without the .conf extension. If you used a different file name, use that name instead.)
You can check if OpenVPN is running successfully by entering the following command:
sudo systemctl status openvpn@server
And that's it! Nice job. Now that everything is up and running, copy each client's certificate and key (together with ca.crt and ta.key) to the client over a secure channel such as scp, and your VPN clients can connect to your server.