OpenVPN

Setting up OpenVPN on Ubuntu 18.04

Introduction

Would you like to securely access the Internet from your smartphone or laptop when you connect to an untrustworthy network (e.g., WiFi in a hotel or coffee shop)? Luckily, there is a way to grant you your wishes. You can securely connect to an untrusted network as if you are on a private network using a Virtual Private Network (VPN).

What is a VPN?

VPN stands for a Virtual Private Network. It offers the possibility to open a secure tunnel to a trustworthy server. All requests are then sent and received via this server. The advantage is securing your access and transactions when using public networks such as free WiFi in a hotel.

Through the VPN, all data is encrypted and processed via the server. Devices that hang in between, such as third-party routers and the like, have no way of redirecting the traffic to unwanted destinations. Also, once the connection has been successfully established, you are a part of the server’s network. Other servers, computers or devices such as printers that would normally only be accessible in the server’s local network can now also be reached through the VPN tunnel. However, since not all data has to be sent through an encrypted tunnel, it is possible to configure the VPN client so that only a defined part of the requests is sent through the VPN tunnel. The rest of the traffic is processed normally over the Internet.

In this tutorial, we will walk you through the steps of setting up an OpenVPN server on Ubuntu 18.04.

Requirements

You need to have access to an Ubuntu 18.04 server to host your OpenVPN service to complete this tutorial. Before starting this guide, you also need to configure a non-root user with sudo permissions. You can easily install your server by following our tutorial on setting up an Ubuntu server.

In addition, you will need a separate computer to act as a certification authority (CA). Technically, you can use your OpenVPN server or your local computer as a certification authority. However, we don’t recommend this as it will expose your VPN to security flaws. According to the official OpenVPN documentation, you should place the certification authority on a separate computer dedicated to importing and signing certificate requests. So, we assume that your certification authority is on a separate Ubuntu 18.04 server that also has a non-root user with sudo permissions and a basic firewall. Throughout this guide, all installation and configuration steps will be as simple as possible for each of the installations. You can also take a look at our tutorial on how to set up an Open VPN server under Docker.

Step 1 – Install OpenVPN and EasyRSA

First, update your VPN server’s package index and install OpenVPN. You can  install OpenVPN using apt because it is available in the default Ubuntu repositories:

Step 2: Create a certification authority

Create a simple certification authority (CA) to issue trusted certificates for the OpenVPN server. To do this, download the latest version of EasyRSA on both your CA machine and OpenVPN server using wget. To get the latest version, go to the Releases page of the official EasyRSA GitHub project, copy the download link for the file ending in .tgz and paste it into the following command:

Then, extract the tarball:

 OpenVPN EasyRSA software

At this point, all required software has been successfully installed on your CA computer and server.

Step 3 – Configure EasyRSA variables and build the CA

EasyRSA comes with a configuration file that you can edit to define a number of variables for your CA using this command:

There is a file in the directory with the name vars.example. Make a copy of this file, and name the copy vars without a file extension:

Use your preferred text editor to open this new file:

Next, find the settings that set field defaults for new certificates. It will be similar to this:

Update these variables to whatever you like as shown below:

Save and close the file once you are ready. The next step is to call the easyrsa script and run it with the init-pki option to initiate the public key infrastructure on the CA server:

easyrsa init-pki

Next, run the build-ca command with the nopass option so that you will not be prompted for a password every time you interact with your CA:

In the output, you’ll be asked to confirm the common name for your CA:

 OpenVPN build-ca

With that, your CA is in place and it’s ready to start signing certificate requests.

Step 4 – Generate server certificate, key, and encryption files

After the CA is ready, you can generate the private key and certificate request from the server and then send it to the CA for signature by creating the required certificate. First, navigate to the EasyRSA directory on the OpenVPN server:

From there, run the easyrsa script with the init-pki option. Although you have already run this command on the CA computer, this command must be run here as well. That’s because the PKI directories of the server and the CA are different:

Then call the easyrsa script again, this time with the gen-req option, followed by the computer’s generic name:

This will create a private key for the server and a certificate request file named server.req. Copy the server key to the /etc/openvpn/ directory:

Transfer the server.req file to your CA computer using a secure method (such as SCP in the following example):

Next, navigate to the EasyRSA directory on your CA computer:

Use the easyrsa script again to import the server.req file and add its common name after the file path:

Then, sign the request by running the easyrsa script with the sign-req option followed by the request type and common name. For the certificate request of the OpenVPN server, make sure that you use the server request type:

The output prompts you to verify that the request is from a trusted source. Type yes and press Enter to confirm. Please check the details shown below to ensure accuracy. Please note that this request has not yet been password verified.

Request the subject and sign it as a server certificate for 3650 days:

 OpenVPN sign certificate for server

If you have encrypted the CA key, you will be asked for the password at this point. Next, use a secure method to transfer the signed certificate back to your VPN server:

Transfer the ca.rt file to the server before you log out from the CA computer:

Next, log in to your OpenVPN server again and copy the files server.crt and ca.crt to your /etc/openvpn/ directory:

Then, navigate to your EasyRSA directory:

Enter the following code to create a strong Diffie-Hellman key you can use during the key exchange:

When done, generate an HMAC signature to improve the server’s TLS health check functionality:

When the command is complete, copy the two new files to the / etc / openvpn / directory:

In this way, all certificates and key files required by the server are generated. Now, you can create the appropriate certificate and key that the client computer will use to access the OpenVPN server.

Step 4 – Generate client certificate and key pair

Next, we will create a client key and several certificates. If you have multiple clients, you can repeat this process for each client. Note, however, that you must pass a unique name value to the script for each client. In this tutorial, we will name the first certificate/key pair client1. First, create a directory structure in your home directory to store client certificates and key files:

Since you save the certificate/key pair and the client’s configuration file in this directory for security reasons, you should now revoke the permissions:

Then navigate back to the EasyRSA directory and run the easyrsa script with the options gen-req and nopass as well as the generic name of the client:

Press Enter to confirm the common name. After that, copy the client1.key file into the previously created / client-configs / keys / directory:

Next, use a secure method to transfer the client1.req file to your CA computer:

Log in to your CA computer, navigate to the EasyRSA directory and import the certificate request:

import client.req

Then, as in the previous step, sign the request on the server. But this time you need to specify the client request type:

At the prompt, type yes to confirm that you want to sign the certificate request and that the certificate request is from a trusted source. Please enter the word “yes” to continue or enter anything else to be discarded:

sign certificate

If you have encrypted the CA key, you will also be asked to enter the password here. This will create a client certificate file named client1.crt. Transfer this file back to the server:

SSH back to your OpenVPN server and copy the client certificate to the / client-configs / keys / directory:

Next, copy the ca.crt and ta.key files into the / client-configs / keys / directory:

At the same time, all certificates and keys of the server and the client were generated and saved in the corresponding directories on the server. Now you can continue to set up OpenVPN on the server.

 Step 5 – Configuring the OpenVPN service

After generating the client and server certificates, you can configure the OpenVPN service to use these credentials. First, copy the OpenVPN sample configuration file into your configuration directory and then extract it to use it for the setup basis:

Open the server configuration file in your preferred text editor:

Then, find the HMAC part by looking for the tls-auth command:

Find the password part by looking for the commented out password line. AES-256-CBC encryption offers a good level of encryption and is well supported. The line should not be commented, but if it isn’t, delete the “;” before:

Below that, add an Auth command to select the HMAC message-digest algorithm. SHA256 is a good choice for this:

Next, find the line with the dh statement that defines the Diffie-Hellman parameters. Due to some recent changes to EasyRSA, the Diffie-Hellman key filename may be different from the filename listed in the sample server configuration file. If necessary, change the filename listed here by deleting 2048 to align it with the previous step’s key:

Finally, find the user and group settings and delete the “;” at the beginning of each line:

So far, the changes you made to the sample server.conf file should allow OpenVPN to work.

Step 6 – Server network configuration

Configure IP forwarding to properly route traffic through the VPN.  This is essential for the VPN functionality your server provides:

Look for the commented line that sets net.ipv4.ip_forward. Remove the “#” character from the beginning of the line to uncomment this setting:

Save the file and close it once you are through. To read the file and adjust the values for the current session, type:

sysctl -p

Next, add the public network interface of your machine:

Your public interface is the string within this command’s output that follows the word “dev”. For example, this result shows the interface named ens3.

default ip route

Open the /etc/ufw/before.rules file to add the relevant configuration:

Towards the top of the file, add the highlighted lines below to set the default policy for the POSTROUTING chain in the nat table and masquerade any traffic coming from the VPN. Change ens3 in the -A POSTROUTING line below with the interface you found in the above command:

Save the file and close it once you are through. Next, you need to tell UFW to allow forwarded packets by default as well. To do this, open the /etc/default/ufw file:

Inside, find the DEFAULT_FORWARD_POLICY directive and change the value from DROP to ACCEPT:

Save and close the file when you are through. Next, adjust the firewall to enable traffic to OpenVPN. If you did not change the port and protocol in the /etc/openvpn/server.conf file, you will need to open up UDP traffic to port 1194. If you modified the port and/or protocol, substitute the values you selected here. In case you forgot to add the SSH port when following the prerequisite tutorial, add it here as well:

After adding those rules, disable and re-enable UFW to restart it and load the changes from all of the files you’ve modified:

ufw commands

Congratulations, your server is now configured to correctly handle OpenVPN traffic!

Conclusion

If you followed this tutorial all the way through, you are now able to browse through the Internet safely. You will be able to keep your identity, location and traffic away from prying eyes.

Happy Computing!