Wednesday, December 4, 2024

Step-by-step guide to install and configure an OpenVPN server on Ubuntu

Step-by-step guide to install and configure an OpenVPN server on Ubuntu, followed by instructions for connecting to it using a mobile client.


Step 1: Update Your System

Before installing OpenVPN, ensure your system is up to date.


sudo apt update && sudo apt upgrade -y

Step 2: Install OpenVPN and Easy-RSA

Install OpenVPN and the Easy-RSA package, which will be used to set up a Certificate Authority (CA).


sudo apt install openvpn easy-rsa -y

Step 3: Set Up the Easy-RSA Directory

Create and configure the Easy-RSA directory.

make-cadir ~/easy-rsa
cd ~/easy-rsa

Step 4: Configure Variables

Edit the vars file to set custom values for your certificates.

nano vars

Modify the following lines as needed:


set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "State"
set_var EASYRSA_REQ_CITY "City"
set_var EASYRSA_REQ_ORG "YourOrg"
set_var EASYRSA_REQ_EMAIL "email@example.com"
set_var EASYRSA_REQ_OU "MyOrganizationalUnit"

Save and exit the editor (Ctrl+O, Enter, then Ctrl+X).


Step 5: Build the Certificate Authority (CA)

Initialize the PKI directory (this removes any existing PKI under ~/easy-rsa, so it also serves as the clean-up step) and build the CA. Ubuntu ships Easy-RSA 3, where init-pki replaces the old clean-all command.


./easyrsa init-pki
./easyrsa build-ca

When prompted, set a password for the CA and confirm it.


Step 6: Generate Server and Client Certificates

Generate the server certificate and key.


./easyrsa gen-req server nopass ./easyrsa sign-req server server

Generate client certificates for the first client (e.g., client1).


./easyrsa gen-req client1 nopass ./easyrsa sign-req client client1

Step 7: Generate Diffie-Hellman Parameters and TLS Key

Generate Diffie-Hellman parameters and the static key that tls-crypt uses to encrypt and authenticate the TLS control channel. Note that the server configuration in Step 8 sets dh none, which selects ECDH key exchange, so dh.pem is generated and copied but not actually loaded by the server.


./easyrsa gen-dh
openvpn --genkey --secret ta.key

Step 8: Configure the OpenVPN Server

Copy the generated certificates, keys, and other necessary files to the OpenVPN directory.


sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key /etc/openvpn

Create a server configuration file.

sudo nano /etc/openvpn/server.conf

Add the following configuration:


port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
;tls-auth ta.key 0
tls-crypt ta.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Save and exit.


Step 9: Start and Enable the OpenVPN Service

Start the OpenVPN server and enable it to start on boot.


sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Step 10: Configure Firewall Rules

Allow OpenVPN traffic through the firewall.


sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw enable

Enable IP forwarding, so the server can route packets on behalf of VPN clients, by editing the following file. Forwarding alone is not enough for clients to reach the internet through the tunnel (the server pushes redirect-gateway): the server must also NAT (masquerade) traffic from 10.8.0.0/24 out of its public interface.


sudo nano /etc/sysctl.conf

Uncomment or add the following line:


net.ipv4.ip_forward=1

Apply the changes:


sudo sysctl -p

Step 11: Generate Client Configuration

Create a client configuration file:


nano client1.ovpn

Add the following content:


client
dev tun
proto udp
remote <YOUR_SERVER_IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3
<ca>
# Insert the content of ca.crt
</ca>
<cert>
# Insert the content of client1.crt
</cert>
<key>
# Insert the content of client1.key
</key>
<tls-crypt>
# Insert the content of ta.key
</tls-crypt>

Replace YOUR_SERVER_IP with your server's public IP address.
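The four "Insert the content of ..." blocks are normally filled in by hand. The script below is an added example, not part of this guide: it builds the client profile from the Easy-RSA output of Steps 5 to 7 and embeds only the PEM block of each file, dropping the human-readable certificate dump that Easy-RSA prepends to issued .crt files. It assumes the ~/easy-rsa directory from Step 3, ta.key stored in that directory as in Step 7, and the server address passed as an argument; make_fake_pki only creates constructed stand-in files for trying the script offline.

```sh
#!/bin/sh
# Added example, not part of the original guide: assemble client1.ovpn by inlining the
# Easy-RSA output that Step 11 asks you to paste in by hand. Assumes the Easy-RSA 3
# layout (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key), ta.key in the
# Easy-RSA directory itself, and the server address supplied as an argument.

# Print only the PEM block of a file. Easy-RSA's issued .crt files carry a human-readable
# certificate dump above the -----BEGIN line; only the PEM block belongs inside <cert>.
pem_body() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# build_ovpn EASYRSA_DIR CLIENT_NAME SERVER_ADDR OUT_FILE  (returns 1 if an input is missing)
build_ovpn() {
    dir=$1 name=$2 server=$3 out=$4
    for f in "$dir/pki/ca.crt" "$dir/pki/issued/$name.crt" \
             "$dir/pki/private/$name.key" "$dir/ta.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    (
        umask 077   # the profile embeds a private key: create it owner-readable only
        {
            # same options as the client profile in Step 11; key-direction is omitted
            # because a tls-crypt key is used in both directions
            printf '%s\n' client "dev tun" "proto udp" "remote $server 1194" \
                "resolv-retry infinite" nobind persist-key persist-tun \
                "remote-cert-tls server" "cipher AES-256-GCM" "auth SHA256" "verb 3"
            echo '<ca>';        pem_body "$dir/pki/ca.crt";            echo '</ca>'
            echo '<cert>';      pem_body "$dir/pki/issued/$name.crt";  echo '</cert>'
            echo '<key>';       pem_body "$dir/pki/private/$name.key"; echo '</key>'
            echo '<tls-crypt>'; pem_body "$dir/ta.key";                echo '</tls-crypt>'
        } > "$out"
    )
}

# Constructed stand-in for the PKI so the script can be tried offline; real files come from
# Steps 5 to 7. The client .crt deliberately carries the text dump that Easy-RSA prepends.
make_fake_pki() {
    mkdir -p "$1/pki/issued" "$1/pki/private"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' CAFAKE '-----END CERTIFICATE-----' > "$1/pki/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (human-readable dump)' \
        '-----BEGIN CERTIFICATE-----' CLIENTFAKE '-----END CERTIFICATE-----' > "$1/pki/issued/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' KEYFAKE '-----END PRIVATE KEY-----' > "$1/pki/private/client1.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' '-----BEGIN OpenVPN Static key V1-----' \
        TAFAKE '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

# Usage: sh build-ovpn.sh ~/easy-rsa client1 <YOUR_SERVER_IP> client1.ovpn
if [ "$#" -eq 4 ]; then build_ovpn "$@"; fi
```

The resulting file contains the client's private key, so treat it as a secret: copy it to the device over an encrypted channel such as scp and remove any local copies you no longer need.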

Copy the client configuration to the client device over an encrypted channel, since it embeds the client's private key. For example:


scp client1.ovpn user@client-device:/path/to/destination

Step 12: Connect from a Mobile Client

  1. Download the OpenVPN app on your mobile device.
  2. Transfer the client1.ovpn file to your mobile.
  3. Open the OpenVPN app, import the configuration file, and connect.