How to Install & Update OpenVPN on Ubuntu 16
Using OpenVPN allows you to access the internet securely, especially when you’re connected to a public or untrusted network. OpenVPN is a solution that lets you create a wide array of network configurations; these configurations allow customized private network setups that can meet a variety of needs. OpenVPN is open-source software that uses the SSL/TLS protocol for additional security.
OpenVPN allows authentication through pre-shared secret keys, certificates, or a username and password combination. Through this authentication, secure point-to-point connections are established with high-level encryption protocols.
Getting Started
When you decide to install and update OpenVPN on Ubuntu 16.04, you will first need a node running Linux Ubuntu 16.04 LTS; the node you choose can be on a cloud server or a dedicated server. It’s important to verify that your operating system is running the most recent version, including any updates or patches that may need to be installed.
Update OpenVPN on Ubuntu 16
The first step in any successful implementation is updating the system, verifying that all available updates have been applied and the install itself is clean. You can do this by running the following commands:
$ apt-get update
$ apt-get upgrade
Once the updates are pushed, you can then proceed with installing OpenVPN and EasyRSA on your node:
$ apt-get install openvpn easy-rsa
Now that OpenVPN and EasyRSA have been installed, it’s time to set up the CA Directory and then move to it:
$ make-cadir ~/openvpn-ca && cd ~/openvpn-ca
You will need to edit the vars file to match the information you have:
$ nano vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
You can also change the key name if you wish:
export KEY_NAME="server"
After setting up the directory, editing the vars file, and changing the key name if you chose to do so, it’s time to build the CA:
$ source vars
$ ./clean-all
$ ./build-ca
At this point you will be shown a set of prompts; you can press Enter at each one to accept the defaults taken from the vars file.
When the prompts have completed, it’s time to create the server certificate, the key, and the encryption files. If you opted to change the KEY_NAME value earlier, you would need to verify that you’re building the correct key at this time:
$ ./build-key-server server
Make sure to accept the default entry during the build.
Now it’s time to generate the DH Key:
$ ./build-dh
After generating the DH Key, the TLS Key will need to be generated:
$ openvpn --genkey --secret keys/ta.key
There are two options for building a client certificate here: one that assigns a password to the key and one that does not.
No Password Option
It’s time to generate a client key pair and certificate, replacing “client” with the name you want to give this client’s certificate:
$ cd ~/openvpn-ca
$ source vars
$ ./build-key client
Password Option
If you would prefer to have a password assigned to your certificate during this build, follow the below commands:
$ cd ~/openvpn-ca
$ source vars
$ ./build-key-pass client
Now that the certificate has been built, with or without a password, the OpenVPN server can be configured. During this configuration, make sure to match KEY_NAME with the correct name:
$ cd ~/openvpn-ca/keys
$ cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn
$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
We need to edit the newly created server.conf file to continue the configuration, applying the changes that fit your setup:
$ nano /etc/openvpn/server.conf
Once the edits are complete, it’s time to configure the server to forward traffic through the VPN:
$ nano /etc/sysctl.conf
Add the following line:
net.ipv4.ip_forward=1
Reload sysctl so the change takes effect:
$ sysctl -p
Next, we need to locate the primary interface:
$ ip route | grep default
default via 192.168.65.254 dev eth0 onlink
After the primary interface is located, the UFW rules will need to be altered:
$ nano /etc/ufw/before.rules
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to eth0 (change to the interface you discovered!)
# The sample server.conf assigns clients from 10.8.0.0/24, so only that subnet needs masquerading
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
During this alteration, the default UFW rules will also need to be edited:
$ nano /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
When the necessary edits are complete, open the OpenVPN port in the firewall, keep SSH allowed so you are not locked out, and restart UFW so the new rules load:
$ ufw allow 1194/udp
$ ufw allow OpenSSH
$ ufw disable
$ ufw enable
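As an added example, not part of the original guide, the script below automates the interface lookup shown above, renders the UFW NAT block for the OpenVPN client subnet, and provides checks you can run against the edited files before re-enabling the firewall. The client subnet 10.8.0.0/24 is an assumption taken from the sample server.conf default (server 10.8.0.0 255.255.255.0); the function names and the file paths passed to them are this example's own.

```shell
#!/bin/bash
# Added example: derive the outbound interface, render the UFW NAT rules for
# the OpenVPN client subnet and audit the forwarding settings.
# Assumes the default client subnet from the sample server.conf (10.8.0.0/24).
set -eu

OPENVPN_SUBNET="10.8.0.0/24"

# Print the interface name from one line of `ip route` output, e.g.
# "default via 192.168.65.254 dev eth0 onlink" -> eth0
default_iface_from_route() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Render the block to paste at the top of /etc/ufw/before.rules.
# $1: outbound interface, $2: client subnet
render_nat_rules() {
    cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from OpenVPN clients leaving via $1
-A POSTROUTING -s $2 -o $1 -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# Return 0 if the given sysctl.conf-style file enables IPv4 forwarding
# (a commented-out line does not count).
forwarding_enabled_in() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Return 0 if /etc/default/ufw (or a copy of it) sets the forward policy to ACCEPT
forward_policy_accept_in() {
    grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"$' "$1"
}

# Return 0 if before.rules (or a copy) carries the exact MASQUERADE rule for
# the given interface and subnet; a rule for another interface or a wider
# subnet does not count. $1: file, $2: interface, $3: subnet
nat_rule_present_in() {
    grep -Fxq -- "-A POSTROUTING -s $3 -o $2 -j MASQUERADE" "$1"
}

# When run on a host with iproute2, print the rules for its default
# interface so they can be reviewed before being pasted into before.rules.
if command -v ip >/dev/null 2>&1; then
    route_line=$(ip route 2>/dev/null | grep '^default' || true)
    if [ -n "$route_line" ]; then
        render_nat_rules "$(default_iface_from_route "$route_line")" "$OPENVPN_SUBNET"
    fi
fi
```

The audit functions take file paths rather than reading the live system, so you can run them against copies of /etc/sysctl.conf, /etc/default/ufw and /etc/ufw/before.rules taken from the node, or against the files on the node itself once the edits are in place.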
Start and enable the OpenVPN server, then check its status:
$ systemctl start openvpn@server
$ systemctl enable openvpn@server
$ systemctl status openvpn@server
We need to create the client configuration file, making a few edits and commenting out some lines:
$ mkdir -p ~/client-configs/files
$ chmod 700 ~/client-configs/files
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
$ nano ~/client-configs/base.conf
Edit the following lines:
remote server_IP_address 1194
proto udp
user nobody
group nogroup
Comment out these lines by adding “#”:
#ca ca.crt
#cert client.crt
#key client.key
Then add:
cipher AES-128-CBC
auth SHA256
key-direction 1
After completing the edits, create a script that assembles a per-client config file, embedding the certificates and keys inline:
$ nano ~/client-configs/make_config.sh
Then add:
#!/bin/bash

# First argument: client identifier (the name used with ./build-key)

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA cert, client cert, client key and
# TLS auth key, each wrapped in OpenVPN's inline <tag>...</tag> markers
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
Change the permissions:
$ chmod 700 ~/client-configs/make_config.sh
Finally, it’s time to generate the client file:
$ cd ~/client-configs
$ ./make_config.sh client_name
The generated client file should now be listed:
$ ls ~/client-configs/files
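As an added example, not part of the original guide, here is a stricter take on the config-generation script above. It refuses client names that could escape the keys directory, checks that every input file exists before writing anything, never overwrites an existing .ovpn, creates the output readable by its owner only (it embeds a private key), and offers a verify_ovpn helper that checks the inline sections are well formed. The function names, the explicit path arguments, and the verify helper are this example's own assumptions.

```shell
#!/bin/bash
# Added example: a hardened version of the make_config.sh idea, with input
# validation, existence checks and a structural check of the result.
# Function names and the explicit path arguments are this example's own.
set -eu

# Accept only simple client identifiers so the name can never escape the
# keys directory (e.g. "../../etc/something") or contain shell-hostile chars.
valid_client_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Wrap a file's content in OpenVPN inline markers: emit_inline <tag> <file>
emit_inline() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_client_config <key_dir> <base_conf> <out_dir> <client_name>
# Writes <out_dir>/<client_name>.ovpn and prints its path on success.
make_client_config() {
    local key_dir=$1 base_conf=$2 out_dir=$3 name=$4 f out

    valid_client_name "$name" || { echo "invalid client name: $name" >&2; return 1; }

    # Fail before touching the output if anything is missing
    for f in "$base_conf" "$key_dir/ca.crt" "$key_dir/$name.crt" \
             "$key_dir/$name.key" "$key_dir/ta.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    out="$out_dir/$name.ovpn"
    [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; return 1; }

    # The .ovpn embeds the client's private key: create it as mode 600
    (
        umask 077
        {
            cat "$base_conf"
            emit_inline ca "$key_dir/ca.crt"
            emit_inline cert "$key_dir/$name.crt"
            emit_inline key "$key_dir/$name.key"
            emit_inline tls-auth "$key_dir/ta.key"
        } > "$out"
    )
    printf '%s\n' "$out"
}

# verify_ovpn <file>: return 0 if every inline section opens and closes
# exactly once and the embedded material carries the expected PEM headers.
verify_ovpn() {
    local tag
    for tag in ca cert key tls-auth; do
        [ "$(grep -c "^<$tag>\$" "$1")" -eq 1 ] || return 1
        [ "$(grep -c "^</$tag>\$" "$1")" -eq 1 ] || return 1
    done
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" || return 1
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" || return 1
}

# Usage: ./make_config.sh client_name   (paths follow the guide's layout)
if [ $# -eq 1 ]; then
    make_client_config "$HOME/openvpn-ca/keys" "$HOME/client-configs/base.conf" \
                       "$HOME/client-configs/files" "$1"
fi
```

Run it the same way as the original script (./make_config.sh client_name); a rejected name, a missing certificate, or an existing output file each produce a message on stderr and a non-zero exit instead of a half-written .ovpn.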
Conclusion
Congratulations, you’ve successfully installed and updated OpenVPN on your node running Ubuntu 16.04 LTS. You’re now ready to run your OpenVPN instance and begin securely connecting and transmitting data over a variety of networks; make sure to update OpenVPN as needed or when critical updates are pushed. If you found this guide helpful, please share it with other users engaging in similar setups.