How to Install and Configure an OpenVPN Server on Ubuntu: A Step-by-Step Guide

Setting up an OpenVPN server on Ubuntu is a great way to ensure secure internet access and safeguard your data from prying eyes. In this guide, we’ll walk you through the entire process step by step.

Prerequisites

  • A server running Ubuntu (18.04, 20.04, or 22.04)
  • Root or sudo privileges
  • Basic knowledge of command-line operations

Step 1: Update Your Server

First, ensure your server is up-to-date:

sudo apt update
sudo apt upgrade -y

Step 2: Install OpenVPN and Easy-RSA

OpenVPN authenticates the server and each client with X.509 certificates; Easy-RSA is the tool this guide uses to create and manage them (the CA, the server certificate and the client certificates). Install both packages:

sudo apt install openvpn easy-rsa -y

Step 3: Set Up the Certificate Authority

  1. Create a directory for Easy-RSA and navigate to it:

     make-cadir ~/openvpn-ca
     cd ~/openvpn-ca

  2. Edit the vars file to set up the necessary variables:

     nano vars

     Customize the following variables according to your preferences (example values provided):

     set_var EASYRSA_REQ_COUNTRY  "US"
     set_var EASYRSA_REQ_PROVINCE "California"
     set_var EASYRSA_REQ_CITY     "San Francisco"
     set_var EASYRSA_REQ_ORG      "MyOrganization"
     set_var EASYRSA_REQ_EMAIL    "admin@example.com"
     set_var EASYRSA_REQ_OU       "MyOrganizationalUnit"

  3. Initialize the PKI directory. Easy-RSA 3 (the version the ./easyrsa commands in the following steps belong to) reads vars from the working directory on its own and ships no clean-all script, so init-pki replaces the older source vars / ./clean-all sequence and removes any keys left over from a previous run:

     ./easyrsa init-pki

Step 4: Build the Certificate Authority

Generate the CA certificate and key:

./easyrsa build-ca

You’ll be prompted for a Common Name. You can use MyOpenVPN-CA or any other descriptive name.

Step 5: Create the Server Certificate, Key, and Encryption Files

  1. Generate the server certificate and key:

     ./easyrsa build-server-full server nopass

  2. Generate Diffie-Hellman parameters:

     ./easyrsa gen-dh

  3. Generate an HMAC key for tls-auth. With it, the server discards any packet that does not carry a valid HMAC before allocating TLS handshake state, which limits its exposure to denial-of-service traffic and port scanning:

     openvpn --genkey --secret ta.key

     OpenVPN 2.5 and later still accept this form but print a deprecation warning; the current spelling is openvpn --genkey secret ta.key.

Step 6: Configure the OpenVPN Service

  1. Copy the files the server needs into the OpenVPN directory. The CA private key (pki/private/ca.key) is left out on purpose: the running server never reads it, and keeping it off the VPN host means a compromised server cannot be used to issue new client certificates:

     sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key /etc/openvpn

  2. Copy a sample configuration file to the OpenVPN directory and unpack it:

     sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
     sudo gzip -d /etc/openvpn/server.conf.gz

  3. Edit the server configuration file:

     sudo nano /etc/openvpn/server.conf

     Make the following changes:

    • Uncomment the lines user nobody and group nogroup so the daemon drops its root privileges once it has opened the tunnel device and bound its port.
    • Add or modify the following lines:

       tls-auth ta.key 0 # This file is secret
       key-direction 0

    • Ensure the cipher and auth directives match the security level you desire. For example:

       cipher AES-256-CBC
       auth SHA256

       On OpenVPN 2.5 and later the data channel cipher is negotiated through the data-ciphers directive (default AES-256-GCM:AES-128-GCM), which takes precedence over cipher whenever both peers support negotiation, so the cipher line above mainly serves older clients.
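A quick way to confirm those edits actually took effect is to audit the finished file rather than reread it by eye. The following script is an added example and not part of the original guide: check_server_conf is this example's own name, and it assumes one directive per line, as in the sample server.conf. It reports each missing hardening directive and returns non-zero if any is absent (it also accepts tls-crypt and data-ciphers as equivalents of tls-auth and cipher).

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an OpenVPN server.conf
# for the Step 6 hardening directives and report anything missing.
# Assumes one directive per line, as in the sample server.conf; the function
# name check_server_conf is this example's own.

# Print the active directives of a config: comments (# or ;), surrounding
# whitespace and blank lines removed.
active_directives() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# check_server_conf FILE
# Prints one line per missing directive and returns 1 if any is missing,
# 0 when the config carries all of them.
check_server_conf() {
    conf="$1"
    missing=0
    # "<what to report>|<extended regex an acceptable active line must match>"
    for spec in \
        'user nobody|^user[[:space:]]+nobody$' \
        'group nogroup|^group[[:space:]]+nogroup$' \
        'tls-auth ta.key 0 (or tls-crypt)|^tls-(auth|crypt)[[:space:]]+[^[:space:]]+' \
        'cipher AES-256-CBC (or data-ciphers on 2.5+)|^(cipher[[:space:]]+AES-(128|256)-(CBC|GCM)|data-ciphers[[:space:]]+AES-(128|256)-GCM)' \
        'auth SHA256|^auth[[:space:]]+SHA(256|384|512)$'
    do
        label=${spec%%|*}   # text before the first |
        regex=${spec#*|}    # everything after the first |
        if ! active_directives "$conf" | grep -Eq "$regex"; then
            echo "missing: $label"
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: check_server_conf /etc/openvpn/server.conf && echo "server.conf OK"
```

Run it as root (the file is only readable by root) after each edit; a commented-out directive such as ;user nobody counts as missing, which is exactly the mistake the sample file invites.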

Step 7: Enable IP Forwarding

  1. Edit the sysctl.conf file:

     sudo nano /etc/sysctl.conf

  2. Uncomment the following line to enable IP forwarding:

     net.ipv4.ip_forward = 1

  3. Apply the changes:

     sudo sysctl -p

Step 8: Configure UFW (Uncomplicated Firewall)

  1. Allow traffic through the OpenVPN port (default 1194):

     sudo ufw allow 1194/udp

  2. Allow forwarding for OpenVPN. Edit the /etc/ufw/before.rules file:

     sudo nav /etc/ufw/before.rules

     Add the following lines at the top of the file, right after the header comments. The source network is the one the sample server.conf hands out to clients (server 10.8.0.0 255.255.255.0), so the rule is limited to that /24 rather than all of 10.0.0.0/8; replace eth0 with the name of your server's public interface (ip route show default prints it):

     *nat
     :POSTROUTING ACCEPT [0:0]
     -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
     COMMIT

     Edit the /etc/default/ufw file:

     sudo nano /etc/default/ufw

     Change the DEFAULT_FORWARD_POLICY to ACCEPT:

     DEFAULT_FORWARD_POLICY="ACCEPT"

  3. Reload UFW to apply the changes:

     sudo ufw reload

Step 9: Start and Enable OpenVPN

Start the OpenVPN service and enable it to start on boot:

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Confirm it came up with sudo systemctl status openvpn@server; a running server also shows a tun0 interface with the 10.8.0.1 address in ip addr, and any certificate or configuration error is logged by journalctl -u openvpn@server.

Step 10: Generate Client Certificates and Configuration

  1. Generate a client certificate and key:

     cd ~/openvpn-ca
     ./easyrsa build-client-full client1 nopass

  2. Create a client configuration file:

     nano ~/client1.ovpn

     Add the following content, modifying the remote directive to match your server's public IP or domain. Each placeholder comment stands for the full contents of the named file (ca.crt is at pki/ca.crt, client1.crt at pki/issued/client1.crt, client1.key at pki/private/client1.key, and ta.key in the CA directory), including their BEGIN and END lines:

     client
     dev tun
     proto udp
     remote your_server_ip 1194
     resolv-retry infinite
     nobind
     persist-key
     persist-tun
     remote-cert-tls server
     cipher AES-256-CBC
     auth SHA256
     key-direction 1
     <ca>
     -----BEGIN CERTIFICATE-----
     # Insert the contents of the ca.crt file here
     -----END CERTIFICATE-----
     </ca>
     <cert>
     -----BEGIN CERTIFICATE-----
     # Insert the contents of the client1.crt file here
     -----END CERTIFICATE-----
     </cert>
     <key>
     -----BEGIN PRIVATE KEY-----
     # Insert the contents of the client1.key file here
     -----END PRIVATE KEY-----
     </key>
     <tls-auth>
     -----BEGIN OpenVPN Static key V1-----
     # Insert the contents of the ta.key file here
     -----END OpenVPN Static key V1-----
     </tls-auth>
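Pasting four PEM blocks by hand is where most broken client profiles come from, so here is an added example (not from the original guide) that assembles the same client1.ovpn from the files on disk. It assumes the Easy-RSA 3 layout created in Step 3 (pki/ under ~/openvpn-ca) and the ta.key written there in Step 5; build_client_ovpn is this example's own name. The output file holds the client's private key, so it is created with mode 0600.

```shell
#!/bin/sh
# Added example, not part of the original guide: assemble a client .ovpn with
# the CA certificate, client certificate, client key and ta.key embedded inline
# instead of pasting them into the <ca>/<cert>/<key>/<tls-auth> blocks by hand.
# Assumes the Easy-RSA 3 layout from Step 3 (pki/ under the CA directory) and
# the ta.key from Step 5; build_client_ovpn is this example's own name.

# build_client_ovpn NAME SERVER_HOST CA_DIR OUT_FILE
build_client_ovpn() {
    name="$1"; host="$2"; cadir="$3"; out="$4"
    ca="$cadir/pki/ca.crt"
    cert="$cadir/pki/issued/$name.crt"
    key="$cadir/pki/private/$name.key"
    ta="$cadir/ta.key"
    # Refuse to write a half-built profile if any input is missing.
    for f in "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "build_client_ovpn: cannot read $f" >&2; return 1; }
    done
    # The output holds a private key: create it mode 0600. umask is set in a
    # subshell so the caller's umask is left untouched.
    (
        umask 077
        {
            cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
EOF
            echo '<ca>';   cat "$ca";   echo '</ca>'
            # Easy-RSA prefixes issued certificates with a text dump of the
            # certificate; only the PEM block is needed, so copy just that.
            echo '<cert>'
            sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$cert"
            echo '</cert>'
            echo '<key>';      cat "$key"; echo '</key>'
            echo '<tls-auth>'; cat "$ta";  echo '</tls-auth>'
        } > "$out"
    )
}

# Usage: build_client_ovpn client1 vpn.example.com ~/openvpn-ca ~/client1.ovpn
```

Run it from the account that owns ~/openvpn-ca; the resulting file is self-contained, so the client device needs nothing but this one file.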

Step 11: Connect to the VPN

Transfer the client configuration file (client1.ovpn) to your client device securely: it embeds the client's private key and the tls-auth key, so use an encrypted channel such as scp rather than e-mail or a shared folder, and delete the copy on the server once it has been delivered. Then use the OpenVPN client software to import the configuration and connect to your VPN server.