Configure OpenVPN in Ubuntu
A real virtual private network or Virtual Private Network (VPN) is an encrypted tunnel connected between two networks that connects two trusted points. This is not a web Protocol HTTPS, which is trusted by all clients. To VPN can connect only those customers who have special access keys.
The concept of VPN in our days has become very stretched after the appearance of virtual private networks that are trusted by all and HTTPS distribution. Many of the VPN represent commercial solutions with a minimal number of settings to provide remote access to employees. But not all trust these solutions. Virtual private network connects two networks, for example an office network and a home network of the employee. The VPN server is needed to the server and the client authenticate each other.
Setting up authentication of client and server requires a lot of work, and therefore commercial decisions with minimum settings lose in this regard. But it’s actually not that hard to install OpenVPN server. You will need two nodes in different networks to organize a test environment, for example, you can use several virtual machines or real servers. As you already understood, this article will consider the setup of OpenVPN on Ubuntu to create a complete private virtual network.
Install OpenVPN
On both machines should be installed OpenVPN, it’s a pretty popular program, so you can install it from the official repositories. Also, we need Easy-RSA to work with secret keys. To install programs in Ubuntu use the following command:
sudo apt install openvpn easy-rsa
Both packages must be installed on the server and on the client. They will need to configure the program. The first step in installing and configuring openvpn is completed.
Configuring a certification authority
The first thing to do is to create the right infrastructure for public keys on the server. Server we believe the machine to which users connect. Own certification authority provides several benefits, you will have your own certification authority, which will simplify the key distribution and management. For example, you can revoke the client certificate on the server. Also now you do not need to store all the client certificates that the CA will be enough to know that the certificate is signed by a CA. In addition to a complex system of keys, you can use static keys if you want to provide access to only a few people.
Please note that all secret keys must be located in a safe place. In the OpenVPN public key is called a certificate and has the extension .crt and the private key is called the key, and its extension – .key.
First create a folder to store certificates with Easy-RSA. In fact, the OpenVPN configuration is manual, so the folder can be placed anywhere:
sudo mkdir /etc/openvpn/easy-rsa
Then copy to this folder all the necessary scripts easy-rsa:
sudo cp-R /usr/share/easy-rsa /etc/openvpn/
Next we need to create the CA in this folder. To do this, go into it and run the following commands:
cd /etc/openvpn/easy-rsa/
sudo-i
# source ./vars
# ./clear-all
# ./build-ca
The first command we switched to console as root, the second is loaded the environment variables from a file ./vars. The team ./clear-all keys creates a folder if it is not and clears its contents. And the last command initialisere our certification. Now in the folder .keys had all the necessary keys:
Configuring client certificates
Then you need to repeat the procedure to copy control scripts RSA, as we did on the server:
sudo cp-R /usr/share/easy-rsa /etc/openvpn/
Now we need to copy the certificate file with the extension .crt in folder /etc/openvpn on all clients. For example, download this file to our client using scp:
sudo scp пользователь@хост:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys
Only now you can create your secret key on the basis of the CA certificate:
cd /etc/openvpn/easy-rsa/
sudo-i
# source ./vars
# build-req Sergiy
Please note that ca.crt should be in the folder with the keys, otherwise it won’t work. Now tool will create the key based on which you will be able to connect to the OpenVPN server, but you still have to sign it on the server. Send received .csr file on the server using the same scp:
scp /etc/openvpn/easy-rsa/keys/Sergiy.csr [email protected]:~/
Then on the server in the folder /etc/openvpn/easy-rsa need to run the command-signing certificate:
./sign-req ~/Sergiy
The signature of the certificate must be confirmed. Then the program will report that it was signed and added to the database. In a folder with a certificate csr file appears .crt, which should be returned back to the client machine:
sudo scp пльзователь@хост:/home/Sergiy.crt /etc/openvpn/easy-rsa/keys
Only after that server and client have all the necessary keys to connect and communicate. There are still several settings. If you plan to use TLS encryption, you must create on the server a dataset Diffie-Huffman, use this command:
./build-dh
Next we will see the configuration for OpenVPN server and client, there are very few to get a working configuration.
Configuring OpenVPN
Now configure the OpenVPN server. The default folder configuration files, OpenVPN nothing. They need to create their own depending on what you plan to configure the server or client. Need a configuration file for OpenVPN can be found at /usr/share/doc/openvpn/examples/sample-config-files/. First, create a configuration file for the server:
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Here you need to configure several settings:
port and proto port and Protocol on which the program will work;
port 1194
proto udp
All the generated keys need to be set in the configuration file. Our keys are stored at /etc/openvpn/easy-rsa/keys:
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/ca.crt
key /etc/openvpn/easy-rsa/keys/ca.key
dh /etc/openvpn/easy-rsa/keys/dh.pem
Configurable address range for the virtual network, our server will be available on the first of them – 10.8.0.1:
server 10.8.0.0 255.255.255.0
Once setup is complete, save the changes to the file, you can either paste the whole configuration yourself, or edit the sample file. Working server config:
port 1194
proto udp
comp-lzo
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/ca.crt
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
Setup the OpenVPN server is completed. Then you need to run the OpenVPN server. This can be done directly from the command line, simply specify the address of the configuration file:
openvpn /etc/openvpn/server.conf
Next we need to configure the client computer. You can similarly copy the configuration file from the directory examples, only this time it is not necessary to unpack:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.conf
You can create multiple configuration files client to connect to different servers. Open the configuration file and change it the following parameters:
remote – address is your OpenVPN server, address and port must match the settings configured on the server, for example:
remote 194.67.215.125 1194
ca – key you received from the CA, we placed it in the folder /etc/openvpn/.
cert and key is the public key and the secret key of the client using them, and you’ll connect to the server. As you remember, we saved them in the folder /etc/openvpn/easy-rsa/keys/.
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Sergiy.crt
key /etc/openvpn/easy-rsa/keys/Sergiy.key
All other settings can be left as is. Here is the configuration file entirely, which you can copy:
client
dev tun
proto udp
remote 194.67.215.125 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Sergiy.crt
key /etc/openvpn/easy-rsa/keys/Sergiy.key
tls-auth ta.key 1
comp-lzo
verb 3
Save the settings, now the client is ready to connect. Please note that configuration files should be the same, a lack of certain options in one of the files could cause errors. This does not mean that the files are identical, but the basic settings openvpn should be the same. You have to run OpenVPN on this machine using this configuration file:
openvpn /etc/openvpn/client.conf
Ready, now all works, if you run ifconfig, you’ll see that has been added to the tun0 interface:
ifconfig
You can also try to ping the address 10.8.0.1, this is the address we set up for our OpenVPN server, the ping packet will normally go. If the packets are not coming, or something is not working, note the output of both programs, there may be any errors or warnings, also make sure that the server firewall allows access from the outside on udp port 1194. You can still run the server or client by setting the config verbosity to the max once 9. Very often it helps to understand why something is not working. But you still can’t send traffic through the tunnel. For this you need to enable forwarding and add a few iptables rules. First, allow the transit of packages on the server:
sysctl -w net.ipv4.ip_forward=1
Then add these rules. Allow anyone to connect to our server:
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
Allow users OpenVPN access Internet:
iptables-I FORWARD -i tun0 -o eth0 -j ACCEPT
# iptables-I FORWARD-i eth0 -o tun0 -j ACCEPT
# iptables-t nat -A POSTROUTING -o eth0 -j MASQUERADE
Insights
In this article, we discussed how to install and configure OpenVPN in Ubuntu and how to configure openvpn to work with the authentication key. Organization of private virtual networks can be very useful not only in organizations but also for example to exchange data between your two computers, or to increase security in the network.
