How To Setup OpenVPN Server In 5 Minutes on Ubuntu Server

I

am a new Ubuntu Linux server user. How do I setup an OpenVPN Server on Ubuntu Linux version 14.04 or 16.04 LTS server to shield my browsing activity from bad guys on public Wi-Fi, and more?

 

OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is an open source software and distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as wifi network at the airport or hotel. VPN is also required to access your corporate or enterprise or home server resources. You can bypass geo-blocked site and increase your privacy or safety online.

This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Ubuntu Linux v14.04/16.04 LTS version including ufw/iptables firewall configuration. The steps are as follows:

Find and note down your public IP address

Download openvpn-install.sh script

Run openvpn-install.sh to install OpenVPN server

Connect an OpenVPN server using IOS/Android/Linux/Windows client

Verify your connectivity

Find your public IP address

Use any one of the following command to find out your IPv4 public address. If your internface name is eth0 or eth1, enter:

$ ip addr show eth0

 

OR

$ ip addr show eth1

 

Or use the host command or dig command as follows:

$ host myip.opendns.com resolver1.opendns.com

 

OR

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

 

Sample outputs:

Fig.01: Find out your public IPv4 address using the CLI

 

Note down the public IP address 139.59.1.155 i.e. public ip address of your OpenVPN server.

Download openvpn-install.sh script

Type the following command:

$ wget https://git.io/vpn -O openvpn-install.sh

 

Sample outputs:

–2016-06-27 07:30:25–  https://git.io/vpn

Resolving git.io (git.io)… 23.23.173.104, 54.243.161.116, 23.23.111.66

Connecting to git.io (git.io)|23.23.173.104|:443… connected.

HTTP request sent, awaiting response… 302 Found

Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]

–2016-06-27 07:30:26–  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh

Resolving raw.github.com (raw.github.com)… 151.101.100.133

Connecting to raw.github.com (raw.github.com)|151.101.100.133|:443… connected.

HTTP request sent, awaiting response… 301 Moved Permanently

Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]

–2016-06-27 07:30:27–  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh

Resolving raw.githubusercontent.com (raw.githubusercontent.com)… 151.101.100.133

Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.100.133|:443… connected.

HTTP request sent, awaiting response… 200 OK

Length: 13340 (13K) [text/plain]

Saving to: ‘openvpn-install.sh’

 

openvpn-install.sh            100%[==============================================>]  13.03K  80.9KB/s    in 0.2s

 

2016-06-27 07:30:28 (80.9 KB/s) – ‘openvpn-install.sh’ saved [13340/13340]

Run openvpn-install.sh to install OpenVPN server

Type the following command:

$ sudo bash openvpn-install.sh

 

When prompted set IP address to 139.59.1.155 and Port to 1194. Use Google or OpenDNS DNS servers with the vpn. Next, type client name (such as iPhone, Nexus6, LinuxRouter etc). Finally, press [Enter] key to install and setup OpenVPN on your system:

Fig.02: Setting up OpenVPN server on an Ubuntu Linux server v16.04 LTS

 

The script will now generate keys, DH parameters and more as follows:

Okay, that was all I needed. We are ready to setup your OpenVPN server now

Press any key to continue…

Get:1 http://security.ubuntu.com

……

..

–2016-06-27 17:10:38–  https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz

Resolving github.com (github.com)… 192.30.252.120

Connecting to github.com (github.com)|192.30.252.120|:443… connected.

HTTP request sent, awaiting response… 302 Found

Location: https://github-cloud.s3.amazonaws.com/releases/4519663/9dab10e8-7b6a-11e5-91af-0660987e9192.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160627T114040Z&X-Amz-Expires=300&X-Amz-Signature=717ae4f606d1999b4c7c164ae06d163c494197f04aafffa9f760a8e0bf136136&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.1.tgz&response-content-type=application%2Foctet-stream [following]

–2016-06-27 17:10:40–  https://github-cloud.s3.amazonaws.com/releases/4519663/9dab10e8-7b6a-11e5-91af-0660987e9192.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160627T114040Z&X-Amz-Expires=300&X-Amz-Signature=717ae4f606d1999b4c7c164ae06d163c494197f04aafffa9f760a8e0bf136136&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.1.tgz&response-content-type=application%2Foctet-stream

Resolving github-cloud.s3.amazonaws.com (github-cloud.s3.amazonaws.com)… 54.231.72.3

Connecting to github-cloud.s3.amazonaws.com (github-cloud.s3.amazonaws.com)|54.231.72.3|:443… connected.

HTTP request sent, awaiting response… 200 OK

Length: 40960 (40K) [application/octet-stream]

Saving to: ‘/root/EasyRSA-3.0.1.tgz’

 

/root/EasyRSA-3.0.1.tgz       100%[================================================>]  40.00K  38.8KB/s   in 1.0s

 

2016-06-27 17:10:43 (38.8 KB/s) – ‘/root/EasyRSA-3.0.1.tgz’ saved [40960/40960]

 

 

init-pki complete; you may now create a CA or requests.

Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Generating a 2048 bit RSA private key

……..+++

…………………………………………………………………………………..+++

writing new private key to  /etc/openvpn/easy-rsa/pki/private/ca.key.BjRh5frdDd


Generating DH parameters, 2048 bit long safe prime, generator 2

This is going to take a long time

….+…..+……………………………………………………………………..+………………………………………………………………………………………………………………………………………………+………………………………..

..

…………………………………………………………………………………………………..+……………………………………………………………………………………………………………………….+……………………………+………………………………………………+…++*++*

 

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

 

Generating a 2048 bit RSA private key

……………………………………………………………..+++

…………………………………………..+++

writing new private key to  /etc/openvpn/easy-rsa/pki/private/server.key.9ieuluTC2R


Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

Check that the request matches the signature

Signature ok

The Subject s Distinguished Name is as follows

commonName            :ASN.1 12: server

Certificate is to be certified until Jun 25 11:55:48 2026 GMT (3650 days)

 

Write out database with 1 new entries

Data Base Updated

Generating a 2048 bit RSA private key

………+++

………+++

writing new private key to  /etc/openvpn/easy-rsa/pki/private/iphone.key.lokNfOiobc


Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

Check that the request matches the signature

Signature ok

The Subject s Distinguished Name is as follows

commonName            :ASN.1 12: iphone

Certificate is to be certified until Jun 25 11:55:48 2026 GMT (3650 days)

 

Write out database with 1 new entries

Data Base Updated

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

 

An updated CRL has been created.

CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

 

244

 

Looks like your server is behind a NAT!

 

If your server is NATed (e.g. LowEndSpirit), I need to know the external IP

If that s not the case, just ignore this and leave the next field blank

External IP:

That is all. Your OpenVPN server has been configured and ready to use. You can see added firewall rules /etc/rc.local file:

$ cat /etc/rc.local

 

Sample outputs:

iptables -I FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT

iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT

iptables -I INPUT -p udp –dport 1194 -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT –to 139.59.1.155

You can view your openvpn server config file generated by the script as follows (do not edit this file by hand):

$ sudo more /etc/openvpn/server.conf

$ sudo vi /etc/openvpn/server.conf

 

Sample outputs:

port 1194

proto udp

dev tun

sndbuf 0

rcvbuf 0

ca ca.crt

cert server.crt

key server.key

dh dh.pem

tls-auth ta.key 0

topology subnet

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push  redirect-gateway def1 bypass-dhcp

push  dhcp-option DNS 8.8.8.8

push  dhcp-option DNS 8.8.4.4

keepalive 10 120

cipher AES-128-CBC

comp-lzo

user nobody

group nogroup

persist-key

persist-tun

status openvpn-status.log

verb 3

crl-verify crl.pem

How do I start/stop/restart OpenVPN server on Ubuntu Linux 16.04 LTS?

Type the following command stop the OpenVPN service:

$ sudo systemctl stop openvpn@server

 

Type the following command start the OpenVPN service:

$ sudo systemctl start openvpn@server

 

Type the following command restart the OpenVPN service:

$ sudo systemctl restart openvpn@server

How do I start/stop/restart OpenVPN server on Ubuntu Linux 14.04 LTS?

Type the following command stop the OpenVPN service:

$ sudo /etc/init.d/openvpn stop

 

Type the following command start the OpenVPN service:

$ sudo /etc/init.d/openvpn start

 

Type the following command restart the OpenVPN service:

$ sudo /etc/init.d/openvpn restart

{Optional} How to configure and use the ufw firewall rules for the OpenVPN server

The default rules added to the /etc/rc.local file should work out of the box. However, if you have complicated firewall settings or prefer ufw to control all firewall settings on Ubuntu Linux server, try the following. First, edit the /etc/rc.local file using a text editor and comment out all firewall rules added by the script. Type the following ufw command to open port 1194 and 22 (ssh):

$ sudo ufw allow 1194/udp

$ sudo ufw allow 22/tcp

 

Edit the file /etc/ufw/before.rules, enter:

$ sudo vi /etc/ufw/before.rules

 

At top of the file add the following rules:

# START OPENVPN RULES by vg

# NAT table rules

*nat

:POSTROUTING ACCEPT [0:0]

#****************************************[README]*****************************************************#

# Allow traffic from OpenVPN client to 139.59.1.155. Replace 139.59.1.155 with your actual IP address*#

#****************************************[README]*****************************************************#

-A POSTROUTING -s 10.8.0.0/24 -j SNAT –to-source  139.59.1.155

COMMIT

# END OPENVPN RULES by vg

Next scroll down and find the comment that read s follows

# ok icmp code for FORWARD

Append the following rules:

#OpenVPN Forward by vg

-A ufw-before-forward -m state –state RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT

-A ufw-before-forward -i tun+ -j ACCEPT

-A ufw-before-forward -i tap+ -j ACCEPT

#OpenVPN END by vg

Save and close the file. Next edit the /etc/ufw/sysctl.conf file, enter:

$ sudo vi /etc/ufw/sysctl.conf

 

Find and uncomment the following line to allow this host to route packets between interfaces

net/ipv4/ip_forward=1

 

Save and close the file. Enable ufw or reload if already running:

$ sudo ufw enable

 

OR

$ sudo ufw reload

 

Verify new firewall rules:

$ sudo ufw status

$ sudo iptables -t nat -L -n -v

$ sudo iptables -L FORWARD -n -v

$ sudo iptables -L ufw-before-forward -n -v

Client configuration

On server your will find a client configuration file called ~/iphone.ovpn. All you have to do is copy this file to your local desktop using the scp and provide this file to your OpenVPN client to connect:

$ scp vivek@139.59.1.155:~/iphone.ovpn .

 

Next, you need to download OpenVPN client as per your operating system:

Download OpenVPN client for Apple IOS version 6.x or above and install it.

Download OpenVPN client for Android and install it.

Download OpenVPN client for Apple MacOS (OS X) and install it.

Download OpenVPN client for Windows 8/10 and install it.

MacOS/OS X OpenVPN client configuration

Just double click on iphone.ovpn file and it will open in your tunnelblick client > Click on the “Only me” to install it.

Fig.03: MacOS / OS X openvpn client configuration

 

Once installed click on Connect button and you will be online. Use the following command on MacOS client to verify that your public IP changed to the VPN server IP:

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

 

You can ping to OpenVPN server private IP:

$ ping 10.8.0.1

Linux OpenVPN client configuration

First, install the openvpn client, enter:

$ sudo yum install openvpn

 

OR

$ sudo apt install openvpn

 

Next, copy iphone.ovpn as follows:

$ sudo cp iphone.ovpn /etc/openvpn/client.conf

 

Test connectivity from the CLI:

$ sudo openvpn –client –config /etc/openvpn/client.conf

 

Your Linux system will automatically connect when computer restart using /etc/init.d/openvpn script:

$ sudo /etc/init.d/openvpn start

 

For systemd based system, use the following command:

$ sudo systemctl start openvpn@client

 

Test the connectivity:

$ ping 10.8.0.1 #Ping to OpenVPN server gateway

$ ip route #Make sure routing setup

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Make sure your public IP set to OpenVPN server

FreeBSD OpenVPN client configuration

First, install the openvpn client, enter:

$ sudo pkg install openvpn

 

Next, copy iphone.ovpn as follows:

$ mkdir -p /usr/local/etc/openvpn/

$ sudo cp iphone.ovpn /usr/local/etc/openvpn/client.conf

 

Edit /etc/rc.conf and add the following:

openvpn_enable= YES

openvpn_configfile= /usr/local/etc/openvpn/client.conf

Start the OpenVPN service:

$ sudo /usr/local/etc/rc.d/openvpn start

 

Verify it:

$ ping 10.8.0.1 #Ping to OpenVPN server gateway

$

$ netstat -nr #Make sure routing setup

$

$ drill myip.opendns.com @resolver1.opendns.com #Make sure your public IP set to OpenVPN server

How do I add a new client?

For demo purpose I added a new device called iphone. Let us add one more device called googlephone by running the script again:

$ sudo bash openvpn-install.sh

 

Sample outputs:

Looks like OpenVPN is already installed

 

What do you want to do?

1) Add a cert for a new user

2) Revoke existing user cert

3) Remove OpenVPN

4) Exit

Select an option [1-4]:

Select option 1 and type googlephone as a client name:

Tell me a name for the client cert

Please, use one word only, no special characters

Client name: googlephone

Generating a 2048 bit RSA private key

………+++

…………………………………………………………………………………….+++

writing new private key to  /etc/openvpn/easy-rsa/pki/private/googlephone.key.FNaDMaP56c


Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

Check that the request matches the signature

Signature ok

The Subject s Distinguished Name is as follows

commonName            :ASN.1 12: googlephone

Certificate is to be certified until Sep 25 07:31:46 2027 GMT (3650 days)

 

Write out database with 1 new entries

Data Base Updated

 

Client googlephone added, certs available at ~/googlephone.ovpn

Now you can use googlephone.ovpn with Google Android phone. You can add as many users you want using this method.

How do I delete/revoke existing user certificate?

Run the script:

$ sudo bash openvpn-install.sh

 

Sample outputs:

Looks like OpenVPN is already installed

 

What do you want to do?

1) Add a cert for a new user

2) Revoke existing user cert

3) Remove OpenVPN

4) Exit

Select an option [1-4]:

Type 2 option and you will see a list of all the existing client certificate you want to revoke:

Select the existing client certificate you want to revoke

1) iphone6

2) googlephone

3) delllaptop

4) macbook

Select one client [1-4]: 2

Sample outputs when I revoked googlephone certificate:

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

Revoking Certificate 09.

Data Base Updated

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

 

An updated CRL has been created.

CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

 

 

Certificate for client googlephone revoked

References

OpenVPN project.

OpenVPN road warrior installer Linux.

And there you have it, OpenVPN server installed in five minutes to increase your privacy.

This entry is 1 of 5 in the OpenVPN Tutorial series. Keep reading the rest of the series:

How To Setup OpenVPN Server In 5 Minutes on Ubuntu Server

Install Pi-hole with an OpenVPN to block ads

How to update/upgrade Pi-hole with an OpenVPN

How to install an OpenVPN server on Debian 9/8

How to import a OpenVPN .ovpn file with Network Manager

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *