How to Install and configure OpenVPN on Ubuntu 14.04 LTS


Introduction

This How-To will cover the process of installing OpenVPN Community Edition on a 64-bit Ubuntu 14.04 LTS server. All commands are entered from a terminal and root level permissions are assumed.

In this tutorial I will cover the installation and configuration of OpenVPN, the generation of the certificate authority and server-side certificates, as well as the generation of client certificates and the simplification and build of ovpn profiles using client keys and certificates.
When editing text files I use the vim text editor, but you may use whichever text editor you prefer to accomplish the task (vi, nano, emacs, etc.). When I refer to uncommenting a line in a file, I mean deleting the ";" or "#" character at the beginning of that line.

Steps (19 total)

1

Install the OpenVPN and easy-rsa packages

sudo apt-get update && sudo apt-get install openvpn easy-rsa
2

Decompress and copy the sample server configuration file to the openvpn etc directory

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
3

Edit the server configuration file and make the following changes

Change the line: dh dh1024.pem
to: dh dh2048.pem
Uncomment: push "redirect-gateway def1 bypass-dhcp"
Uncomment: push "dhcp-option DNS 208.67.222.222"
Uncomment: push "dhcp-option DNS 208.67.220.220"
Uncomment: user nobody
Uncomment: group nogroup
4

Enable IPv4 Forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward
5

Edit sysctl.conf so that IPv4 forwarding stays enabled after a reboot

vim /etc/sysctl.conf
Uncomment: net.ipv4.ip_forward=1
6

Configure Uncomplicated Firewall for OpenVPN access

ufw allow ssh
ufw allow 1194/udp
vim /etc/default/ufw
Change: DEFAULT_FORWARD_POLICY="DROP"
To: DEFAULT_FORWARD_POLICY="ACCEPT"
vim /etc/ufw/before.rules
Add the following directly below the "rules.before" section found at the top of the document:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from the OpenVPN client subnet out through eth0.
# 10.8.0.0/24 is the subnet the sample server.conf hands out; a wider mask
# such as /8 would also masquerade unrelated 10.x.x.x traffic. Replace
# eth0 with the name of your outbound interface if it differs.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
7

Enable the new Uncomplicated Firewall configuration

ufw enable (Answer yes to the prompt)
ufw status (Verify configuration changes were passed)
8

Make a copy of the default easy-rsa directory under the openvpn default directory

cp -r /usr/share/easy-rsa /etc/openvpn
9

Create a directory to store your keys

mkdir /etc/openvpn/easy-rsa/keys
10

Edit the easy-rsa variable file and supply the appropriate information

vim /etc/openvpn/easy-rsa/vars
*Supply the appropriate information on the lines referencing COUNTRY, PROVINCE, CITY, ORG, EMAIL, and OU variables.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="Big City"
export KEY_ORG="Company Name"
export KEY_EMAIL="frank@frijoles.com"
export KEY_OU="OrganizationalUnit"
*Set the key name to "server"
export KEY_NAME="server"
11

Generate the Diffie-Hellman parameters referenced by server.conf (the dh dh2048.pem line from step 3)

openssl dhparam -out /etc/openvpn/dh2048.pem 2048
12

Move into the easy-rsa directory and initialize the PKI using the previously edited vars file

cd /etc/openvpn/easy-rsa && . ./vars
13

Clear the working directory (/etc/openvpn/easy-rsa/keys) and build the Certificate Authority

./clean-all && ./build-ca
14

Build the server keys and certificate

./build-key-server server
*Confirm all values previously entered in the "vars" file, and answer "y" to sign and commit.
15

Copy the newly created certificates and key to the OpenVPN directory and restart the OpenVPN service

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
service openvpn restart
16

Generate client certificates and keys

cd /etc/openvpn/easy-rsa
./build-key client1
*Verify the values and answer "y" twice to sign and commit the certificate
17

Use the newly created client certificate and key to build a client OVPN profile

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
vim /etc/openvpn/easy-rsa/keys/client.ovpn
Change: remote <server ip address> 1194
Uncomment: user nobody
Uncomment: group nogroup
Comment Out: #ca ca.crt
Comment Out: #cert client.crt
Comment Out: #key client.key
*At the bottom of the file add the following fields:
<ca>
(insert contents of ca.crt here)
</ca>
<cert>
(insert contents of client1.crt here)
</cert>
<key>
(insert contents of client1.key here)
</key>
18

Move the OVPN file to a client and import

Securely transfer the newly created client.ovpn profile to a device you wish to connect to the VPN. Install the appropriate OpenVPN application on the device and import the OVPN profile.
Connect!
19

**OPTIONAL** Build a script to automate the creation of client OVPN profiles

Build a script (or use the one linked... :-D ) to automate the process of client certificate/key creation and ovpn profile compilation. Please see the comments at the top of my script for further information.
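As an added example (not the author's linked script and not part of the original page), here is a POSIX shell function that performs the step-17 edits on a copy of the sample client.conf and appends the inline ca/cert/key blocks, with a demo that runs it on constructed placeholder files. The template contents, the client name "client1" and the address 203.0.113.10 are assumptions for the demo only.

```shell
#!/bin/sh
# build_ovpn: turn the manual edits of step 17 into a reusable function so
# one client profile can be built per certificate produced in step 16.
# Usage: build_ovpn TEMPLATE KEYS_DIR CLIENT SERVER_ADDR OUT_FILE
build_ovpn() {
    template=$1 keys=$2 client=$3 server=$4 out=$5
    for f in "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    # Point the profile at the server, drop privileges after connecting, and
    # comment out the file references so the inline blocks below are used.
    sed -e "s/^remote .*/remote $server 1194/" \
        -e 's/^;user nobody/user nobody/' \
        -e 's/^;group nogroup/group nogroup/' \
        -e 's/^ca ca\.crt/#ca ca.crt/' \
        -e 's/^cert client\.crt/#cert client.crt/' \
        -e 's/^key client\.key/#key client.key/' "$template" > "$out" || return 1
    {
        printf '<ca>\n';   cat "$keys/ca.crt";      printf '</ca>\n'
        printf '<cert>\n'; cat "$keys/$client.crt"; printf '</cert>\n'
        printf '<key>\n';  cat "$keys/$client.key"; printf '</key>\n'
    } >> "$out"
    chmod 600 "$out"   # the profile now embeds a private key
}

# Writes a constructed placeholder PEM file (not a real credential) so the
# demo below runs offline without an easy-rsa PKI.
fake_pem() {
    printf '%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----" > "$3"
}

# demo: builds a profile for "client1" from a constructed client.conf
# template in a temp directory and prints the path of the resulting file.
demo() {
    d=$(mktemp -d) && mkdir "$d/keys" || return 1
    printf '%s\n' client 'remote my-server-1 1194' ';user nobody' \
        ';group nogroup' 'ca ca.crt' 'cert client.crt' 'key client.key' \
        > "$d/client.conf"
    fake_pem CERTIFICATE FAKECA   "$d/keys/ca.crt"
    fake_pem CERTIFICATE FAKECERT "$d/keys/client1.crt"
    fake_pem 'PRIVATE KEY' FAKEKEY "$d/keys/client1.key"
    build_ovpn "$d/client.conf" "$d/keys" client1 203.0.113.10 \
        "$d/client1.ovpn" && echo "$d/client1.ovpn"
}
```

On a real server, call build_ovpn with /usr/share/doc/openvpn/examples/sample-config-files/client.conf, /etc/openvpn/easy-rsa/keys and the client name you passed to ./build-key.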

Conclusion

That's it! You've got a basic VPN setup using OpenVPN. Assuming you have a static IP or dynamic DNS configured, you should be able to securely connect to your local network.
This How-To is, in many ways, a condensed version of the information provided in the Digital Ocean tutorial referenced below. If you want a more thorough explanation of many of the steps above, please visit the referenced link.
