Setup OpenVPN on Ubuntu 18.04 Server



VPN access is the best way to reach your server over a secure connection. You can access it from anywhere without worrying about Internet security issues. You can also use it as a secure path to the Internet: you may connect through a free Wi-Fi access point, but through an encrypted tunnel, so that local attackers cannot spy on your passwords and online transactions.

Install the packages

Let’s install the required OpenVPN packages.

sudo apt-get update
sudo apt-get install openvpn easy-rsa

First we will create a certificate authority (CA) for our new VPN. Create a template folder in our home directory with the following command:

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

To customize our CA, we must edit the vars file in the newly created directory:

nano vars

Towards the bottom of the file, look for the settings that define the field defaults for new certificates.
Edit the values as you wish, but do not leave any of them blank:

~/openvpn-ca/vars
. . .
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York City"
export KEY_ORG="DigitalOcean"
export KEY_EMAIL="admin@example.com"
export KEY_OU="Community"

...

export KEY_NAME="server"

Now we can use the variables we set and the easy-rsa utilities to build our certificate authority. Make sure you are in the openvpn-ca directory, then source the vars file you just edited:

cd ~/openvpn-ca
source vars
...
Output
...
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys

Ubuntu 18.04 requires an openssl.cnf file. The ~/openvpn-ca folder contains three templates for that file; copy the 1.0.0 template as openssl.cnf:

cp openssl-1.0.0.cnf openssl.cnf

Make sure you start from a clean environment, then build your own CA:

./clean-all

./build-ca

This starts the process of creating the root certificate authority key and certificate. Since we filled in the vars file, all values should be filled in automatically; simply press Enter at each prompt to confirm the defaults.

Output
Generating a 2048 bit RSA private key
..........................................................................................+++
...............................+++
writing new private key to 'ca.key'

Now we have a CA that can be used to create the rest of the files we need. Generate the server certificate and key:

./build-key-server server

Do not enter a challenge password for this configuration. At the end, you will have to answer “yes” to the two questions to sign and commit the certificate.

Next, we need to generate some other elements. Generate strong Diffie-Hellman parameters (the dh2048.pem file) to use during key exchange:

./build-dh

Then generate an HMAC key (ta.key) to strengthen the server’s TLS integrity verification:

openvpn --genkey --secret keys/ta.key

Next, we generate a client certificate and key pair. Although this could be done on the client machine and then signed by the server’s CA, in this guide the key is generated and signed on the server for simplicity.

We generate a single user key and certificate for this guide, but if you have more than one user you can repeat this process as many times as needed, passing a unique name to the script for each client.

To generate credentials without a passphrase, which helps with automated connections, use the build-key command like this:

cd ~/openvpn-ca
source vars
./build-key client1

Next, we can start setting up the OpenVPN service using the credentials and files we have generated. To start, we need to copy some files into the /etc/openvpn configuration directory.

We begin with the files we just generated, which were placed in the ~/openvpn-ca/keys directory. We need to copy the CA certificate and key, the server certificate and key, the HMAC key, and the Diffie-Hellman file:

cd ~/openvpn-ca/keys
sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem  /etc/openvpn

Next, we need to copy and unpack an OpenVPN template configuration file into the configuration directory, so we can use it as a base for our configuration:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Now that our files are in the right place, we can change the server configuration file:

sudo nano /etc/openvpn/server.conf

First, find the HMAC section by looking for the tls-auth directive. Remove the “;” to uncomment the tls-auth line. Below it, add the key-direction parameter set to “0”:

/etc/openvpn/server.conf
tls-auth ta.key 0 # This file is secret
key-direction 0

Next, find the cryptographic cipher section by looking for the commented cipher lines. The AES-128-CBC cipher offers a good level of encryption and is well supported. Remove the “;” to uncomment the AES-128-CBC cipher line:

cipher AES-128-CBC

Below this line, add an auth line to select the HMAC message digest algorithm. SHA256 is a good option:

auth SHA256

Finally, look for the user and group settings and remove the “;” at the beginning of each line:

user nobody
group nogroup

Push DNS Changes to Redirect All Traffic Through the VPN


The configuration so far creates the VPN connection between the two machines but does not force any connection to use the tunnel. If you want to use the VPN to route all your traffic, you should push the DNS settings to the client computers.
You can do this by uncommenting a few directives that configure client machines to redirect all web traffic through the VPN. Find the redirect-gateway section and remove the semicolon “;” from the beginning of the redirect-gateway line:

/etc/openvpn/server.conf
push "redirect-gateway def1 bypass-dhcp"

Just below this line you will find the dhcp-option section. Again, remove the “;” from the front of both lines to uncomment them:

/etc/openvpn/server.conf
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

This should help  clients to reconfigure their DNS settings to use the VPN tunnel as the default gateway.
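As an added example that is not part of the original post, the following POSIX shell script audits a server.conf for the directives edited in this section (tls-auth, key-direction, cipher, auth, user, group) and reports whether the optional redirect-gateway push is active. Given a path it audits that file; with no argument it runs over a constructed sample, so it can be tried before touching /etc/openvpn/server.conf. A directive only counts when its line is not commented out with “;” or “#”.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an OpenVPN server.conf
# for the directives this guide uncomments or adds. A directive counts as
# active only when its line is not commented out with ';' or '#'.

# Print the first active occurrence of directive $2 in config file $1.
active_directive() {
    grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1
}

# Check the required directives; print one line per directive and
# return 0 only if every one is present with the value this guide sets.
audit_server_conf() {
    conf="$1"
    status=0
    for spec in \
        "tls-auth:ta.key 0" \
        "key-direction:0" \
        "cipher:AES-128-CBC" \
        "auth:SHA256" \
        "user:nobody" \
        "group:nogroup"
    do
        name="${spec%%:*}"
        want="${spec#*:}"
        line=$(active_directive "$conf" "$name")
        case "$line" in
            "$name $want"*) echo "ok      $name $want" ;;
            "")             echo "MISSING $name (still commented out?)"; status=1 ;;
            *)              echo "DIFFERS $name -> $line"; status=1 ;;
        esac
    done
    # Full-tunnel push is optional in the guide: report it, do not fail on it.
    if [ -n "$(active_directive "$conf" 'push "redirect-gateway')" ]; then
        echo "ok      redirect-gateway pushed (all client traffic uses the tunnel)"
    else
        echo "note    redirect-gateway not pushed (split tunnel)"
    fi
    return "$status"
}

# Constructed sample of the relevant lines after the edits (not a real server's file).
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
;tls-auth ta.key 0 # This file is secret
tls-auth ta.key 0 # This file is secret
key-direction 0
;cipher AES-256-CBC
cipher AES-128-CBC
auth SHA256
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
EOF
}

# Audit the file named on the command line, otherwise the constructed sample.
if [ -n "$1" ]; then
    audit_server_conf "$1"
else
    sample=$(mktemp)
    write_sample_conf "$sample"
    audit_server_conf "$sample"
    rm -f "$sample"
fi
```

Run it as `sh audit_server_conf.sh /etc/openvpn/server.conf` after editing; a non-zero exit means at least one directive is still commented out or carries a different value than the one chosen above.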

Next, we need to adjust some aspects of the server’s network so that OpenVPN can correctly route the traffic.

First, we need to allow the server to forward traffic. This is essential for the functionality we want our VPN server to provide.
We can adjust this setting by editing the file /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

In the file, look for the line that sets net.ipv4.ip_forward. Remove the “#” from the beginning of the line to uncomment the setting:

/etc/sysctl.conf
net.ipv4.ip_forward=1

Save and close the file, then run the following command to apply the change:

sudo sysctl -p

Set Up a Basic Firewall

~/client-configs/base.conf
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf

If your client runs Linux and has an /etc/openvpn/update-resolv-conf file, you must uncomment these lines in the generated OpenVPN client configuration file.

Next, we will create a simple script to combine our base configuration with the relevant certificate, key and encryption files. The generated configuration will be placed in the ~/client-configs/files directory. Create and open a file called make_config.sh inside the ~/client-configs directory:

#!/bin/bash
# First argument: Client identifier
if [ -z "$1" ]; then
    echo "usage: $0 <client-name>" >&2
    exit 1
fi
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
# Concatenate the base config with each credential wrapped in its inline tag
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn

Make the file executable by typing:

chmod 700 ~/client-configs/make_config.sh

Now we can easily generate client configuration files. If you followed the guide, you created a client certificate and key named client1.crt and client1.key by running ./build-key client1. We can generate a configuration for these credentials by moving to the ~/client-configs directory and using the script we made:

cd ~/client-configs
./make_config.sh client1

If everything went fine, we should now have a client1.ovpn file in the ~/client-configs/files directory.
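Because the generated .ovpn embeds the client’s private key, it is worth checking it before it leaves the server. The following POSIX shell script is an added example, not part of the original post or the make_config.sh script above: it verifies that each inline block the script emits is opened and closed exactly once and wraps a PEM body, that key-direction 1 is present (the client-side counterpart of the server’s “tls-auth ta.key 0”; this is assumed to come from base.conf, which this page does not show in full), and that the file is readable only by its owner. With no argument it runs over a constructed sample with placeholder PEM bodies.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check a client .ovpn
# produced by make_config.sh before it is transferred. Checks that each
# inline block is opened and closed exactly once and wraps a PEM body, that
# key-direction 1 is set (client counterpart of the server's "tls-auth ta.key 0";
# assumed to come from base.conf, which this page does not show in full), and
# that the file, which embeds a private key, is not group/world readable.

# Number of lines in file $1 that are exactly the string $2.
count_lines() {
    grep -c -x -F -- "$2" "$1" || true
}

# 0 if the file's group/other permission bits are all clear, else 1.
ovpn_private_enough() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one line per check; return 0 only if every check passes.
check_ovpn() {
    ovpn="$1"
    status=0
    for tag in ca cert key tls-auth; do
        opens=$(count_lines "$ovpn" "<$tag>")
        closes=$(count_lines "$ovpn" "</$tag>")
        if [ "$opens" -ne 1 ] || [ "$closes" -ne 1 ]; then
            echo "BAD     <$tag> opened $opens time(s), closed $closes time(s)"
            status=1
        elif sed -n "/^<$tag>\$/,/^<\/$tag>\$/p" "$ovpn" | grep -q '^-----BEGIN '; then
            echo "ok      <$tag> block wraps a PEM body"
        else
            echo "BAD     <$tag> block is empty (missing file in KEY_DIR or wrong client name?)"
            status=1
        fi
    done
    if grep -q -E '^[[:space:]]*key-direction[[:space:]]+1([[:space:]]|$)' "$ovpn"; then
        echo "ok      key-direction 1"
    else
        echo "BAD     key-direction 1 missing; tls-auth will fail against a server using direction 0"
        status=1
    fi
    if ovpn_private_enough "$ovpn"; then
        echo "ok      file readable only by its owner"
    else
        echo "BAD     file is group/world readable; run: chmod 600 $ovpn"
        status=1
    fi
    return "$status"
}

# Constructed sample with placeholder PEM bodies (not real keys), shaped like
# make_config.sh output.
write_sample_ovpn() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote openvpn_server_ip 1194
key-direction 1
cipher AES-128-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
    chmod 600 "$1"
}

# Check the file named on the command line, or the constructed sample.
if [ -n "$1" ]; then
    check_ovpn "$1"
else
    sample=$(mktemp)
    write_sample_ovpn "$sample"
    check_ovpn "$sample"
    rm -f "$sample"
fi
```

Run it as `sh check_ovpn.sh ~/client-configs/files/client1.ovpn`; an empty block usually means make_config.sh was given a client name for which no .crt/.key pair exists in KEY_DIR, and the permission check catches an .ovpn that was left readable by other users on the server.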

We need to transfer the client configuration file to the corresponding device, for example your local computer or a mobile device. The exact application used for this transfer depends on your choice and on the operating system of the device, but make sure it uses SFTP (SSH File Transfer Protocol) or SCP (Secure Copy) to fetch the file from the server, so that your client’s VPN authentication files travel over an encrypted connection.

Here is an example SFTP command using our client1.ovpn file. Run it from your local computer; it places the .ovpn file in your home directory:

sftp username@openvpn_server_ip:client-configs/files/client1.ovpn ~/

Setting up the client computer

On the client machine, install the OpenVPN package:

sudo apt-get update
sudo apt-get install openvpn

Check whether your distribution includes the /etc/openvpn/update-resolv-conf script:

ls /etc/openvpn

Next, edit the OpenVPN client configuration file that you transferred:

nano client1.ovpn

If you found an update-resolv-conf file, uncomment the three lines we placed in the client configuration to adjust the DNS settings:

client1.ovpn
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Finally, establish the VPN connection from the command line by typing:

sudo openvpn client1.ovpn