Setup And Configure OpenVPN Server On Ubuntu 13.10

Introduction

OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single TCP/UDP port. OpenVPN is developed by James Yonan of OpenVPN Technologies.

Install OpenVPN Software

Here, I use Ubuntu 13.10 as VPN server, and it’s actual IP address is 192.168.1.101/24.

Log in as root user and Install the OpenVPN software using the following command:

apt-get install openvpn easy-rsa

The easy-rsa scripts are located by default in the /usr/share/easy-rsa/ directory. Create the /etc/openvpn/easy-rsa and Copy the /usr/share/easy-rsa/ to /etc/openvpn/easy-rsa/ directory:

mkdir /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

Generate CA Certificate and CA key

Edit file /etc/openvpn/easy-rsa/2.0/vars,

vi /etc/openvpn/easy-rsa/vars

And, change the values that matches with your country, state, city, mail id etc.

[...]
# Don't leave any of these fields blank.
export KEY_COUNTRY="IN"
export KEY_PROVINCE="TN"
export KEY_CITY="Erode"
export KEY_ORG="Unixmen"
export KEY_EMAIL="sk@unixmen.com"
export KEY_OU="server"
[...]

Go to the openvpn/easy-rsa directory:

cd /etc/openvpn/easy-rsa/

Enter the following commands one by one to initialize the certificate authority:

cp openssl-1.0.0.cnf openssl.cnf
source ./vars
./clean-all

Then, run the following command to generate CA certificate and CA key:

./build-ca

Sample output:

Generating a 1024 bit RSA private key
......................................................+++
............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [Unixmen CA]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [sk@unixmen.com]: ----> Press Enter

We have now generated the CA certificate and CA key. Then create certificate and key for server using the following command:

./build-key-server server

Sample output:

Generating a 1024 bit RSA private key
....................+++
.............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [server]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [sk@unixmen.com]: ----> Press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter      
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'TN'
localityName          :PRINTABLE:'Erode'
organizationName      :PRINTABLE:'Unixmen'
organizationalUnitName:PRINTABLE:'server'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'sk@unixmen.com'
Certificate is to be certified until Mar 23 12:21:34 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter

1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated

Create certificate and key for VPN clients using the following command:

./build-key client

If you want to create certificate and key files for each client, you should replace the client parameter with an unique identifier.

Sample output:

Generating a 1024 bit RSA private key
.......+++
..................................................................................................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [client]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [sk@unixmen.com]: ----> Press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'TN'
localityName          :PRINTABLE:'Erode'
organizationName      :PRINTABLE:'Unixmen'
organizationalUnitName:PRINTABLE:'server'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'sk@unixmen.com'
Certificate is to be certified until Mar 23 12:23:44 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter

1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated

Generate Diffie Hellman Parameter

Enter the following command to generate DH parameter.

./build-dh

Sample output:

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

The necessary keys and certificates will be generated in the /etc/openvpn/easy-rsa/keys/ directory. Copy the following certificate and key files to the /etc/openvpn/ directory.

  • ca.crt
  • dh1024.pem
  • server.crt
  • server.key

Go to the directory /etc/openvpn/easy-rsa/keys/ and enter the following command to transfer the above files to /etc/openvpn/ directory.

cd /etc/openvpn/easy-rsa/keys/
cp dh1024.pem ca.crt server.crt server.key /etc/openvpn/

And then, you must copy all client certificates and keys to the remote VPN clients in order to authenticate to the VPN server. In our case, we have generated certificates and keys to only one client, so we have to copy the following files to the VPN client.

  • ca.crt
  • client.crt
  • client.key

You have to copy the above files to your VPN clients securely. Copy the keys with caution. If anyone have chances to get the keys, they can easily intrude and get full access to your virtual private network.

Remove Client access to VPN server

If you want to remove a user’s access to the VPN server, enter the following command:

. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full client

The above commands remove the user who have the certificate to access the VPN server.

Configuring VPN Server

Now, we have to configure our VPN server. Copy the file server.conf.gz file to /etc/openvpn/ directory.

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

Extract the file using the following command:

gzip -d /etc/openvpn/server.conf.gz

Edit file server.conf,

vi /etc/openvpn/server.conf

Find and uncomment the following lines to route client systems traffic through OpenVPN server.

[...]

push "redirect-gateway def1 bypass-dhcp"

[...]

Also, Uncomment and change the DNS servers to reflect your own DNS values. Here I am using Google public DNS servers.

[...]

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

[...]

Uncomment the following lines:

[...]

user nobody
group nogroup

[...]

Save and close the file.

Then we need to copy and edit the client.conf file. We need this file to be transferred to the VPN clients. First copy the file to any location (ex. /home directory).

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/

Edit file client.conf,

vi /home/client.conf

Set the VPN server host name/IP address:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.1.101 1194

Here 192.168.1.101 is my VPN server IP address.

Next, Copy the client.conf file to your client system.

IP forwarding and routing Configuration

Edit sysctl.conf file,

vi /etc/sysctl.conf

Find the following line and set value “1” to enable IP forwarding.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Run the following command to apply the sysctl changes.

sysctl -p

Enter the following command to enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Adjust iptables to forward traffic through VPN properly.

Enter the following commands one by one to forward traffic through OpenVPN:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Install iptables-persistent and save the iptables rules:


apt-get install iptables-persistent

Accept the defaults and save the iptables rules.

If you use UFW, you should run the following commands to allow openvpn port 1194:

ufw allow 1194/udp
ufw allow 1194/tcp

Finally, start openvpn service and make it to start automatically on every reboot using the following commands:

service openvpn start

Verify if VPN interface(tun0) is created using ifconfig command:

ifconfig

Sample output:

eth0      Link encap:Ethernet  HWaddr 08:00:27:46:36:62  
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe46:3662/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:604 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:44166 (43.1 KiB)  TX bytes:14434 (14.0 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

That’s it. Now the VPN server is ready. Cheers!