Ubuntu 10.04 – Install OpenVPN Server

This will show you how to set up an OpenVPN server on Ubuntu 10.04 Lucid Server Edition that uses routing and forwards all of the client's traffic through the VPN. In this example three clients will be created; you need one client for each computer that will be connected at the same time.

First, install OpenVPN.

administrator@ubuntu:~$ sudo aptitude install openvpn
The following NEW packages will be installed:
liblzo2-2{a} libpkcs11-helper1{a} openssl-blacklist{a} openvpn openvpn-blacklist{a}
0 packages upgraded, 5 newly installed, 0 to remove and 52 not upgraded.
Need to get 7,963kB of archives. After unpacking 16.3MB will be used.
Do you want to continue? [Y/n/?]
Get:1 http://us.archive.ubuntu.com/ubuntu/ maverick/main openssl-blacklist all 0.5-2 [6,338kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ maverick/main liblzo2-2 amd64 2.03-2 [59.2kB]
Get:3 http://us.archive.ubuntu.com/ubuntu/ maverick/main libpkcs11-helper1 amd64 1.07-1build1 [48.1kB]
Get:4 http://us.archive.ubuntu.com/ubuntu/ maverick/main openvpn-blacklist all 0.4 [1,068kB]
Get:5 http://us.archive.ubuntu.com/ubuntu/ maverick/main openvpn amd64 2.1.0-3ubuntu1 [450kB]
Fetched 7,963kB in 25s (312kB/s)
Preconfiguring packages ...
Selecting previously deselected package openssl-blacklist.
(Reading database ... 40312 files and directories currently installed.)
Unpacking openssl-blacklist (from .../openssl-blacklist_0.5-2_all.deb) ...
Selecting previously deselected package liblzo2-2.
Unpacking liblzo2-2 (from .../liblzo2-2_2.03-2_amd64.deb) ...
Selecting previously deselected package libpkcs11-helper1.
Unpacking libpkcs11-helper1 (from .../libpkcs11-helper1_1.07-1build1_amd64.deb) ...
Selecting previously deselected package openvpn-blacklist.
Unpacking openvpn-blacklist (from .../openvpn-blacklist_0.4_all.deb) ...
Selecting previously deselected package openvpn.
Unpacking openvpn (from .../openvpn_2.1.0-3ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Setting up openssl-blacklist (0.5-2) ...
Setting up liblzo2-2 (2.03-2) ...
Setting up libpkcs11-helper1 (1.07-1build1) ...
Setting up openvpn-blacklist (0.4) ...
Setting up openvpn (2.1.0-3ubuntu1) ...
* Restarting virtual private network daemon(s)...                                                *   No VPN is running.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place

Run the following commands to create the folders that will be used later.

administrator@ubuntu:~$ sudo mkdir /etc/openvpn/easy-rsa/
administrator@ubuntu:~$ sudo mkdir /etc/openvpn/keys/
administrator@ubuntu:~$ sudo mkdir /etc/openvpn/keys/client1/
administrator@ubuntu:~$ sudo mkdir /etc/openvpn/keys/client2/
administrator@ubuntu:~$ sudo mkdir /etc/openvpn/keys/client3/

Copy the easy-rsa script included with OpenVPN to the folder that was just created and navigate to the folder. Then apply the needed permissions.

administrator@ubuntu:~$ sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
administrator@ubuntu:~$ cd /etc/openvpn/easy-rsa/
administrator@ubuntu:/etc/openvpn/easy-rsa$ sudo chown -R root:admin .
administrator@ubuntu:/etc/openvpn/easy-rsa$ sudo chmod g+w .

Open the vars file, scroll to the bottom and edit the lines shown below with your information. Then press Ctrl+X to exit and Y to save.

administrator@ubuntu:/etc/openvpn/easy-rsa$ sudo nano vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="None"
export KEY_CITY="None"
export KEY_ORG="None"
export KEY_EMAIL="admin@domain.com"

Run the command shown below to apply the variables you just edited.

administrator@ubuntu:/etc/openvpn/easy-rsa$ source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

Run the command shown below to build the DH parameters.

administrator@ubuntu:/etc/openvpn/easy-rsa$ ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................................++*++*++*

Run the command shown below to build the certificate authority file. Just press Enter through all the options; the defaults that you set in vars should show up, except Name, which you don't need to set (you can enter a name if you want).

administrator@ubuntu:/etc/openvpn/easy-rsa$ ./build-ca
Generating a 1024 bit RSA private key
................................++++++
.......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [None]:
Locality Name (eg, city) [None]:
Organization Name (eg, company) [None]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [None CA]:
Name []:
Email Address [admin@domain.com]:

Run the command shown below to generate a key for the server. Just press Enter through the options until it prompts “[y/n]”; enter “y” for both prompts.

administrator@ubuntu:/etc/openvpn/easy-rsa$ ./build-key-server server
Generating a 1024 bit RSA private key
........++++++
................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [None]:
Locality Name (eg, city) [None]:
Organization Name (eg, company) [None]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [admin@domain.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'None'
localityName          :PRINTABLE:'None'
organizationName      :PRINTABLE:'None'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'admin@domain.com'
Certificate is to be certified until Jan  9 01:43:48 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Run the command below to generate a key for the first client. Press Enter through the options until it prompts “[y/n]”; enter “y” for both prompts.

administrator@ubuntu:/etc/openvpn/easy-rsa$ ./build-key client-1
Generating a 1024 bit RSA private key
....++++++
...................++++++
writing new private key to 'client-1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [None]:
Locality Name (eg, city) [None]:
Organization Name (eg, company) [None]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client-1]:
Name []:
Email Address [admin@domain.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'None'
localityName          :PRINTABLE:'None'
organizationName      :PRINTABLE:'None'
commonName            :PRINTABLE:'client-1'
emailAddress          :IA5STRING:'admin@domain.com'
Certificate is to be certified until Jan  9 01:44:38 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Run the command below to generate a key for the second client. Press Enter through the options until it prompts “[y/n]”; enter “y” for both prompts.

administrator@ubuntu:/etc/openvpn/easy-rsa$ ./build-key client-2
Generating a 1024 bit RSA private key
....................................++++++
.......................++++++
writing new private key to 'client-2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [None]:
Locality Name (eg, city) [None]:
Organization Name (eg, company) [None]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client-2]:
Name []:
Email Address [admin@domain.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'None'
localityName          :PRINTABLE:'None'
organizationName      :PRINTABLE:'None'
commonName            :PRINTABLE:'client-2'
emailAddress          :IA5STRING:'admin@domain.com'
Certificate is to be certified until Jan  9 01:44:56 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Run the command below to generate a key for the third client. Press Enter through the options until it prompts “[y/n]”; enter “y” for both prompts.

administrator@ubuntu:/etc/openvpn/easy-rsa$ ./build-key client-3
Generating a 1024 bit RSA private key
..++++++
..........................++++++
writing new private key to 'client-3.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [None]:
Locality Name (eg, city) [None]:
Organization Name (eg, company) [None]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client-3]:
Name []:
Email Address [admin@domain.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'None'
localityName          :PRINTABLE:'None'
organizationName      :PRINTABLE:'None'
commonName            :PRINTABLE:'client-3'
emailAddress          :IA5STRING:'admin@domain.com'
Certificate is to be certified until Jan  9 01:45:30 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Navigate to the keys folder and rename the certificate authority files.

administrator@ubuntu:/etc/openvpn/easy-rsa$ cd keys/
administrator@ubuntu:/etc/openvpn/easy-rsa/keys$ sudo mv ca.crt server-ca.crt
administrator@ubuntu:/etc/openvpn/easy-rsa/keys$ sudo mv ca.key server-ca.key

Copy the keys to the correct folders.

administrator@ubuntu:/etc/openvpn/easy-rsa/keys$ sudo cp server-ca.crt server-ca.key dh1024.pem server.crt server.key /etc/openvpn/
administrator@ubuntu:/etc/openvpn/easy-rsa/keys$ sudo cp server-ca.crt client-1.crt client-1.key /etc/openvpn/keys/client1/
administrator@ubuntu:/etc/openvpn/easy-rsa/keys$ sudo cp server-ca.crt client-2.crt client-2.key /etc/openvpn/keys/client2/
administrator@ubuntu:/etc/openvpn/easy-rsa/keys$ sudo cp server-ca.crt client-3.crt client-3.key /etc/openvpn/keys/client3/

Navigate to the OpenVPN folder and check that all the needed files are there. It's best to take server-ca.key off the server, as it is only needed when you want to generate new keys: if an attacker gets the CA certificate and key file they could generate their own client keys and access your OpenVPN server. If all the files are there, delete the easy-rsa folder, which is no longer needed unless you plan on creating more keys. If you do intend to create more keys, it's best to take the easy-rsa folder off the server as well, since it still contains all the client keys, ca.crt and ca.key.

administrator@ubuntu:/etc/openvpn/easy-rsa/keys$ cd /etc/openvpn/
administrator@ubuntu:/etc/openvpn$ ls
dh1024.pem  easy-rsa  keys  server-ca.crt  server-ca.key  server.crt  server.key  update-resolv-conf
administrator@ubuntu:/etc/openvpn$ sudo rm -r easy-rsa/

Open the server config and add the text shown below. 10.8.0.0 is the network that the VPN clients will be placed on; it is not the IP address or network that your server is on. Don't change it unless you know what it's used for.

administrator@ubuntu:/etc/openvpn$ sudo nano /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca server-ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
keepalive 10 120
max-clients 10
persist-key
persist-tun
verb 0
mute 5
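
The checks described above (the CA key and the easy-rsa tree taken off the server) and the files named by this server.conf can be verified in one pass. The script below is an added example, not part of the tutorial; it assumes the tutorial's layout, with server.conf beside the relative ca/cert/key/dh files it names, the CA key called server-ca.key, and easy-rsa under the same directory.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: sanity-check an OpenVPN server
# directory against the directives in its server.conf. Assumes the layout the
# tutorial builds: server.conf beside the relative ca/cert/key/dh files it
# names, the CA key called server-ca.key, and easy-rsa under the same directory.

# conf_value CONF DIRECTIVE -> prints the argument of DIRECTIVE (ca, cert, key, dh)
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# group_or_other_access FILE -> exit 0 if any group/other permission bit is set
group_or_other_access() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *[rwxst]*) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_server_dir DIR -> prints one finding per line, exit 0 only when clean
check_server_dir() {
    dir="$1"
    conf="$dir/server.conf"
    rc=0
    [ -f "$conf" ] || { echo "MISSING $conf"; return 1; }
    for directive in ca cert key dh; do
        rel=$(conf_value "$conf" "$directive")
        if [ -z "$rel" ]; then
            echo "NODIRECTIVE $directive"; rc=1; continue
        fi
        path="$dir/$rel"
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"; rc=1; continue
        fi
        # the server's private key must not be readable by group or others
        if [ "$directive" = key ] && group_or_other_access "$path"; then
            echo "PERMS $path"; rc=1
        fi
    done
    # the CA private key is only needed to sign new certificates; the tutorial
    # recommends taking it off the server once the clients are issued
    if [ -f "$dir/server-ca.key" ]; then
        echo "CAKEY-PRESENT $dir/server-ca.key"; rc=1
    fi
    # a leftover easy-rsa tree still holds every client key plus ca.key
    if [ -d "$dir/easy-rsa" ]; then
        echo "EASYRSA-PRESENT $dir/easy-rsa"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $dir"
    return "$rc"
}

# Usage on the server built by the tutorial:  check_server_dir /etc/openvpn
```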

Edit the first client's config file. Change “domain.com” to your server's domain name or IP address.

administrator@ubuntu:/etc/openvpn$ sudo nano /etc/openvpn/keys/client1/client-1.ovpn
client
dev tun
proto udp
remote domain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca server-ca.crt
cert client-1.crt
key client-1.key
verb 3
mute 5

Edit the second client's config file. Change “domain.com” to your server's domain name or IP address.

administrator@ubuntu:/etc/openvpn$ sudo nano /etc/openvpn/keys/client2/client-2.ovpn
client
dev tun
proto udp
remote domain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca server-ca.crt
cert client-2.crt
key client-2.key
verb 3
mute 5

Edit the third client's config file. Change “domain.com” to your server's domain name or IP address.

administrator@ubuntu:/etc/openvpn$ sudo nano /etc/openvpn/keys/client3/client-3.ovpn
client
dev tun
proto udp
remote domain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca server-ca.crt
cert client-3.crt
key client-3.key
verb 3
mute 5

Enable IP forwarding, which is needed to forward traffic for the connected clients. The first command below enables it immediately; then edit the sysctl.conf file and uncomment the line shown below so that IP forwarding is also enabled when the computer is restarted.

administrator@ubuntu:~$ sudo sysctl -w net.ipv4.ip_forward=1
administrator@ubuntu:~$ sudo nano /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Edit the interfaces file and add the line that starts with “pre-up”. It must go below the IP settings for the eth0 interface, as shown below. Only copy the “pre-up” line; the other lines will differ depending on your network settings. This line restores the saved firewall settings so they don't need to be applied by hand every time the server is restarted.

administrator@ubuntu:~$ sudo nano /etc/network/interfaces
auto eth0
iface eth0 inet static
address 255.255.255.255
netmask 255.255.255.255
gateway 255.255.255.255
pre-up iptables-restore < /etc/iptables.rules

Enter the first command below, which will route (masquerade) traffic from the OpenVPN clients on the 10.8.0.0 network out through eth0. If you changed the network address in the server config you must use the same network address here. Enter the second command to check the settings and look for the entry under “POSTROUTING”. If the settings are correct, save the iptables settings with the third command; they will be loaded by the “pre-up” command that was added to the interfaces file. If your server is hosted on a VPS and you get an error when entering the first command, you will need to load the modules required for NAT.

administrator@ubuntu:~$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
administrator@ubuntu:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.0.0/24 anywhere
administrator@ubuntu:~$ sudo bash -c "iptables-save > /etc/iptables.rules"

Restart OpenVPN and ensure it starts without any errors. If your server is on a VPS and you're getting an error, you might need to load the modules required for an OpenVPN tunnel interface.

administrator@ubuntu:~$ sudo /etc/init.d/openvpn restart
* Stopping virtual private network daemon(s)...                                                          *   No VPN is running.
* Starting virtual private network daemon(s)...                                                          *   Autostarting VPN 'server'                                                                    [ OK ]

It's best to restart the server to make sure the settings that need to be re-applied on a restart are working. The second command should return a value of 1, indicating IP forwarding is enabled, and the third command should show the POSTROUTING entry.

administrator@ubuntu:~$ sudo reboot
administrator@ubuntu:~$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
administrator@ubuntu:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.0.0/24 anywhere
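
To automate the two post-reboot checks just described, here is an added shell script (not part of the original tutorial) that parses the output of the same sysctl and iptables -t nat -L commands the tutorial runs by hand. It assumes the 10.8.0.0/24 VPN network from server.conf, and the live checks need root.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: confirm after a reboot that
# IP forwarding and the MASQUERADE rule for the VPN network came back.
# Assumes the 10.8.0.0/24 network from server.conf.

# forwarding_enabled SYSCTL_OUTPUT -> exit 0 when it reads "net.ipv4.ip_forward = 1"
forwarding_enabled() {
    printf '%s\n' "$1" |
        awk '/^net\.ipv4\.ip_forward/ { v = $NF } END { exit (v == 1) ? 0 : 1 }'
}

# nat_rule_present NAT_LISTING NET -> exit 0 when the POSTROUTING chain of an
# "iptables -t nat -L" listing holds a MASQUERADE rule whose source is NET
nat_rule_present() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^Chain / { chain = $2; next }
        chain == "POSTROUTING" && $1 == "MASQUERADE" && $4 == net { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_gateway [NET] -> runs both live checks (needs root for iptables),
# prints one line per result, exit 0 only when both pass
verify_gateway() {
    net="${1:-10.8.0.0/24}"
    rc=0
    if forwarding_enabled "$(sysctl net.ipv4.ip_forward 2>/dev/null)"; then
        echo "OK   net.ipv4.ip_forward = 1"
    else
        echo "FAIL ip_forward is not 1 (check the line in /etc/sysctl.conf)"; rc=1
    fi
    if nat_rule_present "$(iptables -t nat -L 2>/dev/null)" "$net"; then
        echo "OK   MASQUERADE rule for $net in POSTROUTING"
    else
        echo "FAIL no MASQUERADE rule for $net (check /etc/iptables.rules and the pre-up line)"; rc=1
    fi
    return "$rc"
}

# Usage on the rebooted server:  sudo sh -c '. ./thisscript.sh; verify_gateway'
```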

The VPN server should now be working. To connect a client, copy the files from one of the client folders under “/etc/openvpn/keys/” onto the client machine, into its “/etc/openvpn/” folder.
