Linux (Ubuntu)
Ubuntu: Setting up OpenVPN
by admin on Feb.27, 2011, under Linux (Ubuntu)
I’ve used OpenVPN for various reasons in the past. My major purpose was to build up a virtual private network with my server. In addition I also wanted to use my server as a gateway, this way I could surf the web with a German IP address. Anyway, setting everything up was a quite hard job, thus I’m going to write a brief installation instruction explaining the basic steps:
1.) Login to your (Ubuntu) server via SSH. Enter the following commands:
apt-get update apt-get install sudo apt-get install iptables apt-get install -y openvpn --force-yes
This will update your repositories, install sudo (if you don’t already have it installed), install iptables (in order to later forward traffic from your VPN to the WWW) and OpenVPN itself.
2.) Then copy a sample configuration file and gunzip it:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ gunzip /etc/openvpn/server.conf.gz cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa2
3.) Now it’s time to edit it. I’ve used my favourite text-editor (vim):
vim /etc/openvpn/easy-rsa2/vars
And change the configuration file according to what applies for you.
export KEY_COUNTRY=DE export KEY_PROVINCE=NRW export KEY_CITY=Düsseldorf export KEY_ORG="Vpntest" export KEY_EMAIL="dontspamme@myhomepage.net"
4.) The following commands will create the certificates and keys. Follow the on-screen instructions.
mkdir /etc/openvpn/easy-rsa2/keys cd /etc/openvpn/easy-rsa2/ source /etc/openvpn/easy-rsa2/vars sudo -E /etc/openvpn/easy-rsa2/clean-all sudo -E /etc/openvpn/easy-rsa2/build-ca sudo -E /etc/openvpn/easy-rsa2/build-key-server server sudo -E /etc/openvpn/easy-rsa2/build-key ersterclient sudo -E /etc/openvpn/easy-rsa2/build-dh
5.) Edit the server.conf.
vim /etc/openvpn/server.conf
This is the content of my file. Replace xxx.xx.xxx.xxx with your server’s IP address:
user nobody group nogroup dev tun local xxx.xx.xxx.xxx port 443 proto udp ca /etc/openvpn/easy-rsa2/keys/ca.crt cert /etc/openvpn/easy-rsa2/keys/server.crt key /etc/openvpn/easy-rsa2/keys/server.key # This file should be kept secret dh /etc/openvpn/easy-rsa2/keys/dh1024.pem server 10.66.66.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway" client-to-client keepalive 10 120 comp-lzo persist-tun persist-key verb 3 log-append /var/log/openvpn/openvpn.log plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth client-cert-not-required username-as-common-name push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220"
6.) Forward traffic to- and from your VPN. Replace xxx.xx.xxx.xxx with your server’s IP address.
iptables -t nat -A POSTROUTING -s 10.66.66.0/24 -o venet0 -j SNAT --to xxx.xx.xxx.xxx
7.) Restart OpenVPN
sudo /etc/init.d/openvpn restart
If something goes wrong while restarting OpenVPN (for instance FAIL) you’re probably using a VPS. In this case the following commands might solve the problem (applies for a few OpenVZ containers):
sudo mkdir -p /dev/net sudo mknod /dev/net/tun c 10 200 sudo chmod 600 /dev/net/tun sudo /etc/init.d/openvpn restart
Alright, so the server has been installed successfully. Now it’s time to configure the client.
1.) Install the OpenVPN client for your OS
2.) Go to INSTALLDIR/config/ and copy the ca.crt from your server into this directory.
3.) Edit INSTALLDIR/config/client.ovpn
Here’s the content of my client.ovpn. Replace xxx.xx.xxx.xxx with your server’s IP address:
client dev tun proto udp remote xxx.xx.xxx.xxx 443 resolv-retry infinite nobind persist-key persist-tun auth-user-pass ca ca.crt comp-lzo verb 3 push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220"
And save the file. Finally you should be able to estabilish a connection with your VPN server using a user account from your server. (those user accounts are regular linux users). You’ve successfully setup an Open VPN server and can connect to it via a client.