Introduction
A VPN lets you connect to a VPN server over an encrypted connection and browse the internet while keeping your traffic private from anyone on the path between you and the server. OpenVPN is a free, open-source, and widely used VPN (virtual private network) solution. It lets you build a private network between computers on different network segments, so you can reach company systems that live on the LAN from a remote location. OpenVPN implements an OSI layer 2/3 secure network extension using the SSL/TLS protocol, which allows remote users and branch offices to access corporate applications and resources through an encrypted tunnel.
In this tutorial, we explain how to set up a VPN on Ubuntu 18.04 with OpenVPN.
Prerequisites
- A fresh Ubuntu 18.04 server installed on your system.
- A static IP address 192.168.0.101 is configured on your server.
Step 1: Getting started
Before starting, you will need to enable IP forwarding so the server can forward packets between the tunnel and the network. You can do this by editing the /etc/sysctl.conf file:
nano /etc/sysctl.conf
Uncomment (or add) the following line:
net.ipv4.ip_forward=1
Save and close the file when you are finished. Then, apply the new setting by running the following command:
sysctl -p
Step 2: Install OpenVPN Server
You can install the OpenVPN server by running the following command:
apt-get install openvpn -y
Once the installation has been completed, start the OpenVPN service and enable it to start on boot with the following commands:
systemctl start openvpn@server
systemctl enable openvpn@server
Once you have finished, you can proceed to the next step.
Step 3: Install and configure EasyRSA
First, you will need to install EasyRSA to generate all the certificates. You can install it with the following command:
apt-get install easy-rsa -y
Next, you will need to copy the EasyRSA directory to /etc/openvpn/. You can do it with the following command:
cp -r /usr/share/easy-rsa /etc/openvpn/
Next, change into the /etc/openvpn/easy-rsa directory with the following command:
cd /etc/openvpn/easy-rsa
Next, open the vars file and set the certificate fields for your organization and location:
nano vars
Make the following changes:
export KEY_COUNTRY="IN"   # must be a 2-letter ISO country code; a longer value such as "INDIA" is rejected by build-ca, as the output below shows
export KEY_PROVINCE="CA"
export KEY_CITY="Ahmedabad"
export KEY_ORG="Snel"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"
Save and close the file. Then, load the variables, clear any previous keys, and generate the Certificate Authority (CA) certificate and key with the following commands:
source vars
./clean-all
./build-ca
Provide all the information as shown below:
Generating a 2048 bit RSA private key
.........+++
..................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [INDIA]:string is too long, it needs to be no more than 2 bytes long
Country Name (2 letter code) [INDIA]:IN
State or Province Name (full name) [CA]:CA
Locality Name (eg, city) [Ahmedabad]:
Organization Name (eg, company) [Snel]:
Organizational Unit Name (eg, section) [VPN]:
Common Name (eg, your name or your server's hostname) [Snel CA]:server
Name [EasyRSA]:
Email Address [[email protected]]:
Next, generate a certificate and private key for the server with the following command:
./build-key-server server
You should see the following output:
Generating a 2048 bit RSA private key
............+++
............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [INDIA]:IN
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Ahmedabad]:
Organization Name (eg, company) [Snel]:
Organizational Unit Name (eg, section) [VPN]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Snel
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Can't open /etc/openvpn/easy-rsa/keys/index.txt.attr for reading, No such file or directory
140584598217152:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/etc/openvpn/easy-rsa/keys/index.txt.attr','r')
140584598217152:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'Ahmedabad'
organizationName      :PRINTABLE:'Snel'
organizationalUnitName:PRINTABLE:'VPN'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 30 15:08:34 2029 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Next, you will need to generate the Diffie-Hellman parameters used during key exchange. With the default KEY_SIZE of 2048 in vars this produces keys/dh2048.pem and can take several minutes:
./build-dh
Then list the generated files:
ls keys/
Output:
ca.crt  ca.key  dh2048.pem  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key
Next, generate the shared secret ta.key used by tls-auth to HMAC-protect the TLS control channel:
openvpn --genkey --secret ta.key
Next, copy all the certificate files into the /etc/openvpn/ directory with the following commands:
cd keys
cp server.crt server.key ca.crt dh2048.pem /etc/openvpn/
cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/
Next, you will need to generate the client certificate and key on the server. You can do it with the following commands:
cd /etc/openvpn/easy-rsa/
source vars
./build-key client
You should see the following output:
Generating a 2048 bit RSA private key
.......................+++
...............+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [INDIA]:IN
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Ahmedabad]:
Organization Name (eg, company) [Snel]:
Organizational Unit Name (eg, section) [VPN]:
Common Name (eg, your name or your server's hostname) [client]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Snel
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'Ahmedabad'
organizationName      :PRINTABLE:'Snel'
organizationalUnitName:PRINTABLE:'VPN'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 30 15:17:30 2029 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Once all the server and client certificates have been generated, you can proceed to the next step.
Step 4: Configure OpenVPN
Your server and client certificates are now ready; it is time to configure the OpenVPN service to use the certificates you created earlier.
To do so, copy a sample OpenVPN configuration file into the /etc/openvpn/ directory:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
Next, extract the configuration file with the following command:
gzip -d /etc/openvpn/server.conf.gz
Next, you will need to edit /etc/openvpn/server.conf and make some changes:
nano /etc/openvpn/server.conf
Make the following changes:
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA256
dh dh2048.pem
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
ca ca.crt
cert server.crt
key server.key
Save and close the file. Then, restart the OpenVPN service to apply all the changes:
systemctl restart openvpn@server
You can check the status of the OpenVPN server with the following command:
systemctl status openvpn@server
Output:
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-05-03 21:19:02 IST; 40s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 3581 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 1111)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─3581 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config

May 03 21:19:02 ubuntu1804 ovpn-server[3581]: Could not determine IPv4/IPv6 protocol. Using AF_INET
May 03 21:19:02 ubuntu1804 ovpn-server[3581]: Socket Buffers: R=[212992->212992] S=[212992->212992]
May 03 21:19:02 ubuntu1804 ovpn-server[3581]: UDPv4 link local (bound): [AF_INET][undef]:1194
May 03 21:19:02 ubuntu1804 ovpn-server[3581]: UDPv4 link remote: [AF_UNSPEC]
May 03 21:19:02 ubuntu1804 ovpn-server[3581]: GID set to nogroup
May 03 21:19:02 ubuntu1804 ovpn-server[3581]: UID set to nobody
May 03 21:19:02 ubuntu1804 ovpn-server[3581]: MULTI: multi_init called, r=256 v=256
May 03 21:19:02 ubuntu1804 ovpn-server[3581]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
May 03 21:19:02 ubuntu1804 ovpn-server[3581]: IFCONFIG POOL LIST
May 03 21:19:02 ubuntu1804 ovpn-server[3581]: Initialization Sequence Completed
Step 5: Install and configure the OpenVPN client
First, log in to the client machine and install OpenVPN with the following command:
apt-get install openvpn -y
Next, copy the sample client configuration file to the /etc/openvpn directory with the following command:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
Next, copy the CA certificate, the client certificate and key, and ta.key from the OpenVPN server to the client machine with the following commands:
scp [email protected]:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/
scp [email protected]:/etc/openvpn/easy-rsa/keys/client.key /etc/openvpn/
scp [email protected]:/etc/openvpn/easy-rsa/keys/client.crt /etc/openvpn/
scp [email protected]:/etc/openvpn/ta.key /etc/openvpn/
Next, open the client.conf file and define your server IP address and client certificate:
nano /etc/openvpn/client.conf
Make the following changes:
client
remote 192.168.0.101 1194
user nobody
group nogroup
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
Save and close the file. Then, start the OpenVPN client service with the following command:
systemctl start openvpn@client
Now you can see the tunnel address assigned by the OpenVPN server with the following command:
ifconfig
Output:
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2528 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2528 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:228962 (228.9 KB)  TX bytes:228962 (228.9 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:6681 (6.6 KB)
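The server.conf and client.conf settings above are the ones that actually protect the tunnel (tls-auth with opposite key directions, AES-256-CBC, SHA256, privilege drop, and the certificate files). The following is an added example, not code from the tutorial or the OpenVPN project: a small linter that parses an OpenVPN config and reports any of those settings that are missing or weakened. The sample configs are constructed from the directives shown on this page, and the remote-cert-tls check on the client side is a recommendation that goes beyond what the tutorial configures.

```python
import shlex
# Settings the tutorial's server.conf applies; anything weaker is reported.
STRONG_CIPHERS = {"AES-256-CBC", "AES-256-GCM", "AES-128-GCM"}
STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}
REQUIRED = {"server": ("ca", "cert", "key", "dh"), "client": ("ca", "cert", "key", "remote")}

def parse_config(text):
    """Map each directive to a list of its argument lists; blank and comment lines are skipped."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)  # keeps a quoted push "..." payload as one argument
        config.setdefault(tokens[0], []).append(tokens[1:])
    return config

def first_arg(config, directive, default=None):
    occurrences = config.get(directive)  # first argument of the first occurrence, or default
    return occurrences[0][0] if occurrences and occurrences[0] else default

def lint(text, role):
    """Return findings for a 'server' or 'client' config; [] means it matches the tutorial's hardening."""
    config, findings = parse_config(text), []
    findings += [f"{name} missing" for name in REQUIRED[role] if name not in config]
    want = "0" if role == "server" else "1"  # the two ends must use opposite tls-auth key directions
    tls_auth = config.get("tls-auth")
    if not tls_auth:
        findings.append("tls-auth missing: TLS control channel is not HMAC-protected")
    else:
        got = tls_auth[0][1] if len(tls_auth[0]) > 1 else first_arg(config, "key-direction")
        if got != want:
            findings.append(f"tls-auth key direction is {got}, expected {want} on the {role}")
    if first_arg(config, "cipher") not in STRONG_CIPHERS:
        findings.append(f"cipher {first_arg(config, 'cipher', 'unset')} is weaker than AES-256-CBC")
    if first_arg(config, "auth") not in STRONG_AUTH:
        findings.append(f"auth {first_arg(config, 'auth', 'unset')} is not a SHA-2 HMAC")
    if first_arg(config, "user") != "nobody" or first_arg(config, "group") != "nogroup":
        findings.append("privileges are not dropped to nobody/nogroup after start-up")
    # Recommended addition beyond the tutorial: require the server's cert to carry the server role.
    if role == "client" and first_arg(config, "remote-cert-tls") != "server":
        findings.append("remote-cert-tls server missing: any cert signed by the CA could pose as the server")
    return findings

# Constructed samples: the directives the tutorial sets, plus a weakened server config for contrast.
PAGE_SERVER = ("tls-auth ta.key 0\nkey-direction 0\ncipher AES-256-CBC\nauth SHA256\ndh dh2048.pem\n"
               'user nobody\ngroup nogroup\npush "redirect-gateway def1 bypass-dhcp"\nca ca.crt\ncert server.crt\nkey server.key')
WEAK_SERVER = "cipher BF-CBC\nauth SHA1\ndh dh2048.pem\nca ca.crt\ncert server.crt\nkey server.key"
PAGE_CLIENT = ("client\nremote 192.168.0.101 1194\nuser nobody\ngroup nogroup\nca ca.crt\ncert client.crt\n"
               "key client.key\ntls-auth ta.key 1\ncipher AES-256-CBC\nauth SHA256")
```

Running lint(PAGE_SERVER, "server") returns an empty list, while the weakened server config yields four findings and the page's client config yields only the remote-cert-tls recommendation; point it at /etc/openvpn/server.conf or client.conf to check a live deployment.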
Conclusion
Congratulations! You have successfully installed an OpenVPN server and connected to it from a client machine. Your traffic now travels through an encrypted tunnel, so its contents and your location are protected from observers on the path. You can also connect to the OpenVPN server from Windows and macOS using the same client configuration and certificate files (usually bundled as a client.ovpn file).
Monkh says
scp [email protected]:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/ password?