Effortlessly Set Up OpenVPN on Ubuntu
Modified: September 5, 2024
Learn how to easily set up OpenVPN on Ubuntu with our step-by-step guide. Secure your network and access your favorite software and apps with confidence.
Prerequisites
Before starting, ensure your Ubuntu system is up to date. This helps prevent potential issues during installation and configuration. Update your system by running:
bash
sudo apt update
sudo apt upgrade -y
Ensure the system clock is correct. OpenVPN relies on accurate time for certificate validity checks and for time-based one-time passwords (TOTPs). Set the time zone with:
bash
sudo apt install tzdata
sudo dpkg-reconfigure tzdata
If your system lacks a time synchronization tool, consider installing a Network Time Protocol (NTP) client to keep your server's time accurate.
Installing OpenVPN
Install OpenVPN and Easy RSA packages by running:
bash
sudo apt install openvpn easy-rsa
This command installs the necessary packages and their dependencies, including the Easy RSA tool for generating certificates and keys.
Generating Certificates and Keys
OpenVPN uses a Public Key Infrastructure (PKI) to manage certificates and keys, and Easy RSA simplifies this process. The build-* scripts used below belong to Easy-RSA 2; the easy-rsa package in current Ubuntu releases is Easy-RSA 3, where the equivalent commands are easyrsa init-pki, easyrsa build-ca, easyrsa build-server-full server, easyrsa gen-dh and easyrsa build-client-full client.
Create a Directory for Certificates and Keys
Create a directory to store your certificates and keys:
bash
# /etc/openvpn is root-owned, so the directory has to be created with sudo
sudo mkdir -p /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
Copy the Easy RSA Configuration Files
Copy the default configuration files from the /usr/share/easy-rsa directory to your newly created directory:
bash
sudo cp -r /usr/share/easy-rsa/* .
Edit the Easy RSA Configuration File
Edit the vars file to customize the settings for your PKI:
bash
sudo nano vars
Generate the Certificate Authority (CA)
Generate the CA certificate using the build-ca script:
bash
# The Easy-RSA 2 scripts read their settings from the sourced vars file and write
# under keys/, so run them from a root shell (sudo -i) inside /etc/openvpn/easy-rsa
source ./vars
./clean-all   # creates the keys/ directory and the CA index; run it only before the first certificate is generated
./build-ca
Generate Server Certificate and Key
Generate the server certificate and key using the build-key-server script:
bash
./build-key-server server
Generate Diffie-Hellman Parameters
Generate the Diffie-Hellman parameters using the build-dh script:
bash
./build-dh
Generate Client Certificates and Keys (Optional)
If needed, generate client certificates and keys using the build-key script:
bash
./build-key client
Configuring the OpenVPN Server
With certificates and keys generated, configure the OpenVPN server.
Copy the Sample Server Configuration File
Copy the sample server configuration file from the /usr/share/doc/openvpn/examples/sample-config-files/ directory to /etc/openvpn/:
bash
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server.conf.gz
sudo gzip -d /etc/openvpn/server.conf.gz
Edit the Server Configuration File
Edit the /etc/openvpn/server.conf file to point to the certificates and keys generated earlier:
bash
sudo nano /etc/openvpn/server.conf
Add the following lines:
plaintext
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
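The four lines above only tell OpenVPN where its certificates live; the sample server.conf ships its hardening directives commented out. The following added example (not from the original article) audits a server.conf for the directives a practitioner would want enabled: control-channel HMAC (tls-crypt/tls-auth), privilege dropping (user/group), a modern data-channel HMAC and cipher, a TLS version floor, a revocation list and persist-key. It counts only uncommented directives, prints one line per missing item and returns the number missing, so it can be used in a deployment check. The directive names are real OpenVPN options; the choice of which ones to require is this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an OpenVPN server.conf
# for hardening directives that the sample config leaves commented out or omits.
# usage: audit_server_conf /etc/openvpn/server.conf
# Prints one line per missing directive; the return value is the number missing
# (0 means every check passed).

# $1 = config path, $2 = extended regex for the directive (without anchors).
# Lines starting with # or ; are comments, so the anchor skips them automatically.
_has_directive() {
    grep -Eq "^[[:space:]]*($2)([[:space:]]|\$)" "$1"
}

audit_server_conf() {
    conf="$1"
    missing=0
    # One check per line: label;regex;why it matters (regex alternation uses |, so ; separates fields)
    checks='tls-crypt / tls-auth;tls-crypt|tls-auth|tls-crypt-v2;authenticates control-channel packets before the TLS stack parses them
user;user;drops root privileges after start-up (user nobody)
group;group;drops group privileges after start-up (group nogroup)
auth SHA256 or stronger;auth[[:space:]]+SHA(256|384|512);replaces the default SHA1 data-channel HMAC
cipher / data-ciphers;data-ciphers|cipher[[:space:]]+AES-[0-9]+-(GCM|CBC);pins an AEAD or AES cipher instead of the legacy default
tls-version-min 1.2;tls-version-min[[:space:]]+1\.[23];refuses TLS 1.0 and 1.1 handshakes
crl-verify;crl-verify;lets you revoke a lost client certificate without reissuing the CA
persist-key;persist-key;keeps keys in memory so the daemon can restart after dropping privileges'
    while IFS=';' read -r label regex reason; do
        if ! _has_directive "$conf" "$regex"; then
            echo "MISSING  $label: $reason"
            missing=$((missing + 1))
        fi
    done <<EOF
$checks
EOF
    return "$missing"
}
```

Run it after editing server.conf and again after every change; a non-zero exit status is the number of findings, which makes it easy to gate a deployment script on it.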
Enable IP Forwarding
Enable IP forwarding by uncommenting the following line in /etc/sysctl.conf:
plaintext
net.ipv4.ip_forward=1
Reload the sysctl configuration:
bash
sudo sysctl -p /etc/sysctl.conf
Start the OpenVPN Service
Start the OpenVPN service using:
bash
sudo systemctl start openvpn@server
Enable the OpenVPN Service to Start Automatically
Enable the OpenVPN service to start automatically on boot:
bash
sudo systemctl enable openvpn@server
Configuring the Firewall
Ensure your OpenVPN server is accessible by opening the necessary ports in your firewall. For Ubuntu, use UFW (Uncomplicated Firewall).
Allow OpenVPN Traffic
Allow incoming traffic on UDP port 1194, the default port for OpenVPN:
bash
sudo ufw allow 1194/udp
Enable UFW
Enable UFW to apply the new rules:
bash
sudo ufw enable
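Opening port 1194 lets clients reach the server, but enabling net.ipv4.ip_forward is not by itself enough for clients to reach the internet through the tunnel: UFW's default forward policy is DROP, and the tunnel subnet (10.8.0.0/24 in the sample server.conf) has to be NATed out of the server's public interface. The following added example (not from the original article) makes both changes idempotently, so it can be re-run safely. It assumes "eth0" as the outbound interface (check yours with ip route get 1.1.1.1) and the sample config's 10.8.0.0/24 subnet; the file paths are UFW's standard ones.

```shell
#!/bin/sh
# Added example, not part of the original article: give OpenVPN clients
# internet access through the server by (1) inserting a *nat MASQUERADE
# block into UFW's before.rules and (2) setting UFW's forward policy to ACCEPT.
# Both functions are idempotent. Apply with:
#   sudo sh -c '. ./ufw-nat.sh; add_ufw_masquerade /etc/ufw/before.rules 10.8.0.0/24 eth0; set_ufw_forward_policy /etc/default/ufw'
#   sudo ufw reload
# (assumptions: 10.8.0.0/24 is the tunnel subnet from the sample server.conf,
#  eth0 is the interface with the default route)

# usage: add_ufw_masquerade RULES_FILE VPN_SUBNET OUT_IFACE
add_ufw_masquerade() {
    rules="$1"; subnet="$2"; iface="$3"
    if grep -Fq -- "-A POSTROUTING -s $subnet -o $iface -j MASQUERADE" "$rules"; then
        echo "masquerade rule already present in $rules"
        return 0
    fi
    tmp="$rules.tmp.$$"
    # UFW feeds before.rules to iptables-restore, where each table is a
    # *table ... COMMIT block. Put the *nat block before the first *filter line.
    awk -v subnet="$subnet" -v iface="$iface" '
        !inserted && /^\*filter/ {
            print "# NAT the OpenVPN tunnel subnet out of " iface " (added by add_ufw_masquerade)"
            print "*nat"
            print ":POSTROUTING ACCEPT [0:0]"
            print "-A POSTROUTING -s " subnet " -o " iface " -j MASQUERADE"
            print "COMMIT"
            print ""
            inserted = 1
        }
        { print }
    ' "$rules" > "$tmp" && mv "$tmp" "$rules"
}

# usage: set_ufw_forward_policy /etc/default/ufw
set_ufw_forward_policy() {
    defaults="$1"
    if grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$defaults"; then
        return 0
    fi
    # Only the forward policy changes; input/output policies keep their values
    sed -i 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$defaults"
}
```

Keep the MASQUERADE rule scoped to the tunnel subnet and one interface, as above, rather than a blanket NAT rule; that way only VPN traffic is forwarded and nothing else on the host gains a new path out.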
Connecting Clients
Create a client configuration file to connect clients to your OpenVPN server. Use the sample client configuration file provided by OpenVPN.
Copy the Sample Client Configuration File
Copy the sample client configuration file from the /usr/share/doc/openvpn/examples/sample-config-files/
directory to a client-specific directory:
bash
mkdir -p ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
Edit the Client Configuration File
Edit the client configuration file to point to the certificates and keys generated earlier:
bash
nano ~/client-configs/base.conf
Add the following lines:
plaintext
# replace YOUR_SERVER_IP with your server's public address or hostname
remote YOUR_SERVER_IP 1194
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
Generate Unique Client Configuration Files
Create a script to generate unique client configuration files based on the base configuration file. The script points each client configuration at its own certificate and key (client1.crt and client1.key, client2.crt and client2.key, and so on), which you generate with the build-key script shown earlier.
bash
nano ~/client-configs/generate_client_config.sh
Add the following script:
bash
#!/bin/bash
# Set the base configuration file path
BASE_CONFIG="$HOME/client-configs/base.conf"
# Set the output directory for client configuration files
OUTPUT_DIR="$HOME/client-configs/files"
# Set the CA certificate path
CA_CERT="/path/to/ca.crt"
# Set the server IP address (replace the placeholder with your server's public address)
SERVER_IP="YOUR_SERVER_IP"
# Set the port number
PORT=1194
# Set the protocol (udp or tcp)
PROTOCOL="udp"
# Generate unique client configuration files
for i in {1..10}; do # Adjust the number of clients as needed
    echo "Creating client configuration for client $i"
    cp "$BASE_CONFIG" "$OUTPUT_DIR/client$i.conf"
    # Use | as the sed delimiter because the paths being replaced contain /
    sed -i "s|^remote .*|remote $SERVER_IP $PORT|" "$OUTPUT_DIR/client$i.conf"
    sed -i "s|^proto udp|proto $PROTOCOL|" "$OUTPUT_DIR/client$i.conf"
    sed -i "s|^ca /path/to/ca.crt|ca $CA_CERT|" "$OUTPUT_DIR/client$i.conf"
    sed -i "s|^cert /path/to/client.crt|cert client$i.crt|" "$OUTPUT_DIR/client$i.conf"
    sed -i "s|^key /path/to/client.key|key client$i.key|" "$OUTPUT_DIR/client$i.conf"
    echo "Client configuration created successfully for client $i"
done
Make the Script Executable
Make the script executable by running:
bash
chmod +x ~/client-configs/generate_client_config.sh
Run the Script
Run the script to generate unique client configuration files:
bash
~/client-configs/generate_client_config.sh
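The script above produces configuration files that still reference the certificate and key by path, so each client needs four files delivered together. The following added example (not code from the original article) goes one step further and builds a single self-contained .ovpn per client by inlining the CA certificate, the client certificate and key, and, if present, a tls-crypt key into the article's base.conf, using OpenVPN's standard <ca>, <cert>, <key> and <tls-crypt> inline blocks. It assumes the Easy-RSA output directory holds ca.crt, NAME.crt, NAME.key and optionally ta.key, and the caller supplies the server address and port; the function and parameter names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: build one self-contained
# .ovpn per client by inlining the PKI material into the base configuration.
# usage: make_client_ovpn BASE_CONF KEYS_DIR CLIENT_NAME SERVER_ADDR PORT OUT_FILE
# e.g.   make_client_ovpn ~/client-configs/base.conf /etc/openvpn/easy-rsa/keys client1 203.0.113.10 1194 ~/client-configs/files/client1.ovpn
# (assumptions: KEYS_DIR layout as produced by Easy-RSA; ta.key is optional)

# Print only the PEM body of a file. Easy-RSA .crt files also carry a
# human-readable dump above the PEM block, which has no place in the .ovpn.
_pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

make_client_ovpn() {
    base="$1"; keys="$2"; name="$3"; server="$4"; port="$5"; out="$6"
    for f in "$base" "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # The output holds a private key, so create it with owner-only permissions.
    # umask runs in a subshell so the caller's umask is left alone.
    (
        umask 077
        {
            # Copy the base config minus any file-path ca/cert/key/tls-* and
            # remote lines; the inline blocks and the explicit remote replace them.
            grep -Ev '^[[:space:]]*(ca|cert|key|remote|tls-auth|tls-crypt)[[:space:]]' "$base" || true
            echo "remote $server $port"
            echo "<ca>";   _pem_block "$keys/ca.crt";     echo "</ca>"
            echo "<cert>"; _pem_block "$keys/$name.crt"; echo "</cert>"
            echo "<key>";  _pem_block "$keys/$name.key"; echo "</key>"
            if [ -r "$keys/ta.key" ]; then
                echo "<tls-crypt>"; _pem_block "$keys/ta.key"; echo "</tls-crypt>"
            fi
        } > "$out"
    )
}
```

Because the resulting file contains the client's private key, hand it to the user over an authenticated channel and delete the server-side copy once delivered; if the server uses tls-auth rather than tls-crypt, the inline block is <tls-auth> and the client additionally needs key-direction 1.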
Connect Clients
Clients can now connect to the OpenVPN server using the generated configuration files.