Effortlessly Set Up OpenVPN on Ubuntu

Written by: William Sullivan

Learn how to easily set up OpenVPN on Ubuntu with our step-by-step guide. Secure your network and access your favorite software and apps with confidence.

Prerequisites

Before starting, ensure your Ubuntu system is up to date. This helps prevent potential issues during installation and configuration. Update your system by running:

bash
sudo apt update
sudo apt upgrade -y

Ensure your system's time and date are correct. OpenVPN relies on accurate time for time-based one-time passwords (TOTPs) and certificate management. Set the correct time and date using:

bash
sudo apt install tzdata
sudo dpkg-reconfigure tzdata

If your system lacks a time synchronization tool, consider installing a Network Time Protocol (NTP) client to keep your server's time accurate.

Installing OpenVPN

Install OpenVPN and Easy RSA packages by running:

bash
sudo apt install openvpn easy-rsa

This command installs the necessary packages and their dependencies, including the Easy RSA tool for generating certificates and keys.

Generating Certificates and Keys

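OpenVPN uses a Public Key Infrastructure (PKI) to manage certificates and keys. Easy RSA simplifies this process. The build-ca, build-key-server, build-dh and build-key scripts used below belong to Easy-RSA 2.x; Easy-RSA 3 replaces them with subcommands of a single easyrsa script.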

Create a Directory for Certificates and Keys

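Create a directory to store your certificates and keys. /etc/openvpn is owned by root, so run this and the remaining commands in this section from a root shell: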

bash
mkdir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

Copy the Easy RSA Configuration Files

Copy the default configuration files from the /usr/share/easy-rsa directory to your newly created directory:

bash
cp -r /usr/share/easy-rsa/* .

Edit the Easy RSA Configuration File

Edit the vars file to customize the settings for your PKI:

bash
nano vars

Generate the Certificate Authority (CA)

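Load the settings from the vars file, initialise the keys directory, and generate the CA certificate using the build-ca script. The clean-all script deletes any existing keys directory, so run it only when creating a new PKI:

bash
source ./vars && ./clean-all
./build-ca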

Generate Server Certificate and Key

Generate the server certificate and key using the build-key-server script:

bash
./build-key-server server

Generate Diffie-Hellman Parameters

Generate the Diffie-Hellman parameters using the build-dh script:

bash
./build-dh

Generate Client Certificates and Keys (Optional)

If needed, generate client certificates and keys using the build-key script:

bash
./build-key client

Configuring the OpenVPN Server

With certificates and keys generated, configure the OpenVPN server.

Copy the Sample Server Configuration File

Copy the sample server configuration file from the /usr/share/doc/openvpn/examples/sample-config-files/ directory to /etc/openvpn/:

bash
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server.conf.gz
sudo gzip -d /etc/openvpn/server.conf.gz

Edit the Server Configuration File

Edit the /etc/openvpn/server.conf file to point to the certificates and keys generated earlier:

bash
sudo nano /etc/openvpn/server.conf

Add the following lines:

plaintext
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
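
A check worth running before starting the service, shown here as an added example that is not part of the original article: it confirms that every file named by the ca, cert, key and dh directives exists and that the private key is not accessible to group or other users. The function name audit_server_conf is hypothetical, and the script assumes absolute, unquoted paths as in the lines above.

```sh
#!/bin/sh
# Added example: pre-start audit of the ca/cert/key/dh directives in server.conf.
# audit_server_conf is a hypothetical helper name. Assumes absolute, unquoted
# paths without spaces, as in the directives shown above.
# Prints one finding per line and returns 1 if there is any finding.
# Usage after sourcing this file: audit_server_conf /etc/openvpn/server.conf
audit_server_conf() {
    conf=$1
    report=$(
        for d in ca cert key dh; do
            # Uncommented occurrences only: "#ca ..." and ";ca ..." do not match.
            paths=$(awk -v d="$d" '$1 == d { print $2 }' "$conf")
            [ -n "$paths" ] || { echo "NO-DIRECTIVE $d"; continue; }
            for p in $paths; do
                # "dh none" is valid on OpenVPN 2.4+ (ECDH only) and names no file.
                if [ "$d" = dh ] && [ "$p" = none ]; then
                    continue
                elif [ ! -f "$p" ]; then
                    echo "MISSING-FILE $d $p"
                # Characters 5-10 of the ls mode string are the group/other bits.
                elif [ "$d" = key ] && [ "$(ls -ld "$p" | cut -c5-10)" != "------" ]; then
                    echo "LOOSE-PERMS $d $p"
                fi
            done
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```
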

Enable IP Forwarding

Enable IP forwarding by uncommenting the following line in /etc/sysctl.conf:

plaintext
net.ipv4.ip_forward=1

Reload the sysctl configuration:

bash
sudo sysctl -p /etc/sysctl.conf

Start the OpenVPN Service

Start the OpenVPN service using:

bash
sudo systemctl start openvpn@server

Enable the OpenVPN Service to Start Automatically

Enable the OpenVPN service to start automatically on boot:

bash
sudo systemctl enable openvpn@server

Configuring the Firewall

Ensure your OpenVPN server is accessible by opening the necessary ports in your firewall. For Ubuntu, use UFW (Uncomplicated Firewall).

Allow OpenVPN Traffic

Allow incoming traffic on UDP port 1194, the default port for OpenVPN. Naming the port and protocol explicitly opens UDP only:

bash
sudo ufw allow 1194/udp

Enable UFW

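Enable UFW to apply the new rules. If you manage the server over SSH, make sure a rule allowing SSH is in place first, otherwise enabling the firewall cuts off your session: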

bash
sudo ufw enable

Connecting Clients

Create a client configuration file to connect clients to your OpenVPN server. Use the sample client configuration file provided by OpenVPN.

Copy the Sample Client Configuration File

Copy the sample client configuration file from the /usr/share/doc/openvpn/examples/sample-config-files/ directory to a client-specific directory:

bash
mkdir -p ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Edit the Client Configuration File

Edit the client configuration file to point to the certificates and keys generated earlier:

bash
nano ~/client-configs/base.conf

Add the following lines, replacing YOUR_SERVER_IP with the address of your OpenVPN server:

plaintext
remote YOUR_SERVER_IP 1194
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key

Generate Unique Client Configuration Files

Create a script to generate unique client configuration files based on the base configuration file. Each generated file refers to that client's own certificate and key (client1.crt and client1.key for the first client, and so on).

bash
nano ~/client-configs/generate_client_config.sh

Add the following script:

bash
#!/bin/bash
# Set the base configuration file path
BASE_CONFIG="/home/user/client-configs/base.conf"
# Set the output directory for client configuration files
OUTPUT_DIR="/home/user/client-configs/files"
# Set the CA certificate path
CA_CERT="/path/to/ca.crt"
# Set the server IP address (placeholder: replace before running)
SERVER_IP="YOUR_SERVER_IP"
# Set the port number
PORT=1194
# Set the protocol (udp or tcp)
PROTOCOL="udp"
# Generate unique client configuration files
for i in {1..10}; do # Adjust the number of clients as needed
    echo "Creating client configuration for client $i"
    cp "$BASE_CONFIG" "$OUTPUT_DIR/client$i.conf"
    # Use | as the sed delimiter because the values contain slashes, and
    # keep the directive name in each replacement.
    sed -i "s|^remote .*|remote $SERVER_IP $PORT|" "$OUTPUT_DIR/client$i.conf"
    sed -i "s|^proto .*|proto $PROTOCOL|" "$OUTPUT_DIR/client$i.conf"
    sed -i "s|^ca .*|ca $CA_CERT|" "$OUTPUT_DIR/client$i.conf"
    sed -i "s|^cert .*|cert client$i.crt|" "$OUTPUT_DIR/client$i.conf"
    sed -i "s|^key .*|key client$i.key|" "$OUTPUT_DIR/client$i.conf"
    echo "Client configuration created successfully for client $i"
done

Make the Script Executable

Make the script executable by running:

bash
chmod +x ~/client-configs/generate_client_config.sh

Run the Script

Run the script to generate unique client configuration files:

bash
~/client-configs/generate_client_config.sh

Connect Clients

Clients can now connect to the OpenVPN server using the generated configuration files.
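
The generated files refer to the CA certificate, client certificate and private key by path, so each client must receive all of those files in matching locations. OpenVPN also accepts the same material inline between <ca>, <cert> and <key> tags. The following added example, which is not part of the original article, builds one self-contained profile per client and creates it readable by its owner only, because it embeds the private key; the function name and argument order are hypothetical.

```sh
#!/bin/sh
# Added example: build a self-contained client profile with inline credentials.
# make_inline_profile is a hypothetical helper name.
# Usage: make_inline_profile BASE_CONF CA_CRT CLIENT_CRT CLIENT_KEY OUT_FILE
make_inline_profile() {
    base=$1 ca=$2 cert=$3 key=$4 out=$5
    for f in "$base" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    (
        # The profile embeds the private key, so it must never exist with
        # wider permissions: remove any old copy and create it under umask 077.
        umask 077
        rm -f "$out"
        {
            # Drop path-based ca/cert/key directives; the inline blocks replace them.
            awk '$1 != "ca" && $1 != "cert" && $1 != "key"' "$base"
            printf '<ca>\n'
            cat "$ca"
            printf '</ca>\n<cert>\n'
            # Keep only the PEM block; a .crt file may carry a text dump before it.
            sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cert"
            printf '</cert>\n<key>\n'
            cat "$key"
            printf '</key>\n'
        } > "$out"
    )
}
```

Called once per client, for example with base.conf, ca.crt, client1.crt and client1.key as inputs, it yields a single file to hand to that client over a secure channel.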
