Surfing the web through an open or public network, like a hotel Wi-Fi, can be unsafe. Doing online banking or logging into a website with your password over such a network can become a huge security risk. To get around these security issues, you can use a virtual private network (VPN) to tunnel all your internet traffic through a secure, encrypted connection.
There are several ways to set up your own VPN. I will show you how to quickly set up a basic working VPN tunnel with OpenVPN on an Ubuntu 14.04 server. Most steps in this guide are based on the Ubuntu Server Guide, so don’t be surprised if some parts look identical. Anyway, sometimes I’ll do things slightly differently or leave out unnecessary stuff. My goal is to get a working OpenVPN tunnel as easily as possible, without any bells or whistles.
Please also note that I am neither a system administrator nor a network expert, so please leave a comment and correct me if something is wrong or could be improved.
On Ubuntu 14.04 the OpenVPN server can be installed with the APT package manager:
Since we’ll use certificate-based authentication, we first need to set up our own certification authority (CA) to create and sign the server and client certificates later. The easy-rsa package brings everything we need for this.
To prevent the easy-rsa scripts from getting lost during server upgrades, switch to the root user and copy them to the /etc/openvpn/ directory:
Now open the /etc/openvpn/easy-rsa/vars file and adjust the following values according to your needs:
Run the following command to build the certification authority (CA):
If you run into an error while trying to build the CA, see the troubleshooting section below for help.
The next step is to generate the Diffie-Hellman parameters for the OpenVPN server:
Now we are ready to generate and sign the server certificate. easy-rsa also offers a script which does all the work for you. You’ll have to enter some parameters for the server certificate; most of the default values from /etc/openvpn/easy-rsa/vars should be correct.
You’ll be asked whether to “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”, answer both questions with yes.
The server certificates and keys have been generated into the subdirectory /etc/openvpn/easy-rsa/keys/. Common practice is to copy them to /etc/openvpn/:
Each VPN client will also need a certificate to authenticate itself to the server. Usually you create a different certificate for each client. To create the certificate, enter the following in a terminal as the root user:
Copy the following files to the client using a secure method:
As the client certificate and key are only required on the client machine, make sure to remove them from the server afterwards.
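To show what the easy-rsa scripts above (build-ca, build-key-server, build-key) actually do, here is an added example that is not part of the original post: the same CA, server and client certificates created with plain openssl, plus the chain check that OpenVPN performs on every peer. The directory layout, the names ca/server/client1 and the helper names are my own assumptions; use easy-rsa itself on a real server.

```shell
#!/bin/sh
# Added example (not from the post): what build-ca / build-key-server / build-key
# do, expressed with plain openssl. Runs entirely inside the scratch dir $1.
make_pki() (
  dir=$1
  mkdir -p "$dir" && cd "$dir" || return 1
  # 1. The CA: a self-signed certificate. ca.key signs every peer certificate
  #    and must never leave the machine that acts as the CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example-CA" \
    -keyout ca.key -out ca.crt 2>/dev/null || return 1
  # 2. Server and client: generate a key and a signing request, then let the
  #    CA sign the request. This is the "Sign the certificate? [y/n]" step.
  #    (Assumption: easy-rsa additionally sets extendedKeyUsage on the server
  #    certificate so clients can enforce remote-cert-tls; omitted here.)
  for name in server client1; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 365 -out "$name.crt" 2>/dev/null || return 1
    rm -f "$name.csr"
  done
  # Private keys are secrets: readable by their owner only.
  chmod 600 ca.key server.key client1.key
)

# Check that <name>.crt in $1 chains to $1/ca.crt. A certificate issued by a
# different CA (e.g. a copied-over foreign client.crt) must fail this check,
# which is exactly why the server only trusts certificates it signed itself.
verify_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}
```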
Along with your OpenVPN installation you got a basic sample config file:
Start with copying and unpacking server.conf.gz to /etc/openvpn/server.conf.
Edit /etc/openvpn/server.conf to make sure the following lines point to the certificates and keys you created in the section above.
That is the minimum you have to configure to get a working OpenVPN server; you can keep all the other default settings in the sample server.conf file. Now start the server. You will find logging and error messages in your syslog.
Now check if OpenVPN created a tun0 interface:
Routed VPN configuration on server
We now have a working OpenVPN server, but in order to get our internet traffic routed from the client through the server we need to change some configuration.
To keep things simple you’ll find my server.conf here. Edit the config so it looks like the following:
To make the new configuration take effect we need to restart the OpenVPN server:
If you are using a firewall, you may need to open port 1194 to allow connections to your OpenVPN server. Since I am using ufw this can be done by entering the following command in the terminal:
We’re almost done. You should now be able to connect with the client to the OpenVPN server and get an IP address from our local 10.8.0.0/24 subnet. The only problem is that the client is limited to this subnet and has no internet connection. Therefore, we need to set up NAT to route all traffic coming from the local OpenVPN subnet on device tun0 to eth0 (and vice versa).
In order to get NAT working we have to enable packet forwarding in sysctl.
Uncomment the following line:
Now we can add a POSTROUTING rule to iptables that NATs all traffic coming from our local 10.8.0.0/24 subnet out through the physical network device eth0.
To add a bit of extra security we also add two FORWARD rules to iptables. The first one only allows incoming connections to the OpenVPN subnet if they belong to a connection that was initially established from the server side (i.e. replies to outgoing traffic). The second rule allows all outgoing connections from your server.
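The routed setup above in one place, as an added example that is not the post's own server.conf or commands: a helper that writes a minimal routed server.conf, a check that the directives the post calls required are present, and the NAT/FORWARD rules emitted as text so you can review them before applying them as root. The file name dh2048.pem, the certificate paths and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post). Nothing here needs root; the iptables
# commands are only printed, apply them with `nat_rules ... | sh` as root.

# Write a minimal routed server.conf to the path given as $1.
# Assumption: certificates were copied to /etc/openvpn/ and the DH file is dh2048.pem.
write_server_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
EOF
}

# Return 0 if the config contains every directive this setup needs
# (cert paths, the VPN subnet, and the push that routes client traffic via
# the server); otherwise list the missing ones on stderr and return 1.
check_server_conf() {
  missing=""
  for d in ca cert key dh server 'push "redirect-gateway'; do
    grep -q "^$d" "$1" || missing="$missing $d"
  done
  [ -z "$missing" ] && return 0
  echo "missing directives:$missing" >&2
  return 1
}

# Print the NAT and FORWARD rules for VPN subnet $1, tun device $2 and uplink
# device $3: masquerade VPN traffic behind the uplink, only let replies to
# established connections back into the VPN, and allow everything outbound.
nat_rules() {
  echo "iptables -t nat -A POSTROUTING -s $1 -o $3 -j MASQUERADE"
  echo "iptables -A FORWARD -i $3 -o $2 -m state --state RELATED,ESTABLISHED -j ACCEPT"
  echo "iptables -A FORWARD -i $2 -o $3 -j ACCEPT"
}
```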
You should now be able to establish a secure VPN tunnel between your client and the OpenVPN server. I won’t cover the client configuration here. If you need help on how to configure the VPN client there should be plenty of tutorials out there. Also, the client configuration may vary depending on which client you are using.
You may see the following error message when running the ./build-ca command:
To fix this error open /etc/openvpn/easy-rsa/vars and add the following line at the end of the file:
This should do the trick.