How to set up openvpn on ubuntu 16 04

Information TechnologyUbuntuLinux

In this article, we will learn how to configure OpenVPN server on Ubuntu Linux. Yes, we can do it using a VPN (Virtual Private network) which allows you to connect to work place from untrusted networks privately and securely. For instance, If you are in a hotel or a coffee shop and wish to access work environment safely and securedly through a Wi-fi network using a Smartphone or laptop

OpenVPN is a full featured and open source secure socket layer (SSL) VPN solution that accommodates wide range of configurations.

Installing OpenVPN

To start the installation, we needed an Ubuntu machine with non-root user with sudo privileges,

Log into the Ubuntu machine using ‘sudo’ user and continue the steps below.

AS OpenVPN is available in Ubuntu’s default repositories, we needed to update the server and we will install the easy-rsa package to get the internal CA (certificate authority) for use with our VPN server.

$ sudo apt-get update

After we update the server, we will install OpenVPN and easy-rsa

$ sudo apt-get install openvpn easy-rsa

Setting up the CA Directory

OpenVPN is a TLS/SSL VPN. This means that it will use certificates in order to encrypt the data traffic between the server and clients. To issue trusted certificates we will set up our own simple certificate authority (CA).

We will copy the easy-rsa template directory to our home directory with the make-cadir command

$ sudo make-cadir ~/openvpn-ca

Change the directory to newly created directory to begin configuring the CA

$ cd ~/openvpn-ca

Configure CA Variables

We need to edit the values in the ‘vars’ file within the directory. Open the file to edit now.

$ source vars

We will find some variables which can be adjusted to determine that how our certificates should be created. In this demo we will change some of them.

We will find some settings that sets the default for the new certificates which looks like the below

. . .
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
. . .

Edit the values to your region and requirement. Below is the information for demo purpose.

. . .
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="in"
export KEY_CITY="Hyderabad"
export KEY_ORG="RIG"
export KEY_EMAIL=""
export KEY_OU="Resource Infomatics Group"
# X509 Subject Field
. . .
We will also edit the KEY_NAME value which is just below this section, for demo purpose we will call as vpn_server
export KEY_NAME="vpn_server"
Save the file and close it.

Building the CA (Certificate Authority)

We can use the variables we set in the easy-ras utilities to build our certificate authority, Change to the CA directory which we created in previous steps, then source the vars file which we edited.

$ cd ~/openvpn-
ca$ source
vars$ ./clean-all
$ ./build-ca

This will create the root certificate and authority key with certificate. Just press ENTER key as we have already given the information in vars file.

Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [New York City]:
Organization Name (eg, company) [DigitalOcean]:
Organizational Unit Name (eg, section) [Community]:
Common Name (eg, your name or your server's hostname) [DigitalOcean CA]:
Name [server]:
Email Address []:
Creating the Server Certificate, Key and Encryption Files.
We will create the Server Certificate, Key and Encryption and also some additional files used for the encryption process.
We can use the below command to generate key certificate and key pair.
$ ./build-key-server serverCountry Name (2 letter code) [in]:
State or Province Name (full name) [ap]:
Locality Name (eg, city) [Hyderabad]:
Organization Name (eg, company) [rigaps]:
Organizational Unit Name (eg, section) [RIGAPS]:
Common Name (eg, your name or your server's hostname) [server]:
Name [RIGAPS_EasyRSA]:
Email Address []:
Please enter the following 'extra' attributesto be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/ubuntu/openvpn-ca/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :                 PRINTABLE:'in'
stateOrProvinceName :         PRINTABLE:'ap'
localityName :                PRINTABLE:'Hyderabad'
organizationName :            PRINTABLE:'rigaps'
organizationalUnitName:       PRINTABLE:'RIGAPS'
commonName :                  PRINTABLE:'server'
name :                        T61STRING:'RIGAPS_EasyRSA'
emailAddress :                IA5STRING:''
Certificate is to be certified until Jun 4 10:03:24 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Accept the default values by pressing ENTER key. Also don’t enter the password for the setup till the end.

We can generate the Diffie-Hellman keys to use with the key exchange.

$ ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
We will generate HMAC Signature to strengthen the servers TLS integrity verfication.
$ openvpn --genkey --secret keys/ta.key

Generating a Client Certificate and Key Pair

We will generate a client key and certificate using the below command, lets think client1 as a client for demo –

$ cd ~/openvpn-ca
$ source vars
$ ./build-key client1

Configure the OpenVPN Services

We can configure the OpenVPN using the credentials and files just we generated

Copying the files to the OpenVPN Directory

As we needed to copy all the files generated to /etc/openvpn

$ cd ~/openvpn-ca/keys
$ sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn

Then we needed to copy and unzip the sample Configuration file to the directory.

$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

We needed to modify the server configuration files

$ sudo nano /etc/openvpn/server.conf

Needed to uncomment some directives ” redirect-gateway”

…. push “redirect-gateway def1 bypass-dhcp” …. push “dhcp-option DNS” push “dhcp-option DNS” … tls-auth ta.key 0 # This file is secret


and add below line

key-direction 0

Finally un-comment the below line by removing ‘;’

user nobody
group nogroup

Save and close the file

Setting Server Networking Configuration

As we needed to adjust some settings on the server, networking to route the OpenVPN traffic.

Allowing IP Forward on the server

We will allow the server to forward the incoming traffic, which is an important step for VPN server setup.

To do that we needed to modify the /etc/sysctl.conf file.

$ sudo nano /etc/sysctl.conf

Locate for the line net.ipv4.ip_forward and remove ‘#’ to uncomment the line


Save the file

To apply the changes in the current session use the below command

$ sudo sysctl –p

Start and Enabling the OpenVPN Services

We have to start the OpenVPN services on the server, to do that we will start the OpenVPN server by using the configuration file as an instance for the variables the configuration file is on the server at /etc/openvpn/server.conf and we will add @server to end of the command when we start the server

$ sudo systemctl start openvpn@server

We can check the services status by using the below command

$ sudo systemclt status openvpn@server
$ openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2016-06-06 13:30:05 EDT; 37s ago
Docs: man:openvpn(8)
Process: 5852 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/ (code=exited, sta
Main PID: 5856 (openvpn)
Tasks: 1 (limit: 512)
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─5856 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/
June 06 13:30:40 openvpn2 ovpn-server[5856]: /sbin/ip addr add dev tun0 local peer
June 06 13:30:40 openvpn2 ovpn-server[5856]: /sbin/ip route add via
June 06 13:30:40 openvpn2 ovpn-server[5856]: GID set to nogroup
June 06 13:30:40 openvpn2 ovpn-server[5856]: UID set to nobody
June 06 13:30:40 openvpn2 ovpn-server[5856]: UDPv4 link local (bound): [undef]
June 06 13:30:40 openvpn2 ovpn-server[5856]: UDPv4 link remote: [undef]
June 06 13:30:40 openvpn2 ovpn-server[5856]: MULTI: multi_init called, r=256 v=256
June 06 13:30:40 openvpn2 ovpn-server[5856]: IFCONFIG POOL: base= size=62, ipv6=0
June 06 13:30:40 openvpn2 ovpn-server[5856]: IFCONFIG POOL LIST
June 06 13:30:40 openvpn2 ovpn-server[5856]: Initialization Sequence Completed

We can check the OpenVPN tun0 interface by using the below command

$ ip addr show tune0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
inet peer scope global tun0
valid_lft forever preferred_lft forever

Now we will set the service to start at the boot time automatically.

$ sudo systemctl enable openvpn@server

Creating Client Configuration

We needed to create client home directory to store the files

$ mkdir –p ~/clients/files

For security reason we needed to change the folder permission as this folder contains keys of the client machines

$ chmod 7000 ~/clients/files

Creating Client base Configuration

We can use the sample client configuration for that we needed to copy the file to the current location.

$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client/base.conf

Open the configuration file using any text edition

$ vi ~/client/base.conf

We needed to change some changes in the file, search for the remote in the file

Remote server_IP_Address 1194
(Here we needed to add our public IP address)
user nobody
group nogroup
(Here we needed to un-comment the above lines)
# ca ca.crt
# cert client.crt
# key client.key
(We needed to comment the above lines in the configuration file)
Key-direction 1
(We needed to add the key-direction to the file at the end)
Save the file

Generating Script for Creating Configuration files

We will create a simple script to generate the certificates,keys and encrypted files and to compile the base configuration which we edited in before step. Create the file with the below code

$ nano ~/client/
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn

After creating the file we needed to make that file executable

$ chmod 7000 ~/client/

Generating the Client Configruations File

We will generate the client certificate and key for client1 using the below command

$ cd ~/clients
$ ./ client1

If all the scripts run well, we will a have client.ovpn file in our ~/client/files directory.

We needed to transfer the client files to the client machine using WinSCP, here we are using Windows machine for a client

Installing the Client Configuration on Windows

We needed to download the OpenVPN software on the windows machine and we needed to copy the .ovpn i.e., client1.ovpn file to c:\Program Files\OpenVPN\config

Note − We needed to run the OpenVPN GUI, on the windows machine with administrator rights, means Run as Administrator.

Once the OpenVPN opens it will initiate the connection and minimize to system tray and right click on the OpenVPN applet icon, and select client1 and choose Connect.

We can use any client OSx , Andriod, IOS. Etc. to connect to the server

We needed to generate the Client Certificate and key pair, generate the client configuration file for a each device.

After this configuration and setup we can connect to the office or environment securely protecting the identity from the snoopers and censors.

Updated on 18-Oct-2019 12:34:33