How to Create an OpenVPN Server on Ubuntu 16.04

Introduction

OpenVPN is a secure VPN which uses SSL ( Secure Socket Layer ) and offers a broad range of features. In this guide we’ll be covering the process of installing OpenVPN on Ubuntu 16 utilizing the easy-rsa hosted certificate authority.

Install

In order to get started, we need some packages installed:

sudo su
apt-get update
apt-get install openvpn easy-rsa

Certificate Authority

OpenVPN is a SSL VPN, which means that it acts as Certificate Authority in order to encrypt the traffic between both parties.

Setup

We can start with setting up our OpenVPN server’s Certificate Authority by running the following command:

make-cadir ~/ovpn-ca

We can now switch into our fresh created directory:

cd ~/ovpn-ca

Configure

Open the file with the name vars and take a look at the following parameters:

export KEY_COUNTRY="US"
export KEY_PROVINCE="NJ"
export KEY_CITY="Matawan"
export KEY_ORG="Your Awesome Organization"
export KEY_EMAIL="me@your_awesome_org.com"
export KEY_OU="YourOrganizationUnit"

And edit them with your own values. We also need to look for and edit the following line:

export KEY_NAME="server"

Build

We can now start building our Certificate Authority by running the following command:

./clean-all
./build-ca

These commands might take a few minutes to complete.

Server-Key

Now, we can start building our server’s key by running the following command:

./build-key-server server

While the server field should be replaced with KEY_NAME we set in the vars file earlier. In our case, we can keep server.

The build process of our server’s key might ask a few questions, like the expiration of itself. We answer all these questions with y.

Strong Key

In the next step, we create a strong Diffie-Hellman key which will be used during the exchange of our keys. Type in the following command to create one:

./build-dh

HMAC

We can now create a HMAC signature to strengthen the server’s TLS integrity verification:

openvpn --genkey --secret keys/ta.key

Generate a Client Key

./build-key client

Configure the Server

Once we’ve successfully created our own Certificate Authority, we can start with copying all needed files and configuring OpenVPN itself. Now, we’re going to copy the generated keys and certificates to our OpenVPN directory:

cd keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
cd ..

Afterwards, we can copy an example OpenVPN config file to our OpenVPN directory by running the following command:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf

Edit the Config

We can now start editing our config to fit our needs. Open the file /etc/openvpn/server.conf and uncomment the following lines:

push "redirect-gateway def1 bypass-dhcp"
user nobody
group nogroup
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
tls-auth ta.key 0

We also need to add a new line to our config. Place the following line under the tls-auth line:

key-direction 0

Allow Forwarding

Because we want to allow our clients to access the Internet through our server, we open the following file /etc/sysctl.conf and uncomment this line:

net.ipv4.ip_forward=1

Now we have to apply the changes:

sysctl -p

NAT

In order to provide Internet Access to our VPN clients, we also have to create a NAT rule. This rule is a short one-liner which looks like this:

iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE

Start

We can now start our OpenVPN server and let clients connect by typing in the following key:

service openvpn start

Conclusion

This concludes our tutorial. Enjoy your new OpenVPN Server!