Ubuntu: Setting up OpenVPN

by on Feb.27, 2011, under Linux (Ubuntu)

I’ve used OpenVPN for various reasons in the past. My main purpose was to build a virtual private network with my server. In addition, I wanted to use my server as a gateway so that I could surf the web with a German IP address. Setting everything up was quite a hard job, so I’m going to write a brief installation guide explaining the basic steps:

1.) Log in to your (Ubuntu) server via SSH. Enter the following commands:

apt-get update
apt-get install sudo
apt-get install iptables
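apt-get install -y openvpn

This will update your package lists, install sudo (if you don’t already have it installed), install iptables (needed later to forward traffic from your VPN to the Internet) and OpenVPN itself. Do not add --force-yes to these commands: it makes apt-get continue without prompting even when it is about to do something potentially harmful, such as installing packages that cannot be authenticated.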

2.) Then copy the sample server configuration file, gunzip it, and copy the easy-rsa 2.0 scripts:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa2

3.) Now it’s time to edit the easy-rsa variables file. I’ve used my favourite text editor (vim):

vim /etc/openvpn/easy-rsa2/vars

Change the settings in this file to match your own details:

export KEY_CITY=Düsseldorf
export KEY_ORG="Vpntest"
export KEY_EMAIL=""

4.) The following commands create the CA, the server certificate and key, a client certificate and key (named ersterclient here) and the Diffie-Hellman parameters. Follow the on-screen instructions.

mkdir /etc/openvpn/easy-rsa2/keys
cd /etc/openvpn/easy-rsa2/
source /etc/openvpn/easy-rsa2/vars
sudo -E /etc/openvpn/easy-rsa2/clean-all
sudo -E /etc/openvpn/easy-rsa2/build-ca
sudo -E /etc/openvpn/easy-rsa2/build-key-server server
sudo -E /etc/openvpn/easy-rsa2/build-key ersterclient
sudo -E /etc/openvpn/easy-rsa2/build-dh

5.) Edit the server.conf.

vim /etc/openvpn/server.conf

This is the content of my file. Replace with your server’s IP address:

user    nobody
group   nogroup
dev     tun
port    443
proto   udp
ca      /etc/openvpn/easy-rsa2/keys/ca.crt
cert    /etc/openvpn/easy-rsa2/keys/server.crt
key     /etc/openvpn/easy-rsa2/keys/server.key  # This file should be kept secret
dh      /etc/openvpn/easy-rsa2/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
keepalive 10 120
verb 3
log-append      /var/log/openvpn/openvpn.log
plugin  /usr/lib/openvpn/ common-auth
push "dhcp-option DNS"
push "dhcp-option DNS"

6.) Forward traffic to and from your VPN. Replace with your server’s IP address.

iptables -t nat -A POSTROUTING -s -o venet0 -j SNAT --to

7.) Restart OpenVPN:

sudo /etc/init.d/openvpn restart

If something goes wrong while restarting OpenVPN (for instance, it reports FAIL), you’re probably using a VPS. In this case the following commands, which create the /dev/net/tun device node that OpenVPN needs, might solve the problem (this applies to a few OpenVZ containers):

sudo mkdir -p /dev/net
sudo mknod /dev/net/tun c 10 200
sudo chmod 600 /dev/net/tun
sudo /etc/init.d/openvpn restart
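
To check the server.conf from step 5 for the settings that matter most for security (private key permissions, Diffie-Hellman size, privilege drop), a script like the following can be run on the server. It is an added example, not part of the original post; the function names and finding codes are made up here, and the DH check assumes easy-rsa's dh<KEY_SIZE>.pem file naming.

```shell
# Added example: audit an OpenVPN server.conf for three weak spots.
# Function names and finding codes are made up for this illustration.

# Print the first argument of directive $2 in config file $1.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Print one finding per line; print nothing when all checks pass.
audit_openvpn_conf() {
    conf=$1

    # The private key must not be accessible to group or others.
    key=$(conf_value "$conf" key)
    if [ -n "$key" ] && [ -f "$key" ]; then
        mode=$(stat -c '%a' "$key")    # GNU stat: octal mode, e.g. 600
        case $mode in
            0|*00) ;;
            *) echo "KEY_PERMS $key mode=$mode" ;;
        esac
    fi

    # easy-rsa 2.0 names the DH file dh<KEY_SIZE>.pem, so the file name
    # reveals the size (heuristic: a renamed file is not detected).
    dh=$(conf_value "$conf" dh)
    bits=$(printf '%s\n' "${dh##*/}" | sed -n 's/^dh\([0-9][0-9]*\)\.pem$/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WEAK_DH $dh bits=$bits"
    fi

    # Without both directives the daemon keeps root user or group privileges.
    if [ -z "$(conf_value "$conf" user)" ] || [ -z "$(conf_value "$conf" group)" ]; then
        echo "NO_PRIV_DROP"
    fi
}

# Constructed sample (not from a real server): the layout used in step 5,
# with a world-readable key to show what the findings look like.
demo=$(mktemp -d)
: > "$demo/server.key"; chmod 644 "$demo/server.key"
printf '%s\n' "user nobody" "group nogroup" \
    "key $demo/server.key  # This file should be kept secret" \
    "dh $demo/dh1024.pem" > "$demo/server.conf"
audit_openvpn_conf "$demo/server.conf"
rm -rf "$demo"
```

On the server, replace the demo lines with a call to audit_openvpn_conf /etc/openvpn/server.conf; a config that passes all three checks prints nothing.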

Alright, so the server has been installed successfully. Now it’s time to configure the client.

1.) Install the OpenVPN client for your OS
2.) Go to INSTALLDIR/config/ and copy the ca.crt from your server into this directory.
3.) Edit INSTALLDIR/config/client.ovpn

Here’s the content of my client.ovpn. Replace with your server’s IP address:

dev     tun
proto   udp
remote 443
resolv-retry infinite
ca ca.crt
verb 3
push "dhcp-option DNS"
push "dhcp-option DNS"

Save the file. Finally, you should be able to establish a connection with your VPN server using a user account from your server (those user accounts are regular Linux users). You’ve successfully set up an OpenVPN server and can connect to it via a client.
