How to setup a VPN server with OpenVPN


OpenVPN is one of the most widely used VPN solutions and the leading open source VPN. It uses SSL/TLS to build VPN tunnels that encrypt all the traffic sent through them. Today let’s take a look at how to install and set up an OpenVPN server.

Install OpenVPN

The first step is to install OpenVPN:

Ubuntu/Debian:

$ sudo apt-get update
$ sudo apt-get install openvpn easy-rsa

CentOS 7/Fedora:

$ sudo yum update
$ sudo yum install openvpn easy-rsa

Other distributions:

Refer to your distribution’s package manager to install the two packages openvpn and easy-rsa.

Set up the Certificate Authority

In this step you will set up a Certificate Authority (CA), the piece of software you trust to sign certificates. If you already have a CA in your setup you can skip this step and should use the documentation associated with your CA to issue/revoke certificates.

$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca

Now you should edit a file named vars inside the folder you just created. Near the end of the file you will find the following lines, fill them in with your desired configuration using your favorite text editor:

export KEY_COUNTRY=""    # Two-letter country code: e.g. "US"
export KEY_PROVINCE=""   # Two-letter province code: e.g. "NY"
export KEY_CITY=""       # Full city name: e.g. "New York City"
export KEY_ORG=""        # Organization name: e.g. "My organization"
export KEY_EMAIL=""      # Admin mail: e.g. "admin@example.com"
export KEY_OU=""         # Organization Unit: e.g. "Research"
export KEY_NAME=""       # The name of the key: e.g. "RootCA". This line is in the middle of the file rather than near the end.

Now that you’ve set all the variables, you can do:

$ source vars
$ ./build-ca

Now that you have the CA up and running you’re ready to start signing certificates.

Set up the Server certificate and the OpenVPN server

The first certificate you will issue is the one for the OpenVPN server itself. It is what lets your clients verify that they are connected to the RIGHT server rather than an impostor.

$ cd ~/openvpn-ca
$ source vars
$ ./build-key-server server

You will be asked for the usual plethora of confirmations; in the end you will get a signed server certificate. To strengthen the key exchange you will now generate Diffie-Hellman parameters (dh2048.pem; be aware this will take some time):

$ ./build-dh

In addition you can generate an HMAC key (ta.key, used by the tls-auth directive) to further increase security:

$ openvpn --genkey --secret keys/ta.key

Now that you have all the pieces in place we can copy them to the server configuration directory (/etc/openvpn):

$ cd ~/openvpn-ca/keys
$ sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn

All that’s missing now is a server configuration file; luckily there’s a sample file within your installation. With this command we extract the file from its archive and copy it to your server configuration directory:

$ gunzip -c /usr/share/doc/openvpn*/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

This file can be quite daunting, but it’s full of comments that will help you out. For brevity you can find here a “clean” version of a functioning file:

# Port/protocol
port 1194
proto udp

# Device configuration
dev tun # You can also use TAP, depending on your needs.

# VPN subnet handed out to clients (the sample file's default). Without this
# directive OpenVPN does not start as a multi-client server.
server 10.8.0.0 255.255.255.0

# Key configuration (paths are relative to /etc/openvpn)
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

# HMAC: the server uses key direction 0, clients use direction 1
tls-auth ta.key 0
cipher AES-256-CBC

# Max clients
;max-clients 100

# Miscellaneous settings
keepalive 10 120
# Drop root privileges once the tunnel is up. On Debian/Ubuntu the
# unprivileged group is called nogroup rather than nobody.
user nobody
group nobody
persist-key
persist-tun
verb 3
# Only valid together with "proto udp"
explicit-exit-notify 1

Edit this file according to your needs, remembering that lines starting with a # or a ; are comments.

Setting up network and OpenVPN service

Allow IP Forwarding

In order to be able to route network packets, your Linux kernel must be instructed to do so:

$ echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
$ sudo sysctl -p

Open firewall ports

In order for the OpenVPN traffic to pass you will need to open ports within your firewall. Change the following commands according to your port/protocol specified in the server.conf file:

Ubuntu/Debian:

$ sudo ufw allow 1194/udp
$ sudo ufw reload

CentOS 7/Fedora:

$ sudo firewall-cmd --add-port=1194/udp --permanent
$ sudo firewall-cmd --reload

Other distributions:

Refer to your distribution’s firewall to open the ports defined in the server.conf file.

Setting up masquerading

Ubuntu/Debian:

Change the default forward policy so that the packets OpenVPN forwards won’t get discarded:

$ sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
$ sudo systemctl restart ufw

CentOS 7/Fedora:

Enable masquerading (NAT/PAT):

$ sudo firewall-cmd --add-masquerade --permanent
$ sudo firewall-cmd --add-masquerade
$ sudo firewall-cmd --reload
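Two practical caveats for the forwarding and masquerading steps above. First, the `tee -a` one-liner appends a new line to /etc/sysctl.conf every time it is run, so a host that has been set up twice ends up with duplicate entries. Second, on Ubuntu/Debian the forward-policy change only stops ufw from dropping forwarded packets; the actual NAT rule that rewrites VPN clients’ source addresses lives in /etc/ufw/before.rules, where a *nat table block has to be placed above the existing *filter section. The script below is an added example, not part of the original article or of ufw; the function names are ours, the 10.8.0.0/24 VPN subnet is the sample server.conf default (an assumption), and the interface name is whatever carries your public traffic. Both edits are idempotent and operate on whichever file path you pass, so they can be tried on scratch copies before being pointed at the real files as root.

```shell
#!/bin/sh
# Added example, not from the original article: idempotent versions of the
# ip_forward and ufw masquerading steps. Function names are ours.

# Set net.ipv4.ip_forward=1 in a sysctl.conf-style file, rewriting an existing
# uncommented assignment instead of appending a duplicate. Returns 0 on success.
sysctl_set_ip_forward() {
    file=$1
    tmp=$(mktemp) || return 1
    awk '
        /^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=/ { print "net.ipv4.ip_forward=1"; seen = 1; next }
        { print }
        END { if (!seen) print "net.ipv4.ip_forward=1" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# Print the value the file assigns to ip_forward (last assignment wins, which
# is how 'sysctl -p' applies them); empty if the file never sets it.
sysctl_file_ip_forward() {
    awk -F= '/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=/ { v = $2 }
             END { gsub(/[[:space:]]/, "", v); print v }' "$1"
}

# Print the *nat block ufw needs so VPN clients are masqueraded out of the
# public interface. Inputs are validated because the text is destined for a
# root-owned firewall file. Returns 1 on a malformed subnet or interface name.
ufw_nat_block() {
    subnet=$1; iface=$2
    echo "$subnet" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
        || { echo "bad subnet: $subnet" >&2; return 1; }
    echo "$iface" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$' \
        || { echo "bad interface: $iface" >&2; return 1; }
    cat <<EOF
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade VPN clients ($subnet) leaving through $iface
-A POSTROUTING -s $subnet -o $iface -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# Insert the block above the first '*filter' line of a before.rules file,
# once only (a second run is a no-op). Returns 1 if it could not be placed.
ufw_install_nat_block() {
    file=$1; subnet=$2; iface=$3
    grep -q '^# START OPENVPN RULES' "$file" && return 0
    block=$(ufw_nat_block "$subnet" "$iface") || return 1
    tmp=$(mktemp) || return 1
    awk -v block="$block" '/^\*filter/ && !done { print block; done = 1 } { print }' \
        "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"
    [ "$rc" -eq 0 ] && grep -q '^# START OPENVPN RULES' "$file"
}

# Demo on scratch copies; on a real host point these at /etc/sysctl.conf and
# /etc/ufw/before.rules as root, then run 'sysctl -p' and 'ufw reload'.
work=$(mktemp -d)
printf 'net.ipv4.ip_forward = 0\n' > "$work/sysctl.conf"
sysctl_set_ip_forward "$work/sysctl.conf" \
    && echo "ip_forward in file: $(sysctl_file_ip_forward "$work/sysctl.conf")"
printf '%s\n' '# constructed minimal before.rules' '*filter' ':ufw-before-input - [0:0]' 'COMMIT' \
    > "$work/before.rules"
ufw_install_nat_block "$work/before.rules" 10.8.0.0/24 eth0 && cat "$work/before.rules"
rm -rf "$work"
```

The interface check rejects anything that is not a plain kernel interface name, so a value copied from an untrusted source cannot smuggle extra rules or shell text into the firewall file.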

Starting and enabling OpenVPN at boot

$ sudo systemctl start openvpn@server
$ sudo systemctl enable openvpn@server

Be mindful that if you used a different name for the server.conf file you should change these commands accordingly.

Generating client certificates

You can simply generate client certificates (that you will use to connect from other devices) by doing:

$ cd ~/openvpn-ca
$ source vars
$ ./build-key client1

This generates a certificate whose private key is not password-protected; if you want a password-protected key, use ./build-key-pass instead of ./build-key.
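Whether the certificate is for the server (previous section) or for a client (this one), it pays to check the files easy-rsa wrote before copying them into /etc/openvpn or handing them to a user: that the certificate really chains to your ca.crt, that the private key next to it is the matching one, and that it carries the extended key usage for its role. The role check is the security-relevant part: build-key-server marks the server certificate with serverAuth, and that is what a client verifies with the `remote-cert-tls server` directive, so that an ordinary client certificate signed by the same CA cannot be used to stand in for the server. The checker below is an added example, not part of the original article or of easy-rsa; the function names are ours and only the openssl command-line tool is needed. Because it needs key material to run, it also builds a throwaway CA plus one server and one client certificate with plain openssl as a constructed stand-in for the easy-rsa output.

```shell
#!/bin/sh
# Added example, not from the original article or easy-rsa: sanity checks for
# a certificate/key pair against the CA. Function names are ours.

# Does the cert chain to the CA, does the key belong to it, and does it carry
# the extended key usage for its role (server or client)? Prints one line per
# failed check; returns 0 only if everything passes, 2 on a bad role argument.
ovpn_check_cert() {
    ca=$1; cert=$2; key=$3; role=$4; bad=0
    case "$role" in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) echo "role must be server or client"; return 2 ;;
    esac
    # Chain check; parse the ": OK" line rather than relying on the exit code,
    # which older openssl releases did not set on failure.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "$cert: not signed by $ca"; bad=1; }
    # The public key inside the cert must equal the one derived from the key.
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$keypub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "$key: does not match $cert"; bad=1; }
    # Role check: serverAuth for the server, clientAuth for clients.
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q "$want" \
        || { echo "$cert: missing extended key usage for role $role"; bad=1; }
    return $bad
}

# Constructed stand-in for the easy-rsa output so the checks can be exercised
# offline: a throwaway CA, a server cert (serverAuth) and a client cert
# (clientAuth). Real deployments use build-ca / build-key-server / build-key.
make_toy_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=toy-ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    for name in server client1; do
        case $name in server) eku=serverAuth ;; *) eku=clientAuth ;; esac
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1 || return 1
        printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
        openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
            -out "$dir/$name.crt" >/dev/null 2>&1 || return 1
    done
}

# Demo on the constructed PKI (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_toy_pki "$work"
    ovpn_check_cert "$work/ca.crt" "$work/server.crt" "$work/server.key" server \
        && echo "server certificate OK"
    ovpn_check_cert "$work/ca.crt" "$work/client1.crt" "$work/client1.key" client \
        && echo "client1 certificate OK"
    # Expected to fail: a client certificate cannot pass as the server.
    ovpn_check_cert "$work/ca.crt" "$work/client1.crt" "$work/client1.key" server \
        || echo "client1 rejected as server (expected)"
    rm -rf "$work"
fi
```

Against a real easy-rsa tree the call is `ovpn_check_cert ~/openvpn-ca/keys/ca.crt ~/openvpn-ca/keys/client1.crt ~/openvpn-ca/keys/client1.key client`; for a key made with build-key-pass openssl will prompt for its passphrase.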
