{"id":5664,"date":"2020-05-01T19:28:03","date_gmt":"2020-05-01T16:28:03","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5664"},"modified":"2024-03-14T20:47:54","modified_gmt":"2024-03-14T17:47:54","slug":"install-and-setup-openvpn-server-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-openvpn-server-on-ubuntu-20-04\/","title":{"rendered":"Install and Setup OpenVPN Server on Ubuntu 20.04"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to install and setup OpenVPN Server on Ubuntu 20.04.&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/openvpn.net\/\" target=\"_blank\">OpenVPN<\/a>&nbsp;is a robust and highly flexible open-source VPN software that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port.<\/p>\n\n\n\n<p>It facilitates the extension of private network across a public network, access remote sites, make secure point-to-point connections, while maintaining security that would be achieved in a private network.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing OpenVPN Server on Ubuntu 20.04<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Run system update<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install OpenVPN on Ubuntu 20.04<\/h3>\n\n\n\n<p>OpenVPN package is available on the default Ubuntu 20.04 repos. Thus the installation is as simple as running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install openvpn<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install Easy-RSA CA Utility on Ubuntu 20.04<\/h3>\n\n\n\n<p>Easy-RSA package provides utilities for generating SSL key-pairs that is used to secure VPN connections.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install easy-rsa<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Create OpenVPN Public Key Infrastructure<\/h3>\n\n\n\n<p>Once you have installed easy-rsa, you need to initialize the OpenVPN PKI. The PKI consists of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a public key and private key for the server and each client<\/li>\n\n\n\n<li>a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.<\/li>\n<\/ul>\n\n\n\n<p>Before you can proceed, copy the easy-rsa configuration directory to a different location to ensure that that future OpenVPN package upgrades won\u2019t overwrite your modifications.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp -r \/usr\/share\/easy-rsa \/etc\/<\/code><\/pre>\n\n\n\n<p>Next, initialize the PKI.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd \/etc\/easy-rsa\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/easyrsa init-pki<\/code><\/pre>\n\n\n\n<p>Once the PKI is initialized, <code><strong>\/etc\/easy-rsa\/pki<\/strong><\/code> is created.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Generate the Certificate Authority (CA) Certificate and Key<\/h4>\n\n\n\n<p>Next, generate the CA certificate and key for signing OpenVPN server and client certificates.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd \/etc\/easy-rsa\/\n.\/easyrsa build-ca<\/code><\/pre>\n\n\n\n<p>This will prompt you for the CA key passphrase and the server common name.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020\n\nEnter New CA Key Passphrase: <strong>ENTER PASSWORD<\/strong>\nRe-Enter New CA Key Passphrase: <strong>RE-ENTER PASSWORD<\/strong>\nGenerating RSA private key, 2048 bit long modulus (2 primes)\n...................+++++\n..............+++++\ne is 65537 (0x010001)\nCan't load \/etc\/easy-rsa\/pki\/.rnd into RNG\n139840045897024:error:2406F079:random number generator:RAND_load_file:Cannot open file:..\/crypto\/rand\/randfile.c:98:Filename=\/etc\/easy-rsa\/pki\/.rnd\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCommon Name (eg: your user, host, or server name) [Easy-RSA CA]:<strong>Kifarunix-demo CA<\/strong>\n\nCA creation complete and you may now import and sign cert requests.\nYour new CA certificate file for publishing is at:\n\/etc\/easy-rsa\/pki\/ca.crt\n<\/code><\/pre>\n\n\n\n<p>The CA certificate is generated and stored at&nbsp;<code>\/etc\/easy-rsa\/pki\/ca.crt<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Generate Diffie Hellman Parameters<\/h4>\n\n\n\n<p>Generate Diffie-Hellman keys used for key exchange during the TLS handshake between OpenVPN server and the connecting clients. This command has be executed within the Easy-RSA directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/easyrsa gen-dh<\/code><\/pre>\n\n\n\n<p>DH parameters of size 2048 created at <code><strong>\/etc\/easy-rsa\/pki\/dh.pem<\/strong><\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Generate OpenVPN Server Certificate and Key<\/h3>\n\n\n\n<p>To generate a certificate and private key for the OpenVPN server, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd \/etc\/easy-rsa<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/easyrsa build-server-full server nopass<\/code><\/pre>\n\n\n\n<p>Enter the CA key passphrase create above to generate the certificates and keys.<\/p>\n\n\n\n<p><strong><code>nopass<\/code><\/strong>&nbsp;disables the use of passphrase.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Generate Hash-based Message Authentication Code (HMAC) key<\/h3>\n\n\n\n<p>TLS\/SSL pre-shared authentication key is used as an additional HMAC signature on all SSL\/TLS handshake packets to avoid DoS attack and UDP port flooding. This can be generated using the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openvpn --genkey secret \/etc\/easy-rsa\/pki\/ta.key<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Generate OpenVPN Revocation Certificate<\/h3>\n\n\n\n<p>To invalidate a previously signed certificate, you need to generate a revocation certificate. Run the script within the Easy-RSA directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/easyrsa gen-crl<\/code><\/pre>\n\n\n\n<p>The revocation certificate is generated and stored at&nbsp;<code>\/etc\/easy-rsa\/pki\/crl.pem<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Copy Server Certificates and Keys to Server Config Directory<\/h3>\n\n\n\n<p>Copy all generated server certificates\/keys to OpenVPN server configuration directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,dh.pem,ta.key,crl.pem,issued,private} \/etc\/openvpn\/server\/<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Generate OpenVPN Client Certificates and Keys<\/h3>\n\n\n\n<p>OpenVPN clients certificates and private keys can be generated as follows<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd \/etc\/easy-rsa<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/easyrsa build-client-full koromicha nopass<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>where&nbsp;<strong><code>koromicha<\/code><\/strong>&nbsp;is the name of the client for which the certificate and keys are generated.<\/li>\n\n\n\n<li>Always use a unique common name for each client that you are generating certificate and keys for.<\/li>\n<\/ul>\n\n\n\n<p>To generate for the second client,<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/easyrsa build-client-full janedoe nopass<\/code><\/pre>\n\n\n\n<p>You can see how to use <code>easyrsa<\/code> command with <code>.\/easyrsa --help<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Copy Client Certificates and Keys to Client Directory<\/h3>\n\n\n\n<p>Create OpenVPN clients directories. For example, we have generated certificates and key files for two clients, koromicha and janedoe, hence we create directories as;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir \/etc\/openvpn\/client\/{koromicha,janedoe}<\/code><\/pre>\n\n\n\n<p>After that, copy the client generated certificates\/keys and server CA certificate to OpenVPN client configuration directory. You can<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,issued\/koromicha.crt,private\/koromicha.key} \/etc\/openvpn\/client\/koromicha<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,issued\/janedoe.crt,private\/janedoe.key} \/etc\/openvpn\/client\/janedoe\/<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure OpenVPN Server on Ubuntu 20.04<\/h3>\n\n\n\n<p>The next step is to configure OpenVPN server. Copy the sample OpenVPN server configuration to <code>\/etc\/openvpn\/server<\/code> directory as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz \/etc\/openvpn\/server\/<\/code><\/pre>\n\n\n\n<p>Extract the configuration and modify it to suite your needs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd \/etc\/openvpn\/server\/\ngunzip server.conf.gz<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/openvpn\/server\/server.conf<\/code><\/pre>\n\n\n\n<p>This is how our sample configurations looks like with no comments. The configuration is highly commented to help you understand various option usage.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>port 1194\nproto udp4\ndev tun\nca ca.crt\ncert issued\/server.crt\nkey private\/server.key  # This file should be kept secret\ndh dh.pem\ntopology subnet\nserver 10.8.0.0 255.255.255.0\nifconfig-pool-persist \/var\/log\/openvpn\/ipp.txt\npush \"redirect-gateway def1 bypass-dhcp\"\npush \"dhcp-option DNS 208.67.222.222\"\npush \"dhcp-option DNS 192.168.2.11\"\nclient-to-client\nkeepalive 10 120\ntls-auth ta.key 0 # This file is secret\ncipher AES-256-CBC\npersist-key\npersist-tun\nstatus \/var\/log\/openvpn\/openvpn-status.log\nlog-append  \/var\/log\/openvpn\/openvpn.log\nverb 3\nexplicit-exit-notify 1\nauth SHA512\n<\/code><\/pre>\n\n\n\n<p>Save and exit the config once done editing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configure OpenVPN IP Forwarding<\/h3>\n\n\n\n<p>To ensure that traffic from the client is routed through the OpenVPN server&#8217;s IP address (helps masks the the client IP address), you need to enable IP forwarding on the OpenVPN server. <\/p>\n\n\n\n<p>Uncomment the line, <code><strong>net.ipv4.ip_forward=1<\/strong><\/code>, on <code><strong>\/etc\/sysctl.conf<\/strong><\/code> to enable packet forwarding for IPv4 <\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sed -i 's\/#net.ipv4.ip_forward=1\/net.ipv4.ip_forward=1\/' \/etc\/sysctl.conf<\/code><\/pre>\n\n\n\n<p>Apply the changes without rebooting the server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sysctl --system<\/code><\/pre>\n\n\n\n<p>Allow OpenVPN service port through firewall;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow 1194\/udp<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure IP Masquerading on UFW<\/h3>\n\n\n\n<p>Find your default interface through which your packets are sent.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ip route get 8.8.8.8<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>8.8.8.8 via 10.0.2.2 dev <strong>enp0s3<\/strong> src 10.0.2.15 uid 0<\/code><\/pre>\n\n\n\n<p>Next, update UFW rules;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/ufw\/before.rules<\/code><\/pre>\n\n\n\n<p>Add the following highlighted lines just before the <strong><code>*filter<\/code><\/strong> table settings. Note the interface used shoud match the interface name above.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n<strong>*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0\/8 -o enp0s3 -j MASQUERADE\nCOMMIT<\/strong>\n# Don't delete these required lines, otherwise there will be errors\n*filter\n...\n<\/code><\/pre>\n\n\n\n<p>Save and exit the config.<\/p>\n\n\n\n<p>Enable UFW packet forwarding;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sed -i 's\/DEFAULT_FORWARD_POLICY=\"DROP\"\/DEFAULT_FORWARD_POLICY=\"ACCEPT\"\/' \/etc\/default\/ufw<\/code><\/pre>\n\n\n\n<p>Reload UFW;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw reload<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running OpenVPN Server on Ubuntu 20.04<\/h3>\n\n\n\n<p>Start and enable OpenVPN server to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now openvpn-server@server<\/code><\/pre>\n\n\n\n<p>Checking the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl status openvpn-server@server<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf openvpn-server@server.service - OpenVPN service for server\n     Loaded: loaded (\/lib\/systemd\/system\/openvpn-server@.service; enabled; vendor preset: enabled)\n     Active: active (running) since Fri 2020-05-01 16:07:33 UTC; 3s ago\n       Docs: man:openvpn(8)\n             https:\/\/community.openvpn.net\/openvpn\/wiki\/Openvpn24ManPage\n             https:\/\/community.openvpn.net\/openvpn\/wiki\/HOWTO\n   Main PID: 11980 (openvpn)\n     Status: \"Initialization Sequence Completed\"\n      Tasks: 1 (limit: 2281)\n     Memory: 1.0M\n     CGroup: \/system.slice\/system-openvpn\\x2dserver.slice\/openvpn-server@server.service\n             \u2514\u250011980 \/usr\/sbin\/openvpn --status \/run\/openvpn-server\/status-server.log --status-version 2 --suppress-timestamps --config server.conf\n\nMay 01 16:07:33 vpn.kifarunix-demo.com systemd[1]: Starting OpenVPN service for server...\nMay 01 16:07:33 vpn.kifarunix-demo.com systemd[1]: Started OpenVPN service for server.\n<\/code><\/pre>\n\n\n\n<p>When OpenVPN service runs, it will create a tunnelling interface, tun0;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ip add s<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n4: tun0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100\n    link\/none \n    inet 10.8.0.1\/24 brd 10.8.0.255 scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::1989:2bf2:1e7f:7415\/64 scope link stable-privacy \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p>Also, be sure to check the logs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail \/var\/log\/openvpn\/openvpn.log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\/sbin\/ip link set dev tun0 up mtu 1500\n\/sbin\/ip addr add dev tun0 10.8.0.1\/24 broadcast 10.8.0.255\nSocket Buffers: R=[212992-&gt;212992] S=[212992-&gt;212992]\nUDPv4 link local (bound): [AF_INET][undef]:1194\nUDPv4 link remote: [AF_UNSPEC]\nMULTI: multi_init called, r=256 v=256\nIFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0\nIFCONFIG POOL LIST\n<strong>Initialization Sequence Completed<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Magnificent. The OpenVPN server is now ready. That marks the end of our guide on how to install OpenVPN Server on Ubuntu 20.04.<\/p>\n\n\n\n<p>You can now configure your clients accordingly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-and-configure-openvpn-client-on-centos-8-ubuntu-18-04\/\" target=\"_blank\">Install and Configure OpenVPN Client on CentOS 8\/Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/configure-openvpn-ldap-based-authentication\/\" target=\"_blank\">Configure OpenVPN LDAP Based Authentication<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/how-to-configure-ipsec-vpn-using-strongswan-on-ubuntu-18-04\/\" target=\"_blank\">Configure IPSEC VPN using StrongSwan on Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-strongswan-vpn-client-on-ubuntu-18-04-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure strongSwan VPN Client on Ubuntu 18.04\/CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/connect-to-cisco-vpn-using-pcf-file-on-ubuntu\/\" target=\"_blank\">Connect to Cisco VPN Using PCF file on Ubuntu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to install and setup OpenVPN Server on Ubuntu 20.04.&nbsp;OpenVPN&nbsp;is a robust and highly flexible open-source VPN<\/p>\n","protected":false},"author":1,"featured_media":12795,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,282,321],"tags":[1546,1543,283,1545,1544,1542,1200],"class_list":["post-5664","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-openvpn","category-vpn","tag-easy-rsa","tag-install-openvpn-ubuntu-20-04","tag-openvpn","tag-openvpn-easyrsa","tag-openvpn-server-ubuntu-20-04","tag-openvpn-ubuntu-20-04","tag-ubuntu-20-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5664"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5664"}],"version-history":[{"count":10,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5664\/revisions"}],"predecessor-version":[{"id":21407,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5664\/revisions\/21407"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12795"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5664"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5664"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}