How to Install and Configure OpenVPN on Ubuntu Server
Setting up a VPN can significantly enhance your online privacy and security. OpenVPN is a popular open-source VPN solution that you can easily install and configure on your Ubuntu server. This guide will walk you through each step to get your OpenVPN server up and running. Let’s dive in!
Prerequisites
Before we begin, make sure you have the following:
- A fresh Ubuntu Server (20.04 or later)
- Root or sudo privileges
- A domain name or a public IP address
- Basic understanding of Linux command line
Step 1: Update Your System
Before installing any new packages, itโs always a good idea to update your system to the latest packages. Run the following commands:
sudo apt update
sudo apt upgrade -y
Step 2: Install OpenVPN and Easy-RSA
OpenVPN uses Easy-RSA to create a Public Key Infrastructure (PKI) for key management. Install both packages with the following command:
sudo apt install openvpn easy-rsa -y
Step 3: Set Up the Certificate Authority
Create a directory for the Easy-RSA scripts:
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
Open the vars file using a text editor, such as nano, and set up the environment variables:
nano vars
Modify the file to set values for the following parameters:
set_var EASYRSA_REQ_COUNTRY “US”
set_var EASYRSA_REQ_PROVINCE “CA”
set_var EASYRSA_REQ_CITY “San Francisco”
set_var EASYRSA_REQ_ORG “MyVPN”
set_var EASYRSA_REQ_EMAIL “[email protected]”
set_var EASYRSA_REQ_OU “IT”
Save and exit the file. Next, run the following commands to clean up any previous configuration and create the Certificate Authority (CA):
./easyrsa init-pki
./easyrsa build-ca
You will be prompted to set a passphrase for the CA. Make sure to remember it.
Step 4: Create the Server Certificate and Key
Now, let’s generate the server certificate and key:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
Approve the signing request when prompted.
Step 5: Generate Client Certificates and Keys
You will need a separate certificate and key for each client that connects to the VPN. Create a client certificate:
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
Step 6: Generate Diffie-Hellman Parameters and HMAC Key
Diffie-Hellman parameters are necessary for key exchange, while the HMAC key helps prevent DDoS attacks:
./easyrsa gen-dh
openvpn –genkey –secret ta.key
Step 7: Configure the OpenVPN Server
Copy the server configuration file as a starting point:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn/
sudo gzip -d server.conf.gz
Edit the server.conf file:
sudo nano server.conf
Adjust the following parameters:
- ca, cert, key, and dh: Update these lines to match the locations of the CA, server, and Diffie-Hellman key files.
Server IP Range: Update the server directive to define the IP address range for clients:
server 10.8.0.0 255.255.255.0
- HMAC Security: Enable the following line to prevent DDoS attacks:
tls-auth ta.key 0
- Enable Compression: Uncomment comp-lzo if you want to enable compression.
Save and close the file.
Step 8: Enable IP Forwarding
To allow VPN traffic to move between the client and the Internet, enable IP forwarding:
sudo nano /etc/sysctl.conf
Uncomment or add this line:
net.ipv4.ip_forward = 1
Apply the change:
sudo sysctl -p
Step 9: Configure Firewall Rules
You need to allow traffic through the VPN and enable masquerading (NAT):
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable
Step 10: Start and Enable OpenVPN Service
Now, start the OpenVPN service and enable it to run at boot:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Verify that the service is running:
sudo systemctl status openvpn@server
Step 11: Create Client Configuration Files
Create a client configuration file (client.ovpn) that users can download to connect to your VPN. Use the following template:
client
dev tun
proto udp
remote your-server-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
key-direction 1
Add the ca, cert, key, and tls-auth contents to the client configuration file.
Step 12: Connect to Your VPN
To connect, import the client.ovpn file into your VPN client application. For example, on a Linux client, you can connect using:
sudo openvpn –config client.ovpn
Conclusion
By following this guide, you’ve successfully installed and configured OpenVPN on your Ubuntu server. With this setup, you can secure your online traffic, protect your privacy, and even access your home network from anywhere. Make sure to regularly update your server and keep your OpenVPN version up-to-date for the best security.
Frequently Asked Questions
1. Why is my OpenVPN server not starting?
- Ensure that all paths to the certificate files are correct and that the firewall rules are properly configured.
2. How can I add more clients?
- Repeat Step 5 to create additional client certificates and keys.
3. Can I use OpenVPN on mobile devices?
- Yes, OpenVPN apps are available for both Android and iOS.
By adhering to these detailed instructions, you’ll have a robust VPN solution that suits various use cases.
Thank you for visiting our website! If you want to enhance your skills with Linux systems and would like to read our article on “How to Use Vokoscreen to Record Videos on Ubuntu,” you can find it through the link below. Happy learning! ๐
How to use Vokoscreen to Record Videos on Ubuntu
