OpenVPN is an open source application which is widely used to create secure virtual private networks over unsecured public Internet. OpenVPN is SSL VPN solution which tunnels your network connection securely through the Internet. OpenVPN works on client server architecture. All the devices connected to a virtual private network behaves as if they are connected to a local area network. The packets sent through the VPN tunnel are encrypted with 256 bit AES encryption making data theft impossible.
In this tutorial we will learn to install OpenVPN server on Ubuntu 16.04. By the end of the guide you will be able to deploy your own VPN server using OpenVPN. We will also learn to setup a client machine using OpenVPN client configuration.
To install OpenVPN, there are no specific hardware requirements. You will only need a Cloud Server or VPS running on Ubuntu 16.04. You will also need access to the root user. If you are logged in as non root user, run
sudo -i to switch to root user or you can also use
sudo command before all administrative commands.
Install OpenVPN Server
Before installing any package it is recommended to update the system and installed packages using the following command.
apt-get update && apt-get -y upgrade
Now we will install required packages needs to set up OpenVPN server. OpenVPN is available in ubuntu's default repository. We will also
easy-rsa package, which will be used for setting up generate SSL/TLS certificates to secure OpenVPN tunnel connections.
apt-get install -y openvpn easy-rsa
Now we will be copying easy-rsa templates into a new directory in which we will be storing our certificates. CA or Certificate Authority is capable of generating certificates, but in our case we will generate self signed certificates using our own simple CA.
make-cadir /var/openvpn-ca cd /var/openvpn-ca
Now we will need to configure CA variables. These variable will be used to generate CSR or Code Signing Request. CSR will be used to generate SSL/TLS certificate.
To edit variable files you can use your favorite text editor. In this tutorial we will be using
nano editor. If you do not have
nano editor, you can install it using
apt-get -y install nano.
Scroll down to find the following lines.
# These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="email@example.com" export KEY_OU="MyOrganizationalUnit"
# X509 Subject Field export KEY_NAME="EasyRSA"
Change the values accordingly. In
KEY_NAME field choose a name using which your private key will be generated. You can see demo values below.
# These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY="IN" export KEY_PROVINCE="RJ" export KEY_CITY="Bikaner" export KEY_ORG="MyOrganisation" export KEY_EMAIL="firstname.lastname@example.org" export KEY_OU="MyOrganizationalUnit"
# X509 Subject Field export KEY_NAME="vpn-server"
Once done we can use the variable values to generate CA certificates. Now source the variable using the following command.
You will see following output.
root@ip-172-31-31-250:/var/openvpn-ca# source vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /var/openvpn-ca/keys
Now clean the environment and previously generated key using the following command.
Now we can build the root Certificate Authorities using the following command.
It will prompt you if you want to change the default values for variables. Simply press enter to proceed further. It will also ask you a challenge password, leave it blank by simply pressing enter. You will see following output.
root@ip-172-31-31-250:/var/openvpn-ca# ./build-ca Generating a 2048 bit RSA private key ...+++ ....................................+++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [IN]: State or Province Name (full name) [RJ]: Locality Name (eg, city) [Bikaner]: Organization Name (eg, company) [MyOrganisation]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [MyOrganisation CA]: Name [vpn-server]: Email Address [email@example.com]:
The above command will generate root certificate and key,
/var/openvpn-ca/keys. Once the CA certificate is generated, we can create server certificate and keys using the following command.
source ./vars ./build-key-server server
You will see following output.
root@ip-172-31-31-250:/var/openvpn-ca# ./build-key-server server Generating a 2048 bit RSA private key ..........................+++ ............+++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [IN]: State or Province Name (full name) [RJ]: Locality Name (eg, city) [Bikaner]: Organization Name (eg, company) [MyOrganisation]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [server]: Name [vpn-server]: Email Address [firstname.lastname@example.org]:
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name : Using configuration from /var/openvpn-ca/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'IN' stateOrProvinceName :PRINTABLE:'RJ' localityName :PRINTABLE:'Bikaner' organizationName :PRINTABLE:'MyOrganisation' organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' commonName :PRINTABLE:'server' name :PRINTABLE:'vpn-server' emailAddress :IA5STRING:'email@example.com' Certificate is to be certified until Sep 12 09:10:55 2026 GMT (3650 days) Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
This command will create few server certificates and keys in
Now you will need to generate strong Diffie-Hellman key, which will be used during key exchange.
source ./vars ./build-dh
This will generate
dh2048.pem file in
Once we have generated certificates and keys for server, we will also create the certificate and keys for clients. In this tutorial we will generate the certificates client. We have used
client for demonstration purpose only. In actual scenario you may use any name. Run the following commands to do so.
source ./vars ./build-key client
If you want to set a passphrase for the private key of client's private key, you can use the following command.
Now copy the CA and server certificates and keys to OpenVPN directory using the following command.
cd /var/openvpn-ca/keys cp ca.crt ca.key server.crt server.key dh2048.pem /etc/openvpn
Now extract the sample OpenVPN configuration and copy it to OpenVPN directory.
gunzip -d /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn
Now modify the configuration file using your favorite text editor.
Find the following lines
# It's a good idea to reduce the OpenVPN # daemon's privileges after initialization. # # You can uncomment this out on # non-Windows systems. ;user nobody ;group nogroup
user nobody and
group nobody line.
Now we will need to modify the configuration file
/etc/sysctl.conf for setting up system variable using your favorite editor.
Find the following lines.
# Uncomment the next line to enable packet forwarding for IPv4 #net.ipv4.ip_forward=1
Uncomment the line
net.ipv4.ip_forward=1. Now save the file and adjust the system variables for current session using the following command.
Now you can start VPN server using following command.
systemctl start openvpn@server
You can enable OpenVPN server to start at boot time, you can run this command.
systemctl enable openvpn@server
You can check the status of OpenVPN server using the following command.
systemctl status openvpn@server
You should see following output.
root@ip-172-31-31-250:~# systemctl status openvpn@server ● firstname.lastname@example.org - OpenVPN connection to server Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2016-09-14 17:57:12 UTC; 8min ago Docs: man:openvpn(8) https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage https://community.openvpn.net/openvpn/wiki/HOWTO Main PID: 4688 (openvpn) CGroup: /email@example.com └─4688 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.co
Sep 14 17:57:12 ip-172-31-31-250 ovpn-server: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2 Sep 14 17:57:12 ip-172-31-31-250 ovpn-server: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2 Sep 14 17:57:12 ip-172-31-31-250 ovpn-server: GID set to nogroup Sep 14 17:57:12 ip-172-31-31-250 ovpn-server: UID set to nobody Sep 14 17:57:12 ip-172-31-31-250 ovpn-server: UDPv4 link local (bound): [undef] Sep 14 17:57:12 ip-172-31-31-250 ovpn-server: UDPv4 link remote: [undef] Sep 14 17:57:12 ip-172-31-31-250 ovpn-server: MULTI: multi_init called, r=256 v=256 Sep 14 17:57:12 ip-172-31-31-250 ovpn-server: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0 Sep 14 17:57:12 ip-172-31-31-250 ovpn-server: IFCONFIG POOL LIST Sep 14 17:57:12 ip-172-31-31-250 ovpn-server: Initialization Sequence Completed
As we have our VPN server up and running we can now connect the clients to the server.
While generating the certificates and keys for server, we have already generated the certificates for client too. You can use FTP or SCP to transfer the files from server to client machine. You will need to copy three files for each client. For client you will need to copy
For windows client machine you can download OpenVPN client from here. Once you install the software, copy
C:/Program Files/OpenVPN/sample-config to
config directory. Also move the client certificate and key file with CA certificate into this directory. Now open
client.ovpn using notepad and find the following lines.
# The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote my-server-1 1194 ;remote my-server-2 1194
my-server-1 to the IP address or hostname of your remote server. As we have not configured or changed the port in server, hence the port number will remain same, a sample configuration is given below.
remote 220.127.116.11 1194
In case if you have generated your client certificates with name other than
client.key. You will also need to change these lines accordingly.
# SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca ca.crt cert client.crt key client.key
Once done save the file. To start OpenVPN with this configuration, right click on
client.ovpn file to see options and select Start OpenVPN on this config file. You will see your command prompt will start connecting to your VPN server.
For Linux client machine you can install OpenVPN using the following command.
For CentOS/RHEL/Fedora, run the following commands.
sudo yum -y install epel-release sudo yum -y update sudo yum -y install openvpn
For Ubuntu/Debian run the following commands.
sudo apt-get install openvpn
Now copy the client certificates and keys along with CA certificate on your client machine using SCP or FTP. Move the files into
/etc/openvpn/ directory. Now create a new file using your favorite text editor.
Enter the following content in the file. Change your remote address and client file names accordingly.
client dev tun proto udp remote 18.104.22.168 1194 resolv-retry infinite nobind group nobody persist-key persist-tun comp-lzo verb 3 ca ca.crt cert client.crt key client.key
Now save the file and run OpenVPN client with client configuration using the following command.
sudo openvpn --config client.ovpn
This should run OpenVPN using your client configuration and you will be connected to the remote server using the VPN tunnel.
In this tutorial we have learned to install OpenVPN server into a VPS running Ubuntu 16.04. We also learned to use
easy-rsa to build CA and then generate certificates for server and client. You can now successfully deploy and run OpenVPN server on Ubuntu 16.04. OpenVPN client software is available for many platforms, you can connect the clients to your private network easily.