In this article, I will document the steps I took to install the latest OpenVPN version on Ubuntu 12.04. The latest version as of this writing is OpenVPN 2.3.2, versus OpenVPN 2.2.1 in the Ubuntu repos. I use OpenVPN to get a US IP for Netflix streaming from outside the US; this article explains more. If you are completely new to this and have neither the time nor an idea of how to install software, there is still hope for you: just read this article on how I started accessing geo-locked sites.
I installed this on my RamNode VPS and BlueVM VPS. I have signed up as an affiliate for both services, so if you are in the market for a VPS, please use this link or this link to help me out.
Before anything else, any VPN will degrade your internet speed because of the overhead of encryption, compression, latency, etc. In my experience with my Asus RT-N16 as the VPN client, I get a performance hit of about 10-15%. So please bear in mind that your speed will slow down a bit.
The basic steps to get an OpenVPN server running on Ubuntu are the following:
- Enable TUN/TAP in your kernel (easily done via the SolusVM control panel)
- Add the repos of OpenVPN to your current repos to get the latest version
- Update the repos and install OpenVPN
- Download the Easy-RSA tool
- Configure the necessary certificates for your OpenVPN server
- Configure the Server options for your OpenVPN servers
- Configure/Match the Server options in a configuration (.OVPN) file for your clients.
- Transfer the required client certificates to your client computer, iPad, Android device, etc.
- Import the downloaded client certificates to your OpenVPN client
DISCLAIMER: I will not be responsible for any negative results that you may incur. Having said that, I have not experienced anything negative by doing this.
If you want to use PPTP instead of OpenVPN, I recommend the excellent script provided in this link. Installing PPTP is a lot easier, and clients are already built in; however, PPTP's MS-CHAPv2 authentication and MPPE encryption are known to be breakable, so it should not be relied on for confidentiality, and in my experience it is not as reliable as OpenVPN.
Before we start, you should be able to connect to your server over SSH. I use the ever-reliable PuTTY to SSH into my server.
Ok, so we have the steps, let's flesh it out.
The first step is to enable TUN/TAP. If you got your VPS from RamNode, go to your SolusVM control panel (if you can't find it, it is in the upper right-hand corner of the RamNode site), choose your server, and set TUN/TAP to 'ON'. The server will reboot, and the next time you SSH in, TUN/TAP should be enabled (/dev/net/tun will exist).
So now we are ready to do the actual installation. The following lines add the OpenVPN repo to your system, update the package list, upgrade the system, and install OpenVPN and OpenSSL. They have to be run as root (or prefixed with sudo). Update: OpenVPN now provides an easier way to install the latest version; this is from the official page on installing OpenVPN from their repos.
$ wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
$ echo "deb http://swupdate.openvpn.net/apt precise main" > /etc/apt/sources.list.d/swupdate.openvpn.net.list
$ apt-get update && apt-get -y upgrade && apt-get -y install openvpn openssl
Note: change 'precise' to the codename of your Ubuntu release. Check https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos. Because the first command downloads the signing key and trusts it in one go, compare the key's fingerprint (apt-key finger) with the one published on that wiki page before installing anything from the repo.
Next, we download Easy-RSA, which will help in generating the keys. As of OpenVPN 2.3, Easy-RSA is no longer part of the OpenVPN install, so we have to get it separately. We will download it into our home directory. Note: the latest version of Easy-RSA is version 3; we need the older 2.x release, because its scripts (build-ca, build-key-server, build-key, build-dh) are what the rest of this article uses.
$ cd ~
$ wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
$ unzip 2.x.zip
We now put it all together by copying the Easy-RSA 2.0 scripts into the openvpn directory.
$ mkdir /etc/openvpn/easy-rsa
$ cp -R ~/easy-rsa-release-2.x/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
$ cd /etc/openvpn/easy-rsa
We need an openssl.cnf to create the certificates; create it by symlinking the sample openssl-1.0.0.cnf that ships with Easy-RSA (it matches the OpenSSL 1.0.x on Ubuntu 12.04).
$ ln -s openssl-1.0.0.cnf openssl.cnf
We now set some customisations for your own server in the vars file. Go through the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL defaults and change them as needed; they are only the defaults offered when each certificate is generated. Make sure KEY_SIZE is 2048 (older copies of vars still say 1024): it sets both the RSA key length and the size of the Diffie-Hellman parameters built later, and the server.conf below expects dh2048.pem. I use vim to edit; it may seem confusing, but all you have to remember is pressing 'i' to insert and start typing, <esc> to exit insert mode, and ':x' to save and exit.
$ vim vars
Load the edited vars into the current shell (you have to do this again in every new SSH session before running any Easy-RSA script) and reset the keys directory where all the certificates will be kept. Note that clean-all wipes any existing keys, so run it only once, on a fresh setup.
$ source vars
$ ./clean-all
Now build the certificate authority, the server certificate, the Diffie-Hellman parameters and a first client certificate, in that order (the CA has to exist before it can sign anything, and build-dh produces the dh2048.pem that server.conf points to). Questions will be asked; accept the defaults from vars or change them as needed, but give each certificate a distinct Common Name. When asked to sign and commit, answer yes. build-dh can take a few minutes.
$ ./build-ca
$ ./build-key-server server
$ ./build-dh
$ ./build-key client
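To see what build-ca, build-key-server and build-key actually produce, and why the distinction between a server and a client certificate matters, here is an added example (my own script, not part of the article or of Easy-RSA) that builds the same three certificates with plain openssl. build-key-server marks the server certificate with extendedKeyUsage=serverAuth (and nsCertType=server) while build-key gives clients extendedKeyUsage=clientAuth; an OpenVPN client configured with remote-cert-tls server checks exactly this, so a rogue "server" presenting someone else's client certificate from the same CA is rejected. Names, lifetimes and the target directory are assumptions for the demo.

```shell
# Added example: the CA / server / client certificates of Easy-RSA 2, done with
# plain openssl so the security-relevant extensions are visible. Not the
# article's code. Names and lifetimes below are demo assumptions.
set -eu

# Sign a CSR for $name with the demo CA, adding the extensions Easy-RSA would.
issue_cert() {
  dir="$1"; name="$2"; eku="$3"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$eku" > "$dir/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Build ca.crt/ca.key, server.crt/server.key and client.crt/client.key in $1.
build_demo_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Self-signed CA, as build-ca does; the default openssl.cnf marks it CA:TRUE
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=demo-vpn-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  issue_cert "$dir" server serverAuth   # what build-key-server does
  issue_cert "$dir" client clientAuth   # what build-key does
  chmod 600 "$dir"/*.key                # private keys are secrets
}

# Print "yes" if $2 chains to the demo CA and is valid for purpose $3.
# sslserver is the check an OpenVPN client performs with remote-cert-tls server.
cert_ok_for() {
  dir="$1"; cert="$2"; purpose="$3"
  if openssl verify -CAfile "$dir/ca.crt" -purpose "$purpose" "$dir/$cert" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# Usage: sh pki_demo.sh demo
if [ "${1:-}" = demo ]; then
  d="$(mktemp -d)"
  build_demo_pki "$d"
  echo "server.crt usable as VPN server: $(cert_ok_for "$d" server.crt sslserver)"   # yes
  echo "client.crt usable as VPN client: $(cert_ok_for "$d" client.crt sslclient)"   # yes
  echo "client.crt usable as VPN server: $(cert_ok_for "$d" client.crt sslserver)"   # no
fi
```

The last line of the demo is the point: a client certificate fails the server-purpose check, which is the check you get on the client side by adding remote-cert-tls server to the .ovpn file. Without it, any holder of a certificate from your CA (i.e. any of your VPN users) could stand up a fake server and the other clients would connect to it.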
Almost done, we just now have to create a server configuration.
$ cd /etc/openvpn
$ vim server.conf
Now with vim open, copy the following into server.conf and save. Everything after a # on a line is a comment that OpenVPN ignores.
dev tun # routed IP tunnel
proto udp # UDP is the usual choice; use tcp only if UDP is blocked where you are
port 1194 # port to listen on
ca /etc/openvpn/easy-rsa/keys/ca.crt # CA certificate generated by build-ca
cert /etc/openvpn/easy-rsa/keys/server.crt # server certificate generated by build-key-server
key /etc/openvpn/easy-rsa/keys/server.key # server private key; keep it readable by root only
dh /etc/openvpn/easy-rsa/keys/dh2048.pem # Diffie-Hellman parameters generated by build-dh (dh1024.pem if KEY_SIZE was 1024; 2048 is preferable)
user nobody # drop root privileges after startup
group nogroup # unprivileged group (nogroup on Debian/Ubuntu, nobody on some other distros)
server 10.8.0.0 255.255.255.0 # OpenVPN subnet handed out to clients
status /var/log/openvpn-status.log # location of status log
verb 3 # amount of logging to be done
push "redirect-gateway def1" # send all of the client's internet traffic through the tunnel
#set the dns servers
push "dhcp-option DNS 220.127.116.11" # primary DNS server pushed to clients; use resolvers you trust
push "dhcp-option DNS 18.104.22.168" # secondary DNS server
log-append /var/log/openvpn # location of log file
comp-lzo # compression; must be set on the client as well
#cipher none # disables encryption entirely (only if you use the VPN purely for streaming and accept that everything in the tunnel is readable on the path)
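The configuration above works, but it runs with the OpenVPN 2.3 defaults of BF-CBC and SHA1 on the data channel and accepts any packet for a TLS handshake. As an added example (this is my hardened variant, not the article's own file), here is the same server.conf with the settings a security review would ask for: an HMAC key so unauthenticated packets are dropped before any TLS work, an explicit cipher and digest, and the directives that let the daemon keep running after it has dropped privileges. The ta.key path is an assumption; create the key with `openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key` on the server and copy it to every client. cipher, auth, comp-lzo and tls-auth (with key direction 1 on the client) must be set identically on both sides or the connection will fail.

```conf
# /etc/openvpn/server.conf, hardened variant (added example, not the article's file)
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# HMAC firewall: packets without a valid HMAC are dropped before the TLS
# handshake, which blunts port scans and DoS attempts against the listener.
# Generate with: openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# Explicit data-channel cipher and HMAC digest (2.3 defaults are BF-CBC and SHA1)
cipher AES-256-CBC
auth SHA256
# Drop privileges; persist-key/persist-tun let the daemon survive a SIGUSR1
# restart once the key file and /dev/net/tun are no longer accessible to nobody
user nobody
group nogroup
persist-key
persist-tun
# Ping every 10 s, declare the peer dead after 120 s of silence (pushed to clients)
keepalive 10 120
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
# Resolvers from the article's config; substitute ones you trust
push "dhcp-option DNS 220.127.116.11"
push "dhcp-option DNS 18.104.22.168"
comp-lzo
status /var/log/openvpn-status.log
log-append /var/log/openvpn
verb 3
```

If you later revoke a client with Easy-RSA's ./revoke-full, add `crl-verify /etc/openvpn/easy-rsa/keys/crl.pem` here as well; without it the server keeps accepting revoked certificates.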
For the clients' traffic to reach the internet through the VPS, the kernel has to forward packets between the tunnel and the public interface. Enable IPv4 forwarding persistently and apply it now:
$ cat >> /etc/sysctl.conf << END
net.ipv4.ip_forward = 1
END
$ sysctl -p
Now tell the firewall to NAT the VPN clients' traffic out of the public interface. For the iptables command, I used venet0 as this is what "ifconfig" reports as the adapter on my OpenVZ machine; on KVM or Xen it is usually eth0. Don't forget to enter your own IP in the SNAT variant below.
$ iptables -P FORWARD ACCEPT
$ iptables --table nat -A POSTROUTING -o venet0 -j MASQUERADE
If that does not work, SNAT to your VPS's public IP instead:
$ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to YOUR.VPS.IP
Let's now save the iptables rules so that they are restored on the next reboot. The restore script needs a shebang line and the executable bit, otherwise ifupdown will not run it.
$ iptables-save > /etc/iptables.conf
$ cat > /etc/network/if-pre-up.d/iptables <<END
#!/bin/sh
iptables-restore < /etc/iptables.conf
END
$ chmod +x /etc/network/if-pre-up.d/iptables
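`iptables -P FORWARD ACCEPT` forwards anything between any two interfaces on the VPS, and `MASQUERADE` without a source match NATs whatever gets routed through. As an added example (my own script, not from the article), here is a function that emits a complete iptables-restore ruleset for /etc/iptables.conf in which only VPN client traffic is forwarded out, only replies come back in, and only the VPN subnet is NATed. Interface names, subnet and port are parameters; the values in the usage line are assumptions for the demo (venet0 is what the article's OpenVZ VPS reported).

```shell
# Added example: generate a restrictive iptables-restore file for the VPN.
# Not the article's code. Parameter values in the demo are assumptions.
set -eu

# gen_vpn_rules VPN_IF WAN_IF VPN_NET VPN_PORT  -> ruleset on stdout
gen_vpn_rules() {
  vpn_if="$1"    # tunnel interface: tun0 for "dev tun"
  wan_if="$2"    # public interface: venet0 on OpenVZ, eth0 on most KVM/Xen VPSes
  vpn_net="$3"   # must match the "server" line in server.conf
  vpn_port="$4"  # must match the "port" line in server.conf
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT only the VPN clients, not anything else that happens to be routed through
-A POSTROUTING -s ${vpn_net} -o ${wan_if} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The OpenVPN listener (redundant while INPUT is ACCEPT, required once you tighten it)
-A INPUT -i ${wan_if} -p udp --dport ${vpn_port} -j ACCEPT
# Only VPN clients may be forwarded out, and only replies to them back in
-A FORWARD -i ${vpn_if} -o ${wan_if} -s ${vpn_net} -j ACCEPT
-A FORWARD -i ${wan_if} -o ${vpn_if} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage: sh vpn_rules.sh demo > /etc/iptables.conf
if [ "${1:-}" = demo ]; then
  gen_vpn_rules tun0 venet0 10.8.0.0/24 1194
fi
```

Load it with `iptables-restore < /etc/iptables.conf` (the same command the if-pre-up.d script runs); `iptables-restore --test` checks the file for syntax errors without applying it. Comment lines are ignored by iptables-restore.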
The OpenVPN server configuration is done. All we have to do is restart the OpenVPN service; you should see it restart and report an "ok" status. The init script starts one daemon for every *.conf file in /etc/openvpn, so server.conf is picked up automatically.
$ service openvpn restart
The server is done; now we prepare the client. We make a client configuration (.ovpn) file, which is just a simple text file with parameters matching the newly created OpenVPN server. The .ovpn file is sent to the client machine and read by the OpenVPN client. We already created our first client certificate when we ran ./build-key client, so we will use that as the sample.
$ cd /etc/openvpn/easy-rsa/keys
$ vim client.ovpn
With the editor open, copy the following. Remember to change the remote server to your own server:
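As an added example (this is my file, not the article's original, which did not survive on this page), here is a client.ovpn that matches the server.conf above. YOUR.VPS.IP is a placeholder for your server's public IP or hostname. The remote-cert-tls line is not in the article's setup but costs nothing: it makes the client accept only a certificate issued with build-key-server, so another VPN user's client certificate cannot be used to impersonate your server. If you add cipher, auth or tls-auth on the server, mirror them here (tls-auth with key direction 1).

```conf
# client.ovpn (added example matching the server.conf above)
client
dev tun
proto udp
remote YOUR.VPS.IP 1194   # your VPS public IP or hostname, and the server's port
resolv-retry infinite
nobind
persist-key
persist-tun
# Files copied from /etc/openvpn/easy-rsa/keys on the server, kept in the same folder as this file
ca ca.crt
cert client.crt
key client.key
# Only accept a server certificate issued with build-key-server
remote-cert-tls server
comp-lzo                  # must match the server
verb 3
```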
Now transfer the following files from /etc/openvpn/easy-rsa/keys to your client machine and place them in one folder: ca.crt, client.crt, client.key and client.ovpn. You can install WinSCP to securely copy the files from your remote server to your local machine. client.key is the client's private key: anyone who obtains it together with client.crt can connect as that client, so keep it out of shared folders and email.
Now install an OpenVPN client on your machine, import the .ovpn file, and connect. That's it, enjoy your VPN.
Alternatively, you can create a single, self-contained client configuration by embedding the certificates and the key in the .ovpn file between XML-style tags.
$ cd /etc/openvpn/easy-rsa/keys
$ vim client.ovpn
With the editor open, copy the code below. See the <ca> ... </ca> pairs: replace '...' with the actual certificates and key. Where to find them: they are the contents of ca.crt, client.crt and client.key in the keys directory.
- <ca> ... </ca> --->>>> ca.crt
- <cert> ... </cert> --->>>> client.crt
- <key> ... </key> ---->>>> client.key
Make sure to copy from the '-----BEGIN CERTIFICATE-----' line to the '-----END CERTIFICATE-----' line. Easy-RSA 2 writes a human-readable dump above the certificate in the .crt files; leave that out. For the key, copy from '-----BEGIN PRIVATE KEY-----' (or '-----BEGIN RSA PRIVATE KEY-----') to the matching END line.
Now, after doing all that, the only file you have to give to your clients is client.ovpn, because all the information is already in it. Since it now contains the client's private key, treat the file as a secret: transfer it over a secure channel and delete stray copies.
CREATING ADDITIONAL CLIENTS
So now you have a complete OpenVPN server setup, and it's time to share the connection with your friends and family. Let's go back to the server and use Easy-RSA again.
$ cd /etc/openvpn/easy-rsa
$ source vars
We are now ready to create additional client certificates and keys. For each client, run ./build-key with a unique name; the name becomes the certificate's Common Name.
$ ./build-key peter
$ ./build-key lois
$ ./build-key chris
$ ./build-key stewie
$ ./build-key brian
No key for Meg!
The client certificates and keys will now be in the keys directory; then just follow the instructions above on creating client configuration files and transferring them. Give every person their own certificate rather than sharing one: OpenVPN allows only one active connection per Common Name unless duplicate-cn is set, and a per-client certificate is the only thing you can revoke individually later (with Easy-RSA's ./revoke-full, plus crl-verify in server.conf) without reissuing everyone's.
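Copy-pasting PEM blocks into <ca>/<cert>/<key> tags by hand for every friend is error-prone, so here is an added example (my own script, not from the article) that builds the single-file .ovpn described in the inline-configuration section for any client created with ./build-key, taking the PEM blocks straight from the Easy-RSA 2 keys directory. It keeps only the BEGIN/END block of each file, dropping the text dump Easy-RSA 2 prepends to .crt files, as advised above. The server name, the demo client name and the constructed stand-in key files are assumptions; the demo does not touch your real keys directory.

```shell
# Added example: assemble an inline client .ovpn from the Easy-RSA 2 keys
# directory. Not the article's code; names in the demo are assumptions.
set -eu

# Print only the PEM block of type $2 ("CERTIFICATE" or ".*PRIVATE KEY") from file $1
pem_block() {
  sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

# make_inline_ovpn KEYS_DIR CLIENT_NAME REMOTE [PORT]  -> .ovpn text on stdout
make_inline_ovpn() {
  keys_dir="$1"; name="$2"; remote="$3"; port="${4:-1194}"
  for f in ca.crt "$name.crt" "$name.key"; do
    if [ ! -r "$keys_dir/$f" ]; then
      echo "make_inline_ovpn: missing $keys_dir/$f (run ./build-key $name first?)" >&2
      return 1
    fi
  done
  cat <<EOF
client
dev tun
proto udp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_block "$keys_dir/ca.crt" CERTIFICATE)
</ca>
<cert>
$(pem_block "$keys_dir/$name.crt" CERTIFICATE)
</cert>
<key>
$(pem_block "$keys_dir/$name.key" ".*PRIVATE KEY")
</key>
EOF
}

# Constructed stand-ins for ca.crt, peter.crt and peter.key (not real keys),
# shaped like Easy-RSA 2 output including the text dump above the certificate.
make_demo_keys() {
  d="$1"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CA-PEM-DATA' '-----END CERTIFICATE-----' > "$d/ca.crt"
  printf '%s\n' 'Certificate:' '    Data: (text dump Easy-RSA 2 prepends)' \
    '-----BEGIN CERTIFICATE-----' 'PETER-CERT-PEM-DATA' '-----END CERTIFICATE-----' > "$d/peter.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PETER-KEY-PEM-DATA' '-----END PRIVATE KEY-----' > "$d/peter.key"
}

# Usage: sh make_ovpn.sh demo
# Real use: (umask 077; make_inline_ovpn /etc/openvpn/easy-rsa/keys peter YOUR.VPS.IP > peter.ovpn)
if [ "${1:-}" = demo ]; then
  d="$(mktemp -d)"
  make_demo_keys "$d"
  (umask 077; make_inline_ovpn "$d" peter vpn.example.net > "$d/peter.ovpn")
  cat "$d/peter.ovpn"
fi
```

The umask 077 in the usage line matters: the output file contains the private key, so it should be created readable by you only, and it should travel to the client over SCP or a USB cable rather than email.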
- If you're having problems with your VPN server, it is good to check the logs. The log as set in server.conf is /var/log/openvpn; open that file and review the errors. The client's own log (verb 3) usually shows the matching error, and a mismatch in comp-lzo, cipher or tls-auth between the two configuration files is the most common cause.
- If, after doing all the steps, your OpenVPN server won't start, I find that for my VPS all I have to do is turn off TUN/TAP in my SolusVM control panel (which forces a restart), then turn it on again (another restart), and OpenVPN will now start.
- For mobile devices, the easiest way is to create a single .ovpn file (see the inline configuration above) and get it onto the device. For iOS, download the OpenVPN Connect app from the App Store first, then open the file. For Android, download it to your SD card and point OpenVPN Connect to the download folder. Remember that the single file contains the private key, so emailing it is a convenience, not a secure channel: prefer a USB or SCP transfer, and delete any email copy afterwards.
- For clients, there are a lot of OpenVPN clients, but I mostly use the official OpenVPN clients for iOS, Android, Linux and Windows. An alternative for Windows is the open-source Securepoint OpenVPN client if you don't want to use the .NET framework. For Mac, Tunnelblick seems to do the job. For my router, I use Shibby's TomatoUSB version for my Asus RT-N16.
- If you are going to use this for streaming geo-restricted sites, you might want to forgo the encryption for performance (the cipher none line above), but note that disabling encryption removes the security benefit of the VPN: everything between the client and the VPS then travels in cleartext, and all that changes is the origin IP the streaming site sees.