OpenVPN 2.3 on Ubuntu VPS
Written by FHM   
Wednesday, 12 June 2013 15:52

In this article I document the steps I took to install the latest OpenVPN version on Ubuntu 12.04. The latest version as of this writing is OpenVPN 2.3.2, whereas the version in the Ubuntu repos is stuck at OpenVPN 2.2.1. I use OpenVPN to get a US IP for Netflix streaming from outside the US; this article explains more. If you are completely new to this and have neither the time nor an idea of how to install software, there is still hope for you: just read this article on how I started accessing geo-locked sites.

I installed this on my RamNode VPS and BlueVM VPS, I have signed up as an affiliate for both services, so if you are in the market for a VPS please use this link or this link to help me out.

Before anything else: any VPN will degrade your internet speed because of the overhead of encryption, compression, latency, etc. In my experience with my Asus RT-N16 as the VPN client, I get a performance hit of about 10-15%. So please bear in mind that your speed will slow down a bit.

The basic steps to get an OpenVPN server running on Ubuntu are the following:

  1. Enable TUN/TAP of your kernel (this is easily done via the SolusVM control panel)
  2. Add the repos of OpenVPN to your current repos to get the latest version
  3. Update the repos and install OpenVPN
  4. Download the Easy-RSA tool
  5. Configure the necessary certificates for your OpenVPN server
  6. Configure the Server options for your OpenVPN servers
  7. Configure/Match the Server options in a configuration (.OVPN) file for your clients.
  8. Transfer the required client certificates to your client computer, iPad, Android device, etc.
  9. Import the downloaded client certificates to your OpenVPN client
  10. Connect

 

DISCLAIMER: I will not be responsible for any negative results that you may incur.  Having said that, I have not experienced anything negative by doing this.

 

If you want to use PPTP VPN instead of OpenVPN, then I recommend the excellent script provided in this link. Installing PPTP is a lot easier, and clients are already built in; however, PPTP is not as secure and, in my experience, not as reliable as OpenVPN.

Before we start, you should be able to connect to your server. I use the ever reliable PuTTY to SSH into my server.

Ok, so we have the steps, let's flesh it out.

 

SERVER CONFIGURATION

The first step is to enable TUN/TAP. If you acquired your VPS from RamNode, just go to your SolusVM control panel (if you can't find it, it is in the upper right-hand corner of the RamNode site), choose your server, and set TUN/TAP to 'ON'. The server will reboot, and the next time you SSH in, TUN/TAP should be enabled.

 

So now we are ready to do the actual installation. The following lines add the OpenVPN repository to your system, import its signing key, update the package list, upgrade the system, and install OpenVPN and OpenSSL. Update: OpenVPN now provides an easier way to install the latest version; the second set of commands is taken from the official OpenVPN software-repository page and is the one to use (it also fetches the signing key over HTTPS rather than plain HTTP).

Original method:

$ wget -O - http://repos.openvpn.net/repos/repo-public.gpg | apt-key add -
$ cd /etc/apt/sources.list.d
$ wget http://repos.openvpn.net/repos/apt/conf/repos.openvpn.net-precise-snapshots.list
$ apt-get update && apt-get -y upgrade && apt-get -y install openvpn openssl

Updated method (official instructions):

$ wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
$ echo "deb http://swupdate.openvpn.net/apt precise main" > /etc/apt/sources.list.d/swupdate.openvpn.net.list
$ apt-get update && apt-get -y upgrade && apt-get -y install openvpn openssl

Note: change the 'precise' to the actual version of your ubuntu distro. Check https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

Next, we download Easy-RSA, which will help in generating the keys. As of OpenVPN 2.3, Easy-RSA is no longer part of the OpenVPN package, so we have to get it separately. We download it into our home directory. Note: the latest version of Easy-RSA is version 3; we need the older 2.x release, which the commands below fetch.

 

$ cd ~

$ wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip

$ unzip 2.x.zip

 

We now put it all together, transferring a copy of Easy-RSA to the openvpn directory.

 

$ mkdir /etc/openvpn/easy-rsa

$ cp -R ~/easy-rsa-release-2.x/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

$ cd /etc/openvpn/easy-rsa

 

We need an openssl.cnf to create the certificates. We create it by symlinking the sample openssl-1.0.0.cnf shipped with Easy-RSA (pick the sample that matches the OpenSSL version on your server).

 

$ ln -s openssl-1.0.0.cnf openssl.cnf

 

Now we customise vars for your own server. Go through all the settings and change them as needed; note the KEY_SIZE value in particular, because build-dh names its output after it (dh2048.pem for KEY_SIZE=2048), and the server configuration further down has to point at that file. I use vim to edit. It may seem confusing, but all you have to remember is: press 'i' to insert and start typing, <esc> to leave insert mode, and ':x' to save and exit.

 

$ vim vars

 

We now load vars into the shell and initialise the directory where all the certificates will be kept. Be aware that clean-all wipes that directory, so run it only once, before the first build-ca; running it again later would delete your CA and every certificate issued from it.

 

$ source vars

$ ./clean-all

 

With everything edited, we are now ready to generate the CA, the server certificate, a first client certificate, and the Diffie-Hellman parameters. Questions will be asked; either accept the defaults (taken from vars) or change them accordingly. When confirmation is requested, just answer yes.

 

$ ./build-ca

$ ./build-key-server server

$ ./build-key client

$ ./build-dh

 

Almost done; now we just have to create the server configuration.

 

$ cd /etc/openvpn

$ vim server.conf

 

Now with vim open, copy the following to your server.conf file and save.

 

dev tun                                     # create a routed ip tunnel
proto udp                                   # use udp as protocol
port 1194                                   # port to listen to
ca /etc/openvpn/easy-rsa/keys/ca.crt        # point to generated ca certificate
cert /etc/openvpn/easy-rsa/keys/server.crt  # point to generated server certificate
key /etc/openvpn/easy-rsa/keys/server.key   # point to generated server key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem    # point to generated Diffie-Hellman file (dh1024.pem or dh2048.pem, named after KEY_SIZE in vars)
user nobody                                 # drop privileges to user nobody after startup
group nogroup                               # drop privileges to group nogroup after startup
server 10.8.0.0 255.255.255.0               # OpenVPN subnet
persist-key                                 # keep keys in memory across restarts (needed once privileges are dropped)
persist-tun
status /var/log/openvpn-status.log          # location of status log
verb 3                                      # amount of logging to be done
client-to-client                            # let VPN clients reach each other
push "redirect-gateway def1"                # all internet will be redirected to the tunnel
# set the dns servers
push "dhcp-option DNS 8.8.8.8"              # setting the DNS servers
push "dhcp-option DNS 8.8.4.4"              # setting the secondary DNS servers
log-append /var/log/openvpn                 # location of log file
comp-lzo                                    # compression
#cipher none                                # disables encryption (use this only if you are just using the vpn for streaming)

 

 

Since we are using the VPN tunnel to reach the internet, the server has to forward packets between the tunnel and its public interface, so we enable IP forwarding in the kernel. The line appended to sysctl.conf makes the setting survive reboots; sysctl -p applies it immediately.

 

$ cat >> /etc/sysctl.conf << END
net.ipv4.ip_forward=1
END
$ sysctl -p

 

Now we tell the firewall to NAT the traffic coming out of the tunnel onto the server's public interface. For the iptables command I used venet0, as this is what "ifconfig" reports as the adapter on my OpenVZ machine. Don't forget to enter your own IP in the SNAT variant of the command.

 

$ iptables -P FORWARD ACCEPT
$ iptables --table nat -A POSTROUTING -o venet0 -j MASQUERADE

If that does not work, try the explicit SNAT form, substituting your own public IP:

$ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to YOUR.VPS.IP

 

Let's now save our iptables rules so that they are restored automatically on the next reboot.

 

$ iptables-save > /etc/iptables.conf
$ cat > /etc/network/if-pre-up.d/iptables <<END
#!/bin/sh
iptables-restore < /etc/iptables.conf
END
$ chmod +x /etc/network/if-pre-up.d/iptables

 

The OpenVPN server is done. All we have to do is restart it with the restart command; you should see it restart with an "ok" status.

 

$ service openvpn restart

 

CLIENT CONFIGURATION

The server is done; now we prepare the client. We make a client configuration (.ovpn) file, which is just a simple text file containing parameters that match the newly created OpenVPN server. The .ovpn files are sent to the client machines and used by the OpenVPN clients. We already created our first client when we issued the command ./build-key client, so we will use that as the sample.

 

$ cd /etc/openvpn/easy-rsa/keys

$ vim client.ovpn

 

With the editor open, copy the following.  Remember to change the remote server to your own server:

 

dev tun
client
proto udp
remote YOUR.VPS.IP
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
persist-key
persist-tun
comp-lzo
verb 3
#cipher none
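A quick consistency check between server.conf and the client profile, added here as an example (it is not code from the original article): the options that must agree on both ends, dev, proto, comp-lzo and cipher, are read from both files and compared. The two sample configs are constructed inside the script in a temporary directory; the file paths, the function names and the deliberately mismatched proto are assumptions made for the demonstration.

```shell
# Added example, not from the original article: check that a client .ovpn
# agrees with server.conf on the options that must match on both ends
# (dev, proto, comp-lzo, cipher). The two sample configs are constructed here
# in a temporary directory; on a real server point the functions at
# /etc/openvpn/server.conf and the client profile instead.
WORK="$(mktemp -d)"

cat > "$WORK/server.conf" <<'END'
dev tun                                     # create a routed ip tunnel
proto udp                                   # use udp as protocol
port 1194                                   # port to listen to
server 10.8.0.0 255.255.255.0               # OpenVPN subnet
comp-lzo                                    # compression
#cipher none                                # disables encryption
END

# Deliberately wrong: tcp instead of udp, so the check has something to find.
cat > "$WORK/client.ovpn" <<'END'
dev tun
client
proto tcp
remote YOUR.VPS.IP
nobind
comp-lzo
END

# conf_get FILE OPTION: print the option's first argument, "present" for a
# flag option that takes no argument, or "unset" when the option is absent.
# Lines starting with '#' are comments and never match; a trailing comment
# after a flag (comp-lzo  # compression) is not mistaken for an argument.
conf_get() {
  v="$(awk -v opt="$2" '$1 == opt { v = ($2 == "" || $2 ~ /^#/) ? "present" : $2; print v; exit }' "$1")"
  if [ -n "$v" ]; then echo "$v"; else echo "unset"; fi
}

# check_option SERVERCONF CLIENTOVPN OPTION: print a verdict, return 0 on agreement.
check_option() {
  s="$(conf_get "$1" "$3")"
  c="$(conf_get "$2" "$3")"
  if [ "$s" = "$c" ]; then
    echo "ok        $3: $s"
  else
    echo "MISMATCH  $3: server=$s client=$c"
    return 1
  fi
}

# check_profiles SERVERCONF CLIENTOVPN: compare every option that must agree;
# the return value is the number of mismatches (0 means the profile is consistent).
check_profiles() {
  mismatches=0
  for opt in dev proto comp-lzo cipher; do
    check_option "$1" "$2" "$opt" || mismatches=$((mismatches + 1))
  done
  return $mismatches
}

check_profiles "$WORK/server.conf" "$WORK/client.ovpn" \
  || echo "$? option(s) differ; fix the client profile before connecting"
```

On the VPS, call check_profiles with /etc/openvpn/server.conf and the .ovpn you are about to hand out; a non-zero return is the number of options you still have to align. The port is not compared because the client expresses it as part of the remote line, and the commented-out cipher line counts as unset on both sides, which is what you want as long as encryption stays on.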

 

Now transfer the following files to your client machine and place them in one folder. You can install WinSCP to securely copy the files from your remote server to your local machine.

  • ca.crt
  • client.crt
  • client.key
  • client.ovpn

Now install an OpenVPN client on your machine, point it at the .ovpn file, import it, then connect. That's it. Enjoy your VPN.

 

Bonus:

Alternatively, you can create a single self-contained client configuration by embedding the certificates and key directly in the .ovpn file, between XML-style tags.

 

$ cd /etc/openvpn/easy-rsa/keys

$ vim client.ovpn

 

With the editor open, copy the code below. See the <ca> .... </ca> pairs; just replace '....' with the actual certificates and key. Where do you find the certs and key? They are the contents of your ca.crt, client.crt and client.key:

  • <ca> ... </ca> --->>>> ca.crt
  • <cert> ... </cert> --->>>> client.crt
  • <key> ... </key> ---->>>> client.key

Make sure to copy from the '-----BEGIN CERTIFICATE-----' line through to the '-----END CERTIFICATE-----' line, inclusive. Easy-RSA writes a readable text dump above the BEGIN line in client.crt; leave that out. For client.key the markers read PRIVATE KEY instead of CERTIFICATE.

 

dev tun
client
proto udp
remote YOUR.VPS.IP
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
....
</ca>
<cert>
....
</cert>
<key>
....
</key>

 

 

Now, after doing all that, the only file you have to give to your clients is client.ovpn, because all the information is already inside it. Remember that the file now carries the client's private key, so treat it with the same care as client.key itself.
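The single-file profile from the Bonus section can be assembled from the three files rather than pasted by hand. The shell functions below are an added example, not code from the original article or from Easy-RSA; the three PEM files the script writes are constructed placeholders carrying only the BEGIN/END markers, and the function names, the temporary directory and the client name are assumptions made for the demonstration.

```shell
# Added example, not from the original article: build the single-file client
# profile described in the Bonus section by embedding ca.crt, client.crt and
# client.key between <ca>, <cert> and <key> tags. The three PEM files written
# below are constructed placeholders with the real BEGIN/END markers, not
# certificates; on the server you would run make_inline_ovpn against
# /etc/openvpn/easy-rsa/keys instead.
WORK="$(mktemp -d)"

printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA-BODY' \
  '-----END CERTIFICATE-----' > "$WORK/ca.crt"
# Easy-RSA 2 writes a human-readable dump ("Certificate: ...") above the PEM
# block of client.crt; only the BEGIN..END block belongs in the profile.
printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
  '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT-CERT-BODY' \
  '-----END CERTIFICATE-----' > "$WORK/client.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-CLIENT-KEY-BODY' \
  '-----END PRIVATE KEY-----' > "$WORK/client.key"

# embed TAG FILE: print FILE's BEGIN..END PEM block wrapped in <TAG></TAG>.
# Returns 1 when the file has no PEM block, so a missing or empty key file
# cannot silently produce a profile that only fails at connect time.
embed() {
  grep -q -- '-----BEGIN' "$2" || { echo "embed: no PEM block in $2" >&2; return 1; }
  echo "<$1>"
  sed -n -e '/-----BEGIN/,/-----END/p' "$2"
  echo "</$1>"
}

# make_inline_ovpn KEYDIR NAME SERVER OUTFILE: write the profile for client
# NAME (its files are KEYDIR/NAME.crt and KEYDIR/NAME.key) pointing at SERVER.
# The output is made readable only by its owner because it holds the private key.
make_inline_ovpn() {
  dir="$1"; name="$2"; server="$3"; out="$4"
  {
    cat <<END
dev tun
client
proto udp
remote $server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
END
    embed ca   "$dir/ca.crt"    || return 1
    embed cert "$dir/$name.crt" || return 1
    embed key  "$dir/$name.key" || return 1
  } > "$out"
  chmod 600 "$out"
}

make_inline_ovpn "$WORK" client YOUR.VPS.IP "$WORK/client.ovpn" && cat "$WORK/client.ovpn"
```

The sed range keeps only the BEGIN..END block, which matters for client.crt because Easy-RSA 2 prefixes it with a plain-text dump of the certificate that OpenVPN does not want inside the tags. The same function works for the additional clients created later: pass peter, lois and so on as NAME.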

 

CREATING ADDITIONAL CLIENTS

 

So now you have a complete OpenVPN server setup; it's time to share the connection with your friends and family. Let's go back to the server and use Easy-RSA again.

 

$ cd /etc/openvpn/easy-rsa

$ source vars

 

We are now ready to create additional client certificates and keys. For each client, just use the ./build-key command with a name of your choosing; give every person their own certificate rather than sharing one.

 

$ ./build-key peter

$ ./build-key lois

$ ./build-key chris

$ ./build-key stewie

$ ./build-key brian

 

No key for Meg!

 

The client certificates and keys will now be in the keys directory; then just follow the instructions above on creating the client configuration files and transferring the files.

 

 

TIPS

  1. If you're having problems with your VPN server, check the logs first. With the server.conf above, the log is written to /var/log/openvpn; open that file and review the errors.
  2. If, after doing all the steps, your OpenVPN server won't start, I find that for my VPS all I have to do is turn TUN/TAP off in my SolusVM control panel (which forces a restart), then turn it on again (another restart); after that OpenVPN starts.
  3. For mobile devices, the easiest approach is to create a single .ovpn file (see the Bonus section) and email it to the device. On iOS, install the OpenVPN Connect app from the App Store before opening the email. On Android, download the file to your SD card and point OpenVPN Connect at the SD card's Downloads folder.
  4. There are many OpenVPN clients, but I mostly use the official OpenVPN clients for iOS, Android, Linux and Windows. An alternative for Windows is the open-source Securepoint OpenVPN client if you don't want to use the .NET framework. For Mac, Tunnelblick does the job. For my router, I use Shibby's TomatoUSB build on my Asus RT-N16.
  5. If you are going to use this for streaming geo-restricted sites, you might want to forgo the encryption for performance, but note that disabling encryption removes the security benefit of the VPN: the tunnel still gives you the server's IP, but it no longer protects the traffic inside it.
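For tip 1, a small log triage helper, added here as an example and not part of the original article: it maps the messages OpenVPN writes for the problems covered on this page (TUN/TAP missing, a bad directive such as a leftover tls-auth, TLS handshakes that never complete, certificate verification failures, or no "Initialization Sequence Completed" at all) to a one-line hint. The log is a constructed sample in OpenVPN's message style written to a temporary directory; the message fragments it matches are ones OpenVPN 2.3 emits, while the hints, the helper names and the client IP are assumptions made for the demonstration.

```shell
# Added example, not from the original article: a first pass over the log
# that the server.conf above writes to /var/log/openvpn (tip 1), mapping
# OpenVPN's messages to the likely cause. The log below is a constructed
# sample in OpenVPN's message style, written to a temporary directory;
# on the server run triage_log /var/log/openvpn instead.
WORK="$(mktemp -d)"
cat > "$WORK/openvpn.log" <<'END'
Wed Jun 12 15:52:01 2013 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun  5 2013
Wed Jun 12 15:52:01 2013 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Wed Jun 12 15:52:01 2013 Exiting due to fatal error
Wed Jun 12 15:55:10 2013 Options error: --tls-auth fails with 'ta.key': No such file or directory
Wed Jun 12 16:01:33 2013 Initialization Sequence Completed
Wed Jun 12 16:02:40 2013 203.0.113.7:51234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jun 12 16:03:02 2013 203.0.113.7:51234 VERIFY ERROR: depth=0, error=certificate has expired: /C=US/CN=client
END

# count_matches FILE TEXT: number of log lines containing the fixed string TEXT.
# grep -c exits 1 when the count is zero; that is a result here, not an error.
count_matches() {
  grep -c -F -- "$2" "$1" || true
}

# triage_log FILE: print one hint per problem class found and return how many
# classes were found (0 means the server came up cleanly).
triage_log() {
  f="$1"; found=0
  if [ "$(count_matches "$f" 'Cannot open TUN/TAP dev')" -gt 0 ]; then
    echo "tun: /dev/net/tun is missing; enable TUN/TAP in the SolusVM panel (tip 2)"
    found=$((found + 1))
  fi
  if [ "$(count_matches "$f" 'Options error')" -gt 0 ]; then
    echo "config: a server.conf directive is misspelled or names a missing file (for example a leftover ta.key)"
    found=$((found + 1))
  fi
  if [ "$(count_matches "$f" 'TLS Error')" -gt 0 ]; then
    echo "tls: handshakes are not completing; check that UDP 1194 reaches the VPS and that proto/port match the client"
    found=$((found + 1))
  fi
  if [ "$(count_matches "$f" 'VERIFY ERROR')" -gt 0 ]; then
    echo "cert: a client presented a certificate this CA does not accept (not issued here, or expired)"
    found=$((found + 1))
  fi
  if [ "$(count_matches "$f" 'Initialization Sequence Completed')" -eq 0 ]; then
    echo "start: no 'Initialization Sequence Completed' line; the server never finished starting"
    found=$((found + 1))
  fi
  return $found
}

triage_log "$WORK/openvpn.log" || echo "$? problem class(es) in the log"
```

The return value is the count of problem classes rather than of lines, so a chatty client that retries every minute does not drown out a single fatal startup error. With verb 3 (as set in server.conf) all of these messages are present; raise verb only temporarily if you need more detail, since higher levels log every packet.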

 

 

 

 

 

Last Updated on Wednesday, 07 January 2015 11:28
 
Comments (1)
Problem with ta.key
1 Sunday, 04 January 2015 20:45
Michael Amponsah
I can't find the ta.key in my /etc/openvpn/easy-rsa directory
Administrator's reply:
Re: Problem with ta.key
Wednesday, 07 January 2015 11:25
Administrator
Oops, sorry, I removed the use of the static key, as this was not recommended by OpenVPN and is optional. Please remove any references to ta.key in your server and client profiles. I have edited the doc to remove also any references to ta.key.