OpenVPN on an Ubuntu VPS

Part of my migration off of a dedicated server onto a VPS required recreating the existing setup for OpenVPN.  I put it off because it took me a good bit of time and tinkering to get it working on the old machine, but happily life is considerably easier installing on the current Ubuntu release.

0) Enable TUN/TAP in the VPS control panel (the TUN network device is needed by OpenVPN).

1) Install openvpn

$ apt-get install openvpn

2) Create and install security certificates and keys needed to authenticate logins.

$ cp -r /usr/share/docs/openvpn/examples/easy-rsa /etc/openvpn
$ cd /
$ cp openssl-1.0.0.cnf openssl.cnf
$ source .vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server server
$ ./build-key client1
$ ./build-dh

3) Paste into /etc/openvpn/openvpn.conf the following: 

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
push "redirect-gateway def1"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 10 120
user nobody
group nogroup
verb 1
log /var/log/openvpn.log

4) Enable IP gateway services on the server.  First uncomment the line in /etc/sysctl.conf that reads ‘net.ipv4.ip_forward=1’.  Next enable the changes and add the appropriate iptables rule (replace with the IP address of the server):

$ sysctl -p
$ iptables -t nat -A POSTROUTING -s -o venet0 -j SNAT --to
$ iptables-save > /etc/iptables.rules

To ensure that the iptables changes are applied at startup, add the following to /etc/rc.local, just before the last line (‘exit 0‘):

/sbin/iptables-restore < /etc/iptables.rules 

5) Start openvpn

$ service restart openvpn 

On the client end there are also a few things to set up.

1) Copy the following files from the server to the client:

  • /etc/openvpn/easy-rsa/2.0/keys/ca.crt

  • /etc/openvpn/easy-rsa/2.0/keys/client1.crt

  • /etc/openvpn/easy-rsa/2.0/keys/client1.key

2) In the same directory as the copied file, paste the following contents into openvpn.conf:

remote 1194 udp
ns-cert-type server
ca ca.crt
ping 60
redirect-gateway def1
ping-restart 120
cert cert.crt
key key.key
dev tun

3) Start OpenVPN

Comments are closed.