OpenVPN on an Ubuntu VPS

Part of my migration off of a dedicated server onto a VPS required recreating the existing setup for OpenVPN.  I put it off because it took me a good bit of time and tinkering to get it working on the old machine, but happily life is considerably easier installing on the current Ubuntu release.

0) Enable TUN/TAP in the VPS control panel (the TUN network device is needed by OpenVPN).

1) Install openvpn

$ apt-get install openvpn

2) Create and install security certificates and keys needed to authenticate logins.

$ cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
$ cd /etc/openvpn/easy-rsa/2.0
$ cp openssl-1.0.0.cnf openssl.cnf
$ source ./vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server server
$ ./build-key client1
$ ./build-dh

3) Paste into /etc/openvpn/openvpn.conf the following: 

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 1
log /var/log/openvpn.log

4) Enable IP forwarding on the server so it can act as a gateway for VPN clients.  First uncomment the line in /etc/sysctl.conf that reads 'net.ipv4.ip_forward=1'.  Next apply the change and add the NAT rule that rewrites client traffic to the server's address (replace xxx.xxx.xxx.xxx with the IP address of the server; venet0 is the public interface on an OpenVZ VPS, so substitute your own outbound interface if it differs):

$ sysctl -p
$ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to xxx.xxx.xxx.xxx
$ iptables-save > /etc/iptables.rules

To ensure that the iptables changes are applied at startup, add the following to /etc/rc.local, just before the last line ('exit 0'):

/sbin/iptables-restore < /etc/iptables.rules 

5) Start openvpn

$ service openvpn restart

On the client end there are also a few things to set up.

1) Copy the following files from the server to the client:

  • /etc/openvpn/easy-rsa/2.0/keys/ca.crt

  • /etc/openvpn/easy-rsa/2.0/keys/client1.crt

  • /etc/openvpn/easy-rsa/2.0/keys/client1.key

2) In the same directory as the copied files, paste the following contents into openvpn.conf:

# server address and port from step 3 of the server setup
remote xxx.xxx.xxx.xxx 1194 udp
dev tun
nobind
tls-client
pull
# refuse to connect unless the server presents a server-type certificate
ns-cert-type server
# files copied from the server in step 1 (relative to this directory)
ca ca.crt
cert client1.crt
key client1.key
redirect-gateway def1
ping 60
ping-restart 120
persist-key
persist-tun

3) Start OpenVPN
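As an added example (not from the original post), here is a small POSIX shell pre-flight check that can be run on either side once the server and client configs above are in place. It reads the ca, cert, key and dh directives from an openvpn.conf, resolves relative paths against the config file's own directory (the layout the client steps above use), confirms each referenced file is readable, and confirms the private key is not group- or world-readable. The function names, the directory-relative path assumption and the constructed sample layout in demo_check are mine, not part of the post or of OpenVPN.

```shell
#!/bin/sh
# Pre-flight check for an OpenVPN config (server or client).
# Added example; assumes relative paths in the config are relative to the
# config file's directory, as in the client setup described above.

# check_openvpn_conf CONF
# Returns 0 when every ca/cert/key/dh file referenced by CONF is readable and
# the private key has no group/other permission bits; returns 1 otherwise,
# printing one line per finding.  dh is only required for a server config.
check_openvpn_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "missing config: $conf"
        return 1
    fi
    dir=$(dirname "$conf")
    rc=0
    for directive in ca cert key dh; do
        # OpenVPN honours the last occurrence of a directive, so keep the last.
        path=$(awk -v d="$directive" '$1 == d { p = $2 } END { print p }' "$conf")
        if [ -z "$path" ]; then
            if [ "$directive" = dh ]; then
                continue            # absent dh is fine for a client config
            fi
            echo "$conf: no '$directive' directive"
            rc=1
            continue
        fi
        case $path in
            /*) ;;                      # absolute path, use as-is
            *)  path="$dir/$path" ;;    # relative: resolve against config dir
        esac
        if [ ! -r "$path" ]; then
            echo "$conf: $directive file not readable: $path"
            rc=1
            continue
        fi
        if [ "$directive" = key ]; then
            # GNU stat first, BSD stat as fallback; both give octal mode bits
            mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
            case $mode in
                ?00) ;;
                *)  echo "$conf: private key $path is mode $mode; should be 600"
                    rc=1 ;;
            esac
        fi
    done
    return $rc
}

# demo_check
# Builds a constructed client-side layout (empty placeholder files, not real
# certificates) in a temp directory, runs the check on it and returns its
# exit status.  Expected: 0, because the key is mode 600 and all files exist.
demo_check() {
    tmp=$(mktemp -d)
    for f in ca.crt client1.crt client1.key; do
        : > "$tmp/$f"
    done
    chmod 600 "$tmp/client1.key"
    printf 'remote 192.0.2.1 1194 udp\nca ca.crt\ncert client1.crt\nkey client1.key\n' \
        > "$tmp/openvpn.conf"
    check_openvpn_conf "$tmp/openvpn.conf"
    demo_rc=$?
    rm -rf "$tmp"
    return $demo_rc
}
```

On the server, run `check_openvpn_conf /etc/openvpn/openvpn.conf` before the `service openvpn restart` in step 5; on the client, run it from the directory holding the copied files. A non-zero exit pinpoints the missing file or the loose key permissions before OpenVPN's own startup error does, and the key-mode check catches the common mistake of copying client1.key over with the default 644.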
