Hello everyone! Hope everyone is having a good start to summer. I’ve been extremely busy as usual, but I had a moment of time to start this new HOWTO, How to Install OpenVPN in Ubuntu 16.04 so that you can connect to your home machines or browse the Internet safely from anywhere in the world. If you don’t know what a VPN, or Virtual Private Network is, this is a simple answer. Its a Network that allows encrypted information between the VPN server and your machine so that it appears like it is on the same network as the rest of your home equipment, but are over the internet. This is useful if you are working remote and need access to your servers at home, but don’t have them connected directly to the Internet with their own IP address.<\/p>\n
The main reason I am writing this, is because I had to setup a VPN connection to my home lab so that my co-workers could connect to the various network equipment I have in my lab and test on this equipment. So I setup a VPN so that they can connect into my lab, get on the switches, get on the console concentrator, and power up, power down, and work on the switches remotely. It’s extremely secure since I have to give the user a certificate to connect to my VPN server and I control them so that if they don’t need access anymore, I kill that certificate in my Certificate Authority and they can no longer login on my network.<\/p>\n
This HowTo is going to show how I setup OpenVPN on Ubuntu 16.04, and secured the system using UFW so that only 2 ports are exposed to the world to limit the attack surface of my VPN server.First thing I did was install Ubuntu Server 16.04. I used Virtual Machines quite extensively, so that is how this started. I created a VM, made sure to set it’s network interface to my external IP pool, gave it 1GB of RAM and 1 vCPU, 16GB of storage and installed Ubuntu on it. The only other software I installed was OpenSSH-Server and that was completed. I then modified the \/etc\/network\/interfaces file so that it had a static IP address, gateway and DNS server information, subnet range, and what the device was called. This is important since it will come into play when you are setting up the the VPN server so that it knows what to tunnel through for the firewall rules. In this example, the device is ens160, but it will be whatever your system calls it, typically this is eth0.<\/p>\n
After the server was installed, I ran the following to make sure it was all up to date and had the latest repositories:<\/p>\n
I reboot the server after this so that it used the new IP address, and was running with the latest updates.<\/p>\n I than ran I than ran Once that completes, change directory to the CA folder Modify these variables for your needs. Also, find the variable KEY_NAME and change it to the name of your server.<\/p>\n Now, you are ready to build the CA. Run Go ahead and run You will be given a bunch of options, most of which you already set in the\u00a0vars\u00a0<\/em>file, so just hit enter to accept them.<\/p>\n We now are ready to create the server certificate, the key and encryption files. This is done with the command The second one is:<\/p>\n It will update the database and now we are ready to generate the encryption key. Use the command Now we are ready to build the client certificate so that you can connect to your VPN server. While still in the ~\/openvpn-ca directory, and while you are still sourced to vars, run You are now ready to copy the required files to the \/etc\/openvpn directory so that we can configure openvpn to run.<\/p>\n Go into the keys directory:<\/p>\n We are now ready to copy the example server.conf file to the \/etc\/openvpn directory so that we can configure the server. You have to uncompress it first:<\/p>\n Now we have to modify the file so that it works with our environment.<\/p>\n Search for Then below that is the “dhcp-option DNS” settings. Uncomment them and set them to your DNS servers or leave them as the defaults. I changed them to my internal DNS so that users can use my internal names of my systems and get to them easier than searching around for IP addresses. Next, uncomment the HMAC section by searching for Now we have to allow the system to do IP Forwarding and modify the Firewall to secure the system. First, modify \/etc\/sysctl.conf and uncomment Next, modify the \/etc\/ufw\/before.rules so we can setup Masquerading for the VPN server. Right after the Remember when I said to remember your network device from when we were setting up the static IP of the server? After the Now we need to disable and re-enable ufw so that it will read the changes in the files we modified:<\/p>\n Now we are ready to start OpenVPN. Since our configuration is called\u00a0server.conf<\/em>, when we start openvpn, we will tell it Check that it is running by running Now we are ready to setup the clients. First thing I did was create a new directory for the client files so that I could scp them to my colleagues and my different machines and devices (OpenVPN works on Windows, MacOSX, Linux, iPhone, and Android)<\/p>\n Also, because there will be multiple keys in this folder for different machines, I locked it down so that only I had access to that folder: Next, I copied the example configuration for clients to this location:<\/p>\nsudo apt update && sudo apt upgrade -y<\/code><\/p>\nsudo apt install openvpn easy-rsa<\/code>\u00a0to install the required binaries I needed.<\/p>\nmake-cadir ~\/openvpn-ca<\/code>. This command creates the minimum config files and sources so that you can build a Certificate Authority (CA) on the system. This is required to create the certificates that will be used by the server and the clients to connect and verify the systems so that they trust each other.<\/p>\ncd ~\/openvpn-ca<\/code>, and modify the\u00a0vars<\/em> file vi vars<\/code>. Go to the section that looks like this:<\/p>\nexport KEY_COUNTRY=\"US\"\r\nexport KEY_PROVINCE=\"CA\"\r\nexport KEY_CITY=\"SanFrancisco\"\r\nexport KEY_ORG=\"Fort-Funston\"\r\nexport KEY_EMAIL=\"me@myhost.mydomain\"\r\nexport KEY_OU=\"MyOrganizationalUnit\"<\/code><\/pre>\nexport KEY_NAME=\"server\"<\/code><\/p>\nsource vars<\/code>\u00a0and you should get the following output:<\/p>\nNOTE: If you run .\/clean-all, I will be doing a rm -rf on \/home\/wililupy\/openvpn-ca\/keys<\/code><\/p>\n.\/clean-all<\/code> to make sure that the environment is good to go. Now we are ready to build the CA. Run the command .\/build-ca<\/code>.<\/p>\n.\/build-key-server server<\/code>\u00a0where\u00a0server<\/em> is the name of your VPN server. Once again, it looks at the\u00a0vars<\/em> file and uses those for the defaults, and then it will have two prompts you need to answer. The first one is:<\/p>\nCertificate is to be certified until June 13 15:26:11 2026 GMT (3650 days)\r\nSign the certificate? [y\/n]:y<\/code><\/pre>\n1 out of 1 certificate requests certified, commit? [y\/n]y<\/code><\/pre>\n.\/build-dh<\/code>\u00a0to do this. It takes about 2 minutes for this command to complete. You will see …. and * while it randomizes. Lastly, we need to generate the HMAC signature. To do this use the following command:<\/p>\nopenvpn --genkey --secret keys\/ta.key<\/code><\/p>\n.\/build-key client<\/code>\u00a0where\u00a0client<\/em> is the hostname of the client machine\/username. Make sure you say Y at the prompts to sign the certificate and commit the certificate.<\/p>\ncd ~\/openvpn-ca\/keys<\/code>\u00a0and copy the certificates and keys to \/etc\/openvpn<\/p>\nsudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem \/etc\/openvpn<\/code><\/p>\ngunzip -c \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz | sudo tee \/etc\/openvpn\/server.conf<\/code><\/p>\nsudo vi \/etc\/openvpn\/server.conf<\/code><\/p>\nredirect-gateway<\/code>\u00a0and remove the ; to uncomment the setting so that it looks like this:<\/p>\npush \"redirect-gateway def1 bypass-dhcp\"<\/code><\/p>\ntls-auth<\/code>\u00a0and just under that variable, add key-direction 0<\/code>. Last, search for user<\/code>\u00a0and uncomment user nobody<\/code>\u00a0and group nogroup<\/code>\u00a0so that the service knows who to run as.<\/p>\nnet.ipv4.ip_forward=1<\/code>\u00a0and then save the file and run sudo sysctl -p<\/code>\u00a0to make the changes take effect.<\/p>\n# \u00a0ufw-before-forward<\/code>\u00a0option, enter the following:<\/p>\n*nat\r\n:POSTROUTING ACCEPT [0:0]\r\n-A POSTROUTING -s 10.8.0.0\/8 -o ens160 -j MASQUERADE\r\nCOMMIT<\/code><\/pre>\n-o<\/code>\u00a0option in the before-rules file, that is where the name of your device goes. Save the file. Now we have to set UFW to forward by default. Modify the \/etc\/default\/ufw<\/code>\u00a0file and find the DEFAULT_FORWARD_POLICY<\/code>\u00a0and set it to \"ACCEPT\"<\/code>. Save this file and now all we have to do is allow ufw the openvpn port and protocol and enable the ssh variable:<\/p>\nsudo ufw allow 1194\/udp\r\nsudo ufw allow 22\/tcp<\/code><\/pre>\nsudo ufw disable\r\nsudo ufw enable<\/code><\/pre>\n@server<\/code>\u00a0so that it will use that configuration. Nice this about openvpn, is that we can have multiple configuration, and multiple instances of the VPN server running, all we have to do is trail @configname<\/code>\u00a0after it and it will run that config. To start openvpn, run the following command:<\/p>\nsudo systemctl start openvpn@server<\/code><\/p>\nsudo systemctl status openvpn@server<\/code>\u00a0and look for the Active: active (running)<\/code>. If everything looks good, set it to run at startup by running sudo systemctl enable openvpn@server<\/code>.<\/p>\nmkdir -p ~\/client-configs\/files<\/code><\/p>\nchmod 700 ~\/client-configs\/files<\/code>.<\/p>\ncp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/client.conf ~\/client-configs\/base.conf<\/code>\u00a0and then edited the file to meet my client needs.<\/p>\n