In this tutorial, we will show you how to install OpenVPN on Ubuntu 16.04 LTS. For those of you who didn't know, OpenVPN is an open-source application that is widely used to create secure virtual private networks over the unsecured public Internet. OpenVPN is an SSL VPN solution that tunnels your network traffic securely across the Internet. OpenVPN uses a client-server model. All the devices connected to a virtual private network act as if they were linked to your local area network. The packets sent through the VPN tunnel are encrypted with 256-bit AES, which protects the data from being read in transit.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account; if not, you may need to add 'sudo' to the commands to get root privileges. I will walk you through the step-by-step installation of the OpenVPN open-source virtual private network on an Ubuntu 16.04 (Xenial Xerus) server.
Install OpenVPN on Ubuntu 16.04 LTS
Step 1. First, make sure that all your system packages are up-to-date by running the following apt-get commands in the terminal.
sudo apt-get update
sudo apt-get upgrade
Step 2. Installing OpenVPN on Ubuntu 16.04.
Install OpenVPN using the following command:
apt-get install openvpn easy-rsa
Step 3. Setting Certificate Authority.
The OpenVPN server uses certificates to authenticate the server and its clients and to set up the encrypted channel between them. Thus, we need to set up a certificate authority (CA) on the VPS to create and manage these certificates:
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
We’ll be editing some variables toward the end of the file:
nano vars
Change them according to your needs:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="NewYork"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="chedelics@idroot.us"
export KEY_OU="MyOrganizationalUnit"
# X509 Subject Field
export KEY_NAME="chedelics"
Save the file and source it. If there aren't any errors, you'll see the following output:
source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/user/openvpn-ca/keys
Now we can clean up the environment and then build up our CA:
./clean-all
./build-ca
A new RSA key will be created, and you'll be asked to confirm the details you entered into the vars file earlier. Just hit Enter to confirm.
Step 4. Generating a server key and certificate.
Run the command below in the current directory:
./build-key-server server
We will also need to create a Diffie-Hellman parameters file. The file is generated for the key length set in the vars file. By default that is 2048 bits, but you can change it by editing the vars file in the easy-rsa folder:
./build-dh
Finally, generate a shared HMAC key, which OpenVPN's tls-auth option uses to authenticate TLS handshake packets:
openvpn --genkey --secret keys/ta.key
Step 5. Create client public/private keys.
This process will create a single client key and certificate:
source vars
./build-key client1
Step 6. Configure the OpenVPN server.
We will now configure the OpenVPN server:
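cd ~/openvpn-ca/keys
# server.crt and server.key are the names produced by "./build-key-server server".
# ca.key is only needed to sign certificates; the OpenVPN server itself reads ca.crt.
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn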
Next, extract a sample OpenVPN configuration to the default location:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Now edit the configuration file:
nano /etc/openvpn/server.conf
Paste the configurations below (you may change the values of port etc.):
local 192.168.77.20
port 443
proto tcp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
# Certificate, key and DH paths match the files copied to /etc/openvpn above.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
#-ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 4.2.2.1"
keepalive 2 30
comp-lzo
persist-key
persist-tun
status 443status.log
log-append 443log.log
verb 3
Save the file and enable and start the OpenVPN service:
systemctl enable openvpn@server
systemctl start openvpn@server
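If the service does not start, a common cause is a ca, cert, key or dh path in server.conf that does not match where the files were copied. The shell check below is an added example, not part of the original tutorial or of OpenVPN; the function names check_openvpn_conf and demo_mismatch and the sample files are constructed for illustration.

```shell
# Added example: audit the file references in an OpenVPN server config.
# check_openvpn_conf and demo_mismatch are hypothetical helper names.
check_openvpn_conf() {
    conf=$1
    confdir=$(dirname "$conf")
    problems=0
    while read -r directive path _rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|key|dh|tls-auth) ;;
            *) continue ;;   # comments and unrelated directives
        esac
        # Assumption: relative paths are resolved against the config's directory.
        case $path in
            /*) ;;
            *) path=$confdir/$path ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $directive -> $path"
            problems=$((problems + 1))
            continue
        fi
        # Private key and HMAC key must not be readable by group or others.
        case $directive in
            key|tls-auth)
                perms=$(ls -ld "$path" | cut -c5-10)
                if [ "$perms" != "------" ]; then
                    echo "PERMS $directive -> $path (group/other: $perms)"
                    problems=$((problems + 1))
                fi ;;
        esac
    done < "$conf"
    [ "$problems" -eq 0 ]
}

# Constructed sample: dh2048.pem was generated, but one config asks for dh1024.pem.
demo_mismatch() {
    d=$(mktemp -d)
    touch "$d/ca.crt" "$d/server.crt" "$d/server.key" "$d/dh2048.pem"
    chmod 600 "$d/server.key"
    printf 'ca ca.crt\ncert server.crt\nkey server.key\ndh dh2048.pem\n' > "$d/good.conf"
    printf 'ca ca.crt\ncert server.crt\nkey server.key\ndh dh1024.pem\n' > "$d/bad.conf"
    check_openvpn_conf "$d/good.conf" && ! check_openvpn_conf "$d/bad.conf"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Run it as check_openvpn_conf /etc/openvpn/server.conf; a non-zero exit status means at least one referenced file is missing or a key file is readable by other users.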
Step 7. Configure Iptables for OpenVPN.
We will need to add an iptables NAT rule so that client machines can reach the Internet through the VPN (replace venet0 with the name of your server's public network interface):
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
sudo apt-get install iptables-persistent
Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing the OpenVPN server on Ubuntu 16.04 LTS (Xenial Xerus) system. For additional help or useful information, we recommend you check the official OpenVPN website.