Install and Configure OpenVPN Server on Linux

The VPN is very often critical to working within a company. With working from home being such a popular draw to many industries, it is still necessary to be able to access company folders and hardware that exists within the LAN. When outside of that LAN, one of the best ways to gain that access is with the help of a VPN. Many VPN solutions are costly, and/or challenging to set up and manage. Fortunately, for the open source/Linux community, there is a solution that is actually quite simple to set up, configure, and manage. OpenVPN is that solution and here you will learn how to set up the server end of that system.

What Is Needed

I will be setting OpenVPN up on Ubuntu 11.04, using a Public Key Infrastructure with a bridged Ethernet interface. This setup is the quickest route to getting OpenVPN up and running while maintaining a modicum of security.

The first step (beyond having the operating system installed) is to install the necessary packages. Since I will be installing on Ubuntu, the installation is fairly straightforward:

  1. Open up a terminal window.
  2. Run sudo apt-get install openvpn to install the OpenVPN package.
  3. Type the sudo password and hit Enter.
  4. Accept any dependencies.

There is only one package left to install — the package that allows the enabling of bridged networking. Setting up the bridge is simple, once you know how. But before the interface can be configured to handle bridged networking, a single package must be installed. Do the following:

  1. Install the necessary package with the command sudo apt-get install bridge-utils.
  2. Edit the /etc/network/interfaces file to reflect the necessary changes (see below).
  3. Restart networking with the command sudo /etc/init.d/networking restart .

Open the /etc/network/interfaces file and make the changes that apply to your network interface, based on the sample below:

auto lo
iface lo inet loopback

# The LAN address now belongs to br0; eth0 becomes a port of the bridge
# and carries no address of its own.
auto br0
iface br0 inet static
        address 192.168.100.10
        network 192.168.100.0
        netmask 255.255.255.0
        broadcast 192.168.100.255
        gateway 192.168.100.1
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off


Make sure to configure the bridge section (shown above) to match the correct information for your network. Save that file and restart networking. Now it's time to start configuring the VPN server.

Creating Certificates

The OpenVPN server will rely on a certificate authority for security. The certificates must first be created and then placed in the proper directories. To do this, follow these steps:

  1. Create a new directory with the command sudo mkdir /etc/openvpn/easy-rsa/.
  2. Copy the necessary files with the command sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/.
  3. Change the ownership of the newly copied directory with the command sudo chown -R $USER /etc/openvpn/easy-rsa/.
  4. Edit the file /etc/openvpn/easy-rsa/vars and change the variables listed below.

The variables to edit are (the e-mail address shown is a placeholder; use your own):

export KEY_COUNTRY="US"
export KEY_PROVINCE="KY"
export KEY_CITY="Louisville"
export KEY_ORG="Monkeypantz"
export KEY_EMAIL="admin@example.com"   # placeholder: replace with your own contact address

Once the file has been edited and saved, several commands must be entered in order to create the certificates:

  • cd /etc/openvpn/easy-rsa/
  • source vars
  • ./clean-all
  • ./build-dh
  • ./pkitool --initca
  • ./pkitool --server server
  • cd keys
  • sudo openvpn --genkey --secret ta.key
  • sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
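Step 3 above hands the whole easy-rsa tree (including ca.key) to your login user, and the final sudo cp copies the server key and ta.key without -p, so their mode depends on the source files and root's umask. The following is an added example, not code from the article, that audits a directory for private keys readable by group or other and tightens them to 0600; the function names are mine, and the demo uses constructed files in a temporary directory rather than /etc/openvpn.

```shell
#!/bin/sh
# Added example (not from the original article): audit *.key files under a
# directory for group/other permission bits and fix them. Intended targets are
# /etc/openvpn (server.key, ta.key) and /etc/openvpn/easy-rsa/keys (ca.key and
# the client keys).

# audit_key_perms DIR
# Prints every *.key file in DIR whose group/other bits are not all cleared.
# Returns 0 when all keys are owner-only, 1 when at least one is not.
audit_key_perms() {
    dir=$1
    bad=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue            # no *.key files at all
        # Characters 5-10 of "ls -l" output are the group and other bits.
        mode=$(ls -ld "$f" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            printf '%s is readable by group/other (bits %s)\n' "$f" "$mode"
            bad=1
        fi
    done
    return $bad
}

# fix_key_perms DIR: make every *.key in DIR mode 0600 (owner read/write only).
fix_key_perms() {
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        chmod 600 "$f"
    done
}

# Stand-alone demo on constructed files in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    touch "$tmp/server.key" "$tmp/ta.key"
    chmod 644 "$tmp/server.key"          # constructed: a world-readable key
    chmod 600 "$tmp/ta.key"              # constructed: a correctly protected key
    if audit_key_perms "$tmp"; then
        echo "all keys are owner-only"
    else
        echo "tightening permissions"
        fix_key_perms "$tmp"
        audit_key_perms "$tmp" && echo "all keys are owner-only after fix"
    fi
    rm -rf "$tmp"
fi
```

Run it as sh audit-keys.sh --demo to see the constructed case, or source it and call audit_key_perms /etc/openvpn as root after the copy step; the audit only checks mode bits, so ownership (the keys in /etc/openvpn should belong to root) is still something to confirm by hand.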

Client Certificates

The clients will need to have certificates in order to authenticate to the server. To create these certificates, do the following:

  1. cd /etc/openvpn/easy-rsa/
  2. source vars
  3. ./pkitool hostname

Here the hostname is the actual hostname of the machine that will be connecting to the VPN.

Certificates will have to be created in this way for each host that needs to connect to the VPN. Once the certificates have been created, they will need to be copied to the respective clients. The files that must be copied are:

  • /etc/openvpn/ca.crt
  • /etc/openvpn/ta.key
  • /etc/openvpn/easy-rsa/keys/hostname.crt (Where hostname is the hostname of the client).
  • /etc/openvpn/easy-rsa/keys/hostname.key (Where hostname is the hostname of the client).

Copy the above files using a secure method, making sure they end up in the client's /etc/openvpn directory.

Configuring VPN Server

It is time to configure the actual VPN server. The first step is to copy a sample configuration file to work with. This is done with the command sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/. Now decompress the server.conf.gz file with the command sudo gzip -d /etc/openvpn/server.conf.gz. The configuration options to edit are in this file. Open server.conf up in a text editor (with administrative privileges) and edit the following options:


local 192.168.100.10
dev tap0
script-security 2   # required since OpenVPN 2.1 for the user-supplied up/down scripts below to run
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
server-bridge 192.168.100.101 255.255.255.0 192.168.100.105 192.168.100.200
push "route 192.168.100.1 255.255.255.0"
push "dhcp-option DNS 192.168.100.201"
push "dhcp-option DOMAIN example.com"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup

If any of these options are unclear:

  • local is the IP address of the bridged interface (br0).
  • server-bridge is used instead of the usual server directive when the interface is bridged.
  • The server will hand out addresses from the range 192.168.100.105-200 to clients.
  • The push directives are options sent to clients.
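The interfaces stanza earlier and the server-bridge line above have to agree on one subnet: a gateway or client pool outside the bridge's netmask gives clients that connect but cannot reach the LAN, and a pool that contains the server's own address produces an address conflict. The following is an added example, not code from the article, that checks those relationships before networking or OpenVPN is restarted; the function names are mine, and the demo feeds it the article's sample addresses.

```shell
#!/bin/sh
# Added example (not from the original article): consistency check between
# the br0 address/network/netmask in /etc/network/interfaces and the
# gateway and client pool given to server-bridge in server.conf.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NETWORK NETMASK -> true when IP lies inside NETWORK/NETMASK
in_subnet() {
    _ip=$(ip2int "$1"); _net=$(ip2int "$2"); _mask=$(ip2int "$3")
    [ $(( $_ip & $_mask )) -eq $(( $_net & $_mask )) ]
}

# check_bridge_config LOCAL NETWORK NETMASK GATEWAY POOL_START POOL_END
#   LOCAL                 address of br0, also the "local" directive in server.conf
#   NETWORK/NETMASK       network and netmask from the br0 stanza
#   GATEWAY               gateway handed to clients (first server-bridge argument)
#   POOL_START/POOL_END   client address range (last two server-bridge arguments)
# Prints each problem found; returns 0 if consistent, 1 otherwise.
check_bridge_config() {
    c_local=$1; c_net=$2; c_mask=$3; c_gw=$4; c_start=$5; c_end=$6
    rc=0
    for pair in "local=$c_local" "gateway=$c_gw" "pool-start=$c_start" "pool-end=$c_end"; do
        name=${pair%%=*}; addr=${pair#*=}
        if ! in_subnet "$addr" "$c_net" "$c_mask"; then
            echo "$name $addr is outside $c_net/$c_mask"
            rc=1
        fi
    done
    s=$(ip2int "$c_start"); e=$(ip2int "$c_end"); l=$(ip2int "$c_local")
    if [ "$s" -gt "$e" ]; then
        echo "pool start $c_start is above pool end $c_end"
        rc=1
    fi
    # the pool must not contain the server's own address
    if [ "$l" -ge "$s" ] && [ "$l" -le "$e" ]; then
        echo "local address $c_local lies inside the client pool $c_start-$c_end"
        rc=1
    fi
    return $rc
}

# Run with --demo to check the article's sample values.
if [ "${1:-}" = "--demo" ]; then
    check_bridge_config 192.168.100.10 192.168.100.0 255.255.255.0 \
        192.168.100.101 192.168.100.105 192.168.100.200 \
        && echo "bridge and server-bridge settings are consistent"
fi
```

The check is deliberately limited to what can be verified without touching the network; whether the chosen pool overlaps the LAN's existing DHCP scope is a question for whoever runs that DHCP server.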

Bringing The VPN Up And Down

Before the VPN is started (or restarted), two scripts are needed to add the tap interface to the bridge (if bridged networking is not being used, these scripts are not necessary). OpenVPN calls them through the up and down directives in server.conf. The scripts are /etc/openvpn/up.sh and /etc/openvpn/down.sh.

#!/bin/sh
# This is /etc/openvpn/up.sh
# OpenVPN appends the tap device name and MTU to the arguments given in
# server.conf, so with up "/etc/openvpn/up.sh br0" the script receives
# $1 = bridge, $2 = tap device, $3 = tun MTU.

BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up   # bring the tap up; promiscuous mode is needed for bridging
/usr/sbin/brctl addif $BR $DEV            # attach the tap device to the bridge


#!/bin/sh
# This is /etc/openvpn/down.sh
# Called with the same arguments as up.sh: $1 = bridge, $2 = tap device.

BR=$1
DEV=$2

/usr/sbin/brctl delif $BR $DEV            # detach the tap device from the bridge
/sbin/ifconfig $DEV down


Both of the scripts will need to be executable, which is done with the chmod command:

  • sudo chmod 755 /etc/openvpn/down.sh
  • sudo chmod 755 /etc/openvpn/up.sh

Finally, restart OpenVPN with the command sudo /etc/init.d/openvpn restart. The VPN server is now ready to accept connections from clients (the topic of my next tutorial).

Details, Details

One thing that is a must for a VPN is that the machine hosting the VPN has to be accessible to the outside world — assuming users are coming in from the outside world. This can be done by either giving the server an external IP address or by routing traffic from the outside in with NAT rules (which can be accomplished in various ways). It will also be critical to employ best security practices (especially if the server has an external IP address) to prevent any unwanted traffic or users from getting into the server.

 

Comments

  • Konstantin Said:

    Slightly changed config & user script for tap device

    server.conf:
    # ....
    script-security 2
    up "/etc/openvpn/tapctl up br0"
    down "/etc/openvpn/tapctl down br0"
    # ....

    /etc/openvpn/tapctl : pastebin.com/PBtJpbY8

  • Knut E Said:

    Socket bind failed on local address [AF_INET]192.168.100.10:1194: Cannot assign requested address
    Something with the interface / networking? It is started, and restarted with [OK].

  • papertigerv5 Said:

    Hi, I found in your topic that the client must provide its IP and hostname. But the client's IP will be provided by DHCP. What would you do if you face such a situation?

  • Mono Said:

    Hi, thanks for the tutorial. It was very helpful! However, I'd like my (Windows and Linux) computers to connect to my VPN, and have ALL traffic sent through the VPN. That is:
    - how could I configure the VPN to forward all data sent to external (non-LAN) IPs, and
    - how can I convince my client not to use the regular connection but send everything over VPN?

  • Matt Said:

    I'm getting the following error when I run this to create hostname certs:

    cd /etc/openvpn/easy-rsa/
    source vars
    ./pkitool hostname

    matthew@matthew-HP-EliteBook-2530p:/etc/openvpn/easy-rsa$ ./pkitool hostname
    Using Common Name: changeme
    Generating a 1024 bit RSA private key
    ...................................................++++++
    ....++++++
    writing new private key to 'hostname.key'
    -----
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'US'
    stateOrProvinceName :PRINTABLE:'KY'
    localityName :PRINTABLE:'Louiseville'
    organizationName :PRINTABLE:'Monkeypantz'
    organizationalUnitName:PRINTABLE:'changeme'
    commonName :PRINTABLE:'changeme'
    name :PRINTABLE:'changeme'
    emailAddress :IA5STRING:'mail@host.domain'
    Certificate is to be certified until Jul 14 17:52:48 2023 GMT (3650 days)
    failed to update database
    TXT_DB error number 2

  • Vance Said:

    Nice guide Jack, thanks. The easier it is for people to set up a VPN server these days the better, with all the privacy concerns popping up. I have written a guide as well that has a little different spin and will be easier for the beginner. I have used Webmin and the OpenVPN module on Ubuntu 13.04 to set up, configure and manage OpenVPN. It is extremely easy and takes less than 15 minutes. I have also included a video guide to make it as easy as possible. The guide can be seen here >> http://www.ioflare.com/portal/knowledgebase/3/Install-Webmin-And-OpenVPN-On-Your-Ubuntu-Cloud-Server.html

  • saman Said:

    Hi folks, I want to create a network based on this topology http://prntscr.com/2f55xb. I want to ask how a client can remove the DMZ server while the DMZ server is also a client of the OpenVPN server. The OpenVPN server is put on the router.

  • Nikos Said:

    Hi, I am not sure what to put in for my own network settings (/etc/network/interfaces). Can you explain how to get all those IPs etc.?
