June 13, 2011

Install and Configure OpenVPN Server on Linux

The VPN is very often critical to working within a company. With working from home being such a popular draw to many industries, it is still necessary to be able to access company folders and hardware that exists within the LAN. When outside of that LAN, one of the best ways to gain that access is with the help of a VPN. Many VPN solutions are costly, and/or challenging to set up and manage. Fortunately, for the open source/Linux community, there is a solution that is actually quite simple to set up, configure, and manage. OpenVPN is that solution and here you will learn how to set up the server end of that system.

What Is Needed

I will be setting OpenVPN up on a Ubuntu 11.04, using Public Key Infrastructure with a bridged Ethernet interface. This setup allows for the quickest route to getting OpenVPN up and running, while maintaining a modicum of security.

The first step (outside of having the operating system installed) is to install the necessary packages. Since I will installing on Ubunutu, the installation is fairly straightforward:

  1. Open up a terminal window.
  2. Run sudo apt-get install openvpn to install the OpenVPN package.
  3. Type the sudo password and hit Enter.
  4. Accept any dependencies.

There is only one package left to install — the package that allows the enabling of bridged networking. Setting up the bridge is simple, once you know how. But before the interface can be configured to handle bridged networking, a single package must be installed. Do the following:

  1. Install the necessary package with the command sudo apt-get install bridge-utils.
  2. Edit the /etc/network/interfaces file to reflect the necessary changes (see below).
  3. Restart networking with the command sudo /etc/init.d/networking restart .

Open up the /etc/network/interfaces file and make the necessary that apply to your networking interface, based on the sample below:


auto lo
iface lo inet loopback

auto br0
iface br0 inet static
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off


Make sure to configure the bridge section (shown above) to match the correct information for your network. Save that file and restart networking. Now it's time to start configuring the VPN server.

Creating Certificates

The OpenVPN server will rely on certificate authority for security. Those certificates must first be created and then placed in the proper directories. To do this, follow these steps:

  1. Create a new directory with the command sudo mkdir /etc/openvpn/easy-rsa/.
  2. Copy the necessary files with the command sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/.
  3. Change the ownership of the newly copied directory with the command sudo chown -R $USER /etc/openvpn/easy-rsa/.
  4. Edit the file /etc/openvpn/easy-rsa/vars and change the variables listed below.

The variables to edit are:


export KEY_CITY="Louisville"
export KEY_ORG="Monkeypantz"
export KEY_EMAIL="
 This e-mail address is being protected from spambots. You need JavaScript enabled to view it

Once the file has been edited and saved, we'll run several commands must be entered in order to create the certificates:

  • cd /etc/openvpn/easy-rsa/
  • source vars
  • ./clean-all
  • ./build-dh
  • ./pkitool --initca
  • ./pkitool --server server
  • cd keys
  • sudo openvpn --genkey --secret ta.key
  • sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Client Certificates

The clients will need to have certificates in order to authenticate to the server. To create these certificates, do the following:

  1. cd /etc/openvpn/easy-rsa/
  2. source vars
  3. ./pkitool hostname

Here the hostname is the actual hostname of the machine that will be connecting to the VPN.

Now, certificates will have to be created for each host needing to connecting to the VPN. Once the certificates have been created, they will need to be copied to the respective clients. The files that must be copied are:

  • /etc/openvpn/ca.crt
  • /etc/openvpn/ta.key
  • /etc/openvpn/easy-rsa/keys/hostname.crt (Where hostname is the hostname of the client).
  • /etc/openvpn/easy-rsa/keys/hostname.key (Where hostname is the hostname of the client).

Copy the above using a secure method, making sure they are copied to the /etc/openvpn directory.

Configuring VPN Server

It is time to configure the actual VPN server. The first step is to copy a sample configuration file to work with. This is done with the command sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/. Now decompress the server.conf.gz file with the command sudo gzip -d /etc/openvpn/server.conf.gz. The configuration options to edit are in this file. Open server.conf up in a text editor (with administrative privileges) and edit the following options:

dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
push "route"
push "dhcp-option DNS"
push "dhcp-option DOMAIN example.com"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup

If you're unsure of any of the options, here:

  • The local address is the IP address of the bridged interface.
  • The server-bridge is needed in the case of a bridged interface.
  • The server will push out the IP address range of to clients.
  • The push directives are options sent to clients.

Bringing The VPN Up And Down

Before the VPN is started (or restarted) a couple of scripts will be necessary to add the tap interface to the bridge (If bridged networking is not being used, these scripts are not necessary.) These scripts will then be used by the executable for OpenVPN. The scripts are /etc/openvpn/up.sh and /etc/openvpn/down.sh.

#This is /etc/openvpn/up.sh

/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

#This is/etc/openvpn/down.sh


/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down


Both of the scripts will need to be executable, which is done with the chmod command:

  • sudo chmod 755 /etc/openvpn/down.sh
  • sudo chmod 755 /etc/openvpn/up.sh

Finally, restart OpenVPN with the command sudo /etc/init.d/openvpn restart. The VPN server is now ready to accept connections from clients (the topic of my next tutorial.)

Details, Details

One thing that is a must for a VPN is that the machine hosting the VPN has to be accessible to the outside world — assuming users are coming in from the outside world. This can be done by either giving the server an external IP address or by routing traffic from the outside in with NAT rules (which can be accomplished in various ways). It will also be critical to employ best security practices (especially if the server has an external IP address) to prevent any unwanted traffic or users from getting into the server.

Click Here!