Step 1: Installing OpenVPN
We can start from the terminal by installing the openvpn and easy-rsa packages:
$ sudo apt-get update
$ sudo apt-get install openvpn easy-rsa
Step 2: Setting up certificates
We need to set up a certificate authority (CA) on our server and use it to manage the certificates. Create a working directory for it:
$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca
Edit vars with nano or another editor:
$ nano vars
Change the key fields as follows, substituting your own values:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Tustin"
export KEY_ORG="SSD Nodes"
export KEY_EMAIL="[your-email]"
export KEY_OU="Marketing"
# X509 Subject Field
export KEY_NAME="vpnserver"
Now source the file. You should see only the following notice and no errors:
$ source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/user/openvpn-ca/keys
Then clean out any old keys and build the new CA:
$ ./clean-all
$ ./build-ca
Next up, you need to create the server certificate and key pair. When you run the command below you can change [server] to the name of your choice; you’ll need to reference this name later. For the sake of this tutorial, we’re going with vpnserver.
Note: When prompted, do not enter a password.
Finally, you’ll be asked two questions about signing the certificate and committing it. Hit y and then Enter for both, and you’ll be done.
$ ./build-key-server [server]
Next, you need to build the Diffie-Hellman parameters (this produces keys/dh2048.pem and can take a few minutes):
$ ./build-dh
Finally, generate a static HMAC key for tls-auth. It is shared by the server and every client, and it lets the server drop handshake packets that do not carry a valid HMAC before any TLS work is done:
$ openvpn --genkey --secret keys/ta.key
Step 4: Create the client public/private keys
This process will create a single client key and certificate. If you have multiple users, you’ll want to create a separate pair for each of them.
When running the command below, hit Enter to confirm the variables we set and then leave the password field blank.
$ source vars
$ ./build-key client1
If you want password-protected credentials instead, use:
$ source vars
$ ./build-key-pass client1
Step 5: Configure the OpenVPN server
First, you need to copy the key files we created in ~/openvpn-ca into the /etc/openvpn directory. Note: change the vpnserver.crt and vpnserver.key names according to the [server] name you chose earlier.
$ cd ~/openvpn-ca/keys
$ sudo cp ca.crt ca.key vpnserver.crt vpnserver.key ta.key dh2048.pem /etc/openvpn
Note that the server configuration only references ca.crt. The CA private key, ca.key, is what signs every client certificate, and it does not need to be on the VPN server at all; leaving it only in ~/openvpn-ca/keys (or on a separate machine) limits what an attacker gains if the VPN host is compromised.
Now, extract a sample OpenVPN configuration to the default location.
$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
We now need to make some edits to the configuration file:
$ sudo nano /etc/openvpn/server.conf
First, let’s ensure that OpenVPN is looking for the right certificate and key files. Before:
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
After (change according to the [server] name you chose earlier):
ca ca.crt
cert vpnserver.crt
key vpnserver.key  # This file should be kept secret
Next, enable tls-auth so that clients and the server must present the identical HMAC key. Before:
;tls-auth ta.key 0 # This file is secret
After:
tls-auth ta.key 0 # This file is secret
key-direction 0
Because we are going to use this VPN to route our traffic to the internet, we need to uncomment a few lines that push the default gateway and DNS servers to clients. You should also remove bypass-dhcp from the first line in question.
If you would prefer to use a DNS other than OpenDNS, change the two lines that begin with push "dhcp-option DNS.
Before:
# If enabled, this directive will configure all clients to redirect their
# default network gateway through the VPN, causing all IP traffic such as
# web browsing and DNS lookups to go through the VPN (The OpenVPN server
# machine may need to NAT or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings can be pushed to clients, such
# as DNS or WINS server addresses. CAVEAT: http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
After:
# If enabled, this directive will configure all clients to redirect their
# default network gateway through the VPN, causing all IP traffic such as
# web browsing and DNS lookups to go through the VPN (The OpenVPN server
# machine may need to NAT or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1"
# Certain Windows-specific network settings can be pushed to clients, such
# as DNS or WINS server addresses. CAVEAT: http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
Then we need to select the cipher to use. Uncomment the AES cipher and change it to 256, and then add auth SHA512 at the bottom of the block. Before:
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
After:
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
cipher AES-256-CBC    # AES
;cipher DES-EDE3-CBC  # Triple-DES
auth SHA512
Note that OpenVPN 2.4 and later negotiate AES-256-GCM between server and client automatically and use the cipher line only as a fallback for clients that cannot negotiate; from 2.5 onward the preferred directive for this is data-ciphers.
Finally, let’s have OpenVPN drop to a non-privileged user account after start-up instead of continuing to run as root, which isn’t particularly secure. Set:
user openvpn
group nogroup
You can now save and close this file, then create that user (a system account with no login shell and no home directory):
$ sudo adduser --system --shell /usr/sbin/nologin --no-create-home openvpn
The OpenVPN server should now be set up!
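Before starting the service it is worth confirming that every edit from this step actually took (a directive left behind a ";" silently keeps the sample default). The following checker is an added example, not part of the SSD Nodes tutorial: it greps a server.conf for the directives set above, counts the two DNS pushes, verifies that the private key named by the key directive is not readable by group or other, and warns if ca.key was copied alongside it. The file names and values it looks for are the ones used in this tutorial.

```shell
#!/bin/sh
# check_server_conf CONF
# Greps a server.conf for the directives this tutorial enables and verifies
# the private key it names is not readable by group/other. Returns 0 when
# every check passes, 1 otherwise, printing each failure to stderr.
check_server_conf() {
    conf="$1"
    dir=$(dirname "$conf")
    rc=0

    # Each directive must appear active (no leading ';' or '#') at line start.
    for want in \
        '^tls-auth ta\.key 0' \
        '^key-direction 0' \
        '^cipher AES-256-CBC' \
        '^auth SHA512' \
        '^push "redirect-gateway def1"$' \
        '^user openvpn' \
        '^group nogroup'
    do
        grep -Eq "$want" "$conf" || { echo "missing or commented out: $want" >&2; rc=1; }
    done

    # The tutorial pushes exactly two DNS servers (and strips bypass-dhcp,
    # which the anchored redirect-gateway pattern above already enforces).
    n=$(grep -Ec '^push "dhcp-option DNS ' "$conf" || true)
    [ "$n" -eq 2 ] || { echo "expected 2 dhcp-option DNS pushes, found $n" >&2; rc=1; }

    # 'key' (not 'key-direction') names the server's private key; it lives
    # next to server.conf and must be owner-readable only.
    keyfile=$(awk '$1 == "key" { print $2; exit }' "$conf")
    if [ -n "$keyfile" ] && [ -e "$dir/$keyfile" ]; then
        mode=$(ls -ld "$dir/$keyfile" | cut -c5-10)
        [ "$mode" = "------" ] || { echo "$keyfile is readable by group/other ($mode)" >&2; rc=1; }
    fi

    # server.conf references only ca.crt; the CA private key need not be here.
    if [ -e "$dir/ca.key" ]; then
        echo "warning: ca.key present in $dir; the server does not need it" >&2
    fi

    return $rc
}

# Stand-alone use (uncomment): sh check_server_conf.sh /etc/openvpn/server.conf
# check_server_conf "${1:-/etc/openvpn/server.conf}"
```

Run it as root against /etc/openvpn/server.conf; a non-zero exit with the printed list tells you which edit to revisit before you start the service.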
Step 6: Start up the OpenVPN server
Before we configure our clients, let’s make sure the OpenVPN server is running as we hope it will.
Make sure to turn on TUN/TAP in the SSD Nodes dashboard.
$ sudo systemctl enable openvpn@server.service
$ sudo systemctl start openvpn@server.service
The server part of the unit name selects /etc/openvpn/server.conf. You can double-check that OpenVPN is running with the systemctl status command:
$ sudo systemctl status openvpn@server.service
If you’re having problems getting OpenVPN to start, commenting out the offending line in /lib/systemd/system/openvpn@.service, as discussed in this Ask Ubuntu thread, may help. You’ll then need to run sudo systemctl daemon-reload and then sudo systemctl start openvpn@server.service.
You will also need to set up iptables to properly direct traffic. First, look for the default interface:
$ sudo ip route | grep default
default dev venet0 scope link
The venet0 field (the interface name following dev) is what we’re looking for. Then we add the iptables rule. To ensure this rule persists between reboots, install the iptables-persistent package, which will prompt you to save the existing rules; choose Yes and your rules will be persisted going forward.
$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
$ sudo apt-get install iptables-persistent
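The grep above relies on the OpenVZ form of the route line; on a KVM or bare-metal host the default route reads "default via <gateway> dev eth0 ..." and the interface is no longer the second word. The helper below is an added example, not part of the tutorial: it extracts the interface from either form, prints the MASQUERADE rule for review rather than applying it, and also prints the IP-forwarding sysctl, which the tutorial does not mention but which the kernel needs before it will pass packets between tun0 and the uplink. The 10.8.0.0/24 subnet and the interface names are the tutorial's; the sysctl file name 99-openvpn-forward.conf is an assumption.

```shell
#!/bin/sh
# default_iface_from ROUTE_LINE
# Pulls the interface name out of one 'ip route' default line. Handles both
# the OpenVZ form ("default dev venet0 scope link") and the usual KVM form
# ("default via 203.0.113.1 dev eth0 proto dhcp ..."). Prints nothing if
# the line is not a default route.
default_iface_from() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 1; i < NF; i++)
                if ($i == "dev") { print $(i + 1); exit }
        }'
}

# default_iface: same thing against the live routing table (run on the VPS).
default_iface() {
    default_iface_from "$(ip route show default 2>/dev/null | head -n 1)"
}

# nat_rule SUBNET IFACE
# Prints the masquerade rule for the VPN subnet. Printed rather than applied
# so it can be reviewed first, then run as root and saved with
# iptables-persistent as the tutorial describes. Fails if IFACE is empty,
# which is what an unparsed route line would otherwise silently produce.
nat_rule() {
    subnet="$1"; iface="$2"
    if [ -z "$iface" ]; then
        echo "nat_rule: no default interface found" >&2
        return 1
    fi
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$subnet" "$iface"
}

# forwarding_commands
# Masquerading alone does not move packets between tun0 and the uplink: the
# kernel must also have IPv4 forwarding enabled, both now and after reboot.
forwarding_commands() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'echo net.ipv4.ip_forward=1 > /etc/sysctl.d/99-openvpn-forward.conf'
}

# Stand-alone use (uncomment): print the commands to review and run as root.
# iface=$(default_iface) && nat_rule 10.8.0.0/24 "$iface" && forwarding_commands
```

On an OpenVZ container the forwarding sysctl may be controlled by the host; if it cannot be set, that is the place to look when clients connect but cannot reach the internet.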
Step 7: Configure clients
Lastly, you need to create client configurations. You can store these in any folder you’d like, as long as it isn’t the /etc/openvpn folder. The directory itself doesn’t need to be kept secret, but keep in mind that the finished .ovpn files will embed each client’s private key and the shared ta.key, so restrict who can read them. We’ll create a directory in home for this purpose.
$ cd ~
$ mkdir openvpn-clients
$ cd openvpn-clients
Now, copy the sample client configuration into this new directory, and then open it in nano for editing.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/openvpn-clients/base.conf
$ nano base.conf
Look for the following block of lines. You’ll need to change my-server-1 to the public IP address of this VPS. You can find this information in the SSD Nodes dashboard, or by running the ifconfig command and looking for the inet field that holds the public address rather than the loopback address.
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194
Next, uncomment the following two lines by removing the semicolons. Before:
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup
After:
user nobody
group nogroup
Because we’ll be adding keys and certificates directly into the .ovpn file, let’s comment out the following lines by adding semicolons to the beginning. Before:
# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key
After:
# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key
Finally, jump to the bottom of the file and add the following lines. The first two mirror the cipher/auth options we added to the server.conf file earlier, and the third (key-direction 1, the counterpart of the server’s key-direction 0) establishes that this file will be used to connect to the server, not the other way around.
We’re also adding three commented-out lines that should be uncommented on Linux-based clients that have the /etc/openvpn/update-resolv-conf script (it relies on the resolvconf utility), so that the DNS servers pushed by the server are actually applied.
# Added lines via SSD Nodes tutorial
cipher AES-256-CBC
auth SHA512
key-direction 1
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
Finally, you need to embed the keys and certificates into an .ovpn file using base.conf as a framework. Copy this entire command and execute it to embed the keys and create a final client1.ovpn:
$ cat base.conf \
    <(echo -e '<ca>') ~/openvpn-ca/keys/ca.crt <(echo -e '</ca>') \
    <(echo -e '<cert>') ~/openvpn-ca/keys/client1.crt <(echo -e '</cert>\n') \
    <(echo -e '<key>') ~/openvpn-ca/keys/client1.key <(echo -e '</key>\n') \
    <(echo -e '<tls-auth>') ~/openvpn-ca/keys/ta.key <(echo -e '</tls-auth>') \
    >> client1.ovpn
The <( ) process substitutions require bash, and >> appends, so run the command only once per client (or delete client1.ovpn first), otherwise the file ends up with duplicate blocks.
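The one-liner above has two sharp edges: a missing input file produces an .ovpn with an empty block that only fails at connect time, and the file is created with the default umask even though it now holds the client's private key and ta.key. The function below is an added example, not the tutorial's own command: it does the same inlining, but refuses to run if any input is unreadable, overwrites rather than appends, and creates the output owner-readable only. The file names follow the tutorial; count_tag is a small helper, assumed here, for checking that each inline block appears exactly once.

```shell
#!/bin/sh
# build_ovpn BASE_CONF CA_CRT CLIENT_CRT CLIENT_KEY TA_KEY OUT_FILE
# Writes OUT_FILE as BASE_CONF followed by the four inline blocks OpenVPN
# understands (<ca>, <cert>, <key>, <tls-auth>).
build_ovpn() {
    base="$1"; ca="$2"; crt="$3"; key="$4"; ta="$5"; out="$6"

    # Fail early: an .ovpn with an empty <key> block is much harder to debug.
    for f in "$base" "$ca" "$crt" "$key" "$ta"; do
        if [ ! -r "$f" ]; then
            echo "build_ovpn: cannot read $f" >&2
            return 1
        fi
    done

    # Subshell so the restrictive umask does not leak to the caller. The
    # output is removed first so a pre-existing world-readable copy does not
    # keep its old permissions, and so re-running never stacks duplicates.
    (
        umask 077
        rm -f "$out"
        {
            cat "$base"
            echo "<ca>";        cat "$ca";  echo "</ca>"
            echo "<cert>";      cat "$crt"; echo "</cert>"
            echo "<key>";       cat "$key"; echo "</key>"
            echo "<tls-auth>";  cat "$ta";  echo "</tls-auth>"
        } > "$out"
    )
}

# count_tag FILE TAG
# Number of lines in FILE consisting of exactly TAG; in a well-formed .ovpn
# each inline tag appears once.
count_tag() {
    grep -c "^$2\$" "$1" || true
}

# Stand-alone use mirroring the tutorial's paths (uncomment, adjust client1):
# k=~/openvpn-ca/keys
# build_ovpn base.conf "$k/ca.crt" "$k/client1.crt" "$k/client1.key" "$k/ta.key" client1.ovpn
```

Because the key files produced by easy-rsa live in ~/openvpn-ca/keys, run this as the same user that ran build-key; the resulting client1.ovpn is the only file that then needs to travel to the client.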
This tutorial won’t cover client configurations in detail, but we’ll share one easy way to transfer the .ovpn file to your Linux or OS X client. Run this command on the client, substituting your username and the address of the VPS: it will ssh into your VPS and use cat to write a new client1.ovpn file on your local machine.
$ ssh [user]@[vps-ip] "cat ~/openvpn-clients/client1.ovpn" > client1.ovpn
Once you configure your client, you should be able to connect to the VPN and access the wider internet through it. Congratulations!