In this guide, you will learn how to install OpenVPN Server on Ubuntu 24.04. OpenVPN is a robust and highly flexible open-source VPN software that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It facilitates the extension of private network across a public network, access remote sites, make secure point-to-point connections, while maintaining security that would be achieved in a private network.
Table of Contents
Installing OpenVPN Server on Ubuntu 24.04
Run system update
sudo apt update
Install OpenVPN on Ubuntu 24.04
OpenVPN package is available on the default Ubuntu 24.04 repos. Thus, to install OpenVPN server, run the command below;
sudo apt install openvpn
Install Easy-RSA CA Utility on Ubuntu 24.04
Easy-RSA package provides utilities for generating SSL key-pairs that is used to secure VPN connections.
sudo apt install easy-rsa
Create OpenVPN Public Key Infrastructure
Once you have installed easy-rsa, you need to initialize the OpenVPN PKI. The PKI consists of:
- a public key and private key for the server and each client
- a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
Before you can proceed, copy the easy-rsa configuration directory to a different location to ensure that that future OpenVPN package upgrades won’t overwrite your modifications.
sudo cp -r /usr/share/easy-rsa /etc/
Next, initialize the PKI.
cd /etc/easy-rsa/
sudo ./easyrsa init-pki
Once the PKI is initialized, /etc/easy-rsa/pki is created.
Generate the Certificate Authority (CA) Certificate and Key
Next, generate the CA certificate and key for signing OpenVPN server and client certificates.
cd /etc/easy-rsa/
sudo ./easyrsa build-caThis will prompt you for the CA key passphrase and the server common name.
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
Enter New CA Key Passphrase:
Confirm New CA Key Passphrase:
....+..+...+.+...........+.+..............+.+..+......+.+.....+....+.........+........+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+...+...+..+.+...........+.+...+..+...+....+..+.+............+..+.........+.......+..+.......+...+.....+.......+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+....+.....+.........+..........+.....+....+..+....+..+.........+......+.......+.....+......+...............+.+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
............+...+.....+.+........+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+...+..+...+.+.....+..................+...+...+.+...+..+..........+...+..+......+.......+..+......+....+.........+..+....+......+...+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+....+..+....+...+...+............+...........+.......+..+...+..........+...............+...+..+...+....+..+...+..........+..+...+.......+........+.+......+.....+....+......+.....+...+.+.........+..+.........+.......+...+...........+...................+............+..+......+.......+........+.......+..+.+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:kifarunix
Notice
------
CA creation complete. Your new CA certificate is at:
* /etc/easy-rsa/pki/ca.crt
The CA certificate is generated and stored at /etc/easy-rsa/pki/ca.crt.
Generate Diffie Hellman Parameters
Generate Diffie-Hellman keys used for key exchange during the TLS handshake between OpenVPN server and the connecting clients. This command has be executed within the Easy-RSA directory;
sudo ./easyrsa gen-dh
DH parameters of size 2048 created at /etc/easy-rsa/pki/dh.pem.
Generate OpenVPN Server Certificate and Key
To generate a certificate and private key for the OpenVPN server, run the command below;
cd /etc/easy-rsa
sudo ./easyrsa build-server-full server nopass
Enter the CA key passphrase created above to generate the certificates and keys.
nopassdisables the use of passphrase.- server is the name assigned to the server for which the certificate is being generated. You can replace “server” with the actual name you want to give to your server.
An inline file with is also generated, e.g /etc/easy-rsa/pki/inline/server.inline.
Generate Hash-based Message Authentication Code (HMAC) key
TLS/SSL pre-shared authentication key is used as an additional HMAC signature on all SSL/TLS handshake packets to avoid DoS attack and UDP port flooding. This can be generated using the command;
sudo openvpn --genkey secret /etc/easy-rsa/pki/ta.key
Generate OpenVPN Revocation Certificate
To invalidate a previously signed certificate, you need to generate a revocation certificate. Run the script within the Easy-RSA directory;
sudo ./easyrsa gen-crl
The revocation certificate is generated and stored at /etc/easy-rsa/pki/crl.pem.
Copy Server Certificates and Keys to Server Config Directory
Copy all generated server certificates/keys to OpenVPN server configuration directory.
sudo cp -rp /etc/easy-rsa/pki/{ca.crt,dh.pem,ta.key,crl.pem,issued,private} /etc/openvpn/server/
Generate OpenVPN Client Certificates and Keys
OpenVPN clients certificates and private keys can be generated as follows
cd /etc/easy-rsa
sudo ./easyrsa build-client-full gentoo nopass
- where
gentoois the name of the client for which the certificate and keys are generated. - Always use a unique common name for each client that you are generating certificate and keys for.
To generate for the second client,
sudo ./easyrsa build-client-full janedoe nopass
You can see how to use easyrsa command with ./easyrsa --help.
Copy Client Certificates and Keys to Client Directory
Create OpenVPN clients directories. For example, we have generated certificates and key files for two clients, gentoo and janedoe, hence we create directories as;
sudo mkdir /etc/openvpn/client/{gentoo,janedoe}
After that, copy the client generated certificates/keys and server CA certificate to OpenVPN client configuration directory. You can
sudo cp -rp /etc/easy-rsa/pki/{ca.crt,issued/gentoo.crt,private/gentoo.key} /etc/openvpn/client/gentoo
sudo cp -rp /etc/easy-rsa/pki/{ca.crt,issued/janedoe.crt,private/janedoe.key} /etc/openvpn/client/janedoe/
Configure OpenVPN Server on Ubuntu 24.04
The next step is to configure OpenVPN server.
Copy the sample OpenVPN server configuration to /etc/openvpn/server directory as shown below;
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/
Extract the configuration and modify it to suite your needs;
sudo vim /etc/openvpn/server/server.conf
The configuration is highly commented to help you understand various option usage.
This is how our sample configurations looks like with no comments.
port 1194
proto udp4
dev tun
ca ca.crt
cert issued/server.crt
key private/server.key # This file should be kept secret
dh dh.pem
topology subnet
server 172.16.20.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth SHA512
Save and exit the config once done editing.
Configure OpenVPN IP Forwarding
To ensure that traffic from the client is routed through the OpenVPN server’s IP address (helps masks the the client IP address), you need to enable IP forwarding on the OpenVPN server.
Uncomment the line, net.ipv4.ip_forward=1, on /etc/sysctl.conf to enable packet forwarding for IPv4
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
Apply the changes without rebooting the server.
sudo sysctl --system
Allow OpenVPN service port through firewall;
sudo ufw allow 1194/udp
You can also limit connection to specific sources only;
sudo ufw allow from <source> to any port 1194 proto udp comment "Allow VPN Clients"Or iptables;
sudo iptables -A INPUT -p udp --dport 1194 -m comment --comment "Allow VPN Client" -j ACCEPTConfigure IP Masquerading on UFW
Find your default interface through which your packets are sent.
ip route get 8.8.8.8
8.8.8.8 via 10.0.2.2 dev enp0s3 src 10.0.2.15 uid 1000
cacheNext, update UFW rules (if you are using UFW);
sudo vim /etc/ufw/before.rulesAdd the following highlighted lines just before the *filter table settings. Note the interface used shoud match the interface name above.
...
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.20.0/24 -o enp0s3 -j MASQUERADE
COMMIT
# Don't delete these required lines, otherwise there will be errors
*filter
...
Save and exit the config.
Enable UFW packet forwarding;
sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
If using IPtables then use the command below to enable IP masquerading;
sudo iptables -t nat -A POSTROUTING -s 172.16.20.0/24 -o enp0s3 -j MASQUERADEReload UFW;
ufw reload
Or if you are using iptables;
sudo iptables -A INPUT -p udp --dport 1194 -m comment --comment "Allow VPN Client" -j ACCEPTSave the rule across, across system reboot;
sudo cp /etc/iptables/rules.v4{,.bak}sudo iptables-save | sudo tee /etc/iptables/rules.v4Restart Iptables (ensure iptables-persistent package is installed)
Running OpenVPN Server on Ubuntu 24.04
Start and enable OpenVPN server to run on system boot;
sudo systemctl enable --now openvpn-server@server
Checking the status;
systemctl status openvpn-server@server
● [email protected] - OpenVPN service for server
Loaded: loaded (/usr/lib/systemd/system/[email protected]; enabled; preset: enabled)
Active: active (running) since Wed 2024-02-21 20:34:47 CET; 13min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 30867 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 4622)
Memory: 1.4M (peak: 1.7M)
CPU: 22ms
CGroup: /system.slice/system-openvpn\x2dserver.slice/[email protected]
└─30867 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
Feb 21 20:34:47 noble-numbat systemd[1]: Starting [email protected] - OpenVPN service for server...
Feb 21 20:34:47 noble-numbat systemd[1]: Started [email protected] - OpenVPN service for server.
When OpenVPN service runs, it will create a tunnelling interface, tun0;
ip add s
5: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 172.16.20.1/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::1a27:fd70:3668:112f/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Also, be sure to check the logs;
sudo tail /var/log/openvpn/openvpn.log
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v4_add: 172.16.20.1/24 dev tun0
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDPv4 link local (bound): [AF_INET][undef]:1194
UDPv4 link remote: [AF_UNSPEC]
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=172.16.20.2 size=253
IFCONFIG POOL LIST
Initialization Sequence Completed
Magnificent. The OpenVPN server is now ready. That marks the end of our guide on installing OpenVPN Server on Ubuntu 24.04.
You can now configure your clients accordingly.
