Cyber Month Deal - up to 36% OFF

How to Install a Private OpenVPN Server on Ubuntu 22.04 [Step-by-Step]

Published on Jul 24, 2024 Updated on Dec 2, 2024

OpenVPN grants the ability to establish secure tunnels through a single UDP or TCP port, employing OpenSSL encryption, authentication, and certification methods. In this tutorial, I’ll guide you through the process of setting up and configuring an OpenVPN server on Ubuntu.

With this guide's help, you can easily establish point-to-point connections with the same security level achieved by private networks. You will also be able to allow private networks to access remote websites safely.

What is a private OpenVPN server?

Let's start with understanding what a private OpenVPN server is. We can define it as a VPN server that runs on OpenVPN, an open-source software. However, it's private, which means it was set up by organizations for their exclusive use. Even individuals can set them up for their personal use.

The fundamental thing about private OpenVPN servers is that strict controls are in place for accessing them. Only users who have been granted permission and have the proper credentials can use the network.

Another great thing about private OpenVPN servers is that you can significantly customize them. You can adjust them for security features, network setups, and permissions based on your requirements.

Prerequisites

Ensure that your Ubuntu system meets the necessary requirements before proceeding with the configuration of an OpenVPN server.

  • Ubuntu 22.04 system: Make sure that your Ubuntu 22.04 system is operational and accessible. Administrative or root privileges are required here;

  • Terminal access: You can connect directly or use SSH for remote access;

  • Basic command line proficiency: Familiarity with command line operations is necessary to follow the instructions in this article;

  • Understanding of networking concepts: This will help you configure the server correctly. You must specifically comprehend IP addresses, subnets, and firewalls.

Once you have all the requirements, you can continue by following the instructions provided in this article.

Install a private OpenVPN server on Ubuntu: Step-by-step

Although installing a private OpenVPN server on Ubuntu involves many steps, you'll find it straightforward as you follow the instructions below. The entire process typically takes less than an hour. I'll cover how to update your system, install the necessary software, configure server and client certificates, and adjust server settings to ensure a secure VPN connection.

Step 1: System update

Begin by updating the package list. Performing this step guarantees the installation of the latest software versions and security updates. Run the provided command to update your system's package list.

sudo apt update

Output:

update system packages

Step 2: Install OpenVPN and Easy-RSA

OpenVPN is the leading software for establishing and handling VPN connections. Meanwhile, Easy-RSA serves as a utility designed to simplify the generation of essential SSL certificates and keys for secure communication.

You can install these two software by using the commands provided below.

Install the OpenVPN:

sudo apt install openvpn

Output:

installing openvpn

Install the Easy-RSA:

sudo apt install easy-rsa

Output:

installing easy-ra

Step 3: Initialize the Easy-RSA PKI

Once Easy-RSA is installed, you have to initialize the Public Key Infrastructure. This step is necessary to set up the certificate authority and generate the certificates and keys needed for OpenVPN.

Initially, copy the Easy-RSA configuration directory to an alternate location. This precaution will safeguard your alterations from being overwritten by future package upgrades.

sudo cp -r /usr/share/easy-rsa /etc/

Output:

copying easy-rsa config dir

Navigate to the copied directory and initialize the Public Key Infrastructure.

cd  /etc/easy-rsa/

navigating to copied dir

sudo ./easyrsa init-pki

Output:

initializing public key infrastructure

Step 4: Generate the certificate authority

In this step, you will generate the Certificate Authority certificate and key.

sudo ./easyrsa build-ca

Output:

generating certificate authority

Here you'll be prompted to enter a password and a common name for the Certificate Authority key for security. The CA key should be kept secure as it signs certificates for your VPN.

Step 5: Generate Diffie-Hellman parameters

With Diffie-Hellman keys, you can establish secure connections with strong encryption. However, It is possible to skip this step entirely, but you would leave your VPN setup less secure.

sudo ./easyrsa gen-dh

Output:

securing connection with keys

Step 6: Generate OpenVPN server certificate and key

In this step, you generate the server certificate and key for your OpenVPN server.

Here, you first have to change the current working directory to the Easy-RSA directory.

cd  /etc/easy-rsa

navigate to easy-rsa dir

Feel free to exchange "server" with a different server name in the provided code. This name will be used for client connections to identify the server.

sudo ./easyrsa build-server-full server nopass

Output:

generating server certificate and key

The nopass flag disables passphrase protection.

Step 7: Generate HMAC key

The TLS/SSL pre-shared authentication key adds an extra layer of security by including an HMAC signature on every SSL/TLS handshake packet. This measure helps prevent potential DoS attacks and UDP port flooding. Although not mandatory, I strongly advise you to consider this step, particularly if you intend to safeguard against specific attacks.

sudo openvpn --genkey secret /etc/easy-rsa/pki/ta.key

generating HMAC key

Step 8: Generate OpenVPN revocation certificate

Generate a revocation certificate to invalidate previously signed certificates.

sudo ./easyrsa gen-crl

Output:

generating revocation certificate

Step 9: Copy server certificates and keys

In this step, copy the generated server certificates and keys to the OpenVPN server's configuration directory. These files are necessary for establishing secure connections between the server and clients.

sudo cp -rp /etc/easy-rsa/pki/{ca.crt,dh.pem,ta.key,crl.pem,issued,private} /etc/openvpn/server/

Output:

copying server certificates and keys

Step 10: Generate OpenVPN client certificates and keys

This step involves creating certificates and keys for each client that will connect to the OpenVPN server. These certificates and keys are unique to each client and are used for authentication. Use the client's actual name instead of "clientname" in the code below.

cd /etc/easy-rsa

navigate to easy-rsa dir

sudo ./easyrsa build-client-full clientname nopass

Output:

generate client certificates and keys

Step 11: Create client directories and copy files

Create directories for each client and copy their certificates and keys. Change "clientname" to the real name of the client you are configuring. Every client must have their own directory. Organizing client-specific directories ensures that each client has a designated place to store their credentials. This separation increases security and simplifies management.

sudo mkdir /etc/openvpn/client/clientname

create client dir

After that, specific client_related files must be copied to your client's directory.

sudo cp -rp /etc/easy-rsa/pki/{ca.crt,issued/clientname.crt,private/clientname.key} /etc/openvpn/client/clientname/

copy client files to new dir

Step 12: Configure OpenVPN server

Here, you're copying a sample server configuration file to the OpenVPN server configuration directory. This file contains settings that control how the OpenVPN server operates.

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/

copying server config file

Step 13: Edit the server configuration file

To modify the server configuration, you'll need to utilize a text editor such as nano. The included configuration file offers several adjustable parameters that cater to your preferences. These parameters oversee various aspects, like the server's listening port, tunnel device type, encryption preferences, and more.

sudo nano /etc/openvpn/server/server.conf

edit server config file

Enter following instructions:

port 1194  
proto udp4  
dev tun  
ca ca.crt  
cert issued/server.crt  
key private/server.key # This file should be kept secret  
dh dh.pem  
topology subnet  
server 172.16.20.0 255.255.255.0  
ifconfig-pool-persist /var/log/openvpn/ipp.txt  
push "redirect-gateway def1 bypass-dhcp"  
push "dhcp-option DNS 208.67.222.222"  
push "dhcp-option DNS 208.67.220.220"  
client-to-client  
keepalive 10 120  
tls-auth ta.key 0 # This file is secret  
cipher AES-256-CBC  
persist-key  
persist-tun  
status /var/log/openvpn/openvpn-status.log  
log-append /var/log/openvpn/openvpn.log  
verb 3  
explicit-exit-notify 1  
auth SHA512

Modify the file based on your preferences. Refer to the explanations below:

  • port 1194: The port on which OpenVPN will listen for incoming connections.

  • proto udp4: Specifies the use of UDP as the transport protocol for communication.

  • dev tun: Defines the type of tunnel network device to be used.

  • ca ca.crt: Specifies the Certificate Authority certificate file to verify the authenticity of remote peers.

  • cert issued/server.crt: The server's certificate file is used for authentication.

  • key private/server.key: The server's private key file, which must be kept confidential.

  • dh dh.pem: The Diffie-Hellman parameters file used for key exchange.

  • topology subnet: Sets the topology to the subnet, allowing OpenVPN to route traffic between clients.

  • server 172.16.20.0 255.255.255.0: Defines the server's virtual IP address pool and subnet mask.

  • ifconfig-pool-persist /var/log/openvpn/ipp.txt: Stores persistent IP assignments in the specified file.

  • push "redirect-gateway def1 bypass-dhcp": Redirects the client's default gateway through the VPN tunnel.

  • push "dhcp-option DNS 208.67.222.222" and push "dhcp-option DNS 208.67.220.220": Configures DNS servers for clients.

  • client-to-client: Allows communication between clients connected to the same OpenVPN server.

  • keepalive 10 120: Sets a 10-second interval for ping/keepalive messages.

  • tls-auth ta.key 0: Utilizes a secret TLS authentication key for added security.

  • cipher AES-256-CBC: Specifies the encryption cipher for data transmission.

  • persist-key and persist-tun: Ensures that OpenVPN's encryption keys and tunnel network device settings persist across restarts.

  • status /var/log/openvpn/openvpn-status.log: Specifies the file to store runtime status information.

  • log-append /var/log/openvpn/openvpn.log: Appends log output to the specified log file.

  • verb 3: Sets the verbosity level of OpenVPN's logging.

  • explicit-exit-notify 1: Informs clients to explicitly send an exit notification when disconnecting.

  • auth SHA512: Specifies the message digest algorithm for data integrity.

The file looks like this:

updated server config file

This configuration sets up an OpenVPN server using UDP on port 1194 with various security measures, network settings, and logging options. It's configured to route all client traffic through the VPN and uses encryption for secure communication.

Step 14: Enable IP forwarding and configure the firewall

Enable IP forwarding in the sysctl configuration. This step allows the server to route traffic between its interfaces. It's an important step for proper VPN operation.

sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

enabling ip forwarding

Apply the changes without rebooting the server.

sudo sysctl --system

updating the changes

You should also configure the firewall to allow traffic on UDP port 1194, which is the default port used by OpenVPN.

sudo ufw allow 1194/udp

configuring firewall

If desired, you can restrict connections to specific sources.

Step 15: Configure IP masquerading

IP masquerading is a technique used to route traffic from one network to another. In this step, you're updating the Uncomplicated Firewall rules and policies to ensure that masquerading works properly.

First, you need to identify your default network interface. The below command is used to determine the default network interface. It helps identify the network interface through which traffic will be routed.

ip route get 8.8.8.8

Output:

finding network interface

Next, we need to update UFW rules. UFW is a user-friendly interface for managing iptables, Ubuntu's default firewall management tool. The command below opens the UFW configuration file for editing.

sudo nano /etc/ufw/before.rules

opening UFW config file

Afterward, we need to update the UFW default forwarding policy. This command uses the 'sed' utility to find and replace a line in the UFW configuration. It changes the default forwarding policy from drop to accept.

sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw

updating UFW config file

After making changes to the firewall rules, you need to reload UFW for the changes to take effect. This ensures that the updated rules are applied without requiring a server restart.

sudo ufw reload

reloading UFW

If you encounter any errors, try the command sudo sed -ie 's/ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf and then type the reload command.

Step 16: Start the OpenVPN server

Enable and start the OpenVPN server service.

sudo systemctl enable --now openvpn-server@server

start OpenVPN server

Next, check the service status. The command below will provide information on its current state and recent log messages.

sudo systemctl status openvpn-server@server

Output:

current state and recent logs

Congratulations! Your OpenVPN server is now set up on Ubuntu 22.04. Remember to configure your clients according to your setup.

Conclusion

You can now browse securely with OpenVPN. Although this guide has equipped you with the essential procedures for setting up an OpenVPN server, there are further precautions to guarantee the continuous security of your VPN. It is necessary to maintain certifications, monitor logs regularly, and consistently update your server to safeguard the security of your OpenVPN server.

Cloud VPS - Cheaper Each Month

Start with $9.99 and pay $0.5 less until your price reaches $6 / month.

Share this article

Related Articles

Published on Aug 21, 2019 Updated on Jun 15, 2023

Can DDoS attacks harm your server and how to prevent them?

DDoS attacks can cause real harm to your system. Learn some practical examples of how to lower the risk and how to prevent ddos attacks.

Read More
Published on Nov 28, 2019 Updated on Aug 8, 2023

Streaming Servers: Everything You Need To Know

What are Live Streaming servers. How do they work? Why do you need a stable and fast network? We will try to cover these topics on our article.

Read More
Published on Jul 8, 2022 Updated on Oct 4, 2023

How to Install and Configure Apache Reverse Proxy Server With SSL/TLS Encryption

This step-by-step guide will explain what a reverse proxy is and show you how to install Apache reverse proxy server with SSL/TLS encryption.

Read More
We use cookies to ensure seamless user experience for our website. Required cookies - technical, functional and analytical - are set automatically. Please accept the use of targeted cookies to ensure the best marketing experience for your user journey. You may revoke your consent at any time through our Cookie Policy.
build: 06ac5732e.831