Setting up a VPS (Virtual Private Server) as a VPN on Ubuntu 18.04 involves several steps, including installing the necessary software, configuring the VPN, and ensuring that it’s secure. One popular method is using OpenVPN, which is a secure and reliable open-source VPN solution.
Here’s a detailed guide to setting up a VPN on your VPS running Ubuntu 18.04 using OpenVPN:
Prerequisites
- A VPS with Ubuntu 18.04.
- Root or sudo access to the server.
- Basic understanding of command line operations.
- A domain or static IP address (optional but helpful).
Step 1: Update Your Server
Start by updating your VPS to ensure all packages are up to date.
sudo apt update && sudo apt upgrade -y
Step 2: Install OpenVPN and Easy-RSA
Install OpenVPN and Easy-RSA, the tool used to create the CA, certificates and keys the VPN needs.
sudo apt install openvpn easy-rsa -y
Step 3: Configure Easy-RSA for Certificate Generation
- Create a directory for Easy-RSA and navigate to it:
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
- Edit the vars file to configure your Certificate Authority (CA) variables:
nano vars
At the end of the file, customize the following lines to match your information (adjust these variables as needed):
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="YourOrganization"
export KEY_EMAIL="[email protected]"
export KEY_OU="YourOrganizationalUnit"
export KEY_NAME="server"
- Source the vars file:
source ./vars
- Clean any previous configurations:
./clean-all
Step 4: Build the CA and Server Certificate
- Build the Certificate Authority (CA):
./build-ca
You will be prompted to confirm the values from the vars file.
- Generate the server certificate and key:
./build-key-server server
During the process, press “Enter” to confirm defaults, and when asked to sign the certificate, type “yes” to confirm.
- Generate Diffie-Hellman parameters, which are required for perfect forward secrecy:
./build-dh
- Generate a TLS authentication (tls-auth) key, used to HMAC-sign every control-channel packet so the server ignores handshakes that do not carry a valid signature:
openvpn --genkey --secret keys/ta.key
Step 5: Configure OpenVPN
- Copy the generated files to the OpenVPN directory:
sudo cp ~/openvpn-ca/keys/{server.crt,server.key,ca.crt,dh2048.pem,ta.key} /etc/openvpn/
- Copy the OpenVPN sample configuration file to use as a base:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
- Open the configuration file and edit it:
sudo nano /etc/openvpn/server.conf
- Uncomment the following lines to use the necessary certificates:
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
- Uncomment this line to enable the HMAC key:
tls-auth ta.key 0 # This key is used to secure connections.
- Uncomment or modify the following lines to push DNS to clients and route all traffic through the VPN:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
- Enable IP forwarding by editing the sysctl configuration file:
sudo nano /etc/sysctl.conf
Uncomment the following line:
net.ipv4.ip_forward=1
Apply the changes:
sudo sysctl -p
Step 6: Configure UFW (Firewall)
- Allow traffic on the OpenVPN port (default is 1194):
sudo ufw allow 1194/udp
- Edit the UFW configuration to allow packet forwarding:
sudo nano /etc/ufw/before.rules
Add the following block near the top of the file, before the existing *filter rules (the two comment lines mark the block so it is easy to find later):
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
# 10.8.0.0/24 is the subnet the sample server.conf hands out ("server 10.8.0.0 255.255.255.0");
# eth0 is the server's public interface, check its name with "ip route show default"
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
- Modify the UFW default policy for forwarding:
sudo nano /etc/default/ufw
Change the value of DEFAULT_FORWARD_POLICY from DROP to ACCEPT:
DEFAULT_FORWARD_POLICY="ACCEPT"
- Reload UFW:
sudo ufw reload
Step 7: Start and Enable OpenVPN
Start the OpenVPN service and ensure it starts on boot:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Step 8: Create Client Configurations
- Build client certificates:
cd ~/openvpn-ca
source ./vars
./build-key client1
- Copy the client configuration template to use as a base:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client1.ovpn
- Modify the client configuration file (adjust IP and protocol as necessary):
nano ~/client1.ovpn
- Replace remote my-server-1 1194 with your server's IP or domain name, like so:
remote your.server.ip 1194
- Ensure it uses the correct protocol (proto udp).
- Embed the client certificates by adding them directly into the .ovpn file, for easier distribution.
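The last item above leaves the embedding itself to the reader. The POSIX shell function below is an added example, not part of the original guide: it turns the client.conf template plus the files written by ./build-key client1 into one self-contained client1.ovpn. Paths follow the guide; the function name and its four arguments are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: assemble a single-file .ovpn
# with the CA, client certificate, client key and ta.key embedded inline.
# Paths follow the guide; the function and its arguments are this example's own.
set -eu

# build_inline_ovpn TEMPLATE KEYS_DIR CLIENT OUTPUT
#   TEMPLATE  the client.conf copied from the OpenVPN sample files
#   KEYS_DIR  ~/openvpn-ca/keys, where ./build-key wrote the client files
#   CLIENT    the name passed to ./build-key (client1)
#   OUTPUT    the .ovpn file to create
build_inline_ovpn() {
    template=$1 keys=$2 client=$3 out=$4

    # Refuse to build a profile that is missing any of its parts.
    for f in "$template" "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key" "$keys/ta.key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    {
        # Keep the template but drop the directives that point at external
        # files; if left in, they would be used instead of the inline blocks.
        grep -Ev '^(ca|cert|key|tls-auth)[[:space:]]' "$template"
        # An inline tls-auth block has no direction argument, so it moves to
        # key-direction: the server uses 0 (tls-auth ta.key 0), clients use 1.
        echo 'key-direction 1'
        for tag in ca cert key tls-auth; do
            case $tag in
                ca)       src="$keys/ca.crt" ;;
                cert)     src="$keys/$client.crt" ;;
                key)      src="$keys/$client.key" ;;
                tls-auth) src="$keys/ta.key" ;;
            esac
            echo "<$tag>"
            # Easy-RSA writes a human-readable dump above the PEM block in
            # .crt files; keep only the -----BEGIN ... -----END section.
            sed -n '/^-----BEGIN/,/^-----END/p' "$src"
            echo "</$tag>"
        done
    } > "$out"
    # The file now carries a private key: owner-readable only.
    chmod 600 "$out"
}
```

Run it as build_inline_ovpn ~/client1.ovpn ~/openvpn-ca/keys client1 ~/client1-inline.ovpn after editing the remote line, then hand out only the inline file.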
Step 9: Test Your VPN
- Download the client1.ovpn configuration to your local machine.
- Install an OpenVPN client (such as OpenVPN GUI for Windows, Tunnelblick for macOS, or OpenVPN for Linux).
- Import the configuration and connect to your VPN.
Conclusion
You now have a fully functional VPN set up on your VPS using OpenVPN and Ubuntu 18.04! You can create additional client configurations for more devices as needed. Make sure to secure your VPS and VPN further by keeping software up to date and considering additional security measures like fail2ban or strong firewall rules.