OpenVPN is a widely used open-source virtual private network (VPN) solution that provides secure connections for remote access and data privacy. This step-by-step guide will walk you through the process of installing and configuring OpenVPN on an Ubuntu 22.04 server.
Step 1: Update the System
Before you begin, ensure your Ubuntu system is up to date by running the following commands:
sudo apt update
sudo apt upgrade
Step 2: Install OpenVPN
Install the OpenVPN package from the Ubuntu repository:
sudo apt install openvpn
Step 3: Configure OpenVPN
- Copy the EasyRSA example files to the /etc/openvpn directory (the easy-rsa scripts come from the easy-rsa package; if the path below is missing, install that package first):
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
- Navigate to the EasyRSA directory:
cd /etc/openvpn/easy-rsa
- Initialize the PKI (Public Key Infrastructure) directory:
sudo ./easyrsa init-pki
- Build the Certificate Authority (CA), then generate and sign the server certificate request (nopass creates the server key without a passphrase so the service can start unattended):
sudo ./easyrsa build-ca
sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server
- Generate Diffie-Hellman parameters for key exchange:
sudo ./easyrsa gen-dh
- Create the OpenVPN server configuration file:
sudo nano /etc/openvpn/server.conf
Add the following content. Note that cipher AES-256-CBC and comp-lzo are kept here for compatibility with the sample files; OpenVPN 2.5 and later deprecate both (data-ciphers negotiates AEAD ciphers such as AES-256-GCM, and compression is discouraged because of compression-oracle attacks on encrypted traffic), so drop comp-lzo if your clients do not require it:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
- Create the TLS authentication key referenced by the tls-auth line (the server uses key direction 0, clients use direction 1):
sudo openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key
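As an added example (not part of this guide or of OpenVPN), the following shell lint reads a server.conf like the one above and flags the directives that OpenVPN 2.5 and later deprecate, plus missing hardening; both sample configs are constructed inline, and the tls-crypt and data-ciphers lines in the hardened variant are my substitutions, not the guide's.

```shell
#!/bin/sh
# Added example, not part of the guide or of OpenVPN: lint an OpenVPN server.conf for
# directives that OpenVPN 2.5+ deprecates or hardening it lacks. Returns the finding count.

audit_openvpn_conf() {
    # Drop '#' and ';' comments and blank lines so commented-out directives do not count.
    _dirs=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1")
    _n=0
    has() { printf '%s\n' "$_dirs" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"; }
    if has comp-lzo || has compress; then
        echo "WARN: compression enabled (comp-lzo/compress): deprecated in 2.5, compression-oracle risk"
        _n=$((_n + 1))
    fi
    if has cipher && ! has data-ciphers; then
        echo "WARN: fixed 'cipher' without 'data-ciphers': 2.5+ negotiates AEAD ciphers via data-ciphers"
        _n=$((_n + 1))
    fi
    if ! has tls-auth && ! has tls-crypt; then
        echo "WARN: neither tls-auth nor tls-crypt: control-channel packets are not HMAC-authenticated"
        _n=$((_n + 1))
    fi
    if ! has user || ! has group; then
        echo "WARN: no user/group directives: the daemon keeps root privileges after start-up"
        _n=$((_n + 1))
    fi
    return "$_n"
}

# Constructed sample 1: the security-relevant lines of this guide's server.conf.
GUIDE_CONF=$(mktemp)
cat > "$GUIDE_CONF" <<'EOF'
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
EOF
# Constructed sample 2: the same lines with compression removed and the deprecated
# directives replaced by their 2.5+ equivalents (my substitutions, not the guide's).
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
data-ciphers AES-256-GCM:CHACHA20-POLY1305
user nobody
group nogroup
EOF
trap 'rm -f "$GUIDE_CONF" "$HARDENED_CONF"' EXIT

audit_openvpn_conf "$GUIDE_CONF"; echo "guide config: $? finding(s)"
audit_openvpn_conf "$HARDENED_CONF"; echo "hardened config: $? finding(s)"
```

Run it against your real /etc/openvpn/server.conf by calling audit_openvpn_conf with that path; the exit status is the number of findings, so 0 means nothing was flagged.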
Step 4: Enable IP Forwarding
Edit the sysctl.conf file to enable IP forwarding:
sudo nano /etc/sysctl.conf
Uncomment or add the following line:
net.ipv4.ip_forward=1
Apply the changes:
sudo sysctl -p
Step 5: Configure Firewall Rules
Enable NAT (Network Address Translation) so that VPN clients can reach the internet through the server (replace eth0 with the name of your server's public network interface):
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Save the rules so they survive a reboot (the /etc/iptables directory is created by the iptables-persistent package):
sudo sh -c "iptables-save > /etc/iptables/rules.v4"
Step 6: Start and Enable OpenVPN
Start the OpenVPN service:
sudo systemctl start openvpn@server
Enable OpenVPN to start on boot:
sudo systemctl enable openvpn@server
Step 7: Generate Client Configurations
- Copy the example client configuration file to the easy-rsa directory:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/
- Edit the client configuration:
sudo nano /etc/openvpn/easy-rsa/client.conf
Modify the following lines, replacing your_server_ip with the server's public IP address or hostname:
remote your_server_ip 1194
; user nobody
; group nogroup
- Generate and sign the client certificate request (run these from /etc/openvpn/easy-rsa):
sudo ./easyrsa gen-req client nopass
sudo ./easyrsa sign-req client client
Copy the necessary client files to the /etc/openvpn directory:
sudo cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/pki/private/client.key /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/pki/ta.key /etc/openvpn
Step 8: Connect to the VPN Server
Install the OpenVPN client on your local machine. Copy the client files (ca.crt, client.crt, client.key, ta.key) to the client machine and use the client.conf file you modified in Step 7 to connect.
By following these steps, you’ve successfully installed and configured OpenVPN on your Ubuntu 22.04 server. Your server is now ready to provide secure and encrypted VPN connections for remote access and data privacy.