OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is an open source software and distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as wifi network at the airport or hotel. VPN is also required to access your corporate or enterprise or home server resources. You can bypass geo-blocked site and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Ubuntu Linux v14.04/16.04/18.04 LTS (19.10) version including ufw/iptables firewall configuration. The steps are as follows:
- Find and note down your public IP address
- Download openvpn-install.sh script
- Run openvpn-install.sh to install OpenVPN server
- Connect an OpenVPN server using IOS/Android/Linux/Windows client
- Verify your connectivity
Find your public IP address
Use any one of the following command to find out your IPv4 public address. If your internface name is eth0 or eth1, enter:
OR
Or use the host command or dig command as follows:
OR
Sample outputs:
$ ip addr show eth0OR
$ ip addr show eth1Or use the host command or dig command as follows:
$ host myip.opendns.com resolver1.opendns.comOR
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.comSample outputs:
Note down the public IP address 139.59.1.155 i.e. public ip address of your OpenVPN server.
Download openvpn-install.sh script to set up OpenVPN server in 5 minutes on Ubuntu
Type the following wget command or curl command:
Sample outputs:
$ wget https://git.io/vpn -O openvpn-install.shSample outputs:
Run openvpn-install.sh to install OpenVPN server
Type the following command:
When prompted set IP address to 139.59.1.155 and Port to 1194. Use Google or OpenDNS DNS servers with the vpn. Next, type client name (such as iPhone, Nexus6, LinuxRouter etc). Finally, press [Enter] key to install and set up OpenVPN on your system:
$ sudo bash openvpn-install.shWhen prompted set IP address to 139.59.1.155 and Port to 1194. Use Google or OpenDNS DNS servers with the vpn. Next, type client name (such as iPhone, Nexus6, LinuxRouter etc). Finally, press [Enter] key to install and set up OpenVPN on your system:
The script will now generate keys, DH parameters and more as follows:
That is all. Your OpenVPN server has been configured and ready to use. You can see added firewall rules /etc/rc.local file:
Sample outputs:
$ cat /etc/rc.localSample outputs:
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I INPUT -p udp --dport 1194 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 139.59.1.155
You can view your openvpn server config file generated by the script as follows (do not edit this file by hand):
Sample outputs:
$ sudo more /etc/openvpn/server.conf
$ sudo vi /etc/openvpn/server.confSample outputs:
port 1194 proto udp dev tun sndbuf 0 rcvbuf 0 ca ca.crt cert server.crt key server.key dh dh.pem tls-auth ta.key 0 topology subnet server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 10 120 cipher AES-128-CBC comp-lzo user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3 crl-verify crl.pem
How do I start/stop/restart OpenVPN server on Ubuntu Linux 16.04/18.04 LTS?
Type the following command stop the OpenVPN service:
Type the following command start the OpenVPN service:
Type the following command restart the OpenVPN service:
$ sudo systemctl stop openvpn@serverType the following command start the OpenVPN service:
$ sudo systemctl start openvpn@serverType the following command restart the OpenVPN service:
$ sudo systemctl restart openvpn@serverHow do I start/stop/restart OpenVPN server on Ubuntu Linux 14.04 LTS?
Type the following command stop the OpenVPN service:
Type the following command start the OpenVPN service:
Type the following command restart the OpenVPN service:
$ sudo /etc/init.d/openvpn stopType the following command start the OpenVPN service:
$ sudo /etc/init.d/openvpn startType the following command restart the OpenVPN service:
$ sudo /etc/init.d/openvpn restart{Optional} How to configure and use the ufw firewall rules for the OpenVPN server
The default rules added to the /etc/rc.local file should work out of the box. However, if you have complicated firewall settings or prefer ufw to control all firewall settings on Ubuntu Linux server, try the following. First, edit the /etc/rc.local file using a text editor and comment out all firewall rules added by the script. Type the following ufw command to open port 1194 and 22 (ssh):
Edit the file /etc/ufw/before.rules, enter:
At top of the file add the following rules:
$ sudo ufw allow 1194/udp
$ sudo ufw allow 22/tcpEdit the file /etc/ufw/before.rules, enter:
$ sudo vi /etc/ufw/before.rulesAt top of the file add the following rules:
# START OPENVPN RULES by vg # NAT table rules *nat :POSTROUTING ACCEPT [0:0] #****************************************[README]*****************************************************# # Allow traffic from OpenVPN client to 139.59.1.155. Replace 139.59.1.155 with your actual IP address*# #****************************************[README]*****************************************************# -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 139.59.1.155 COMMIT # END OPENVPN RULES by vg
Next scroll down and find the comment that read s follows
# ok icmp code for FORWARD
Append the following rules:
#OpenVPN Forward by vg -A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT -A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT -A ufw-before-forward -i tun+ -j ACCEPT -A ufw-before-forward -i tap+ -j ACCEPT #OpenVPN END by vg
Save and close the file. Next edit the /etc/ufw/sysctl.conf file, enter:
Find and uncomment the following line to allow this host to route packets between interfaces
Save and close the file. Enable ufw or reload if already running:
OR
Verify new firewall rules:
$ sudo vi /etc/ufw/sysctl.confFind and uncomment the following line to allow this host to route packets between interfaces
net/ipv4/ip_forward=1Save and close the file. Enable ufw or reload if already running:
$ sudo ufw enableOR
$ sudo ufw reloadVerify new firewall rules:
$ sudo ufw status
$ sudo iptables -t nat -L -n -v
$ sudo iptables -L FORWARD -n -v
$ sudo iptables -L ufw-before-forward -n -vClient configuration
On server your will find a client configuration file called ~/iphone.ovpn. All you have to do is copy this file to your local desktop using the scp and provide this file to your OpenVPN client to connect:
Next, you need to download OpenVPN client as per your operating system:
$ scp vivek@139.59.1.155:~/iphone.ovpn .Next, you need to download OpenVPN client as per your operating system:
- Download OpenVPN client for Apple IOS version 6.x or above and install it.
- Download OpenVPN client for Android and install it.
- Download OpenVPN client for Apple MacOS (OS X) and install it.
- Download OpenVPN client for Windows 8/10 and install it.
MacOS/OS X OpenVPN client configuration
Just double click on iphone.ovpn file and it will open in your tunnelblick client > Click on the “Only me” to install it.
Once installed click on Connect button and you will be online. Use the following command on MacOS client to verify that your public IP changed to the VPN server IP:
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.comYou can ping to OpenVPN server private IP:
$ ping 10.8.0.1Linux OpenVPN client configuration
First, install the openvpn client, enter:
OR
Next, copy iphone.ovpn as follows:
Test connectivity from the CLI:
Your Linux system will automatically connect when computer restart using /etc/init.d/openvpn script:
For systemd based system, use the following command:
Test the connectivity:
$ sudo yum install openvpnOR
$ sudo apt install openvpnNext, copy iphone.ovpn as follows:
$ sudo cp iphone.ovpn /etc/openvpn/client.confTest connectivity from the CLI:
$ sudo openvpn --client --config /etc/openvpn/client.confYour Linux system will automatically connect when computer restart using /etc/init.d/openvpn script:
$ sudo /etc/init.d/openvpn startFor systemd based system, use the following command:
$ sudo systemctl start openvpn@clientTest the connectivity:
$ ping 10.8.0.1 #Ping to OpenVPN server gateway
$ ip route #Make sure routing setup
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Make sure your public IP set to OpenVPN serverFreeBSD OpenVPN client configuration
First, install the openvpn client, enter:
Next, copy iphone.ovpn as follows:
Edit /etc/rc.conf and add the following:
$ sudo pkg install openvpnNext, copy iphone.ovpn as follows:
$ mkdir -p /usr/local/etc/openvpn/
$ sudo cp iphone.ovpn /usr/local/etc/openvpn/client.confEdit /etc/rc.conf and add the following:
openvpn_enable="YES" openvpn_configfile="/usr/local/etc/openvpn/client.conf"
Start the OpenVPN service:
Verify it:
$ sudo /usr/local/etc/rc.d/openvpn startVerify it:
$ ping 10.8.0.1 #Ping to OpenVPN server gateway
$
$ netstat -nr #Make sure routing setup
$
$ drill myip.opendns.com @resolver1.opendns.com #Make sure your public IP set to OpenVPN serverHow do I add a new client?
For demo purpose I added a new device called iphone. Let us add one more device called googlephone by running the script again:
Sample outputs:
$ sudo bash openvpn-install.shSample outputs:
Looks like OpenVPN is already installed What do you want to do? 1) Add a cert for a new user 2) Revoke existing user cert 3) Remove OpenVPN 4) Exit Select an option [1-4]:
Select option 1 and type googlephone as a client name:
Now you can use googlephone.ovpn with Google Android phone. You can add as many users you want using this method.
How do I delete/revoke existing user certificate?
Run the script:
Sample outputs:
$ sudo bash openvpn-install.shSample outputs:
Looks like OpenVPN is already installed What do you want to do? 1) Add a cert for a new user 2) Revoke existing user cert 3) Remove OpenVPN 4) Exit Select an option [1-4]:
Type 2 option and you will see a list of all the existing client certificate you want to revoke:
Select the existing client certificate you want to revoke
1) iphone6
2) googlephone
3) delllaptop
4) macbook
Select one client [1-4]: 2
Sample outputs when I revoked googlephone certificate:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf Revoking Certificate 09. Data Base Updated Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf An updated CRL has been created. CRL file: /etc/openvpn/easy-rsa/pki/crl.pem Certificate for client googlephone revoked
Conclusion
And there you have it, OpenVPN server installed in five minutes to increase your privacy. Please see OpenVPN project here and road warrior installer Linux script github page here.
This entry is 1 of 9 in the OpenVPN Tutorial series. Keep reading the rest of the series:
- How To Setup OpenVPN Server In 5 Minutes on Ubuntu Server
- Install Pi-hole with an OpenVPN to block ads
- How to update/upgrade Pi-hole with an OpenVPN
- How to install an OpenVPN server on Debian 9/8
- How to import a OpenVPN .ovpn file with Network Manager
- Ubuntu 18.04 LTS Set Up OpenVPN Server In 5 Minutes
- CentOS 7.0 Set Up OpenVPN Server In 5 Minutes
- Pi-Hole and Cloudflare DoH config
- Debian 10 Set Up OpenVPN Server In 5 Minutes
stroebs commented Oct 28, 2017 •
edited