… [Trackback]
[…] Information to that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]
OpenVPN is an open-source software responsible for handling client-server communications that implement Virtual Private Network techniques to create secure point-to-point or site-to-site connections. It handles encryption and authentication, implementing layer 2 or layer 3 connections and uses the industry-standard SSL/TLS for encryption. The packaging is done with standardized UDP or optional TCP packets.
The three main purposes of VPN security:
OpenVPN handles encryption and authentication using the TLS (Transport Layer Security)/SSL (Secure Sockets Layer) cartographic protocol. TLS is built on the earlier SSL specifications developed by Netscape. The TLS protocol aims primarily to provide privacy and data integrity. SSL/TLS uses one of the best encryption technologies, called asymmetric encryption, to ensure the identity of the VPN partner. Both encryption partners own two keys each – one public and one private.
OpenVPN uses the TUN/TAP driver which is an open-source project that is included in all modern Linux/Unix distributions, as well as Windows, Solaris, and Mac OS X. The TUN device can be used as a virtual point-to-point interface and the TAP device can be used as a virtual Ethernet adapter.
Some of the advantages of using OpenVPN are the following:
You will need a VPS or a virtual machine with Ubuntu 18.04/20.04 for the VPN server and one PC for the client.
Before you start installing any package on your Ubuntu server, we always recommend that you check whether all system packages are updated:
root@test:~# apt update root@test:~# apt upgrade
Switch the directory (if you are not there):
root@test:~# cd ~
The next step is to install EasyRSA
root@test:/etc/openvpn/server# cd && wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz
When the download is complete, extract the archive.
root@test:~# tar xzf EasyRSA-nix-3.0.5.tgz
Switch the directory and copy the file.
root@test:~# cd ~/EasyRSA-3.0.5/ root@test:~/EasyRSA-3.0.5# cp vars.example vars
Uncomment and update the following entries to match your information:
root@test:~/EasyRSA-3.0.5# nano ~/EasyRSA-3.0.5/vars
set_var EASYRSA_REQ_COUNTRY "US" set_var EASYRSA_REQ_PROVINCE "California" set_var EASYRSA_REQ_CITY "San Francisco" set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" set_var EASYRSA_REQ_EMAIL "me@example.net" set_var EASYRSA_REQ_OU "My Organizational Unit"
Ctrl+o ; Ctrl + x # In order to save and exit from the editor
First, we need to initialize a new PKI:
root@test:~/EasyRSA-3.0.5# ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020 init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /root/EasyRSA-3.0.5/pki
Now we can create the CA certificate, it will ask you for a key phrase and a host name:
root@test:~/EasyRSA-3.0.5# ./easyrsa build-ca You will be requested to enter a Passphrase and a common name (etc user, client, server): Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020 Enter New CA Key Passphrase: Re-Enter New CA Key Passphrase: Generating RSA private key, 2048 bit long modulus (2 primes) ...............+++++ Common Name (eg: your user, host, or server name) [Easy-RSA CA]:test Your new CA certificate file for publishing is at: /root/EasyRSA-3.0.5/pki/ca.crt
root@test:~/EasyRSA-3.0.5# apt update root@test:~/EasyRSA-3.0.5# apt install openvpn
Generate a Diffie-Hellman key (The Diffie-Hellman key exchange was one of the most important developments in public-key cryptography) It will take some time to be installed and copy it in the openvpn directory:
root@test:~/EasyRSA-3.0.5# ./easyrsa gen-dh root@test:~/EasyRSA-3.0.5# cp ~/EasyRSA-3.0.5/pki/dh.pem /etc/openvpn/
Generate an HMAC (Hash-based message authentication code (HMAC) is a mechanism for calculating a message authentication code involving a hash function in combination with a secret key.) signature:
root@test:~/EasyRSA-3.0.5# openvpn --genkey --secret ta.key root@test:~/EasyRSA-3.0.5# cp ~/EasyRSA-3.0.5/ta.key /etc/openvpn/
Now we should create a Server Certificate and a Private Key (you will be asked for the passphrase)
root@test:~/EasyRSA-3.0.5# ./easyrsa gen-req test-server nopass root@test:~/EasyRSA-3.0.5# cp ~/EasyRSA-3.0.5/pki/private/test-server.key /etc/openvpn/ root@test:~/EasyRSA-3.0.5# ./easyrsa sign-req server test-server root@test:~/EasyRSA-3.0.5# cp ~/EasyRSA-3.0.5/pki/private/test-server.crt /etc/openvpn/
It will display the output below:
Certificate is to be certified until Jul 26 08:32:13 2023 GMT (1080 days) Write out database with 1 new entries Data Base Updated Certificate created at: /root/EasyRSA-3.0.5/pki/issued/test-server.crt
Move to the directory issued and copy the crt and ca file:
root@test:~/EasyRSA-3.0.5# cd pki/issued/ root@test:~/EasyRSA-3.0.5/pki/issued# cp test-server.crt /etc/openvpn/ root@test:~/EasyRSA-3.0.5/pki/issued# cd .. root@test:~/EasyRSA-3.0.5/pki# cp ca.crt /etc/openvpn/
Copy the example configuration file:
# sh -c "gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server1.conf"
Open the file with the nano editor:
# nano /etc/openvpn/server1.conf
Uncomment and replace with the correct data for your server the below:
cert test-server.crt #correct the crt file name key test-server.key #correct the key file name dh dh.pem push "redirect-gateway def1 bypass-dhcp" (remove the ;) push "dhcp-option DNS 208.67.222.222" (remove the ;) push "dhcp-option DNS 208.67.220.220" (remove the ;) user nobody (remove the ;) group nogroup (remove the ;)
Add at the bottom of the file (this will change authentication algorithm (HMAC) from SHA1 to SHA256)
auth SHA256
Now you need to enable the OpenVPN server, start it, and make sure it is running to check the status.
root@test:~/EasyRSA-3.0.5# systemctl enable openvpn root@test:~/EasyRSA-3.0.5# systemctl start openvpn root@test:~/EasyRSA-3.0.5# systemctl status openvpn â— openvpn.service - OpenVPN service Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled) Active: active (exited) since Thu 2020-08-06 17:15:34 EEST; 7s ago Process: 48692 ExecStart=/bin/true (code=exited, status=0/SUCCESS) Main PID: 48692 (code=exited, status=0/SUCCESS) Aug 06 17:15:34 test systemd[1]: Starting OpenVPN service... Aug 06 17:15:34 test systemd[1]: Finished OpenVPN service.
Now we need to change the route and to open the firewall ports:
You can see the current configuration with:
# ip a show tun0
We need to edit the file sysctl.conf
root@test:~# nano /etc/sysctl.conf
Uncomment this line to save the file and exit. After this, apply the changes.
net.ipv4.ip_forward=1
root@test:~# sysctl -p
Check the interface:
root@test:~# ip -o -4 route show to default | awk '{print $5}' eth0
Edit this file by changing the default policy to “ACCEPT” – save the file and exit
root@test:~# nano /etc/default/ufw DEFAULT_FORWARD_POLICY="ACCEPT"
Edit the file before rules:
root@test:~# nano /etc/ufw/before.rules
Add at the bottom of the file:
# NAT table rules *nat :POSTROUTING ACCEPT [0:0] # Forward traffic through eth0 (in my case the interface adapter is eth0 you should replace it with yours) -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE # don't delete the 'COMMIT' line or these rules won't be processed COMMIT
Now we need to open the port for the VPN and allow OpenSSH:
root@test:~# ufw allow 1194/udp root@test:~# ufw allow OpenSSH root@test:~# ufw disable root@test:~# ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? yes Firewall is active and enabled on system startup root@test:~# iptables -nvL POSTROUTING -t nat Chain POSTROUTING (policy ACCEPT 9 packets, 670 bytes) pkts bytes target prot opt in out source destination 1190 135K MASQUERADE all -- * eth0 10.8.0.0/16 0.0.0.0/0
Create OpenVPN directory for the clients files
Create the directories:
root@test:~# mkdir -p ~/openvpn-clients/{configs,base,files}
Copy the ta.key and ca.crt files:
root@test:~# cp ~/EasyRSA-3.0.5/ta.key ~/openvpn-clients/base/ root@test:~# cp /etc/openvpn/ca.crt ~/openvpn-clients/base/
Copy the client example configuration on the base directory and edit it:
root@test:~# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/openvpn-clients/base/ root@test:~# nano ~/openvpn-clients/base/client.conf
Replace YOUR_SERVER_IP with your server IP
remote YOUR_SERVER_IP 1194
Comment the below lines:
ca ca.crt cert client.crt key client.key
Add at the end of the file:
auth SHA256
Save the file and exit.
Switch to EasyRSA directory and generate the client/user key file and copy it to the openvpn-clinets/files
root@test:~# cd ~/EasyRSA-3.0.5/ root@test:~/EasyRSA-3.0.5# ./easyrsa gen-req client1 nopass root@test:~/EasyRSA-3.0.5# cp ~/EasyRSA-3.0.5/pki/private/client1.key ~/openvpn-clients/files/
Generate the crt file and copy it to the openvpn-clinets/files
root@test:~/EasyRSA-3.0.5# ./easyrsa sign-req client client1 root@test:~/EasyRSA-3.0.5# cp ~/EasyRSA-3.0.5/pki/issued/client1.crt ~/openvpn-clients/files/
Switch the directory to /root/openvpn-clients/ and create a file therewith nano editor
cd /root/openvpn-clients/ nano ~/openvpn-clients/gen_config.sh
Insert the following lines:
#!/bin/bash FILES_DIR=$HOME/openvpn-clients/files BASE_DIR=$HOME/openvpn-clients/base CONFIGS_DIR=$HOME/openvpn-clients/configs BASE_CONF=${BASE_DIR}/client.conf CA_FILE=${BASE_DIR}/ca.crt TA_FILE=${BASE_DIR}/ta.key CLIENT_CERT=${FILES_DIR}/${1}.crt CLIENT_KEY=${FILES_DIR}/${1}.key # Test for files for i in "$BASE_CONF" "$CA_FILE" "$TA_FILE" "$CLIENT_CERT" "$CLIENT_KEY"; do if [[ ! -f $i ]]; then echo " The file $i does not exist" exit 1 fi if [[ ! -r $i ]]; then echo " The file $i is not readable." exit 1 fi done # Generate client config cat > ${CONFIGS_DIR}/${1}.ovpn <<EOF $(cat ${BASE_CONF}) <key> $(cat ${CLIENT_KEY}) </key> <cert> $(cat ${CLIENT_CERT}) </cert> <ca> $(cat ${CA_FILE}) </ca> <tls-auth> $(cat ${TA_FILE}) </tls-auth> EOF
* the script is taken from here!
make the file executable:
root@test:~/openvpn-clients# chmod u+x ~/openvpn-clients/gen_config.sh
Generate the ovpn file:
root@test:~/openvpn-clients/configs# ./gen_config.sh client1
The file is located in ~/openvpn-clients/configs and you can list the directory:
root@test:~/openvpn-clients/configs# ll ~/openvpn-clients/configs
Copy the text to the client/ user machine, save it with extension ovpn:
root@test:~/openvpn-clients/configs# cat client1.ovpn
You can find useful commands and more information for the certificates at the link here!
… [Trackback]
[…] Information to that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]
… [Trackback]
[…] Find More to that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]
… [Trackback]
[…] Find More Information here on that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]
… [Trackback]
[…] Read More on that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]
… [Trackback]
[…] Find More on that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]
… [Trackback]
[…] Read More to that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]
… [Trackback]
[…] Find More Information here on that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]
… [Trackback]
[…] Information to that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]
… [Trackback]
[…] Find More Info here on that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]
… [Trackback]
[…] There you will find 62346 more Information to that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]
… [Trackback]
[…] Find More here to that Topic: blog.neterra.cloud/en/what-is-openvpn-and-how-to-install-it-on-ubuntu-18-04-20-04/ […]