Setting up OpenVPN on Ubuntu 22.04


We recently set up OpenVPN for one of our clients and thought we would document the procedure for DIY enthusiasts. Follow these step-by-step instructions to set up a secure VPN server with OpenVPN on Ubuntu 22.04.


1. Install OpenVPN and Easy-RSA

sudo apt update
sudo apt install openvpn easy-rsa -y


2. Set Up Easy-RSA


2.1 Create an Easy-RSA directory:

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

2.2 Initialize the PKI (Public Key Infrastructure):

./easyrsa init-pki

2.3 Build the CA:

./easyrsa build-ca

Enter a passphrase for the CA key (you will need it every time you sign a server or client certificate) and provide a common name (e.g., "OpenVPN-CA").



3. Generate Server Certificates and Keys


3.1 Generate the server certificate and key:

./easyrsa build-server-full server nopass

3.2 Generate the Diffie-Hellman key exchange file:

./easyrsa gen-dh

3.3 Generate the tls-auth (HMAC) key, a pre-shared key that lets the server drop packets which do not carry a valid HMAC before any TLS processing happens:

openvpn --genkey secret ta.key

4. Configure the OpenVPN Server


4.1 Copy the necessary files to /etc/openvpn:

sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/
sudo cp ~/openvpn-ca/pki/issued/server.crt /etc/openvpn/
sudo cp ~/openvpn-ca/pki/private/server.key /etc/openvpn/
sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/
sudo cp ~/openvpn-ca/ta.key /etc/openvpn/

4.2 Edit the server configuration:

sudo nano /etc/openvpn/server.conf

Add or modify the following lines. The server line puts OpenVPN into multi-client server mode and defines the VPN subnet clients are addressed from; it is the subnet the NAT rule in step 6 refers to:

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

A few caveats. With this configuration only the 10.8.0.0/24 network is reachable through the tunnel; to send all client traffic through the server (which is what the NAT rule in step 6 is for) add push "redirect-gateway def1 bypass-dhcp" and a push "dhcp-option DNS <resolver>" line, otherwise clients keep using their local resolver and leak DNS queries. On OpenVPN 2.5, the version Ubuntu 22.04 ships, the cipher directive is deprecated: 2.5 peers negotiate AES-256-GCM through data-ciphers and only fall back to AES-256-CBC for old clients, so the line is harmless but is not what actually protects the tunnel. proto tcp gets through restrictive firewalls, but proto udp performs better; whichever you choose, use the same proto in the client profile and in the ufw rule.


5. Enable IP Forwarding


5.1 Edit the sysctl configuration:

sudo nano /etc/sysctl.conf

Uncomment or add:

net.ipv4.ip_forward=1

5.2 Apply changes:

sudo sysctl -p

6. Configure Firewall Rules


6.1 Allow traffic through the OpenVPN and SSH ports. The SSH rule must be in place before the firewall is enabled or you will lock yourself out of a remote server, and the OpenVPN rule must match the proto in server.conf:

sudo ufw allow 1194/tcp
sudo ufw allow 22/tcp

6.2 Add NAT rules:

ufw drops forwarded packets by default, so VPN clients will not reach anything beyond the server until its forward policy is changed: set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw. Then edit the rules file:

sudo nano /etc/ufw/before.rules

Add the following before the *filter line. The source network must be exactly the VPN subnet from the server line (10.8.0.0/24; a /8 here would masquerade all of 10.0.0.0/8, not just the VPN), and the interface must be the one your default route uses, which on Ubuntu 22.04 is usually a name like ens3 or enp0s3 rather than eth0 (check with ip route show default):

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

6.3 Enable the firewall (if ufw was already enabled, disable and re-enable it so that before.rules and the new forward policy are re-read):

sudo ufw enable
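The two values that are easy to get wrong in the NAT rule are the interface name and the subnet mask. The POSIX shell helpers below, added here as an example and not part of the original post, derive both: default_iface picks the interface off the output of ip -4 route show default (passed in as text so it can be exercised without root or a network), mask_to_prefix turns the netmask from the server line into a prefix length and rejects non-contiguous masks, and nat_block prints the fragment to paste into /etc/ufw/before.rules. The route line, the 10.8.0.0/255.255.255.0 subnet and the interface ens3 are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): derive the ufw NAT fragment
# from the "server" line in server.conf and the host's default route instead
# of hard-coding eth0 and a sloppy /8 mask.

# Convert a dotted-quad netmask to a prefix length; reject anything that is
# not four octets of contiguous ones followed by zeros.
mask_to_prefix() {
  local mask=$1 prefix=0 ended=0 octet
  set -- $(printf '%s\n' "$mask" | tr '.' ' ')
  [ $# -eq 4 ] || { echo "invalid netmask: $mask" >&2; return 1; }
  for octet in "$@"; do
    if [ "$ended" -eq 1 ] && [ "$octet" != 0 ]; then
      echo "non-contiguous netmask: $mask" >&2; return 1
    fi
    case $octet in
      255) prefix=$((prefix + 8)) ;;
      254) prefix=$((prefix + 7)); ended=1 ;;
      252) prefix=$((prefix + 6)); ended=1 ;;
      248) prefix=$((prefix + 5)); ended=1 ;;
      240) prefix=$((prefix + 4)); ended=1 ;;
      224) prefix=$((prefix + 3)); ended=1 ;;
      192) prefix=$((prefix + 2)); ended=1 ;;
      128) prefix=$((prefix + 1)); ended=1 ;;
      0)   ended=1 ;;
      *)   echo "invalid netmask octet: $octet" >&2; return 1 ;;
    esac
  done
  echo "$prefix"
}

# Print the interface named on the default route. Takes the output of
# "ip -4 route show default" as $1 so it can be tested without a network.
default_iface() {
  set -- $1
  while [ $# -ge 2 ]; do
    [ "$1" = dev ] && { echo "$2"; return 0; }
    shift
  done
  echo "no default route found (is the host connected?)" >&2
  return 1
}

# Emit the *nat table fragment for /etc/ufw/before.rules.
# $1 network and $2 netmask exactly as on the "server" line; $3 outbound interface.
nat_block() {
  local prefix
  prefix=$(mask_to_prefix "$2") || return 1
  printf '*nat\n:POSTROUTING ACCEPT [0:0]\n'
  printf '%s\n' "-A POSTROUTING -s $1/$prefix -o $3 -j MASQUERADE"
  printf 'COMMIT\n'
}

# Constructed sample: a typical Ubuntu 22.04 default route and the subnet from step 4.
# On the real server use: iface=$(default_iface "$(ip -4 route show default)")
iface=$(default_iface "default via 203.0.113.1 dev ens3 proto dhcp src 203.0.113.10 metric 100")
nat_block 10.8.0.0 255.255.255.0 "$iface"
```

Paste the printed block before the *filter line of before.rules; if the host has no default route the helper fails loudly instead of emitting a rule for an interface that does not exist.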

7. Start the OpenVPN Service


sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Check the status:

sudo systemctl status openvpn@server

8. Generate Client Configurations


8.1 Create a new client

Each client gets its own certificate signed by the CA from step 2, so that a lost laptop can be revoked on its own later. From the Easy-RSA directory:

cd ~/openvpn-ca
./easyrsa build-client-full client1 nopass

The certificate is written to pki/issued/client1.crt and the private key to pki/private/client1.key. They are only needed to build the client profile below; do not copy the client key into /etc/openvpn, it belongs on the client machine, not on the server.

8.2 Create a Client Configuration File

nano client1.ovpn

Add the following to the file. The tls-auth key is embedded inline, so its direction is given with key-direction 1 rather than with a tls-auth line pointing at a separate file:

client
dev tun
proto tcp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
<ca>
(Paste contents of ca.crt here)
</ca>
<cert>
(Paste contents of client1.crt here)
</cert>
<key>
(Paste contents of client1.key here)
</key>
<tls-auth>
(Paste contents of ta.key here)
</tls-auth>
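Pasting four PEM blocks by hand is error-prone, and Easy-RSA prefixes issued certificates with a text dump that is better left out of the profile. The script below, added here as an example and not part of the original post, assembles the profile from steps 8.1 and 8.2 automatically: it refuses to run if any input is missing or is not the PEM type expected in that slot (so a certificate in the key slot is caught), trims the certificates to their PEM block, and creates the output file with mode 0600 because it contains a private key. It assumes the Easy-RSA 3 layout (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key), a ta.key produced by openvpn --genkey secret, and the client options from step 8.2.

```shell
#!/bin/sh
# Added example (not from the original post): build an inline client profile
# from the Easy-RSA output instead of pasting the PEM blocks by hand.

build_ovpn() {
  # $1 client name, $2 server IP or hostname, $3 Easy-RSA pki directory,
  # $4 path to ta.key, $5 output .ovpn file
  local name=$1 server=$2 pki=$3 takey=$4 out=$5 f
  local ca="$pki/ca.crt" cert="$pki/issued/$name.crt" key="$pki/private/$name.key"

  # Every input must exist and be non-empty; never emit a profile with a hole in it.
  for f in "$ca" "$cert" "$key" "$takey"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  done
  # Check the PEM type of each file so a wrong path is caught before anything is written.
  grep -q 'BEGIN CERTIFICATE' "$ca"           || { echo "$ca: not a certificate" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$cert"         || { echo "$cert: not a certificate" >&2; return 1; }
  grep -q 'BEGIN .*PRIVATE KEY' "$key"        || { echo "$key: not a PEM private key" >&2; return 1; }
  grep -q 'BEGIN OpenVPN Static key' "$takey" || { echo "$takey: not an OpenVPN static key" >&2; return 1; }

  # The profile embeds a private key: create it with mode 0600 before writing to it.
  ( umask 077 && : > "$out" ) || return 1
  chmod 600 "$out"
  {
    # Client options as in step 8.2; the tls-auth key is inline, hence key-direction.
    cat <<EOF
client
dev tun
proto tcp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
EOF
    # Easy-RSA prefixes issued certs with a text dump; keep only the PEM block.
    echo '<ca>';       sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$ca";   echo '</ca>'
    echo '<cert>';     sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$cert"; echo '</cert>'
    echo '<key>';      cat "$key";   echo '</key>'
    echo '<tls-auth>'; cat "$takey"; echo '</tls-auth>'
  } >> "$out"
  echo "wrote $out"
}

# Usage on the server, after "./easyrsa build-client-full client1 nopass":
#   build_ovpn client1 YOUR_SERVER_IP ~/openvpn-ca/pki ~/openvpn-ca/ta.key client1.ovpn
```

Run it once per client; because the output is keyed on the client name, generating client2 does not touch client1's profile.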

8.3 Setting up client

Copy client1.ovpn to the client machine over a secure channel (scp, not e-mail: the file contains the client's private key) and delete the server-side copy once it has been transferred. Connect with sudo openvpn --config client1.ovpn, or import the profile into the OpenVPN GUI. A working tunnel shows a tun0 interface with a 10.8.0.x address and "Initialization Sequence Completed" in the client log; if the client connects but cannot reach the Internet, revisit the forward policy and NAT rule from step 6.