OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is an open source software and distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as wifi network at the airport or hotel. VPN is also required to access your corporate or enterprise or home server resources. You can bypass geo-blocked site and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Ubuntu Linux 18.04/20.04 LTS (20.10) version including ufw/iptables firewall configuration. The steps are as follows:
- Find and note down your public IP address
- Download openvpn-install.sh script
- Run openvpn-install.sh to install OpenVPN server
- Connect an OpenVPN server using iOS/Android/Linux/Windows client
- Verify your connectivity
NOTE: You need at least Ubuntu Linux 18.04 LTS or higher is needed to complete this tutorial. Older Ubuntu versions such as 14.04/16.04 LTS are no longer supported.
Find your public IP address
| Tutorial details | |
|---|---|
| Difficulty level | Easy |
| Root privileges | Yes |
| Requirements | Linux terminal |
| Category | OpenVPN |
| Prerequisites | Ubuntu Linux |
| OS compatibility | Debian • Linux • Ubuntu |
| Est. reading time | 10 minutes |
$ ip addr show eth0OR
$ ip addr show eth1Or use the host command or dig command as follows:
$ host myip.opendns.com resolver1.opendns.com
## get IPv4 ##
$ host -4 myip.opendns.com resolver1.opendns.comOR
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
## see IPv4 instead of default IPv6 ##
$ dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com
Fig.01: Find out your public IPv4 address using the CLI
Download openvpn-install.sh script to set up OpenVPN server in 5 minutes on Ubuntu
Type the following wget command or curl command:$ wget https://git.io/vpn -O openvpn-install.sh
wget grabbing the script:
--2020-12-09 09:15:57-- https://git.io/vpn Resolving git.io (git.io)... 34.195.187.253, 52.87.143.234, 34.205.238.171, ... Connecting to git.io (git.io)|34.195.187.253|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following] --2020-12-09 09:15:57-- https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh Resolving raw.github.com (raw.github.com)... 151.101.124.133 Connecting to raw.github.com (raw.github.com)|151.101.124.133|:443... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following] --2020-12-09 09:15:57-- https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.124.133 Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.124.133|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 23079 (23K) Saving to: 'openvpn-install.sh' openvpn-install.sh 100%[==================>] 22.54K --.-KB/s in 0.001s 2020-12-09 09:15:57 (36.9 MB/s) - 'openvpn-install.sh saved [23079/23079]
We can verify script using a text editor such as nano command or vim command:$ nano openvpn-install.sh
Running openvpn-install.sh to install OpenVPN server
Type the following command:$ sudo chmod +x openvpn-install.sh
$ sudo bash openvpn-install.sh
Make sure you provide needed information:
Welcome to this OpenVPN road warrior installer! Which protocol should OpenVPN use? 1) UDP (recommended) 2) TCP Protocol [1]: 1 What port should OpenVPN listen to? Port [1194]: Select a DNS server for the clients: 1) Current system resolvers 2) Google 3) 1.1.1.1 4) OpenDNS 5) Quad9 6) AdGuard DNS server [1]: 2 Enter a name for the first client: Name [client]: iphone OpenVPN installation is ready to begin. Press any key to continue...
Once you press any key such as [Enter] key, you will see:
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1768.FjG9Gr/tmp.vQL9q8' ----- Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1768.FjG9Gr/tmp.FiauWW Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'server' Certificate is to be certified until Dec 7 09:22:17 2030 GMT (3650 days) Write out database with 1 new entries Data Base Updated Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020 Generating a RSA private key ....................................+++++ ...................+++++ writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1843.4USwJm/tmp.lOecLW' ----- Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1843.4USwJm/tmp.5j0n6q Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'iphone' Certificate is to be certified until Dec 7 09:22:17 2030 GMT (3650 days) Write out database with 1 new entries Data Base Updated Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020 Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1899.k6zZtP/tmp.riZi2R An updated CRL has been created. CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service → /etc/systemd/system/openvpn-iptables.service. Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /lib/systemd/system/openvpn-server@.service. Finished! The client configuration is available in: /root/iphone.ovpn New clients can be added by running this script again.
Viewing and Seting up OpenVPN Server In 5 Minutes on Ubuntu Firewall Rules
That is all. Your OpenVPN server has been configured and ready to use. You can see added firewall rules /etc/systemd/system/openvpn-iptables.service file:$ sudo systemctl cat openvpn-iptables.service
Sample rules. Please do not edit them:
[Unit] Before=network.target [Service] Type=oneshot ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.105.102.90 ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT ExecStart=/usr/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.105.102.90 ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT ExecStop=/usr/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT ExecStart=/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:3c04::f03c:92ff:fe42:3d72 ExecStart=/usr/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT ExecStart=/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT ExecStop=/usr/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:3c04::f03c:92ff:fe42:3d72 ExecStop=/usr/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT ExecStop=/usr/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT RemainAfterExit=yes [Install] WantedBy=multi-user.target
You can view your openvpn server config file generated by the script as follows (agin do not edit this file by hand as it will break things for you):$ sudo more /etc/openvpn/server/server.conf
Sample openvpn config:
local 172.105.102.90 port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh.pem auth SHA512 tls-crypt tc.key topology subnet server 10.8.0.0 255.255.255.0 server-ipv6 fddd:1194:1194:1194::/64 push "redirect-gateway def1 ipv6 bypass-dhcp" ifconfig-pool-persist ipp.txt push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 10 120 cipher AES-256-CBC user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3 crl-verify crl.pem explicit-exit-notify
How do I start/stop/restart OpenVPN server on Ubuntu Linux 18.04/20.04 LTS and 20.10?
Run the following systemctl command to stop the OpenVPN service:$ sudo systemctl stop openvpn-server@server.service
Want to start it again? Try:$ sudo systemctl start openvpn-server@server.service
The command to restart the OpenVPN service:$ sudo systemctl restart openvpn-server@server.service
View status of your OpenVPN systemd based service:$ sudo systemctl status openvpn-server@server.service
● openvpn-server@server.service - OpenVPN service for server Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2020-12-09 09:22:18 UTC; 7min ago Docs: man:openvpn(8) https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage https://community.openvpn.net/openvpn/wiki/HOWTO Main PID: 2017 (openvpn) Status: "Initialization Sequence Completed" Tasks: 1 (limit: 4610) Memory: 1.2M CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service └─2017 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: Socket Buffers: R=[212992->212992] S=[212992->212992] Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UDPv4 link local (bound): [AF_INET]172.105.102.90:1194 Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UDPv4 link remote: [AF_UNSPEC] Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: GID set to nogroup Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UID set to nobody Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: MULTI: multi_init called, r=256 v=256 Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=fddd:1194:1194:1194::1000 Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1 Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL LIST Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: Initialization Sequence Completed
OpenVPN client configuration
On server your will find a client configuration file called ~/iphone.ovpn (or whatever name given during installation). Use the find command to locate OpenVPN config file:$ sudo find / -type f -name "iphone.ovpn"
$ sudo find / -type f -name "*.ovpn" -ls
Now, all you have to do is copy this file to your local desktop using the scp and provide this file to your OpenVPN client to connect (replace iphone.ovpn and root username as per your set up):{client-desktop:~}$ scp root@172.105.102.90:~/iphone.ovpn .
If you cannnot run the scp command as root then log in as a normal user on your server. For example:{client-desktop:~}$ ssh {user}@172.105.102.90
{client-desktop:~}$ ssh vivek@172.105.102.90
Find the location of opvn file on the server:$ sudo find / -type f -name "*.ovpn" -ls
34605854 4 -rw-r--r-- 1 root root 2774 May 6 01:04 /root/desktopclient.ovpn
Then copy that file using the cp command in your home directory (say /home/vivek/ on the server itself):$ sudo cp /root/desktopclient.ovpn /home/vivek/
Now type the scp from your desktop:{client-desktop:~}$ scp vivek@172.105.102.90:/home/vivek/desktopclient.ovpn .
Next, you need to download OpenVPN client as per your operating system or mobile device:
- Client for Apple iOS version 6.x or above
- Android client
- Apple MacOS (OS X)
- Windows 8/10 OpenVPN client
macOS/OS X OpenVPN client configuration
Just double click on iphone.ovpn file and it will open in your tunnelblick client > Click on the “Only me” to install it:
Fig.03: MacOS / OS X openvpn client configuration
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.comYou can ping to OpenVPN server private IP using the ping command:
$ ping 10.8.0.1Linux OpenVPN client configuration
First, install the openvpn client, enter:$ sudo yum install openvpn
OR$ sudo apt install openvpn
Next, copy iphone.ovpn as follows:$ sudo cp iphone.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:$ sudo openvpn --client --config /etc/openvpn/client.conf
Your Linux system will automatically connect when computer restart using /etc/init.d/openvpn script:$ sudo /etc/init.d/openvpn start
For systemd based system, use the following command:$ sudo systemctl start openvpn@client
Test the OpenVPN connectivity on Linux desktop:$ ping 10.8.0.1 #Ping to OpenVPN server gateway using the ping command
$ ip route #Make sure routing setup using the ip command $ ip route get 10.8.0.1
#Make sure your public IP set to OpenVPN server
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
FreeBSD OpenVPN client configuration
First, install the openvpn client using the pkg command:$ sudo pkg install openvpn
Next, copy iphone.ovpn as follows:$ mkdir -p /usr/local/etc/openvpn/
$ sudo cp iphone.ovpn /usr/local/etc/openvpn/client.conf
Edit /etc/rc.conf and add the following:
openvpn_enable="YES" openvpn_configfile="/usr/local/etc/openvpn/client.conf"
Start the OpenVPN service:$ sudo /usr/local/etc/rc.d/openvpn start
Verify it:#Ping to OpenVPN server gateway from BSD
$ ping 10.8.0.1
#Make sure routing setup
$ netstat -nr
#Make sure your public IP set to OpenVPN server
$ dig +short myip.opendns.com @resolver1.opendns.com
How do I add a new client?
For demo purpose I added a new device called googlephone. Let us add one more device called googlephone by running the script again:$ sudo bash openvpn-install.sh
Looks like OpenVPN is already installed What do you want to do? 1) Add a cert for a new user 2) Revoke existing user cert 3) Remove OpenVPN 4) Exit Select an option [1-4]:
Select option 1 and type googlephone as a client name:
Tell me a name for the client cert Please, use one word only, no special characters Client name: googlephone Generating a 2048 bit RSA private key .........+++ .................................................................................................+++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/googlephone.key.FNaDMaP56c' ----- Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'googlephone' Certificate is to be certified until Sep 25 07:31:46 2027 GMT (3650 days) Write out database with 1 new entries Data Base Updated Client googlephone added, certs available at ~/googlephone.ovpn
Now you can use googlephone.ovpn with Google Android phone. You can add as many users you want using this method.
How do I delete/revoke existing user certificate?
Run the script:$ sudo bash openvpn-install.sh
Here is how it looks:
Looks like OpenVPN is already installed What do you want to do? 1) Add a cert for a new user 2) Revoke existing user cert 3) Remove OpenVPN 4) Exit Select an option [1-4]:
Type 2 option and you will see a list of all the existing client certificate you want to revoke:
Select the existing client certificate you want to revoke
1) iphone6
2) googlephone
3) delllaptop
4) macbook
Select one client [1-4]: 2Sample outputs when I revoked googlephone certificate:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf Revoking Certificate 09. Data Base Updated Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf An updated CRL has been created. CRL file: /etc/openvpn/easy-rsa/pki/crl.pem Certificate for client googlephone revoked
Conclusion
And there you have it, OpenVPN server installed in five minutes to increase your privacy. Please see OpenVPN project and road warrior installer Linux script. Let us know if you have any problems or comments in the comments section below.
No hay comentarios:
Publicar un comentario