How to install OpenVPN Server

Below you will find how to install OpenVPN server.  At the end of the article;

1- We will have a VPN server running under linux..
2- We will be using linux pam accounts to authenticate clients
3- All clients connected can access local network and each other
4- All clients will use the VPN server to access the internet.
5- VPN server will act as Remote to Site
6- We will have a sample windows client configuration to connect.

Setup
Ubuntu Server 12.04
WAN 192.168.1.33/30
LAN 172.16.70.0/24
VPN 10.8.0.0/24

Go with the commands below step by step.

install necessary packages
apt-get install openvpn openssl


Generate server certificates

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa2
cd /etc/openvpn/easy-rsa2

edit certificate variables
export KEY_COUNTRY="My country"
export KEY_PROVINCE="XX"
export KEY_CITY="My City"
export KEY_ORG="MÖy organization"
export KEY_EMAIL="mail@blabladoamin.com"

save and exit.
Run the commands to generate.
Note: we only generate server certificates here..
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh

copy generated files to openvpn folder.
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn
cp /etc/openvpn/easy-rsa/2.0/keys/ca.key /etc/openvpn
cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn
cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn
cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn

now go to /etc/openvpn folder and create your configuration file
cd /etc/openvpn
vi openvpn.conf

add the following lines

notes about conf file
If you need another features please comment.
default port changed to 11194
traffic between clients allowed “client-to-client”
clients assigned ip addresses persistent to usernames “ifconfig-pool-persist ipp.txt”
pam auth is enabled “plugin /usr/lib/openvpn/openvpn-auth-pam.so login”
we dont need client certificates. we will login with linux account “client-cert-not-required”
we have enabled management interface in order to get statistics etc.. “management localhost 7505”
use your desired DNS server to push if you need “push “dhcp-option DNS xxx.xxx.xxx.xxx””

dev tun
proto udp
port 11194
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
persist-key
persist-tun
verb 3
keepalive 10 100
cipher AES-256-CBC
push "redirect-gateway def1"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "explicit-exit-notify 3"
comp-lzo
link-mtu 1500
log-append /var/log/openvpn
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
management localhost 7505

now we have to overload NAT our tun0 interface to our internet uplink. So clients will go through VPN interface to internet via VPN server.

enable ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
now add your NAT rule.
eth0 is my internet uplink . and 10.8.0.0/24 is my vpn network. so we add source nat rule to overload our internet uplink.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

restart openvpnserver service
service openvpn restart

Now, files needed for your client. copy ca.crt which was generated before to client conf folder.

we have windows client in our example.
auth-user-pass > we enable user authentication.
auth-nocache > we enabel nocache for security reasons
ca “C:\\cert\\ca.crt” > copy the ca.crt file from your server to client. and define path for it.

client
dev tun
proto udp
remote "yourserver ip address" 11194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
auth-nocache
comp-lzo
link-mtu 1500
cipher AES-256-CBC
ca "C:\\cert\\ca.crt"
ns-cert-type server
route-method exe
verb 3

save the file as myconffile.ovpn
connect :)

1 thought on “How to install OpenVPN Server”

  1. Pingback: Frederick

Leave a Reply