By Tim Setting Up OpenVPN on Ubuntu
This article introduces how to set up OpenVPN service on an Ubuntu system.
First, let me describe my local environment:
- Operating System: Ubuntu-18.04-LTS
- Intranet IP: 192.168.1.110
- External IP: 14.153.76.90
- OpenVPN Version: 2.4.4
Installing OpenVPN
First, install some dependencies, including openssl and lzo, where lzo is used to compress communication data to speed up transmission.
sudo apt-get install openssl libssl-dev
sudo apt-get install lzop
Install OpenVPN and easy-rsa
sudo apt-get install openvpn
sudo apt-get install easy-rsa
Creating Certificates and Keys
After installing easy-rsa, we can start creating the keys required for the OpenVPN service.
Modify and Initialize Environment Variables
sudo su
cd /usr/share/easy-rsa/
vim vars
# Modify registration information, such as company address, company name, department name, etc.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GuangDong"
export KEY_CITY="ShenZhen"
export KEY_ORG="XJXH"
export KEY_EMAIL="rock@xjxh.io"
export KEY_OU="FuckItWhatever"
export KEY_NAME="EasyRSA"
# Make environment variables effective
source ./vars
# Add openssl configuration file
cp openssl-1.0.0.cnf openssl.cnf
Create Keys
# Clear all certificate-related files in the keys directory
# The certificates and keys generated by the following steps are all in the /usr/share/easy-rsa/keys directory
./clean-all
# Generate root certificate ca.crt and root key ca.key (just press Enter throughout)
./build-ca
# Generate certificate and private key for the server, --batch means keeping default settings without needing Enter confirmation
./build-key-server --batch server
# Generate certificate and private key for the client
./build-key --batch client
# Create Diffie-Hellman key, which will generate the dh2048.pem file (the generation process is slow, do not interrupt it)
./build-dh
# Generate ta.key file (to prevent DDoS attacks, UDP floods, and other malicious attacks)
openvpn --genkey --secret keys/ta.key
Create Server Configuration File (server.conf)
First, create a keys directory in the OpenVPN configuration directory
sudo mkdir -p /etc/openvpn/keys
Then, copy the required OpenVPN certificates and keys to the newly created keys directory
cp /usr/share/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
Copy a server configuration file template server.conf to /etc/openvpn/
gzip -d /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
Edit server.conf
# Service port
port 1194
# Transmission protocol used
proto tcp
# Routing mode, use dev tap for bridge mode
dev tun
# Certificate path
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
# Default virtual LAN segment, ensure it does not conflict with the actual LAN
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# 192.168.1.0 is the LAN segment where my OpenVPN server is located
# If your LAN is not this, you need to modify it to your LAN segment here
push "route 192.168.1.0 255.255.255.0"
# If clients connect to the VPN using the same certificate and key, this option must be enabled, otherwise each certificate only allows one person to connect to the VPN
duplicate-cn
# If tls-auth is set here, the client must also set it, and it must correspond to the server side, where the server is 0 and the client is 1
;tls-auth keys/ta.key 0 # This file is secret
;key-direction 0
# clients we want to allow.
max-clients 100
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
# If the transmission method is set to TCP above, this should be commented out to avoid conflicts
;explicit-exit-notify 1
# Here configure support for logging in with username and password, which can replace logging in with keys and certificates
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
# This is very important, if you enable this option, you only need to log in with username and password
# But if you comment out this option, you must use Username + Password + Certificate to log in successfully, none can be missing.
;verify-client-cert none
username-as-common-name
script-security 3
If you have configured logging in with username and password, you need to create a login verification script vim /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
Then you also need to create a password file vim /etc/openvpn/psw-file, with one user per line, separated by spaces between the username and password:
user1 pass1
user2 pass2
user3 pass3
With this, the server configuration is complete.
Configuring Kernel and Firewall, Starting the Server
Step 1, enable routing forwarding feature
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sed -i '/net.ipv4.ip_forward/s/#//' /etc/sysctl.conf
sysctl -p
Step 2, configure
iptables
iptables -I INPUT -p tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
Then we save the iptables settings and load them automatically at boot. This can be quickly achieved with iptables-persistent
sudo apt-get install iptables-persistent
# Save rules
sudo service netfilter-persistent save
Next time you boot, you will see that the iptables rules have been loaded automatically
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn /* openvpn */
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Disable ufw firewall
ufw disable
Step 3, start OpenVPN service
/etc/init.d/openvpn start
# Set to start on boot
systemctl enable openvpn@server
Creating Client Configuration File client.ovpn (for client software use)
First, copy a client.conf template and name it client.ovpn
mkdir ~/openvpn-client
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/openvpn-client/client.ovpn
Then modify client.ovpn, vim /etc/openvpn/client.ovpn
client
# Set this the same as the server
dev tun
proto tcp
# OpenVPN server IP and port
remote 14.153.76.90 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Set certificates and keys here
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
# If the server uses tls-auth, enable it here as well
;tls-auth ta.key 1
comp-lzo
verb 3
# Path to the file storing username and password, so you don't need to enter them manually when connecting
auth-user-pass pass.txt
After modifying the client configuration document, you also need to copy the certificate files to the ~/openvpn-client folder:
cp /ect/openvpn/keys/ca.crt ~/openvpn-client
cp /usr/share/easy-rsa/keys/client.crt ~/openvpn-client
cp /usr/share/easy-rsa/keys/client.key ~/openvpn-client
Then you also need to create a pass.txt file in the openvpn-client directory, with the username on the first line and the password on the second line:
user1
pass1
Your point of view caught my eye and was very interesting. Thanks. I have a question for you.