Ultimate Guide to Setting Up Your Own VPN with OpenVPN on Ubuntu (2024)

Creating a VPN (Virtual Private Network) involves several steps. Here's a detailed guide to set up a VPN server using OpenVPN, one of the most popular open-source VPN solutions. This example assumes you are using a Linux-based server, such as Ubuntu.

Step 1: Update Your System

Before installing any software, it's important to update your system's package list and install available updates.

sudo apt-get update sudo apt-get upgrade

Step 2: Install OpenVPN and Easy-RSA

OpenVPN requires Easy-RSA, a set of scripts that simplifies the process of creating a Certificate Authority (CA) to manage your own certificate (used to secure the VPN connections).

• sudo apt-get install openvpn easy-rsa

Step 3: Configure Easy-RSA

Create a directory for Easy-RSA and set up the environment variables:

• make-cadir ~/openvpn-ca cd ~/openvpn-ca nano vars

In the vars file, adjust the following parameters to match your environment. These values will be used to create the certificates:

• export KEY_COUNTRY="US"
• export KEY_PROVINCE="CA"
• export KEY_CITY="SanFrancisco"
• export KEY_ORG="MyVPN"
• export KEY_EMAIL="[email protected]"
• export KEY_OU="MyVPNUnit"
• export KEY_NAME="server"

Step 4: Build the Certificate Authority

Initialize the PKI (Public Key Infrastructure) and build the CA:

• source vars ./clean-all ./build-ca

Step 5: Create the Server Certificate, Key, and Encryption Files

Generate the server certificate and key:

• ./build-key-server server

Generate Diffie-Hellman parameters:

• ./build-dh

Generate an HMAC signature to strengthen the server's TLS integrity verification capabilities:

• openvpn --genkey --secret keys/ta.key

Step 6: Configure the OpenVPN Service

Copy the sample OpenVPN configuration file to the /etc/openvpn directory and edit it:

• sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ sudo gzip -d /etc/openvpn/server.conf.gz sudo nano /etc/openvpn/server.conf

Modify the server.conf file with the following parameters:

port 1194

proto udp

dev tun

ca ca.crt

cert server.crt

key server.key # This file should be kept secret

dh dh2048.pem

auth SHA256

tls-auth ta.key 0 # This file is secret

cipher AES-256-CBC

user nobody

group nogroup

persist-key

persist-tun

status openvpn-status.log

log-append /var/log/openvpn.log

verb 3

Step 7: Enable IP Forwarding and Configure Firewall

Enable IP forwarding:

• sudo nano /etc/sysctl.conf

Uncomment the following line:

• net.ipv4.ip_forward=1

Apply the changes:

• sudo sysctl -p

Configure the firewall to allow traffic through the VPN:

sudo ufw allow 1194/udp sudo ufw allow OpenSSH sudo ufw enable sudo ufw status

Step 8: Start the OpenVPN Service

Start and enable the OpenVPN service:

Recommended by LinkedIn

Implementing a VPN Server inRust

Luis Soares, M.Sc. 10 months ago

See Also

How to Install WireGuard VPN Client on Ubuntu Linux | Serverspace

How to monitor network traffic on Linux

Iman Abrehdari 1 month ago

Managing Remote Server Securely Using SSH

Eleke Great 7 months ago

• sudo systemctl start openvpn@server
• sudo systemctl enable openvpn@server

Step 9: Generate Client Certificates and Configuration

Create the client certificates:

• cd ~/openvpn-ca source vars ./build-key client1

Copy the necessary files to a secure location to distribute to your clients:

• cp ~/openvpn-ca/keys/ca.crt ~/openvpn-ca/keys/client1.crt ~/openvpn-ca/keys/client1.key ~/openvpn-ca/keys/ta.key ~/client-configs/keys/

Create a client configuration file template:

• mkdir -p ~/client-configs/files nano ~/client-configs/base.conf

Add the following configuration to base.conf:

client

dev tun

proto udp

remote YOUR_SERVER_IP 1194

resolv-retry infinite

nobind

persist-key

persist-tun

remote-cert-tls server

cipher AES-256-CBC

auth SHA256

key-direction 1

verb 3

Step 10: Create Client Configuration Files

Create a script to generate client configuration files:

nano ~/client-configs/make_config.sh

Add the following content to make_config.sh:

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/client-configs/keys

OUTPUT_DIR=~/client-configs/files

BASE_CONFIG=~/client-configs/base.conf

cat ${BASE_CONFIG} \

<(echo -e '<ca>') \

${KEY_DIR}/ca.crt \

<(echo -e '</ca>\n<cert>') \

${KEY_DIR}/${1}.crt \

<(echo -e '</cert>\n<key>') \

${KEY_DIR}/${1}.key \

<(echo -e '</key>\n<tls-auth>') \

${KEY_DIR}/ta.key \

<(echo -e '</tls-auth>') \

> ${OUTPUT_DIR}/${1}.ovpn

Make the script executable:

• chmod 700 ~/client-configs/make_config.sh

Generate a client configuration file:

• ~/client-configs/make_config.sh client1

Step 11: Distribute the Client Configuration

Transfer the generated .ovpn file to your client's device securely. This can be done using secure methods such as SFTP, SCP, or a secure USB drive.

Step 12: Connect with the Client

Install an OpenVPN client on your client device and import the .ovpn file to connect to your VPN server.

That's it! Your VPN server should now be set up and ready to use.