How to install OpenVPN

OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is open source software distributed under the GNU GPL. A VPN allows you to connect securely across an untrusted public network such as a Wi-Fi hotspot anywhere. A VPN is also required to reach your corporate, enterprise, or home server resources. You can bypass geo-blocked sites and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Linux, including ufw/iptables firewall configuration.

OpenVPN road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora.

This script will let you set up your own VPN server in no more than a minute, even if you haven’t used OpenVPN before. It has been designed to be as unobtrusive and universal as possible.

The steps are as follows:

  1. Find and note down your public IP address
  2. Download openvpn-install.sh script
  3. Run openvpn-install.sh to install OpenVPN server
  4. Connect to the OpenVPN server using an iOS/Android/Linux/Windows client
  5. Verify your connectivity

NOTE: You need Ubuntu Linux 18.04 LTS or higher to complete this tutorial. Older Ubuntu versions such as 14.04/16.04 LTS are no longer supported.

Find your public IP address

Use any one of the following commands to find out your public IPv4 address. If your interface name is eth0 or eth1, enter:

$ ip addr show eth0

Or

$ ip addr show eth1

Or use the host command or dig command as follows:

$ host myip.opendns.com resolver1.opendns.com
## get IPv4 ##
$ host -4 myip.opendns.com resolver1.opendns.com

OR

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
## see IPv4 instead of default IPv6 ##
$ dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com

Fig.01: Find out your public IPv4 address using the CLI

Note down the public IPv4 address 172.105.102.90 (or IPv6 address 2600:3c04::f03c:92ff:fe42:3d72), i.e. the public IP address of your OpenVPN server powered by Ubuntu Linux.

Download openvpn-install.sh script to set up OpenVPN

Type the following wget command or curl command:

$ wget https://git.io/vpn -O openvpn-install.sh

wget grabbing the script:

--2020-12-09 09:15:57--  https://git.io/vpn
Resolving git.io (git.io)... 34.195.187.253, 52.87.143.234, 34.205.238.171, ...
Connecting to git.io (git.io)|34.195.187.253|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2020-12-09 09:15:57--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.124.133
Connecting to raw.github.com (raw.github.com)|151.101.124.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2020-12-09 09:15:57--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.124.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.124.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23079 (23K) [text/plain]
Saving to: 'openvpn-install.sh'

openvpn-install.sh  100%[==================>]  22.54K  --.-KB/s    in 0.001s  

2020-12-09 09:15:57 (36.9 MB/s) - 'openvpn-install.sh saved [23079/23079]

Before running it, inspect the script with a text editor such as the nano command or the vim command:

$ nano openvpn-install.sh
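Reading the script is one half of the check; the other is making sure the file you run is the same one you read. The short URL above redirects to whatever currently sits on the master branch, so a practitioner would record the SHA-256 of the reviewed copy and refuse to execute anything that does not match it. The following POSIX shell helper is an added example written for this article; it is not part of the tutorial or of the Nyr/openvpn-install project, and the EXPECTED_SHA256 value is a placeholder you fill in after your own review.

```shell
#!/bin/sh
# Added example (not the installer's own code): pin the downloaded installer to
# a SHA-256 digest recorded after review, and only run it when the digest matches.

# Placeholder: replace with the digest you recorded after reading the script.
EXPECTED_SHA256='REPLACE_WITH_REVIEWED_SHA256'

# Print the SHA-256 hex digest of a file (coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Return 0 only when the file's digest equals the expected one; 1 on mismatch,
# 2 when the file cannot be hashed at all.
verify_script_checksum() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file has $actual, expected $expected" >&2
    return 1
}

# Offline self-check on a constructed file whose digest is known
# (sha256 of the six bytes "hello\n").
demo_selfcheck() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_script_checksum "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_selfcheck

# Manual usage once you have reviewed the script and filled in EXPECTED_SHA256:
#   wget https://git.io/vpn -O openvpn-install.sh
#   verify_script_checksum openvpn-install.sh "$EXPECTED_SHA256" && sudo bash openvpn-install.sh
```

A further step in the same direction is to fetch the script from a raw.githubusercontent.com URL that names a specific commit rather than master, so the digest you recorded keeps matching until you deliberately upgrade.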

Running openvpn-install.sh to install OpenVPN server

Type the following command:

$ sudo chmod +x openvpn-install.sh
$ sudo bash openvpn-install.sh

Make sure you provide needed information:

Welcome to this OpenVPN road warrior installer!

Which protocol should OpenVPN use?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 1

What port should OpenVPN listen to?
Port [1194]: 

Select a DNS server for the clients:
   1) Current system resolvers
   2) Google
   3) 1.1.1.1
   4) OpenDNS
   5) Quad9
   6) AdGuard
DNS server [1]: 2

Enter a name for the first client:
Name [client]: gocit01

OpenVPN installation is ready to begin.
Press any key to continue...

Once you press any key, such as the [Enter] key, you will see:

writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1768.FjG9Gr/tmp.vQL9q8'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1768.FjG9Gr/tmp.FiauWW
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Dec  7 09:22:17 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
....................................+++++
...................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1843.4USwJm/tmp.lOecLW'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1843.4USwJm/tmp.5j0n6q
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'gocit01'
Certificate is to be certified until Dec  7 09:22:17 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1899.k6zZtP/tmp.riZi2R

An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem


Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service → /etc/systemd/system/openvpn-iptables.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /lib/systemd/system/openvpn-server@.service.

Finished!

The client configuration is available in: /root/gocit01.ovpn
New clients can be added by running this script again.

Viewing and Setting up OpenVPN Server Firewall Rules

That is all. Your OpenVPN server is configured and ready to use. You can see the firewall rules the script added in the /etc/systemd/system/openvpn-iptables.service file:

$ sudo systemctl cat openvpn-iptables.service

Sample rules. Do not edit them by hand:

[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.105.102.90
ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.105.102.90
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:3c04::f03c:92ff:fe42:3d72
ExecStart=/usr/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStart=/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:3c04::f03c:92ff:fe42:3d72
ExecStop=/usr/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStop=/usr/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

You can view the OpenVPN server config file generated by the script as follows (again, do not edit this file by hand, as that will break things):

$ sudo more /etc/openvpn/server/server.conf

Sample openvpn config:

local 172.105.102.90
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 fddd:1194:1194:1194::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
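Several lines in that file carry the security weight: tls-crypt authenticates and encrypts the control channel, crl-verify makes revoked client certificates unusable, auth SHA512 sets the HMAC, and user/group nobody drop the daemon's privileges after startup. Because the script regenerates the file and a hand edit or a package upgrade can silently lose a directive, it is worth having a repeatable check. The POSIX shell audit below is an added example written for this article, not code from the tutorial or the installer; the list of required directives is my own choice, and the embedded config is a copy of the sample above so the check runs offline.

```shell
#!/bin/sh
# Added example (not the installer's own code): audit an OpenVPN server.conf
# for the hardening directives the generated configuration above relies on.

# Directives that must be present, one per line (directive plus any fixed value).
# This list is the author's choice for this example, not an OpenVPN requirement.
REQUIRED_DIRECTIVES='tls-crypt
crl-verify
auth SHA512
user nobody
group nogroup
persist-key
persist-tun'

# Write a copy of the installer-generated sample from the tutorial to $1,
# so the audit can be demonstrated without a real server.
write_sample_conf() {
    cat > "$1" <<'EOF'
local 172.105.102.90
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 fddd:1194:1194:1194::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
EOF
}

# Print "MISSING: <directive>" for each absent directive; return the number missing
# (0 means the file passes).
audit_openvpn_conf() {
    conf="$1"
    missing=0
    old_ifs=$IFS
    IFS='
'
    for directive in $REQUIRED_DIRECTIVES; do
        IFS=$old_ifs
        # Anchor at line start and require a space or end of line after the
        # directive, so commented-out or longer tokens do not count as present.
        if ! grep -Eq "^${directive}"'( |$)' "$conf"; then
            echo "MISSING: $directive"
            missing=$((missing + 1))
        fi
    done
    IFS=$old_ifs
    return "$missing"
}

# Demo: the sample passes, a copy with tls-crypt stripped fails.
# On a real server run: audit_openvpn_conf /etc/openvpn/server/server.conf (as root).
demo_audit() {
    good=$(mktemp)
    bad=$(mktemp)
    write_sample_conf "$good"
    grep -v '^tls-crypt' "$good" > "$bad"
    audit_openvpn_conf "$good" && echo "sample config: all required directives present"
    audit_openvpn_conf "$bad" || echo "stripped config: $? directive(s) missing"
    rm -f "$good" "$bad"
}

demo_audit
```

The exit status doubles as the count of missing directives, which makes the function easy to wire into a cron job or a configuration-management health check that alerts on anything non-zero.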

How do I start/stop/restart OpenVPN server on Linux

Run the following systemctl command to stop the OpenVPN service:

$ sudo systemctl stop openvpn-server@server.service

Want to start it again? Try:

$ sudo systemctl start openvpn-server@server.service

The command to restart the OpenVPN service:

$ sudo systemctl restart openvpn-server@server.service

View status of your OpenVPN systemd based service:

$ sudo systemctl status openvpn-server@server.service
 openvpn-server@server.service - OpenVPN service for server
     Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-12-09 09:22:18 UTC; 7min ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 2017 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 4610)
     Memory: 1.2M
     CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
             └─2017 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf

Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UDPv4 link local (bound): [AF_INET]172.105.102.90:1194
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UDPv4 link remote: [AF_UNSPEC]
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: GID set to nogroup
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UID set to nobody
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: MULTI: multi_init called, r=256 v=256
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=fddd:1194:1194:1194::1000
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL LIST
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: Initialization Sequence Completed
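The systemd unit above starts openvpn with --status /run/openvpn-server/status-server.log --status-version 2, so the server continuously writes a machine-readable list of connected clients. Knowing who is connected from where, and how much they have transferred, is the first thing an operator checks when a client certificate is suspected lost or a session looks unexpected. The shell helper below is an added example for this article, not part of the tutorial or of OpenVPN; it assumes the version 2 status format (comma-separated rows tagged CLIENT_LIST, preceded by a HEADER row naming the columns) and reads column positions from that HEADER row rather than hard-coding them, because the CLIENT_LIST layout has gained columns between OpenVPN releases. The embedded status file is constructed for the demo, using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the tutorial or OpenVPN): list the sessions an OpenVPN
# server currently holds by parsing its --status-version 2 status file.

# Constructed sample status file so the parser can be exercised offline.
# Client addresses are from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
write_sample_status() {
    cat > "$1" <<'EOF'
TITLE,OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
TIME,Wed Dec  9 09:30:00 2020,1607506200
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,gocit01,203.0.113.5:51234,10.8.0.2,fddd:1194:1194:1194::1000,12345,67890,Wed Dec  9 09:25:00 2020,1607505900,UNDEF,0,0
CLIENT_LIST,gocit02,198.51.100.7:40001,10.8.0.3,fddd:1194:1194:1194::1001,200,300,Wed Dec  9 09:28:00 2020,1607506080,UNDEF,1,1
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.2,gocit01,203.0.113.5:51234,Wed Dec  9 09:29:50 2020,1607506190
ROUTING_TABLE,10.8.0.3,gocit02,198.51.100.7:40001,Wed Dec  9 09:29:55 2020,1607506195
GLOBAL_STATS,Max bcast/mcast queue length,0
END
EOF
}

# Print one line per connected client:
#   <common name> <real address> <VPN address> <bytes received> <bytes sent>
list_vpn_clients() {
    awk -F, '
        $1 == "HEADER" && $2 == "CLIENT_LIST" {
            # The HEADER row carries an extra leading tag, so header column i
            # corresponds to field i-1 of a CLIENT_LIST row.
            for (i = 3; i <= NF; i++) col[$i] = i - 1
            next
        }
        $1 == "CLIENT_LIST" && ("Common Name" in col) {
            printf "%s %s %s %s %s\n", $(col["Common Name"]), $(col["Real Address"]),
                   $(col["Virtual Address"]), $(col["Bytes Received"]), $(col["Bytes Sent"])
        }
    ' "$1"
}

# Number of active sessions in the status file.
count_vpn_clients() {
    list_vpn_clients "$1" | awk 'END { print NR }'
}

# Demo on the constructed sample. On a real server point the functions at
# /run/openvpn-server/status-server.log instead (readable as root).
demo_status() {
    f=$(mktemp)
    write_sample_status "$f"
    echo "active sessions: $(count_vpn_clients "$f")"
    list_vpn_clients "$f"
    rm -f "$f"
}

demo_status
```

The same parser works unchanged if a later OpenVPN release adds a column such as the data channel cipher, since every field is looked up by its header name; a session whose real address is not one you expect, or a common name connected twice, is exactly the kind of line this listing is meant to surface.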

OpenVPN client configuration

On the server you will find a client configuration file called ~/gocit01.ovpn. Use the find command to locate the OpenVPN config file:

$ sudo find / -type f -name "gocit01.ovpn"
$ sudo find / -type f -name "*.ovpn"

Now, all you have to do is copy this file to your local desktop using the scp command and provide it to your OpenVPN client to connect:

$ scp root@172.105.102.90:~/gocit01.ovpn .

Next, you need to download an OpenVPN client for your operating system or mobile device:

MacOS/OS X OpenVPN client configuration

Just double-click the gocit01.ovpn file and it will open in your Tunnelblick client. Click “Only me” to install it:

Once installed, click the Connect button and you will be online. Use the following command on the macOS client to verify that your public IP has changed to the VPN server IP:

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

You can also ping the OpenVPN server's private IP:

$ ping 10.8.0.1

Reference

Homepage

https://github.com/hautph/openvpn-install

https://github.com/Nyr/openvpn-install

https://www.cyberciti.biz/faq/howto-setup-openvpn-server-on-ubuntu-linux-14-04-or-16-04-lts/
