Setup OpenVPN on Ubuntu / Debian

this guide contains material from Debian Wiki site with contribution from Kevin Coyner

These notes cover the installation of openvpn on a Debian server and client. Once setup, all internet traffic, including browser traffic, from the client will travel via the VPN to the server. The server config write-up is first, followed by the client write-up further down the page.

This presumes you are not ethernet bridging.

Begin by installing openvpn on server


apt-get install openvpn udev openssl


Now you must create the keys needed by both server and client.


mkdir /etc/openvpn/easy-rsa
cp -ai /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
vi vars


In the vars file, edit the KEY_* entries at the bottom of the file, such as KEY_COUNTRY, KEY_ORG, KEY_EMAIL, etc. Next, source the vars file and then clean the directory.


. ./vars
./clean-all


Next build the certificates. For the ‘Common Name’ field, you can use anything to your liking. I used ‘OpenVPN-CA-AZEEM’. For the Certificate Authority (build-ca), use ’server’. For the client keys (build-key), use ‘client1′ or ‘client2′ or whatever you like, I used ‘client_azeem’.


./build-ca
./build-key-server server
./build-key client_azeem
./build-key client2


Generate the Diffie Hellman parameters for the server.


.build-dh


When this is done, you will have a number of files in the keys/ subdirectory. Copy the keys listed below to the server’s /etc/openvpn directory.


cd /etc/openvpn

cp easy-rsa/keys/ca.crt .
cp easy-rsa/keys/server.key .
cp easy-rsa/keys/server.crt .
cp easy-rsa/keys/dh1024.pem .

And copy the keys needed for the client either directly to the client via scp or to a USB disk. The files needed by the client are ca.crt, client_kevin.crt, and client_kevin.key (or whatever you named the files when you generated them with the build-key script).

create the openvpn server config file. Start with the example in the docs.


cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf .


Gunzip it if necessary then edit it. Here’s a simple but workable example:


# [server.conf]
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 202.107.105.13"
push "dhcp-option DNS 202.108.107.21"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3


Note the entries for ‘push dhcp-option DNS’. These will be DNS servers that are accessible from your server. They will be pushed out to the client. Change them to your network’s DNS servers. I used 8.8.8.8 as the second one with my network’s router IP as the first DNS.

Now start the openvpn server with either of the following commands.


/etc/init.d/openvpn start
or
openvpn /etc/openvpn/server.conf


You will need to enable IP forwarding.


echo 1 > /proc/sys/net/ipv4/ip_forward


You can make this a permanent change by uncommenting the line:


net.ipv4.ip_forward = 1


in the file /etc/sysctl.conf.

You’ll also have to allow NAT forwarding through your firewall. This will most likely be accomplished with something like the following rule in iptables:


iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


This assumes you have set up your openvpn server with the IP 10.8.0.0 in the server.conf file as described above.

You can make this command permanent by creating a script file in


/etc/init.d/


I created my file as below:


vim /etc/init.d/iptables_openvpn.sh


the script file contains


#! /bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


save the file and run following command


update-rc.d iptab_openvpn.sh defaults


also make the script file executable


chmod +x iptab_openvpn.sh


Don’t forget to open port 1194 on your firewall / router which protects your network where your OpenVPN server now sits.

You can now setup your favourite OpenVPN client. If you want to use OpenVPN client the settings are as below:

In the server config above, you created keys for the client, which you should have already copied from the server to the client’s directory at /etc/openvpn. This includes the ca.crt file.

Next you need a client.conf file, a sample of which is found in the docs.


cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .
vi client.conf

# [client.conf]
client
dev tun
proto udp
remote 66.32.272.181 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client_kevin.crt
key /etc/openvpn/client_kevin.key
ns-cert-type server
comp-lzo
verb 3
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf


Some obvious things: You’ll want to use your server’s IP for the remote entry. List your client keys and the server CA. Uncomment the user and group entries.

Not so obvious are the last two lines. These are the key to getting DNS to work correctly on the client. You should check the README.Debian in the openvpn docs, but basically you need to install the deb package resolvconf. Make sure you read the README for resolvconf, as it can potentially conflict with other DNS writing programs on your client.

The last two lines call the script update-resolv-conf, which should be in your /etc/openvpn directory. The script will use resolvconf, and the DNS settings of the openvpn server, to rewrite your client resolv.conf file.

To start openvpn on the client, issue the command:


openvpn --script-security 2 --config /etc/openvpn/client.conf &


You’ll need the –script-security setting to get the update-resolv-conf script to execute. You can place this setting in the client.conf file if you like.

Check your installation by pinging 10.8.0.1 from the client. You should successfully be pinging the server. Check it further by opening a browser and going to http://www.whatismyip.com. It should return the IP of the server, not the client. Note also that if you run the command ifconfig, you’ll see a new entry for tun0.

On both the server and the client, you can control whether your vpn is automatically started on machine startup by editing the AUTOSTART lines in the file /etc/default/openvpn.

another detailed guide including more details on iptables and dnsmasq is available here