Linux start openvpn server

OpenVPN

If you want more than just pre-shared keys, OpenVPN makes it easy to set up a Public Key Infrastructure (PKI) to use SSL/TLS certificates for authentication and key exchange between the VPN server and clients. OpenVPN can be used in a routed or bridged VPN mode and can be configured to use either UDP or TCP. The port number can be configured as well, but port 1194 is the official one; this single port is used for all communication. VPN client implementations are available for almost anything, including all Linux distributions, OS X, Windows and OpenWRT-based WLAN routers.

Server Installation

To install openvpn, enter the following in a terminal:

Public Key Infrastructure Setup

The first step in building an OpenVPN configuration is to establish a PKI (public key infrastructure). The PKI consists of:

  • a separate certificate (also known as a public key) and private key for the server and each client.

  • a master Certificate Authority (CA) certificate and key, used to sign the server and client certificates.

OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.

Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).

Certificate Authority Setup

To set up your own Certificate Authority (CA) and generate certificates and keys for an OpenVPN server and multiple clients, first copy the easy-rsa directory to /etc/openvpn. This ensures that any changes to the scripts will not be lost when the package is updated. From a terminal, run:

Note: If desired, you can alternatively edit /etc/openvpn/easy-rsa/vars directly, adjusting it to your needs.

As root user change to the newly created directory /etc/openvpn/easy-rsa and run:

Server Keys and Certificates

Next, we will generate a key pair for the server:

Diffie-Hellman parameters must be generated for the OpenVPN server. The following will place them in pki/dh.pem.

And finally a certificate for the server:

All certificates and keys have been generated in subdirectories. Common practice is to copy them to /etc/openvpn/:

Client Certificates

The VPN client will also need a certificate to authenticate itself to the server. Usually you create a different certificate for each client.

This can either be done on the server (as for the keys and certificates above) and then securely distributed to the client, or vice versa: the client can generate a certificate request that is sent to the server and signed there.

To create the certificate, enter the following in a terminal as user root:

If the first command above was run on a remote system, copy the .req file to the CA server. There you can import it via easyrsa import-req /incoming/myclient1.req myclient1. Then you can go on with the second, sign-req, command.

In both cases, afterwards copy the following files to the client using a secure method:

As the client certificates and keys are only required on the client machine, you can remove them from the server.

Simple Server Configuration

Along with your OpenVPN installation you got these sample config files (and many more if you check):

Start with copying and unpacking server.conf.gz to /etc/openvpn/server.conf.

Edit /etc/openvpn/myserver.conf to make sure the following lines are pointing to the certificates and keys you created in the section above.

Complete this set with a ta key in /etc/openvpn for tls-auth like:

Edit /etc/sysctl.conf and uncomment the following line to enable IP forwarding.

Then reload sysctl.

That is the minimum you have to configure to get a working OpenVPN server. You can use all the default settings in the sample server.conf file. Now start the server.

Be aware that “systemctl start openvpn” does not start the openvpn instance you just defined.
Openvpn uses templatized systemd units, openvpn@CONFIGFILENAME. So if, for example, your configuration file is myserver.conf, your service is called openvpn@myserver. You can run all kinds of service and systemctl commands such as start/stop/enable/disable/preset against a templatized service like openvpn@server.

You will find logging and error messages in the journal. For example, if you started a templatized service openvpn@server you can filter for this particular message source with:

The same templatized approach works for all of systemctl:

You can enable/disable the various openvpn services on one system individually, but you could also let Ubuntu do it for you. There is an AUTOSTART setting in /etc/default/openvpn. Allowed values are “all”, “none” or a space-separated list of VPN names. If empty, “all” is assumed. The VPN name refers to the VPN configuration file name, i.e. home would be /etc/openvpn/home.conf. If you’re running systemd, changing this variable will require running systemctl daemon-reload followed by a restart of the openvpn service (if you removed entries you may have to stop those manually).


After “systemctl daemon-reload”, a restart of the “generic” openvpn service will restart all dependent services that the generator in /lib/systemd/system-generators/openvpn-generator created for your conf files when you called daemon-reload.

Now check if OpenVPN created a tun0 interface:

Simple Client Configuration

There are various OpenVPN client implementations with and without GUIs. You can read more about clients in a later section on VPN Clients. For now we use the command-line/service-based OpenVPN client for Ubuntu, which is part of the very same package as the server. So you have to install the openvpn package again on the client machine:

This time copy the client.conf sample config file to /etc/openvpn/:

Copy the following client keys and certificate files you created in the section above to e.g. /etc/openvpn/ and edit /etc/openvpn/client.conf to make sure the following lines are pointing to those files. If you have the files in /etc/openvpn/ you can omit the path.

And you have to specify the OpenVPN server name or address. Make sure the keyword client is in the config; that’s what enables client mode.

Now start the OpenVPN client with the same templatized mechanism:

You can check status as you did on the server:

On the server, an incoming connection looks like the following in the log. You can see the client name and source address as well as success/failure messages.
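As an added example (not a capture from the guide's server and not part of the openvpn package), the following Python snippet parses journal lines of the shape an OpenVPN 2.x server started as openvpn@myserver writes: it pulls the client name and source address out of the VERIFY and "Peer Connection Initiated" messages, records the reason from VERIFY ERROR and TLS Error messages, and flags sources that keep failing the handshake. The log lines are constructed for the demonstration (RFC 5737 documentation addresses, a made-up host name and PID); on a real server feed it the output of journalctl -u openvpn@myserver --no-pager.

```python
"""Summarise OpenVPN server journal lines: who connected from where, which
sources failed and why, and which sources fail repeatedly.
Added example; LOG_LINES is constructed to resemble OpenVPN 2.x output as
journald shows it for a unit started as openvpn@myserver, not a real capture."""
import re
from collections import defaultdict

LOG_LINES = """\
Mar 05 10:12:01 vpnhost ovpn-myserver[842]: 198.51.100.23:41234 TLS: Initial packet from [AF_INET]198.51.100.23:41234, sid=1a2b3c4d 5e6f7a8b
Mar 05 10:12:01 vpnhost ovpn-myserver[842]: 198.51.100.23:41234 VERIFY OK: depth=1, CN=Easy-RSA CA
Mar 05 10:12:01 vpnhost ovpn-myserver[842]: 198.51.100.23:41234 VERIFY OK: depth=0, CN=myclient1
Mar 05 10:12:02 vpnhost ovpn-myserver[842]: 198.51.100.23:41234 [myclient1] Peer Connection Initiated with [AF_INET]198.51.100.23:41234
Mar 05 10:12:02 vpnhost ovpn-myserver[842]: myclient1/198.51.100.23:41234 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Mar 05 10:13:40 vpnhost ovpn-myserver[842]: 203.0.113.9:55000 TLS: Initial packet from [AF_INET]203.0.113.9:55000, sid=9f8e7d6c 5b4a3928
Mar 05 10:13:40 vpnhost ovpn-myserver[842]: 203.0.113.9:55000 VERIFY ERROR: depth=0, error=certificate revoked: CN=googlephone
Mar 05 10:13:40 vpnhost ovpn-myserver[842]: 203.0.113.9:55000 TLS Error: TLS handshake failed
Mar 05 10:15:00 vpnhost ovpn-myserver[842]: 192.0.2.77:6000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 05 10:15:00 vpnhost ovpn-myserver[842]: 192.0.2.77:6000 TLS Error: TLS handshake failed
Mar 05 10:16:05 vpnhost ovpn-myserver[842]: 192.0.2.77:6001 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 05 10:16:05 vpnhost ovpn-myserver[842]: 192.0.2.77:6001 TLS Error: TLS handshake failed
""".splitlines()

# journald prefix, then OpenVPN's own "[cn/]src:port message" layout.
JOURNAL_RE = re.compile(
    r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ ovpn-[^\[]+\[\d+\]: "
    r"(?:(?P<cn>[^/\s]+)/)?(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<msg>.*)$")
PEER_OK_RE = re.compile(r"^\[(?P<cn>[^\]]+)\] Peer Connection Initiated")
VERIFY_ERR_RE = re.compile(r"^VERIFY ERROR: depth=\d+, error=(?P<reason>.+?)(?:: CN=(?P<cn>\S+))?$")
TLS_ERR_RE = re.compile(r"^TLS Error: (?P<reason>.+)$")


def summarize(lines):
    """Return (connected, failures): connected is a list of (cn, src) for
    completed handshakes; failures maps src -> list of failure reasons."""
    connected, failures = [], defaultdict(list)
    for line in lines:
        m = JOURNAL_RE.match(line)
        if not m:
            continue  # not an OpenVPN per-peer line (or a different unit)
        src, msg = m["src"], m["msg"]
        if (ok := PEER_OK_RE.match(msg)):
            connected.append((ok["cn"], src))
        elif (err := VERIFY_ERR_RE.match(msg)):
            who = f" (CN={err['cn']})" if err["cn"] else ""
            failures[src].append(err["reason"] + who)
        elif (err := TLS_ERR_RE.match(msg)):
            failures[src].append(err["reason"])
    return connected, dict(failures)


def noisy_sources(failures, threshold=3):
    """Sources with at least `threshold` failures: worth a look, whether it is a
    client with a stale or revoked certificate or an address to rate-limit."""
    return sorted(src for src, reasons in failures.items() if len(reasons) >= threshold)


def demo():
    connected, failures = summarize(LOG_LINES)
    return connected, failures, noisy_sources(failures)
```

The message forms matched here are the ones OpenVPN 2.x prints for a successful TLS handshake, a certificate that fails verification, and a handshake that times out; the "TLS key negotiation failed to occur within 60 seconds" reason is the same text a client prints when it cannot reach the server at all, which is why the troubleshooting section suggests checking the firewall first.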

And you can check on the client if it created a tun0 interface:

Check if you can ping the OpenVPN server:

The OpenVPN server always uses the first usable IP address in the client network and only that IP is pingable. E.g. if you configured a /24 for the client network mask, the .1 address will be used. The P-t-P address you see in the ip addr output above is usually not answering ping requests.

Check out your routes:

First troubleshooting

If the above didn’t work for you, check this:

  • Check your journal with journalctl -xe
  • Check that you have specified the key file names correctly in the client and server conf files
  • Can the client connect to the server machine? Maybe a firewall is blocking access? Check the journal on the server.
  • Client and server must use the same protocol and port, e.g. UDP port 1194; see the port and proto config options
  • Client and server must use the same config regarding compression; see the comp-lzo config option
  • Client and server must use the same config regarding bridged vs routed mode; see the server vs server-bridge config option
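As an added example that is not part of the Ubuntu guide or the openvpn package, the following Python script automates the checks in this list: it parses a server.conf and a client.conf, compares proto, port, comp-lzo, tun/tap and server vs server-bridge, checks that tls-auth is used on both sides with opposite key directions, and confirms that every file named by ca, cert, key, dh and tls-auth exists where the config expects it. The two configurations and the empty stand-in key files are constructed for the demonstration, and vpnserver.example.com is a placeholder hostname.

```python
"""Cross-check an OpenVPN server.conf against a client.conf for the mismatches in
the troubleshooting list (proto, port, comp-lzo, tun/tap, server vs server-bridge),
plus tls-auth key direction and missing key files. Added example: the configs and
stand-in key files are constructed, not the samples shipped with openvpn."""
import os
import tempfile

# Constructed server config; all files in one directory, as the guide suggests.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert myservername.crt
key myservername.key
dh dh.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
comp-lzo
"""
# Constructed client config with three deliberate mistakes; hostname is a placeholder.
CLIENT_CONF = """\
client
dev tun
proto tcp             ; mistake: the server speaks udp
remote vpnserver.example.com 1194
ca ca.crt
cert myclient1.crt
key myclient1.key
tls-auth ta.key 0     ; mistake: the client side must use direction 1
# mistake: comp-lzo omitted although the server has it
"""
PAIRED_DEFAULTS = {"proto": "udp", "port": "1194"}  # must agree; OpenVPN defaults
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth")  # first argument names a file


def parse_conf(text):
    """Map directive -> argument list; '#' and ';' start comments, last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def dev_type(conf):
    """'tun' or 'tap' from 'dev tun', 'dev tap0', ...; None when unset."""
    args = conf.get("dev")
    return args[0].rstrip("0123456789") if args else None


def check_pair(server_text, client_text, server_dir=".", client_dir="."):
    """Return a list of problems (empty = consistent); relative file names
    resolve against each side's directory, absolute paths pass through."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    problems = []
    if "client" not in cli:
        problems.append("client: 'client' keyword missing, client mode not enabled")
    # Routed mode is 'server' + tun; bridged mode is 'server-bridge' + tap.
    mode, want_dev = ("bridged", "tap") if "server-bridge" in srv else ("routed", "tun")
    for side, conf in (("server", srv), ("client", cli)):
        if dev_type(conf) != want_dev:
            problems.append(f"{side}: dev is {dev_type(conf)!r}, but {mode} mode needs 'dev {want_dev}'")
    for key, default in PAIRED_DEFAULTS.items():
        s, c = srv.get(key, [default])[0].lower(), cli.get(key, [default])[0].lower()
        if s != c:
            problems.append(f"{key}: server uses {s}, client uses {c}")
    if ("comp-lzo" in srv) != ("comp-lzo" in cli):
        problems.append("comp-lzo: configured on one side only")
    # tls-auth needs the same key file on both sides with opposite directions (0 / 1).
    s_ta, c_ta = srv.get("tls-auth"), cli.get("tls-auth")
    if (s_ta is None) != (c_ta is None):
        problems.append("tls-auth: configured on one side only")
    elif s_ta and c_ta and s_ta[1:] == c_ta[1:]:
        problems.append(f"tls-auth: both sides use key direction {' '.join(s_ta[1:]) or 'none'}; "
                        "use 0 on the server and 1 on the client")
    for side, conf, base in (("server", srv, server_dir), ("client", cli, client_dir)):
        for directive in FILE_DIRECTIVES:
            if conf.get(directive):
                path = os.path.join(base, conf[directive][0])
                if not os.path.isfile(path):
                    problems.append(f"{side}: {directive} file not found: {path}")
    return problems


def demo():
    """Create empty stand-in key files in a temp dir and check the constructed pair."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("ca.crt", "myservername.crt", "myservername.key", "dh.pem",
                     "ta.key", "myclient1.crt", "myclient1.key"):
            open(os.path.join(tmp, name), "w").close()
        return check_pair(SERVER_CONF, CLIENT_CONF, tmp, tmp)
```

On a machine that holds both files, call check_pair with the contents of /etc/openvpn/server.conf and the client's conf and pass each side's directory so the relative names resolve the way OpenVPN resolves them when the path is omitted; the demo reports the three deliberate mistakes in the constructed client config and nothing else.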

Advanced configuration

Advanced routed VPN configuration on server

The above is a very simple working VPN. The client can access services on the VPN server machine through an encrypted tunnel. If you want to reach more servers or anything in other networks, push some routes to the clients. E.g. if your company’s network can be summarized to the network 192.168.0.0/16, you could push this route to the clients. But you will also have to change the routing for the way back — your servers need to know a route to the VPN client-network.

The example config files that we have been using in this guide are full of all these advanced options in the form of a comment and a disabled configuration line as an example.

Please read the OpenVPN hardening security guide for further security advice.

Advanced bridged VPN configuration on server

OpenVPN can be setup for either a routed or a bridged VPN mode. Sometimes this is also referred to as OSI layer-2 versus layer-3 VPN. In a bridged VPN all layer-2 frames — e.g. all ethernet frames — are sent to the VPN partners and in a routed VPN only layer-3 packets are sent to VPN partners. In bridged mode all traffic including traffic which was traditionally LAN-local like local network broadcasts, DHCP requests, ARP requests etc. are sent to VPN partners whereas in routed mode this would be filtered.

Prepare interface config for bridging on server

First, use netplan to configure a bridge device using the desired ethernet device.

Static IP addressing is highly suggested. DHCP addressing can also work, but you will still have to encode a static address in the OpenVPN configuration file.

The next step on the server is to configure the ethernet device for promiscuous mode on boot. To do this, ensure the networkd-dispatcher package is installed and create the following configuration script.

Then add the following contents.

Prepare server config for bridging

Edit /etc/openvpn/server.conf to use tap rather than tun and set the server to use the server-bridge directive:

After configuring the server, restart openvpn by entering:

Prepare client config for bridging

The only difference on the client side for bridged mode to what was outlined above is that you need to edit /etc/openvpn/client.conf and set tap mode:

Finally, restart openvpn:


You should now be able to connect to the full remote LAN through the VPN.


How To Set up OpenVPN Server In 5 Minutes on Ubuntu Linux

NOTE: You need at least Ubuntu Linux 18.04 LTS or higher to complete this tutorial. Older Ubuntu versions such as 14.04/16.04 LTS are no longer supported.

Find your public IP address

Tutorial details
Difficulty level: Easy
Root privileges: Yes
Requirements: Ubuntu Linux
Est. reading time: 5 minutes

Use any one of the following commands to find out your IPv4 public address. If your interface name is eth0 or eth1, enter:
$ ip addr show eth0
OR
$ ip addr show eth1
Or use the host command or dig command as follows:
$ host myip.opendns.com resolver1.opendns.com
## get IPv4 ##
$ host myip.opendns.com resolver1.opendns.com
OR
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
## see IPv4 instead of default IPv6 ##
$ dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com

Fig.01: Find out your public IPv4 address using the CLI

Download openvpn-install.sh script to set up OpenVPN server in 5 minutes on Ubuntu

Type the following wget command or curl command:
$ wget https://git.io/vpn -O openvpn-install.sh
wget grabbing the script:

We can inspect the script with a text editor such as nano or vim before running it:
$ nano openvpn-install.sh

Running openvpn-install.sh to install OpenVPN server

Type the following command:
$ sudo chmod +x openvpn-install.sh
$ sudo bash openvpn-install.sh
Make sure you provide needed information:

Once you press any key such as [Enter] key, you will see:

Viewing the OpenVPN Server Firewall Rules on Ubuntu

That is all. Your OpenVPN server is configured and ready to use. You can see the added firewall rules in the /etc/systemd/system/openvpn-iptables.service file:
$ sudo systemctl cat openvpn-iptables.service
Sample rules. Please do not edit them:

You can view the OpenVPN server config file generated by the script as follows (again, do not edit this file by hand as it will break things for you):
$ sudo more /etc/openvpn/server/server.conf
Sample openvpn config:

How do I start/stop/restart the OpenVPN server on Ubuntu Linux 18.04/20.04 LTS and 20.10?

Run the following systemctl command to stop the OpenVPN service:
$ sudo systemctl stop openvpn-server@server.service
Want to start it again? Try:
$ sudo systemctl start openvpn-server@server.service
The command to restart the OpenVPN service:
$ sudo systemctl restart openvpn-server@server.service
View status of your OpenVPN systemd based service:
$ sudo systemctl status openvpn-server@server.service

OpenVPN client configuration

On the server you will find a client configuration file called /iphone.ovpn. Use the find command to locate the OpenVPN config file:
$ sudo find / -type f -name "iphone.ovpn"
$ sudo find / -type f -name "*.ovpn"
Now, all you have to do is copy this file to your local desktop using scp and provide it to your OpenVPN client to connect:
$ scp root@172.105.102.90:/iphone.ovpn .
Next, you need to download the OpenVPN client for your operating system or mobile device:

MacOS/OS X OpenVPN client configuration

Just double-click the iphone.ovpn file and it will open in your Tunnelblick client; click “Only me” to install it:

Fig.03: MacOS / OS X openvpn client configuration

Linux OpenVPN client configuration

First, install the openvpn client, enter:
$ sudo yum install openvpn
OR
$ sudo apt install openvpn
Next, copy iphone.ovpn as follows:
$ sudo cp iphone.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
$ sudo openvpn --client --config /etc/openvpn/client.conf
Your Linux system will automatically connect when the computer restarts, using the /etc/init.d/openvpn script:
$ sudo /etc/init.d/openvpn start
For a systemd based system, use the following command:
$ sudo systemctl start openvpn@client
Test the OpenVPN connectivity on the Linux desktop:
$ ping 10.8.0.1 # Ping the OpenVPN server gateway using the ping command
$ ip route # Make sure routing is set up, using the ip command
$ ip route get 10.8.0.1
# Make sure your public IP is set to the OpenVPN server
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

FreeBSD OpenVPN client configuration

First, install the openvpn client using the pkg command:
$ sudo pkg install openvpn
Next, copy iphone.ovpn as follows:
$ mkdir -p /usr/local/etc/openvpn/
$ sudo cp iphone.ovpn /usr/local/etc/openvpn/client.conf
Edit /etc/rc.conf and add the following:

Start the OpenVPN service:
$ sudo /usr/local/etc/rc.d/openvpn start
Verify it:
#Ping to OpenVPN server gateway from BSD
$ ping 10.8.0.1
#Make sure routing setup
$ netstat -nr
#Make sure your public IP set to OpenVPN server
$ drill myip.opendns.com @resolver1.opendns.com

How do I add a new client?

For demonstration purposes, let us add one more device called googlephone by running the script again:
$ sudo bash openvpn-install.sh

Select option 1 and type googlephone as a client name:

Now you can use googlephone.ovpn with a Google Android phone. You can add as many users as you want using this method.


How do I delete/revoke an existing user certificate?

Run the script:
$ sudo bash openvpn-install.sh
Here is how it looks:

Choose option 2 and you will see a list of all existing client certificates; pick the one you want to revoke:

Sample output when I revoked the googlephone certificate:

Conclusion

And there you have it: an OpenVPN server installed in five minutes to increase your privacy. Please see the OpenVPN project and the road warrior installer Linux script. Let us know if you have any problems or comments in the comments section below.


Comments on this entry are closed.

5 minutes? It takes more time for sure. Where are keys.

Doesn’t look like 5 minutes to me and in fact it’s much, much simpler. Here is my cheat sheet (in Russian) http://eax.me/openvpn/ – this way it actually takes 5 minutes, I’ve checked many times.

Can we see a CentOS 7 version of this tutorial?
Cheers.

And… how do you temporarily suspend a client?
There is no easy guide out there.
Thanks

Hey, what a great article you’ve written. I have long sought something like this; I have gathered many articles and information on the subject of OpenVPN for when it is time to implement exactly what you suggest in this article, which is just what I need, nothing more.

The option to download this blog’s articles in PDF format is superior and much needed; although I use Pocket to store many items, it is very comfortable to save them to disk as a nicely formatted PDF.

Can you make the option “Download to PDF” print the comments and related posts? your blog provides highly valuable information and deserves this option.

Thanks for the feedback. It required too much programming or changes to include the comments and related post in pdf file. I can’t promise anything but I will look into it when I’ve some free time.

Nice guide, how about adding users as this only shows the one user during setup

I will add it soon. Thanks for the feedback.

Please can you add a guide of how to add users/clients

I updated info about adding a new client and deleting existing one. HTH

First a brief note:
sudo openvpn-install.sh did not work for me.
I had to run bash openvpn-install.sh to make it work.

Hi, I’m trying to do this on a 2007 MacBook laptop running Lubuntu 14.04 LTS, connected to a WiFi network. Is this possible? I know you specify that it is for Ubuntu Server.

The script ran successfully, but the first step, where I had to enter the IP address, showed the local network address 192.168.0.25, and I changed it to the public IP address that this command showed me: dig +short myip.opendns.com @resolver1.opendns.com

When I try to connect another Asus Linux client running Lubuntu 14.04, I note that your public IP address remains unchanged at

Here is some of the output produced by my client:
Mon 4 July 2016 3:10:25 SIGUSR1 [soft, tls-error] received, process restarting
Mon 4 July 2016 3:10:25 Restart pause, 2 second (s)
Mon 4 July 2016 3:10:27 Socket Buffers: R = [212992-> 212992] S = [212992-> 212992]
3:10:27 Mon 4 July 2016 Local UDPv4 link: [undef]
Mon 4 July 2016 3:10:27 UDPv4 link remote: [AF_INET] 82.250.240.108:1194
3:11:27 Mon 4 July 2016 TLS Error: TLS key negotiation failed to Occur Within 60 seconds (check your network connectivity)
3:11:27 Mon 4 July 2016 TLS Error: TLS handshake failed
Mon 4 July 2016 3:11:27 SIGUSR1 [soft, tls-error] received, process restarting
Mon 4 July 2016 3:11:27 Restart pause, 2 second (s)
Mon 4 July 2016 3:11:29 Socket Buffers: R = [212992-> 212992] S = [212992-> 212992]
3:11:29 Mon 4 July 2016 Local UDPv4 link: [undef]
Mon 4 July 2016 3:11:29 UDPv4 link remote: [AF_INET] 82.250.240.108:1194
3:12:29 Mon 4 July 2016 TLS Error: TLS key negotiation failed to Occur Within 60 seconds (check your network connectivity)
3:12:29 Mon 4 July 2016 TLS Error: TLS handshake failed
Mon 4 July 2016 3:12:29 SIGUSR1 [soft, tls-error] received, process restarting
Mon 4 July 2016 3:12:29 Restart pause, 2 second (s)
Mon 4 July 2016 3:12:31 Socket Buffers: R = [212992-> 212992] S = [212992-> 212992]
3:12:31 Mon 4 July 2016 Local UDPv4 link: [undef]
Mon 4 July 2016 3:12:31 UDPv4 link remote: [AF_INET] 82.250.240.108:1194

My goal is to assemble an experimental home VPN, to route web traffic and connect via SSH as if it were a LAN, for backups or systems management work.
Thanks, greetings.

Sorry for the hasty and mistranslation, at the beginning I meant:
