Install Ubuntu 20.04 Server or Desktop
- Update all packages
- sudo apt update
- sudo apt upgrade -y
- sudo apt dist-upgrade -y
- sudo apt autoremove
- sudo shutdown -r now
- Install easy-rsa to set up the certificates (CA, server and client certs)
- sudo apt update
- sudo apt install easy-rsa -y
- Install OpenVPN
- sudo apt update
- sudo apt install openvpn
- (Optional) install the latest stable OpenVPN from the OpenVPN project repository instead of the Ubuntu 20.04 package (2.4.x)
- Ref: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | sudo apt-key add -
- echo "deb http://build.openvpn.net/debian/openvpn/stable focal main" | sudo tee /etc/apt/sources.list.d/openvpn-aptrepo.list
- apt-key is deprecated on 20.04 (apt prints a warning); the wiki page above also shows the newer variant that stores the key in a keyring file and references it with signed-by
- sudo apt update
- sudo apt install openvpn
- Config OpenVPN Server
- set up the certificates with easy-rsa for OpenVPN
- (you could do the same with plain openssl commands, easy-rsa just wraps them)
- Ref: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
- go to /etc/openvpn/ and run `sudo make-cadir easy-rsa`
- go into the easy-rsa dir; it is root-owned, so either switch to root (`sudo -i`) for the following steps or change the permissions of the dir (the PKI holds private keys, so keeping it root-only is the better option)
- edit the vars file, or leave the default values
- build the required files
- ./easyrsa init-pki
- ./easyrsa build-ca
- it will ask for a passphrase for the CA key; remember it, the sign-req steps below need it
- ./easyrsa gen-dh
- ./easyrsa gen-req openvpn-server nopass
- ./easyrsa sign-req server openvpn-server
- ./easyrsa gen-req client-user nopass
- ./easyrsa sign-req client client-user
- openvpn --genkey --secret tls-auth.key
- (OpenVPN 2.4 syntax, as shipped with 20.04; OpenVPN 2.5 and later spell it `openvpn --genkey secret tls-auth.key` and only warn about the old form; run it in /etc/openvpn/ so the key lands where server.conf expects it)
- now you have the files to configure the OpenVPN server and client under the /etc/openvpn/ dir
- easy-rsa/pki/ca.crt
- easy-rsa/pki/issued/openvpn-server.crt
- easy-rsa/pki/private/openvpn-server.key
- easy-rsa/pki/issued/client-user.crt
- easy-rsa/pki/private/client-user.key
- easy-rsa/pki/dh.pem
- tls-auth.key
- you can copy all of them to /etc/openvpn/ for less editing; keep the .key files root-only (mode 0600), and never copy easy-rsa/pki/private/ca.key anywhere the server process can read it: it is only needed to sign or revoke certificates, ideally from a separate offline machine
- set up the OpenVPN server config file
- Ref: https://openvpn.net/community-resources/how-to/
- back in /etc/openvpn/
- copy the example file for less editing :)
- cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ./
- gunzip server.conf.gz
- minimally modify server.conf; this section uses certificate (TLS) authentication only, if you also want user / password auth see the next part
- push "redirect-gateway def1 bypass-dhcp"
- uncomment it to route all client traffic through the VPN server
- push "dhcp-option DNS 8.8.8.8"
- ca ca.crt
- cert openvpn-server.crt
- key openvpn-server.key
- dh dh.pem
- tls-auth tls-auth.key 0
- duplicate-cn
- only needed if several clients connect with the same certificate (as with the single client-user cert here); one cert per user is preferable, since a shared cert cannot be revoked for one user without cutting off all of them
- log-append /var/log/openvpn/openvpn.log
- add the following for user / password auth (in addition to the certificate check above; OpenVPN runs the verify script for every connection and accepts the client only if it exits 0)
- Ref: https://openvpn.net/community-resources/how-to/#auth
- use a simple script (auth-user.sh is your own script, it is not shipped with OpenVPN)
- auth-user-pass-verify auth-user.sh via-env
- script-security 3
- username-as-common-name
- via-env passes the password to the script in the environment, which is why level 3 is required and why the manual calls it potentially unsafe; via-file with script-security 2 (username on line 1, password on line 2 of a temp file passed as the script's first argument) is the safer choice
- use pam
- the sample script is at /usr/share/doc/openvpn/examples/sample-scripts/auth-pam.pl (it needs the libauthen-pam-perl package)
- sudo cp /usr/share/doc/openvpn/examples/sample-scripts/auth-pam.pl /etc/openvpn/
- sudo chmod 755 /etc/openvpn/auth-pam.pl
- script-security 2
- username-as-common-name
- auth-user-pass-verify auth-pam.pl via-file
- PAM checks against /etc/shadow only work as root, so do not uncomment `user nobody` / `group nogroup` in server.conf with this setup; the openvpn-plugin-auth-pam.so plugin that ships with the openvpn package is the alternative that keeps working with dropped privileges
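The page leaves the `auth-user.sh` behind `auth-user-pass-verify` unspecified. Below is an added example of such a hook, not code from the original page or from the OpenVPN project: it handles both `via-file` and `via-env`, rejects usernames that would be unsafe as a common name or file name, and checks the password against sha512-crypt hashes produced by `openssl passwd -6`. The credential file path `/etc/openvpn/auth-users.txt`, its `user:hash` format and the `openvpn-auth` syslog tag are assumptions made for this example.

```shell
#!/bin/sh
# auth-user.sh: auth-user-pass-verify hook for OpenVPN (added example, not from the page).
# server.conf:  auth-user-pass-verify /etc/openvpn/auth-user.sh via-file
#               script-security 2
# via-file: OpenVPN passes a temp file as $1 with the username on line 1 and the
#           password on line 2.
# via-env:  OpenVPN exports $username and $password instead (needs script-security 3;
#           the password is then visible in /proc/<pid>/environ to the same uid).
# Exit 0 accepts the client, any other status rejects it.

# Credential store (path is an assumption): one "user:$6$salt$hash" per line, root-only,
# in the default openssl passwd -6 format (no rounds= field). Add a user with:
#   printf '%s:%s\n' alice "$(openssl passwd -6)" >> /etc/openvpn/auth-users.txt
CRED_FILE="${CRED_FILE:-/etc/openvpn/auth-users.txt}"

log() { if command -v logger >/dev/null 2>&1; then logger -t openvpn-auth -- "$*"; fi; }

# With username-as-common-name the username becomes the client's identity in logs,
# status files and client-config-dir lookups, so allow only a conservative charset.
valid_username() {
    [ -n "$1" ] && [ "${#1}" -le 64 ] || return 1
    case "$1" in
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# Print the stored hash for a user, or nothing if the user is unknown.
# awk compares the field exactly, so a username cannot act as a regex.
stored_hash() {
    [ -r "$CRED_FILE" ] || return 1
    awk -F: -v u="$1" '$1 == u { print $2; exit }' "$CRED_FILE"
}

# Recompute sha512-crypt with the stored salt and compare it with the stored hash.
check_password() {  # check_password USER PASSWORD
    hash=$(stored_hash "$1") || return 1
    [ -n "$hash" ] || return 1
    salt=$(printf '%s' "$hash" | cut -d'$' -f3)
    # The password goes in on stdin, never on the command line (ps would show it).
    computed=$(printf '%s\n' "$2" | openssl passwd -6 -salt "$salt" -stdin) || return 1
    [ "$computed" = "$hash" ]
}

# Read the two-line file OpenVPN hands over in via-file mode.
read_via_file() {  # sets USER_NAME and USER_PASS
    [ -r "$1" ] || return 1
    # IFS= and -r keep whitespace and backslashes in the password intact.
    { IFS= read -r USER_NAME && IFS= read -r USER_PASS; } < "$1"
}

main() {
    if [ -n "${1-}" ]; then
        read_via_file "$1" || return 1
    else
        USER_NAME=${username-}
        USER_PASS=${password-}
    fi
    valid_username "$USER_NAME" || return 1
    check_password "$USER_NAME" "$USER_PASS"
}

# Run only when invoked by OpenVPN (file argument or $username present), so the
# functions above can also be sourced and tested on their own.
if [ -n "${1-}" ] || [ -n "${username-}" ]; then
    if main "$@"; then
        exit 0
    fi
    log "rejected user=${USER_NAME-} from ${untrusted_ip-unknown}"
    exit 1
fi
```

Install it root-owned and executable next to server.conf (`chmod 700 /etc/openvpn/auth-user.sh`); a failed lookup, a malformed username and a wrong password all end in the same exit 1, so the client learns nothing about which one it was, while the syslog line keeps the username and source IP for detection.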
- now OpenVPN Server configuration completed!
- go to /etc/openvpn/
- copy example files for less editing :)
- cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ./
- minimally modify client.conf
- since we want a single config file, remove the file-based directives
- ca ca.crt
- cert client.crt
- key client.key
- tls-auth ta.key 1
- keep `remote-cert-tls server` (it is in the sample); it stops another client's certificate from being used to impersonate the server
- add or modify
- remote your-ip/your-fqdn 1194
- then append the inline blocks (the tags are part of the config syntax; for the .crt files paste only the part between BEGIN and END, easy-rsa writes a text dump of the certificate above it)
<ca>
-----BEGIN CERTIFICATE-----
put your ca.crt content here
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
put your client-user.crt content here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
put your client-user.key content here
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
put your tls-auth.key content here
-----END OpenVPN Static key V1-----
</tls-auth>
- key-direction 1
- (direction 1 on the client pairs with `tls-auth tls-auth.key 0` on the server)
- the resulting file contains the client's private key: hand it over through a secure channel and keep it mode 0600
- Add for user / password auth
- auth-user-pass
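Assembling the single-file profile by hand is error-prone (the easy-rsa text dump above the PEM, a forgotten `key-direction`, a world-readable file with a private key in it). The following script is an added example of how to generate it from the sample client.conf and the easy-rsa output; it is not code from the original page or from the OpenVPN project. The easy-rsa file names and the /etc/openvpn locations match the page; the function names, the `WITH_USER_PASS` switch and the output path are assumptions made for this example.

```shell
#!/bin/sh
# make-client-ovpn.sh: build one self-contained client profile with inline <ca>, <cert>,
# <key> and <tls-auth> blocks (added example, not from the original page).
# Usage: make-client-ovpn.sh TEMPLATE HOST OUTFILE [PORT]
#   e.g. sudo ./make-client-ovpn.sh /etc/openvpn/client.conf vpn.example.com client-user.ovpn
# Env overrides (defaults follow the file names used on this page):
#   PKI=/etc/openvpn/easy-rsa/pki  CA  CERT  KEY  TA  WITH_USER_PASS=1

# Print only the PEM body of a file. easy-rsa writes a text dump of the certificate
# above the PEM in pki/issued/*.crt; OpenVPN tolerates it inside <cert>, but it
# bloats the profile and leaks CA details, so keep just the BEGIN..END block.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Wrap a PEM file in an OpenVPN inline block: <tag> ... </tag>.
inline_block() {  # inline_block TAG FILE
    printf '<%s>\n' "$1"
    pem_body "$2"
    printf '</%s>\n' "$1"
}

build_ovpn() {  # build_ovpn TEMPLATE HOST OUTFILE [PORT]
    template=$1 host=$2 out=$3 port=${4:-1194}
    pki=${PKI:-/etc/openvpn/easy-rsa/pki}
    ca=${CA:-$pki/ca.crt}
    cert=${CERT:-$pki/issued/client-user.crt}
    key=${KEY:-$pki/private/client-user.key}
    ta=${TA:-/etc/openvpn/tls-auth.key}
    [ -n "$host" ] && [ -n "$out" ] || { echo "usage: build_ovpn TEMPLATE HOST OUTFILE [PORT]" >&2; return 1; }
    for f in "$template" "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    umask 077   # the profile embeds a private key, so create it 0600
    {
        # Drop the file-based directives and the sample's remote line; everything else
        # in the template (client, dev tun, remote-cert-tls server, ...) is kept.
        sed -E '/^[[:space:]]*(ca|cert|key|tls-auth|remote|key-direction|auth-user-pass)([[:space:]]|$)/d' "$template"
        printf 'remote %s %s\n' "$host" "$port"
        # Direction 1 here pairs with "tls-auth tls-auth.key 0" in server.conf.
        printf 'key-direction 1\n'
        [ -z "${WITH_USER_PASS-}" ] || printf 'auth-user-pass\n'
        inline_block ca "$ca"
        inline_block cert "$cert"
        inline_block key "$key"
        inline_block tls-auth "$ta"
    } > "$out"
}

# Run when called with arguments; when sourced without any, only the functions are defined.
if [ -n "${3-}" ]; then
    build_ovpn "$@"
fi
```

Run it as root (the easy-rsa private key is root-only) and set `WITH_USER_PASS=1` when the server uses `auth-user-pass-verify`; the commented `;remote` lines of the sample are left in place, only active `remote` lines are replaced.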
- enable the OpenVPN 'server.conf' instance to start at boot
- sudo systemctl enable openvpn@server
- start the OpenVPN 'server.conf' instance
- sudo systemctl start openvpn@server
- check it with `sudo systemctl status openvpn@server` and the log in /var/log/openvpn/openvpn.log
- enable IP forwarding for NAT
- add the file /etc/sysctl.d/30-openvpn.conf with
- net.ipv4.ip_forward = 1
- reload sysctl
- sudo sysctl -p /etc/sysctl.d/30-openvpn.conf
- set up iptables for NAT (replace ens5 with your uplink interface, see `ip route show default`; 10.8.0.0/24 is the VPN subnet from the sample server.conf)
- sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -o ens5 -j MASQUERADE
- if ufw is enabled, it also has to allow UDP 1194 in and the forwarded traffic from the tunnel
- save the iptables rules for boot (the package install asks whether to save the current rules; the second command re-saves them after later changes, and needs tee because the redirect runs without sudo)
- sudo apt-get install iptables-persistent -y
- sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
- connect a client and open https://ipinfo.io in the browser to check that the public IP is now the VPN server's