Here’s a comprehensive guide for installing and configuring OpenVPN on a Linux server to secure remote access. OpenVPN is widely used for setting up secure VPN connections, and it’s flexible enough for various configurations and network requirements.
Step 1: Update Your System
Before installing OpenVPN, start by updating your package repositories.
sudo apt update && sudo apt upgrade -y # For Ubuntu/Debian-based systems
sudo dnf update -y # For CentOS/RHEL-based systems
Step 2: Install OpenVPN and Easy-RSA
OpenVPN provides the VPN daemon itself; Easy-RSA is the PKI tool you use to create a certificate authority and to issue and manage the server and client certificates that the two ends of every connection authenticate with.
For Ubuntu/Debian-based systems:
sudo apt install -y openvpn easy-rsa
For CentOS/RHEL-based systems:
sudo dnf install -y epel-release
sudo dnf install -y openvpn easy-rsa
Step 3: Set Up the CA Directory
To establish the VPN you need a Certificate Authority (CA) that issues TLS certificates to the server and to each client. The certificates authenticate the peers; the session keys that actually encrypt traffic are negotiated during the TLS handshake. The commands below assume Easy-RSA 3, which is what current Debian, Ubuntu and EPEL packages ship.
1. Create the Easy-RSA working directory (make-cadir is provided by the Debian/Ubuntu easy-rsa package; on CentOS/RHEL copy /usr/share/easy-rsa/3 to ~/openvpn-ca instead):
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
2. Edit the vars file: The vars file defines the defaults used when generating certificate requests. make-cadir creates it from vars.example; if it is missing, copy vars.example to vars first. Open it in a text editor:
vi vars
Uncomment and update the following values according to your organization or location (in vars.example they are commented out with a leading #):
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "YourOrganization"
set_var EASYRSA_REQ_EMAIL "email@example.com"
set_var EASYRSA_REQ_OU "IT"
Easy-RSA 3 reads vars automatically from the working directory, so do not source it: the file refuses to be sourced, and the Easy-RSA 2 commands such as ./clean-all no longer exist. If this is a reconfiguration, the ./easyrsa init-pki command in the next step deletes the existing pki directory, including the CA key and every certificate issued so far, so back it up first if you still need it.
Step 4: Build the CA and Server Certificates
1. Build the CA:
./easyrsa init-pki
./easyrsa build-ca
Follow the prompts: choose a strong passphrase for the CA key (it is asked for every time you sign a certificate) and a Common Name for the CA. The CA private key, pki/private/ca.key, is the root of trust for the whole VPN; anyone holding it can issue client certificates your server accepts, so keep it off the VPN server if you can and never copy it to /etc/openvpn.
2. Create the server certificate and key:
./easyrsa build-server-full server nopass
nopass leaves the server key unencrypted so the daemon can start unattended; it has to be protected by file permissions instead (see Step 5).
3. Generate the Diffie-Hellman parameters used for the DH key exchange (this can take several minutes):
./easyrsa gen-dh
4. Generate a shared key for the tls-auth HMAC:
openvpn --genkey secret ta.key
Every control-channel packet is then HMAC-signed with this key, and the server silently drops packets that fail the check before doing any TLS work, which blunts DoS attempts and makes the port look closed to scanners that do not hold the key. OpenVPN versions before 2.5 only understand the older spelling openvpn --genkey --secret ta.key; 2.5 and later still accept it with a deprecation warning.
Step 5: Configure the OpenVPN Server
Now, configure OpenVPN to use the generated certificates and keys.
1. Copy the certificates and keys to the OpenVPN directory and restrict the private material (leave pki/private/ca.key where it is):
sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn
sudo chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key
2. Edit the OpenVPN server configuration: Start by creating a new configuration file from the sample provided. On Debian/Ubuntu the sample is gzipped, so copy it through gunzip:
sudo sh -c 'gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf'
On CentOS/RHEL it is a plain file at /usr/share/doc/openvpn/sample/sample-config-files/server.conf and can simply be copied with cp. Then open it:
sudo nano /etc/openvpn/server.conf
3. Update the server configuration file:
- Set the ca, cert, key, and dh options to point to the correct certificate and key files:
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
- Add the tls-auth directive to enable the HMAC check on the control channel (0 is the server's key direction; clients use 1):
tls-auth /etc/openvpn/ta.key 0
If both the server and all clients run OpenVPN 2.4 or newer, tls-crypt /etc/openvpn/ta.key is the stronger choice: it uses the same key file but also encrypts the control channel, and takes no direction value.
- Enable server mode:
server 10.8.0.0 255.255.255.0
- Uncomment
push "redirect-gateway def1 bypass-dhcp"
to route all client traffic through the VPN.
- Uncomment or set the DNS server to push to clients, e.g., Google's DNS:
push "dhcp-option DNS 8.8.8.8"
Clients will send their DNS queries to whatever resolver you push here, so use your own if that matters to you.
- Make sure the user nobody and group nogroup lines are uncommented so the daemon drops root privileges after start-up (on CentOS/RHEL the group is nobody). The sample's cipher AES-256-CBC line is only a fallback: OpenVPN 2.4 and later negotiate an AEAD cipher such as AES-256-GCM between peers that support it.
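Putting the Step 5 settings together, here is an added example (my own script, not part of the original article or of the OpenVPN project) that writes a complete server.conf to stdout and checks it for the settings that matter most. It assumes the key files were copied to /etc/openvpn as above, the 10.8.0.0/24 subnet, Debian's nogroup group, and OpenVPN 2.5 or later for the data-ciphers options; the key directory and the pushed DNS resolver are parameters.

```shell
#!/bin/sh
# Added example: generate and sanity-check an OpenVPN server.conf.
# Not from the original article. Assumes the Step 5 layout
# (/etc/openvpn/{ca.crt,server.crt,server.key,dh.pem,ta.key}),
# the 10.8.0.0/24 VPN subnet, OpenVPN 2.5+ (data-ciphers) and
# Debian's "nogroup" group (use "group nobody" on CentOS/RHEL).
set -eu

# Print a server configuration to stdout.
#   $1 = directory holding the certificates and keys (default /etc/openvpn)
#   $2 = DNS resolver to push to clients (default 8.8.8.8)
write_server_conf() {
    keydir=${1:-/etc/openvpn}
    dns=${2:-8.8.8.8}
    cat <<EOF
port 1194
proto udp
dev tun
ca $keydir/ca.crt
cert $keydir/server.crt
key $keydir/server.key
dh $keydir/dh.pem
# Control-channel HMAC; clients use "tls-auth ta.key 1". With 2.4+ peers,
# "tls-crypt $keydir/ta.key" (same file, no direction) also encrypts it.
tls-auth $keydir/ta.key 0
tls-version-min 1.2
# AEAD data ciphers are negotiated; CBC remains only as a fallback.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS $dns"
keepalive 10 120
# Drop root after start-up; persist-* keep the tunnel usable afterwards.
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
EOF
}

# Check a server.conf for the settings that matter most.
# Returns 0 when all are present; prints each missing item otherwise.
check_server_conf() {
    f=$1
    rc=0
    grep -Eq '^tls-(auth|crypt) ' "$f" || { echo "missing tls-auth/tls-crypt"; rc=1; }
    grep -Eq '^data-ciphers .*GCM' "$f" || { echo "missing AEAD data-ciphers"; rc=1; }
    grep -q '^tls-version-min 1.2' "$f" || { echo "missing tls-version-min 1.2"; rc=1; }
    grep -q '^user nobody' "$f"         || { echo "daemon keeps root privileges"; rc=1; }
    return $rc
}
```

Source the file, then run write_server_conf /etc/openvpn 8.8.8.8 | sudo tee /etc/openvpn/server.conf and check_server_conf /etc/openvpn/server.conf; the checker is also useful on a hand-edited copy of the sample, where it flags the missing AEAD cipher list and TLS floor.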
Step 6: Adjust Firewall and Enable IP Forwarding
1. Enable IP forwarding so the server can route packets between the tunnel and its network interface:
sudo sysctl -w net.ipv4.ip_forward=1
To make this change permanent, edit /etc/sysctl.conf (or a file in /etc/sysctl.d/) and uncomment or add:
net.ipv4.ip_forward=1
2. Configure firewall rules:
- Masquerade VPN traffic leaving the server. Replace eth0 with the name of your actual egress interface, the one carrying the server's default route (ip route shows it); on modern systems it is usually something like ens3 or enp0s3, and a rule for a non-existent interface silently matches nothing:
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
- Open the UDP port (default 1194) for OpenVPN:
sudo ufw allow 1194/udp
If ufw is enabled, be aware that it reloads its own rule set at boot and that its default forward policy is DROP: forwarded VPN traffic is blocked unless you set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw (or add an ufw route allow rule for tun0), and the MASQUERADE rule belongs in the *nat section of /etc/ufw/before.rules rather than in a file saved by iptables-save. CentOS/RHEL use firewalld instead of ufw; the equivalent there is:
sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload
3. Save the firewall rules (on Debian/Ubuntu this needs the iptables-persistent package, and the redirect must itself run as root, which sudo in front of iptables-save alone does not achieve):
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
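Two of the mistakes discussed in this step (hard-coding eth0, and forgetting that forwarding also has to be permitted in the FORWARD chain when its policy is DROP) are easy to catch with a small script. The following is an added example, my own rather than code from the article or the OpenVPN project: it derives the NAT and forward rules from the interface that actually carries the default route and verifies that forwarding is switched on. The functions take their input as arguments so they can be checked without root; the printed iptables commands are what you would then run with sudo (or transcribe into /etc/ufw/before.rules). It assumes the tunnel interface is tun0, the 10.8.0.0/24 subnet from Step 5, and a kernel with the conntrack match, which every current distribution has.

```shell
#!/bin/sh
# Added example (not from the original article): build the NAT/forward
# rules from the real egress interface instead of a hard-coded eth0,
# and check that IP forwarding is enabled. Assumes tun0 as the tunnel
# interface; nothing here modifies the system, it only prints commands.
set -eu

# Interface name from one line of "ip -o route get <addr>" output, e.g.
# "1.1.1.1 via 10.0.0.1 dev ens3 src 10.0.0.5 uid 0" -> ens3
iface_from_route() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Live wrapper: the interface the server's default route uses.
egress_iface() {
    iface_from_route "$(ip -o route get 1.1.1.1)"
}

# Print the iptables commands for a VPN subnet ($1) leaving via interface ($2).
# The two FORWARD rules are required whenever the chain's policy is DROP
# (the default with ufw enabled); MASQUERADE alone does not permit forwarding.
nat_rules() {
    subnet=$1
    dev=$2
    cat <<EOF
iptables -t nat -A POSTROUTING -s $subnet -o $dev -j MASQUERADE
iptables -A FORWARD -i tun0 -o $dev -s $subnet -j ACCEPT
iptables -A FORWARD -i $dev -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Succeeds when ip_forward reads 1. $1 overrides the /proc file (for tests).
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}
```

On a live server, forwarding_enabled || echo "enable net.ipv4.ip_forward first" followed by nat_rules 10.8.0.0/24 "$(egress_iface)" prints exactly the rules to apply; if the detected interface is not eth0, the rule from the original step would never have matched any packet.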
Step 7: Start and Enable the OpenVPN Service
The openvpn@server unit reads /etc/openvpn/server.conf. Newer packages (CentOS/RHEL with EPEL, and current Debian/Ubuntu as an alternative) ship openvpn-server@server instead, which expects the file at /etc/openvpn/server/server.conf; use whichever unit your package provides and place the configuration accordingly.
1. Start OpenVPN:
sudo systemctl start openvpn@server
2. Enable OpenVPN to start on boot:
sudo systemctl enable openvpn@server
3. Check the status to ensure the VPN is running:
sudo systemctl status openvpn@server
A running server has a tun0 interface with the address 10.8.0.1. If the unit failed, the reason (usually a wrong path in server.conf, a key file the daemon cannot read, or a missing group name) is in the unit's journal.
Step 8: Generate Client Configurations
Each client gets its own certificate so that it can be revoked individually; never share one client certificate between devices.
1. Generate a client certificate (run from ~/openvpn-ca; this asks for the CA passphrase):
./easyrsa build-client-full client1 nopass
nopass produces an unencrypted client key. For laptops and phones, leave it out so the key is protected by a passphrase that the client software prompts for on connect.
2. Create a client configuration file: Use the sample configuration as a base (sudo is not needed here and would leave the file owned by root in your home directory).
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client1.ovpn
3. Edit the client configuration file:
- Set the correct server IP address or hostname:
remote your_server_ip 1194
- Specify the client certificates. These paths are relative, so the files must be placed next to the profile on the client:
ca ca.crt
cert client1.crt
key client1.key
- Add the tls-auth key and cipher settings to match the server (direction 1 is the client side of the server's tls-auth ... 0):
tls-auth ta.key 1
cipher AES-256-CBC
- Keep the sample's remote-cert-tls server line: it makes the client check that the server certificate carries the server extended key usage, so a stolen client certificate cannot be used to impersonate the server.
4. Gather the certificates, keys and profile into one directory for this client. cp with several sources needs a directory as its target, so create one first:
mkdir ~/client1
cp pki/ca.crt pki/issued/client1.crt pki/private/client1.key ta.key ~/client1.ovpn ~/client1/
Alternatively, paste the contents of the four files into the .ovpn inside <ca>, <cert>, <key> and <tls-auth> blocks, add key-direction 1, and drop the ca/cert/key/tls-auth lines, so that a single file holds the whole profile.
5. Transfer the directory (or the single inlined .ovpn file) to the client device securely (e.g., via SCP). client1.key is that client's credential: anyone who obtains it can connect as client1 until you revoke the certificate with ./easyrsa revoke client1, regenerate the revocation list with ./easyrsa gen-crl, and point the server at pki/crl.pem with a crl-verify directive.
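The inline form from item 4, done as an added example (my own script, not the article's or the OpenVPN project's code): it assembles a single-file client profile from the Easy-RSA layout used in Steps 3, 4 and 8. It assumes that layout (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key and ta.key under the directory passed as the first argument), a server configured with tls-auth ... 0 as in Step 5, and OpenVPN 2.5 or later on both ends for the data-ciphers line. The server hostname, port and client name are parameters.

```shell
#!/bin/sh
# Added example (not from the original article): write a single-file
# client profile with the CA cert, client cert, client key and tls-auth
# key inlined. Assumes the Easy-RSA 3 layout from Steps 3-4 under $1,
# a server using "tls-auth ta.key 0", and OpenVPN 2.5+ on both ends.
set -eu

# Usage: make_ovpn CA_DIR CLIENT_NAME SERVER_HOST [PORT] > CLIENT_NAME.ovpn
# Fails (exit 1) before printing anything if a required file is missing,
# so a half-built profile is never written.
make_ovpn() {
    ca_dir=$1
    name=$2
    host=$3
    port=${4:-1194}
    for f in "$ca_dir/pki/ca.crt" "$ca_dir/pki/issued/$name.crt" \
             "$ca_dir/pki/private/$name.key" "$ca_dir/ta.key"; do
        [ -r "$f" ] || { echo "make_ovpn: missing or unreadable $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse servers whose certificate was not issued with the server EKU,
# so a leaked client certificate cannot impersonate the server.
remote-cert-tls server
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth SHA256
# Client side of the server's "tls-auth ta.key 0".
key-direction 1
verb 3
<ca>
$(cat "$ca_dir/pki/ca.crt")
</ca>
<cert>
$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$ca_dir/pki/issued/$name.crt")
</cert>
<key>
$(cat "$ca_dir/pki/private/$name.key")
</key>
<tls-auth>
$(cat "$ca_dir/ta.key")
</tls-auth>
EOF
}
```

Easy-RSA prefixes each issued certificate with a human-readable dump, which is why the <cert> block is cut down to the PEM section with sed. If the server uses tls-crypt instead, put the key in a <tls-crypt> block and remove the key-direction line. The resulting file still contains the client's private key, so move it with scp and delete the server-side copy once the client has it.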
Step 9: Connect the Client to the VPN
To connect, import the .ovpn file into the OpenVPN client software on the device (with ca.crt, client1.crt, client1.key and ta.key alongside it unless they were inlined) and start the VPN. Then confirm that traffic is really going through the tunnel: with redirect-gateway pushed, the client's public IP address as seen by external sites should now be the server's, and DNS queries should go to the pushed resolver rather than the local network's.
Author's Final Word
This configuration sets up a secure OpenVPN server on Linux with traffic routing and client configuration included. The VPN is now ready for secure connections from your client devices!