How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

blog.ssdnodes.com

How to install OpenVPN on Ubuntu

16.04 | Serverwise
Written by Joel Hans
12-15 minutes

In March 2017, the U.S. government made significant changes to

rules that dictate how ISPs can package and sell data about their
customers. In the weeks since, we saw a massive new interest in
virtual private networks (VPNs). While a number of paid VPN
solutions exist—think of them like shared hosting—the tech media
has been directing users toward setting up their own VPNs rather
than relying on the security of another company. Of course, we
think that’s a great option. In this tutorial, we’ll walk you through the
steps to install OpenVPN on Ubuntu 16.04 virtual private server
(VPS).

Prerequisites

A VPS running Ubuntu 16.04

A regular (non-root) account with sudo privileges. See our SSH

keys tutorial for more information.

Hi there! This is a blog post from the people behind SSD

Nodes.

1 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

We’re the first honest-value VPS provider. Instead of inflating costs,

our engineers developed a lean infrastructure that lets us offer up to
10x more RAM per dollar than the competition.

Ready to learn more about what you get from an honest VPS
provider? Here’s a hint: Our 24GB RAM + KVM VPS is only
$9.99/mo.

Learn more about us

Step 1: Install OpenVPN

Let’s start by updating our apt cache and installing both openvpn
and easy-rsa, which we’ll use to set up certificates.

$ sudo apt-get update

$ sudo apt-get install openvpn easy-rsa

Step 2: Set up the Certificate Authority

The OpenVPN server uses certificates to encrypt traffic between

the server and various clients. Thus, we need to set up a certificate
authority (CA) on the VPS to create and manage these certificates.

We can utilize the easy-rsa template by copying it to a new

directory, and then entering that directory to move into the
configuration.

$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca

We need to edit some of the variables that help decide how to

create the certificates. Use nano—or another favorite editor—to
open the file. We’ll be editing some variables toward the end of the
file.

2 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

$ nano vars

Look for the section below—the easy-rsa template provides some

default fields for these variables, but you should change them
according to your needs. Make sure you also change the
KEY_NAME variable as well. It’s not so important what you change
these to, rather that you don’t leave them in the default state, or
blank.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL= class="hljs-
string">"me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

export KEY_NAME="EasyRSA"

After some tweaks:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Tustin"
export KEY_ORG="SSD Nodes"

3 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

export KEY_EMAIL= class="hljs-

string">"joel@example.com"
export KEY_OU="Marketing"

export KEY_NAME="vpnserver"

Now, source the vars file you just edited. If there aren’t any errors,
you’ll see the following output.

$ source vars
NOTE: If you run ./clean-all, I will be doing a rm
-rf on /home/user/openvpn-ca/keys

Now we can clean up the environment and then build up our CA.

$ ./clean-all
$ ./build-ca

A new RSA key will be created, and you’ll be asked to confirm the
details you entered into the vars file earlier. Just hit Enter to
confirm.

Step 3: Create the server public/private keys

Next up, you need to create the server certificate and key pair.
When you run the below command you can change [server] to
the name of your choice. Later, you’ll need to reference this name.
For the sake of this tutorial, we’re choosing with vpnserver.

Note: When prompted, do not enter a password.

Finally, you’ll be asked two questions about signing the certificate

and committing it. Hit y and then Enter for both, and you’ll be
done.

4 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

$ ./build-key-server [server]

Next, you need to build Diffie-Hellman keys.

$ ./build-dh

Finally, you need to generate an HMAC signature to strengthen the

certificate.

$ openvpn --genkey --secret keys/ta.key

Step 4: Create the client public/private keys

This process will create a single client key and certificate. If you
have multiple users, you’ll want to create multiple pairs.

When running the below command, hit Enter to confirm the

variables we set and then leave the password field blank.

$ source vars
$ ./build-key client1

If you want to create password-protected credentials, use build-

key-pass instead:

$ source vars
$ ./build-key-pass client1

Step 5: Configure the OpenVPN server

First, you need to copy the keyfiles we created in ~/openvpn-ca

into the /etc/openvpn directory. Note: change the
vpnserver.crt and vpnserver.key files according to the
[server] name you chose earlier.

$ cd ~/openvpn-ca/keys
$ sudo cp ca.crt ca.key vpnserver.crt

5 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

vpnserver.key ta.key dh2048.pem /etc/openvpn

Now, extract a sample OpenVPN configuration to the default

location.

$ gunzip -c /usr/share/doc/openvpn/examples
/sample-config-files/server.conf.gz | sudo tee
/etc/openvpn/server.conf

We now need to make some edits to the configuration file.

$ sudo nano /etc/openvpn/server.conf

First, let’s ensure that OpenVPN is looking for the right .crt and
.key files.

Before:

ca ca.crt
cert server.crt
key server.key # This file should be kept secret

After (change according to the [server] name you chose

earlier):

ca ca.crt
cert vpnserver.crt
key vpnserver.key # This file should be kept
secret

Next, enforce identical HMAC between clients and the server.

Before:

;tls-auth ta.key 0

After:

tls-auth ta.key 0

6 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

key-direction 0

Because we are going to use this VPN to route our traffic to the
internet, we need to uncomment a few lines to help us
establish DNS. You should also remove bypass-dhcp from the
first line in question.

If you would prefer to use a DNS other than opendns, you should
change the two lines that begin with push "dhcp-option.

Before:

# If enabled, this directive will configure

# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings

# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

After:

# If enabled, this directive will configure

7 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

# all clients to redirect their default

# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1"

# Certain Windows-specific network settings

# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Then we need to select the ciphers to use. Uncomment the AES

cipher and change it to 256, and then add auth SHA512 at the
bottom of the block.

Before:

;cipher BF-CBC
;cipher AES-128-CBC
;cipher DES-EDE3-CBC

After:

8 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

;cipher BF-CBC
cipher AES-256-CBC
;cipher DES-EDE3-CBC
auth SHA512

Finally, let’s have OpenVPN use a non-privileged user account

instead of root, which isn’t particularly secure.

user openvpn
group nogroup

You can now save and close this file in order to create that user:

$ sudo adduser --system --shell /usr/sbin/nologin

--no-create-home openvpn

The OpenVPN server should now be set up!

Step 6: Start up the OpenVPN server

Before we configure our clients, let’s make sure the OpenVPN

server is running as we hope it will.

Make sure to turn on TUN/TAP in the SSD Nodes dashboard.

$ sudo systemctl enable openvpn@server

$ sudo systemctl start openvpn@server

You can double-check that OpenVPN is running with the

systemctl status command:

$ sudo systemctl status openvpn@server

If you’re having problems getting OpenVPN to start, commenting

9 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

out the LimitNPROC in /lib/systemd/system

/openvpn@.service, as discovered in this Ask Ubuntu thread
may be useful. You’ll then need to run sudo systemctl
daemon-reload and then sudo systemctl start
openvpn@server.

You will also need to set up iptables to properly direct traffic.

First, look for the default interface.

$ sudo ip route | grep default

default dev venet0 scope link

The venet0 field is what we’re looking for. And then we set up
iptables. In order to ensure this rule is persistent between
reboots, isntall the iptables-persistent package, which will
prompt you to save existing rules. Choose Yes and your rules will
be persisted movign forward.

$ sudo iptables -t nat -A POSTROUTING -s

10.8.0.0/24 -o venet0 -j MASQUERADE
$ sudo apt-get install iptables-persistent

Step 7: Configure clients

Lastly, you need to create client configurations. You can store these
in any folder you’d like—they don’t need to be kept secret—as long
as it isn’t the /etc/openvpn folder. We’ll create a directory in
home for this purpose.

$ cd ~
$ mkdir openvpn-clients
cd openvpn-clients

Now, copy the sample client configuration into this new directory,

10 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

and then open it in nano for editing.

$ cp /usr/share/doc/openvpn/examples/sample-
config-files/client.conf ~/openvpn-clients
/base.conf
$ nano base.conf

Look for the following block of lines. You’ll need to change the my-
server-1 to the public IP address of this VPS. You can find this
information in the SSD Nodes dashboard, or by typing in the
ifconfig command and looking for the inet field that does not
look like 127.0.0.x.

remote my-server-1 1194

;remote my-server-2 1194

Next, uncomment the following two lines by removing the

semicolon.

Before:

After:

# Downgrade privileges after initialization (non-

Windows only)
user nobody
group nogroup

Because we’ll be adding keys and certificates directly into the

11 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

.ovpn file, let’s comment out the following lines by adding

semicolons to the beginning.

Before:

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

After:

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key

Finally, jump to the bottom of the file and add the following lines.
The first two mirror the cipher/auth options we added to the
server.conf file earlier, and the third establishes that this files
will be used to connect to the server, not the other way around.

We’re also adding three commented-out files that should be

uncommented for Linux-based systems that use update-resolv-

12 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

conf.

# Added lines via SSD Nodes tutorial

cipher AES-256-CBC
auth SHA512
key-direction 1

# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf

Finally, you need to embed the keys and certificates into an .ovpn
file using base.conf as a framework. Copy this entire command
and execute it to embed the keys and create a final
client1.ovpn file.

$ cat base.conf
<(echo -e '<ca>') ~/openvpn-ca/keys/ca.crt
<(echo -e '</ca>')
<(echo -e '<cert>') ~/openvpn-ca/keys
/client1.crt <(echo -e '</cert>n')
<(echo -e '<key>') ~/openvpn-ca/keys/client1.key
<(echo -e '</key>n')
<(echo -e '<tls-auth>') ~/openvpn-ca/keys/ta.key
<(echo -e '</tls-auth>')
>> client1.ovpn

This tutorial won’t cover client configurations in detail, but we’ll

share one easy way to transfer the .ovpn file to your Linux or OS
X client. This command will ssh into your VPS, and then use cat to
write a new client1.ovpn file on your local machine.

$ ssh USER@SERVER-IP "cat ~/openvpn-clients

13 of 14 11/19/2018, 11:05 AM
How to install OpenVPN on Ubuntu 16.04 | Serverwise about:reader?url=https://blog.ssdnodes.com/blog/tutorial-installing-open...

/client1.ovpn" > client1.ovpn

Once you configure your client, you should be able to connect to

the VPN and access the wider internet through it. Congratulations!

Additional resources

If you’re having issues, post them in the comments and we’ll do our
best to help you work through them. If we see common issues, we’ll
add a troubleshooting area with workarounds and fixes.

For an easier and more automated method of installing OpenVPN,

plus a few other VPN options, consider trying out our Streisand
tutorial.

Run OpenVPN for $9.99/mo and get 16GB RAM

You're 90 seconds away from running an OpenVPN server on SSD

Nodes!

Start VPNing now 0:13:56:00

14 of 14 11/19/2018, 11:05 AM