This article will guide you in a basic OpenVPN installation on an Ubuntu server running 12.04 or 14.04 using a TUN device.
The TUN solution is utilizes a separate subnet for the remote VPN clients so local LAN hosts would see traffic sources from this separate subnet. To use this solution, you should have a gateway/router on the local LAN that supports the use of static routes or be prepared to add a static route to every device on the internal LAN. Since the OpenVPN server is not the default gateway, yet is the hop for the VPN clients at the new subnet, you must rely on the static routes on the gateway (or on each Host) to direct the VPN traffic to the OpenVPN server instead of sending it out your Internet connection. This type of setup is much easier to complete than the TAP based VPN since we don’t need to use any bridges. Plus, TUN based VPNs are supported by Android (TAP is not as of 4.2.2).
OpenVPN has a few methods of authentication. Out of the box, OpenVPN relies on certificate based auth. However, with a recompiled client, you can also use Id/password authentication as well providing 2 factor auth into your network (something you have = the cert, something you know= the password).
Before we begin, lets get the installation of the pre-reqs done.
apt-get install openvpn libssl-dev openssl
We need to allow IPv4 forwarding so the server can send out packets on the VPN’s behalf.
Uncomment the line net.ipv4.ip_forward=1
Restart networking or run ‘sysctl -p’ for the changes to take effect. Or just restart the server.
Create Server Keys
We need to create the server keys and client keys that we need for the OpenVPN server and the eventual client. Easy-RSA will be used to generate the items we need.
If you are on 12.04 Create the easy-rsa folder and copy the sample files into it.
sudo mkdir /etc/openvpn/easy-rsa/ sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ sudo chown -R $USER /etc/openvpn/easy-rsa/
If you are on 14.04, easy-rsa is an installed application with the utilities built in to create the needed directory.
apt-get install easy-rsa make-cadir /etc/openvpn/easy-rsa
Edit the vars file and edit the following items for your needs, located near the bottom
sudo nano /etc/openvpn/easy-rsa/vars
export KEY_CITY=”New York City”
Next step is to generate the Server Keys
cd /etc/openvpn/easy-rsa/ source vars ./clean-all ./build-dh ./pkitool --initca ./pkitool --server server cd keys openvpn --genkey --secret ta.key
Note: if you get an error on the command “./pkitool –initca”
grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x
You are hitting a known bug #998918 https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/998918.
In a nutshell, openvpn easy-rsa is missing the openssl.cnf file in the package. As a workaround, create a softlink and rerun the pkitool using the following:
cd /etc/openvpn/easy-rsa/ ln -s openssl-1.0.0.cnf openssl.cnf ./pkitool --initca
Continue on from there.
Now copy certain keys to the openvpn directory
cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
Create Client Certificates
If you are using the default method of authentication, have a client cert per client, then you need to create the cert on the openvpn server for the client. This is done on the server, not on the client because the server’s CA needs to sign the key. Also, the client cert process will prompt you for a client cert password. You need to give this to the client along with the cert.
cd /etc/openvpn/easy-rsa/ source vars ./pkitool client-name
Those commands will create new files int the easy-rsa/keys directory called client-name.crt and client-name.key (client-name.csr is the text request and can be ignored/deleted). These 2 files need to be copied out the client, along with the server ca.crt and the ta.key (the ta.key is used if TLS is enabled in server conf).
These files need to be copied to the client and placed in the proper folder. For a linux client, this would usually be the /home/folder for the user. For windows based machines, this would be in the openvpn client install folder where the profiles are stored.
Last step is to copy in the sample server config file and edit it to support our config. This sample is a default method using only certificates, but this could be changed to support id/pw instead of user certs (good for large subscription based services), or even 2 factor auth requiring both the cert and the password.
Note that openvpn from repo may already have the sample server.conf extracted. So adjust the command as needed to cp the file and omit the gzip step.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ gzip -d /etc/openvpn/server.conf.gz nano /etc/openvpn/server.conf
Edit the /etc/openvpn/server.conf file and make the following changes:
Change the following to reflect the VPN subnet you want to use
server 192.168.2.0 255.255.255.0
Change this so the vpn clients have the correct routes for your private IP traffic that you want to capture in the VPN (edit these to reflect your scheme)
;push "route 192.168.10.0 255.255.255.0" ;this line becomes: push "route 192.168.1.0 255.255.255.0" push "route 22.214.171.124 255.255.255.0"
Change this so all your client traffic passes through the VPN. This will capture all traffic regardless of the ‘push route’ set above.
;push "redirect-gateway def1 bypass-dhcp" ;change to push "redirect-gateway def1 bypass-dhcp"
Change these to 1 of your internal DNS servers if you have 1, otherwise use any public dns you want. You can also leave it out if you want no changes at all.
;push "dhcp-option DNS 126.96.36.199" ;push "dhcp-option DNS 188.8.131.52" ;uncomment and e3dit these as needed to: push "dhcp-option DNS 184.108.40.206" push "dhcp-option DNS 220.127.116.11"
Change this to implement tls auth, without a proper file, the initial UDP communication is dropped. It also saves on processor time since it doesn’t have to service bad requests. This is completely optional and is not needed for a working connection.
;tls-auth ta.key 0 # This file is secret ; change to tls-auth ta.key 0 # This file is secret
Change the following to increase security so the VPN service has restricted access
;user nobody ;group nogroup ;change to user nobody group nogroup
With that, you should be able to load the openvpn client, copy in the Ca and user certs and get a connection.
Remember the ta.key is used if ‘tls-auth’ is activated on the server.conf.
This is very helpful document and very good xplaination. so thank you so much for this stuff. and i’ve few ques. Among that, one que is after this setting up openVPN , how to test the connection or how to use or what is the next step to do?
Thanks in advance.
Thank you so much for this article! I was struggling to find info on the easy-rsa workflow, and this article just scratched every itch.
Thanks for the tutorial.
My problem is that no .conf or .ovpn files are being created when I run ./pkitool client-name.
I get an error message at the end of the output, which probably points out that problem:
➜ easy-rsa ./pkitool client-name
Using Common Name: …
failed to update database
TXT_DB error number 2
Does anyone else come around this problem? Does anybody know what the problem is.
All files that are being created are the .crt, .csr and .key files.
the pki tool only creates the cert files needed, not the openvpn config file for the client. You create the config file on the client yourself either through a client GUI or manually using a text editor. Unable to update database points to a duplicate client cert in the database. If you are sourcing a VAR file with the user details, then you need to make the KEY_EMAIL unique or delete the previous cert from the database.