How to Install OpenVPN on Ubuntu 20.04 / 22.04 (Step by Step)

In this post, we introduce the OpenVPN protocol, its working principle and its advantages, then show you how to install an OpenVPN server on Ubuntu.

OpenVPN is the VPN encryption protocol with the largest user base. It is one of the first VPN encryption technologies, started in 2001. The software is considered the best solution for security and versatility due to its connectivity with Windows, macOS, Android and Linux.

What is OpenVPN?

Firstly, OpenVPN is currently one of the most reliable protocols. It functions as both software and a VPN protocol. Also, it uses various security measures to offer a site to site or secure point to point network connection. Nowadays, there are plenty of VPN providers and consumers who are using this protocol.

Moreover, OpenVPN was created by James Yonan and published to the general public in 2001. You can choose from a variety of ports and encryption methods with it. What is more, it also enables you to use it for other projects or check its source code for problems.

All in all, this protocol helps in managing client server connections perfectly. It creates a very secure tunnel for the transfer of data between your device and the VPN server, and vice versa. Some of the platforms that use OpenVPN are macOS, iOS, Windows, Linux, Android, and routers.

How Does OpenVPN Work?

A VPN connection protects your internet connection when you work from a distance (e.g., hotel, airport, or even a different country). Basically, a VPN transmits all of your network traffic over an encrypted tunnel. Routing network traffic this way hides your IP address when accessing the internet by substituting it with the IP address and location of the VPN server, which misrepresents your location. Besides, a VPN connection additionally protects against outside attacks.

Advantages of OpenVPN

Let’s examine the advantages that help OpenVPN to gain a user base among VPN providers.

Better Security

Certainly, OpenVPN uses peer authentication and pre shared keys, among other security protocols, to secure communication. Further, the network has maximum protection and security from Man in the Middle attacks by using OpenSSL in combination with HMAC packet authentication.

Reliability

If OpenVPN disconnects for some reason, the network comes to a halt so that it can be fixed or configured. As an outcome, it is essential to be sure that there are no information losses or communications failures.

Cost

Most of the time, OpenVPN can be downloaded for free. It is provided free of cost on platforms like macOS, Linux, Android, and iOS. Additionally, you can also use OpenVPN to have a free connection to a VPN server. As a result, whenever VPN connections are received from a certain server, OpenVPN gives access for free. This implies that OpenVPN is convenient and cost effective.

Community Support

Chiefly, OpenVPN has support from the global community as it is an open source solution. Use almost any GNU GPL licensed software to support them. This is due to the source code’s ease of modification. Anyone who needs to use our VPN network benefits from it.

Firewall Compatibility

Since OpenVPN is accessible on a port that facilitates TCP or UDP, it overcomes significant security limitations. Network imposed firewalls cannot obstruct connections to OpenVPN, even if they exist.

Platform support

Regardless of the operating system, a wide range of devices and platforms can support OpenVPN. These platforms are Mac OS, Android, and iOS. Therefore, it is not only preferred by seasoned users but also suitable for newcomers.

We have reached the main part of the article How to Install OpenVPN on Ubuntu 20.04 / 22.04.

How to Install OpenVPN on Ubuntu 20.04 / 22.04 (Step by Step)

This section shows you how to install OpenVPN server and client on Ubuntu 20.04 / 22.04 server.

Prerequisites

  • Two servers running Ubuntu 20.04 or 22.04.
  • A root user or a user with sudo privileges.

Step 1 - Update the System

Before starting, you need to update all your system packages to the latest version. You can update all of them by running the following commands.

				
					apt update -y
					apt upgrade -y
				
			

Once all the packages are updated, proceed to the next step.

Step 2 - Installing OpenVPN

By default, the OpenVPN package is included in the Ubuntu default repository. Install it with the following command.

				
					apt install openvpn -y
				
			

Once the OpenVPN server is installed, verify the OpenVPN version with the following command.

				
					openvpn --version
				
			

You should see the version information in the following output.

				
					OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

				
			

Step 3 - Installing Easy-RSA and Creating PKI for OpenVPN

Next, you need to install the Easy-RSA public key infrastructure (PKI) management tool on your server. By default, it is available in the Ubuntu default repository. Install it using the following command.

				
					apt install easy-rsa -y
				
			

Once installed, navigate to your Easy-RSA directory and create a vars file, which holds the settings used to create the OpenVPN server’s private key and certificate.

				
					cd /usr/share/easy-rsa/
					nano vars
				
			

Add the following configurations.

				
					# Paths: the PKI is created under the current Easy-RSA directory
					set_var EASYRSA                 "$PWD"
					set_var EASYRSA_PKI             "$EASYRSA/pki"
					# cn_only puts only the common name in the certificate subject
					set_var EASYRSA_DN              "cn_only"
					set_var EASYRSA_REQ_COUNTRY     "UK"
					set_var EASYRSA_REQ_PROVINCE    "UK"
					set_var EASYRSA_REQ_CITY        "London"
					set_var EASYRSA_REQ_ORG         "cloudinfra CERTIFICATE AUTHORITY"
					set_var EASYRSA_REQ_EMAIL       "admin@cloudinfra.com"
					set_var EASYRSA_REQ_OU          "cloudinfra EASY CA"
					# Key algorithm and key size in bits
					set_var EASYRSA_KEY_SIZE        2048
					set_var EASYRSA_ALGO            rsa
					# Validity in days of the CA certificate and of issued certificates
					set_var EASYRSA_CA_EXPIRE       7500
					set_var EASYRSA_CERT_EXPIRE     365
					set_var EASYRSA_NS_SUPPORT      "no"
					set_var EASYRSA_NS_COMMENT      "cloudinfra CERTIFICATE AUTHORITY"
					set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
					set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
					# Digest used to sign certificates
					set_var EASYRSA_DIGEST          "sha256"

				
			

Save and close the file after you finish. Then, run the following command to initialize PKI.

				
					./easyrsa init-pki 
				
			


Step 4 - Creating Certificate Authority and CSR

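Next, you need to build the certificate authority (CA) and a certificate signing request (CSR) on your server. First, run the following command to build the CA. The nopass option stores the CA private key without a passphrase.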

				
					./easyrsa build-ca nopass
				
			


Next, generate the certificate request with the following command.

				
					./easyrsa gen-req cloudinfra-server nopass
				
			


Step 5 - Use CA to Sign the Server Key

Next, you need to sign the request using the generated CA file as shown below.

				
					./easyrsa sign-req server cloudinfra-server
				
			


Now, verify the generated server certificate against the CA using the following command.

				
					openssl verify -CAfile pki/ca.crt pki/issued/cloudinfra-server.crt
				
			

If everything is fine, you will get the following output.

				
					pki/issued/cloudinfra-server.crt: OK
				
			

Next, you will also need to generate Diffie-Hellman parameters to use for the key exchange. Generate them with the following command.

				
					./easyrsa gen-dh
				
			

You will see the following output.

				
					Note: using Easy-RSA configuration from: /usr/share/easy-rsa/vars
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Generating DH parameters, 2048 bit long safe prime

.++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*

DH parameters of size 2048 created at /usr/share/easy-rsa/pki/dh.pem

				
			

Finally, copy all the certificate and key files to the OpenVPN server directory.

				
					cp pki/ca.crt pki/dh.pem pki/private/cloudinfra-server.key pki/issued/cloudinfra-server.crt /etc/openvpn/server/

				
			

Once you are done, proceed to generate client certificate and key.

Step 6 - Creating Client Certificate and Key

At this point, your OpenVPN certificates are ready to use. Now, you need to create a certificate and key file for the client. First, build the client key using the following command.

				
					./easyrsa gen-req client nopass
				
			


Then, sign the key using the following command.

				
					./easyrsa sign-req client client
				
			


Finally, copy the client key and certificate files to the client directory.

				
					cp pki/ca.crt pki/issued/client.crt pki/private/client.key /etc/openvpn/client/
				
			

Once you are done, proceed to configure OpenVPN server.

Step 7 - Configuring OpenVPN Server

Next, you need to create an OpenVPN configuration file and define the port and the paths of all your generated certificates and keys. Create the configuration file using the following command.

				
					nano /etc/openvpn/server.conf
				
			

Add the following configurations:

				
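					# Listener and tunnel device
					port 1194
					proto udp
					dev tun
					# CA certificate, server certificate and key, and DH parameters from Step 5
					ca /etc/openvpn/server/ca.crt
					cert /etc/openvpn/server/cloudinfra-server.crt
					key /etc/openvpn/server/cloudinfra-server.key
					dh /etc/openvpn/server/dh.pem
					# VPN subnet; send all client traffic and DNS lookups through the tunnel
					server 10.8.0.0 255.255.255.0
					push "redirect-gateway def1"
					push "dhcp-option DNS 208.67.222.222"
					push "dhcp-option DNS 208.67.220.220"
					# Allows several clients to connect with the same certificate at the same time
					duplicate-cn
					cipher AES-256-GCM
					auth SHA256
					auth-nocache
					keepalive 20 60
					persist-key
					persist-tun
					# Must match the compress setting in the client configuration
					compress lz4
					daemon
					# Drop root privileges after start-up
					user nobody
					group nogroup
					log-append /var/log/openvpn.log
					verb 3
					explicit-exit-notify 0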

				
			

Save and close the file when you are done. Then, start the OpenVPN service and enable it to start at system reboot.

				
					systemctl start openvpn@server
					systemctl enable openvpn@server
				
			

Verify the status of OpenVPN service using the following command.

				
					systemctl status openvpn@server
				
			

You should see the OpenVPN status in the following output.

				
					● openvpn@server.service - OpenVPN connection to server
     Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
     Active: active (running) since Sat 2023-02-11 15:35:17 UTC; 8s ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 2332 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 2242)
     Memory: 2.0M
        CPU: 28ms
     CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
             └─2332 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --con>

Feb 11 15:35:17 vpnserver systemd[1]: Starting OpenVPN connection to server...

				
			

OpenVPN automatically creates a new network interface named tun0 after the service starts. Verify it using the following command.

				
					ip a show tun0
				
			

The output shows the details of the tun0 interface.

Step 8 - Configuring IP Forwarding

In order to route all traffic through OpenVPN, you need to enable the IP forwarding on your server. Do it by editing the sysctl.conf file.

				
					nano /etc/sysctl.conf
				
			

Uncomment the following line.

				
					net.ipv4.ip_forward = 1

				
			

Save and close the file, then run the following command to apply the changes.

				
					sysctl -p
				
			

Step 9 - Creating OpenVPN Client Configuration File

Next, you need to create a client.ovpn configuration file to connect the OpenVPN client to the server. Create it with the following command.

				
					nano /etc/openvpn/client/client.ovpn
				
			

Define your OpenVPN server IP, port, and certificate name as shown below:

				
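					client
					dev tun
					proto udp
					# Replace vpn-server-ip with the address of your OpenVPN server
					remote vpn-server-ip 1194
					ca ca.crt
					cert client.crt
					key client.key
					# Accept only a peer whose certificate was issued for server use (sign-req server in Step 5)
					remote-cert-tls server
					cipher AES-256-GCM
					auth SHA256
					auth-nocache
					resolv-retry infinite
					# Must match the compress setting in the server configuration
					compress lz4
					nobind
					persist-key
					persist-tun
					mute-replay-warnings
					verb 3
					explicit-exit-notify 0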

				
			

Save and close the file when you are done.
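
The directives in the server and client configuration files from Steps 7 and 9 decide how strictly each side authenticates the other. The following script is an added example, not part of the original article: it flags a client config that does not check the server certificate, the duplicate-cn option, tunnel compression and a missing tls-auth/tls-crypt key. The sample configs are constructed, and the function names and ta.key are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: lint OpenVPN config files.

# has_opt FILE REGEX: succeeds when an active (uncommented) directive matches.
has_opt() {
    grep -Eq "^[[:space:]]*($2)([[:space:]]|\$)" "$1"
}

# lint_ovpn FILE: prints one "FILE: finding" line per issue, always returns 0.
lint_ovpn() {
    if has_opt "$1" 'client' && ! has_opt "$1" 'remote-cert-tls|verify-x509-name'; then
        echo "$1: server certificate is not checked beyond its CA signature"
    fi
    if has_opt "$1" 'duplicate-cn'; then
        echo "$1: duplicate-cn allows concurrent sessions with one certificate"
    fi
    if has_opt "$1" 'compress|comp-lzo'; then
        echo "$1: tunnel compression is enabled"
    fi
    if ! has_opt "$1" 'tls-auth|tls-crypt|tls-crypt-v2'; then
        echo "$1: control channel has no tls-auth/tls-crypt key"
    fi
    return 0
}

# write_samples DIR: constructed configs (ta.key is a hypothetical file name).
write_samples() {
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'duplicate-cn' \
        'cipher AES-256-GCM' 'compress lz4' > "$1/server.conf"
    printf '%s\n' 'client' 'dev tun' 'remote vpn-server-ip 1194' \
        'cipher AES-256-GCM' 'compress lz4' > "$1/client-weak.ovpn"
    printf '%s\n' 'client' 'dev tun' 'remote vpn-server-ip 1194' \
        'remote-cert-tls server' 'tls-crypt ta.key' '# compress lz4' \
        'cipher AES-256-GCM' > "$1/client-tight.ovpn"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for conf in server.conf client-weak.ovpn client-tight.ovpn; do
    lint_ovpn "$demo_dir/$conf"
done
rm -rf "$demo_dir"
```

To check a real deployment, call lint_ovpn with the path of the config file to inspect.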

Step 10 - Installing OpenVPN Client

This section explains how to install OpenVPN on client system and connect it to the OpenVPN server.

First, log into the client machine and install the OpenVPN package using the following command.

				
					apt install openvpn -y
				
			

After the successful installation, you need to copy the client’s certificate, key and configuration file to the client machine. Copy all of them with the following command.

				
					scp -r root@vpn-server-ip:/etc/openvpn/client/* /etc/openvpn/client/

				
			

Next, navigate to the client directory and run the following command to connect to the OpenVPN server.

				
					cd /etc/openvpn/client/
					openvpn --config client.ovpn

				
			

Once you are connected to the OpenVPN server, proceed to the next step.

Step 11 - Verifying OpenVPN Connection

At this point, your client machine is connected to the OpenVPN server. Now, it’s time to verify the OpenVPN connection.

Go to the OpenVPN server machine and run the following command.

				
					ip a show tun0
				
			

The output shows the IP address assigned by the OpenVPN server.

To verify the server log, run the following command.

				
					tail -f /var/log/openvpn.log
				
			

The output shows the VPN server log.
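
Because the server configuration in Step 7 uses duplicate-cn with a single client certificate, the server log shows when that certificate is used from several addresses. The following script is an added example, not part of the original article: it lists the distinct source addresses per certificate CN and counts failed handshakes per address. It runs on constructed log lines whose format is assumed to match what OpenVPN 2.5 writes to /var/log/openvpn.log; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the server log.

# cn_sources LOG: per certificate CN, how many distinct source addresses
# completed a handshake, and which ones. CNs containing spaces are not handled.
cn_sources() {
    awk '/Peer Connection Initiated with/ {
        cn = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\[.*\]$/ && $(i + 1) == "Peer")
                cn = substr($i, 2, length($i) - 2)
            if ($i ~ /^\[AF_INET6?\]/) {
                ip = $i; sub(/^\[AF_INET6?\]/, "", ip); sub(/:[0-9]+$/, "", ip)
            }
        }
        if (cn != "" && !((cn, ip) in seen)) {
            seen[cn, ip] = 1; count[cn]++
            list[cn] = (list[cn] == "" ? ip : list[cn] "," ip)
        }
    }
    END { for (cn in count) print cn, count[cn], list[cn] }' "$1" | sort
}

# failed_handshakes LOG: failed handshakes and certificate rejections per IPv4 source.
failed_handshakes() {
    awk '/TLS Error: TLS handshake failed|VERIFY ERROR/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9.]+:[0-9]+$/) { split($i, a, ":"); n[a[1]]++; break }
    }
    END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

# sample_log: constructed lines in the format assumed for OpenVPN 2.5 logs.
sample_log() {
    cat <<'EOF'
2023-02-11 15:40:02 192.0.2.10:51234 [client] Peer Connection Initiated with [AF_INET]192.0.2.10:51234
2023-02-11 15:52:40 203.0.113.5:40111 [client] Peer Connection Initiated with [AF_INET]203.0.113.5:40111
2023-02-11 16:01:10 198.51.100.7:33000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-02-11 16:01:10 198.51.100.7:33000 TLS Error: TLS handshake failed
2023-02-11 16:20:00 192.0.2.10:51300 [client] Peer Connection Initiated with [AF_INET]192.0.2.10:51300
EOF
}

log=$(mktemp)
sample_log > "$log"
cn_sources "$log"
failed_handshakes "$log"
rm -f "$log"
```

A CN that appears with more than one source address is worth reviewing, since every machine sharing that certificate is indistinguishable to the server.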

Thank you for reading How to Install OpenVPN on Ubuntu 20.04 / 22.04. We shall conclude. 

How to Install OpenVPN on Ubuntu 20.04 / 22.04 (Step by Step) Conclusion

We hope you can now implement OpenVPN in your organization to secure your network. Users use OpenVPN, an open VPN protocol, and VPN client software to establish secure VPN connections. Truly, VPN providers offer this protocol because of its use of the OpenSSL library, 256 bit encryption and cross platform compatibility. Generally, you should choose a VPN service that provides access to OpenVPN connections and other VPN protocols.


Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.
