OpenVPN Ubuntu 16.04¶
How To Set Up an OpenVPN Server on Ubuntu 16.04
Server setup¶
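# Install OpenVPN and the easy-rsa 2 helper scripts used below to run the CA.
sudo apt-get update
sudo apt-get install openvpn easy-rsa
#
# Create a private CA working directory from the easy-rsa template.
make-cadir ~/openvpn-ca
cd ~/openvpn-ca   # absolute path: the original relative `cd openvpn-ca` only worked from $HOME
nano vars
#
#
# Identity fields baked into every certificate; set them once in `vars`.
# KEY_NAME is set to the same name the server certificate is built with below.
# export KEY_COUNTRY="US"
# export KEY_PROVINCE="NY"
# export KEY_CITY="New York City"
# export KEY_ORG="DigitalOcean"
# export KEY_EMAIL="[email protected]"   # address redacted by the page export; use your own
# export KEY_OU="Community"
# export KEY_NAME="biztech-vpn"
#
#
# Load the variables into this shell; every easy-rsa script below reads them.
source vars
# clean-all wipes the keys/ directory: only run it for a brand-new CA.
./clean-all
./build-ca
#
# Server certificate; the argument must equal the cert/key file names
# referenced in server.conf (biztech-vpn.crt / biztech-vpn.key).
./build-key-server biztech-vpn
#
# Diffie-Hellman parameters (produces keys/dh2048.pem; this takes a while).
./build-dh
#
# Shared tls-auth secret; the server and every client profile embed it.
openvpn --genkey --secret keys/ta.key
#
cd ~/openvpn-ca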
Server setup - add clients¶
# Issue a client certificate. The name is the client identifier that
# make_config.sh later uses to find <name>.crt / <name>.key (here: als-mbp).
cd ~/openvpn-ca
source vars
./build-key als-mbp
Configure - service¶
cd ~/openvpn-ca/keys
# Install the CA cert, server cert/key, tls-auth secret and DH parameters.
# biztech-vpn.key and ta.key are secrets: verify with `ls -l /etc/openvpn`
# that they are root-owned and mode 0600 after the copy.
sudo cp -v ca.crt biztech-vpn.crt biztech-vpn.key ta.key dh2048.pem /etc/openvpn
# Unpack the sample config. `sudo tee` is needed because a plain `>` redirect
# would run as the unprivileged user and fail on /etc/openvpn.
# NOTE: the file name (server.conf) determines the systemd instance name,
# i.e. openvpn@server, when the service is started later.
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
sudo nano /etc/openvpn/server.conf
#
#
# HMAC-sign every control-channel packet with the shared ta.key; "0" is the
# server's key direction (client profiles use 1).
tls-auth ta.key 0 # This file is secret
key-direction 0
# AES-128-CBC + SHA256 HMAC. Ubuntu 16.04 ships OpenVPN 2.3.x, which has no
# AEAD ciphers; AES-GCM needs 2.4+ on both ends -- check the installed
# version before switching.
cipher AES-128-CBC # AES
auth SHA256
#
# Route all client traffic through the tunnel and hand out resolvers, so
# clients do not keep sending DNS queries outside the VPN.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
#
# Listen on 443/tcp instead of the sample's 1194/udp. The ufw allow rule and
# the client's `remote`/`proto` lines must use this same port and protocol.
port 443 # default `port 1194`
proto tcp # default `proto udp`
#
# File names of the server certificate/key copied into /etc/openvpn above.
cert biztech-vpn.crt
key biztech-vpn.key
Configure - server networking¶
#
# Enable IPv4 forwarding so the kernel will route packets arriving on the
# tun interface out to the internet.
sudo nano /etc/sysctl.conf
#
#
net.ipv4.ip_forward=1
#
#
# Apply the setting without a reboot.
sudo sysctl -p
# Find the interface carrying the default route; it is the `-o` interface
# of the NAT rule below (eth0 in the sample output).
ip route | grep default
#
#
default via 128.199.192.1 dev eth0 onlink
#
#
# Add the NAT rules as their own `*nat ... COMMIT` table near the top of the
# file, separate from the existing `*filter` table.
sudo nano /etc/ufw/before.rules
#
#
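# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the VPN client subnet out of eth0 (the default-route
# interface found with `ip route`; change it if yours differs).
# 10.8.0.0/24 is the sample server.conf default (`server 10.8.0.0 255.255.255.0`);
# adjust it if the server directive was changed. The original /8 mask would
# have masqueraded the entire 10.0.0.0/8 private range, not just VPN clients.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES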
#
#
# Let ufw accept forwarded packets (tun0 <-> eth0); without this the kernel
# forwarding enabled in sysctl.conf is still dropped by the firewall.
sudo nano /etc/default/ufw
#
#
DEFAULT_FORWARD_POLICY="ACCEPT"
#
#
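# Open the port/protocol the server actually listens on: server.conf above
# sets `port 443` / `proto tcp`, so the original `1194/udp` rule left the
# listener unreachable from outside.
sudo ufw allow 443/tcp
# Reload ufw so the new before.rules and forward policy take effect. Make
# sure an SSH allow rule already exists before re-enabling, or a remote
# session is locked out.
sudo ufw disable
sudo ufw enable
#
# The openvpn@NAME instance reads /etc/openvpn/NAME.conf. The config was
# written to server.conf, so the instance is `server`, not the cert name.
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server   # start automatically at boot
ip addr show tun0   # tun0 exists once the service is up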
Configure - client infrastructure¶
#
# Directory for the generated per-client profiles; 700 because every .ovpn
# embeds that client's private key.
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
#
# Template the profiles are built from; edit it to match the server.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
nano ~/client-configs/base.conf
#
#
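# Server address plus the port/protocol it listens on; these must match
# `port 443` / `proto tcp` in server.conf (the original 1194/udp pair was the
# unmodified sample default and would not connect to this server).
remote 128.199.202.34 443
proto tcp
# Drop root privileges once the tunnel is up.
user nobody
group nogroup
# Left commented out: make_config.sh inlines these files into the profile.
#ca ca.crt
#cert client.crt
#key client.key
# Must match the server's cipher/auth exactly.
cipher AES-128-CBC
auth SHA256
# Client side of the tls-auth key (the server uses 0).
key-direction 1
#
# For linux clients: apply the server-pushed DNS servers to resolv.conf.
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf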
# Script that assembles one self-contained .ovpn per client (contents below).
nano ~/client-configs/make_config.sh
#
#
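#!/bin/bash
# Build a self-contained .ovpn profile for one client by inlining the CA
# certificate, the client's certificate and private key, and the shared
# tls-auth key into a copy of base.conf.
# First argument: Client identifier (the name given to ./build-key)
# Output: ~/client-configs/files/<client>.ovpn, readable by the owner only
set -euo pipefail

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

client=${1:?usage: ${0##*/} CLIENT_NAME}

# Fail early on a missing input: the original unchecked cat chain would
# still write a truncated profile (cat only warns on stderr), leaving the
# user with a file that lacks key material.
for f in "$BASE_CONFIG" "$KEY_DIR/ca.crt" "$KEY_DIR/$client.crt" \
         "$KEY_DIR/$client.key" "$KEY_DIR/ta.key"; do
  [[ -r "$f" ]] || { printf 'missing or unreadable: %s\n' "$f" >&2; exit 1; }
done

# The profile embeds a private key: create it with mode 0600 from the start
# instead of relying on the directory permissions alone.
umask 077
{
  cat "$BASE_CONFIG"
  printf '<ca>\n'
  cat "$KEY_DIR/ca.crt"
  printf '</ca>\n<cert>\n'
  cat "$KEY_DIR/$client.crt"
  printf '</cert>\n<key>\n'
  cat "$KEY_DIR/$client.key"
  printf '</key>\n<tls-auth>\n'
  cat "$KEY_DIR/ta.key"
  printf '</tls-auth>\n'
} > "$OUTPUT_DIR/$client.ovpn"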
#
#
# Only the owner needs to run the script (it reads private keys).
chmod 700 ~/client-configs/make_config.sh
cd ~/client-configs
# Argument = the name passed to ./build-key; writes files/als-mbp.ovpn
./make_config.sh als-mbp
Configure - client¶
# Fetch the finished profile from the server. It contains the client's
# private key, so keep it on the client machine only and delete the copy in
# ~/client-configs/files on the server once it has been delivered.
# ("[email protected]" is a redaction artifact of this page's export; the
# real form is user@host.)
sftp -P 8022 -i ~/.ssh/do-proxsis-docker-deploy [email protected]:client-configs/files/als-mbp.ovpn ~/
Windows¶
https://openvpn.net/index.php/open-source/downloads.html
Linux¶
macOS¶
https://tunnelblick.net/downloads.html
# Older Homebrew syntax; current Homebrew uses `brew install --cask tunnelblick`.
brew cask install tunnelblick