How to Setup A Cloud VPN with OpenVPN

Learn how to set up your own VPN network with OpenVPN.

Simon Bennett
Last Updated: Jan 25, 2021

A VPN (Virtual Private Network) lets you reach the Internet safely and securely from your PC or smartphone when you are connected to an untrusted network: it creates an encrypted tunnel that carries your traffic privately across that network. A lot of VPN software is available; some of it is free and some of it is commercial.

OpenVPN is a free, open-source and one of the most popular VPN solutions, with many configuration options. It encrypts your traffic inside a secure tunnel, using the OpenSSL library and 256-bit ciphers, which is why most VPN providers support this protocol.

In this post, we will show you how to set up an OpenVPN server on Ubuntu 20.04.


# Requirements

  • Two systems running Ubuntu, one for the VPN server and one for the VPN client.
  • A root password configured on both systems.

# Getting Started

Before starting, refresh the package index so that apt sees the latest package versions. You can do that with the following command:

apt-get update -y

Once all the packages are updated, you can proceed to the next step.


# Install OpenVPN

By default, the OpenVPN package is included in the Ubuntu standard repository. You can install it by running the following command:

apt-get install openvpn -y

After the installation, you will need to create a server certificate and key files.


# Generate Server Certificate and Key File

In this section, we will show you how to generate the certificate authority (CA) and the server certificate files.


# Configure Certificate Authority

First, you will need to download EasyRSA to your server. EasyRSA is a tool for building a CA and generating server and client certificate and key files.

You can download it from the Git repository using the following command:

wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

After downloading, extract the archive with the following command:

tar -xvzf EasyRSA-3.0.8.tgz

Next, move the extracted directory into /etc/openvpn with the following command:

mv EasyRSA-3.0.8 /etc/openvpn/easy-rsa

Next, change into the easy-rsa directory and create a vars file that configures how the certificate authority is generated:

cd /etc/openvpn/easy-rsa
nano vars

Add the following lines:

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "INDIA"
set_var EASYRSA_REQ_PROVINCE    "Gujarat"
set_var EASYRSA_REQ_CITY        "Ahmedabad"
set_var EASYRSA_REQ_ORG         "Example CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "admin@example.com"
set_var EASYRSA_REQ_OU          "Example EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "Example CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"

Save and close the file, then initialize the PKI directory with the following command:

./easyrsa init-pki

This will create a pki directory under /etc/openvpn/easy-rsa/ as shown below:

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Next, you will need to build the certificate authority. You can build it with the following command:

./easyrsa build-ca

This creates the CA key (ca.key) and certificate (ca.crt); you will be asked to choose a passphrase for the CA key, as shown below:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  23 Jan 2021

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................................+++++
..................................................+++++
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
139636302492992:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=
/etc/openvpn/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/pki/ca.crt

# Generate Server Certificate Files

Next, you will need to create a certificate request and keypair for your server. You can create it with the following command:

./easyrsa gen-req example-server nopass

You should see the following output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  23 Jan 2021
Generating a RSA private key
.............................+++++
...+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/example-server.key.IMonKybM0y'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [example-server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/example-server.req
key: /etc/openvpn/easy-rsa/pki/private/example-server.key

# Sign the Server Key

Next, you will need to sign the example-server certificate request with your CA. You can sign it with the following command:

./easyrsa sign-req server example-server

You should get the following output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  23 Jan 2021

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 365 days:

subject=
commonName                = example-server

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'example-server'
Certificate is to be certified until Jan 23 11:43:05 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/example-server.crt

Next, generate Diffie-Hellman parameters with the following command:

./easyrsa gen-dh

This will generate a dh.pem file inside the /etc/openvpn/easy-rsa/pki/ directory as shown below:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  23 Jan 2021
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................+...........................+............................................

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

At this point, all certificates and key files are generated. Now, you will need to copy them inside /etc/openvpn/server/ directory.

You can copy them with the following command:

cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/private/example-server.key /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/issued/example-server.crt /etc/openvpn/server/

# Generate Client Certificate and Key File

In this section, we will show you how to generate the key and certificate file for the client.

Still in the /etc/openvpn/easy-rsa/ directory, generate the client key and certificate request with the following command:

./easyrsa gen-req client nopass

You should see the following output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  23 Jan 2021
Generating a RSA private key
...+++++
........+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.JmBal6cmr8'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/pki/private/client.key

Next, sign the client certificate request with your CA using the following command:

./easyrsa sign-req client client

You should see the following output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  23 Jan 2021

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 365 days:

subject=
commonName                = client

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Jan 23 11:46:58 2023 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt

Next, you will need to copy the CA certificate and the client certificate and key files to the /etc/openvpn/client/ directory.

You can copy them with the following command:

cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/pki/private/client.key /etc/openvpn/client/

# Configure OpenVPN Server

In this section, we will create an OpenVPN configuration file.

First, create an OpenVPN configuration file with the following command:

nano /etc/openvpn/server.conf

Add the following lines:

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/example-server.crt
key /etc/openvpn/server/example-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3

Save the file, then start and enable the OpenVPN service with the following commands:

systemctl start openvpn@server
systemctl enable openvpn@server

After starting the OpenVPN service, you can verify the OpenVPN interface with the following command:

ip a show tun0

You should get the following output:

4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
   valid_lft forever preferred_lft forever
inet6 sa80::5h63:87n:31a:ag5/64 scope link stable-privacy
   valid_lft forever preferred_lft forever

# Generate Client Configuration File

At this point, your OpenVPN server is ready. Now, you will need to create a configuration file for the client machine. You can create it with the following command:

nano /etc/openvpn/client/client.ovpn

Add the following lines:

client
dev tun
proto udp
remote your-vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Save and close the file when you are finished. You will need to transfer this file, together with the client certificate and key files, to the client machine from which you want to connect to the OpenVPN server.
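Before shipping the two files, it is worth reading them with a reviewer's eye. The following is an added example, not code from the article or from the OpenVPN project: a small static audit that parses the server.conf and client.ovpn shown above (embedded as constructed samples, trimmed to the directives it looks at) and reports the settings a reviewer would question: `duplicate-cn`, `compress lz4`, the absence of `crl-verify` and of `tls-auth`/`tls-crypt`, and, on the client, the missing `remote-cert-tls server`. The check list and the severities are this example's own choices.

```python
"""Static audit of OpenVPN server and client configuration files.

Added example, not code from the original article. The sample inputs are the
tutorial's server.conf and client.ovpn, trimmed to the directives the checks use.
"""
import re
from dataclasses import dataclass

# Constructed sample: the tutorial's server.conf, trimmed.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/example-server.crt
key /etc/openvpn/server/example-server.key
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
compress lz4
user nobody
group nogroup
"""

# Constructed sample: the tutorial's client.ovpn, trimmed.
CLIENT_CONF = """\
client
dev tun
proto udp
remote your-vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
compress lz4
"""


@dataclass(frozen=True)
class Finding:
    severity: str    # "high", "medium" or "low" (this example's own scale)
    directive: str   # the directive that is risky as set, or missing
    message: str


def parse_config(text):
    """Map each directive to the list of argument lists it appears with.

    '#' and ';' start comments. Double-quoted arguments keep their spaces, so
    push "redirect-gateway def1" yields a single argument.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
        directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def audit(text, role):
    """Return findings for one config, highest severity first. role: server|client."""
    cfg = parse_config(text)
    findings = []
    if not any(d in cfg for d in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append(Finding("medium", "tls-auth", "no control-channel HMAC key: "
            "unauthenticated packets reach the TLS handshake; add tls-crypt or tls-auth"))
    # Without the directive, OpenVPN 2.4/2.5 still accept TLS 1.0.
    if float(cfg.get("tls-version-min", [["1.0"]])[0][0]) < 1.2:
        findings.append(Finding("medium", "tls-version-min", "TLS below 1.2 allowed"))
    if "compress" in cfg or "comp-lzo" in cfg:
        findings.append(Finding("medium", "compress", "compression enabled; the OpenVPN "
            "project advises against it (VORACLE); remove it on server and clients"))
    # Without auth, the data-channel HMAC defaults to SHA1.
    if cfg.get("auth", [["SHA1"]])[0][0].upper() in ("MD5", "SHA1"):
        findings.append(Finding("low", "auth", "data-channel HMAC is weak; use SHA256+"))
    if role == "server":
        if "duplicate-cn" in cfg:
            findings.append(Finding("medium", "duplicate-cn", "clients may share one "
                "certificate, so revoking a leaked cert cuts off every user of it"))
        if "crl-verify" not in cfg:
            findings.append(Finding("high", "crl-verify", "no CRL configured: a "
                "revoked client certificate is still accepted (easyrsa gen-crl)"))
    elif role == "client":
        if "remote-cert-tls" not in cfg:
            findings.append(Finding("high", "remote-cert-tls", "server EKU not checked: "
                "any CA-signed cert, another client's included, is accepted as server"))
        if "verify-x509-name" not in cfg:
            findings.append(Finding("low", "verify-x509-name", "server CN not pinned"))
    else:
        raise ValueError(f"unknown role {role!r}")
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for role, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for f in audit(conf, role):
            print(f"{role}: [{f.severity}] {f.directive}: {f.message}")
```

Because Easy-RSA's `sign-req server` and `sign-req client` put the matching extended key usage into the certificates, adding `remote-cert-tls server` to client.ovpn works with the PKI built above without reissuing anything. The `cipher AES-256-CBC` line is deliberately not flagged: with OpenVPN 2.4 and later the peers negotiate the data-channel cipher themselves, which is why the connection log further down in this post reports `cipher AES-256-GCM`.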


# Install and Setup OpenVPN Client

Next, go to the client machine and install the OpenVPN client with the following command:

apt-get install openvpn -y

Next, copy the client configuration, certificate and key files from the server to the client machine with the following command:

scp -r root@vpn-server-ip:/etc/openvpn/client .

Next, navigate to the client directory and connect to your VPN server with the following command:

cd client
openvpn --config client.ovpn

Once the connection has been established successfully, you should see the following output:

Jan 23 09:23:27 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.225:1194
Jan 23 09:23:27 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Jan 23 09:23:27 2021 UDP link local: (not bound)
Jan 23 09:23:27 2021 UDP link remote: [AF_INET]192.168.1.225:1194
Jan 23 09:23:27 2021 TLS: Initial packet from [AF_INET]192.168.1.225:1194, sid=6d27e1cb 524bd8cd
Jan 23 09:23:27 2021 VERIFY OK: depth=1, CN=Easy-RSA CA
Jan 23 09:23:27 2021 VERIFY OK: depth=0, CN=atlantic-server
Jan 23 09:23:27 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jan 23 09:23:27 2021 [atlantic-server] Peer Connection Initiated with [AF_INET]192.168.1.225:1194
Jan 23 09:23:27 2021 SENT CONTROL [atlantic-server]: 'PUSH_REQUEST' (status=1)
Jan 23 09:23:27 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option
DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
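To see what the handshake actually settled on, here is an added example (not part of the original article) that parses those log lines, embedded below as a constructed sample with the wrapped `PUSH_REPLY` line joined, and checks the result: that the server certificate's CN is the one you issued, that the control channel is TLS 1.2 or better, and that the negotiated data-channel cipher is an AEAD mode. The expected server name `example-server` is an assumption taken from the certificate issued earlier in the tutorial; run against the output above it reports a mismatch, because that output shows a server certificate with CN `atlantic-server`. The `full-tunnel` entry is informational.

```python
"""Summarise an OpenVPN client connection log and check what was negotiated.

Added example, not code from the original article. LOG is the connection
output shown above, embedded as a constructed sample (PUSH_REPLY line joined).
"""
import re
from dataclasses import dataclass, field

LOG = """\
Jan 23 09:23:27 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.225:1194
Jan 23 09:23:27 2021 UDP link remote: [AF_INET]192.168.1.225:1194
Jan 23 09:23:27 2021 VERIFY OK: depth=1, CN=Easy-RSA CA
Jan 23 09:23:27 2021 VERIFY OK: depth=0, CN=atlantic-server
Jan 23 09:23:27 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jan 23 09:23:27 2021 [atlantic-server] Peer Connection Initiated with [AF_INET]192.168.1.225:1194
Jan 23 09:23:27 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
"""

TIMESTAMP = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} (.*)$")
REMOTE = re.compile(r"link remote: \[AF_INET6?\](\S+)")
VERIFY = re.compile(r"VERIFY OK: depth=(\d+), CN=(.+)$")
CONTROL = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ ([^,]+)")
PUSH = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'$")


@dataclass
class Session:
    remote: str = ""
    chain: dict = field(default_factory=dict)   # depth -> CN of each verified cert
    tls_version: str = ""
    control_cipher: str = ""
    pushed: list = field(default_factory=list)  # options pushed by the server
    data_cipher: str = ""                       # negotiated data-channel cipher


def parse_session(log):
    """Extract remote, certificate chain, TLS parameters and pushed options."""
    s = Session()
    for line in log.splitlines():
        ts = TIMESTAMP.match(line)
        msg = ts.group(1) if ts else line
        if m := REMOTE.search(msg):
            s.remote = m.group(1)
        elif m := VERIFY.search(msg):
            s.chain[int(m.group(1))] = m.group(2)
        elif m := CONTROL.search(msg):
            s.tls_version, s.control_cipher = m.groups()
        elif m := PUSH.search(msg):
            s.pushed = m.group(1).split(",")
            for opt in s.pushed:
                if opt.startswith("cipher "):
                    s.data_cipher = opt.split(" ", 1)[1]
    return s


def check_session(s, expected_server_cn):
    """Return (code, detail) pairs an operator should look at, in a fixed order."""
    issues = []
    if s.chain.get(0) != expected_server_cn:
        issues.append(("server-cn-mismatch",
                       f"expected {expected_server_cn}, got {s.chain.get(0)}"))
    if float(s.tls_version[4:] or 0) < 1.2:
        issues.append(("weak-tls", s.tls_version or "unknown"))
    if not s.data_cipher or s.data_cipher.upper().endswith("-CBC"):
        issues.append(("non-aead-data-cipher", s.data_cipher or "unknown"))
    if any(o.startswith("redirect-gateway") for o in s.pushed):
        issues.append(("full-tunnel", "all client traffic is routed through the VPN"))
    return issues


if __name__ == "__main__":
    session = parse_session(LOG)
    print(session)
    for code, detail in check_session(session, "example-server"):
        print(f"{code}: {detail}")
```

In production the name check is better done by OpenVPN itself: `verify-x509-name <cn> name` in the client configuration makes the client refuse the connection rather than merely log it. Note also the `cipher AES-256-GCM` inside the `PUSH_REPLY`: with OpenVPN 2.4 and later, peers that both support it negotiate an AEAD cipher, and the `cipher AES-256-CBC` directive in the two configuration files is only a fallback.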

Next, verify your OpenVPN connection with the following command:

ip a show tun0

You should see a new IP address on the tun0 interface, as in the following output:

4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
   valid_lft forever preferred_lft forever
inet6 ds06::hd64:32js:d303:132s/64 scope link stable-privacy
   valid_lft forever preferred_lft forever

# Conclusion

In the above post, you have learned how to install and set up an OpenVPN server on Ubuntu, and how to install the OpenVPN client and connect it to the server. I hope this will help you set up OpenVPN on your cloud server.
