How to Setup A Cloud VPN with OpenVPN

VPN (Virtual Private Network) is a protocol to safely and securely access the Internet from your PC to an untrusted network. VPN creates a secure tunnel to traverse untrusted networks. There is a lot of VPN software available in the market. Some are free, and some are commercial.

OpenVPN is a free, open-source and one of the most popular VPN solutions. It has many configuration options that provide encryption and protect your online activities using the secure tunnel. It uses the OpenSSL library and 256-bit encryption, so most VPN providers use this protocol.

This post will show you how to set up an OpenVPN server on Ubuntu 20.04.

Table Of Contents

Requirements

  • Two running systems on Ubuntu, one for the VPN server and one for the VPN client.

  • A root password is configured on both systems.

Before starting, you will need to update your software packages to the latest version. You can update them with the following command:

apt-get update -y

Once all the packages are updated, you can proceed to the next step.

Install OpenVPN

By default, the OpenVPN package is included in the Ubuntu standard repository. You can install it by running the following command:

apt-get install openvpn -y

After the installation, you will need to create a server certificate and key files.

Generate Server Certificate and Key File

This section will show you how to generate CA authority and server certificate files.

Configure Certificate Authority

First, you will need to download EasyRSA to your server. The EasyRSA is a tool that you can use to generate server certificates and key files.

You can download it from the Git repository using the following command:

wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

After downloading, extract the downloaded with the following command:

tar -xvzf EasyRSA-3.0.8.tgz

Next, copy the extracted directory to the OpenVPN with the following command:

mv EasyRSA-v3.0.8 /etc/openvpn/easy-rsa

Next, navigate to the easy-rsa directory and create a configuration file to generate certificate authority.

cd /etc/openvpn/easy-rsa nano vars

Add the following lines:

set_var EASYRSA "$PWD" set_var EASYRSA_PKI "$EASYRSA/pki" set_var EASYRSA_DN "cn_only" set_var EASYRSA_REQ_COUNTRY "INDIA" set_var EASYRSA_REQ_PROVINCE "Gujarat" set_var EASYRSA_REQ_CITY "Ahmedabad" set_var EASYRSA_REQ_ORG "Example CERTIFICATE AUTHORITY" set_var EASYRSA_REQ_EMAIL "admin@example.com" set_var EASYRSA_REQ_OU "Example EASY CA" set_var EASYRSA_KEY_SIZE 2048 set_var EASYRSA_ALGO rsa set_var EASYRSA_CA_EXPIRE 7500 set_var EASYRSA_CERT_EXPIRE 365 set_var EASYRSA_NS_SUPPORT "no" set_var EASYRSA_NS_COMMENT "Example CERTIFICATE AUTHORITY" set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" set_var EASYRSA_DIGEST "sha256"

Save and close the file, then initiate the PKI directory with the following command:

./easyrsa init-pki

This will create a pki directory under /etc/openvpn/easy-rsa/ as shown below:

Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Next, you will need to build the certificate authority. You can build it with the following command:

./easyrsa build-ca

This will create two files named ca.key and ca.crt as shown below:

Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1f 23 Jan 2021 Enter New CA Key Passphrase: Re-Enter New CA Key Passphrase: Generating RSA private key, 2048 bit long modulus (2 primes) .....................................................................................................+++++ ..................................................+++++ Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG 139636302492992:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename= /etc/openvpn/easy-rsa/pki/.rnd You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]: CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/pki/ca.crt

Generate Server Certificate Files

Next, you must create a certificate request and key pair for your server. You can make it with the following command:

./easyrsa gen-req example-server nopass

You should see the following output:

Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1f 23 Jan 2021 Generating a RSA private key .............................+++++ ...+++++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/example-server.key.IMonKybM0y' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [example-server]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/example-server.req key: /etc/openvpn/easy-rsa/pki/private/example-server.key

Sign the Server Key

Next, you must sign your example-server key using your CA certificate. You can sign it with the following command:

./easyrsa sign-req server example-server

It would be best if you get the following output:

Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1f 23 Jan 2021 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 365 days: subject= commonName = example-server Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'example-server' Certificate is to be certified until Jan 23 11:43:05 2022 GMT (365 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/pki/issued/example-server.crt

Next, generate a strong Diffie-Hellman key with the following command:

./easyrsa gen-dh

This will generate a dh.pem file inside the /etc/openvpn/easy-rsa/pki/ directory as shown below:

Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1f 23 Jan 2021 Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ......................+...........................+............................................ DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

At this point, all certificates and key files are generated. You must copy them inside /etc/OpenVPN/server/ directory.

You can copy them with the following command:

cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/ cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/ cp /etc/openvpn/easy-rsa/pki/private/example-server.key /etc/openvpn/server/ cp /etc/openvpn/easy-rsa/pki/issued/example-server.crt /etc/openvpn/server/

Generate Client Certificate and Key File

In this section, we will show you how to generate the key and certificate file for the client.

First, change the directory to /etc/OpenVPN/easy-RSA/ and build the client key file with the following command:

./easyrsa gen-req client nopass

You should see the following output:

Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1f 23 Jan 2021 Generating a RSA private key ...+++++ ........+++++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.JmBal6cmr8' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/client.req key: /etc/openvpn/easy-rsa/pki/private/client.key

Next, sign the generated client key using your CA certificate with the following command:

./easyrsa sign-req client client

You should see the following output:

Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1f 23 Jan 2021 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 365 days: subject= commonName = client Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'client' Certificate is to be certified until Jan 23 11:46:58 2023 GMT (365 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt

Next, you must copy all client certificates and key files to the /etc/OpenVPN/client/ directory.

You can copy them with the following command:

cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/ cp /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn/client/ cp /etc/openvpn/easy-rsa/pki/private/client.key /etc/openvpn/client/

Configure OpenVPN Server

In this section, we will create an OpenVPN configuration file.

First, create an OpenVPN configuration file with the following command:

nano /etc/openvpn/server.conf

Add the following lines:

port 1194 proto udp dev tun ca /etc/openvpn/server/ca.crt cert /etc/openvpn/server/example-server.crt key /etc/openvpn/server/example-server.key dh /etc/openvpn/server/dh.pem server 10.8.0.0 255.255.255.0 push "redirect-gateway def1" push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220" duplicate-cn cipher AES-256-CBC tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 auth SHA512 auth-nocache keepalive 20 60 persist-key persist-tun compress lz4 daemon user nobody group nogroup log-append /var/log/openvpn.log verb 3

Save the file, then start and enable the OpenVPN service with the following command;

systemctl start openvpn@server systemctl enable openvpn@server

After starting the OpenVPN service, you can verify the OpenVPN interface with the following command:

ip a show tun0

It would be best if you get the following output:

4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100 link/none inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0 valid_lft forever preferred_lft forever inet6 sa80::5h63:87n:31a:ag5/64 scope link stable-privacy valid_lft forever preferred_lft forever

Generate Client Configuration File

At this point, your OpenVPN server is ready. You will need to create a configuration file for the client machine. You can create it with the following command:

nano /etc/openvpn/client/client.ovpn

Add the following lines:

client dev tun proto udp remote your-vpn-server-ip 1194 ca ca.crt cert client.crt key client.key cipher AES-256-CBC auth SHA512 auth-nocache tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 resolv-retry infinite compress lz4 nobind persist-key persist-tun mute-replay-warnings verb 3

Save and close the file when you are finished. You can need to transfer this file and all client certificates to the client machine from where you want to connect OpenVPN server.

Install and Setup OpenVPN Client

Next, go to the Client machine and install the OpenVPN client with the following command;

apt-get install openvpn -y

Next, copy all client certificate files to the client machine with the following command:

scp -r root@vpn-server-ip:/etc/openvpn/client .

Next, navigate to the client directory and connect to your VPN server with the following command:

cd client openvpn --config client.ovpn

Once the connection has been established successfully, you should see the following output:

Jan 23 09:23:27 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.225:1194 Jan 23 09:23:27 2021 Socket Buffers: R=[212992->212992] S=[212992->212992] Jan 23 09:23:27 2021 UDP link local: (not bound) Jan 23 09:23:27 2021 UDP link remote: [AF_INET]192.168.1.225:1194 Jan 23 09:23:27 2021 TLS: Initial packet from [AF_INET]192.168.1.225:1194, sid=6d27e1cb 524bd8cd Jan 23 09:23:27 2021 VERIFY OK: depth=1, CN=Easy-RSA CA Jan 23 09:23:27 2021 VERIFY OK: depth=0, CN=atlantic-server Jan 23 09:23:27 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA Jan 23 09:23:27 2021 [atlantic-server] Peer Connection Initiated with [AF_INET]192.168.1.225:1194 Jan 23 09:23:27 2021 SENT CONTROL [atlantic-server]: 'PUSH_REQUEST' (status=1) Jan 23 09:23:27 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'

Next, verify your OpenVPN connection with the following command;

ip a show tun0

You should get a new IP address as shown in the following output:

4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100 link/none inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0 valid_lft forever preferred_lft forever inet6 ds06::hd64:32js:d303:132s/64 scope link stable-privacy valid_lft forever preferred_lft forever

Conclusion

In the above post, you have learned how to install and set up the OpenVPN server on Ubuntu. You also learned how to install the OpenVPN client and connect to the OpenVPN server. I hope this will help you to set up an OpenVPN on your cloud server.

Is OpenVPN cloud safe?

The experts strongly advise OpenVPN as the most secure protocol you can find. Only minor security flaws were discovered during protocol audits, but OpenVPN promptly fixed them.

Backup one server, database, or application for free forever.

No credit card required. Cancel anytime!

Was this page helpful?

Thank you for helping us improve!