Configuring OpenVPN on Ubuntu 8.04 LTS

Configuring OpenVPN on Ubuntu 8.04 LTS

For me, setting up an OpenVPN server on Ubuntu Server was orders of magnitude easier than trying to use a commercial ipsec utility. Here's the steps to take to set up an Ubuntu 8.04 (Hardy) server.

First, be aware this setup makes a few assumptions. First, no bridging of networks is done which means no broadcast traffic and no multicast. I believe most people won't use those, so I'm not even going to try to explain how to make that work - I'm going for a quick and easy setup. Second, the server is on the Internet with a static IP address - or at least has a DNS entry somewhere so that computers on the outside can locate it. Your typical home network won't have a static IP, but with some of the "dynamic DNS" website / utilities, you can get around that restriction.

I'm also not going to try to deal with firewall issues in this HOWTO. If you can disable your firewall and everything works, then get your firewall working afterwards. The best advice I can give there is to allow all traffic to/from the "tun0" (or tun1 or tun2... whatever) device that the VPN creates, and allow incoming traffic on the Internet facing adapter (eth0?) to the TCP or UDP port you configure your server to listen on. It's really not that complicated for a basic setup.

First, become root (sudo su -) and then install the following:

apt-get install openvpn dnsmasq openssl
Unlike most software you'll install, this will not install configuration files for you by default. You'll want a quick barebones setup, so do the following:
mkdir /etc/openvpn
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
cd /etc/openvpn/
mkdir keys
nano vars

Insert the appropriate settings at the end of this file for your locality and organization name. Afterwards:

./clean-all
source ./vars
./build-ca

The build-ca will ask some questions. This part is for the "Certificate Authority" you are creating - so make sure you enter things accurately. It's mostly for documentation purposes, however and a wrong answer here is unlikely to break anything.

./build-key-server server
This generates an encryption key for your server. If you are positive you will only ever have one server, you can name it "server". Otherwise, name it something meaningful so you know what the key goes to. This does not have to be the dns name, but it may help to use that as a standard. When asked for the common name in the key that you're generating, you will want to use the same thing there. You may not want to put a password on this file so you can have it automatically start at boot. Make sure you tell it to sign the certificate when it asks.
./build-key client-name

This generates the keys that you'll need both on the server and on the client to make the connection work. Replace "client-name" with something you'll use to remember who's key this belongs to. Perhaps a user's name or a laptop workstation name would be good here. NOTE: if you close the console and come back later to generate more keys, you'll need to run "source ./vars" before running build-key again.

Now you'll need to build the "DH" key. This might take some time:

./build-dh
Once completed, copy the "client-name.key" "client-name.crt" and "ca.crt" files securely to the workstation that will be using them. I don't recommend emailing them - a USB drive is a great way to transfer them, or an SSH connection. Next we want to setup the server.conf file. We're going to start with the example provided:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz

Now edit the server.conf file with your favorite editor.

If your server has multiple interfaces - most firewall machines will because one will face the Internet and one face the LAN, you'll want to add the internet facing IP to this file (Obviously replace 1.2.3.4 with your IP address):

local 1.2.3.4
You may or may not want to change the port that OpenVPN listens on.
port 1194

Personally I found the TCP protcol to work much better for me. Apparently I'm getting packet loss and using UDP was causing extraordinary delays since UDP doesn't detect lost packets and packet order like TCP. So, I changed it to:

proto tcp
Use the TUN device unless you want to figure out how to do bridging, and make sure the dev-node line is commented out:
dev tun
;dev-node MyTap

Now we need to tell it where the server key files are located:

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem

Pick a subnet that the VPN server will assign clients to. This should be a different subnet from anything else you use:

server 10.8.0.0 255.255.255.0
If you want your clients to be able to access your LAN network, you'll need to push a route out to them:
push "route 192.168.1.0 255.255.255.0"

Make sure this matches your LAN route. However, if your LAN has a subnet that is the same as where a client might connect - like the above one based on the overly common "192.168.1.x" - you can choose to only route certain servers or subgroups of it. In this example, 192.168.1.5 and 192.168.1.127-255 will be available to the clients, but the remainder will not. This keeps the common Internet router address of 192.168.1.1 from conflicting:

push "route 192.168.1.5 255.255.255.255"
push "route 192.168.1.128 255.255.255.128"

To add to security just a bit, we want to make sure that the server drops to a non privileged user after it starts:

user nobody
group nogroup

The rest of the settings in this file should be able to be left at default without any trouble.

Start up your new VPN server manually at least once using:

openvpn /etc/openvpn/server.conf
With this you can watch the messages and see if something goes wrong. Next, on an Ubuntu client you install:
sudo apt-get install openvpn dnsmasq openssl network-manager-openvpn

Left click on the network manager in the panel and choose "VPN Connection" "Configure VPN". Create a new OpenVPN connection.

For "Gateway" use the external IP address or DNS name of the OpenVPN server. The type is "Certificates (TLS)"

Attach your client .key, .crt and the ca.crt file in the appropriate places. Make sure those files are only readable by the user.

If you changed to TCP like I did, click the Advanced button and check "Use a TCP connection". If you changed the port that OpenVPN listens to, you'll want to add that here as well, and it's always good to check the LZO data compression if you're going over the Internet. There's also an option to make the VPN always start when you log in.

Save the changes and your client is configured. Left click on the network manager icon again and click on the new VPN entry to open the VPN connection.

Here's a screenshot of the client setup:


Once you're sure everything is working fine, you can configure openvpn to automatically start. Edit the /etc/default/openvpn file and uncomment:

AUTOSTART="all"
Then just do:
/etc/init.d/openvpn start

And there you have it - a fully functional VPN solution. There's also a Windows client version available, so you can use it in a mixed environment.

Posted by Tony on Feb 19, 2009 | Servers