What is OpenVPN?
OpenVPN is a fast, popular open-source program for creating a VPN (Virtual Private Network). It can run over either the TCP or the UDP transport protocol, and VPN tunnels are secured with the OpenVPN protocol using SSL/TLS authentication, certificates and credentials, optionally combined with a MAC address lock and multi-factor authentication.
Installing the packages
To start off, update your VPN server’s package index and install OpenVPN. OpenVPN is available in Ubuntu’s default repositories, so you can use apt for the installation:
sudo apt update
sudo apt install openvpn
OpenVPN utilizes certificates in order to encrypt traffic between the server and clients. To issue trusted certificates, you will set up your own simple certificate authority (CA). To do this, we will download the latest version of EasyRSA, which we will use to build our CA public key infrastructure (PKI), from the project’s official GitHub repository.
To begin building the CA and PKI infrastructure, use wget to download the latest version of EasyRSA on both your CA machine and your OpenVPN server. To get the latest version, go to the Releases page on the official EasyRSA GitHub project, copy the download link for the file ending in .tgz, and then paste it into the following command:
wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
Then extract the tarball:
cd ~
tar xvf EasyRSA-3.0.8.tgz
You have successfully installed all the required software on your server and CA machine. Continue on to configure the variables used by EasyRSA and to set up a CA directory, from which you will generate the keys and certificates needed for your server and clients to access the VPN.
Configuring the packages
EasyRSA comes installed with a configuration file which you can edit to define a number of variables for your CA.
On your CA machine, navigate to the EasyRSA directory:
cd ~/EasyRSA-3.0.8/
Inside this directory is a file named vars.example. Make a copy of this file, and name the copy vars without a file extension:
cp vars.example vars
Open this new file using your preferred text editor. Here, we’ll use nano:
nano vars
Find the settings that set field defaults for new certificates. It will look something like this:
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "firstname.lastname@example.org"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
Uncomment these lines by removing the pound sign (#) at the beginning of each one. Then update the highlighted values to whatever you’d prefer, but do not leave them blank:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "New York"
set_var EASYRSA_REQ_CITY "New York City"
set_var EASYRSA_REQ_ORG "How To Ubuntu"
set_var EASYRSA_REQ_EMAIL "email@example.com"
set_var EASYRSA_REQ_OU "How To Ubuntu Network"
When you are finished, save and close the file. If you edited the file using nano, do so by pressing CTRL + X, Y, and then ENTER.
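The text above insists that none of the EASYRSA_REQ_* values be left blank, because an empty field ends up in every certificate the CA issues. The following script is an added example, not part of the original tutorial or of EasyRSA itself: it lints a vars file and reports any active (uncommented) EASYRSA_REQ_* setting whose value is empty. The function names and the sample vars file it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the tutorial or EasyRSA): lint an EasyRSA "vars" file
# and fail if any active EASYRSA_REQ_* setting is blank. Lines that are still
# commented out with a leading '#' are ignored, since EasyRSA ignores them too.
# Usage: check_vars ~/EasyRSA-3.0.8/vars

# Print the name of every active EASYRSA_REQ_* variable whose value is "" or
# contains only whitespace, one per line.
blank_req_vars() {
    grep -E '^[[:space:]]*set_var[[:space:]]+EASYRSA_REQ_[A-Z_]+' "$1" \
        | grep -E '"[[:space:]]*"[[:space:]]*$' \
        | awk '{print $2}'
}

# Return 0 when no active EASYRSA_REQ_* value is blank, 1 otherwise
# (the offending variable names are written to stderr).
check_vars() {
    blanks=$(blank_req_vars "$1")
    if [ -n "$blanks" ]; then
        echo "blank values in $1:" >&2
        echo "$blanks" >&2
        return 1
    fi
    return 0
}

# Write a constructed sample vars file (for demonstration only) to the given
# path: one commented line, one blank CITY value, the rest filled in.
make_sample_vars() {
    cat > "$1" <<'EOF'
#set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "New York"
set_var EASYRSA_REQ_CITY ""
set_var EASYRSA_REQ_ORG "How To Ubuntu"
EOF
}
```

Run `check_vars` against your own vars file after editing it; a non-zero exit means at least one uncommented field is still empty and should be filled in before you run build-ca.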
Within the EasyRSA directory is a script called easyrsa which is called to perform a variety of tasks involved with building and managing the CA. Run this script with the init-pki option to initiate the public key infrastructure on the CA server:
sh easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/EasyRSA-3.0.8/pki
After this, call the easyrsa script again, following it with the build-ca option. This builds the CA and creates two important files: ca.crt, the CA's public certificate, and ca.key, its private key. Together they make up the public and private sides of the CA's SSL certificate.
If you don’t want to be prompted for a password every time you interact with your CA, you can run the build-ca command with the nopass option, like this:
sh easyrsa build-ca nopass
In the output, you’ll be asked to confirm the common name for your CA:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
Now that you have a CA ready to go, you can generate a private key and certificate request from your server and then transfer the request over to your CA to be signed, creating the required certificate. You’re also free to create some additional files used during the encryption process.
Start by navigating to the EasyRSA directory on your OpenVPN server:
cd ~/EasyRSA-3.0.8/
From there, run the easyrsa script with the init-pki option. Although you already ran this command on the CA machine, it’s necessary to run it here because your server and CA will have separate PKI directories:
sh easyrsa init-pki
Then call the easyrsa script again, this time with the gen-req option followed by a common name for the machine. Again, this could be anything you like but it can be helpful to make it something descriptive. Throughout this tutorial, the OpenVPN server’s common name will simply be “server”. Be sure to include the nopass option as well. Failing to do so will password-protect the request file which could lead to permissions issues later on:
sh easyrsa gen-req server nopass
This will create a private key for the server and a certificate request file called server.req. Copy the server key to the /etc/openvpn/ directory:
sudo cp ~/EasyRSA-3.0.8/pki/private/server.key /etc/openvpn/
Using a secure method (like SCP, in our example below), transfer the server.req file to your CA machine:
scp ~/EasyRSA-3.0.8/pki/reqs/server.req sammy@your_CA_ip:/tmp
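Two things are worth checking at this point: that the server's private key stayed readable only by its owner after the cp into /etc/openvpn/, and that the server.req that arrives on the CA machine is byte-for-byte the file you generated, since the CA is about to sign whatever it finds in /tmp. The script below is an added example, not part of the tutorial, EasyRSA or OpenVPN: it provides a permission check for the key and a SHA-256 comparison you run on both machines (print the digest on the server, compare on the CA before signing). The function names are constructed; the paths in run_checks are the tutorial's own and are assumed to exist on the server.

```shell
#!/bin/sh
# Added example (not from the tutorial, EasyRSA or OpenVPN): sanity checks for
# the server key and request produced by "easyrsa gen-req server nopass".

# Print the octal permission bits of a file (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if a private key is readable by its owner alone (0600 or 0400);
# anything wider lets other local accounts read the VPN server's key.
check_key_private() {
    mode=$(file_mode "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $mode is too permissive, expected 600" >&2; return 1 ;;
    esac
}

# Print the SHA-256 digest of a file, using whichever tool is installed.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if two files have identical SHA-256 digests, 1 if they differ.
# On the CA machine, compare the received /tmp/server.req against the digest
# printed on the server before you sign it.
same_digest() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

# Checks to run on the OpenVPN server after the cp and before the scp above
# (paths are the tutorial's; assumed to exist).
run_checks() {
    check_key_private /etc/openvpn/server.key || return 1
    echo "server.req sha256: $(digest ~/EasyRSA-3.0.8/pki/reqs/server.req)"
}
```

EasyRSA already creates server.key with mode 600, and cp preserves the key's content but not necessarily its ownership, so the permission check is cheap insurance after the copy; the digest comparison catches a truncated or altered transfer before a certificate is issued for it.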