How to Set Up an OpenVPN Server on Ubuntu 22.04
July 3, 2023
Step 1: Get a VPS and Connect to It
- Register and pay for a VPS. The author used justhost and chose the cheapest virtual machine in the Netherlands.
- While waiting for the VPS to start, download PuTTY.
- Once the VPS is running, you will receive an email with the root password and the IPv4 address. Keep both; you need them to log in.
- Open PuTTY, enter the IPv4 address from the email in the "Host Name (or IP address)" field and click "Open".
- On the first connection PuTTY shows the server's SSH host key fingerprint and asks whether to trust it. Accept it; the prompt appears only once for this host.
- When you see "login as:", you are connected. Enter "root" and, when asked for a password, enter the password from the email.
Step 2: Create a New User and Log In
- Do not keep working as root: create a regular user with sudo rights and log in as that user. While still logged in as root, run:
useradd -m <username>
passwd <username>
usermod -aG sudo <username>
chsh -s /bin/bash <username>
- Reconnect with PuTTY and log in as the new user. Every command from here on is run as that user, which is why the commands below start with sudo.
Step 3: Preliminary Preparation
- Refresh the package index and install the necessary packages:
sudo apt update
sudo apt install easy-rsa openvpn iptables-persistent
- During the installation iptables-persistent asks whether to save the current IPv4 and IPv6 rules; answer yes. Ubuntu 22.04 ships Easy-RSA 3, which provides the ./easyrsa command used below.
Step 4: Configure the Firewall
- Open UDP port 1194 for OpenVPN and save the rule so that it survives a reboot:
sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT
sudo netfilter-persistent save
- The /etc/nat script from Step 7 flushes and rewrites the whole ruleset every time the OpenVPN server starts, so this saved rule only matters until then.
Step 5: Set Up VPN Directories
- Use the following commands:
sudo mkdir -p /etc/openvpn/keys
sudo mkdir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
sudo cp -r /usr/share/easy-rsa/* .
sudo mkdir /etc/openvpn/ccd
Step 6: Configure VPN
- Create the Easy-RSA vars file (you are still in /etc/openvpn/easy-rsa):
sudo nano vars
In the editor that opens, insert the following and replace the values with your own information. Ubuntu 22.04 ships Easy-RSA 3, whose vars file uses set_var and the EASYRSA_REQ_* names; the older export KEY_* form is not understood by Easy-RSA 3:
set_var EASYRSA_REQ_COUNTRY  "RU"
set_var EASYRSA_REQ_PROVINCE "Moscow"
set_var EASYRSA_REQ_CITY     "Moscow"
set_var EASYRSA_REQ_ORG      "sten"
set_var EASYRSA_REQ_EMAIL    "<your e-mail address>"
set_var EASYRSA_REQ_OU       "sten"
set_var EASYRSA_REQ_CN       "sten"
Easy-RSA 3 has no equivalent of the old KEY_NAME and KEY_ALTNAMES variables. They are not needed here: the clients in this setup verify the server certificate against the CA, not against a hostname.
- Press ctrl+x, y, enter in that order.
Step 7: Configure /etc/nat (Firewall)
- Use the following command:
sudo nano /etc/nat
In the editor that opens, insert the following. OpenVPN runs this script every time the server starts (the up line in Step 9) and it replaces the whole ruleset, so rule order matters: iptables applies the first matching rule. Replace eth0 with the name of your VPS's public interface if it differs (check with ip -br link):
#!/bin/sh
# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Reset firewall settings
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Allow replies to connections we initiated towards the outside
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH connections
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Allow OpenVPN connections
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
# Allow incoming traffic from tun0 (the VPN clients)
iptables -A INPUT -i tun0 -j ACCEPT
# Deny everything else incoming from the outside
iptables -A INPUT -i eth0 -j DROP
# Allow transit traffic from the tunnel out to the internet
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
# Allow transit replies to connections initiated from the tunnel side
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Deny all other transit traffic from the outside into the tunnel
iptables -A FORWARD -i eth0 -o tun0 -j DROP
# Enable masquerading for the VPN network
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
- The FORWARD chain deliberately has no unconditional eth0-to-tun0 ACCEPT. Such a rule, placed before the ESTABLISHED,RELATED and DROP rules, would match first and let anyone on the internet reach the VPN clients through the server.
- Press ctrl+x, y, enter in that order.
- Make the script executable:
sudo chmod 755 /etc/nat
Step 8: Create Server Keys
- Still in /etc/openvpn/easy-rsa, initialise the PKI and build the CA:
sudo ./easyrsa init-pki
sudo ./easyrsa build-ca
- Enter and remember the CA passphrase (Enter New CA Key Passphrase). It is needed every time a certificate is signed, including every client certificate in Step 11. Accept or edit the suggested Common Name.
- Create and sign the server certificate, generate the Diffie-Hellman parameters and the tls-auth key, and copy everything the server needs into /etc/openvpn/keys:
sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server
sudo ./easyrsa gen-dh
sudo openvpn --genkey secret pki/ta.key
sudo cp pki/ca.crt /etc/openvpn/keys/
sudo cp pki/issued/server.crt /etc/openvpn/keys/
sudo cp pki/private/server.key /etc/openvpn/keys/
sudo cp pki/dh.pem /etc/openvpn/keys/
sudo cp pki/ta.key /etc/openvpn/keys/
- sign-req asks you to confirm the request and then for the CA passphrase. The CA private key (pki/private/ca.key) stays in this directory; only ca.crt is copied.
Step 9: Configure Server
- Use the following command:
sudo nano /etc/openvpn/server.conf
- In the editor that opens, insert the following and replace the placeholders with your own information:
local 999.999.999.999
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh.pem
tls-auth keys/ta.key 0
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 10 120
max-clients 32
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 4
mute 20
daemon
mode server
tls-server
comp-lzo
tun-mtu 1500
mssfix 1450
cipher AES-256-GCM
topology subnet
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
script-security 2
up /etc/nat
- Replace "local 999.999.999.999" with "local <your VPS's external IP address>".
- script-security 2 is what allows OpenVPN to run the external /etc/nat script named by up; below that level OpenVPN refuses to run the script and logs "External program may not be called unless '--script-security 2' or higher is enabled". Ubuntu's openvpn@ systemd unit already passes this flag on the command line, but keeping it in the file means the config also works when openvpn is started by hand.
- mssfix must be below tun-mtu to have any effect: a value of 1620 against a 1500-byte tunnel MTU clamps nothing. 1450 is OpenVPN's default.
- comp-lzo is deprecated in OpenVPN 2.5, the version shipped with Ubuntu 22.04. If you remove it, remove it from the client profile in Step 11 as well; both sides must agree on compression.
- Relative paths such as keys/ca.crt and ipp.txt resolve against /etc/openvpn, the working directory set by the systemd unit.
Step 10: Start Server
- Start the server, enable it so that it comes back after a reboot, and check that it is running:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
sudo systemctl status openvpn@server
- If the status is not "active (running)", look in /var/log/openvpn/openvpn.log or run sudo journalctl -u openvpn@server for the reason; a mistyped path in server.conf or an interface name other than eth0 in /etc/nat are the usual causes. A successful start also means /etc/nat has run, which you can confirm with sudo iptables -S.
- Congratulations! You have started the server!
Step 11: Generate Certificates
- Create the helper script in a directory of your choice:
cd /<any directory you like>
sudo nano gen_sert.sh
- In the editor that opens, insert the following and replace the placeholders with your own information:
#!/bin/bash
# gen_sert.sh <client-name>: issue a client certificate signed by the CA from
# Step 8 and write a matching .ovpn profile plus its key files to /tmp/keys.
if [ $# -ne 1 ]; then
    echo "Usage: $0 <client-name>"
    exit 1
fi
client_name=$1
out=/tmp/keys
rm -rf "$out"
mkdir -m 700 "$out"
cd /etc/openvpn/easy-rsa || exit 1
export EASYRSA_CERT_EXPIRE=1460   # client certificate lifetime in days
# Signing uses ca.key, so Easy-RSA prompts for the CA passphrase from Step 8.
./easyrsa build-client-full "$client_name" nopass || exit 1
cp "pki/issued/$client_name.crt" "pki/private/$client_name.key" pki/ca.crt pki/ta.key "$out/"
cat << EOF > "$out/$client_name.ovpn"
client
resolv-retry infinite
nobind
remote 999.999.999.999 1194
proto udp
dev tun
comp-lzo
ca ca.crt
cert $client_name.crt
key $client_name.key
remote-cert-tls server
tls-client
tls-auth ta.key 1
float
keepalive 10 120
persist-key
persist-tun
tun-mtu 1500
mssfix 1450
cipher AES-256-GCM
verb 0
EOF
# Hand the bundle to the user who ran sudo; the private key stays readable only by that user.
chown -R "${SUDO_USER:-root}" "$out"
chmod 600 "$out"/*
echo "OpenVPN client configuration file created: $out/$client_name.ovpn"
- Press ctrl+x, y, enter in that order.
- Replace "remote 999.999.999.999 1194" with "remote <server IP> 1194".
- remote-cert-tls server makes the client check that the certificate it is offered carries the server extended key usage that sign-req server added in Step 8. Without it, anyone holding a client certificate from the same CA could pose as the server to other clients.
- Run the script once per client. The name you pass becomes the certificate's Common Name and is also the file name you will use in Step 12:
sudo bash ./gen_sert.sh <certificate name>
- Copy the five files from /tmp/keys (<certificate name>.ovpn, <certificate name>.crt, <certificate name>.key, ca.crt and ta.key) to the client machine over a secure channel such as scp, keep them in one directory there, and delete /tmp/keys afterwards. The .key file is the client's private key: anyone who obtains it can connect as that client.
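The server.conf from Step 9 and the .ovpn that gen_sert.sh writes are easy to get subtly wrong: a 999.999.999.999 placeholder left in place, an mssfix above tun-mtu, compression still on, no tls-auth or tls-crypt key, an up script without script-security 2, a client without remote-cert-tls server, or a tls-auth key direction that does not match the server's 0. The following POSIX shell script checks both files for exactly those points. It is an added example, not code from the original tutorial or from the OpenVPN project; it only understands the one-option-per-line style used here, and the sample configs it writes to a temporary directory, their file names and the 203.0.113.10 address are constructed for the demonstration.

```shell
#!/bin/sh
# ovpn-lint.sh: static checks for an OpenVPN server.conf and a client .ovpn in
# the one-option-per-line style used in this tutorial. Added example; not part
# of the original page. Sample configs and the 203.0.113.10 address are made up.

# Print the arguments of option $2 in config file $1 (first occurrence only).
opt() {
    awk -v o="$2" '$1 == o { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed if option $2 appears in config file $1.
has_opt() {
    awk -v o="$2" '$1 == o { found = 1 } END { exit !found }' "$1"
}

# Checks that apply to both sides; one finding per line on stdout.
lint_common() {
    f=$1
    mtu=$(opt "$f" tun-mtu); mss=$(opt "$f" mssfix)
    # mssfix above the tunnel MTU never clamps anything.
    if [ -n "$mtu" ] && [ -n "$mss" ] && [ "$mss" -gt "$mtu" ]; then
        echo "mssfix $mss exceeds tun-mtu $mtu; use a value below the MTU (1450 is the default)"
    fi
    # Compression is deprecated in OpenVPN 2.5 and both sides must agree on it.
    if has_opt "$f" comp-lzo || has_opt "$f" compress; then
        echo "compression enabled (comp-lzo/compress); deprecated, remove it on both sides"
    fi
    # Without a shared HMAC key the TLS handshake is exposed to every sender.
    if ! has_opt "$f" tls-auth && ! has_opt "$f" tls-crypt; then
        echo "no tls-auth or tls-crypt key configured"
    fi
}

lint_server() {
    f=$1
    lint_common "$f"
    # 'up' names an external script; OpenVPN only runs those at script-security 2 or higher.
    if has_opt "$f" up; then
        ss=$(opt "$f" script-security)
        [ "${ss:-1}" -ge 2 ] || echo "up script set but script-security is ${ss:-unset (default 1)}"
    fi
    case "$(opt "$f" local)" in
        999.999.999.999) echo "local still holds the 999.999.999.999 placeholder" ;;
    esac
}

lint_client() {
    f=$1
    lint_common "$f"
    # Without this, any client certificate from the same CA could pose as the server.
    has_opt "$f" remote-cert-tls || echo "remote-cert-tls server missing"
    case "$(opt "$f" remote)" in
        999.999.999.999*) echo "remote still holds the 999.999.999.999 placeholder" ;;
    esac
    # The server uses key direction 0, so the client must use 1.
    ta=$(opt "$f" tls-auth)
    case "$ta" in
        ""|*" 1") ;;
        *) echo "tls-auth key direction on the client should be 1 (got: $ta)" ;;
    esac
}

# Number of findings, for scripting: lint_count server|client FILE
lint_count() {
    "lint_$1" "$2" | awk 'END { print NR }'
}

# Constructed samples written to directory $1: the tutorial's values as first
# written, and a corrected pair.
write_samples() {
    d=$1
    printf '%s\n' 'local 999.999.999.999' 'port 1194' 'proto udp' 'dev tun' \
        'tls-auth keys/ta.key 0' 'server 10.0.0.0 255.255.255.0' 'comp-lzo' \
        'tun-mtu 1500' 'mssfix 1620' 'cipher AES-256-GCM' 'up /etc/nat' \
        > "$d/server-weak.conf"
    printf '%s\n' 'local 203.0.113.10' 'port 1194' 'proto udp' 'dev tun' \
        'tls-auth keys/ta.key 0' 'server 10.0.0.0 255.255.255.0' \
        'tun-mtu 1500' 'mssfix 1450' 'cipher AES-256-GCM' \
        'script-security 2' 'up /etc/nat' > "$d/server-fixed.conf"
    printf '%s\n' 'client' 'remote 999.999.999.999 1194' 'proto udp' 'dev tun' \
        'comp-lzo' 'tls-auth ta.key 1' 'tun-mtu 1500' 'mssfix 1620' \
        > "$d/client-weak.ovpn"
    printf '%s\n' 'client' 'remote 203.0.113.10 1194' 'proto udp' 'dev tun' \
        'remote-cert-tls server' 'tls-auth ta.key 1' 'tun-mtu 1500' \
        'mssfix 1450' > "$d/client-fixed.ovpn"
}

# Usage: ./ovpn-lint.sh server /etc/openvpn/server.conf
#        ./ovpn-lint.sh client /tmp/keys/<name>.ovpn
if [ "$#" -eq 2 ]; then
    "lint_$1" "$2"
fi
```

Run it as ./ovpn-lint.sh server /etc/openvpn/server.conf or ./ovpn-lint.sh client /tmp/keys/<name>.ovpn; no output means no findings. On the tutorial's values as first written it reports four problems per file, and none on the corrected pair. It does not follow config directives or inline <ca> blocks, and a clean run says nothing about the certificates themselves.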
Step 12: Assign Static Addresses to Clients
- The server reads /etc/openvpn/ccd/<name> when a client whose certificate Common Name is <name> connects, so create one file per client, named exactly as the certificate name you passed to gen_sert.sh:
cd /etc/openvpn/ccd
sudo nano <certificate name>
In the editor that opens, insert the following and replace the placeholder with your own information:
ifconfig-push 10.0.0.<host number> 255.255.255.0
- Pick each host number from 2 to 254 and never reuse one: 10.0.0.1 is the server itself, and two clients pushed the same address will conflict. The address-plus-netmask form shown here is the one for topology subnet, which server.conf sets. No restart is needed; the file is read at the client's next connection.
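Nothing warns you when two ccd files push the same address or when one of them names the server's own 10.0.0.1, so once several clients exist it is worth checking the directory as a whole. The following POSIX shell script does that: it reads every file in a client-config-dir and reports duplicate addresses, addresses outside the usable 10.0.0.2 to 10.0.0.254 range, and netmasks other than the one topology subnet expects. It is an added example, not part of the original tutorial; the sample directory it builds and the client names in it (alice, bob, carol, dave, erin) are constructed.

```shell
#!/bin/sh
# ccd-lint.sh: sanity-check the per-client files in an OpenVPN client-config-dir
# for ifconfig-push addresses that repeat, fall outside the server's
# 10.0.0.0/24 pool, or carry the wrong netmask for 'topology subnet'.
# Added example for this tutorial, not code from the original page. Directory
# paths and the sample client names below are made up.

POOL=10.0.0          # first three octets of the 'server 10.0.0.0 255.255.255.0' line
MASK=255.255.255.0   # netmask every ccd entry must carry under 'topology subnet'

# Print "<client> <address> <netmask>" for every ifconfig-push line in directory $1.
# The file name is the client certificate's CN, so it is reported as the client.
ccd_entries() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v n="$(basename "$f")" '$1 == "ifconfig-push" { print n, $2, $3 }' "$f"
    done
}

# Succeed if $1 is a usable client address: inside the pool and not the
# network address, the server's own .1, or the broadcast address.
in_pool() {
    case "$1" in
        "$POOL".0|"$POOL".1|"$POOL".255) return 1 ;;
        "$POOL".*) last=${1##*.}
                   [ "$last" -ge 2 ] 2>/dev/null && [ "$last" -le 254 ] 2>/dev/null ;;
        *) return 1 ;;
    esac
}

# Print one finding per line for directory $1 (no output means clean).
ccd_lint() {
    entries=$(ccd_entries "$1")
    # Same address handed to two clients.
    printf '%s\n' "$entries" | awk '{ print $2 }' | sort | uniq -d | while read -r a; do
        [ -n "$a" ] || continue
        who=$(printf '%s\n' "$entries" | awk -v a="$a" '$2 == a { printf "%s ", $1 }')
        echo "duplicate address $a: $who"
    done
    # Per-entry range and netmask checks.
    printf '%s\n' "$entries" | while read -r name addr mask; do
        [ -n "$name" ] || continue
        in_pool "$addr" || echo "$name: $addr is outside the usable pool $POOL.2-$POOL.254"
        [ "$mask" = "$MASK" ] || echo "$name: netmask '$mask' should be $MASK"
    done
}

# Number of findings, for scripting: ccd_lint_count DIR
ccd_lint_count() {
    ccd_lint "$1" | awk 'END { print NR }'
}

# Constructed sample ccd directory written to $1: two clean entries and three
# kinds of mistake.
write_sample_ccd() {
    printf 'ifconfig-push 10.0.0.10 255.255.255.0\n'   > "$1/alice"
    printf 'ifconfig-push 10.0.0.11 255.255.255.0\n'   > "$1/bob"
    printf 'ifconfig-push 10.0.0.10 255.255.255.0\n'   > "$1/carol"   # repeats alice
    printf 'ifconfig-push 10.0.0.1 255.255.255.0\n'    > "$1/dave"    # server's own address
    printf 'ifconfig-push 10.0.0.12 255.255.255.255\n' > "$1/erin"    # wrong netmask
}

# Usage: ./ccd-lint.sh /etc/openvpn/ccd
if [ "$#" -eq 1 ]; then
    ccd_lint "$1"
fi
```

Run it as ./ccd-lint.sh /etc/openvpn/ccd after adding or renaming a client file. If you changed the server line in server.conf, adjust POOL to match; the script deliberately does not read server.conf itself.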
That’s it! You have now set up an OpenVPN server on Ubuntu 22.04. Enjoy your free and secure internet, regardless of your location.