How to Set Up an OpenVPN Server on Ubuntu 22.04


Step 1: Get a VPS and Connect to It

  • Register and pay for a VPS. The author used justhost and chose the cheapest virtual machine in the Netherlands.
  • While waiting for the VPS to start, download PuTTY.
  • Once the VPS is running, you will receive an email with the root password and the IPv4 address. Keep both.
  • Open PuTTY, enter the IPv4 address from the email in the “Host Name (or IP address)” field and click “Open”.
  • Accept the security warning (it appears only the first time you connect to this host).
  • When you see “login as:”, you are connected. Enter “root” and, when asked for a password, enter the password from the email.

Step 2: Create a New User and Log In

  • For security reasons, create a new user and log in as that user. Use the following commands:

useradd -m <username>
passwd <username>
usermod -aG sudo <username>
sudo chsh -s /bin/bash <username>

  • Reconnect and log in as the new user.

Step 3: Preliminary Preparation

  • Install the necessary packages:

sudo apt install easy-rsa
sudo apt install openvpn
sudo apt install iptables-persistent

Step 4: Configure the Firewall

  • Open the OpenVPN port and save the rule so it survives a reboot:

sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT
sudo netfilter-persistent save

Step 5: Set Up VPN Directories

  • Use the following commands:

sudo mkdir -p /etc/openvpn/keys
sudo mkdir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
sudo cp -r /usr/share/easy-rsa/* .
sudo mkdir /etc/openvpn/ccd

Step 6: Configure VPN

  • Configure the vars file. Ubuntu 22.04 ships easy-rsa 3, which reads set_var EASYRSA_REQ_* lines from vars; the export KEY_* names used by easy-rsa 2 are ignored, so the settings below use the easy-rsa 3 form:

sudo nano vars

In the interface that opens, insert the following and replace the placeholders with your own information:

# Defaults offered for the certificate subject fields (easy-rsa 3 syntax)
set_var EASYRSA_REQ_COUNTRY  "RU"
set_var EASYRSA_REQ_PROVINCE "Moscow"
set_var EASYRSA_REQ_CITY     "Moscow"
set_var EASYRSA_REQ_ORG      "sten"
set_var EASYRSA_REQ_EMAIL    "fdjgbi@sten.com"
set_var EASYRSA_REQ_CN       "sten"
set_var EASYRSA_REQ_OU       "sten"
# easy-rsa 3 has no vars equivalent of the easy-rsa 2 KEY_NAME / KEY_ALTNAMES
# settings (vpn.StenLi.com, vpn2.StenLi.com); the CN of each certificate is
# given on the easyrsa command line instead.

  • Press ctrl+x, y, enter in order.

Step 7: Configure /etc/nat (Firewall)

  • Use the following command:

sudo nano /etc/nat

In the interface that opens, insert the following. Replace eth0 with the name of your VPS’s external interface if it differs (check with ip addr):

#!/bin/sh

# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Reset firewall settings
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Allow replies to connections we initiated
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH connections
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# Allow OpenVPN connections
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT

# Allow incoming traffic from tun0
iptables -A INPUT -i tun0 -j ACCEPT

# Allow transit traffic from the tunnel out to the internet
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

# Deny everything else coming in from outside
iptables -A INPUT -i eth0 -j DROP

# Allow transit replies to connections initiated from inside the tunnel
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Deny all other transit traffic from the outside into the tunnel
# (an unconditional "-i eth0 -o tun0 -j ACCEPT" placed before this line
#  would make this rule unreachable, so no such rule is added above)
iptables -A FORWARD -i eth0 -o tun0 -j DROP

# Enable masquerading for the VPN network
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

  • Press ctrl+x, y, enter in order.
  • Make the script executable:

sudo chmod 755 /etc/nat
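Because iptables evaluates rules in order, a single ACCEPT placed too early silently defeats every DROP after it. The following script, an added example that is not part of the original article, audits an iptables-save dump offline for exactly the two orderings that matter for the /etc/nat policy above: the SSH and OpenVPN ACCEPTs must precede the eth0 DROP in INPUT, and no unconditional eth0-to-tun0 ACCEPT may shadow the transit DROP in FORWARD. The two sample dumps it writes are constructed; on the VPS you would feed it the output of sudo iptables-save instead.

```shell
#!/bin/sh
# Added example (not from the original article): offline audit of rule
# ordering in an iptables-save dump against the policy /etc/nat is meant
# to enforce. Sample dumps below are constructed for the demo.

# rule_line FILE REGEX: line number of the first rule matching REGEX, 0 if none.
rule_line() {
    n=$(grep -n -E -- "$2" "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# check_forward_policy FILE: unsolicited eth0->tun0 transit must reach a DROP,
# and no unconditional eth0->tun0 ACCEPT may sit in front of that DROP.
check_forward_policy() {
    f="$1"
    drop=$(rule_line "$f" '^-A FORWARD -i eth0 -o tun0 -j DROP$')
    open=$(rule_line "$f" '^-A FORWARD -i eth0 -o tun0 -j ACCEPT$')
    if [ "$drop" -eq 0 ]; then
        echo "FORWARD: no DROP for eth0->tun0 transit" >&2
        return 1
    fi
    if [ "$open" -ne 0 ] && [ "$open" -lt "$drop" ]; then
        echo "FORWARD: unconditional ACCEPT at line $open shadows the DROP at line $drop" >&2
        return 1
    fi
    return 0
}

# check_input_policy FILE: SSH and OpenVPN ACCEPTs must precede the eth0 DROP.
check_input_policy() {
    f="$1"
    drop=$(rule_line "$f" '^-A INPUT -i eth0 -j DROP$')
    vpn=$(rule_line "$f" '^-A INPUT -i eth0 -p udp .*--dport 1194 -j ACCEPT$')
    ssh=$(rule_line "$f" '^-A INPUT -i eth0 -p tcp .*--dport 22 -j ACCEPT$')
    if [ "$drop" -eq 0 ] || [ "$vpn" -eq 0 ] || [ "$ssh" -eq 0 ]; then
        echo "INPUT: missing eth0 DROP, OpenVPN or SSH rule" >&2
        return 1
    fi
    if [ "$vpn" -gt "$drop" ] || [ "$ssh" -gt "$drop" ]; then
        echo "INPUT: an ACCEPT comes after the eth0 DROP and is unreachable" >&2
        return 1
    fi
    return 0
}

# audit FILE: run both checks; on the server: sudo iptables-save > /tmp/rules && audit /tmp/rules
audit() {
    check_input_policy "$1" && check_forward_policy "$1"
}

# write_sample_dumps DIR: constructed dumps; bad.rules has the shadowing ACCEPT.
write_sample_dumps() {
    cat > "$1/good.rules" <<'EOF'
*filter
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j DROP
COMMIT
EOF
    cat > "$1/bad.rules" <<'EOF'
*filter
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j DROP
COMMIT
EOF
}

# Demo on the constructed dumps
tmp=$(mktemp -d)
write_sample_dumps "$tmp"
for f in good bad; do
    if audit "$tmp/$f.rules" 2>/dev/null; then echo "$f.rules: OK"; else echo "$f.rules: FAIL"; fi
done
rm -rf "$tmp"
```

The patterns deliberately skip over the match modules (-m udp, -m state) that iptables-save inserts, so the same checks work on a real dump; only line order is compared, which is what decides whether a rule can ever fire.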

Step 8: Create Server Keys

  • From /etc/openvpn/easy-rsa, use the following commands:

sudo ./easyrsa init-pki
sudo ./easyrsa build-ca

  • Enter and remember the password (Enter New CA Key Passphrase).
  • Use the following commands (sign-req asks you to confirm with “yes” and then for the CA passphrase):

sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server
sudo ./easyrsa gen-dh
sudo openvpn --genkey secret pki/ta.key
sudo cp pki/ca.crt /etc/openvpn/keys/
sudo cp pki/issued/server.crt /etc/openvpn/keys/
sudo cp pki/private/server.key /etc/openvpn/keys/
sudo cp pki/dh.pem /etc/openvpn/keys/
sudo cp pki/ta.key /etc/openvpn/keys/

Step 9: Configure Server

  • Use the following command:

sudo nano /etc/openvpn/server.conf

  • In the interface that opens, insert the following and replace the placeholders with your own information:

# External address and port the server listens on
local 999.999.999.999
port 1194
proto udp
dev tun

# Certificates and keys copied in Step 8 (paths are relative to /etc/openvpn)
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh.pem
tls-auth keys/ta.key 0

# VPN subnet; the server itself takes 10.0.0.1
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 10 120
max-clients 32
persist-key
persist-tun

# Logging
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 4
mute 20

daemon
mode server
tls-server
comp-lzo
tun-mtu 1500
mssfix 1620
cipher AES-256-GCM
topology subnet

# Route all client traffic through the VPN and hand out a DNS server
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

# Run the firewall script from Step 7 when the tunnel comes up;
# script-security 2 is required for OpenVPN to execute an up script
script-security 2
up /etc/nat

  • Replace “local 999.999.999.999” with “local <your VPS’s external IP address>”.

Step 10: Start Server

  • Use the following commands:

sudo systemctl start openvpn@server
sudo systemctl status openvpn@server

  • Congratulations! You have started the server!

Step 11: Generate Certificates

  • Use the following commands:

cd /<any directory you like>
sudo nano gen_sert.sh

  • In the interface that opens, insert the following and replace the placeholders with your own information:

#!/bin/bash

if [ $# -ne 1 ]; then
    echo "Usage: $0 <client-name>"
    exit 1
fi

client_name=$1
# CA key passphrase from Step 8. Leave it empty to be prompted for it instead
# of keeping it in this file; easy-rsa reads it through EASYRSA_PASSIN.
password=""
rm -rf /tmp/keys
mkdir /tmp/keys
cd /etc/openvpn/easy-rsa || exit 1
# Client certificates are valid for 1460 days (4 years)
export EASYRSA_CERT_EXPIRE=1460
[ -n "$password" ] && export EASYRSA_PASSIN="pass:$password"
./easyrsa build-client-full "$client_name" nopass || exit 1
# Client certificate and key, CA certificate and TLS-auth key
cp "pki/issued/$client_name.crt" "pki/private/$client_name.key" pki/ca.crt pki/ta.key /tmp/keys/
# Makes the files readable for retrieval; this includes the private key, so
# remove /tmp/keys as soon as the files have been copied off the server
chmod -R a+r /tmp/keys

cat << EOF > /tmp/keys/$client_name.ovpn
client
resolv-retry infinite
nobind
remote 999.999.999.999 1194
proto udp
dev tun
comp-lzo
ca ca.crt
cert $client_name.crt
key $client_name.key
tls-client
tls-auth ta.key 1
float
keepalive 10 120
persist-key
persist-tun
tun-mtu 1500
mssfix 1620
cipher AES-256-GCM
verb 0

EOF

echo "OpenVPN client configuration file created: /tmp/keys/$client_name.ovpn"

  • Replace “remote 999.999.999.999 1194” with “remote <server IP> 1194”.
  • Use the following command:

sudo bash ./gen_sert.sh <certificate name>

  • Go to /tmp/keys and retrieve the certificates.
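The profile written by gen_sert.sh refers to four separate files (ca.crt, the client certificate and key, ta.key), so every client ends up handling five pieces. OpenVPN also accepts the certificates and keys embedded inline between <ca>, <cert>, <key> and <tls-auth> tags, which lets you hand out a single .ovpn. The script below is an added example, not part of the original article: make_inline_ovpn builds such a file from the contents of /tmp/keys, and it adds remote-cert-tls server so the client only accepts a peer whose certificate was issued with the server role in Step 8 (without it, any client certificate from the same CA could pose as the server). The PEM files in the demo are constructed placeholders; the server address 203.0.113.10 is a documentation address standing in for your VPS.

```shell
#!/bin/sh
# Added example (not from the original article): assemble a single-file
# client profile with CA cert, client cert, client key and TLS-auth key
# embedded inline. Demo key material below is constructed, not real PEM.

# make_inline_ovpn KEYDIR CLIENT SERVER_IP OUTFILE
make_inline_ovpn() {
    dir="$1" name="$2" server="$3" out="$4"
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing $dir/$f" >&2
            return 1
        fi
    done
    # Subshell so the owner-only umask (the file holds a private key)
    # does not leak into the caller's shell.
    (
        umask 077
        {
            printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$server"
            printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
            printf 'tun-mtu 1500\nmssfix 1620\ncipher AES-256-GCM\ncomp-lzo\nverb 3\n'
            # Accept only a peer certificate issued for server use
            printf 'remote-cert-tls server\n'
            # Equivalent of "tls-auth ta.key 1" when the key is inline
            printf 'key-direction 1\n'
            printf '<ca>\n';       cat "$dir/ca.crt";    printf '</ca>\n'
            printf '<cert>\n';     cat "$dir/$name.crt"; printf '</cert>\n'
            printf '<key>\n';      cat "$dir/$name.key"; printf '</key>\n'
            printf '<tls-auth>\n'; cat "$dir/ta.key";    printf '</tls-auth>\n'
        } > "$out"
    )
}

# write_demo_keys DIR: constructed placeholder files standing in for /tmp/keys
write_demo_keys() {
    mkdir -p "$1"
    for f in ca.crt alice.crt alice.key ta.key; do
        printf '%s\n%s\n%s\n' '-----BEGIN PLACEHOLDER-----' "$f" '-----END PLACEHOLDER-----' > "$1/$f"
    done
}

# Demo: build a profile for the constructed client "alice"
tmp=$(mktemp -d)
write_demo_keys "$tmp/keys"
make_inline_ovpn "$tmp/keys" alice 203.0.113.10 "$tmp/alice.ovpn" && echo "wrote $tmp/alice.ovpn"
rm -rf "$tmp"
```

On the server you would call it as make_inline_ovpn /tmp/keys <certificate name> <server IP> /tmp/keys/<certificate name>.ovpn after running gen_sert.sh; the resulting single file is what you copy to the client.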

Step 12: Assign Static Addresses to Clients

  • Use the following commands:

cd /etc/openvpn/ccd
sudo nano <certificate name>

In the interface that opens, insert the following and replace the placeholder with your own information:

ifconfig-push 10.0.0.<host number> 255.255.255.0

The address must lie in the server’s 10.0.0.0/24 subnet, must not be the server’s own 10.0.0.1, and must not be given to more than one client; it then stays the same for this client across connections.
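Nothing in OpenVPN stops two ccd files from pushing the same address or an address outside the server subnet; the second client simply fails to get the address it was promised, or cannot route. The script below, an added example that is not part of the original article, audits a ccd directory for exactly the constraints stated above: duplicate addresses, addresses outside 10.0.0.0/24, and the server’s own 10.0.0.1. The ccd files in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit a client-config-dir
# for duplicate or unusable ifconfig-push addresses. Demo files are constructed.

# ccd_addresses DIR: prints "client address" for every ifconfig-push line
ccd_addresses() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v name="$(basename "$f")" '$1 == "ifconfig-push" { print name, $2 }' "$f"
    done
}

# ccd_duplicates DIR: addresses assigned to more than one client (empty if none)
ccd_duplicates() {
    ccd_addresses "$1" | awk '{ print $2 }' | sort | uniq -d
}

# ccd_out_of_range DIR: "client address" lines whose address is not a usable
# client address in 10.0.0.0/24 (10.0.0.1 is the server, .0 and .255 are not hosts)
ccd_out_of_range() {
    ccd_addresses "$1" | awk '
        {
            ok = ($2 ~ /^10\.0\.0\.[0-9]+$/)
            if (ok) { split($2, o, "."); ok = (o[4] >= 2 && o[4] <= 254) }
            if (!ok) print $1, $2
        }'
}

# ccd_check DIR: returns 0 if no problems were found, 1 otherwise
ccd_check() {
    dups=$(ccd_duplicates "$1")
    bad=$(ccd_out_of_range "$1")
    if [ -z "$dups" ] && [ -z "$bad" ]; then
        return 0
    fi
    [ -n "$dups" ] && echo "duplicate addresses: $dups" >&2
    [ -n "$bad" ] && echo "out of range: $bad" >&2
    return 1
}

# write_demo_ccd DIR: constructed ccd files, two of them wrong
write_demo_ccd() {
    mkdir -p "$1"
    printf 'ifconfig-push 10.0.0.10 255.255.255.0\n' > "$1/alice"
    printf 'ifconfig-push 10.0.0.11 255.255.255.0\n' > "$1/bob"
    printf 'ifconfig-push 10.0.0.10 255.255.255.0\n' > "$1/carol"   # same address as alice
    printf 'ifconfig-push 10.0.1.5 255.255.255.0\n'  > "$1/dave"    # outside the VPN subnet
}

# Demo; on the server: ccd_check /etc/openvpn/ccd
tmp=$(mktemp -d)
write_demo_ccd "$tmp/ccd"
if ccd_check "$tmp/ccd"; then echo "ccd: OK"; else echo "ccd: problems found"; fi
rm -rf "$tmp"
```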

That’s it! You have now set up an OpenVPN server on Ubuntu 22.04. Enjoy your free and secure internet, regardless of your location.