How to set up an SSL VPN (OpenVPN) server on Ubuntu Server 14.04

STEP 1. Install OpenVPN and Easy-RSA

sudo apt-get update
sudo apt-get install openvpn easy-rsa

Extract the sample server.conf into the /etc/openvpn folder (the redirect must run as root, hence tee)

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/null

Start editing server.conf

sudo nano /etc/openvpn/server.conf

Change dh1024.pem to dh2048.pem so that 2048-bit Diffie-Hellman parameters are used (matching the 2048-bit file generated in Step 3)

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
# dh dh1024.pem
dh dh2048.pem

Uncomment push "redirect-gateway def1 bypass-dhcp" so that clients send all their traffic through the VPN

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

Uncomment the push "dhcp-option DNS ..." lines so that clients use these DNS resolvers (the guide adds Google's 8.8.8.8 beside the two OpenDNS servers)

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Uncomment both user nobody and group nogroup

# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

STEP 2. Enable packet forwarding and configure the firewall

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo nano /etc/sysctl.conf

Uncomment net.ipv4.ip_forward so that forwarding persists across reboots

net.ipv4.ip_forward=1

For a VPN server facing the public internet

(Diagram: firewall facing public)

Allow inbound ssh and 1194/udp on the firewall.

The rules below use "lan" and "wan" as placeholders for the server's LAN-facing and WAN-facing interface names; substitute the real names (for example eth1 and eth0). Two caveats: on Ubuntu the FORWARD chain's default policy is ACCEPT, so these ACCEPT rules only restrict anything once you also set "iptables -P FORWARD DROP"; and iptables rules do not survive a reboot unless you save them (iptables-save, or the iptables-persistent package).

# Allow VPN to LAN
iptables -I FORWARD -i tun0 -o lan -s 10.8.0.0/24 -d 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow VPN to WAN
iptables -I FORWARD -i tun0 -o wan -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow LAN to WAN
iptables -I FORWARD -i lan -o wan -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Masquerade traffic from VPN to WAN
iptables -t nat -I POSTROUTING -o wan -s 10.8.0.0/24 -j MASQUERADE

# Masquerade traffic from LAN to WAN
iptables -t nat -I POSTROUTING -o wan -s 192.168.1.0/24 -j MASQUERADE

# Masquerade traffic from VPN to LAN (if LAN hosts don't use the VPN server as their default gateway)
iptables -t nat -A POSTROUTING -o lan -s 10.8.0.0/24 -d 192.168.1.0/24 -j MASQUERADE
####### Alternative to the MASQUERADE rule above (use one or the other): SNAT VPN-to-LAN traffic to a fixed LAN address
iptables -t nat -A POSTROUTING -o lan -s 10.8.0.0/24 -d 192.168.1.0/24 -j SNAT --to-source 192.168.1.241

For a VPN server behind a firewall

(Diagram: VPN server behind firewall)

In this case the firewall must forward UDP port 1194 to the VPN server's internal address.

STEP 3. Create the Certificate Authority (only run once!)

Run the remaining commands in this step and in Step 4 as root (for example after sudo -i): vars must be sourced into the same shell that later runs the Easy-RSA scripts.

Copy the Easy-RSA generation scripts to /etc/openvpn

cp -r /usr/share/easy-rsa/ /etc/openvpn

Make the key storage directory

mkdir /etc/openvpn/easy-rsa/keys

Make your key personal by entering your info

sudo nano /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="SG"
export KEY_PROVINCE="SG"
export KEY_CITY="Singapore"
export KEY_ORG="My Company Name"
export KEY_EMAIL="your@email.com"
export KEY_OU="ClientOrganizationalUnit"
export KEY_NAME="server"

Generate Diffie-Hellman parameters

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Change into /etc/openvpn/easy-rsa/

cd /etc/openvpn/easy-rsa

Initialize the PKI (Public Key Infrastructure)

. ./vars

Since we haven't generated anything in the keys directory yet, the following warning is nothing to be concerned about:
"NOTE: If you run ./clean-all, it will be doing a rm -rf on /etc/openvpn/easy-rsa/keys"

Now we’ll clear the working directory of any possible old or example keys to make way for our new ones.

./clean-all

Build the certificate authority (CA). This invokes an interactive OpenSSL command that prompts you to confirm the Easy-RSA variables entered above.
Simply press ENTER to accept each prompt.

./build-ca

Remember that this step (generating the Certificate Authority) should only be run once!

STEP 4. Server-side Certificate & Key

Generate a certificate and key for the server.
Still working from the /etc/openvpn/easy-rsa folder, run:

./build-key-server server

("server" is the value of the KEY_NAME variable entered in the Easy-RSA vars file)

Just press ENTER to pass through each one.
A challenge password []:
An optional company name []:

Answer Y to additional two queries below.
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]

Move the server certificate and key.
OpenVPN expects the server certificate, the server key and the CA certificate in /etc/openvpn.
Let's copy them into the proper location.

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

Start OpenVPN

service openvpn start
service openvpn status

Troubleshooting
Look in /var/log/syslog for OpenVPN errors. If you see
Options error: --key fails with 'server.key': No such file or directory
the server certificate and key were not copied into /etc/openvpn in the step above.

STEP 5. Generate Certificates and Keys for Clients

From /etc/openvpn/easy-rsa, run the following command once per client

./build-key client_name1
./build-key client_name2
./build-key client_name3

Press ENTER to accept the defaults.
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]

While copying the sample client configuration, we give each copy the .ovpn extension the clients will use later.
Example: client.conf becomes client_name1.ovpn

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client_name1.ovpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client_name2.ovpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client_name3.ovpn

STEP 6. Transferring Certificates and Keys to Client Devices

The client certificates and keys are located on the server at:

/etc/openvpn/easy-rsa/keys/client_name1.crt
/etc/openvpn/easy-rsa/keys/client_name1.key
/etc/openvpn/easy-rsa/keys/client_name2.crt
/etc/openvpn/easy-rsa/keys/client_name2.key

The CA certificate (ca.crt) and the base client profile (client.ovpn) are the same for all client devices.

They are located at:

/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client.ovpn

Securely copy the client files out of the server with scp (shown here for client_name1.key; repeat for the client certificate, ca.crt and the profile)

scp root@vpn.server.com:/etc/openvpn/easy-rsa/keys/client_name1.key Downloads/

Make sure you have the following 4 files for your client

client_name1.crt
client_name1.key
client.ovpn
ca.crt

STEP 7. Create a Unified OpenVPN profile for client

Edit client_name1.ovpn and replace x.x.x.x with your VPN server's public IP address or hostname

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote x.x.x.x 1194

Uncomment user nobody and group nogroup (in the sample client.conf they are prefixed with ";")

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

Embed the CA certificate, client certificate and client key inline; the file-based ca, cert and key directives stay commented out:

# SSL/TLS parms.
# . . .
#ca ca.crt
#cert client.crt
#key client.key

<ca>
(insert ca.crt here)
</ca>
<cert>
(insert client_name1.crt here)
</cert>
<key>
(insert client_name1.key here)
</key>

Save client_name1.ovpn and deploy it to the client device. The profile now contains the client's private key, so transfer and store it as a secret.
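The manual edits in this step can be scripted. The following is an added example, not part of the original guide: make_unified_profile (an assumed helper name) takes the sample client.conf, the CA certificate and one client's certificate and key, and writes a unified .ovpn with the remote set, user/group uncommented, the file-based directives commented out and the PEM blocks embedded; the demo at the end uses constructed placeholder files, not real certificates.

```shell
#!/bin/sh
# Build a unified .ovpn the way Step 7 does by hand. Assumed helper, not part of the guide.
# Arguments: base.conf ca.crt client.crt client.key server_ip out.ovpn
make_unified_profile() {
    base="$1" ca="$2" crt="$3" key="$4" host="$5" out="$6"
    for f in "$base" "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; return 1; }
    done
    # Set the remote, uncomment user/group, comment out ca/cert/key file references.
    sed -e "s/^remote .*/remote $host 1194/" \
        -e 's/^;user nobody$/user nobody/' \
        -e 's/^;group nogroup$/group nogroup/' \
        -e 's/^ca /#ca /' -e 's/^cert /#cert /' -e 's/^key /#key /' \
        "$base" > "$out"
    {   # Append the inline PEM blocks in the order OpenVPN documents them.
        echo '<ca>';   cat "$ca";  echo '</ca>'
        echo '<cert>'; cat "$crt"; echo '</cert>'
        echo '<key>';  cat "$key"; echo '</key>'
    } >> "$out"
    chmod 600 "$out"   # the profile now carries the client's private key
}

# Post-build check: succeeds only when all seven expected lines are present.
profile_is_unified() {
    n=0
    for pat in '^remote ' '^user nobody$' '^group nogroup$' '^#ca ' \
               '^<ca>$' '^<cert>$' '^<key>$'; do
        grep -q "$pat" "$1" && n=$((n + 1))
    done
    [ "$n" -eq 7 ]
}

# Demo with constructed stand-in files (not real certificates or keys).
demo_dir=$(mktemp -d)
printf '%s\n' 'client' 'dev tun' 'remote my-server-1 1194' ';user nobody' \
    ';group nogroup' 'ca ca.crt' 'cert client.crt' 'key client.key' \
    > "$demo_dir/client.conf"
for f in ca.crt client_name1.crt; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$demo_dir/$f"
done
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
    '-----END PRIVATE KEY-----' > "$demo_dir/client_name1.key"
make_unified_profile "$demo_dir/client.conf" "$demo_dir/ca.crt" \
    "$demo_dir/client_name1.crt" "$demo_dir/client_name1.key" \
    203.0.113.10 "$demo_dir/client_name1.ovpn"
profile_is_unified "$demo_dir/client_name1.ovpn" && echo "profile built in $demo_dir"
```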

STEP 8. Deploy Client profile

Download the OpenVPN client
https://openvpn.net/index.php/open-source/downloads.html

Save the client_name1.ovpn file in the OpenVPN config folder, for example

C:\Program Files\OpenVPN\config\client.ovpn

Always run the OpenVPN GUI as Administrator so that it can install the routes pushed by the server.
