Title: Step-by-Step Guide to Setting Up a Secure VPN Server on Ubuntu

Prerequisites:
1. An Ubuntu server with root access.
2. Basic knowledge of using the terminal and SSH.
3. A static IP address for the server.
4. Port forwarding enabled on your router for the VPN port (default is 1194).
5. OpenVPN installed on your server.

Step 1: Update and Upgrade
Connect to your Ubuntu server via SSH and update the package list and upgrade existing packages by running the following commands:
```
sudo apt update
sudo apt upgrade
```

Step 2: Install OpenVPN
Install OpenVPN and the easy-rsa package to set up the certificate authority:
```
sudo apt install openvpn easy-rsa
```

Step 3: Configure the Certificate Authority
Navigate to the easy-rsa directory and initialize the PKI (Public Key Infrastructure) by running:
```
cd /usr/share/easy-rsa
sudo cp -r /usr/share/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa
sudo ./easyrsa init-pki
```

Step 4: Build the Certificate Authority
Build the certificate authority and generate a key pair by running the following commands:
```
sudo ./easyrsa build-ca
```
Follow the prompts to set up your CA (Certificate Authority).

Step 5: Generate Server Key and Certificate
Generate a key pair for the server and sign it with the CA:
```
sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server
```

Step 6: Generate Diffie-Hellman Parameters
Generate Diffie-Hellman parameters for key exchange:
```
sudo ./easyrsa gen-dh
```

Step 7: Generate HMAC Key
Generate a static HMAC key (`ta.key`) to strengthen the server’s TLS integrity verification:
```
# Writing into /etc/openvpn requires root
sudo openvpn --genkey --secret /etc/openvpn/ta.key
```

Step 8: Configure OpenVPN Server
Copy the generated files to the OpenVPN configuration directory and configure the server:
```
# Run from /etc/openvpn/easy-rsa, where the pki/ directory was created
sudo cp pki/private/server.key /etc/openvpn/
sudo cp pki/issued/server.crt /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/
sudo cp pki/ca.crt /etc/openvpn/
# ta.key was already written to /etc/openvpn/ in Step 7, so it needs no copy
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
sudo mv /etc/openvpn/server.conf /etc/openvpn/openvpn.conf
```
Edit the OpenVPN configuration file:
```
sudo nano /etc/openvpn/openvpn.conf
```
Uncomment and modify the following lines:
```
cert server.crt
key server.key
dh dh.pem
ca ca.crt
tls-auth ta.key 0
```

Step 9: Enable IP Forwarding
Enable IP forwarding to allow the server to forward traffic:
```
sudo sysctl -w net.ipv4.ip_forward=1
```
To make this change permanent, edit the sysctl.conf file:
```
sudo nano /etc/sysctl.conf
```
Uncomment the line `net.ipv4.ip_forward=1` and save the file.

Step 10: Start and Enable OpenVPN Service
Start and enable the OpenVPN service to run on system boot:
```
sudo systemctl start openvpn@openvpn
sudo systemctl enable openvpn@openvpn
```

Step 11: Configure Firewall
If you have UFW (Uncomplicated Firewall) enabled, allow OpenVPN traffic:
```
sudo ufw allow OpenSSH
sudo ufw allow 1194/udp
sudo ufw enable
```

Step 12: Client Configuration
Generate a client key and certificate for each user you want to connect to the VPN server. Distribute the client configuration file to each user.
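
One way to carry out Step 12, as an added example that is not part of the original guide: it builds a single-file client profile with the credentials inline and owner-only permissions. The client name `client1`, the function name `make_ovpn`, the server address argument, and the `dev tun` / `proto udp` settings (matching the 1194/udp port used above) are assumptions.

```sh
#!/bin/sh
# Added example. Issue the client certificate first, from /etc/openvpn/easy-rsa,
# using the CA built in Step 4 ("client1" is a placeholder name):
#   sudo ./easyrsa gen-req client1 nopass
#   sudo ./easyrsa sign-req client client1

# make_ovpn CLIENT SERVER_ADDR PKI_DIR TA_KEY OUT_FILE
# The body is a subshell "( ... )" so umask and variables do not leak to the caller.
make_ovpn() (
    [ $# -eq 5 ] || { echo "usage: make_ovpn CLIENT SERVER PKI_DIR TA_KEY OUT" >&2; exit 2; }
    client=$1; server=$2; pki=$3; ta=$4; out=$5
    # Fail before writing anything if a credential is missing
    for f in "$pki/ca.crt" "$pki/issued/$client.crt" "$pki/private/$client.key" "$ta"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; exit 1; }
    done
    umask 077          # the profile embeds the private key: owner-only from creation
    rm -f -- "$out"    # umask only applies to newly created files
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$server"
        printf 'nobind\npersist-key\npersist-tun\n'
        printf 'remote-cert-tls server\n'   # reject peers whose cert is not a server cert
        printf 'key-direction 1\n'          # client side of the server's "tls-auth ta.key 0"
        printf '<ca>\n';  cat "$pki/ca.crt";  printf '</ca>\n'
        printf '<cert>\n'
        # easy-rsa puts a human-readable dump above the PEM block; keep only the PEM
        sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$pki/issued/$client.crt"
        printf '</cert>\n'
        printf '<key>\n';  cat "$pki/private/$client.key";  printf '</key>\n'
        printf '<tls-auth>\n';  cat "$ta";  printf '</tls-auth>\n'
    } > "$out"
)
```

On the server this would be run as root, for example `make_ovpn client1 <server-address> /etc/openvpn/easy-rsa/pki /etc/openvpn/ta.key client1.ovpn`; the resulting file contains the client's private key, so hand it over through a secure channel only.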

Step 13: Test the VPN Connection
Connect a client device to the VPN server using the OpenVPN client software. Verify that the connection is successful and that your internet traffic is routed through the VPN.

By following this comprehensive guide, you can set up a secure VPN server on Ubuntu to protect your online activities and data. Remember to regularly update your server and monitor its security settings to maintain a secure VPN environment.

