How to set up a simple routed VPN - Set up VPN server

How to set up a VPN server using openVPN

OpenVPN is open-source, free software that provides everything you need to establish a Virtual Private Network. On Ubuntu and other Linux-based systems it can be installed from the central repositories. OpenVPN is also available for other operating systems, but here we focus on Ubuntu (based on our experience). So, first of all, install openvpn with the following command:

sudo apt-get install openvpn

Create a folder where we'll put the necessary certificates:

sudo mkdir /etc/openvpn/easy-rsa/ 
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Then personalize the information in the file /etc/openvpn/easy-rsa/vars. Edit the file using vim or any other editor:

sudo vim /etc/openvpn/easy-rsa/vars

And set properly the parameters therein. For instance:

export KEY_COUNTRY=GR

Afterwards you will need to create certificates for your server (some of which you will use for your clients too):

sudo su
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
chown -R root:admin . ## make this directory writable by the system admins
chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## Build a TLS key
cp server.crt server.key ca.crt dh1024.pem ta.key ../../
exit ## Exit root console

You now need to configure your VPN server properly, and that's all. For that you have to choose the private IP of the server. For the purposes of this tutorial we assume it is 10.8.0.1 (the server's IP on the private VPN network). Your client(s) will get IPs like 10.8.0.X (e.g. 10.8.0.6). Modify the file /etc/openvpn/server.conf:

sudo vim /etc/openvpn/server.conf

And write the following content:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
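Before restarting the daemon it pays to check that every file named in server.conf actually exists where the config says it does, and that the private key material is not readable by other users. The following script is an added example (not part of the original tutorial or of OpenVPN itself): it reads the ca, cert, key, dh and tls-auth directives, resolves relative paths against a base directory (the /etc/openvpn default is an assumption about where the init script runs), and reports missing files and loose permissions. The placeholder files and the two sample configs it builds are constructed for the demo and contain no real key data.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: check a server.conf
# before restarting the daemon. It reads the directives that name a file
# (ca, cert, key, dh, tls-auth), confirms each file exists, and flags
# private key material (key, tls-auth) that is group- or world-readable.
# Relative paths are resolved against a base directory (default
# /etc/openvpn, an assumption about where the init script runs).

check_openvpn_conf() {
    conf="$1"
    base="${2:-/etc/openvpn}"
    [ -f "$conf" ] || { echo "MISSING config $conf"; return 1; }
    # awk prints "directive path"; comment lines never match because their
    # first field is '#' or ';'
    problems=$(
        awk '$1 ~ /^(ca|cert|key|dh|tls-auth)$/ { print $1, $2 }' "$conf" |
        while read -r directive path; do
            case "$path" in
                /*) full="$path" ;;
                *)  full="$base/$path" ;;
            esac
            if [ ! -f "$full" ]; then
                echo "MISSING $directive -> $full"
                continue
            fi
            case "$directive" in
                key|tls-auth)
                    # columns 5-10 of 'ls -l' are the group and other permission bits
                    mode=$(ls -ld "$full" | cut -c5-10)
                    [ "$mode" = "------" ] || echo "PERMS $directive -> $full (group/other: $mode)"
                    ;;
            esac
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Build a throwaway directory with constructed placeholder files (empty,
# not real PEM data) and two configs: one consistent with the tutorial's
# server.conf and one with a typo in the dh path and a world-readable key.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/easy-rsa/keys"
    for f in ca.crt server.crt server.key dh1024.pem ta.key; do
        : > "$d/easy-rsa/keys/$f"
    done
    chmod 600 "$d/easy-rsa/keys/server.key" "$d/easy-rsa/keys/ta.key"
    cat > "$d/good.conf" <<EOF
port 1194
proto udp
dev tun
ca $d/easy-rsa/keys/ca.crt
cert $d/easy-rsa/keys/server.crt
key $d/easy-rsa/keys/server.key
dh $d/easy-rsa/keys/dh1024.pem
tls-auth $d/easy-rsa/keys/ta.key 0
server 10.8.0.0 255.255.255.0
EOF
    : > "$d/server.key"
    chmod 644 "$d/server.key"
    cat > "$d/bad.conf" <<EOF
ca $d/easy-rsa/keys/ca.crt
cert $d/easy-rsa/keys/server.crt
key server.key
dh $d/easy-rsa/keys/dh1024.pm
EOF
    echo "$d"
}

d=$(make_fixture)
check_openvpn_conf "$d/good.conf" "$d" && echo "good.conf: all referenced files present, keys private"
check_openvpn_conf "$d/bad.conf" "$d" || echo "bad.conf: fix the problems above before restarting openvpn"
rm -rf "$d"
```

On a real server run check_openvpn_conf /etc/openvpn/server.conf as root. Note that the cp step earlier in this tutorial places a second copy of the keys directly in /etc/openvpn while server.conf points into easy-rsa/keys; either location works, as long as the paths in the config match files on disk and both copies of server.key and ta.key stay mode 600.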

Now just start OpenVPN. Run:

sudo /etc/init.d/openvpn restart

You should receive the following message:

* Starting virtual private network daemon(s)...
* Autostarting VPN server [ OK ]

It is worth running ifconfig: a new network interface has been set up, namely tun0:

tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
      inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:61 errors:0 dropped:0 overruns:0 frame:0
      TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:10876 (10.8 KB)  TX bytes:22967 (22.9 KB)

The machine will reply to ping at 10.8.0.1. We are now ready to configure our VPN clients to connect to the VPN server. By default, the VPN server will isolate the clients from each other allowing them to connect only to 10.8.0.1. If you need your clients to be visible to each other then include in the configuration file of openvpn (i.e. /etc/openvpn/server.conf) the following:

# This directive will allow different
# clients to be able to see each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# TUN/TAP interface of the server
client-to-client

In the next section we establish a connection between the VPN server and a client. These two machines then lie within the same private network. The client needs to be given certain files that identify it to the VPN server. To create these files, run the following commands on the server:

cd /etc/openvpn/easy-rsa
source ./vars
./pkitool serverName

where serverName is the domain name of your server or any other identifier you would like to use (it becomes the common name of the client's certificate). This command generates the files:

serverName.crt
serverName.key
serverName.csr

Of these files only the first two are needed. In the following section we'll explain how to set up a connection between the VPN server and a VPN client.


Something went wrong?

Did something go wrong so far? Did openvpn fail to start, for example returning a message like:

*   Autostarting VPN server   [ Fail ]

Then first of all check the openvpn logs. These are stored in /var/log/daemon.log. Use 'tail' to output the last 50 lines (or more if needed). Usually this file is huge, so don't attempt a 'cat' on it. Run:

tail -n 50 /var/log/daemon.log

There you should be able to find what happened and fix it. The usual mistakes are typos in the configuration file (server.conf).
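Because daemon.log mixes openvpn's messages with those of every other daemon, it helps to filter it down to the lines that explain a failed start. The script below is an added example (not from the original tutorial or from OpenVPN): it keeps only lines tagged by the openvpn daemon (the Debian/Ubuntu init script names the process ovpn-<config name>, so server.conf logs as ovpn-server; that naming is an assumption about the init script), selects the error messages among them, and reduces them to a one-word reason. The sample log it builds is constructed for the demo and imitates the form of OpenVPN's messages; it is not taken from a real system.

```sh
#!/bin/sh
# Added example, not from the original tutorial: pull the openvpn daemon's
# own lines out of a syslog-style daemon.log (the init script tags them
# ovpn-<name>, e.g. ovpn-server for server.conf) and keep only the ones
# that explain a failed start, then reduce them to a one-word reason.
# The sample log is constructed for this demo; its lines imitate the
# format of OpenVPN's messages but are not taken from a real system.

openvpn_log_errors() {
    grep -E ' ovpn-[A-Za-z0-9_.-]+\[[0-9]+\]: ' "$1" |
        grep -E 'Options error|Cannot load|TLS Error|Exiting due to fatal error'
}

openvpn_failure_reason() {
    errs=$(openvpn_log_errors "$1" || true)
    if [ -z "$errs" ]; then
        echo "no-openvpn-error"
        return 0
    fi
    # most specific signature first; the "Please correct these errors" and
    # "Exiting" lines only confirm that something above them was fatal
    if   printf '%s\n' "$errs" | grep -q 'No such file or directory'; then echo "missing-file"
    elif printf '%s\n' "$errs" | grep -q 'Unrecognized option'; then echo "config-typo"
    elif printf '%s\n' "$errs" | grep -q 'Cannot load'; then echo "bad-key-material"
    elif printf '%s\n' "$errs" | grep -q 'TLS Error'; then echo "tls-handshake"
    else echo "other"
    fi
}

# Constructed sample: a start that fails because of a typo in the dh path,
# surrounded by the usual noise from other daemons.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 10:12:01 vpnhost ovpn-server[2231]: OpenVPN 2.x i686-pc-linux-gnu [SSL] [LZO2] [EPOLL]
Mar  3 10:12:01 vpnhost ovpn-server[2231]: Options error: --dh fails with '/etc/openvpn/easy-rsa/keys/dh1024.pm': No such file or directory
Mar  3 10:12:01 vpnhost ovpn-server[2231]: Options error: Please correct these errors.
Mar  3 10:12:01 vpnhost ovpn-server[2231]: Use --help for more information.
Mar  3 10:17:01 vpnhost cron[2240]: (root) CMD (run-parts /etc/cron.hourly)
EOF
    echo "$f"
}

log=$(make_sample_log)
echo "openvpn error lines:"
openvpn_log_errors "$log"
echo "reason: $(openvpn_failure_reason "$log")"
rm -f "$log"
```

On the server, openvpn_log_errors /var/log/daemon.log shows just the lines worth reading, and openvpn_failure_reason /var/log/daemon.log tells you whether to look at a path in server.conf, a misspelled directive, the key files, or the TLS setup before going back to the full tail of the log.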