Install OpenVPN services

Note

OpenVPN enables remote client computers and smartphones to access VPN server's files and structure, and optionally re-direct clients' IP traffic through the VPN server.

(revised 11 April 2018 to add re-direct function)

(revised 2 Sep 2018 to suit Ubuntu 18.04 which requires a change of the network card device name)

Install VPN server for accessing file server

Switch to root:

$ sudo -s

Install openvpn and easy-rsa:

$ apt-get install openvpn easy-rsa

Set up public key infrastructure:

$ mkdir /etc/openvpn/easy-rsa/
$ cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
$ gedit /etc/openvpn/easy-rsa/vars

Define in vars:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="HK"
export KEY_CITY="HongKong"
export KEY_ORG="K C Tang Consultants Ltd"
export KEY_EMAIL="kctang@kctang.com.hk"
export KEY_OU=kctclVPN
export KEY_NAME=kctclVPN
# next line added to avoid error when building the certificate and key 
export KEY_ALTNAMES=kctclVPN

Generate master Certificate Authority (CA) certificate and key:

$ cd /etc/openvpn/easy-rsa/
$ source vars
$ ./clean-all
$ ./build-ca

Generate a certificate and private key for the server:

$ ./build-key-server kctclVPN

Accept defaults for most parameters.

Answer “y” to:

  • "Sign the certificate? [y/n]"
  • "1 out of 1 certificate requests certified, commit? [y/n]"

Generate Diffie Hellman parameters:

$ ./build-dh

Copy certificates and keys generated in subdirectory keys/ to /etc/openvpn/:

$ cd keys/
$ cp kctclVPN.crt kctclVPN.key ca.crt dh2048.pem /etc/openvpn/

Generate a certificate and private key for the client user <client>:

$ cd /etc/openvpn/easy-rsa/
$ source vars
$ ./build-key <client>

Copy or move client's certificate and key to a Samba directory, which is for temporary use only: to enable emailing:

$ cp /etc/openvpn/ca.crt /<Samba directory>/
$ mv /etc/openvpn/easy-rsa/keys/<client>.crt /<Samba directory>/
$ mv /etc/openvpn/easy-rsa/keys/<client>.key /<Samba directory>/

Change the owners of the files:

$ cd /<Samba directory>
$ chown nobody:nogroup ca.crt <client>.crt <client>.key
$ chmod 644 ca.crt <client>.crt <client>.key

​E-mail the files to the client computer.

Remove the files:

$ rm ca.crt <client>.crt <client>.key

Config server.conf:

$ cd /
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
$ gzip -d /etc/openvpn/server.conf.gz
$ gedit /etc/openvpn/server.conf

Define as follows:

port 1194
proto udp
dev tun
ca </path to file/>ca.crt
cert </path to file/>kctclVPN.crt
key </path to file/>kctclVPN.key
dh </path to file/>dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
; tls-auth ta.key 0
# the last line is a new feature and would provide extra security,
# but would require corresponding addition in the form of "tls-auth ta.key 1" to the client.conf
# now commented to avoid that change to the clients until convenient time to change 
# last line commented (2 Sep 2018) 
cipher AES-256-CBC # last line added (30 Dec 2017)
comp-lzo
user nobody
group nogroup
# last two lines for linux system
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify lcicipher

Config sysctl.conf:

$ gedit /etc/sysctl.conf

Uncomment the following line to enable IP forwarding:

net.ipv4.ip_forward=1

Reload sysctl.conf:

$ sysctl -p /etc/sysctl.conf

Start the server:

$ systemctl start openvpn@server

Check if OpenVPN created a tun0 interface:

$ ifconfig tun0

Check syslog if tun0 does not appear:

$ grep -i vpn /var/log/syslog

Exit from root:

$ exit

Set the internet router to re-direct OpenVPN connections to server port 1194.

Extend to re-direct clients' IP traffic through VPN server

(section added 5 April 2018)

Define optionally in server.conf to re-direct clients' IP traffic such as web browsing and DNS lookups to go through the VPN server, i.e. the clients will appear to use the IP of the VPN server instead of the actual IP of the clients for internet traffic:

Config server.conf:

$ sudo gedit /etc/openvpn/server.conf

Define by uncommenting the following line:

push "redirect-gateway def1 bypass-dhcp"

Some guide suggests to add the following, but this results in email server not working: (10 April 2018)

push "dhcp-option DNS 10.8.0.1"

Some other guides suggest to uncomment the following, this works: (10 April 2018)

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

However, it is found that it still works when the above two lines are left uncommented. Therefore, the only line needing change is the 'redirect-gateway' line. (2 Sep 2018)

Execute to restart the service:

$ sudo systemctl restart openvpn@server

Execute to see the network card device names:

$ ip route

Find the output line beginning with "default", e.g.:

default via 192.168.0.1 dev enp4s0 proto static metro 100

The name "enp4s0" after the word "dev" is the default network card device name. Previously, the default name is "eth0", but this has been changed after Ubuntu 16.04. (2 Sep 2018)

Execute with the default name inserted after "-o":

$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp4s0 -j MASQUERADE

Note that the iptables configuration will be lost after reboot.

Store the current iptables configurations:

$ sudo sh -c "iptables-save > /etc/iptables.up.rules"

View and remove any configurations no longer applicable:

$ sudo gedit /etc/iptables.up.rules

Do the same whenever the iptables configurations have been changed.

Config file for use on reboot:

$ sudo gedit /etc/network/interfaces

Define to reuse the stored configurations:

auto lo
iface lo inet loopback
post-up iptables-restore < /etc/iptables.up.rules

Install on Windows client computer

Download and install the latest OpenVPN Windows Installer.

Go to Microsoft Management Console: Start > Computer > Manage > Services and Applications > Services.

Start OpenVPN service.

Set it's startup type to automatic.

Save ca.crt <client>.crt <client>.key under C:\Program Files\OpenVPN\config\

Create C:\Program Files\OpenVPN\config\<client>.txt file and define it to contain:

client
dev tun
proto udp
remote kctang.com.hk 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert <\\path\\><client>.crt
key <\\path\\><client>.key
ns-cert-type server
comp-lzo
verb 3

Also add the following at the end of the file: (added 30 December 2017)

auth-nocache
cipher AES-256-CBC

Specify path in Windows format if ca.crt <client>.crt <client>.key are saved in a folder different from <client>.txt.

Change filename from <client>.txt to <client>.ovpn.

Run on Windows client as a service

To start OpenVPN automatically as a service every time after rebooting:

  • Go to Microsoft Management Console: Start > Computer > Manage > Services and Applications > Services.
  • Right-click OpenVPN service > Properties > Start.
  • Change Startup type to Automatic.
  • Click OK.

However, running as a service has a bug that the connection may not be re-connected after the computer wakes up after sleep or hibernation.

If there is the case, connecting with the GUI will be the better choice.

Run on Windows client using GUI

Start OpenVPN every time after rebooting:

  • Right-click OpenVPN GUI icon on Desktop.
  • Click Properties > Compatibility > Run this program as an administrator > OK.

Connect after starting or loss of connection after sleep or hibernation:

    • Click OpenVPN GUI icon on Desktop.
    • Click the icon on the system tray to connect or right-click the icon and click Connect.

    Map drive for quick access

    Define a drive to be listed in the file manager directory to represent the server:
    • Open file manager and enter \\10.8.0.1 to access the vpn server.
    • Right-click the desired folder.
    • Click Map network drive.
    • Choose a drive name to represent the folder.
    • Click Finish.