OpenVPN enables remote client computers and smartphones to access VPN server's files and structure, and optionally re-direct clients' IP traffic through the VPN server.
(revised 11 April 2018 to add re-direct function)
(revised 2 Sep 2018 to suit Ubuntu 18.04 which requires a change of the network card device name)
Install VPN server for accessing file server
Switch to root:
$ sudo -s
Install openvpn and easy-rsa:
$ apt-get install openvpn easy-rsa
Set up public key infrastructure:
$ mkdir /etc/openvpn/easy-rsa/ $ cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/ $ gedit /etc/openvpn/easy-rsa/vars
Define in vars:
export KEY_COUNTRY="CN" export KEY_PROVINCE="HK" export KEY_CITY="HongKong" export KEY_ORG="K C Tang Consultants Ltd" export KEY_EMAIL="firstname.lastname@example.org" export KEY_OU=kctclVPN export KEY_NAME=kctclVPN # next line added to avoid error when building the certificate and key export KEY_ALTNAMES=kctclVPN
Generate master Certificate Authority (CA) certificate and key:
$ cd /etc/openvpn/easy-rsa/ $ source vars $ ./clean-all $ ./build-ca
Generate a certificate and private key for the server:
$ ./build-key-server kctclVPN
Accept defaults for most parameters.
Answer “y” to:
- "Sign the certificate? [y/n]"
- "1 out of 1 certificate requests certified, commit? [y/n]"
Generate Diffie Hellman parameters:
Copy certificates and keys generated in subdirectory keys/ to /etc/openvpn/:
$ cd keys/ $ cp kctclVPN.crt kctclVPN.key ca.crt dh2048.pem /etc/openvpn/
Generate a certificate and private key for the client user <client>:
$ cd /etc/openvpn/easy-rsa/ $ source vars $ ./build-key <client>
Copy or move client's certificate and key to a Samba directory, which is for temporary use only: to enable emailing:
$ cp /etc/openvpn/ca.crt /<Samba directory>/ $ mv /etc/openvpn/easy-rsa/keys/<client>.crt /<Samba directory>/ $ mv /etc/openvpn/easy-rsa/keys/<client>.key /<Samba directory>/
Change the owners of the files:
$ cd /<Samba directory> $ chown nobody:nogroup ca.crt <client>.crt <client>.key $ chmod 644 ca.crt <client>.crt <client>.key
E-mail the files to the client computer.
Remove the files:
$ rm ca.crt <client>.crt <client>.key
$ cd / $ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ $ gzip -d /etc/openvpn/server.conf.gz $ gedit /etc/openvpn/server.conf
Define as follows:
port 1194 proto udp dev tun ca </path to file/>ca.crt cert </path to file/>kctclVPN.crt key </path to file/>kctclVPN.key dh </path to file/>dh2048.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /var/log/openvpn/ipp.txt keepalive 10 120 ; tls-auth ta.key 0 # the last line is a new feature and would provide extra security, # but would require corresponding addition in the form of "tls-auth ta.key 1" to the client.conf # now commented to avoid that change to the clients until convenient time to change # last line commented (2 Sep 2018) cipher AES-256-CBC # last line added (30 Dec 2017) comp-lzo user nobody group nogroup # last two lines for linux system persist-key persist-tun status /var/log/openvpn/openvpn-status.log verb 3 explicit-exit-notify lcicipher
$ gedit /etc/sysctl.conf
Uncomment the following line to enable IP forwarding:
$ sysctl -p /etc/sysctl.conf
Start the server:
$ systemctl start openvpn@server
Check if OpenVPN created a tun0 interface:
$ ifconfig tun0
Check syslog if tun0 does not appear:
$ grep -i vpn /var/log/syslog
Exit from root:
Set the internet router to re-direct OpenVPN connections to server port 1194.
Extend to re-direct clients' IP traffic through VPN server
(section added 5 April 2018)
Define optionally in server.conf to re-direct clients' IP traffic such as web browsing and DNS lookups to go through the VPN server, i.e. the clients will appear to use the IP of the VPN server instead of the actual IP of the clients for internet traffic:
$ sudo gedit /etc/openvpn/server.conf
Define by uncommenting the following line:
push "redirect-gateway def1 bypass-dhcp"
Some guide suggests to add the following, but this results in email server not working: (10 April 2018)
push "dhcp-option DNS 10.8.0.1"
Some other guides suggest to uncomment the following, this works: (10 April 2018)
push "dhcp-option DNS 220.127.116.11" push "dhcp-option DNS 18.104.22.168"
However, it is found that it still works when the above two lines are left commented. Therefore, the only line needing change is the 'redirect-gateway' line. (2 Sep 2018)
Execute to restart the service:
$ sudo systemctl restart openvpn@server
Execute to see the network card device names:
$ ip route
Find the output line beginning with "default", e.g.:
default via 192.168.0.1 dev enp4s0 proto static metro 100
The name "enp4s0" after the word "dev" is the default network card device name. Previously, the default name is "eth0", but this has been changed after Ubuntu 16.04. (2 Sep 2018)
Execute with the default name inserted after "-o":
$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp4s0 -j MASQUERADE
Note that the iptables configuration will be lost after reboot.
Store the current iptables configurations:
$ sudo sh -c "iptables-save > /etc/iptables.up.rules"
View and remove any configurations no longer applicable:
$ sudo gedit /etc/iptables.up.rules
Do the same whenever the iptables configurations have been changed.
Config file for use on reboot:
$ sudo gedit /etc/network/interfaces
Define to reuse the stored configurations:
auto lo iface lo inet loopback post-up iptables-restore < /etc/iptables.up.rules
Install on Windows client computer
Download and install the latest OpenVPN Windows Installer.
Save ca.crt <client>.crt <client>.key under C:\Program Files\OpenVPN\config\
Create C:\Program Files\OpenVPN\config\<client>.txt file and define it to contain:
client dev tun proto udp remote kctang.com.hk 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert <\\path\\><client>.crt key <\\path\\><client>.key ns-cert-type server comp-lzo verb 3
Also add the following at the end of the file: (added 30 December 2017)
auth-nocache cipher AES-256-CBC
Specify path in Windows format if ca.crt <client>.crt <client>.key are saved in a folder different from <client>.txt.
Change filename from <client>.txt to <client>.ovpn.
Run on Windows client as a service
To start OpenVPN automatically as a service every time after rebooting:
- Go to Microsoft Management Console: Start > Computer > Manage > Services and Applications > Services.
- Right-click OpenVPN service > Properties > Start.
- Change Startup type to Automatic.
- Click OK.
However, running as a service has a bug that the connection may not be re-connected after the computer wakes up after sleep or hibernation.
If there is the case, connecting with the GUI will be the better choice.
Run on Windows client using GUI
Start OpenVPN every time after rebooting:
- Right-click OpenVPN GUI icon on Desktop.
- Click Properties > Compatibility > Run this program as an administrator > OK.
Connect after starting or loss of connection after sleep or hibernation:
- Click OpenVPN GUI icon on Desktop.
- Click the icon on the system tray to connect or right-click the icon and click Connect.
Map drive for quick access
- Open file manager and enter \\10.8.0.1 to access the vpn server.
- Right-click the desired folder.
- Click Map network drive.
- Choose a drive name to represent the folder.
- Click Finish.