Note
- 30 Jul 2024: Updated for PEM pass phrase. "$" prompts changed to "#" when in root mode.
- 15 Jul 2023: Windows folder to contain config files revised.
- 26 Apr 2022: Cipher added.
- 18 Jan 2022: Installation procedures updated.
- 11 Apr 2018: Re-direct function added.
- 2 Sep 2018: Revised to suit Ubuntu 18.04 which requires a change of the network card device name.
Intro
OpenVPN enables remote client computers and smartphones to access VPN server's files and structure, and optionally re-direct clients' IP traffic through the VPN server.
Install VPN server for accessing file server
Switch to root:
$ sudo -s
Install openvpn and easy-rsa:
# apt-get install openvpn easy-rsa
Set up public key infrastructure:
# mkdir /etc/openvpn/easy-rsa/ # cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/ # nano /etc/openvpn/easy-rsa/vars
Define in vars:
export KEY_COUNTRY="CN" export KEY_PROVINCE="HK" export KEY_CITY="HongKong" export KEY_ORG="K C Tang Consultants Ltd" export KEY_EMAIL="kctang@kctang.com.hk" export KEY_OU=kctclVPN export KEY_NAME=kctclVPN # next line added to avoid error when building the certificate and key export KEY_ALTNAMES=kctclVPN
Generate master Certificate Authority (CA) certificate and key:
# cd /etc/openvpn/easy-rsa/ # source vars # ./easyrsa init-pki # ./easyrsa build-ca
Enter New CA Key Passphrase: <>
Re-enter New CA Key Passphrase: <>
Enter PEM pass phrase (if prompted): <>
Verifying - Enter PEM pass phrase (if prompted): <>
(last two lines added, 30/7/2024)
Enter Common Name: kctclVPN
Generate a key pair for the server:
# ./easyrsa gen-req kctclVPN nopass
Accept Common Name default [kctclVPN]: <enter key>
Generate Diffie Hellman parameters and generate certificate for the server
# ./easyrsa gen-dh # ./easyrsa sign-req server kctclVPN
Check and confirm the Common Name: yes
Enter pass phrase (i.e. the PEM pass phrase if entered above, otherwise the CA Key Passphrase): <>
(last line revise to mention PEM pass phrase, 30/7/2024)
Copy certificates and keys generated in subdirectory pki/ to /etc/openvpn/:
# cp pki/dh.pem pki/ca.crt pki/issued/kctclVPN.crt pki/private/kctclVPN.key /etc/openvpn/
Config server.conf:
# cd / # cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/ # nano /etc/openvpn/server.conf
Define as follows:
port 1194 proto udp dev tun # Enter the paths if files not in the same directory as the server.conf file ca </path to file/>ca.crt cert </path to file/>kctclVPN.crt key </path to file/>kctclVPN.key dh </path to file/>dh.pem # not dh2048.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /var/log/openvpn/ipp.txt keepalive 10 120 tls-auth ta.key 0 cipher AES-256-GCM user nobody group nogroup # last two lines added for linux system persist-key persist-tun status /var/log/openvpn/openvpn-status.log verb 3 explicit-exit-notify 1
(cipher added, 26 Apr 2022)
Generate ta.key for tls-auth:
# cd /etc/openvpn # openvpn --genkey tls-auth ta.key$ openvpn --genkey secret ta.key # not --secret
Config sysctl.conf:
# nano /etc/sysctl.conf
Uncomment the following line to enable IP forwarding:
net.ipv4.ip_forward=1
Reload sysctl.conf:
# sysctl -p /etc/sysctl.conf
Start the server:
# systemctl start openvpn@server
# systemctl status openvpn@server
Check if OpenVPN created a tun0 interface:
# ifconfig tun0
Check syslog if tun0 does not appear:
# grep -i vpn /var/log/syslog
Exit from root:
# exit
$
Set the internet router to re-direct OpenVPN connections to server port 1194.
Extend to re-direct clients' IP traffic through VPN server
(section added 5 April 2018)
Define optionally in server.conf to re-direct clients' IP traffic such as web browsing and DNS lookups to go through the VPN server, i.e. the clients will appear to use the IP of the VPN server instead of the actual IP of the clients for internet traffic:
Config server.conf:
$ sudo nano /etc/openvpn/server.conf
Define by uncommenting the following line:
push "redirect-gateway def1 bypass-dhcp"
Some guide suggests to add the following, but this results in email server not working: (10 April 2018)
push "dhcp-option DNS 10.8.0.1"
Some other guides suggest to uncomment the following, this works: (10 April 2018)
push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220"
However, it is found that it still works when the above two lines are left commented. Therefore, the only line needing change is the 'redirect-gateway' line. (2 Sep 2018)
Execute to restart the service:
$ sudo systemctl restart openvpn@server
Execute to see the network card device names:
$ ip route
Find the output line beginning with "default", e.g.:
default via 192.168.0.1 dev enp4s0 proto static metro 100
The name "enp4s0" after the word "dev" is the default network card device name. Previously, the default name is "eth0", but this has been changed after Ubuntu 16.04.
(2 Sep 2018)
Execute with the default name inserted after "-o":
$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp4s0 -j MASQUERADE
Note that the iptables configuration will be lost after reboot.
Store the current iptables configurations:
$ sudo sh -c "iptables-save > /etc/iptables.up.rules"
View and remove any configurations no longer applicable:
$ sudo nano /etc/iptables.up.rules
Do the same whenever the iptables configurations have been changed.
Config file for use on reboot:
$ sudo nano /etc/network/interfaces
Define to reuse the stored configurations:
auto lo iface lo inet loopback post-up iptables-restore < /etc/iptables.up.rules
Generate files for each Windows client
Switch to root:
$ sudo -s
Generate a certificate and private key for each client user of <username>:
# cd /etc/openvpn/easy-rsa/ # ./easyrsa gen-req <username> nopass # ./easyrsa sign-req client <username>
Check and confirm the Common Name: yes
Enter Passphrase as previously defined: <>
Copy or move client's certificate and key to a Samba directory, which is for temporary use only: to enable emailing:
# cd /etc/openvpn/easy-rsa/ # cp pki/ca.crt pki/issued/<username>.crt pki/private/<username>.key /<Samba directory>/ # cd /etc/openvpn/ # cp ta.key /<Samba directory>/
Change the owners of the files:
# cd /<Samba directory> # chown nobody:nogroup ca.crt ta.key <username>.crt <username>.key # chmod 644 ca.crt ta.key <username>.crt <username>.key
Create a <username>.txt under the Samba directory and define it to contain:
client dev tun proto udp remote kctang.com.hk 1194 resolv-retry infinite nobind persist-key persist-tun mute-replay-warnings ca ca.crt cert <\\path\\><username>.crt key <\\path\\><username>.key remote-cert-tls server tls-auth ta.key 1 cipher AES-256-GCM auth-nocache verb 3
(cipher added, 26 Apr 2022)
Specify path in Windows format if ca.crt, ta.key, <username>.crt, and <username>.key are to be saved in a folder different from <username>.txt.
Change filename from <username>.txt to <username>.ovpn. Creating as a txt file first permits editing by the usual text processors. Watch out that the line breaks are using Windows' linebreak code.
E-mail ca.crt, ta.key, <username>.crt, <username>.key, and <username>.ovpn files to the client computer.
Remove the files:
# rm ca.crt ta.key <username>.crt <username>.key <username>.ovpn
Exit from root:
# exit
$
Install on Windows client computer
Download and install the latest OpenVPN Windows Installer.
An OpenVPN GUI icon should appear at the bottom system tray, with no connection yet.
Save ca.crt, ta.key, <username>.crt, <username>.key, and <username>.ovpn files (emailed from the server) under:
- C:\Program Files\OpenVPN\config-auto\ (for use as a service)
or
- C:\Program Files\OpenVPN\config\ (for use with GUI).
(revised 15 Jul 2023)
Run on Windows client as a service
To start OpenVPN automatically as a service every time after rebooting:
- Click Windows Start > search for Services.
- Right-click OpenVPN Interactive Service > Properties > Start or Restart.
- Change Startup type to Automatic.
- Click OK.
Open file manager and enter \\10.8.0.1 to access the vpn server. All clients will use the same \\10.8.0.1 to map the actual different ip addresses assigned by the vpn server.
If connection is not successful, restart the computer.
Run on Windows client using GUI
To start OpenVPN manually every time after rebooting, or re-connect after loss of connection after sleep or hibernation::
- Right-click OpenVPN GUI icon on Desktop.
- Click Run this program as an administrator > Yes.
Or
- Click the OpenVPN GUI icon on the bottom system tray to connect or right-click the icon and click Connect.
Map drive for quick access
- Open file manager and enter \\10.8.0.1 to access the vpn server.
- Right-click the desired folder.
- Click Map network drive.
- Choose a drive name to represent the folder.
- Click Finish.