Ubuntu 24.04 OpenVPN Setup

Introduction

This guide outlines the steps to set up an OpenVPN server on Ubuntu 24.04, including certificate management, server configuration, firewall setup, and client provisioning.


Step 1: Install OpenVPN and Easy-RSA

$ sudo apt update
$ sudo apt install openvpn easy-rsa -y

Step 2: Initialize the Public Key Infrastructure (PKI)

$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca
$ vi vars

Edit the vars file with appropriate values:

set_var EASYRSA_REQ_COUNTRY    "TW"
set_var EASYRSA_REQ_PROVINCE "Taipei"
set_var EASYRSA_REQ_CITY "Taipei"
set_var EASYRSA_REQ_ORG "MyVPN"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "IT"

Initialize the PKI and build the Certificate Authority (CA):

$ ./easyrsa init-pki
$ ./easyrsa build-ca

If you see an error like Can't load /home/$USER/openvpn-ca/pki/.rnd into RNG, run:

$ openssl rand -writerand pki/.rnd

and retry ./easyrsa build-ca.


Step 3: Generate Server Certificate and Keys

$ ./easyrsa gen-req server nopass
$ ./easyrsa sign-req server server
$ ./easyrsa gen-dh
$ openvpn --genkey --secret ta.key

Step 4: Deploy Server Keys and Certificates

$ sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn/server/

Step 5: Configure the OpenVPN Server

Create the configuration file:

$ sudo vi /etc/openvpn/server/server.conf

Paste the following:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

Step 6: Enable IP Forwarding and Configure UFW

Edit sysctl.conf, and ensure the following line is uncommented:

$ sudo vi /etc/sysctl.conf
...
net.ipv4.ip_forward=1
...

Apply changes:

$ sudo sysctl -p

Configure firewall:

$ sudo ufw allow 1194/udp
$ sudo ufw allow OpenSSH

Edit UFW NAT rules:

$ sudo vi /etc/ufw/before.rules

Add above *filter section:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Replace eth0 with your actual network interface. Check it using:

$ ip route
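As an added example (not part of the original guide), the following POSIX shell helper picks the egress interface out of `ip route` output, renders the *nat block with that interface in place of eth0, and checks whether before.rules already carries a *nat table so the rule is not added twice. The function takes the route output as an argument, so it can be exercised against the constructed sample below as well as the live routing table; the interface name ens3 and the addresses in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the original guide: pick the egress interface for
# the MASQUERADE rule and render the *nat block for /etc/ufw/before.rules.

# Print the interface that follows "dev" on the default route.
# $1 = text of `ip route` output (passed in so it can be tested offline).
default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# Render the NAT section for before.rules.
# $1 = egress interface, $2 = VPN subnet (default matches the guide's
# "server 10.8.0.0 255.255.255.0").
render_nat_block() {
    iface="$1"; subnet="${2:-10.8.0.0/24}"
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s %s -o %s -j MASQUERADE\nCOMMIT\n' \
        "$subnet" "$iface"
}

# Succeed (exit 0) only when the file has no *nat table yet, so re-running the
# guide does not stack a second copy of the rule.
# $1 = path to before.rules
needs_nat_block() {
    ! grep -q '^\*nat' "$1"
}

# Constructed sample of `ip route` output (not captured from a real host).
SAMPLE_ROUTES='default via 192.0.2.1 dev ens3 proto dhcp src 192.0.2.10 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1'

# Demo against the sample; on the server you would use "$(ip route)" instead.
render_nat_block "$(default_iface "$SAMPLE_ROUTES")"
```

On a live host, run `render_nat_block "$(default_iface "$(ip route)")"` and paste the output above the *filter section only if `needs_nat_block /etc/ufw/before.rules` succeeds.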

Edit UFW default settings:

$ sudo vi /etc/default/ufw
# Set DEFAULT_FORWARD_POLICY to ACCEPT
...
DEFAULT_FORWARD_POLICY="ACCEPT"
...

Restart UFW:

$ sudo ufw disable
$ sudo ufw enable

Step 7: Start OpenVPN Service

$ sudo systemctl start openvpn-server@server
$ sudo systemctl enable openvpn-server@server
$ sudo systemctl status openvpn-server@server

Step 8: Generate Client Certificate

$ cd ~/openvpn-ca
$ ./easyrsa gen-req client1 nopass
$ ./easyrsa sign-req client client1

Prepare these files for client use:

  • ~/openvpn-ca/pki/ca.crt
  • ~/openvpn-ca/pki/issued/client1.crt
  • ~/openvpn-ca/pki/private/client1.key
  • ~/openvpn-ca/ta.key

Step 9: Create Client Configuration File

Create client1.ovpn with the following content:

client
dev tun
proto udp
remote your.server.ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
key-direction 1
verb 3

<ca>
# Paste contents of ca.crt here
</ca>
<cert>
# Paste contents of client1.crt here
</cert>
<key>
# Paste contents of client1.key here
</key>
<tls-auth>
# Paste contents of ta.key here
</tls-auth>

Import this .ovpn file into your OpenVPN client application.
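Pasting four files into the profile by hand is error-prone, so here is an added example (not from the original guide) that builds client1.ovpn from the files listed in Step 8 with the inline blocks from Step 9 filled in. It assumes the Easy-RSA layout the guide creates (pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key under ~/openvpn-ca, with ta.key in the top-level directory); it strips the human-readable preamble Easy-RSA writes before each certificate, refuses to write a profile if any input is missing, and creates the file with mode 0600 because it carries the client's private key.

```shell
#!/bin/sh
# Added example, not from the original guide: assemble an inline OpenVPN
# client profile from the files Step 8 produced, so the certificate and key
# do not have to travel as separate files.

# Keep only the PEM block of a file; Easy-RSA prefixes issued certificates
# with a text dump and ta.key starts with comment lines.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Render the profile.
# $1 = client name, $2 = server address, $3 = Easy-RSA directory,
# $4 = output path. Returns 1 without writing anything if an input is missing.
build_ovpn() {
    client="$1"; server="$2"; pki="$3"; out="$4"
    ca="$pki/pki/ca.crt"
    crt="$pki/pki/issued/$client.crt"
    key="$pki/pki/private/$client.key"
    ta="$pki/ta.key"
    for f in "$ca" "$crt" "$key" "$ta"; do
        [ -r "$f" ] || { echo "build_ovpn: missing $f" >&2; return 1; }
    done
    # The profile embeds the private key: create it 0600 from the start by
    # setting umask in a subshell rather than chmod'ing afterwards.
    (
        umask 077
        {
            cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
key-direction 1
verb 3

EOF
            printf '<ca>\n';       pem_only "$ca";  printf '</ca>\n'
            printf '<cert>\n';     pem_only "$crt"; printf '</cert>\n'
            printf '<key>\n';      pem_only "$key"; printf '</key>\n'
            printf '<tls-auth>\n'; pem_only "$ta";  printf '</tls-auth>\n'
        } > "$out"
    )
}

# Usage on the server, after Step 8:
#   sh build_ovpn.sh client1 your.server.ip ~/openvpn-ca ~/client1.ovpn
if [ "$#" -eq 4 ]; then
    build_ovpn "$@"
fi
```

Hand the resulting file to the client over a channel you trust (it contains client1.key), then import it as in Step 9.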


Completion

Your OpenVPN server is now up and running on Ubuntu 24.04.