Ubuntu 24.04 OpenVPN Setup

Posted on

Introduction

This guide outlines the steps to set up an OpenVPN server on Ubuntu 24.04, including certificate management, server configuration, firewall setup, and client provisioning.

Step 1: Install OpenVPN and Easy-RSA

1
2
$ sudo apt update
$ sudo apt install openvpn easy-rsa -y

Step 2: Initialize the Public Key Infrastructure (PKI)

1
2
3
$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca
$ vi vars

Edit the vars file with appropriate values:

1
2
3
4
5
6
set_var EASYRSA_REQ_COUNTRY    "TW"
set_var EASYRSA_REQ_PROVINCE   "Taipei"
set_var EASYRSA_REQ_CITY       "Taipei"
set_var EASYRSA_REQ_ORG        "MyVPN"
set_var EASYRSA_REQ_EMAIL      "[email protected]"
set_var EASYRSA_REQ_OU         "IT"

Initialize the PKI and build the Certificate Authority (CA):

1
2
$ ./easyrsa init-pki
$ ./easyrsa build-ca

If you see an error like Can't load /home/$USER/openvpn-ca/pki/.rnd into RNG, run:

1
$ openssl rand -writerand pki/.rnd

and retry ./easyrsa build-ca.

Step 3: Generate Server Certificate and Keys

1
2
3
4
$ ./easyrsa gen-req server nopass
$ ./easyrsa sign-req server server
$ ./easyrsa gen-dh
$ openvpn --genkey --secret ta.key

Step 4: Deploy Server Keys and Certificates

1
$ sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn/server/

️ Step 5: Configure the OpenVPN Server

Create the configuration file:

1
$ sudo vi /etc/openvpn/server/server.conf

Paste the following:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

Step 6: Enable IP Forwarding and Configure UFW

Edit sysctl.conf, and ensure the following line is uncommented:

1
2
3
4
$ sudo vi /etc/sysctl.conf
...
net.ipv4.ip_forward=1
...

Apply changes:

1
$ sudo sysctl -p

Configure firewall:

1
2
$ sudo ufw allow 1194/udp
$ sudo ufw allow OpenSSH

Edit UFW NAT rules:

1
$ sudo vi /etc/ufw/before.rules

Add above *filter section:

1
2
3
4
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Replace eth0 with your actual network interface. Check it using:

1
ip route

Edit UFW default settings:

1
2
3
4
5
$ sudo vi /etc/default/ufw
# Set DEFAULT_FORWARD_POLICY to ACCEPT
...
DEFAULT_FORWARD_POLICY="ACCEPT"
...

Restart UFW:

1
2
$ sudo ufw disable
$ sudo ufw enable

Step 7: Start OpenVPN Service

1
2
3
$ sudo systemctl start openvpn-server@server
$ sudo systemctl enable openvpn-server@server
$ sudo systemctl status openvpn-server@server

Step 8: Generate Client Certificate

1
2
3
$ cd ~/openvpn-ca
$ ./easyrsa gen-req client1 nopass
$ ./easyrsa sign-req client client1

Prepare these files for client use:

  • ~/openvpn-ca/pki/ca.crt
  • ~/openvpn-ca/pki/issued/client1.crt
  • ~/openvpn-ca/pki/private/client1.key
  • ~/openvpn-ca/ta.key

Step 9: Create Client Configuration File

Create client1.ovpn with the following content:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
client
dev tun
proto udp
remote your.server.ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
key-direction 1
verb 3

<ca>
# Paste contents of ca.crt here
</ca>
<cert>
# Paste contents of client1.crt here
</cert>
<key>
# Paste contents of client1.key here
</key>
<tls-auth>
# Paste contents of ta.key here
</tls-auth>

Import this .ovpn file into your OpenVPN client application.

Completion

Your OpenVPN server is now up and running on Ubuntu 24.04.