How to Install OpenVPN in Ubuntu 11.04

Few days ago I bought VPS account which I installed Ubuntu 11.04. This is how I installed OpenVPN into the VPS.

The network configuration:

# ifconfig
lo        Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
UP LOOPBACK RUNNING  MTU:16436  Metric:1
RX packets:11947 errors:0 dropped:0 overruns:0 frame:0
TX packets:11947 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1287068 (1.2 MB)  TX bytes:1287068 (1.2 MB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
RX packets:33189 errors:0 dropped:0 overruns:0 frame:0
TX packets:33130 errors:0 dropped:10 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7778081 (7.7 MB)  TX bytes:7956162 (7.9 MB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:208.89.210.232  P-t-P:208.89.210.232  Bcast:0.0.0.0  Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:208.89.210.78  P-t-P:208.89.210.78  Bcast:0.0.0.0  Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

Install OpenVPN package and add openvpn user:

# apt-get install openvpn
# adduser --system --no-create-home --group openvpn

Configure Easy-RSA:
Easy-RSA is tool to manage security certificates (for granting client access to OpenVPN server).

# mkdir /etc/openvpn/easy-rsa
# cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa
# nano vars

Now you’re editing /etc/openvpn/easy-rsa/vars file. Scroll down to bottom until you see “export KEY_COUNTRY=” and make sure you edit accordingly:

export KEY_COUNTRY="SG"
export KEY_PROVINCE="Singapore"
export KEY_CITY="Singapore"
export KEY_ORG="My Company"
export KEY_EMAIL="root@server.local"

After edit, exit by pressing CTRL+X and answer Y to save the file.

Run the following command, and answer the question with default answer:

# source ./vars
# ./clean-all
# chmod 700 /etc/openvpn/easy-rsa/keys/
# ./build-ca
# ./build-dh

Create server key, in this case I use domain ‘vpn.id-ebook.com’.

# ./build-key-server vpn.id-ebook.com

If you want to create more domains, just use these 3 commands:

# cd /etc/openvpn/easy-rsa
# source ./vars
# ./build-key-server <domain name>

Now we create server configuration file. You can replace myserver.conf to any name.

# nano /etc/openvpn/myserver.conf

and type in the following configuration lines:

server 10.8.0.0 255.255.255.0
# YOUR LOCAL SERVER IP HERE: (I decided to comment out this value)
# local  a.b.c.d
dev tun
proto udp
comp-lzo
# THESE 2 LINES ARE HELPFUL FOR THOSE WITH MOBILE (G3 / G3.5) BROADBAND:
tun-mtu 1500
tun-mtu-extra 32
# ROUTE THE CLIENT'S INTERNET ACCESS THROUGH THIS SERVER:
push "redirect-gateway def1"
keepalive 10 60
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
# ENSURE THE DOMAIN NAME/FILENAME IS CORRECT:
cert /etc/openvpn/easy-rsa/keys/vpn.id-ebook.com.crt
key /etc/openvpn/easy-rsa/keys/vpn.id-ebook.com.key
# LEAVE THE FOLLOWING LINE COMMENTED FOR NOW:
# crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
user openvpn
group openvpn
persist-key
persist-tun

Client configuration:
First of all, we create client access certificate (CSR file) on the server.

# cd /etc/openvpn/easy-rsa
# source ./vars
# ./build-key-pkcs12 <csr name>

CSR name can be any name, for example: mylaptop. This will generate a file /etc/openvpn/easy-rsa/keys/mylaptop.p12.
And then configure IP forward and NAT on the server:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to 208.89.210.232

208.89.210.232 is Ubuntu public IP.

For the client, I use Windows XP. So I download and install OpenVPN GUI from http://openvpn.se

Create mylaptop.vpn.id-ebook.com.ovpn config file and put in C:\Program Files\OpenVPN\config\ using the following content:

client
dev tun
proto udp
# THE IP OF THE REMOTE OPENVPN SERVER:
remote 208.89.210.232
# THE CSR FILE:
pkcs12 mylaptop.p12
comp-lzo

Don’t forget to copy mylaptop.p12 from server to client PC and put also in C:\Program Files\OpenVPN\config\ folder.

At this stage, all configuration is done.

Now restart OpenVPN server:

# /etc/init.d/openvpn restart

And run OpenVPN client to connect to the server.

Source