Secure Communications with OpenVPN on Ubuntu 12.04 (Precise) and Debian 7
Updated by Alex Fornuto
OpenVPN, or Open Virtual Private Network, is a tool for creating networking tunnels between and among groups of computers that are not on the same local network. This is useful if you want to remotely access services on a local network without making them publicly accessible. By integrating with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.
Before installing OpenVPN, we assume that you have followed our Getting Started Guide. If you’re new to Linux server administration you may be interested in our Introduction to Linux Concepts Guide, Beginner’s Guide and Administration Basics Guide. If you’re concerned about securing on your Linode, you might be interested in our Security Basics article as well.
For many private networking tasks, we suggest that you consider the functions of the OpenSSH package which can provide easier VPN and VPN-like services. OpenSSH is also installed and configured by default on all Linodes. For example, see Using SSHFS on Linux and MacOS X or our guide on Setting up an SSH Tunnel for more information. Nevertheless, if your deployment requires a more traditional VPN solution like OpenVPN, this document covers the installation and configuration of the OpenVPN software.
How OpenVPN Works
Once configured, the OpenVPN server encrypts traffic between your local computer and your Linode’s local network. While all other traffic is handled in the conventional manner, the VPN allows traffic on non-public interfaces to be securely passed through your Linode. This means you can connect to the local area network in your Linode’s data center. Using OpenVPN in this manner is supported by the default configuration
With the additional configuration we will set up at the end of this guide, all traffic coming from your local computer can be tunneled through the VPN server. This can be used to circumvent local traffic restrictions, or to mask the traffic coming from your computer.
Please note that only one public IP address is required to use OpenVPN
Follow these instructions to install OpenVPN:
Update your package repositories with the following command:
Update your installed programs:
Install the OpenVPN software with the following command:
apt-get install openvpn
The OpenVPN package provides a set of encryption-related tools called easy-rsa. In order for OpenVPN to function properly, these scripts should be located in the
/etc/openvpn/directory. This is possible with the following command:
cd /etc/openvpn/ && make-cadir easy-rsa
Most of the relevant configuration for the OpenVPN public key infrastructure is contained in
/etc/openvpn/easy-rsa/. We will create several files in this directory used to define the OpenVPN server and client security.
Initializing the Public Key Infrastructure (PKI)
In this section, you will initialize the certificate authority and the public key infrastructure:
Move into the
Create a symbolic link from
ln -s openssl-1.0.0.cnf openssl.cnf
This will return
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
build-cascript. At each prompt, fill out the information to be used in your certificate.
After doing this, your PKI should be configured properly.
Generating Certificates and Private Keys
With the certificate authority generated, you can generate the private key for the server and certificates for all the VPN clients.
Create the key with the following command:
- You will be prompted for additional information. Change the default values as necessary. By default, the
Common Namefor this key will be server. The challenge password and company names are optional and can be left blank.
- When you’ve completed the question section, confirm the signing of the certificate and the
certificate requests certifiedby answering yes to these questions.
With the private keys generated, create certificates for all of your VPN clients. Issue the following command:
Anyone with access to
client1.keywill be able to access your VPN. To better protect against this scenario, you can issue
./build-key-pass client1instead to build a client key which is encrypted with a passphrase.
- Repeat the previous step for each client, replacing
client1with an appropriate identifier.
You should generate a unique key for every user of the VPN. Each key should have its own unique identifier, but all other information can remain the same. If you need to add users to your OpenVPN at any time, repeat step 4 to create additional keys.
Generating Diffie Hellman Parameters
The Diffie Hellman Parameters govern the method of key exchange used by the OpenVPN server. By creating a .pem file, you create the parameters by which the OpenVPN server will initiate secured connections with the clients.
Issue the following command to generate the
This should produce the following output:
Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time
This will be followed by a quantity of seemingly random output. Once it brings you back to a command prompt, the task has succeeded. In the
keys subdirectory it’s created a file called
dh1024.pem which will be used to generate secure connections to the VPN server’s clients.
Relocating Secure Keys
Move all of the secure keys to their proper locations by following these instructions:
/etc/openvpn/easy-rsa/keys/directory contains all of the keys and certificates for the server and its clients generated using the
easy-rsatools. Copy the following certificate and key files to the remote client machines, using scp or another means of transferring:
Transfer these keys with the utmost attention to security. Anyone who has the key or is able to intercept an unencrypted copy of the key will be able to gain full access to your virtual private network. Typically we recommend that you encrypt the keys for transfer, either by using a protocol like SSH, or by encrypting them with the PGP tool.
On your server, change to the
Copy the keys to the
/etc/openvpndirectory of the server so the OpenVPN server process can access them:
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
Keeping control of these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they’re encrypted and secured. If these files become compromised, they must be recreated along with all client keys.
Revoking Client Certificates
If you need to remove a user’s access to the VPN server, follow these instructions:
varsscript. Note that for this script to function properly your working (current) directory must be /etc/openvpn/easy-rsa/ :
revoke-fullscript, substituting client1 with the name of the certificate you want to revoke:
This will revoke the ability of all users using the
client1 certificate to access the VPN. Make sure you don’t accidentally revoke access for someone who still needs it, and who uses that certificate.
Configuring Server and Client Settings
In this section, you’ll create two important configuration files. One is for the server and defines the scope and settings for the VPN. The other is for your local computer, and defines the settings you will pass on to your VPN client. For each client connecting to the VPN you will need to generate a separate configuration file.
Configure your server file. There’s an example file in
/usr/share/doc/openvpn/examples/sample-config-fileswhich you’ll use as a starting point. First, extract and copy the file to the
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz >/etc/openvpn/server.conf
client.conffile to your home directory:
cp client.conf ~/
Move to your home directory:
~/client.conffile for editing, and update the
remoteline to reflect the OpenVPN server’s name:
1 2 3 4 5
# The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote example.com 1194
In the same file,
client.conf, edit the
keylines to reflect the name of your key. In this example we use
client1for the file name.
1 2 3 4 5 6 7 8 9
# SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca ca.crt cert client1.crt key client1.key
- Copy the
~/client.conffile to your client system.
- Repeat the entire key generation and distribution process for every user and every key that will connect to your network.
To start the OpenVPN server, run the following command:
service openvpn start
This will scan the
/etc/openvpn directory on the server for files with a
.conf extension. For every file that it finds, it will create and run a VPN daemon (server).
Installing Client-Side Software
The process for connecting to the VPN varies depending on the specific operating system and distribution running on the client machine. You will need to install the right OpenVPN package for your client operating system.
Most network management tools provide some facility for managing connections to a VPN. Configure connections to your OpenVPN through the same interface where you might configure wireless or ethernet connections. If you choose to install and manage OpenVPN manually, you will need to place the the
client1.conf file and the requisite certificate files in the local machine’s
/etc/openvpn directory, or equivalent location.
If you use OS X on a Mac, we have found that the Tunnelblick tool provides an easy method for managing OpenVPN connections. If you use Windows, the OpenVPN GUI tool may be an effective tool for managing your connections too. Linux desktop users can install the OpenVPN package and use the network management tools that come with the desktop environment.
Here we will go through installing Tunneblick on OSX:
- To download the latest version of Tunnelblick, click here. After opening the dmg file you can drag it into applications or open it immediately and it will copy itself.
After starting, you will see this splash screen:
At the next screen click the I have configuration files button.
At the next screen, click OpenVPN Configuration(s):
- Tunnelblick will open a Finder window into which you can copy the client.conf and client1 ca, crt, and key files you created on the Linode and copied to this client machine. Follow the rest of the instructions shown in Tunnelblick to create and install your Tunnelblick configuration file.
Connecting to the VPN
If you are using Tunnelblick, click on the tray icon to initiate the connection:
A notification will show you the status as it connects:
Accessing your Linode over the VPN
Once you’re connected to your VPN, you can SSH to another Linode over the private network. If you want to access files directly from your Linode, you will need to install a compatible network file sharing protocol, like Samba, NFS, or Appletalk.
Tunneling All Connections through the VPN
By deploying the following configuration, you will be able to forward all traffic from client machines through your Linode, and encrypt it with transport layer security (TLS/SSL) between the client machine and the Linode.
Uncomment the following parameter by removing the semicolon to the
/etc/openvpn/server.conffile to enable full tunneling:
push "redirect-gateway def1 bypass-dhcp"
/etc/sysctl.conffile to uncomment or add the following line to ensure that your system can forward IPv4 traffic:
Issue the following command to set this variable for the current session:
echo 1 > /proc/sys/net/ipv4/ip_forward
Issue the following set of commands, one line at a time, to configure
iptablesto properly forward traffic through the VPN:
1 2 3 4 5 6 7 8
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -A FORWARD -j REJECT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A INPUT -i tap+ -j ACCEPT iptables -A FORWARD -i tap+ -j ACCEPT
Add the same
iptablesrules to your system’s
/etc/rc.localfile, so they will be recreated following your next reboot cycle:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
#!/bin/sh -e # # [...] # iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -A FORWARD -j REJECT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A INPUT -i tap+ -j ACCEPT iptables -A FORWARD -i tap+ -j ACCEPT exit 0
This will enable all client traffic except for DNS queries to be forwarded through the VPN.
To forward DNS traffic through the VPN, you will need to install the
dnsmasqpackage and modify the
/etc/opnevpn/server.confpackage. Install and configure the
dnsmasqpackage with the following command:
apt-get install dnsmasq && dpkg-reconfigure resolvconf
If you are using Debian 7, replace this command with
apt-get install dnsmasq resolvconfand skip steps 7 through 9
You will be presented with a series of options in an ncurses menu. First, choose yes to prepare
/etc/resolv.conffor dynamic updates.
At the next option select No. This means that you will need to update
/etc/network/interfacesbut won’t need to remove the workaround afterwards.
The third menu simply warns you that a reboot will be required to prevent a known bug.
Modify its configuration so that dnsmasq is not listening on a public interface. Open
/etc/dnsmasq.conffor editing, and make sure the following lines are uncommented and have the appropriate values:
1 2 3
Now that dnsmasq is configured, you will need to add two new lines to /etc/network/interfaces. First, go to the Linode’s Remote Access page, shown below. You’ll need the IP addresses listed under DNS Resolvers for the
Open the interfaces file and insert the addresses listed under DNS Resolvers:
1 2 3 4 5 6
# The primary network interface auto eth0 iface eth0 inet dhcp dns-search members.linode.com dns-nameservers 18.104.22.168 22.214.171.124 126.96.36.199
If you’re not utilizing IPv6, you can omit the addresses starting with 2600:
When your system boots, dnsmasq will try to start before the OpenVPN tun device has been enabled. This will cause dnsmasq to fail at boot. To rectify this, modify your
/etc/rc.localfile to add a line that will restart dnsmasq after all the init scripts have finished. You should place the restart command after your iptables rules:
1 2 3
/etc/init.d/dnsmasq restart exit 0
Add the following line to the
push "dhcp-option DNS 10.8.0.1"
Restart the Linode:
To test your connection, connect to the VPN connection from your local machine, then access one of the many websites that will display your public IP address. If the IP address displayed doesn’t match the IP address of your Linode, your traffic is not being filtered through your Linode or encrypted by the VPN. If the IP matches, network traffic from your local machine is being filtered through your Linode and encrypted over the VPN, and you have successfully completed your OpenVPN setup!
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
- Official OpenVPN Documentation
- Tunnelblick OS X OpenVPN Client
- OpenVPN GUI for Windows
- Network Manager GNOME Configuration Management Tool
This guide is published under a CC BY-ND 4.0 license.