
Installing OpenVPN on Ubuntu 20.04 or later

Reviewed on 02 July 2024. Published on 16 January 2019.
  • vpn
  • OpenVPN
  • Ubuntu
  • Bionic-Beaver

OpenVPN is open-source software for running a Virtual Private Network (VPN), creating secure point-to-point or site-to-site connections in routed or bridged configurations. It uses its own security protocol, which relies on SSL/TLS for key exchange.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An SSH key
  • An Instance running on Ubuntu 20.04 or later

Installing Easy-RSA

The first step in building an OpenVPN configuration is to establish a PKI (Public Key Infrastructure). It consists of the following elements:

  • a certificate and private key for the server and for each client
  • a certification authority (CA) certificate and private key, used to sign, and thereby identify, the server certificate as well as each client certificate

OpenVPN supports two-way certificate-based authentication, which means that the client must verify the server certificate and the server must verify the client certificate before mutual trust is established.

Both the server and the client therefore authenticate each other. First, the presented certificate must be signed by the certification authority (CA); then the information in the header of the authenticated certificate (such as its common name or certificate type) can be tested.

  1. Connect to your Instance via SSH.

  2. Update the package list:

    apt update
    apt upgrade -y
  3. Install OpenVPN and Easy-RSA:

    apt install -y openvpn easy-rsa
  4. Set up the CA directory:

    make-cadir ~/openvpn-ca
    cd ~/openvpn-ca
  5. Initialize the PKI:

    ./easyrsa init-pki
  6. Build the certificate authority:

    ./easyrsa build-ca nopass
  7. Generate the server certificate and key:

    ./easyrsa gen-req server nopass
    ./easyrsa sign-req server server
  8. Generate the Diffie-Hellman parameters:

    ./easyrsa gen-dh
  9. Generate the shared secret used by tls-auth to authenticate control-channel packets:

    openvpn --genkey secret ta.key

Configuring the OpenVPN server

  1. Copy the CA certificate, the server certificate and key, the Diffie-Hellman parameters and the tls-auth key into the OpenVPN directory (the server.conf below refers to all of them by file name, so dh.pem must be copied too):

    cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn/
  2. Create the OpenVPN Server configuration file:

    nano /etc/openvpn/server.conf

    Add the following configuration, save the file and quit nano:

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    auth SHA256
    tls-auth ta.key 0
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 10 120
    cipher AES-256-CBC
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    log-append /var/log/openvpn.log
    verb 3

Setting up a Let’s Encrypt TLS certificate

  1. Install Certbot:

    apt install -y certbot
  2. Obtain the TLS certificate:

    certbot certonly --standalone -d your_domain

    Tip

    Make sure to replace your_domain with your actual domain name. You need to ensure that your domain points to the IP address of your Scaleway Instance.

  3. Configure OpenVPN to use the Let’s Encrypt certificate:

    • Update the cert and key directives in the server.conf file to point at the Let’s Encrypt certificate and key:
      cert /etc/letsencrypt/live/your_domain/cert.pem
      key /etc/letsencrypt/live/your_domain/privkey.pem
    • Leave ca ca.crt unchanged: on the server, the ca directive names the CA that signed the client certificates (the Easy-RSA CA built above), so pointing it at the Let’s Encrypt chain would make the server reject every client certificate issued in the following sections. Clients verify the server certificate against their own ca directive, which must then trust the Let’s Encrypt chain rather than the Easy-RSA ca.crt.

Enabling IP forwarding and adjusting the firewall

  1. Enable IP forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    • Make the change permanent by editing the sysctl.conf file:
      nano /etc/sysctl.conf
      Uncomment the following line:
      net.ipv4.ip_forward=1
  2. Configure the firewall of the Instance (UFW):

    ufw allow 1194/udp
    ufw allow OpenSSH
    ufw enable

    Add the following rules to before.rules so that traffic from the VPN subnet is masqueraded on its way out:

    nano /etc/ufw/before.rules

    Add these lines before the *filter line, replacing eth0 with the name of the Instance's public network interface (ip route show default prints it):

    *nat
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT

    The source network is the /24 given by the server 10.8.0.0 255.255.255.0 directive in server.conf; a /8 here would masquerade the whole 10.0.0.0/8 range. UFW drops forwarded packets by default, so also set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw and run ufw reload for the new rules to take effect.
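The masquerade rule must cover exactly the VPN subnet declared in server.conf. The script below, an added example rather than part of the Scaleway tutorial, derives the rule from the server directive (converting the dotted netmask to a prefix length and rejecting non-contiguous masks) so that the NAT source range cannot drift from the subnet; the interface name ens2 and the sample server.conf are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Scaleway tutorial): derive the POSTROUTING
# masquerade rule from the "server <network> <netmask>" directive in
# server.conf, so the NAT source range always matches the VPN subnet.

# Convert a dotted netmask to a prefix length; fails on non-contiguous masks.
mask_to_prefix() {
    IFS=.; set -- $1; unset IFS
    [ $# -eq 4 ] || return 1
    value=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    bits=0; v=$value
    while [ "$v" -gt 0 ]; do
        bits=$(( bits + (v & 1) )); v=$(( v >> 1 ))
    done
    # a valid mask is exactly <bits> ones followed by zeros
    [ "$value" -eq $(( (4294967295 << (32 - bits)) & 4294967295 )) ] || return 1
    echo "$bits"
}

# Print the iptables rule for $1 (server.conf) and $2 (outbound interface).
nat_rule() {
    net=$(awk '$1 == "server" { print $2; exit }' "$1")
    mask=$(awk '$1 == "server" { print $3; exit }' "$1")
    prefix=$(mask_to_prefix "$mask") || return 1
    printf '%s -s %s/%s -o %s -j MASQUERADE\n' "-A POSTROUTING" "$net" "$prefix" "$2"
}

# Constructed sample server.conf with the tutorial's subnet (not a real file).
TMP=$(mktemp -d)
printf '%s\n' "port 1194" "server 10.8.0.0 255.255.255.0" > "$TMP/server.conf"
# On a real Instance the interface name comes from: ip route show default
nat_rule "$TMP/server.conf" ens2
```

The printed line is what goes into the *nat block of /etc/ufw/before.rules.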

Starting the OpenVPN server

  1. Start and enable OpenVPN:

    systemctl start openvpn@server
    systemctl enable openvpn@server
  2. Check the status of the OpenVPN server:

    systemctl status openvpn@server

Setting up client configuration

  1. Generate client certificates:

    cd ~/openvpn-ca
    ./easyrsa gen-req client1 nopass
    ./easyrsa sign-req client client1
  2. Create the client configuration file:

    nano ~/client1.ovpn

    Add the following configuration:

    client
    dev tun
    proto udp
    remote your_domain 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth ta.key 1
    auth SHA256
    cipher AES-256-CBC
    verb 3

    auth SHA256 must match the server's auth directive: with tls-auth, both sides compute the control-channel HMAC with that digest, and a client left at the default digest is rejected before the TLS handshake. remote-cert-tls server makes the client accept only a certificate whose extended key usage marks it as a server, so a client certificate issued by the same CA cannot be used to impersonate the VPN server.
  3. Transfer the client configuration files to the remote (client) machine:

    scp ~/openvpn-ca/pki/ca.crt ~/openvpn-ca/pki/issued/client1.crt ~/openvpn-ca/pki/private/client1.key ta.key user@your_client_machine:~/client1/
    scp ~/client1.ovpn user@your_client_machine:~/client1/
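Before handing out a profile it is worth checking that the client file agrees with server.conf on everything that must match. The script below is an added example, not part of the Scaleway tutorial; it compares the auth, cipher and proto directives, the tls-auth key direction and the port, using constructed sample configs (the host name vpn.example.test is a placeholder).

```shell
#!/bin/sh
# Added example (not from the Scaleway tutorial): cross-check server.conf
# against a client .ovpn before handing the profile out. Every parameter
# that feeds the tls-auth HMAC or the data channel must agree on both sides.

# Print the first value of a directive, e.g. get_directive server.conf auth
get_directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Return 0 when $1 (server config) and $2 (client config) are compatible;
# each mismatch is reported on stderr and makes the function return 1.
check_pair() {
    srv=$1; cli=$2; rc=0
    for d in auth cipher proto; do
        s=$(get_directive "$srv" "$d"); c=$(get_directive "$cli" "$d")
        if [ "${s:-default}" != "${c:-default}" ]; then
            echo "MISMATCH $d: server=${s:-default} client=${c:-default}" >&2
            rc=1
        fi
    done
    # tls-auth key direction: 0 on the server, 1 on the client
    sdir=$(awk '$1 == "tls-auth" { print $3; exit }' "$srv")
    cdir=$(awk '$1 == "tls-auth" { print $3; exit }' "$cli")
    if [ "$sdir" != 0 ] || [ "$cdir" != 1 ]; then
        echo "MISMATCH tls-auth direction: server=$sdir client=$cdir" >&2
        rc=1
    fi
    # the client's remote port must be the server's listening port
    sport=$(get_directive "$srv" port)
    cport=$(awk '$1 == "remote" { print $3; exit }' "$cli")
    if [ "$sport" != "$cport" ]; then
        echo "MISMATCH port: server=$sport client=$cport" >&2; rc=1
    fi
    return $rc
}

# Constructed sample files that mirror the tutorial's configs (not real deployments).
TMP=$(mktemp -d)
printf '%s\n' "port 1194" "proto udp" "auth SHA256" "tls-auth ta.key 0" \
    "cipher AES-256-CBC" > "$TMP/server.conf"
# Without an auth line the client uses OpenVPN's default digest, so its
# tls-auth HMAC never matches the server's SHA256 one.
printf '%s\n' "client" "proto udp" "remote vpn.example.test 1194" \
    "tls-auth ta.key 1" "cipher AES-256-CBC" > "$TMP/client-bad.ovpn"
printf '%s\n' "client" "proto udp" "remote vpn.example.test 1194" "auth SHA256" \
    "tls-auth ta.key 1" "cipher AES-256-CBC" > "$TMP/client-good.ovpn"

check_pair "$TMP/server.conf" "$TMP/client-bad.ovpn" || echo "client-bad.ovpn needs fixing"
check_pair "$TMP/server.conf" "$TMP/client-good.ovpn" && echo "client-good.ovpn is consistent"
```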

Your OpenVPN server is now set up on your Scaleway Instance, secured with a Let’s Encrypt certificate, and ready for clients to connect. Follow the client configuration steps for each device you want to connect to your VPN.

Tip

For ongoing maintenance, remember to renew your Let’s Encrypt certificates regularly (they expire every 90 days). Certbot only renews a certificate once it is within 30 days of expiry, so the check has to run often enough not to miss that window, and OpenVPN has to be restarted after a renewal to load the new certificate. A daily cron job does both:

echo '0 3 * * * certbot renew --quiet --deploy-hook "systemctl restart openvpn@server"' | crontab -

Note that crontab - replaces the whole crontab of the current user; use crontab -e instead if that user already has other entries.
© 2023-2024 – Scaleway