Commands:
apt-get update
apt-get install openvpn openssl
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
apt-get install nano
nano easy-rsa/vars
change
export EASY_RSA="`pwd`"
to
export EASY_RSA="/etc/openvpn/easy-rsa"
. ./easy-rsa/vars
./easy-rsa/clean-all
cd easy-rsa
ln -s openssl-1.0.0.cnf openssl.cnf
cd ..
./easy-rsa/build-ca OpenVPN
./easy-rsa/build-key-server server
./easy-rsa/build-key client1
./easy-rsa/build-dh
nano openvpn.conf
begin openvpn.conf contents – copy below this line
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
end openvpn.conf contents – copy above this line
echo 1 > /proc/sys/net/ipv4/ip_forward
Run “ifconfig” to get the adapter name and IP address (mine was venet0, since my VPS host uses OpenVZ), then use them in the next command:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to YOUR.VPS.IP
cd ..
nano sysctl.conf
un-comment (remove the #) from the line containing #net.ipv4.ip_forward=1
cd ..
/etc/init.d/openvpn start
begin newvpn.ovpn contents – copy below this line
dev tun
client
proto udp
remote YOUR.VPS.IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
end newvpn.ovpn contents – copy above this line
The software I download the files with is called WinSCP. It allows you to transfer files via SSH. This is useful if you do not have an ftp or http server running.
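An added example, not part of the original post: a shell check that reads an OpenVPN config like the two above on stdin and lists the settings that weaken it (1024-bit DH, comp-lzo, no tls-auth, no explicit cipher, client-to-client, no remote-cert-tls on the client). The function names and finding labels are made up for this example, and the sample input is the tutorial's two configs trimmed to the relevant lines.

```shell
#!/bin/sh
# Added example, not from the original post: list settings in an OpenVPN
# config (read from stdin) that weaken the tunnel. ROLE is server or client.

# has CONF NAME: true if an uncommented line starts with directive NAME
has() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
}

audit_openvpn() {
    role=$1; conf=$(cat)
    # Key size is read from the dhNNNN.pem file name that build-dh writes
    bits=$(printf '%s\n' "$conf" |
        sed -n 's/^[[:space:]]*dh[[:space:]].*dh\([0-9][0-9]*\)\.pem.*/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "weak-dh: ${bits}-bit DH parameters, use 2048 or more"
    fi
    # "comp-lzo no" switches compression off, so it is not reported
    if printf '%s\n' "$conf" | grep -E '^[[:space:]]*comp-lzo' |
        grep -Evq '[[:space:]]no([[:space:]]|$)'; then
        echo "compression: comp-lzo can leak plaintext through packet length"
    fi
    if ! has "$conf" tls-auth && ! has "$conf" tls-crypt; then
        echo "no-tls-auth: handshake packets are not HMAC-authenticated"
    fi
    if ! has "$conf" cipher; then
        echo "no-cipher: data cipher is left to the version default"
    fi
    if [ "$role" = server ] && has "$conf" client-to-client; then
        echo "client-to-client: VPN clients can reach each other directly"
    fi
    if [ "$role" = client ] && ! has "$conf" remote-cert-tls; then
        echo "no-remote-cert-tls: any CA-signed cert is accepted as server"
    fi
    return 0
}

# Constructed sample input: the tutorial's two configs, trimmed
page_server_conf() {
    printf '%s\n' 'dev tun' 'proto udp' \
        'dh /etc/openvpn/easy-rsa/keys/dh1024.pem' \
        'client-to-client' '#set the dns servers' 'comp-lzo'
}
page_client_conf() {
    printf '%s\n' 'client' 'remote YOUR.VPS.IP 1194' 'ca ca.crt' 'comp-lzo'
}

page_server_conf | audit_openvpn server
page_client_conf | audit_openvpn client
```

To check the real files instead of the samples, pipe them in, for example `audit_openvpn server < /etc/openvpn/openvpn.conf`.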
Comments prior to 12/23/2012 for this post can be found here.


31 comments
GeeksAndTweaks
December 24, 2012 at 1:49 AM (UTC -4) Link to this comment
All comments have been archived to reduce page load time. They are linked to at the bottom of the original post. Please feel free to leave new comments, questions and suggestions. You don’t even have to register :)
joelb
December 30, 2012 at 4:19 PM (UTC -4) Link to this comment
Hey wow! Great tut. No problems with the steps listed, could use a teensy-tiny bit more info though:
you mention copying 3 files to the client. Which 3 files?
I assume these would go in the users .ssh dir?
Also, the file newvpn.ovpn, where does that go? I’ll be using OS X 10.8 as the client.
GeeksAndTweaks
December 31, 2012 at 6:52 AM (UTC -4) Link to this comment
ca.crt, client1.crt, and client1.key are the three files if you named everything the same as I did in the tutorial. Those and the newvpn.ovpn would all go in C:\Program Files\OpenVPN\config\choose_a_sensible_folder_name on a Windows machine. On a Mac (bear with me I’ve no experience with them) it appears to be located in ~/Library/openvpn/choose_a_sensible_folder_name (The ~ represents the currently logged on users’ /Home directory) I hope this helps (:
joelb
December 30, 2012 at 4:19 PM (UTC -4) Link to this comment
sorry, 1 more question: i have fwded port 1194 on the router to the OpenVPN server. Any other ports needed for this?
GeeksAndTweaks
December 31, 2012 at 6:43 AM (UTC -4) Link to this comment
Port 1194 is all that’s necessary, and is only necessary if your server is behind a router.
Steve
January 14, 2013 at 3:04 PM (UTC -4) Link to this comment
root@server:/etc/openvpn/easy-rsa/keys# cat >mkclientpkg.sh
#!/bin/bash
client=$1
tar -cvzf "$client.package.tar.gz" ca.crt "$client.crt" "$client.key" "$client.ovpn"
echo "Saved $client.package.tar.gz"
(ctrl-d)
root@server:/etc/openvpn/easy-rsa/keys# chmod 700 mkclientpkg.sh
root@server:/etc/openvpn/easy-rsa/keys# ./mkclientpkg.sh client1
ca.crt
client1.crt
client1.key
client1.ovpn
Saved client1.package.tar.gz
root@server:/etc/openvpn/easy-rsa/keys# scp client1.package.tar.gz user@someclient:.
~meanwhile..
user@someclient:~$ tar -xvzf client1.package.tar.gz
~user imports with VPN client… just works.. user is amazed.. ++admin
disclaimer: o&oe cap fits wear
GeeksAndTweaks
January 14, 2013 at 4:47 PM (UTC -4) Link to this comment
Nice! Thanks for the tip :)
Simon
January 20, 2013 at 4:25 AM (UTC -4) Link to this comment
Hi,
Thanks for the great tutorial. It worked for me and I got the VPN working. The VPN server is an Amazon EC2 instance.
After establishing the VPN connection using my OpenVPN Windows client, I wanted to ensure that all the Internet traffic is routed via the Amazon EC2 instance. But my local browsing is still using the local ISP. Is there a tutorial somewhere where I can use the VPN server as my access gateway once I’m connected?
Thanks in advance.
GeeksAndTweaks
January 21, 2013 at 3:52 PM (UTC -4) Link to this comment
Hmm, by default all your traffic should be routed through the VPN if it’s connected. You’d normally have to take extra steps to get any software to talk outside the VPN while it’s connected.
petter
January 30, 2013 at 5:59 PM (UTC -4) Link to this comment
hello, i followed the instructions, but the server only allows one client connected at a time, i have tried the same client cert/keys, and created different ones for each client, but no luck :(
some tips how to fix this? thanks
GeeksAndTweaks
February 14, 2013 at 11:45 AM (UTC -4) Link to this comment
Have you checked the “max-clients” setting in the server config file?
julz
January 31, 2013 at 2:34 AM (UTC -4) Link to this comment
How can i make it work like pptp? with username and password.
also how to add account?
Sorry for asking too much, I really don’t have any idea how to get started :)
GeeksAndTweaks
February 14, 2013 at 11:43 AM (UTC -4) Link to this comment
I’ve never had the need to set up authentication for the way I use these but this is what the OpenVPN official site says:
You can read more here.
julz
February 6, 2013 at 8:37 AM (UTC -4) Link to this comment
I got everything. It’s working, though when I check my IP it’s still using the same home IP I had. Any idea what went wrong?
GeeksAndTweaks
February 14, 2013 at 11:37 AM (UTC -4) Link to this comment
When you connect, does the Openvpn GUI client icon in the system tray turn green? You can also right click the tray icon, choose “View Log” under your VPN, and see if you can find any errors listed.
Terje
February 14, 2013 at 6:42 AM (UTC -4) Link to this comment
I want to use a physical (mail)server located in Norway to watch webTV from Norway while in the US. webTV providers in Norway will not stream video to my US-based IP address. As a workaround, I installed the OpenVPN software on my mail server in Norway following your instructions and it apparently works OK. The changes I made were to use 127.0.0.0/24 where you have 10.8.0.0/24, and I used 192.168.#.# for the mailserver IP address where you have Your.VPS.IP. Let me know if this is OK.
However, for the newvpn.ovpn file, what Your.VPS.IP do I use? The static internet IP address of my server in Norway is what I put in the file. My server is behind a router that now is forwarding port 1194 to the local address of my server.
This is a simple setup to be used for one purpose only. Please let me know your suggestions.
Thanks, Terje
GeeksAndTweaks
February 14, 2013 at 11:34 AM (UTC -4) Link to this comment
Sounds like you got everything right to me. The IP address you used 127.0.0.0/24, is what range of IP’s to assign to clients within the VPN. Being as most machines assign the address 127.0.0.1 for itself (ever heard the joke there’s no place like 127.0.0.1?) I suppose it could cause issues if an IP address conflict happened. For example in IPtables when telling it to forward traffic, the server could get confused when you tell it to route traffic to 127.0.0.1. It may think you mean to itself. Does this make sense? I’m not even positive it will cause an issue, but if trouble arises it would be one of the first things I’d troubleshoot.
And last, you used the correct IP in the .ovpn file.
Thanks for stopping by :)
Chris
March 3, 2013 at 3:15 PM (UTC -4) Link to this comment
Hi,
Great tutorial.
I’m having a little trouble with the setup though. I cannot see tun0 in my ifconfig on the Ubuntu server, and I copied the client files across to my Windows machine and I can’t seem to get it to connect, it just says openvpn exit. I’m quite lost where to go from here?
GeeksAndTweaks
May 14, 2013 at 2:20 AM (UTC -4) Link to this comment
I know this reply is super late but I’m going to leave it for anyone who may run across the same issue. If the machine is not showing a tun0 adapter, issue the following commands and try again. If it works as expected you’ll need to do it every time the server starts. Do this by inserting them into rc.local.
mkdir /dev/net
mknod /dev/net/tun c 10 200
DaveJ
April 10, 2013 at 1:08 AM (UTC -4) Link to this comment
This might be a stupid question, but how do you know what to use for YOUR VPS IP?
GeeksAndTweaks
April 10, 2013 at 2:35 AM (UTC -4) Link to this comment
It’s usually given to you by the company you purchase the VPS from.
Anonymous
April 22, 2013 at 7:16 AM (UTC -4) Link to this comment
Hi. Stupid question: is my easy-rsa/vars file supposed to be blank when I open it?
GeeksAndTweaks
May 14, 2013 at 2:13 AM (UTC -4) Link to this comment
Yeap.
Sri Kolla
April 26, 2013 at 1:12 PM (UTC -4) Link to this comment
Hi, I followed your instructions and installed. But when i tried to connect to openvpn, it connects to openvpn but i cannot browse any internet. connection timed out.
But i can ping to my vpn server and can browse files in my vps server. What may have gone wrong??
GeeksAndTweaks
May 14, 2013 at 2:12 AM (UTC -4) Link to this comment
Did you un-comment the line containing #net.ipv4.ip_forward=1 in sysctl.conf?
Steve
May 7, 2013 at 4:59 PM (UTC -4) Link to this comment
This is a really fantastic tutorial! Thanks
One question though – I want to VPN into this box from outside. No VPS…just want to allow incoming VPN connections to this server – what do I do about the “YOUR.VPS.IP” line?
GeeksAndTweaks
May 14, 2013 at 2:07 AM (UTC -4) Link to this comment
YOUR.VPS.IP is to be replaced with the external IP address of the VPS you’re installing the VPN on. The VPS is a virtual private server hosting a virtual private network(VPN). One runs on the other and both are required.
Deirdre Hebert
May 10, 2013 at 3:27 PM (UTC -4) Link to this comment
Hello,
When I get to the line: ./easy-rsa/build-ca OpenVPN
I get the response ./easy-rsa/build-ca: 8: ./easy-rsa/build-ca: ./pkitool: not found
It looks like pkitool is in the easy-rsa directory, so I’m at a loss as to what is happening. I’m not exactly a Linux expert, so I’m hoping that you can help.
Thanks.
GeeksAndTweaks
May 14, 2013 at 1:59 AM (UTC -4) Link to this comment
Copy pkitool to /
cp pkitool ../
Jasvin
May 14, 2013 at 1:39 AM (UTC -4) Link to this comment
Hi bro, when i tried to perform following commands, i got “permission denied”
. ./easy-rsa/vars
./easy-rsa/clean-all
any solutions?
GeeksAndTweaks
May 14, 2013 at 1:57 AM (UTC -4) Link to this comment
Log on as root or
sudo su