
Secure Communications with OpenVPN on Ubuntu 12.04 (Precise) and Debian 7

OpenVPN, or Open Virtual Private Network, is a tool for creating networking tunnels between and among groups of computers that are not on the same local network. This is useful if you want to remotely access services on a local network without making them publicly accessible. By integrating with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.

Before installing OpenVPN, we assume that you have followed our Getting Started Guide. If you're new to Linux server administration you may be interested in our Using Linux document series, including the Beginner's Guide and Administration Basics Guide. If you're concerned about securing your Linode, you might be interested in our Security Basics article as well.

Note

For many private networking tasks, we suggest that you consider the functions of the OpenSSH package which can provide easier VPN and VPN-like services. OpenSSH is also installed and configured by default on all Linodes. For example, see Using SSHFS on Linux and MacOS X or our guide on Setting up an SSH Tunnel for more information. Nevertheless, if your deployment requires a more traditional VPN solution like OpenVPN, this document covers the installation and configuration of the OpenVPN software.

How OpenVPN Works

Once configured, the OpenVPN server encrypts traffic between your local computer and your Linode's local network. While all other traffic is handled in the conventional manner, the VPN allows traffic on non-public interfaces to be securely passed through your Linode. This means you can connect to the local area network in your Linode's data center. Using OpenVPN in this manner is supported by the default configuration.

This image shows the flow of information in a basic VPN environment.

With the additional configuration we will set up at the end of this guide, all traffic coming from your local computer can be tunneled through the VPN server. This can be used to circumvent local traffic restrictions, or to mask the traffic coming from your computer.

This image shows the flow of information when a VPN is used with full tunnelling.

Note

Please note that only one public IP address is required to use OpenVPN.

Installing OpenVPN

Follow these instructions to install OpenVPN:

  1. Update your package repositories with the following command:

    apt-get update
    
  2. Update your installed programs:

    apt-get upgrade
    
  3. Install the OpenVPN software with the following command:

    apt-get install openvpn
    
  4. The OpenVPN package provides a set of encryption-related tools called easy-rsa. These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. In order for OpenVPN to function properly, these scripts should be located in the /etc/openvpn/ directory. Copy these files with the following command:

    cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
    
Most of the relevant configuration for the OpenVPN public key infrastructure is contained in /etc/openvpn/easy-rsa/2.0/. We will create several files in this directory used to define the OpenVPN server and client security.

Initializing the Public Key Infrastructure (PKI)

In this section, you will initialize the certificate authority and the public key infrastructure:

  1. Move into the /etc/openvpn/easy-rsa/2.0/ directory:

    cd /etc/openvpn/easy-rsa/2.0/
    
  2. Create a symbolic link from openssl-1.0.0.cnf to openssl.cnf:

    ln -s openssl-1.0.0.cnf openssl.cnf
    
  3. Execute the vars script:

    . /etc/openvpn/easy-rsa/2.0/vars
    
    This will return "NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys".

  4. Execute the clean-all script:

    . /etc/openvpn/easy-rsa/2.0/clean-all
    
  5. Execute the build-ca script. At each prompt, fill out the information to be used in your certificate:

    . /etc/openvpn/easy-rsa/2.0/build-ca
    

After doing this, your PKI should be configured properly.

Generating Certificates and Private Keys

With the certificate authority generated, you can generate the private key for the server and certificates for all the VPN clients.

  1. Create the key with the following command:

    . /etc/openvpn/easy-rsa/2.0/build-key-server server
    
  2. You will be prompted for additional information. Change the default values as necessary. By default, the Common Name for this key will be server. The challenge password and company names are optional and can be left blank.

  3. When you've completed the question section, answer yes to both remaining prompts: first to sign the certificate, then to commit the certified certificate request.

  4. With the private keys generated, create certificates for all of your VPN clients. Issue the following command:

    . /etc/openvpn/easy-rsa/2.0/build-key client1
    
  5. Repeat the previous step for each client, replacing client1 with an appropriate identifier.

You should generate a unique key for every user of the VPN. Each key should have its own unique identifier, but all other information can remain the same. If you need to add users to your OpenVPN at any time, repeat step 4 to create additional keys.

Generating Diffie-Hellman Parameters

The Diffie-Hellman parameters govern the method of key exchange used by the OpenVPN server. By creating a .pem file, you create the parameters by which the OpenVPN server will initiate secured connections with the clients.

Issue the following command to generate the .pem file:

. /etc/openvpn/easy-rsa/2.0/build-dh

This should produce the following output:

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

This will be followed by a quantity of seemingly random output. Once it brings you back to a command prompt, the task has succeeded. It creates a file called dh1024.pem in the keys subdirectory, which will be used to negotiate secure connections with the VPN server's clients.

Relocating Secure Keys

Move all of the secure keys to their proper locations by following these instructions:

  1. The /etc/openvpn/easy-rsa/2.0/keys/ directory contains all of the keys and certificates for the server and its clients generated using the easy-rsa tools. Copy the following certificate and key files to the remote client machines, using scp or another means of transferring:

    • ca.crt
    • client1.crt
    • client1.key

    Note

    Transfer these keys with the utmost attention to security. Anyone who has the key or is able to intercept an unencrypted copy of the key will be able to gain full access to your virtual private network. Typically we recommend that you encrypt the keys for transfer, either by using a protocol like SSH, or by encrypting them with the PGP tool.

  2. On your server, change to the /etc/openvpn/easy-rsa/2.0/keys directory:

    cd /etc/openvpn/easy-rsa/2.0/keys
    
  3. Copy the keys to the /etc/openvpn directory of the server so the OpenVPN server process can access them:

    cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
    

Keeping control of these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they're encrypted and secured. If these files become compromised, they must be recreated along with all client keys.
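To make the key transfer described above verifiable, the following added script (not part of this guide's tooling, easy-rsa or OpenVPN) bundles ca.crt, client1.crt and client1.key with owner-only permissions and a SHA-256 manifest on the server, and checks the copy on the client before it is used. It assumes GNU coreutils sha256sum and absolute paths; the demo files are constructed stand-ins for real keys.

```shell
#!/bin/sh
# Package the three files a client needs (ca.crt, client1.crt, client1.key),
# lock down the private key's permissions, and ship a SHA-256 manifest so the
# receiving side can prove the copy was not altered or swapped in transit.
# Example added to this guide, not part of easy-rsa or OpenVPN; it assumes the
# keys/ directory layout described above and GNU coreutils sha256sum.

# Server side: write $client.tar.gz and $client.sha256 into $outdir.
# Both paths must be absolute. Bundle and manifest are created owner-only.
bundle_client() {   # $1 = keys dir, $2 = output dir, $3 = client name
    keysdir=$1 outdir=$2 client=$3
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -f "$keysdir/$f" ] || { echo "missing $keysdir/$f" >&2; return 1; }
    done
    chmod 0600 "$keysdir/$client.key"          # private key: owner-only
    (   umask 077                              # new files: owner-only as well
        cd "$keysdir" || exit 1
        tar -czf "$outdir/$client.tar.gz" ca.crt "$client.crt" "$client.key"
        sha256sum ca.crt "$client.crt" "$client.key" > "$outdir/$client.sha256"
    )
}

# Client side: unpack into $destdir and check each file against the manifest.
# Fails (returns 1) if the bundle is missing or any digest differs.
verify_bundle() {   # $1 = dir holding the bundle, $2 = dest dir, $3 = client name
    mkdir -p "$2" && tar -xzf "$1/$3.tar.gz" -C "$2" || return 1
    ( cd "$2" && sha256sum -c --quiet "$1/$3.sha256" ) || return 1
    chmod 0600 "$2/$3.key"                     # keep the key private on the client too
}

# Constructed demo: dummy PEM-shaped text stands in for real certificates and keys.
WORK=$(mktemp -d)
mkdir -p "$WORK/keys" "$WORK/out"
for f in ca.crt client1.crt client1.key; do
    printf '%s\n%s\n%s\n' '-----BEGIN DUMMY-----' "$f" '-----END DUMMY-----' > "$WORK/keys/$f"
done
bundle_client "$WORK/keys" "$WORK/out" client1
verify_bundle "$WORK/out" "$WORK/client" client1 && echo "client1 bundle verified"
```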

Revoking Client Certificates

If you need to remove a user's access to the VPN server, follow these instructions:

  1. Run the vars script. Note that for this script to function properly your working (current) directory must be /etc/openvpn/easy-rsa/2.0/:

    . /etc/openvpn/easy-rsa/2.0/vars
    
  2. Run the revoke-full script, substituting client1 with the name of the certificate you want to revoke:

    . /etc/openvpn/easy-rsa/2.0/revoke-full client1
    

This will revoke the ability of all users using the client1 certificate to access the VPN. Make sure you don't accidentally revoke access for someone who still needs it, and who uses that certificate.
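Before running revoke-full, and again afterwards, an administrator wants to see exactly which Common Names still hold valid certificates. The following added script (not part of easy-rsa) reads the keys/index.txt database that the build-key and revoke-full scripts maintain through OpenSSL's ca command and reports active and revoked names; the sample database is constructed. Note that revoke-full also regenerates keys/crl.pem, and the OpenVPN server only enforces that list if server.conf points at it with a crl-verify directive.

```shell
#!/bin/sh
# Audit who can still authenticate: list the Common Names recorded in the
# easy-rsa certificate database (keys/index.txt, the OpenSSL "ca" index that
# build-key appends to and revoke-full marks). Added example, not part of
# easy-rsa; the sample database below is constructed.
#
# index.txt columns, tab-separated:
#   1 status (V valid, R revoked, E expired)   2 expiry, YYMMDDHHMMSSZ
#   3 revocation date (empty unless R)         4 serial   5 file name
#   6 subject DN, e.g. /C=US/ST=CA/O=Fort-Funston/CN=client1/...

# Print the CN of every entry whose status is $2 (V, R or E), one per line.
cns_with_status() {          # $1 = path to index.txt, $2 = status letter
    awk -F'\t' -v want="$2" '
        $1 == want {
            n = split($6, rdn, "/")
            for (i = 1; i <= n; i++)
                if (rdn[i] ~ /^CN=/) print substr(rdn[i], 4)
        }' "$1"
}

# Succeed (exit 0) only if $2 still holds a valid, unrevoked certificate.
is_active() {                # $1 = path to index.txt, $2 = Common Name
    cns_with_status "$1" V | grep -qx -- "$2"
}

# Summary an administrator can run before and after revoke-full.
report() {                   # $1 = path to index.txt
    echo "active:  $(cns_with_status "$1" V | tr '\n' ' ')"
    echo "revoked: $(cns_with_status "$1" R | tr '\n' ' ')"
}

# Constructed sample: the server plus two clients, client2 revoked on 2014-02-17.
INDEX=$(mktemp)
DN='/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=%s/emailAddress=me@myhost.mydomain'
{
    printf "V\t240216120000Z\t\t01\tunknown\t$DN\n" server
    printf "V\t240216120100Z\t\t02\tunknown\t$DN\n" client1
    printf "R\t240216120200Z\t140217093000Z\t03\tunknown\t$DN\n" client2
} > "$INDEX"

report "$INDEX"
```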

Configuring Server and Client Settings

In this section, you'll create two important configuration files. One is for the server and defines the scope and settings for the VPN. The other is for your local computer, and defines the settings you will pass on to your VPN client. For each client connecting to the VPN you will need to generate a separate configuration file.

  1. Configure your server file. There's an example file in /usr/share/doc/openvpn/examples/sample-config-files which you'll use as a starting point. First, move to the /usr/share/doc/openvpn/examples/sample-config-files directory:

    cd /usr/share/doc/openvpn/examples/sample-config-files
    
  2. Unarchive the file:

    gunzip -d server.conf.gz
    
  3. Copy it to the /etc/openvpn/ directory:

    cp server.conf /etc/openvpn/
    
  4. Copy the client.conf file to your home directory:

    cp client.conf ~/
    
  5. Move to your home directory:

    cd ~/
    
  6. Open your ~/client.conf file for editing, and update the remote line to reflect the OpenVPN server's name:

    nano ~/client.conf
    

    File:~/client.conf

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    
    remote example.com 1194
    
  7. In the same file, client.conf, edit the cert and key lines to reflect the name of your key. In this example we use client1 for the file name.

    File:~/client.conf

    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca ca.crt
    cert client1.crt
    key client1.key
    
  8. Copy the ~/client.conf file to your client system.

  9. Repeat the entire key generation and distribution process for every user and every key that will connect to your network.

  10. To start the OpenVPN server, run the following command:

    service openvpn start
    

This will scan the /etc/openvpn directory on the server for files with a .conf extension. For every file that it finds, it will create and run a VPN daemon (server).

Installing Client-Side Software

The process for connecting to the VPN varies depending on the specific operating system and distribution running on the client machine. You will need to install the right OpenVPN package for your client operating system.

Most network management tools provide some facility for managing connections to a VPN. Configure connections to your OpenVPN through the same interface where you might configure wireless or ethernet connections. If you choose to install and manage OpenVPN manually, you will need to place the client1.conf file and the requisite certificate files in the local machine's /etc/openvpn directory, or equivalent location.

If you use OS X on a Mac, we have found that the Tunnelblick tool provides an easy method for managing OpenVPN connections. If you use Windows, the OpenVPN GUI tool may be an effective tool for managing your connections too. Linux desktop users can install the OpenVPN package and use the network management tools that come with the desktop environment.

Here we will go through installing Tunnelblick on OS X:

  1. Download the latest version of Tunnelblick from its website. After opening the .dmg file you can drag it into Applications, or open it immediately and it will copy itself.

  2. After starting, you will see the Tunnelblick splash screen. At the next screen click the I have configuration files button.

  3. At the next screen, click OpenVPN Configuration(s).

  4. Tunnelblick will open a Finder window into which you can copy the client.conf and the client1 ca, crt, and key files you created on the Linode and copied to this client machine. Follow the rest of the instructions shown in Tunnelblick to create and install your Tunnelblick configuration file.

Connecting to the VPN

If you are using Tunnelblick, click on the tray icon to initiate the connection. A notification will show you the status as it connects.

Accessing your Linode over the VPN

Once you're connected to your VPN, you can SSH to another Linode over the private network. If you want to access files directly from your Linode, you will need to install a compatible network file sharing protocol, like Samba, NFS, or Appletalk.

Tunneling All Connections through the VPN

By deploying the following configuration, you will be able to forward all traffic from client machines through your Linode, and encrypt it with transport layer security (TLS/SSL) between the client machine and the Linode.

  1. Uncomment the following parameter in the /etc/openvpn/server.conf file by removing the semicolon, to enable full tunneling:

    nano /etc/openvpn/server.conf
    

    File excerpt:/etc/openvpn/server.conf

    push "redirect-gateway def1 bypass-dhcp"
    
  2. Edit the /etc/sysctl.conf file to uncomment or add the following line to ensure that your system can forward IPv4 traffic:

    nano /etc/sysctl.conf
    

    File excerpt:/etc/sysctl.conf

    net.ipv4.ip_forward=1
    
  3. Issue the following command to set this variable for the current session:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    
  4. Issue the following set of commands, one line at a time, to configure iptables to properly forward traffic through the VPN:

    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT
    
  5. Add the same iptables rules to your system's /etc/rc.local file, so they will be recreated following your next reboot cycle:

    nano /etc/rc.local
    

    File excerpt:/etc/rc.local

    #!/bin/sh -e
    #
    # [...]
    #
    
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT
    
    exit 0
    

    This will enable all client traffic except for DNS queries to be forwarded through the VPN.

  6. To forward DNS traffic through the VPN, you will need to install the dnsmasq package and modify the /etc/openvpn/server.conf file. Install and configure the dnsmasq package with the following command:

    apt-get install dnsmasq && dpkg-reconfigure resolvconf
    

Note

If you are using Debian 7, replace this command with apt-get install dnsmasq resolvconf and skip steps 7 through 9.

  7. You will be presented with a series of options in an ncurses menu. First, choose yes to prepare /etc/resolv.conf for dynamic updates.

  8. At the next option select No. This means that you will need to update /etc/network/interfaces but won't need to remove the workaround afterwards.

  9. The third menu simply warns you that a reboot will be required to prevent a known bug.

  10. Modify the dnsmasq configuration so that it is not listening on a public interface. Open /etc/dnsmasq.conf for editing, and make sure the following lines are uncommented and have the appropriate values:

    nano /etc/dnsmasq.conf
    

    File excerpt:/etc/dnsmasq.conf

    listen-address=127.0.0.1,10.8.0.1

    bind-interfaces

    This will configure dnsmasq to listen on localhost and the gateway IP address of your OpenVPN's tun device.

  11. Now that dnsmasq is configured, you will need to add two new lines to /etc/network/interfaces. First, go to the Linode's Remote Access page, shown below. You'll need the IP addresses listed under DNS Resolvers for the dns-nameservers line:

    DNS resolvers in the Linode Manager.

  12. Open the interfaces file and insert the addresses listed under DNS Resolvers:

    nano /etc/network/interfaces
    

    File excerpt:/etc/network/interfaces

    # The primary network interface
    auto eth0
    iface eth0 inet dhcp

    dns-search members.linode.com
    dns-nameservers 97.107.133.4 207.192.69.4 207.192.69.5

Note

If you're not utilizing IPv6, you can omit the addresses starting with 2600:

  13. When your system boots, dnsmasq will try to start before the OpenVPN tun device has been enabled. This will cause dnsmasq to fail at boot. To rectify this, modify your /etc/rc.local file to add a line that will restart dnsmasq after all the init scripts have finished. You should place the restart command after your iptables rules:

    nano /etc/rc.local
    

    File excerpt:/etc/rc.local

    /etc/init.d/dnsmasq restart

    exit 0

  14. Add the following line to the /etc/openvpn/server.conf file:

    nano /etc/openvpn/server.conf
    

    File excerpt:/etc/openvpn/server.conf

    push "dhcp-option DNS 10.8.0.1"

  15. Restart the Linode:

    reboot
    

To test your connection, connect to the VPN from your local machine, then access one of the many websites that will display your public IP address. If the IP address displayed doesn't match the IP address of your Linode, your traffic is not being filtered through your Linode or encrypted by the VPN. If the IP matches, network traffic from your local machine is being filtered through your Linode and encrypted over the VPN, and you have successfully completed your OpenVPN setup!



This guide is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.

Last edited by Alex Fornuto on Monday, February 17th, 2014 (r4261).