am a new Ubuntu Linux server user. How do I setup an OpenVPN Server on Ubuntu Linux version 18.04/20.04 LTS or 20.10 server to shield my browsing activity from bad guys on public Wi-Fi, and more?
OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is an open source software and distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as wifi network at the airport or hotel. VPN is also required to access your corporate or enterprise or home server resources. You can bypass geo-blocked site and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Ubuntu Linux 18.04/20.04 LTS (20.10) version including ufw/iptables firewall configuration. The steps are as follows:
- Find and note down your public IP address
- Download openvpn-install.sh script
- Run openvpn-install.sh to install OpenVPN server
Find your public IP address:
$ ip addr show eth0
OR
$ ip addr show eth1
$ ip a
[root@radius ~]# ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000link/ether 74:56:3c:37:b4:2c brd ff:ff:ff:ff:ff:ffinet 192.168.33.6/24 brd 192.168.33.255 scope global noprefixroute enp5s0valid_lft forever preferred_lft foreverinet 59.152.XXX.XXX/29 brd 59.152.107.151 scope global noprefixroute enp5s0valid_lft forever preferred_lft foreverinet 192.168.33.7/24 brd 192.168.33.255 scope global secondary noprefixroute enp5s0valid_lft forever preferred_lft forever3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100link/noneinet 10.8.0.1/24 brd 10.8.0.255 scope global tun0valid_lft forever preferred_lft foreverinet6 fe80::334f:6f01:66fc:20b6/64 scope link stable-privacyvalid_lft forever preferred_lft forever[root@radius ~]#
59.152.XXX.XXX/29
Download openvpn-install.sh script to set up OpenVPN server in 5 minutes on Ubuntu
Type the following wget command or curl command:$ wget https://git.io/vpn -O openvpn-install.sh
wget grabbing the script:
[root@radius ~]# wget https://git.io/vpn -O openvpn-install.sh--2024-01-03 06:04:21-- https://git.io/vpnResolving git.io (git.io)... 140.82.114.21Connecting to git.io (git.io)|140.82.114.21|:443... connected.HTTP request sent, awaiting response... 301 Moved PermanentlyLocation: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]--2024-01-03 06:04:23-- https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.shResolving raw.github.com (raw.github.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...Connecting to raw.github.com (raw.github.com)|185.199.108.133|:443... connected.HTTP request sent, awaiting response... 301 Moved PermanentlyLocation: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]--2024-01-03 06:04:23-- https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.shResolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.111.133, ...Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.HTTP request sent, awaiting response... 200 OKLength: 23714 (23K) [text/plain]Saving to: ‘openvpn-install.sh’openvpn-install.sh 100%[========================================================================================================================================>] 23.16K --.-KB/s in 0.008s2024-01-03 06:04:24 (2.69 MB/s) - ‘openvpn-install.sh’ saved [23714/23714][root@radius ~]#
We can verify script using a text editor such as nano command or vim command:$ vi openvpn-install.sh
Running openvpn-install.sh to install OpenVPN server
Type the following command:$ sudo chmod +x openvpn-install.sh
$ sudo bash openvpn-install.sh
Make sure you provide needed information:
[root@radius ~]# ./openvpn-install.sh
Welcome to this OpenVPN road warrior installer!
Which IPv4 address should be used?
1) 192.168.33.6
2) 59.152.107.147
3) 192.168.33.7
IPv4 address [1]: 2
Which protocol should OpenVPN use?
1) UDP (recommended)
2) TCP
Protocol [1]: 1
What port should OpenVPN listen to?
Port [1194]: 1194
Select a DNS server for the clients:
1) Current system resolvers
2) Google
3) 1.1.1.1
4) OpenDNS
5) Quad9
6) AdGuard
DNS server [1]: 3
Enter a name for the first client:
Name [client]: nextgen
OpenVPN installation is ready to begin.
Press any key to continue...
Notice------'init-pki' complete; you may now create a CA or requests.Your newly created PKI dir is:* /etc/openvpn/server/easy-rsa/pkiUsing Easy-RSA configuration:* undefinedNo Easy-RSA 'vars' configuration file exists!Using SSL:* openssl OpenSSL 1.1.1k FIPS 25 Mar 2021.................................+++++..........+++++Notice------CA creation complete. Your new CA certificate is at:* /etc/openvpn/server/easy-rsa/pki/ca.crtNo Easy-RSA 'vars' configuration file exists!Using SSL:* openssl OpenSSL 1.1.1k FIPS 25 Mar 2021Generating a RSA private key.......................+++++.....................................................................................................................+++++writing new private key to '/etc/openvpn/server/easy-rsa/pki/44ea2e7f/temp.1.1'-----Notice------Private-Key and Public-Certificate-Request files created.Your files are:* req: /etc/openvpn/server/easy-rsa/pki/reqs/server.req* key: /etc/openvpn/server/easy-rsa/pki/private/server.keyUsing configuration from /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName :ASN.1 12:'server'Certificate is to be certified until Dec 31 11:06:09 2033 GMT (3650 days)Write out database with 1 new entriesData Base UpdatedNotice------Certificate created at:* /etc/openvpn/server/easy-rsa/pki/issued/server.crtNotice------Inline file created:* /etc/openvpn/server/easy-rsa/pki/inline/server.inlineNo Easy-RSA 'vars' configuration file exists!Using SSL:* openssl OpenSSL 1.1.1k FIPS 25 Mar 2021Generating a RSA private key..............................................................................................................+++++.....................+++++writing new private key to '/etc/openvpn/server/easy-rsa/pki/7b06327f/temp.1.1'-----Notice------Private-Key and Public-Certificate-Request files created.Your files are:* req: /etc/openvpn/server/easy-rsa/pki/reqs/nextgen.req* key: /etc/openvpn/server/easy-rsa/pki/private/nextgen.keyUsing configuration from /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName :ASN.1 12:'nextgen'Certificate is to be certified until Dec 31 11:06:10 2033 GMT (3650 days)Write out database with 1 new entriesData Base UpdatedNotice------Certificate created at:* /etc/openvpn/server/easy-rsa/pki/issued/nextgen.crtNotice------Inline file created:* /etc/openvpn/server/easy-rsa/pki/inline/nextgen.inlineNo Easy-RSA 'vars' configuration file exists!Using SSL:* openssl OpenSSL 1.1.1k FIPS 25 Mar 2021Using configuration from /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnfNotice------An updated CRL has been created:* /etc/openvpn/server/easy-rsa/pki/crl.pemCreated symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service → /etc/systemd/system/openvpn-iptables.service.Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /usr/lib/systemd/system/openvpn-server@.service.Finished!The client configuration is available in: /root/nextgen.ovpnNew clients can be added by running this script again.[root@radius ~]#
Start/stop/restart OpenVPN server on Centos 8
Run the following systemctl command to stop the OpenVPN service:$ sudo systemctl stop openvpn-server@server.service
Want to start it again? Try:$ sudo systemctl start openvpn-server@server.service
The command to restart the OpenVPN service:$ sudo systemctl restart openvpn-server@server.service
View status of your OpenVPN systemd based service:$ sudo systemctl status openvpn-server@server.service
● openvpn-server@server.service - OpenVPN service for server
Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2024-01-03 06:06:10 EST; 25min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 16020 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 47953)
Memory: 1.2M
CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
└─16020 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config server.conf
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: 59.152.105.235:64346 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: 59.152.105.235:64346 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: 59.152.105.235:64346 [nextgen] Peer Connection Initiated with [AF_INET]59.152.105.235:64346
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 MULTI: Learn: 10.8.0.2 -> nextgen/59.152.105.235:64346
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 MULTI: primary virtual IP for nextgen/59.152.105.235:64346: 10.8.0.2
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 PUSH: Received control message: 'PUSH_REQUEST'
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 SENT CONTROL [nextgen]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,block-outside-dns,route-gateway >
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
0 $type={blogger}:
Post a Comment