OpenVPN
Server Side
sudo apt install openvpn
To know more about it:
sudo apt info openvpn
Installing OpenVPN is easy, but configuring it is very challenging, and that's why the OpenVPN org provides us with an installer script; afterwards we can go ahead and make our own changes.
wget https://git.io/vpn -O openvpn.sh
Now let’s start the script:
chmod +x openvpn.sh
You need root privileges to install:
sudo ./openvpn.sh
Welcome to this OpenVPN road warrior installer!
Which IPv4 address should be used?
1) 192.168.1.5
2) 172.16.1.100
3) 10.1.0.3
IPv4 address [1]: 1
This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [Your-Public-IP]: 192.168.1.5
Which protocol should OpenVPN use?
1) UDP (recommended)
2) TCP
Protocol [1]:
What port should OpenVPN listen to?
Port [1194]:
Select a DNS server for the clients:
1) Current system resolvers
2) Google
3) 1.1.1.1
4) OpenDNS
5) Quad9
6) AdGuard
DNS server [1]: 2
Enter a name for the first client:
Name [client]: touk
OpenVPN installation is ready to begin.
Press any key to continue...
If you want to add more users, you have to run the script again.
The needed port 1194 is added to iptables automatically. If you are running UFW you won't see the rule there, and even if you create one in UFW it won't take precedence.
touk@ubuntu-server:~$ sudo iptables-save
# Generated by iptables-save v1.8.7 on Sun Sep 3 15:12:53 2023
*filter
:INPUT ACCEPT [71668:7983516]
:FORWARD ACCEPT [12272:2751669]
:OUTPUT ACCEPT [106599:9084589]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
COMMIT
# Completed on Sun Sep 3 15:12:53 2023
# Generated by iptables-save v1.8.7 on Sun Sep 3 15:12:53 2023
*nat
:PREROUTING ACCEPT [2110:172636]
:INPUT ACCEPT [469:63316]
:OUTPUT ACCEPT [322:28589]
:POSTROUTING ACCEPT [232:22084]
-A POSTROUTING -o ens33 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.168.1.5
COMMIT
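Because the installer writes these rules straight into iptables rather than UFW, it is worth having a check that reads an iptables-save dump and confirms the three rules the server depends on are present. The script below is an added example, not part of the original page or of the installer; the port, protocol and VPN subnet are passed as arguments, and the embedded dump is a constructed sample modelled on the output above.

```shell
#!/bin/sh
# Added example (not from the original page): check an iptables-save dump for the
# rules the installer is expected to add: the listening port accepted in INPUT,
# forwarding for the VPN subnet, and NAT for the VPN subnet.
# The dump is passed as a string so the check also works on a saved copy.

# Constructed sample, modelled on the iptables-save output shown above.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o ens33 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.168.1.5
COMMIT'

# has_rule DUMP FIXED_STRING -> true if some line of DUMP contains the string
has_rule() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# vpn_firewall_check DUMP PORT PROTO SUBNET
# Prints one line per check; returns the number of missing rules (0 = all present).
vpn_firewall_check() {
    local dump=$1 port=$2 proto=$3 subnet=$4 missing=0
    if has_rule "$dump" "-A INPUT -p $proto -m $proto --dport $port -j ACCEPT"; then
        echo "ok: INPUT accepts $proto/$port"
    else
        echo "MISSING: no INPUT rule accepting $proto/$port (clients cannot reach the server)"
        missing=$((missing + 1))
    fi
    if has_rule "$dump" "-A FORWARD -s $subnet -j ACCEPT"; then
        echo "ok: FORWARD allows traffic from $subnet"
    else
        echo "MISSING: no FORWARD rule for $subnet (clients get a tunnel but no routing)"
        missing=$((missing + 1))
    fi
    if has_rule "$dump" "-A POSTROUTING -s $subnet"; then
        echo "ok: POSTROUTING translates $subnet"
    else
        echo "MISSING: no NAT rule for $subnet (client traffic leaves with a private source address)"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Demo run against the constructed sample. On the real server use:
#   vpn_firewall_check "$(sudo iptables-save)" 1194 udp 10.8.0.0/24
vpn_firewall_check "$SAMPLE_RULES" 1194 udp 10.8.0.0/24
```

The return code is the number of missing rules, so the function drops straight into a cron job or a health check; compare its output with `sudo ufw status` to see that UFW knows nothing about these rules.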
If you want to check its status: since the OpenVPN package ships both the server and the client units, we have to specify the instance in the service name like this:
sudo systemctl status openvpn-server@server
touk@ubuntu-server:~$ sudo systemctl status openvpn-server@server
● openvpn-server@server.service - OpenVPN service for server
Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2023-09-03 15:09:50 UTC; 5min ago
Docs: man:openvpn(8)
<https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage>
<https://community.openvpn.net/openvpn/wiki/HOWTO>
Main PID: 68439 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 4516)
Memory: 1.8M
CPU: 21ms
CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
└─68439 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config serve>
Sep 03 15:09:50 ubuntu-server openvpn[68439]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sep 03 15:09:50 ubuntu-server openvpn[68439]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Sep 03 15:09:50 ubuntu-server openvpn[68439]: UDPv4 link local (bound): [AF_INET]192.168.1.5:1194
Sep 03 15:09:50 ubuntu-server openvpn[68439]: UDPv4 link remote: [AF_UNSPEC]
Sep 03 15:09:50 ubuntu-server openvpn[68439]: GID set to nogroup
Sep 03 15:09:50 ubuntu-server openvpn[68439]: UID set to nobody
Sep 03 15:09:50 ubuntu-server openvpn[68439]: MULTI: multi_init called, r=256 v=256
Sep 03 15:09:50 ubuntu-server openvpn[68439]: IFCONFIG POOL IPv4: base=10.8.0.2 size=253
Sep 03 15:09:50 ubuntu-server openvpn[68439]: IFCONFIG POOL LIST
Sep 03 15:09:50 ubuntu-server openvpn[68439]: Initialization Sequence Completed
Or you can spot it from the interfaces in your system:
touk@ubuntu-server:~$ ip -br addr
lo UNKNOWN 127.0.0.1/8 ::1/128
ens33 UNKNOWN 192.168.1.5/24 fe80::20c:29ff:fee7:1332/64
ens37 UNKNOWN 172.16.1.100/24 fe80::20c:29ff:fee7:133c/64
ens38 UNKNOWN 10.1.0.3/24 metric 100 fe80::20c:29ff:fee7:1346/64
tun0 UNKNOWN 10.8.0.1/24 fe80::1f3:c228:ffc5:4b1b/64
If you want to change anything, you can do that inside the file /etc/openvpn/server/openvpn.conf
local 192.168.1.5
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "block-outside-dns"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
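Before editing that file it helps to know which of its lines actually matter for security: the tls-crypt wrapper on the control channel, the drop to nobody:nogroup, the CRL check for revoked clients, and the data-channel cipher (with OpenVPN 2.4+ the `cipher` line is only the fallback; `data-ciphers` is what pins the AEAD ciphers). The audit below is an added example, not part of the page or of the installer script; it reads any config path you give it, and the sample it writes to a temp file is constructed from the config shown above.

```shell
#!/bin/sh
# Added example, not from the original page or the installer script: audit an
# OpenVPN server config for the settings a defender cares about.

# Constructed sample, built from the server config shown above.
write_sample_conf() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
local 192.168.1.5
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "block-outside-dns"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
EOF
    printf '%s\n' "$f"
}

# has_directive FILE ERE -> true if an uncommented line starts with ERE
has_directive() {
    grep -qE "^[[:space:]]*$2" "$1"
}

# audit_openvpn_conf FILE: prints one finding per check, returns the number of warnings
audit_openvpn_conf() {
    local conf=$1 warnings=0
    if has_directive "$conf" 'tls-(crypt|auth) '; then
        echo "ok: control channel wrapped with tls-crypt/tls-auth"
    else
        echo "WARN: no tls-crypt/tls-auth; the server answers TLS handshakes from any peer"
        warnings=$((warnings + 1))
    fi
    if has_directive "$conf" 'user nobody' && has_directive "$conf" 'group nogroup'; then
        echo "ok: daemon drops privileges to nobody:nogroup"
    else
        echo "WARN: no user/group directives; the daemon keeps running as root"
        warnings=$((warnings + 1))
    fi
    if has_directive "$conf" 'crl-verify '; then
        echo "ok: revoked client certificates are rejected (crl-verify)"
    else
        echo "WARN: no crl-verify; a revoked client profile still connects"
        warnings=$((warnings + 1))
    fi
    if has_directive "$conf" 'cipher [A-Z0-9-]*-CBC' && ! has_directive "$conf" 'data-ciphers '; then
        echo "WARN: cipher ...-CBC is only the legacy fallback; add 'data-ciphers AES-256-GCM:AES-128-GCM'"
        warnings=$((warnings + 1))
    else
        echo "ok: data-channel cipher is AEAD or pinned with data-ciphers"
    fi
    if has_directive "$conf" 'duplicate-cn'; then
        echo "WARN: duplicate-cn lets one client profile be shared by many devices"
        warnings=$((warnings + 1))
    fi
    return "$warnings"
}

# Demo run against the constructed sample. On the server use:
#   audit_openvpn_conf /etc/openvpn/server/openvpn.conf
sample=$(write_sample_conf)
audit_openvpn_conf "$sample" || echo "$? warning(s)"
rm -f "$sample"
```

Run against the page's config the only warning is the CBC fallback; appending a `data-ciphers` line clears it, and the return code makes the audit usable from a deployment script.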
Client Side
sudo apt install openvpn
It was already installed, because this package comes with the distro installation.
I need to get the server's certificate onto my client machine; I already generated a client profile when I did the installation.
It dropped it inside /root (-_-), because I ran the script with sudo, which is necessary.
touk@ubuntu-server:~$ sudo ls /root
[sudo] password for touk:
snap touk.ovpn
I am going to copy it from one machine to the other; you can also use scp.
The OpenVPN client service expects the file to end in .conf, so I will rename it:
mv touk.ovpn touk.conf
Let's move it into the client config directory:
touk@k8snode:~$ ls /etc/openvpn/client/
touk@k8snode:~$ sudo mv touk.conf /etc/openvpn/client/
touk@k8snode:~$ ls /etc/openvpn/client/
touk.conf
Now let’s connect over the VPN!
sudo openvpn --config /etc/openvpn/client/touk.conf
And it will run!
You can see that it created a virtual tunnel interface:
touk@k8snode:~$ ip -br addr | grep tu
tun0 UNKNOWN 10.8.0.2/24 fe80::3057:e82d:7a60:cb14/64
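The manual steps above (rename .ovpn to .conf, move it under /etc/openvpn/client/) leave out two things a practitioner wants: a check that the file really is a complete client profile, and tight permissions, because the profile embeds the client's private key and tls-crypt key. The script below is an added example, not part of the original page; the destination directory is an argument, the profile it writes is a constructed sample with placeholder PEM blocks, and the unit name openvpn-client@NAME for files under /etc/openvpn/client/ is the Debian/Ubuntu packaging convention.

```shell
#!/bin/sh
# Added example, not from the original page: install a generated client profile
# the way the manual steps do, plus validation and permission lock-down.

# Constructed sample profile; the PEM blocks are placeholders, not real keys.
write_sample_profile() {
    local f=$1
    cat > "$f" <<'EOF'
client
dev tun
proto udp
remote 192.168.1.5 1194
resolv-retry infinite
nobind
remote-cert-tls server
auth SHA512
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TC-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# profile_is_valid FILE -> true if the directives a client profile needs are present
profile_is_valid() {
    local f=$1 d
    for d in '^client$' '^remote ' '^<ca>$' '^<cert>$' '^<key>$'; do
        grep -qE "$d" "$f" || { echo "missing: $d" >&2; return 1; }
    done
    grep -qE '^(tls-crypt|tls-auth|<tls-crypt>|<tls-auth>)' "$f" ||
        echo "note: profile has no tls-crypt/tls-auth; control channel is unwrapped" >&2
}

# install_client_profile SRC.ovpn DESTDIR -> prints the installed path
install_client_profile() {
    local src=$1 destdir=$2 name dest
    profile_is_valid "$src" || return 1
    name=$(basename "$src" .ovpn)
    dest="$destdir/$name.conf"          # the client unit expects a .conf name
    mkdir -p "$destdir"
    cp "$src" "$dest"
    chmod 600 "$dest"                    # the file holds a private key
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dest"
    fi
    printf '%s\n' "$dest"
}

# Demo in a temporary directory. On a real client, as root:
#   install_client_profile ~/touk.ovpn /etc/openvpn/client
# then: openvpn --config /etc/openvpn/client/touk.conf
tmp=$(mktemp -d)
write_sample_profile "$tmp/touk.ovpn"
installed=$(install_client_profile "$tmp/touk.ovpn" "$tmp/client")
echo "installed $installed ($(ls -l "$installed" | cut -c1-10))"
```

A profile that lacks `client`, `remote` or one of the embedded blocks is rejected before anything is copied, so a half-transferred file never ends up in the config directory.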
10.8.0.0/24 is the default address range for OpenVPN clients.
Logging is turned off by default; you turn it on in the client config file, and then you can view the log inside /var/log/openvpn.
Or, since it is turned off, I can use the great journalctl:
sudo journalctl -xeu openvpn@client
-xe: extended info, jumping to the end of the log if it doesn't fit the terminal
-u: specify which service (unit)
Always-on OpenVPN (run the client as a service):
sudo cp /etc/openvpn/client/touk.conf /etc/openvpn/client.conf
sudo systemctl start openvpn@client
VPN Server IP Address
touk@ubuntu-server:~$ ip -br addr | grep tu
tun0 UNKNOWN 10.8.0.1/24 fe80::1f3:c228:ffc5:4b1b/64
touk@k8snode:/var/log/openvpn$ ip -br addr | grep tu
tun0 UNKNOWN 10.8.0.2/24 fe80::3057:e82d:7a60:cb14/64
touk@k8snode:/var/log/openvpn$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=2.05 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=5.35 ms
^C
--- 10.8.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 2.049/3.701/5.354/1.652 ms
VOILAA! Everything is working