Setup OpenVPN Access Server on Ubuntu Server

 

Introduction

I’m not going to spend any time talking about why you should be using a VPN, or how a VPN works. If you’re here, you know that already. If you need a refresher on the different types of VPNs, see below.

PPTP
  Pro
    • Available in most operating systems by default
  Con
    • Uses IP protocol 47 (GRE) and UDP port 1723, making it easily detectable and blockable by a firewall
    • Encryption is not strong
    • First on NSA's "to-hack" list

L2TP/IPSec
  Pro
    • Available in most operating systems by default
    • More secure than PPTP
    • No known security flaws
  Con
    • Uses UDP ports 50, 500, 1701, and 4500, making it easily detectable and blockable by a firewall
    • Slightly more overhead than OpenVPN, since traffic is passing through the tunnel and encryption in two separate steps

OpenVPN
  Pro
    • Very configurable
    • Uses open source software
    • More secure than PPTP
    • No known security flaws
    • Can use any port; setting it to TCP 443 makes it almost indistinguishable from HTTPS traffic
  Con
    • Not available in most operating systems by default, requires a third-party application
This tutorial is going to be about setting up your own OpenVPN server, using OpenVPN Access Server. OpenVPN-AS is a dead-simple way to set up OpenVPN, without editing config files via terminal or troubleshooting different settings. OpenVPN Access Server consists of three major components, wrapped into one:

    • OpenVPN Server
    • Web interface (both admin and client)
    • OpenVPN Connect client

    OpenVPN-AS allows you to install an OpenVPN server and admin/client web interface onto any server. The admin web interface will give you access to configure OpenVPN settings via a GUI. The client web interface will allow users to download client applications, and pre-configured client profiles, directly from your OpenVPN-AS server.

    For this tutorial, I’m going to be using DigitalOcean to set up a server, but you could very easily set this up in your own home behind your router (don’t forget to forward ports).

    Setup your droplet

    Create droplet

    In the DigitalOcean Control Panel:

    1. Click Create Droplet
    2. Name your droplet (e.g., webserver1, openvpn1, etc…)
    3. Select a size* (I recommend 512MB RAM with 1 CPU and size-up if needed)
    4. Select a region**
    5. Select any necessary options
    6. Select an image***
    7. Skip SSH keys for now, as we’ll set these up later.
    8. Click Create Droplet and wait 55 seconds! In a minute, you’ll have an email with your droplet’s IPv4 address and root password.

    *When selecting a droplet, keep in mind the amount of transfer allowed. If you go over your limit on the VPN, you’ll need to pay more or wait until the next month.

    **To improve load times, select a region closest to you.

    ***I chose Ubuntu 14.04 x64. Ubuntu LTS releases are supported for 5 years, as opposed to 1.5 years for regular releases.

    Create SSH keys

    Do this on each machine you’ll be using to access your droplet. Once we set up SSH key authentication, we won’t be able to log in from a machine without an SSH key (other than via the console in the Control Panel). Change the comment as necessary.

    ssh-keygen -b 4096 -t rsa -C "Logan on Arch"

    Then, cat out the newly created public key for use in the next step.

    cat ~/.ssh/id_rsa.pub

    Note – In this scenario, I’m creating multiple public/private key pairs. However, you could copy your private key onto a flash drive and use that on multiple machines, instead of having a different key pair for each machine.

    Create admin user

    Start by logging into your droplet using the information that was emailed to you.

    ssh root@xx.xx.xx.xx

    When you log in, you’ll be prompted to change the root password. You should use one of the many available password generators to create a secure password. Chances are, you won’t be logging into the root account very often, so this should be long and complex. Later on, we’re going to disable root SSH access, so you’ll only ever be able to su - to root after you’re already logged in as a standard user.

    Speaking of that, it is recommended to create a user other than root to perform most tasks. This user will have sudo access if they need temporary root privileges. Change the username as necessary and set a password for the user.

    useradd -m -G sudo,adm -s /bin/bash testuser
    passwd testuser

    This password will also need to be complex, but you’re going to be using it often.

    Setup SSH authentication

    Now, su - from root to your new account, create the .ssh directory, then paste in your public key(s). Obviously, substitute your own public key(s).

    su - testuser
    mkdir ~/.ssh
    chmod 700 ~/.ssh
    touch ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys
    cat >> ~/.ssh/authorized_keys << EOF
    ssh-rsa <paste-your-public-key-here> Logan on Arch
    EOF

    When you are done, exit back to root.

    exit

    Secure SSH

    Now, we’re going to disable root login via SSH, change the SSH port, and turn off password authentication by editing the /etc/ssh/sshd_config file. Substitute 1234 with your desired port.

    sed -i "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
    sed -i "s/Port 22/Port 1234/g" /etc/ssh/sshd_config
    sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
    service ssh restart
    exit

    Now, log in as the new user on the new port. You should not be prompted for your password here, since SSH key authentication is set up for the user named testuser.

    ssh testuser@xx.xx.xx.xx -p 1234

    If you need root access, you can su - to root, or use sudo.
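The three sed commands in this section only take effect when the line in sshd_config reads exactly as the pattern expects; a substitution that finds no match changes nothing and reports nothing, so the sane follow-up is to read the values back and validate the file before restarting sshd (and to keep the session you are in open while you test the new port from a second terminal). The shell functions below are an added example, not part of the original post: they rewrite a directive whether it is active or commented out, read back the active value, and run sshd -t on the result (as root, since sshd needs the host keys). The helper names and the sample config are mine.

```shell
#!/bin/sh
# Added example (not from the original post): change sshd_config directives
# robustly and validate the file before restarting sshd.
# Assumes GNU sed (-i -E), awk, and optionally sshd on PATH; helper names are mine.

# set_sshd_option FILE KEY VALUE
# Rewrites an existing directive whether it is active ("Port 22") or commented
# out ("#PasswordAuthentication yes"); appends "KEY VALUE" if no line matches.
# A plain "s/Port 22/Port 1234/" does nothing when the line reads differently.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY -> prints the first active (uncommented) value
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# write_sample_sshd_config FILE: a constructed stand-in for /etc/ssh/sshd_config
# showing the forms a directive can take (active, a different value, commented out)
write_sample_sshd_config() {
    printf '%s\n' 'Port 22' 'PermitRootLogin without-password' \
        '#PasswordAuthentication yes' 'UsePAM yes' > "$1"
}

# harden_sshd FILE PORT
# Backs up FILE, applies the tutorial's three settings, then validates with
# "sshd -t" when sshd is available (run as root: sshd has to read the host keys).
# On a validation failure the backup is restored and 1 is returned, so a
# later "service ssh restart" never loads a broken config.
harden_sshd() {
    file=$1; port=$2
    cp "$file" "$file.bak" || return 1
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PasswordAuthentication no
    if command -v sshd >/dev/null 2>&1 && ! sshd -t -f "$file"; then
        cp "$file.bak" "$file"
        return 1
    fi
    return 0
}

# On the server, as root:
#   harden_sshd /etc/ssh/sshd_config 1234 && service ssh restart
```

After the restart, confirm `ssh testuser@xx.xx.xx.xx -p 1234` works from a second terminal before you close the session you ran this from.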

    Update Ubuntu Server

    For security purposes, you should install any updates right away.

    sudo apt-get update && sudo apt-get upgrade

    To update the kernel, use the command below. You’ll need to then follow the instructions here to select a new kernel in the DigitalOcean Control Panel.

    sudo apt-get update && sudo apt-get dist-upgrade

    I’m also installing a few tools that I use often.

    sudo apt-get update && sudo apt-get install htop ntp rsync ufw unzip

    Setup NTP

    First, select the correct timezone.

    sudo dpkg-reconfigure tzdata

    Then, manually sync the time (only once) and start the NTP service.

    sudo ntpdate pool.ntp.org
    sudo service ntp start

    Setup firewall

    Check the status of UFW.

    sudo ufw status verbose

    Set the default state of UFW to deny incoming and allow outgoing.

    sudo ufw default deny incoming
    sudo ufw default allow outgoing

    Edit the /etc/ufw/applications.d/openssh-server file to change the SSH port from 22 to 1234 (or whatever port you used). Otherwise, you’ll lock yourself out of SSH.

    sudo sed -i "s/ports=22\/tcp/ports=1234\/tcp/g" /etc/ufw/applications.d/openssh-server

    We also need to create a UFW application entry for OpenVPN-AS.

    sudo sh -c "cat > /etc/ufw/applications.d/openvpn << EOF
    [OpenVPN]
    title=OpenVPN
    description=OpenVPN
    ports=443/tcp|1194/udp
    EOF"
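A profile that ufw cannot parse is not usable with `ufw allow`, and the heredoc above is easy to get subtly wrong. The shell functions below are an added example, not from the original post or from the ufw project: they check that a profile has a [Name] section, a title, a description and a ports line whose entries follow the port[:port][,port...]/tcp|udp form (my reading of the documented format; this checker insists on a protocol for every entry), with every port, including both ends of a range, inside 1..65535.

```shell
#!/bin/sh
# Added example (not from the original post or from ufw): check a UFW
# application profile before relying on it. Assumes the profile format
# ufw documents: a [Name] section with title=, description= and ports=,
# where ports is a '|'-separated list of port[:port][,port...]/tcp|udp
# entries (this checker requires a protocol on every entry).

# valid_ports_spec SPEC -> 0 if every entry is well formed and every port
# (including both ends of a range) is within 1..65535
valid_ports_spec() {
    spec=$1
    [ -n "$spec" ] || return 1
    old_ifs=$IFS; IFS='|'; set -- $spec; IFS=$old_ifs
    for entry in "$@"; do
        echo "$entry" | grep -Eq '^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*/(tcp|udp)$' || return 1
        for item in $(echo "${entry%/*}" | tr ',' ' '); do
            lo=${item%%:*}; hi=${item##*:}
            [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
        done
    done
    return 0
}

# check_ufw_profile FILE -> 0 if the profile has a section header, a title,
# a description and a valid ports line
check_ufw_profile() {
    file=$1
    [ -f "$file" ] || return 1
    grep -Eq '^\[[^]]+\]$' "$file" || return 1
    grep -Eq '^title=.+' "$file" || return 1
    grep -Eq '^description=.+' "$file" || return 1
    valid_ports_spec "$(sed -n 's/^ports=//p' "$file" | head -n 1)"
}

# write_openvpn_profile FILE: the profile from the tutorial, written to FILE
write_openvpn_profile() {
    printf '%s\n' '[OpenVPN]' 'title=OpenVPN' 'description=OpenVPN' \
        'ports=443/tcp|1194/udp' > "$1"
}

# On the server:
#   write_openvpn_profile /tmp/openvpn && check_ufw_profile /tmp/openvpn \
#     && sudo cp /tmp/openvpn /etc/ufw/applications.d/openvpn
```

Writing the profile to a temporary file and copying it into place only after the check passes keeps a typo from ever reaching /etc/ufw/applications.d.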

    List all of the current apps that have UFW rules.

    sudo ufw app list

    Enable OpenSSH, OpenVPN, and NTP access.

    sudo ufw allow OpenSSH
    sudo ufw allow OpenVPN
    sudo ufw allow ntp

    Finally, turn on UFW.

    sudo ufw enable

    Then, check the status again.

    sudo ufw status verbose

    Setup SWAP

    Create a swapfile to help with RAM usage. The swapfile should be equal to, or double the size of, your RAM. Here, I’m setting the swappiness to 15.

    sudo fallocate -l 2G /swapfile
    sudo chmod 600 /swapfile
    sudo chown root:root /swapfile 
    sudo mkswap /swapfile
    sudo swapon /swapfile
    sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'
    sudo sysctl -w vm.swappiness=15
    sudo sh -c 'echo "vm.swappiness = 15" >> /etc/sysctl.conf'  # append; a single ">" would overwrite the whole file
    sudo reboot

    Setup OpenVPN Access Server

    Install packages

    Select your OpenVPN Access Server package. Here, I’m using the Ubuntu 14 x64 package.

    cd ~
    sudo wget http://swupdate.openvpn.org/as/openvpn-as-2.0.20-Ubuntu14.amd_64.deb
    sudo dpkg -i openvpn-as-2.0.20-Ubuntu14.amd_64.deb
    sudo rm openvpn-as-2.0.20-Ubuntu14.amd_64.deb
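The package above is fetched over plain HTTP and handed straight to dpkg, with nothing checking that what arrived is what the vendor published. The snippet below is an added example, not from the original post or from OpenVPN: it verifies the download against a SHA-256 digest you obtained separately (from the vendor's release page, over HTTPS) before installing, and installs nothing on a mismatch. The digest constant is a placeholder, not a real checksum for any release; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenVPN): verify a
# downloaded .deb against a SHA-256 digest obtained out of band before
# installing it. EXPECTED_SHA256 below is a PLACEHOLDER, not a real digest
# for any OpenVPN Access Server release; function names are mine.

EXPECTED_SHA256='0000000000000000000000000000000000000000000000000000000000000000'  # placeholder

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum on BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_download FILE EXPECTED -> 0 when the digest matches, 1 otherwise
# (a missing file, an empty digest and a wrong digest all fail closed)
verify_download() {
    [ -f "$1" ] && [ -n "$2" ] || return 1
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# fetch_and_install URL EXPECTED: download, verify, install. The package is
# deleted afterwards either way, and nothing is installed on a mismatch.
fetch_and_install() {
    url=$1; expected=$2; pkg=$(basename "$url")
    wget -q -O "$pkg" "$url" || return 1
    if verify_download "$pkg" "$expected"; then
        sudo dpkg -i "$pkg"; rc=$?
    else
        echo "SHA-256 mismatch for $pkg; not installing" >&2
        rc=1
    fi
    rm -f "$pkg"
    return "$rc"
}

# Example call with the tutorial's URL; the digest must come from a trusted
# source, not from this script:
#   fetch_and_install http://swupdate.openvpn.org/as/openvpn-as-2.0.20-Ubuntu14.amd_64.deb "$EXPECTED_SHA256"
```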

    When the setup is completed, you should make note of the two addresses provided.

    Admin: https://server_name_or_IP_here:943/admin
    Client: https://server_name_or_IP_here:943/

    Change default password

    By default, the OpenVPN-AS package creates an admin user called openvpn. We need to start by changing the password for this user.

    sudo passwd openvpn

    Create VPN users

    You’ll want to create a different VPN user, since openvpn is the admin user. This new user won’t ever SSH to your server, but will need to exist to use OpenVPN-AS.

    sudo useradd vpntest
    sudo passwd vpntest

    Configure OpenVPN server

    Use the admin address to log in to the console. You’ll receive a warning that the connection is not secure. That’s OK, since OpenVPN-AS created a self-signed certificate upon setup.

    [Screenshot: 20150811_002]

    Once you’re logged in, accept the terms of the license to be greeted by the admin web interface.

    [Screenshot: 20150811_003]

    Feel free to change any settings in here (e.g., users, ports, IPs, etc…). However, remember that you’ll need to issue new configs to your clients every time you change a setting in the admin web interface.

    Configure OpenVPN client

    OpenVPN-AS makes client connections dead-simple. Visit the client address from a client device (e.g., laptop, phone, etc.) and log in with the client username/password. Depending on the type of device you’re using (e.g., Windows, Mac, Linux, Android, iOS), you’ll have the option to download an OpenVPN client and profile directly from your OpenVPN-AS server.

    [Screenshot: 20150811_001]

    Android setup

    Start by logging into the client web interface on your Android phone.

    [Screenshot: 20150811_004]

    When prompted, download the OpenVPN Connect for Android app.

    [Screenshot: 20150811_005]

    Once completed, download the profile for yourself (user-locked profile).

    [Screenshot: 20150811_005]

    Once completed, tap on the profile to import it into the OpenVPN Connect app.

    [Screenshot: 20150811_006]

    Sign in with your username/password and tap Connect to establish a connection.

    [Screenshot: 20150811_007]

    Verify your connection on the next screen.

    [Screenshot: 20150811_007]

    Linux setup

    Linux setup is easier than Android. Start by installing the OpenVPN package for your distribution.

    sudo pacman -S openvpn

    Next, log in to the client web interface in your browser to download the profile for yourself (user-locked profile).

    [Screenshot: 20150811_001]

    Finally, start OpenVPN with your config, as shown below.

    sudo openvpn --config client.ovpn
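Before handing a downloaded profile to openvpn, it is worth confirming where it will connect and that it actually checks the server's certificate. The shell functions below are an added example, not from the original post or from OpenVPN-AS: they list every remote with its port and protocol (falling back to OpenVPN's default port 1194 and the profile's proto line, or udp, when omitted) and return non-zero when the profile carries neither remote-cert-tls server nor verify-x509-name. The directive names are standard OpenVPN options; the sample profile and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenVPN-AS): inspect a
# downloaded .ovpn profile before connecting with it. Directive names are
# standard OpenVPN options; the sample profile is constructed and the helper
# names are mine.

# ovpn_remotes FILE -> one "host port proto" line per remote directive.
# A missing port falls back to OpenVPN's default 1194; a missing protocol
# falls back to the profile's proto line, or udp if there is none.
ovpn_remotes() {
    awk '
        $1 == "proto"  { def = $2 }
        $1 == "remote" { n++; h[n] = $2; p[n] = ($3 == "" ? "1194" : $3); pr[n] = $4 }
        END {
            if (def == "") def = "udp"
            for (i = 1; i <= n; i++) print h[i], p[i], (pr[i] == "" ? def : pr[i])
        }' "$1"
}

# ovpn_remote_count FILE -> number of remote directives
ovpn_remote_count() {
    ovpn_remotes "$1" | wc -l | tr -d ' '
}

# ovpn_has_directive FILE NAME -> 0 if some line starts with NAME
ovpn_has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# ovpn_check FILE: print where the profile connects and how it authenticates.
# Returns 0 only if the profile verifies the server certificate's role or
# name (remote-cert-tls server / verify-x509-name); without one of these,
# any certificate issued by the same CA would be accepted as the server.
ovpn_check() {
    file=$1; ok=0
    ovpn_remotes "$file" | while read -r host port proto; do
        echo "remote: $host port $port over $proto"
    done
    if ovpn_has_directive "$file" remote-cert-tls || ovpn_has_directive "$file" verify-x509-name; then
        echo "server certificate is checked"
    else
        echo "WARNING: no remote-cert-tls/verify-x509-name in $file" >&2
        ok=1
    fi
    if ovpn_has_directive "$file" auth-user-pass; then
        echo "prompts for username/password (user-locked profile)"
    fi
    return "$ok"
}

# write_sample_ovpn FILE: a constructed profile shaped like an Access Server
# user-locked profile (two remotes, certificate check, inline CA block)
write_sample_ovpn() {
    printf '%s\n' 'client' 'dev tun' 'proto udp' \
        'remote vpn.example.invalid 1194 udp' 'remote vpn.example.invalid 443 tcp' \
        'remote-cert-tls server' 'auth-user-pass' \
        '<ca>' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
        '-----END CERTIFICATE-----' '</ca>' > "$1"
}

# Usage: ovpn_check client.ovpn && sudo openvpn --config client.ovpn
```

If the remote printed is not the address of your own OpenVPN-AS server, or the warning appears, do not connect with that profile; download a fresh one from the client web interface and compare.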

     

    Did you set up your server differently? If so, let me know!

    -Logan

    9 thoughts on “Setup OpenVPN Access Server on Ubuntu Server”

    1. It looks very good!
      Can I try this tutorial on a virtual machine?
      I need to configure the network on bridge, right?

    2. This is a great tutorial. I followed it on my VPS and it worked. I was able to see my LAN and everything.
      Thank you so much

    3. Thanks for posting this awesome article. I’m a long time reader but I’ve never
      been compelled to leave a comment. I subscribed to your blog
      and shared this on my Twitter. Thanks again for this
      great post!
