How to install/setup a VPN server on Ubuntu 20.04


As we learned in our previous article, What is VPN and why it is used, a VPN is a virtual private network that lets a user connect securely to a remote network. For example, offices and universities have their own private networks, and some services are reachable only from within that network; people who are not on the premises use a VPN to connect to it.

A VPN works by tunneling traffic point-to-point between a client and a server, so it follows a client-server architecture.

VPN server installation

For the VPN server installation, we will use the OpenVPN installation script.

OpenVPN uses the Secure Sockets Layer (SSL/TLS) protocol to encrypt the data, and pre-shared keys, a username/password or certificates to authenticate the VPN client.

Use the following command to download the OpenVPN installation script:

wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh

After running the above command we have the script file; first make it executable with the following command:

chmod +x openvpn-install.sh

Now run the script to install the OpenVPN server:

./openvpn-install.sh

The code section below is the output of the running script. It asks a few questions; answer them according to your setup.

root@server-foreman:/# ./openvpn-install.sh 
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 192.168.122.201

It seems this server is behind NAT. What is its public IPv4 address or hostname?
We need it for the clients to connect to the server.
Public IPv4 address or hostname: 77.191.46.85

Checking for IPv6 connectivity...

Your host does not appear to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n

What port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 1

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 1

What DNS resolvers do you want to use with the VPN?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Anycast: worldwide)
   12) NextDNS (Anycast: worldwide)
   13) Custom
DNS [1-12]: 11

Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...

The code section above shows only the part of the script that asks the questions related to the OpenVPN server. The section below shows the client setup questions asked during the same script run.

 Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: foofunc1

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1  11 Sep 2018
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-7384.9lWIqc/tmp.hJqGoL'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-7384.9lWIqc/tmp.qeMquS
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'foofunc1'
Certificate is to be certified until Dec 18 20:31:30 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Client foofunc1 added.

The configuration file has been written to /root/foofunc1.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
root@server-foreman:/# 

Use the following commands to check the status of the OpenVPN service and to restart it:

sudo service openvpn status
sudo service openvpn restart

You can also run the following command to check that the server is listening on its port:

root@server-foreman:/# ss -tupln|grep openvpn
udp UNCONN 0 0 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=7235,fd=9))
root@server-foreman:/#

Networking configuration: Allow NATing

Use the How to do Network address translation (NAT) in Linux article to understand the NAT concepts used below.

Enable IP forwarding

You can use the sysctl command with the -w option to enable IP forwarding. See the following command:

sysctl -w net.ipv4.ip_forward=1

The above change is not persistent; it lasts only until reboot. To make it survive a reboot, edit the /etc/sysctl.conf file and uncomment or add the following line:

net.ipv4.ip_forward=1

IP table configuration for NAT

The following commands set up the IP routing from the private network to the public network and back. In this example eth0 is the public interface and eth1 is the interface toward the VPN clients; adjust the names to your setup.

# Rewrite the source address of traffic leaving the public interface to the server's own address
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow replies from the public side back to connections that the private side opened
/sbin/iptables -I FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from the private side out to the public side
/sbin/iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT

Firewall configuration

Ubuntu 20.04 runs a firewall service (ufw). Therefore, you need to allow OpenVPN traffic through the firewall, which you can do by running the following command:

sudo ufw allow to any port openvpn

See the screenshot of the firewall entries, where you can see that the above command allowed traffic to port 1194, on which the OpenVPN server is running.
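As an added example (not part of the original article), the following bash functions put the post-install check and the NAT steps above into reusable, idempotent form: the ss output check from earlier, the persistent ip_forward setting, and the three iptables rules added only when missing. The interface names eth0 (public side) and tun0 (OpenVPN's default "dev tun" device, in place of the article's eth1) are assumptions, and the ss line used for testing is constructed from the article's output.

```bash
#!/usr/bin/env bash
# Added example for the OpenVPN server setup above (not the article's own code).
# Assumptions: public interface eth0, tunnel device tun0 (OpenVPN's default
# "dev tun"), UDP port 1194 as chosen in the installer transcript.

# Check `ss -tupln` output (passed in as a string so it can be tested offline)
# for an openvpn process bound to the expected UDP port. Exit status 0 if found.
openvpn_is_listening() {
  local ss_output="$1" port="${2:-1194}"
  printf '%s\n' "$ss_output" |
    grep -Eq "^udp[[:space:]]+UNCONN.*:${port}[[:space:]].*\"openvpn\""
}

# Make net.ipv4.ip_forward=1 persistent in a sysctl config file. Idempotent:
# an already-active line is left alone, a commented-out one is uncommented,
# otherwise the setting is appended.
persist_ip_forward() {
  local conf="$1" tmp
  if grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$conf"; then
    return 0
  fi
  if grep -Eq '^[[:space:]]*#[[:space:]]*net\.ipv4\.ip_forward' "$conf"; then
    tmp=$(mktemp)
    sed -E 's/^[[:space:]]*#[[:space:]]*net\.ipv4\.ip_forward.*$/net.ipv4.ip_forward=1/' \
      "$conf" > "$tmp" && mv "$tmp" "$conf"
  else
    printf 'net.ipv4.ip_forward=1\n' >> "$conf"
  fi
}

# Add one iptables rule only if it is not already present (-C checks, -A adds),
# so re-running after a reboot or a retry does not duplicate rules.
iptables_ensure() {
  local table="$1" chain="$2"; shift 2
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
    iptables -t "$table" -A "$chain" "$@"
}

# The three NAT/forwarding rules from the article: masquerade out of the public
# side, allow replies back to the tunnel, allow tunnel traffic out.
apply_nat_rules() {
  local wan="${1:-eth0}" vpn="${2:-tun0}"
  iptables_ensure nat POSTROUTING -o "$wan" -j MASQUERADE
  iptables_ensure filter FORWARD -i "$wan" -o "$vpn" -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables_ensure filter FORWARD -i "$vpn" -o "$wan" -j ACCEPT
}
```

Source the file as root after the installer finishes and call `persist_ip_forward /etc/sysctl.conf` and `apply_nat_rules eth0 tun0`; `openvpn_is_listening "$(ss -tupln)"` gives an exit status you can use in a post-install check.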

Summary

This article explains how to setup and configure the OpenVPN server. In the next article, we will create the VPN client.

In case you face any issues don’t hesitate to comment.
