OpenVPN Ubuntu

What is OpenVPN?

OpenVPN is a virtual private network (VPN) system that implements techniques for creating secure site-to-site or point-to-point connections in routed or bridged configurations and remote-access facilities. It implements both server and client applications.

OpenVPN lets peers authenticate each other using a pre-shared secret key, certificates, or a username and password. In a multi-client server configuration, the server can issue an authentication certificate for every client using signatures and a certificate authority.

It makes extensive use of the OpenSSL encryption library and the TLS protocol, and contains many security and control features. It uses a custom security protocol that relies on SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.

OpenVPN has been ported and embedded into several systems. For example, DD-WRT has an OpenVPN server function, and SoftEther VPN, a multi-protocol VPN server, also includes an implementation of the OpenVPN protocol.

It is free software written by James Yonan and published under the terms of the GNU General Public License version 2 (GPLv2). Commercial licenses are also available.

Prerequisites

We will require:

  • One Ubuntu 22.04 server with a firewall enabled and a non-root user with sudo privileges.
  • A separate Ubuntu 22.04 server set up as a standalone CA (Certificate Authority).

Note: While it is technically possible to use our local machine or the OpenVPN server itself as the CA, this is not recommended because it exposes the VPN to some security risks: a compromise of the VPN server would then also hand the attacker the CA key, with which new client certificates can be issued. The CA should be a standalone machine dedicated to importing and signing certificate requests.

Additionally, we will need a client device that we will use to connect to our OpenVPN server.

Note: If we disabled password authentication while configuring these servers, we may run into difficulties when transferring files between them. To resolve this, we can re-enable password authentication on each server, or generate an SSH key pair on each server, add the OpenVPN server's public SSH key to the authorized_keys file on the CA machine, and vice versa.

Architecture of OpenVPN


Encryption

OpenVPN uses the OpenSSL library to encrypt both the control and data channels. It lets OpenSSL perform all of the encryption and authentication work, which allows OpenVPN to use any cipher available in the OpenSSL package.

It can also use the HMAC packet authentication feature to add an extra layer of security to the connection, and it can use hardware acceleration to improve encryption performance. Support for mbed TLS is available starting with version 2.3.

Authentication

OpenVPN offers several ways for peers to authenticate each other: pre-shared keys, certificate-based authentication, and username/password-based authentication. Pre-shared secret keys are the simplest; certificate-based authentication is the most robust and feature-rich.

In version 2.0, username/password authentication can be enabled with or without certificates. However, OpenVPN relies on plug-ins or scripts (such as the PAM plug-in shipped with the source) to actually verify the username and password.

Extensibility

OpenVPN can be extended with third-party plug-ins and scripts that are called at defined entry points. The purpose is usually to extend OpenVPN with more advanced logging, enhanced authentication with username/password, RADIUS integration, dynamic firewall updates, and so on. The plug-ins are dynamically loadable modules, usually written in C, while the script interface can execute any scripts or binaries available to OpenVPN.

Several example plug-ins are included in the OpenVPN source code, including a PAM authentication plug-in. Many third-party plug-ins also exist for authenticating against LDAP or SQL databases such as SQLite and MySQL.

Networking

OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing the established SSL tunnels on a single TCP/UDP port. OpenVPN fully supports IPv6 as the protocol of the virtual network inside a tunnel, and the OpenVPN applications can also establish connections via IPv6 from the 2.3.x series onward.

It has the ability to work through most proxy servers and is good at working through network address translation (NAT) and getting out through firewalls. The server configuration has the ability to "push" certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options. OpenVPN offers two types of network interfaces via the Universal TUN/TAP driver. OpenVPN can use the LZO compression library to compress the data stream, although compression is deprecated since OpenVPN 2.5 because compressing traffic that an attacker can partly influence leaks information about the rest of the stream (the VORACLE attack). The IANA-assigned port number for OpenVPN is 1194.

When OpenVPN uses TCP transport to establish a tunnel, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. This is known as the "TCP meltdown problem".

Security

OpenVPN offers several internal security features. It has up to 256-bit encryption through the OpenSSL library, although some service providers may offer lower rates, effectively providing some of the fastest VPNs available to consumers.

It runs in userspace instead of requiring IP stack (and therefore kernel) operation. OpenVPN has the ability to drop root privileges after initialisation (the user and group directives; persist-key is then needed so that the key, which the unprivileged process can no longer reread, survives a restart) and to use mlockall to prevent swapping sensitive data to disk (the mlock directive).

OpenVPN runs a custom security protocol based on SSL and TLS rather than supporting IKE, IPsec, L2TP or PPTP. OpenVPN offers support for smart cards via PKCS#11-based cryptographic tokens.
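To make the features above concrete, here is an added example (not from the original page): a lint in POSIX sh that checks an OpenVPN server configuration for the privilege drop, mlock, the control-channel key, certificate role pinning, compression, and weak data-channel ciphers. The directive names are OpenVPN's; the two sample configurations it writes, and the set of checks, are my own.

```shell
#!/bin/sh
# Added example, not code from the original page: a small lint that checks an
# OpenVPN server configuration for the hardening options discussed above
# (privilege drop, mlock, control-channel protection, no compression). The two
# sample configurations it writes are constructed for this demo.
set -eu

flag() { printf '%s: %s\n' "$1" "$2"; }

# lint_openvpn_conf FILE: prints one line per finding; prints nothing if clean.
lint_openvpn_conf() {
    f=$1
    # Privilege drop: without user/group the daemon keeps root for its lifetime.
    grep -qE '^user[[:space:]]+[^[:space:]]' "$f"  || flag "$f" "no 'user' directive: daemon stays root after init"
    grep -qE '^group[[:space:]]+[^[:space:]]' "$f" || flag "$f" "no 'group' directive"
    # Once root is dropped the key file cannot be reopened on a SIGUSR1 restart
    # unless persist-key kept it in memory.
    if grep -qE '^user[[:space:]]' "$f" && ! grep -q '^persist-key' "$f"; then
        flag "$f" "user set without persist-key: restarts will fail to reread the key"
    fi
    # mlockall keeps key material out of swap.
    grep -q '^mlock' "$f" || flag "$f" "no 'mlock': key material may be swapped to disk"
    # The static ta.key gates the control channel before any TLS work is done.
    grep -qE '^(tls-auth|tls-crypt)[[:space:]]' "$f" || flag "$f" "no tls-auth/tls-crypt: control channel accepts packets from anyone"
    # Role pinning: a certificate issued to a client must not pass as a server.
    grep -qE '^remote-cert-tls[[:space:]]+(server|client)' "$f" || flag "$f" "no remote-cert-tls: any certificate from the CA can play either role"
    # Compression of attacker-influenced traffic leaks plaintext (VORACLE).
    grep -qE '^(comp-lzo|compress)' "$f" && flag "$f" "compression enabled: exposed to VORACLE-style attacks"
    # Legacy 64-bit block ciphers or no cipher at all on the data channel.
    grep -qiE '^cipher[[:space:]]+(BF-CBC|DES|RC2|none)' "$f" && flag "$f" "weak or no data-channel cipher"
    return 0
}

# findings_count FILE: number of findings, for scripting.
findings_count() { lint_openvpn_conf "$1" | wc -l | tr -d ' '; }

# write_samples DIR: constructed weak and hardened server configs (not from the page).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher BF-CBC
comp-lzo
server 10.8.0.0 255.255.255.0
EOF
    cat > "$1/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
remote-cert-tls client
server 10.8.0.0 255.255.255.0
user nobody
group nogroup
persist-key
persist-tun
mlock
EOF
}

if [ $# -ge 1 ]; then
    lint_openvpn_conf "$1"          # lint a real config: ./lint.sh /etc/openvpn/server/server.conf
else
    demo=$(mktemp -d)               # offline demo on the two constructed samples
    write_samples "$demo"
    for c in weak hardened; do
        echo "== $c.conf: $(findings_count "$demo/$c.conf") finding(s)"
        lint_openvpn_conf "$demo/$c.conf"
    done
fi
```

The weak sample is what an older tutorial typically produces; the hardened one adds every directive the lint looks for. The checks are line-oriented and deliberately simple, so a directive pushed from an included file or given on the command line would not be seen.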

Platforms of OpenVPN

OpenVPN is available for Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, macOS, and Windows XP and later. It is available for several mobile phone operating systems, including Maemo, Windows Mobile 6.5 and below, Android 4.0+ devices, Android devices with the correct kernel module installed, jailbroken iOS 3.1.2+ devices, and iOS 3GS+ devices.

It is not compatible with some mobile phone operating systems, such as Palm OS. It is not a "web-based" VPN shown as a web page such as Citrix or Terminal Services Web access; the program is installed independently and configured by editing text files manually, rather than through a GUI-based wizard.

OpenVPN is not compatible with VPN clients that use the IPsec over L2TP or PPTP protocols. The entire package consists of one binary for both client and server connections, an optional configuration file, and one or more key files depending on the authentication method used.

Firmware implementations

OpenVPN has been integrated into several router firmware packages, allowing users to run OpenVPN in client or server mode from their network routers. A router running OpenVPN in client mode, for example, allows any device on the network to access a VPN without needing the capability to install OpenVPN.

OpenVPN has also been implemented in some manufacturers' router firmware.

Software implementations

The OpenVPN protocol has been implemented in SoftEther VPN, an open-source, multi-protocol VPN server, which allows users to connect to the VPN server via OpenVPN clients.

OpenVPN is also integrated into VyOS, an open-source routing operating system forked from the Vyatta software router.

Configuration of OpenVPN

OpenVPN can authenticate users via certificates, pre-shared keys, username/password, and so on.

GNOME/NetworkManager System Menu

It is possible to set up OpenVPN connections entirely in the default Debian GNOME environment using the network-manager-openvpn-gnome package. In NetworkManager, the VPN connection is handled like any other network connection and appears in the GNOME System Menu next to the Ethernet and WiFi controls.

In GNOME 42, to activate an OpenVPN connection automatically, we use the nm-connection-editor command. Find the network connection, open its settings, and under General select the "Automatically connect to VPN" option. After saving, a secondaries= line is added to the [connection] section of that network's configuration file. It contains a list of UUIDs of secondary connections to be activated. The configuration files usually live in /etc/NetworkManager/system-connections.

Unencrypted (raw) VPN connection for testing

This mode uses no encryption and no authentication (OpenVPN prints a warning to that effect), so it is only useful to confirm that the two hosts can reach each other on UDP port 1194. Tear it down once the test is done.

  • Client part

openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2 10.9.8.1

Once both ends are running, we can ping the server (10.9.8.1) from the client to check that it is reachable.

  • Server part

We run the following command in a server shell:

openvpn --remote CLIENT_IP --dev tun1 --ifconfig 10.9.8.1 10.9.8.2

If our client does not have a static IP address, we run the following instead (the server then accepts the first peer from any address):

openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2

Static-Key VPN Connection

  • Configuration of the static-key VPN server

We run the following command on the server to generate a static key in the /etc/openvpn directory:

openvpn --genkey secret static.key

Note: On OpenVPN 2.4 (Debian 10) the syntax is --genkey --secret rather than --genkey secret.

  • Configuration of the static-key VPN client

We copy the /etc/openvpn/static.key file from the server over a protected channel such as scp (it is the only secret protecting the tunnel) and create a new /etc/openvpn/tun0.conf file on each side.

Start OpenVPN manually on both sides with the following command:

openvpn --config /etc/openvpn/tun0.conf --verb 6

To verify that the VPN is up, we ping the address 10.9.8.2 from the server and the address 10.9.8.1 from the client.
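As an added example (not from the original page), the following script writes the server and client tun0.conf files that the steps above assume, using the tunnel addresses from this page and the key in /etc/openvpn/static.key. SERVER_IP, the documentation address 203.0.113.10 used in the offline demo, and the hardening directives (user/group drop, persist-key, AES-256-CBC with a SHA256 HMAC) are my choices, not the page's.

```shell
#!/bin/sh
# Added example, not code from the original page: renders the two
# /etc/openvpn/tun0.conf files for the static-key tunnel described above.
# Assumptions: the server is reachable at SERVER_IP on UDP 1194, the tunnel
# addresses are 10.9.8.1 (server) and 10.9.8.2 (client) as on this page, and
# static.key already sits in /etc/openvpn on both machines.
set -eu

# write_static_confs OUTDIR SERVER_IP KEYFILE
# Writes OUTDIR/server-tun0.conf and OUTDIR/client-tun0.conf.
write_static_confs() {
    outdir=$1; server_ip=$2; keyfile=$3
    # Server side: no "remote", so a client coming from any address is accepted
    # (it still has to prove knowledge of the static key).
    # "secret FILE 0" / "secret FILE 1" derive separate keys per direction.
    cat > "$outdir/server-tun0.conf" <<EOF
dev tun0
proto udp
port 1194
ifconfig 10.9.8.1 10.9.8.2
secret $keyfile 0
# static-key mode has no AEAD (GCM) support: CBC cipher plus an HMAC
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
    cat > "$outdir/client-tun0.conf" <<EOF
dev tun0
proto udp
remote $server_ip 1194
ifconfig 10.9.8.2 10.9.8.1
secret $keyfile 1
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
    chmod 600 "$outdir/server-tun0.conf" "$outdir/client-tun0.conf"
}

# conf_peer_matches SERVER_CONF CLIENT_CONF
# Succeeds when the two ifconfig lines mirror each other and the key
# directions differ; mismatches here are the usual cause of a silent tunnel.
conf_peer_matches() {
    s_if=$(awk '/^ifconfig/ {print $2, $3}' "$1")
    c_if=$(awk '/^ifconfig/ {print $3, $2}' "$2")
    s_dir=$(awk '/^secret/ {print $3}' "$1")
    c_dir=$(awk '/^secret/ {print $3}' "$2")
    [ "$s_if" = "$c_if" ] && [ -n "$s_dir" ] && [ "$s_dir" != "$c_dir" ]
}

if [ $# -ge 1 ]; then
    # Real use on the server: ./static-confs.sh SERVER_IP
    # (then copy client-tun0.conf and static.key to the client over scp).
    [ -f /etc/openvpn/static.key ] || openvpn --genkey secret /etc/openvpn/static.key
    write_static_confs /etc/openvpn "$1" /etc/openvpn/static.key
else
    # Offline demo with the documentation address 203.0.113.10 as SERVER_IP.
    demo=$(mktemp -d)
    write_static_confs "$demo" 203.0.113.10 /etc/openvpn/static.key
    conf_peer_matches "$demo/server-tun0.conf" "$demo/client-tun0.conf"
    echo "consistent configs written to $demo"
fi
```

Static-key mode needs no certificates, but it also has no forward secrecy: anyone who obtains static.key can decrypt all past and future traffic of the tunnel, which is why the TLS mode in the next section is preferred for anything beyond a single point-to-point link.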

TLS-enabled VPN connection

  • Init easy-rsa

easy-rsa is a separate package that is installed alongside OpenVPN starting with Debian Jessie. The easyrsa commands below are run on the CA machine (see the prerequisites), from the CA working directory (this page uses /etc/openvpn/easy-rsa), after the PKI has been initialised there with ./easyrsa init-pki.

Remember:

  • Only .key files need to be kept confidential.
  • It is not necessary to copy any .key file between systems.
  • .csr and .crt files can be sent over insecure channels, including plaintext email.
  • Each system will have its own key/certificate pair.

Note that build-server-full and build-client-full, used below, generate the private key on the CA and then sign it, so in that workflow the resulting .key does have to be moved to the server or client over a protected channel such as scp. The alternative that keeps every .key where it was generated is to run ./easyrsa gen-req on the server or client, import the resulting .csr on the CA with ./easyrsa import-req, and sign it there with ./easyrsa sign-req server (or client).

Produce CA KEY/CERTIFICATE

  • Produce the key and certificate of the CA (Certificate Authority):

./easyrsa build-ca

It will produce ca.key in /etc/openvpn/easy-rsa/pki/private and ca.crt in /etc/openvpn/easy-rsa/pki. The ca.key file is the root of trust for the whole VPN and never leaves the CA machine.

  • Produce the key and certificate of the server:

./easyrsa build-server-full server

It will produce server.crt in /etc/openvpn/easy-rsa/pki/issued and server.key in /etc/openvpn/easy-rsa/pki/private, signed by our root certificate.

Produce DIFFIE-HELLMAN PARAMETERS

Produce the Diffie-Hellman parameters (required on the server to complete an SSL/TLS handshake with DH key exchange; OpenVPN 2.4 and later can use ECDH with dh none instead):

./easyrsa gen-dh

Produce Static key for authentication

If we already generated a static key, we can rename and move it. Otherwise we run:

openvpn --genkey secret /etc/openvpn/server/ta.key

Note: As above, on OpenVPN 2.4 (Debian 10) the syntax is --genkey --secret rather than --genkey secret. This key is referenced by tls-auth or tls-crypt in both the server and the client configuration and must be copied to every client.

Produce client's KEY/CERTIFICATEs

Produce a key for each client with one of the following two commands:

  • Produce a key without a password:

./easyrsa build-client-full clientname nopass

  • Produce a key protected by a password; we will be prompted to "Enter PEM pass phrase" for each client:

./easyrsa build-client-full clientname

It will produce clientname.crt in /etc/openvpn/easy-rsa/pki/issued and clientname.key in /etc/openvpn/easy-rsa/pki/private.
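An added example, not from the original page or the easy-rsa project: a script that turns the files produced above into a server.conf and a single inline client .ovpn (the same kind of file the installer script in a later section hands out). The paths follow this page; the server's public name, the client name clientname, the 10.8.0.0/24 tunnel subnet, tls-crypt rather than tls-auth, and the cipher and extended-key-usage directives are assumptions of mine. The placeholder PEM blocks it writes for the offline demo are constructed stand-ins, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not code from the original page or from the easy-rsa project.
# Assembles server.conf and an inline client .ovpn from the files the easy-rsa
# steps above leave under the PKI directory. Assumptions: PKI at
# /etc/openvpn/easy-rsa/pki, ta.key at /etc/openvpn/server/ta.key, a client
# issued as "clientname", and the server's public name given as $1.
set -eu

# pem_block FILE MARKER: print only the PEM block (easy-rsa's .crt files carry
# a human-readable dump before the PEM that has no place in a profile).
pem_block() {
    sed -n "/-----BEGIN $2/,/-----END $2/p" "$1"
}

# build_server_conf PKI_DIR TA_KEY  (prints server.conf to stdout)
build_server_conf() {
    pki=$1; ta=$2
    cat <<EOF
port 1194
proto udp
dev tun
ca $pki/ca.crt
cert $pki/issued/server.crt
key $pki/private/server.key
dh $pki/dh.pem
# tls-crypt authenticates and encrypts the control channel with ta.key, so
# packets without a valid HMAC are dropped before any TLS processing.
tls-crypt $ta
tls-version-min 1.2
# data-ciphers is the 2.5+ name (ncp-ciphers in 2.4)
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
# Only certificates with the client EKU may connect (build-client-full sets it).
remote-cert-tls client
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# build_client_profile PKI_DIR TA_KEY SERVER_HOST CLIENT_NAME  (prints .ovpn)
build_client_profile() {
    pki=$1; ta=$2; host=$3; name=$4
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Require the server EKU on the peer certificate: without this, any client
# certificate issued by our CA could impersonate the server.
remote-cert-tls server
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
verb 3
<ca>
$(pem_block "$pki/ca.crt" CERTIFICATE)
</ca>
<cert>
$(pem_block "$pki/issued/$name.crt" CERTIFICATE)
</cert>
<key>
$(pem_block "$pki/private/$name.key" ".*PRIVATE KEY")
</key>
<tls-crypt>
$(pem_block "$ta" "OpenVPN Static key")
</tls-crypt>
EOF
}

# write_placeholder_pki DIR: constructed PEM stand-ins for an offline demo;
# these are not real keys or certificates.
write_placeholder_pki() {
    mkdir -p "$1/pki/issued" "$1/pki/private"
    printf '%s\n' 'Certificate:' '  (text dump)' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/pki/ca.crt"
    printf '%s\n' 'Certificate:' '-----BEGIN CERTIFICATE-----' 'CLIENT-PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/pki/issued/clientname.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' '-----END PRIVATE KEY-----' > "$1/pki/private/clientname.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'TA-PLACEHOLDER' '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

umask 077   # the profile embeds the client's private key
if [ $# -ge 1 ]; then
    # Real use on the CA/server: ./profile.sh vpn.example.com
    pki=/etc/openvpn/easy-rsa/pki; ta=/etc/openvpn/server/ta.key
    build_server_conf "$pki" "$ta" > /etc/openvpn/server/server.conf
    build_client_profile "$pki" "$ta" "$1" clientname > clientname.ovpn
    # then: systemctl enable --now openvpn-server@server, and scp clientname.ovpn to the client
else
    demo=$(mktemp -d)
    write_placeholder_pki "$demo"
    build_client_profile "$demo/pki" "$demo/ta.key" vpn.example.com clientname > "$demo/clientname.ovpn"
    echo "demo profile written to $demo/clientname.ovpn"
fi
```

The remote-cert-tls server line on the client is the one that matters most: the Remember list above says .crt files may be shared freely, and that is only safe because a client certificate is refused as the server's once its extended key usage is checked. The resulting .ovpn contains the client's private key, so it is written with umask 077 and must reach the client over scp or a similar protected channel, not email.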

Licensing of OpenVPN

OpenVPN is available in two different editions:

  • OpenVPN Community Edition is the free, open-source edition.
  • OpenVPN Access Server is a server based on the Community Edition, but it offers additional proprietary, paid features such as a web UI for management, an SMB server, LDAP integration, and a set of installation and configuration tools reported to simplify rapid deployment of a remote-access VPN solution.

This edition relies heavily on iptables for load balancing and has never been available on Windows for that reason. This version can also dynamically create client installers that include a client profile for connecting to a particular Access Server instance.

The user does not, however, need an Access Server client to connect to an Access Server instance; the client from the OpenVPN Community Edition can be used.

Installing OpenVPN on Ubuntu

OpenVPN is a popular, fast, open-source program for creating a virtual private network. It uses both the UDP and TCP transport protocols. VPN tunnels are secured with the OpenVPN protocol using SSL/TLS authentication, certificates, credentials, MAC address lock, and multi-factor authentication.

OpenVPN can be used on a wide range of systems and devices. Like most VPN protocols on the market, it has a client-server architecture. The OpenVPN access server runs on a Linux system, and clients can be installed on other Linux systems, macOS, Windows, and mobile operating systems such as iOS, Android, and Windows Mobile.

The OpenVPN access server accepts multiple incoming VPN connections, and the OpenVPN Connect clients or open-source clients compatible with OpenVPN can initiate a connection to the server.

In this article we will learn how to set up an OpenVPN access server on Ubuntu and connect VPN clients from other Linux systems.

Set up OpenVPN server in Ubuntu

  • Manually installing and configuring an OpenVPN server is not a trivial task. That is why we will use a script that sets up a secure OpenVPN server for us.

Before downloading and running the script, note that it auto-detects the private IP address of our server, but we need to know the server's public IP address, especially if it is running behind NAT.

To check the public IP address of our server, run the following wget command in a terminal window:

  • Download the installer script with the curl command-line tool, then make it executable with chmod:
  • Run the installer script:

When run for the first time, the script asks a few questions; read them carefully and answer them according to how we want the OpenVPN server set up. Since the script is downloaded from the Internet and runs as root, read through it before executing it.

  • Once the VPN installation is complete, a client configuration file is written to the current working directory. This is the file we will use to configure our OpenVPN client, as described in the next section.
  • Ensure that the OpenVPN service is up and running by checking its status with systemctl.
  • Also ensure that the OpenVPN daemon is listening on the port we told the script to use.
  • If we check our network interfaces, a new interface has been created for the VPN tunnel. We can confirm this with the ip command.

Setting up OpenVPN clients

  • It is time to set up our OpenVPN clients and connect them to the VPN server. First install the OpenVPN package on the client machine:

sudo apt install openvpn

  • On a desktop system, also install the network-manager-openvpn package so that the VPN can be configured from the graphical interface:

sudo apt install network-manager-openvpn

  • After installing these packages, start the OpenVPN service, enable it to start automatically at boot, and check its status to confirm that it is up and running:

sudo systemctl start openvpn
sudo systemctl enable openvpn
sudo systemctl status openvpn

  • Now we import the OpenVPN client settings obtained from the OpenVPN server.
  • Open System Settings, go to Network, and press the Add button under VPN to get the required options.
  • Select the "Import from file" option in the pop-up window, then browse in the file manager and choose the .ovpn client configuration file we downloaded from the server.
  • On other Linux desktop systems, click the network icon on the system panel and open Network Connections. Then press the plus button to add a new connection and choose "Import a saved VPN configuration..." from the drop-down list. Click Create and import the file.
  • The VPN settings are added after the file is imported. Then press the Add button.
  • Our VPN client settings should now be added successfully. We can connect to the OpenVPN server by turning the VPN on.
  • The VPN connection should now be established.
  • If we check our network interfaces with the ip addr command, a VPN tunnel interface should be present.