openVPN server ubuntu

For those moments when you can’t trust the WLAN.. wherever that may be.
Let’s tunnel the connection using openVPN and get some security / bypass the nosy operator of the WLAN
(using Ubuntu server 14.04 here…)
the client side will be using network-manager

DISCLAIMER: we will be breaking some conventions here – the idea is that I will be the only user most of the time and there will be only one instance of openvpn running. Will adjust later if needed :)

friends at DigitalOcean have compiled this here

Step 1: setup the server
install the binaries
apt-get install openvpn easy-rsa
copy the default config to openvpn:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
now edit /etc/openvpn/server.conf
change the DH parameters from 1024 to 2048 bits (because why not?)
dh dh1024.pem --> dh dh2048.pem
and find this passage and uncomment it (remove the ‘;’ ) – this makes the clients route all their traffic through the VPN server, not just the VPN subnet; we do this for privacy, not for enterprise networking
;push "redirect-gateway def1 bypass-dhcp"
next is to push the OpenDNS servers to the clients (so DNS queries don’t leak to the WLAN operator’s resolver): uncomment these two:
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

and uncomment these two so that openvpn drops root privileges once it is running:
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nogroup

save and exit
enable packet forwarding (disabled by default)
echo 1 > /proc/sys/net/ipv4/ip_forward
and to make it permanent, uncomment this line (value ‘1’) in /etc/sysctl.conf:
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

save and exit and set up the firewall (we use ufw here, right? )
ufw allow 1194/udp
now edit /etc/default/ufw – same story as with sysctl.conf – the default is not to forward traffic (DROP), so change it to
DEFAULT_FORWARD_POLICY="ACCEPT"
now edit /etc/ufw/before.rules and add masquerading and NAT rules for the clients:
at the end of before.rules add this:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
# (eth0 = the interface facing the internet; the default OpenVPN
#  subnet is 10.8.0.0/24, so /24 would be enough here)
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

using ‘ufw status’ verify ports 22 (tcp) and 1194 (udp) are open.
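Before moving on, it helps to verify that none of the edits above got left commented out (a ‘;’ still in front of user/group is the classic one). This small check script is an added example, not part of the original post or of OpenVPN; it looks for the exact directives from step 1 in a server.conf and sysctl.conf and ignores lines that are still commented out. The two sample configs it writes are constructed for the demo, not real files from the box.

```sh
#!/bin/sh

# has_directive FILE 'exact directive' -> 0 if present and not commented out
has_directive() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^[;#]/d' "$1" | grep -qxF "$2"
}

# check_openvpn_conf FILE -> lists each missing directive, returns 1 if any
check_openvpn_conf() {
    conf="$1"; rc=0
    for d in 'dh dh2048.pem' \
             'push "redirect-gateway def1 bypass-dhcp"' \
             'push "dhcp-option DNS 208.67.222.222"' \
             'push "dhcp-option DNS 208.67.220.220"' \
             'user nobody' 'group nogroup'; do
        if ! has_directive "$conf" "$d"; then
            echo "missing or still commented out: $d"
            rc=1
        fi
    done
    return $rc
}

# check_sysctl FILE -> 0 only if net.ipv4.ip_forward=1 is uncommented
check_sysctl() {
    has_directive "$1" 'net.ipv4.ip_forward=1'
}

# Constructed samples (not real config files): the relevant lines of the stock
# server.conf before editing, and the same lines after the edits from step 1.
STOCK=$(mktemp); EDITED=$(mktemp)
cat > "$STOCK" <<'EOF'
dh dh1024.pem
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nogroup
EOF
cat > "$EDITED" <<'EOF'
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
user nobody
group nogroup
EOF

check_openvpn_conf "$STOCK" || echo "stock config still needs editing"
check_openvpn_conf "$EDITED" && echo "edited config: all settings present"
```

On a real box run check_openvpn_conf /etc/openvpn/server.conf and check_sysctl /etc/sysctl.conf instead of the sample files.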

Step 2: create a CA and keys
we are lazy so we use scripts
copy them in place:
cp -r /usr/share/easy-rsa/ /etc/openvpn
create a key storage:
mkdir /etc/openvpn/easy-rsa/keys
edit /etc/openvpn/easy-rsa/vars and fill in as desired (so you can recognize the key)
modify all the “export” variables / don’t leave them blank
the KEY_NAME determines the name of the files that will be created (server.crt/server.key)
also the CA name should be your hostname (you will be asked for it again later)
now create the DH parameters (how long this takes depends on your CPU.. a “long time” was 10 seconds on my box :)
# openssl dhparam -out /etc/openvpn/dh2048.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
…………………………….
now cd /etc/openvpn/easy-rsa
and load the PKI variables into your shell using . ./vars
(dot space dot slash)
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
in fact.. let’s do this :) you never know who was on your box before… (or what you did last time drunk…)
./clean-all
and start with ./build-ca
this done, build the key-server
./build-key-server
the challenge password and optional company name should be left BLANK
the other two questions need “Y” to proceed.

once signed you should have these files in /etc/openvpn/easy-rsa/keys:
server.crt, server.key, ca.crt (“server” will be whatever you specified in KEY_NAME before)
copy these to /etc/openvpn and start the server:
service openvpn start
verify with service openvpn status
if problems, tail /var/log/syslog (unless you directed logs to a dedicated file)
usually the key name is wrong / cannot be found.
# service openvpn status
* VPN 'server' is running

Step 3: generate certificates and keys for clients
every client needs his/her own certificate and key, so let's begin with a user for the laptop and one for the phone
remember the names you give there and create keys for every client:
./build-key username1 (repeat for username2, etc...)
then copy the client config in place:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
this is a template - it needs to be adjusted for every user!

in the end every client will need 4 files:
ca.crt
username1.key
username1.crt
client.ovpn

Step 4: Creating a Unified OpenVPN Profile for Client Devices