APC Australia

The make_config.sh script


Open up a Terminal, and then type the following command in order to create an empty file:

$ nano ~/openvpn-ca/client-configs/make_config.sh

Now you need to carefully enter the following lines:

#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/openvpn-ca/client-configs/files
BASE_CONFIG=~/openvpn-ca/client-configs/client.conf

# Concatenate the base config with the CA certificate, the client's own
# certificate and key, and the tls-auth key, each wrapped in inline tags
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Once created, save and close the file, before typing the following command to make it executable:

$ chmod 700 ~/openvpn-ca/client-configs/make_config.sh

$ cd ~/openvpn-ca/keys

$ sudo cp ca.crt ca.key MyVPN.crt MyVPN.key ta.key dh2048.pem /etc/openvpn

Replace MyVPN.crt and MyVPN.key with the value you allocated to KEY_NAME in the walkthrough above. Next, you need to generate your OpenVPN configuration file:

$ cd /usr/share/doc/openvpn/examples/sample-config-files

$ sudo cp server.conf.gz /etc/openvpn

$ sudo gzip -d /etc/openvpn/server.conf.gz

Now follow the second step-by-step guide (over the page) to configure your server for basic usage. Once done, you need to perform one critical step to allow your clients to actually access the internet through your VPN. First, enter the following command:

$ ip route | grep default

Make a note of the interface listed next to ‘dev’ — on our machine, this is ‘enp0s3’. Now enter the following command, substituting enp0s3 with the interface listed on your PC, if applicable:

$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE

3 START AND TEST YOUR SERVER

It’s time to get things up and running. Type the following Terminal command, which launches OpenVPN using the server.conf file you’ve configured:

$ sudo systemctl start openvpn@server

Now check the server is running correctly:

$ sudo systemctl status openvpn@server

You should see a list of messages appear on screen, including the all-important ‘active (running)’ message [Image A], along with ‘Initialization sequence completed’ at the bottom — press ‘Ctrl-C’ to interrupt the status check. Next, check that the OpenVPN interface is available:

$ ip addr show tun0

If it shows a configured interface ending with “valid_lft forever preferred_lft forever”, things should be working correctly. You can now configure OpenVPN to launch automatically at startup with the following line:

$ sudo systemctl enable openvpn@server

4 MAKE CLIENT CONFIGURATION EASY

The simplest way to configure your client is through the use of specially made .ovpn files, inside which the required key files are embedded, along with the settings needed to connect. These are created on your server, and here’s what you need to do.

Create a directory structure inside which your client configuration files are stored, then lock down the directory permissions, and create a base config file to work from:

$ mkdir -p ~/openvpn-ca/client-configs/files

$ chmod 700 ~/openvpn-ca/client-configs/files

Now open the Nautilus file manager, click the ‘Computer’ link on the left and browse to ‘/usr/share/doc/openvpn/examples/sample-config-files’. Copy the client.conf file from here to ‘~/openvpn-ca/client-configs’. Double-click the copied file to edit it in gedit [Image B]. First, locate the line marked remote my-server-1 1194 and change this to point toward your server’s public IP address or dynamic DNS name — for example, remote 1.2.3.4 1194 or remote dynamic.ddns.net 1194. Next, uncomment both ;user nobody and ;group nogroup, before commenting out the lines ca ca.crt, cert client.crt and key client.key, because they’re added by the batch file. Last, but not least, add the following line beneath ;tls-auth ta.key 1 (which should remain commented out):

key-direction 1

Save and exit, then follow the instructions in the box on the first page of this article to create the ‘make_config.sh’ file, which you’ll use to generate the client configuration files whenever they’re needed for each client.

5 GENERATE A CLIENT CONFIGURATION FILE

You’ve now got all the tools you need to create your client configuration files. Here’s the process you need to follow in order to build them. First, you need to generate a certificate and key for your client using the following commands:

$ cd ~/openvpn-ca && source vars

This time, ignore the note (we don’t want to clean anything), then type:

$ ./build-key client1

You need a unique name for each client certificate you generate — so, for subsequent certificates, you would use client2, client3 and so on. Again, you’re taken through a similar process as when you ran the build-server-key command, and the answers are exactly the same — no challenge password, and accepting the default choices.

Once generated, build the configuration file:

$ cd client-configs

$ ./make_config.sh client1

You’ll find a file marked ‘client1.ovpn’ inside the client-configs/files subfolder. This now needs to be securely transferred to your client — the box above reveals the different options available to you, and how to configure a VPN connection to your server from another Ubuntu PC.
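As an added check before you copy a .ovpn to a client (example code written for this article, not part of the original guide or of OpenVPN itself): a shell function that inspects a generated file for the four inline blocks assembled by make_config.sh and for the edits made to client.conf in step 4. The sample .ovpn it writes is constructed, with placeholder text standing in for real certificates and keys, and the hostname vpn.example.net is an assumption.

```shell
# check_ovpn FILE: sanity-check a client .ovpn produced by make_config.sh.
# Prints each failed check and returns 1; returns 0 when everything is in place.
check_ovpn() {
    local f="$1" fail=0 tag
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    # Every inline block must open and close exactly once.
    for tag in ca cert key tls-auth; do
        if [ "$(grep -c "^<$tag>\$" "$f")" != 1 ] || [ "$(grep -c "^</$tag>\$" "$f")" != 1 ]; then
            echo "missing or unbalanced <$tag> block"; fail=1
        fi
    done
    # The blocks must carry PEM material; an empty key file would be copied in silently.
    grep -q '^-----BEGIN CERTIFICATE-----' "$f" || { echo "no certificate embedded"; fail=1; }
    grep -q 'PRIVATE KEY-----' "$f" || { echo "no private key embedded"; fail=1; }
    # Edits from step 4: tls-auth key direction and dropping privileges after connecting.
    grep -qE '^key-direction[[:space:]]+1$' "$f" || { echo "key-direction 1 not set"; fail=1; }
    grep -qE '^user[[:space:]]+nobody$' "$f" || { echo "user nobody still commented out"; fail=1; }
    grep -qE '^group[[:space:]]+nogroup$' "$f" || { echo "group nogroup still commented out"; fail=1; }
    # ca/cert/key file directives must be commented out, otherwise the client looks
    # for ca.crt, client.crt and client.key on disk instead of the inline copies.
    if grep -qE '^(ca|cert|key)[[:space:]]' "$f"; then
        echo "file-based ca/cert/key directive still active"; fail=1
    fi
    # remote must have been changed from the sample file's placeholder.
    if grep -qE '^remote[[:space:]]+my-server-1([[:space:]]|$)' "$f"; then
        echo "remote still points at my-server-1"; fail=1
    fi
    return $fail
}

# Constructed sample of a good .ovpn: placeholder text stands in for real PEM
# material, and vpn.example.net is an assumed hostname.
write_sample_ovpn() {
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote vpn.example.net 1194' \
        'user nobody' 'group nogroup' ';ca ca.crt' ';cert client.crt' \
        ';key client.key' ';tls-auth ta.key 1' 'key-direction 1' \
        '<ca>' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' '</ca>' \
        '<cert>' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' '</cert>' \
        '<key>' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' '</key>' \
        '<tls-auth>' 'PLACEHOLDER' '</tls-auth>' > "$1"
}

# Usage on a real file: check_ovpn ~/openvpn-ca/client-configs/files/client1.ovpn
sample=$(mktemp) && write_sample_ovpn "$sample"
check_ovpn "$sample" && echo "sample .ovpn passes every check"
rm -f "$sample"
```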

Congratulations — you’ve just made your internet connection more secure [Image C].

