Enable Root (skip this section: enabling the root account and root login over SSH is unsafe. I keep it here to remind myself how wrong this is. Go directly to “Install VPN and Configure it”)
sudo passwd root
su root
Enable root login over SSH
sudo nano /etc/ssh/sshd_config
add (or uncomment and change) the line
PermitRootLogin yes
Save and exit the file, then restart the SSH daemon
sudo systemctl restart sshd
Install VPN and Configure it
Download the installer script (Nyr's openvpn-install) as the ubuntu user. Read it before running it: it runs as root and rewrites system configuration, so make sure the file you fetched is the script you expect.
wget https://git.io/vpn -O openvpn-install.sh
Enable Passphrase Protection on Client Keys
Find the lines in the script that build the client certificate and remove “nopass”. With nopass, easy-rsa writes the client's private key into the .ovpn file unencrypted; without it, easy-rsa asks for a passphrase when the client is created and encrypts the key with it, so a copied .ovpn file alone is not enough to connect.
$ grep -n '"$client" nopass' openvpn-install.sh
241: EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
458: EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
Use nano to open the .sh file and remove “nopass” from lines 241 and 458 (the line numbers may differ in other versions of the script; trust your own grep output over the numbers here).
Running openvpn-install.sh to install OpenVPN server
chmod +x openvpn-install.sh -- makes it executable (not strictly needed when you start it with bash)
sudo bash openvpn-install.sh -- the installer needs root privileges
Make sure you provide the needed information
Welcome to this OpenVPN road warrior installer!
Which protocol should OpenVPN use?
1) UDP (recommended)
2) TCP
Protocol [1]: 1
What port should OpenVPN listen to?
Port [1194]:
Select a DNS server for the clients:
1) Current system resolvers
2) Google
3) 1.1.1.1
4) OpenDNS
5) Quad9
6) AdGuard
DNS server [1]: 2
Enter a name for the first client:
Name [client]: anything
OpenVPN installation is ready to begin.
Press any key to continue...
This creates anything.ovpn in root's home directory (the installer ran as root). Copy it into the ubuntu user's home directory so it can be fetched with scp. The file embeds the client certificate and its passphrase-encrypted private key, so treat it as a secret: the copy made with sudo is owned by root and readable by everyone under the default umask, so make it readable by the ubuntu user only and delete it once it has been downloaded.
cp the .ovpn to /home/ubuntu/ovpnuser
cd
mkdir ovpnuser
sudo cp /root/anything.ovpn /home/ubuntu/ovpnuser
Download the .ovpn file onto your local machine
# log off from ssh
exit
# execute this on your local machine; scp is available on Windows, macOS and Linux
scp ubuntu@server_id:/home/ubuntu/ovpnuser/anything.ovpn .
# this downloads anything.ovpn into your current folder
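The passphrase edit above (removing nopass) and the export step are easy to get subtly wrong: if the nano or sed edit missed a line, the installer silently emits an unencrypted key and the .ovpn file becomes a bearer credential. The following is an added example, not code from the original post or from the openvpn-install project. It does the edit on a copy of the script with a line-count check, and, before a .ovpn file is copied off the server, verifies that the embedded key is passphrase-encrypted and restricts the file to mode 600. The installer fragment and the two .ovpn bodies in the demo are constructed; the PEM header strings are the standard OpenSSL ones (an encrypted PKCS#8 key begins with BEGIN ENCRYPTED PRIVATE KEY, a plaintext one with BEGIN PRIVATE KEY).

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the openvpn-install project.
#  strip_nopass        removes "nopass" from the easy-rsa build-client-full lines and
#                      fails unless exactly the expected number of lines matched
#  check_client_config refuses a .ovpn whose embedded key is not passphrase-encrypted
#                      and tightens the file mode to 600
set -u

# strip_nopass <installer-script> [expected-count]
strip_nopass() {
    script=$1
    expected=${2:-2}   # the post's grep found two lines
    before=$(grep -c 'build-client-full "\$client" nopass' "$script" || true)
    if [ "$before" -ne "$expected" ]; then
        echo "strip_nopass: $before matching lines in $script, expected $expected; the script changed, edit it by hand" >&2
        return 1
    fi
    # Touch only build-client-full lines; everything else stays as it was. Keeps a .bak copy.
    sed -i.bak '/build-client-full "\$client"/ s/ nopass$//' "$script"
    after=$(grep -c 'build-client-full "\$client" nopass' "$script" || true)
    [ "$after" -eq 0 ]
}

# check_client_config <file.ovpn>
check_client_config() {
    ovpn=$1
    if ! grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$ovpn"; then
        echo "check_client_config: $ovpn carries an unencrypted client key (was nopass really removed?)" >&2
        return 1
    fi
    chmod 600 "$ovpn"
    echo "check_client_config: $ovpn has a passphrase-protected key, mode 600"
}

# Demo on constructed inputs: a stand-in for the two installer lines and two .ovpn bodies.
demo_dir=$(mktemp -d)
printf '%s\n' \
    'echo "lines above omitted"' \
    'EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass' \
    'echo "lines between omitted"' \
    'EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass' \
    > "$demo_dir/openvpn-install.sh"
printf '%s\n' 'client' '<key>' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIF...constructed...' \
    '-----END ENCRYPTED PRIVATE KEY-----' '</key>' > "$demo_dir/good.ovpn"
printf '%s\n' 'client' '<key>' '-----BEGIN PRIVATE KEY-----' 'MIIE...constructed...' \
    '-----END PRIVATE KEY-----' '</key>' > "$demo_dir/bad.ovpn"

strip_nopass "$demo_dir/openvpn-install.sh" && grep -n 'build-client-full' "$demo_dir/openvpn-install.sh"
check_client_config "$demo_dir/good.ovpn"
check_client_config "$demo_dir/bad.ovpn" || echo "bad.ovpn rejected, as intended"
```

For a real run, call strip_nopass on the downloaded openvpn-install.sh before starting the installer (diff it against the .bak copy, then delete the .bak), and call check_client_config on the .ovpn file in /home/ubuntu/ovpnuser before the scp; a non-zero exit means the passphrase edit did not take and the client should be recreated rather than shipped.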
Once you have the .ovpn file on your local machine, drag and drop it into your OpenVPN client application.
Start the connection and enter the key passphrase you chose when the client was created.
OpenVPN Maintenance
Update to the newest Version
to check the openvpn version
openvpn --version
OpenVPN is in the Ubuntu repositories, but not always at the newest version. To stay current with security fixes it is worth tracking the newest stable release from the project's own apt repository. Here is how; the official OpenVPN software repository guide describes the same steps.
- add repo to vm
sudo -s
# keep the signing key in its own keyring file and reference it with signed-by, so it is trusted for this repository only
# (a key dropped into /etc/apt/trusted.gpg.d is trusted for every repository that does not pin its own key)
mkdir -p /etc/apt/keyrings
curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | gpg --dearmor > /etc/apt/keyrings/openvpn-repo-public.gpg
# watch out here: <version> and <osrelease> are placeholders
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/openvpn-repo-public.gpg] https://build.openvpn.net/debian/openvpn/<version> <osrelease> main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
# I am running Ubuntu 22.04 (jammy), so in my case I need
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/openvpn-repo-public.gpg] https://build.openvpn.net/debian/openvpn/stable jammy main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
<version> and <osrelease> need to be substituted (the codename is the VERSION_CODENAME value in /etc/os-release),
Where <version> can be one of
- stable: stable releases only – no alphas, betas or RCs
- testing: latest releases, including alphas/betas/RCs
- release/2.3: OpenVPN 2.3 releases
- release/2.4: OpenVPN 2.4 releases, including alphas/betas/RCs
- release/2.5: OpenVPN 2.5 releases, including alphas/betas/RCs
- release/2.6: OpenVPN 2.6 releases, including alphas/betas/RCs
and <osrelease> depends your distribution:
- stretch (Debian 9.x)
- buster (Debian 10.x)
- bullseye (Debian 11.x)
- xenial (Ubuntu 16.04 LTS)
- bionic (Ubuntu 18.04 LTS)
- focal (Ubuntu 20.04 LTS)
- jammy (Ubuntu 22.04 LTS)
- kinetic (Ubuntu 22.10)
- update the package index and upgrade
sudo apt update
sudo apt upgrade
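Typing the codename by hand is where this step goes wrong (jammy versus focal, or a release the repository does not serve at all). The following is an added example, not from the original post or from the OpenVPN project: it reads VERSION_CODENAME from an os-release file, checks the channel and the codename against the two lists above, and prints the sources line, refusing anything it does not recognise. The keyring path /etc/apt/keyrings/openvpn-repo-public.gpg is this example's own choice, and the os-release content in the demo is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the OpenVPN project: derive the apt
# sources line for the OpenVPN repository from os-release instead of typing the
# codename, and refuse channels or releases that are not in the lists above.
set -u

KEYRING=/etc/apt/keyrings/openvpn-repo-public.gpg   # assumed location of the dearmored key
CHANNELS="stable testing release/2.3 release/2.4 release/2.5 release/2.6"
CODENAMES="stretch buster bullseye xenial bionic focal jammy kinetic"

# in_list <word> <space-separated list>
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# os_codename <os-release-file>: prints VERSION_CODENAME (for example jammy)
os_codename() {
    sed -n 's/^VERSION_CODENAME=//p' "$1" | tr -d '"'
}

# openvpn_apt_line <channel> <os-release-file>: prints the sources.list line,
# returns 1 if the channel or the codename is not one the repository serves.
openvpn_apt_line() {
    channel=$1
    codename=$(os_codename "$2")
    in_list "$channel" "$CHANNELS" || { echo "unknown channel: $channel" >&2; return 1; }
    in_list "$codename" "$CODENAMES" || { echo "unsupported release: '$codename'" >&2; return 1; }
    printf 'deb [arch=amd64 signed-by=%s] https://build.openvpn.net/debian/openvpn/%s %s main\n' \
        "$KEYRING" "$channel" "$codename"
}

# Demo on a constructed os-release file (the real one is /etc/os-release).
demo_osrel=$(mktemp)
printf '%s\n' 'NAME="Ubuntu"' 'VERSION_ID="22.04"' 'VERSION_CODENAME=jammy' > "$demo_osrel"
openvpn_apt_line stable "$demo_osrel"
openvpn_apt_line release/2.6 "$demo_osrel"
openvpn_apt_line stable /dev/null || echo "(refused, as intended: no codename found)"
rm -f "$demo_osrel"
```

On the server, run it as root as openvpn_apt_line stable /etc/os-release and redirect the output into /etc/apt/sources.list.d/openvpn-aptrepo.list; a non-zero exit means your release is not in the list and you should check the repository's supported releases before adding anything.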
Regular Admin tasks
-- run
bash openvpn-install.sh
-- outputs ----
Looks like OpenVPN is already installed
What do you want to do?
1) Add a cert for a new user
2) Revoke existing user cert
3) Remove OpenVPN
4) Exit
Select an option [1-4]:
Final Step: Port Forwarding
If you are running this at home, like I am, the final step is to go to your router and, under port forwarding, forward port 1194 (UDP, the protocol chosen in the installer) to your VPN server's private IP address. Give the server a fixed private address (a static DHCP lease) so the rule keeps pointing at it.
Enable UFW to be sure 🙂
sudo ufw allow 22/tcp -- for ssh and sftp; add this rule before enabling ufw, otherwise new SSH connections are blocked once it is on
sudo ufw allow 1194/udp -- for openvpn (1194/tcp if you chose TCP in the installer); a plain "allow 1194" would open both protocols
sudo ufw enable
# on ubuntu, rules added with ufw allow take effect immediately; no reload needed.
Read Logs about All VPN Connections
OpenVPN logs through syslog, so its messages end up in /var/log/syslog (and in the journal of the openvpn-server@server unit the installer set up); grep for the name you are interested in:
grep VPN /var/log/syslog
-- for me it is
grep chaoyuVPN /var/log/syslog
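grep gives you the raw lines; what you usually want from them is who connected, who disconnected, and which addresses keep failing the TLS handshake (a revoked client still retrying, or a stranger probing the forwarded port). The following is an added example, not from the original post: it summarises a constructed syslog excerpt with grep, sed and awk. The message texts are modelled on what an OpenVPN 2.x server prints; the hostname, addresses, client names and the syslog program tag (openvpn, set via OVPN_TAG) are assumptions, so check the tag against your own /var/log/syslog first.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: summarise OpenVPN server messages in
# syslog rather than reading raw grep output. Message texts follow the OpenVPN 2.x
# server log format; hostname, addresses, client names and the syslog tag are
# constructed/assumed.
set -u

OVPN_TAG=${OVPN_TAG:-openvpn}   # program tag in the syslog lines; assumption, check yours

# Constructed syslog excerpt: one client connecting twice and leaving once, one
# address failing the handshake three times (tls-crypt mismatch, timeout, handshake
# failure), one revoked client, and an unrelated cron line the tag filter must skip.
SAMPLE_LOG=$(mktemp)   # left in place so the summary can be re-run against it
cat > "$SAMPLE_LOG" <<'EOF'
Jan  2 10:00:01 vpn openvpn[812]: 203.0.113.5:51234 VERIFY OK: depth=0, CN=anything
Jan  2 10:00:01 vpn openvpn[812]: 203.0.113.5:51234 [anything] Peer Connection Initiated with [AF_INET]203.0.113.5:51234
Jan  2 10:00:02 vpn openvpn[812]: anything/203.0.113.5:51234 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jan  2 10:05:00 vpn openvpn[812]: TLS Error: tls-crypt unwrapping failed from [AF_INET]198.51.100.7:40000
Jan  2 10:05:10 vpn openvpn[812]: 198.51.100.7:40001 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan  2 10:05:20 vpn openvpn[812]: 198.51.100.7:40002 TLS Error: TLS handshake failed
Jan  2 10:07:00 vpn openvpn[812]: 203.0.113.9:60000 VERIFY ERROR: depth=0, error=certificate revoked: CN=olduser
Jan  2 10:07:00 vpn openvpn[812]: 203.0.113.9:60000 TLS Error: TLS handshake failed
Jan  2 10:30:00 vpn openvpn[812]: anything/203.0.113.5:51234 SIGTERM[soft,remote-exit] received, client-instance exiting
Jan  2 11:00:00 vpn openvpn[812]: 203.0.113.5:51300 [anything] Peer Connection Initiated with [AF_INET]203.0.113.5:51300
Jan  2 11:00:05 vpn CRON[900]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
EOF

# Successful connections per client name, taken from "[name] Peer Connection Initiated".
vpn_connects() {
    grep "$OVPN_TAG\[[0-9]*\]: .*Peer Connection Initiated" "$1" \
      | sed -n 's/.* \[\([^]]*\)\] Peer Connection Initiated.*/\1/p' \
      | sort | uniq -c | awk '{print $2, $1}'
}

# Disconnects per client name, taken from the "name/ip:port SIGTERM ... client-instance exiting" line.
vpn_disconnects() {
    grep "$OVPN_TAG\[[0-9]*\]: .*client-instance exiting" "$1" \
      | sed -n 's/.*]: \([^/ ]*\)\/[0-9.]*:[0-9]* SIGTERM.*/\1/p' \
      | sort | uniq -c | awk '{print $2, $1}'
}

# Handshake failures per source address. The address may prefix the message
# (ip:port TLS Error ...) or sit at its end ([AF_INET]ip:port), so the first
# IPv4:port after the syslog tag is taken and the port stripped.
vpn_tls_failures() {
    grep -E "$OVPN_TAG\[[0-9]+\]: .*(TLS Error|VERIFY ERROR)" "$1" \
      | sed -E 's/.*]: //' \
      | awk '{ if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+/)) { s = substr($0, RSTART, RLENGTH); sub(/:[0-9]+$/, "", s); print s } }' \
      | sort | uniq -c | awk '{print $2, $1}'
}

# Sources with at least <threshold> failures (default 3): candidates for a ufw deny
# rule, or for checking whether a revoked client is still retrying.
vpn_suspicious() {
    vpn_tls_failures "$1" | awk -v t="${2:-3}" '$2 >= t {print $1}'
}

echo "== connections per client =="; vpn_connects "$SAMPLE_LOG"
echo "== disconnects per client =="; vpn_disconnects "$SAMPLE_LOG"
echo "== handshake failures per source =="; vpn_tls_failures "$SAMPLE_LOG"
echo "== sources with 3 or more failures =="; vpn_suspicious "$SAMPLE_LOG" 3
```

Point the functions at /var/log/syslog (or a copy of it) on the server instead of the sample file; a client name that keeps appearing under failures after you revoked it tells you the old config is still in use somewhere, and an unknown address with many failures is the forwarded port being probed.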