Note: Ubuntu 16.04 is no longer the most up-to-date release. Consider installing OpenVPN on Ubuntu 18.04, as this is the latest stable release...
In March 2017, the U.S. government made significant changes to rules that dictate how ISPs can package and sell data about their customers. In the weeks since, we saw a massive new interest in virtual private networks (VPNs). While a number of paid VPN solutions exist—think of them like shared hosting—the tech media has been directing users toward setting up their own VPNs rather than relying on the security of another company. Of course, we think that's a great option. In this tutorial, we'll walk you through the steps to install OpenVPN on an Ubuntu 16.04 virtual private server (VPS).
Prerequisites
- A VPS running Ubuntu 16.04
- A regular (non-root) account with sudo privileges. See our SSH keys tutorial for more information.
Step 1: Install OpenVPN
Let's start by updating our apt cache and installing both openvpn and easy-rsa, which we'll use to set up certificates.
$ sudo apt-get update
$ sudo apt-get install openvpn easy-rsa
Step 2: Set up the Certificate Authority
The OpenVPN server uses certificates to authenticate the server and its clients to each other and to set up the encrypted traffic between them. Thus, we need to set up a certificate authority (CA) on the VPS to create and manage these certificates.
We can use the easy-rsa template by copying it to a new directory and then changing into that directory to configure it.
$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca
We need to edit some of the variables that help decide how to create the certificates. Use nano—or another favorite editor—to open the file. We'll be editing some variables toward the end of the file.
$ nano vars
Look for the section below—the easy-rsa template provides some default fields for these variables, but you should change them according to your needs. Make sure you change the KEY_NAME variable as well. It's not so important what you change these to, rather that you don't leave them in the default state, or blank.
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
# X509 Subject Field
export KEY_NAME="EasyRSA"
After some tweaks:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Tustin"
export KEY_ORG="SSD Nodes"
export KEY_EMAIL="[email protected]"
export KEY_OU="Marketing"
# X509 Subject Field
export KEY_NAME="vpnserver"
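Before sourcing the file, you can check it mechanically. The script below is an added example, not part of the original tutorial or of easy-rsa: it reports any certificate field in vars that is blank or still set to a template placeholder. The helper name check_vars and the sample file are constructed for illustration, and KEY_COUNTRY and KEY_PROVINCE are only checked for blank because "US" and "CA" can be real values.

```shell
#!/bin/sh
# Added example: lint an easy-rsa 2.x "vars" file before running ./build-ca.
# check_vars is a hypothetical helper, not part of easy-rsa or OpenVPN.

# Template placeholders to reject. KEY_COUNTRY and KEY_PROVINCE are only
# checked for blank: "US"/"CA" can be real values (the edited file keeps them).
PLACEHOLDERS='KEY_CITY=SanFrancisco
KEY_ORG=Fort-Funston
KEY_EMAIL=me@myhost.mydomain
KEY_OU=MyOrganizationalUnit
KEY_NAME=EasyRSA'
FIELDS='KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL KEY_OU KEY_NAME'

# check_vars FILE: print one line per problem; return 0 if clean, 1 if not.
check_vars() {
    rc=0
    for name in $FIELDS; do
        # Take the last uncommented "export NAME=value" line (the one that
        # wins when the file is sourced) and strip optional double quotes.
        value=$(sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$name=\"\{0,1\}\([^\"]*\).*/\1/p" "$1" | tail -n 1)
        if [ -z "$value" ]; then
            echo "$name: missing or blank"
            rc=1
        elif printf '%s\n' "$PLACEHOLDERS" | grep -qxF "$name=$value"; then
            echo "$name: still the template default ($value)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the tutorial's edited fields, except that KEY_OU was
# left at its default and KEY_EMAIL was blanked.
sample=$(mktemp)
cat > "$sample" <<'EOF'
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Tustin"
export KEY_ORG="SSD Nodes"
export KEY_EMAIL=""
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="vpnserver"
EOF
check_vars "$sample" || echo "Fix the fields above before running ./build-ca"
rm -f "$sample"
```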
Now, source the vars file you just edited. If there aren't any errors, you'll see the following output.
$ source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/user/openvpn-ca/keys
Now we can clean up the environment and then build up our CA.
$ ./clean-all
$ ./build-ca
A new RSA key will be created, and you'll be asked to confirm the details you entered into the vars file earlier. Just hit Enter to confirm.
Step 3: Create the server public/private keys
Next up, you need to create the server certificate and key pair. When you run the command below, you can change [server] to the name of your choice. You'll need to reference this name later. For the sake of this tutorial, we're going with vpnserver.
Note: When prompted, do not enter a password.
Finally, you'll be asked two questions about signing the certificate and committing it. Hit y and then Enter for both, and you'll be done.
$ ./build-key-server [server]
Next, you need to build Diffie-Hellman keys.
$ ./build-dh
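Finally, you need to generate a shared HMAC key (ta.key), which the server and clients can use to add an HMAC signature to TLS handshake packets on top of certificate authentication.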
$ openvpn --genkey --secret keys/ta.key
Step 4: Create the client public/private keys
This process will create a single client key and certificate. If you have multiple users, you'll want to create multiple pairs.
When running the command below, hit Enter to confirm the variables we set and then leave the password field blank.
$ source vars
$ ./build-key client1
If you want to create password-protected credentials, use build-key-pass instead:
$ source vars
$ ./build-key-pass client1