
Sanjay Sikdar
After launching your instance, log in to the new server using an SSH client.
ssh -i "YourKey.pem" ubuntu@SERVER_IP
After login, update the system.
sudo apt update && sudo apt upgrade -y
Set Timezone
sudo su -
apt install tzdata
dpkg-reconfigure tzdata
apt update && apt -y install ca-certificates wget net-tools gnupg
mkdir -p /etc/apt/keyrings && wget https://packages.openvpn.net/as-repo-public.asc -qO /etc/apt/keyrings/as-repository.asc
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/as-repository.asc] http://packages.openvpn.net/as/debian noble main">/etc/apt/sources.list.d/openvpn-as-repo.list
apt update && apt -y install openvpn-as
After completion of installation, you will get output like this.
+++++++++++++++++++++++++++++++++++++++++++++++
Access Server 3.0.2 has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log
Access Server Web UIs are available here:
Admin UI: https://172.26.13.242:943/admin
Client UI: https://172.26.13.242:943/
To login please use the "openvpn" account with "0JVlXxoaQgqy" password.
(password can be changed on Admin UI)
+++++++++++++++++++++++++++++++++++++++++++++++
Replace the local IP 172.26.13.242 with your server's public IP to access the OpenVPN Access Server.
That's all, you are ready to browse your OpenVPN Access Web Interface and configure everything.
If you want to access the OpenVPN server from a custom domain instead of the server's public IP, add an A record in your DNS server.
In my case, I have created a subdomain vpn.sanjaysikdar.dev and pointed it to my OpenVPN Server IP.
Log in to the OpenVPN Access Server Admin UI.
Navigate to Configuration > Network Settings. Set the ‘Hostname or IP Address’ to vpn.sanjaysikdar.dev. (Optional)
apt-get update
apt install certbot
certbot certonly --standalone --preferred-challenges http -d vpn.sanjaysikdar.dev
The output looks like this:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/vpn.sanjaysikdar.dev/fullchain.pem
Key is saved at: /etc/letsencrypt/live/vpn.sanjaysikdar.dev/privkey.pem
This certificate expires on 2024-01-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Install the acquired certificate:
/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/vpn.sanjaysikdar.dev/privkey.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/vpn.sanjaysikdar.dev/fullchain.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli start
Automate Renewal:
sudo nano /usr/local/bin/certrenewal.sh
Paste the following, replacing the domain name with your own.
#!/bin/bash
# Renew any certificate that is due, using certbot's standalone HTTP challenge.
certbot renew --standalone
sleep 1m
# Load the renewed key and certificate into Access Server, then apply them.
/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/vpn.sanjaysikdar.dev/privkey.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/vpn.sanjaysikdar.dev/fullchain.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli start
Make the script executable:
sudo chmod +x /usr/local/bin/certrenewal.sh
sudo crontab -e
# Add the following line
0 0 1 */2 * /usr/local/bin/certrenewal.sh
FIREWALL SECURITY:
| Type | Protocol | Port range |
|---|---|---|
| HTTP | TCP | 80 |
| HTTPS | TCP | 443 |
| SSH | TCP | 22 |
| Custom | TCP | 943 |
| Custom | TCP | 945 |
| Custom | UDP | 1194 |
VPN SETTINGS:
Turn on "Have clients use specific DNS servers" and set Primary DNS to 1.1.1.1 and Secondary DNS to 8.8.8.8.
Restart OpenVPN: sudo service openvpnas restart
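For the Automate Renewal step above, an alternative as an added example (not code from the original article or from OpenVPN): a certbot deploy hook, which certbot's own scheduled renewal runs only after a certificate has actually been renewed, so the install does not depend on a fixed cron date falling inside the renewal window. It reuses the article's sacli calls; the hook file name and the SACLI and VPN_DOMAIN override variables are assumptions made for this example.

```shell
#!/bin/bash
# Added example: certbot deploy hook. Save as
# /etc/letsencrypt/renewal-hooks/deploy/openvpn-as.sh (assumed name), chmod +x.
# certbot runs deploy hooks only after a successful renewal and exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/vpn.sanjaysikdar.dev).

# sacli path from the article; overridable so the hook can be tested with a stub.
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"
# Assumption: only this hostname's certificate belongs on the Access Server.
VPN_DOMAIN="${VPN_DOMAIN:-vpn.sanjaysikdar.dev}"

install_renewed_cert() {
    local lineage="$1"
    local key="$lineage/privkey.pem"
    local cert="$lineage/fullchain.pem"

    # Ignore renewals of other certificates managed by the same certbot.
    if [ "$(basename "$lineage")" != "$VPN_DOMAIN" ]; then
        echo "skip: $lineage is not the $VPN_DOMAIN lineage" >&2
        return 0
    fi
    # Refuse to push missing or truncated files into the web server config.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null; then
        echo "error: $cert is missing or not a PEM certificate" >&2
        return 1
    fi
    if ! grep -q -- 'PRIVATE KEY-----' "$key" 2>/dev/null; then
        echo "error: $key is missing or not a PEM private key" >&2
        return 1
    fi
    # Same three sacli calls as the article; stop at the first failure so
    # 'start' never activates a half-updated key/cert pair.
    "$SACLI" --key "cs.priv_key" --value_file "$key" ConfigPut || return 1
    "$SACLI" --key "cs.cert" --value_file "$cert" ConfigPut || return 1
    "$SACLI" start || return 1
}

# certbot sets RENEWED_LINEAGE; run by hand, the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_renewed_cert "$RENEWED_LINEAGE"
fi
```

The hook can be exercised without waiting for expiry by setting RENEWED_LINEAGE to the live directory and running the script as root.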