What is VPN?

VPN stands for Virtual Private Network. It offers the possibility to open a secure tunnel to a trustworthy server. All requests are then sent and received via this server. The advantage of this is, of course, the security in public networks such as free WLAN in a hotel. The VPN processes all data encrypted over the server, devices that hang in between, such as external routers and co have no way to redirect traffic to unwanted destinations. In addition, after the connection is successfully established, the connection is part of the network of the server. Other servers, computers or devices, such as printers, which would normally only be accessible in the local network of the server, are now also accessible through the VPN tunnel. However, since not all data has to be sent through an encrypted tunnel, it is possible to configure the VPN client to send only a defined portion of the queries via the VPN tunnel. The rest of the traffic is processed normally over the Internet. In today’s example we show how to use OpenVPN to create a VPN server on an Ubuntu 16.04 LTS and log on to it with your own client.

Prepare the server

To create your own server with Ubuntu 16.04 LTS is only a few seconds at gridscale. How does gridscale work is shown in the article How to gridscale. After starting the server, a connection via SSH must be created as root and the server should be updated with the following command:

Copyapt -y update && apt -y upgrade && apt -y dist-upgrade

OpenVPN is available via apt and therefore has to be installed via the package manager.

Copyapt -y install openvpn easy-rsa

You must then create a folder for the certificates.

Copymake-cadir ~/openvpn-ca

Then change to the folder.

Copycd ~/ope nvpn-ca

Create server certificate

In the file vars contained in this folder, the variables for the creation of the certificates are stored. In order to facilitate the creation of the certificates, it is recommended to adjust the variables. To do this, modify the vars file.

Copynano vars

The following screenshot shows how the vars file looks.

All other settings in the file can remain unchanged:

The following command chain must then be executed:

Copysource vars ./clean-all ./build-ca 

The first command causes the variables to be defined. The second deletes existing certificates and the third one defines a new server certificate. The variables are predefined here, but can be modified if necessary.

The following command creates the certificate by the name that was placed in the vars file as “KEY_NAME”.

Copy./build-key-server SERVER

During the process, you will be asked to enter all the variables that have already been defined. However, the values that were created in the vars file are stored as default. If there are deviations, the change can be made directly in the line. The vars file does not have to be adapted for each certificate.

At the end of the process it is still possible to choose whether the certificate should be signed. This query should be answered with y(es).

CopyCertificate is to be certified until Apr 1 09:42:21 2027 GMT (3650 days) Sign the certificate? [y/n]:y 

A good encryption is only as good as the key used. At least one Diffie-Hellman key with a length of at least 2048 bit should be used for encrypting the VPN connection, here the more the better. If you want to find out more, the Wikipedia article on Diffie-Hellman can help.

Use the following command to create a DH key with a length of 8192 bits.

Copyopenssl dhparam -out /etc/openvpn/dh.pem 8192

Now only one HMAC signature has to be created for the server. This is done with the following command:

Copyopenvpn --genkey --secret keys/ta.key

HMAC stands for Keyed-Hash Message Authentication Code. On Wikipedia you can find more on this topic.

This means that almost all files are used on the server side. But it is still missing the server.conf. For this file, the OpenVPN template must be copied to the correct directory, unpacked, and modified as follows:

Copygunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf nano /etc/openvpn/server.conf 

Next, the HMCA section must be found and the TLS Auth part edited. To enable the TLS Auth option, the “;” must be removed. The key-direction is now defined by adding the following lines:

Copytls-auth ta.key 0 key-direction 0 auth SHA256 

In addition, a further line must be found and then activated by removing the “;”:

Copycipher AES-128-CBC 

Finally, two lines must be activated again:

Copyuser nobody group nogroup 

In the following lines, you must specify the file name that was defined during the creation (in the tutorial, SERVER was used):

Copycert SERVER.crt key SERVER.key 

It is important to remember that the file names are case-sensitive and that they are also in the same directory.

Then change the line “dh2020.pem” in:

Copydh dh.pem

Subsequently, Nano can be terminated and the changes saved.

In order to allow the clients to access the Internet and not only the internal network, the following commands have to be entered:

Copyecho "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf sysctl –p 

Next, copy the created certificate files to the openvpn directory:

Copycd ~/openvpn-ca/keys sudo cp ca.crt ca.key server.crt server.key ta.key /etc/openvpn 

Now the OVPN service can be started. To do this, use the following command:

Copyservice openvpn@server start

The following command can be used to stop the service:

Copyservice openvpn@server stop

Other parameters are status and restart. These can be used to display the current status or restart the service.

So that OpenVPN is also started after a reboot of the server, the following command is missing:

Copysudo systemctl enable openvpn@server

Create a client certificate

The creation of the client certificate is similar to that of the server certificate.

The variables of the vars file must be loaded first.

Copycd ~/openvpn-ca source vars 

Subsequently, there are two possible approaches:

Create a simple certificate for the client

Copy./build-key client1 

Create a password-protected certificate for the client at which the password is enforced

Copy./build-key-pass client1 

“Client1” is the name of the client. Here a name should be chosen, where you can afterwards assign to whom the certificate was given and for what.
For example: pascal_mobil or pascal_notebook

With the certificates, however, it is not yet done. It also requires a profile file for each client. This contains all certificates, keys and information on the server to which the client is to be connected at the end. Some files are required to create the profile. These must all be brought together.

To do this, first create a folder in which the profiles should be saved. Because this will include very sensitive files, the rights should be changed to 700.

Copymkdir -p ~/client-configs/files chmod 700 ~/client-configs/files 

As a template for the profile, the sample file provided by OpenVPN can be used. This must first be copied to the directory you just created:

Copycp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf 

This must then be edited.

Copynano ~/client-configs/base.conf 

In line

Copyremote server_IP_address 1194 

Server_IP_address must be swapped by the domain or IP of the server.

Make sure that the log is the same as the server configuration.

Copyproto udp

For Linux / Mac clients, the two semicolons must be removed before these lines.

Copyuser nobody group nogroup 

It is recommended to insert the keys and CAs directly into the file – put a # in front of the lines. By combining the keys and CAs in the profile file, it is much easier to transfer the profile to the client.

Copyca ca.crt cert client.crt key.client.key 

The following settings should also be saved:

Copycipher AES-128-CBC auth SHA256 key-direction 1 # down /etc/openvpn/update-resolv-conf # up /etc/openvpn/update-resolv-conf # script-security 2 

The last three lines should be in each profile, but only work if the client is a Linux system. If the profile is used on a Linux system, the diamond must be removed later.
It is important to ensure that the specification does not occur twice in the file. Depending on the version, individual entries may already exist in this or similar type.

Next, a small script is created that automatically generates client certificates in the future.

Copynano ~/client-configs/make_config.sh

Add the following text to this file:

Copy#!/bin/bash # First argument: Client identifier KEY_DIR=~/openvpn-ca/keys OUTPUT_DIR=~/client-configs/files BASE_CONFIG=~/client-configs/base.conf cat ${BASE_CONFIG} \ <(echo -e '') \ ${KEY_DIR}/ca.crt \ <(echo -e '\n') \ ${KEY_DIR}/${1}.crt \ <(echo -e '\n') \ ${KEY_DIR}/${1}.key \ <(echo -e '\n') \ ${KEY_DIR}/ta.key \ <(echo -e '') \ > ${OUTPUT_DIR}/${1}.ovpn 

The file must then be made executable:

Copychmod 700 ~/client-configs/make_config.sh

To create the profile file now, run the script you just created, specifying the name of the client to create as a parameter. This must exactly match the spelling used when the certificate was created.

Copy~/client-configs/make_config.sh client1 Install the certificate on a client cp 

Depending on the client, there are different procedures. But all of them go according to a similar pattern.

A profil file is created which in turn contains the key files and CAs.

On Windows, the official OpenVPN client can be installed from here and the ovpn can be copied to C: \ Program Files \ OpenVPN \ config. OpenVPN GUI must then be opened from the Start menu. Administrator rights are required. In the Tray (area in the start bar next to the clock) is now an icon with a gray display. Then right click on the icon and then select “Connect”.

On OS X, there is currently no official OpenVPN client. For example, you can download and install the free “Tunnelblick” tool here. After the installation it is possible to double click on the .ovpn file. Tunnelblick then does the rest. As with Windows, administrative rights are necessary.

On Linux it is a bit more complicated. Under each distribution the process is somewhat different.

Under Debian (Debian, Ubuntu, Kubuntu …) is possible as follows:

Copyapt -y update; apt -y install openvpn

Under CentOs, the package openvpn is only available with epel.

Copyyum install epel-release; yum update; yum install openvpn

The rest of the installation is the same.
It must be certain that a Resolve Config exists under its own distribution.

Copyls /etc/openvpn

Then the file “update-resolve-conf” should be displayed.
Then the ovpn you downloaded from your server has to be edited.

Copynano /download/pfad/client1.ovpn

The # before the last three lines of the file must be removed:

Copydown /etc/openvpn/update-resolv-conf up /etc/openvpn/update-resolv-conf script-security 2 

Under CentOS, the group nogroup must still be changed to group nobody.
Then the changes can be saved and started with the command OpenVPN.

Copyopenvpn --config /download/pfad/client1.ovpn

Under Android there is also an official app of OpenVPN. This can be downloaded directly from the PlayStore. Afterwards the ovpn has to be imported via the menu in the app.

Under iOS, there is also an official app. This is to download on your own iPhone or iPad, which must then be connected to your Mac or computer. Open iTunes here and move the ovpn directly into the app.

Test connection

To test whether the connection to the server via VPN works, one of the following pages can be called up and the own IP will be displayed. These pages are just examples, there are countless sites that offer this service and each of them should produce the same result.
After opening the pages, the displayed IP can be compared with its own. Then you should connect to the server via OpenVPN and update the page. The IP that displays the page and (possibly the location) should now be that of the server.

If so, everything worked.

Revoke client certificates

Anyone who has been granted a certificate or, in other circumstances, has a certificate for this server can now connect to the server. This can be problematic, for example, if the certificate is lost or something like this.
In such a case it is necessary to revoke the certificate. Otherwise, anyone could plug into the network. To revoke a certificate, the following command is required:

Copycd ~/openvpn-ca source vars ./revoke-full client1 

Alternatively, the server certificate and the key can be replaced. However, all client certificates would have to be replaced.


With OpenVPN, it is relatively easy to set up and manage VPN networks. The targeted redirection and encryption of network traffic contributes significantly to security and should therefore be used urgently. Especially if files with sensitive content have to be transmitted over the Internet or if you are surfing in an unprotected network.

What else can be done to secure servers and all the data is described in the article Server security for your Linux Server.