Install OpenVPN on Ubuntu 24.04
Introduction
When installing OpenVPN on a server, the item that takes the most preparation is the setup of the PKI.
It is easy once you have figured it out, but because OpenVPN has been around for so long there is a lot of outdated or over-complicated documentation out there.
Even when I asked one of the AI engines for instructions, it gave me old, outdated ones.
The following instructions should work on any recent version of OpenVPN (2.5 or later, which is when tls-crypt-v2 and data-ciphers were introduced; Ubuntu 24.04 ships 2.6).
Install OpenVPN
sudo apt update && sudo apt upgrade -y
sudo apt install openvpn easy-rsa -y
Create PKI
Easy-RSA ships a couple of utility programs that have to be run in a specific sequence to get a working PKI.
Start off with the make-cadir program (provided by the Ubuntu easy-rsa package) and give it the folder name where the CA / PKI files will live.
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ls -l
total 20
lrwxrwxrwx 1 system system 27 Nov 18 11:57 easyrsa -> /usr/share/easy-rsa/easyrsa
-rw-r--r-- 1 system system 5145 Nov 18 11:57 openssl-easyrsa.cnf
-rw-r--r-- 1 system system 9085 Nov 18 11:57 vars
lrwxrwxrwx 1 system system 30 Nov 18 11:57 x509-types -> /usr/share/easy-rsa/x509-types
We need to edit the vars file to tell Easy-RSA how to generate the PKI files.
This is where elliptic-curve keys can be used instead of the older RSA default: a prime256v1 (P-256) key gives roughly 128-bit security with far smaller keys and faster handshakes than RSA-2048, and sha512 is used for the certificate signatures.
For this we have to add the following to the vars file:
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
set_var EASYRSA_CURVE "prime256v1"
./easyrsa init-pki
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /home/system/openvpn-ca/pki
Using Easy-RSA configuration:
* /home/system/openvpn-ca/vars
There will now be a pki subfolder which will contain the certificates, private keys and signing requests.
The last step is to create the Certificate Authority (CA).
You will be asked for a passphrase for the CA key (it is needed again every time you sign a request, so keep it safe) and a Common Name, typically an organisation name like RADIUSdesk.
./easyrsa build-ca
Using Easy-RSA 'vars' configuration:
* /home/system/openvpn-ca/vars
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
Enter New CA Key Passphrase:
Confirm New CA Key Passphrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:RADIUSdesk CA
Notice
------
CA creation complete. Your new CA certificate is at:
* /home/system/openvpn-ca/pki/ca.crt
Generate Server Certificate and Key
The server key is created with nopass so the daemon can start unattended; only the CA key keeps its passphrase, and it is only needed when signing.
./easyrsa gen-req server nopass
Using Easy-RSA 'vars' configuration:
* /home/system/openvpn-ca/vars
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /home/system/openvpn-ca/pki/reqs/server.req
* key: /home/system/openvpn-ca/pki/private/server.key
./easyrsa sign-req server server
Using Easy-RSA 'vars' configuration:
* /home/system/openvpn-ca/vars
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
You are about to sign the following certificate:
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate
for '825' days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /home/system/openvpn-ca/pki/openssl-easyrsa.cnf
Enter pass phrase for /home/system/openvpn-ca/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Feb 21 12:44:13 2028 GMT (825 days)
Write out database with 1 new entries
Database updated
Notice
------
Certificate created at:
* /home/system/openvpn-ca/pki/issued/server.crt
Generate TLS-crypt key
openvpn --genkey tls-crypt-v2-server tls-crypt-v2-server.key
cat tls-crypt-v2-server.key
-----BEGIN OpenVPN tls-crypt-v2 server key-----
a/T1frlxbTuUYojvB/0P2csxOC04prDtWWuPIbQC+o2I+DuMWkzK0OFalucBQPki
9JcEXN3sZNCWYP1bohAzIYkzxiRNWSPwtzSg/etfZIXWWseJvGQ+UqbEBjQjTRVE
9zfhjdL6Ltm5J6LiEC1N4mqV0BTwe77xSIBJsy2LjYk=
-----END OpenVPN tls-crypt-v2 server key-----
When tls-crypt-v2 is set in the server config, every connecting client must also carry a tls-crypt-v2 key in its own config. Each client key is generated with (and wrapped by) this server key, so the server key itself stays on the server and is never shipped to clients.
On top of TLS, this encrypts and authenticates every control-channel packet, so the TLS handshake (including the certificates exchanged in it) is hidden from a passive observer, and packets that do not carry a valid client key are dropped before any TLS processing, which limits what an attacker can learn about, or do to, the OpenVPN instance.
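To turn the pieces above into something a client can actually use, here is an added example (not code from this page, OpenVPN or Easy-RSA) that assembles a single-file .ovpn with the CA, client certificate, client key and client tls-crypt-v2 key inline, and refuses to embed the server's tls-crypt-v2 key by mistake. It assumes the client certificate was issued the same way as the server one (gen-req and sign-req with the client type) and that the client tls-crypt-v2 key was generated on the server with `openvpn --tls-crypt-v2 tls-crypt-v2-server.key --genkey tls-crypt-v2-client client1-tc.key`; the hostname vpn.example.org and the file names are hypothetical, and the PEM samples are constructed placeholders.

```python
"""Assemble a single-file client .ovpn from the PKI artefacts made above.

Added example; not code from the page, OpenVPN or Easy-RSA. Assumes the
client cert/key were issued like the server's (gen-req/sign-req with the
client type) and the tls-crypt-v2 client key was made on the server with
  openvpn --tls-crypt-v2 tls-crypt-v2-server.key --genkey tls-crypt-v2-client client1-tc.key
Hostname and file names are hypothetical.
"""
import re
from pathlib import Path

SERVER_TC_LABEL = "OpenVPN tls-crypt-v2 server key"
CLIENT_TC_LABEL = "OpenVPN tls-crypt-v2 client key"

# Client-side counterpart of the server config: same TLS floor and AEAD-only
# data ciphers; remote-cert-tls makes the client reject any peer whose
# certificate lacks the server EKU, so a stolen client cert cannot pose as the server.
CLIENT_TEMPLATE = """\
client
dev tun
proto udp
remote {remote} {port}
nobind
resolv-retry infinite
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
verb 3
"""


def extract_pem(text, label_re):
    """Return the first -----BEGIN <label>----- ... -----END <label>----- block.

    Easy-RSA writes a human-readable dump above the PEM in issued/*.crt;
    only the PEM itself belongs inside an inline block.
    """
    m = re.search(rf"-----BEGIN ({label_re})-----.*?-----END \1-----", text, re.S)
    if not m:
        raise ValueError(f"no PEM block matching '{label_re}' found")
    return m.group(0)


def inline_block(tag, body):
    """OpenVPN's inline file syntax: <tag> ... </tag>."""
    return f"<{tag}>\n{body}\n</{tag}>\n"


def build_client_config(remote, ca_pem, cert_pem, key_pem, tc_key, port=1194):
    """Return the .ovpn text; refuses to embed the server-side tls-crypt-v2 key."""
    if f"BEGIN {SERVER_TC_LABEL}" in tc_key:
        # The server key wraps every client key: handing it to one client
        # would let that client unwrap and forge all the others.
        raise ValueError("tls-crypt-v2 *server* key supplied; generate a client key instead")
    return (CLIENT_TEMPLATE.format(remote=remote, port=port)
            + inline_block("ca", extract_pem(ca_pem, "CERTIFICATE"))
            + inline_block("cert", extract_pem(cert_pem, "CERTIFICATE"))
            + inline_block("key", extract_pem(key_pem, r"(?:EC )?PRIVATE KEY"))
            + inline_block("tls-crypt-v2", extract_pem(tc_key, re.escape(CLIENT_TC_LABEL))))


def build_from_pki(pki_dir, name, tc_key_file, remote, port=1194):
    """Read ca.crt, issued/<name>.crt, private/<name>.key and the client tc key."""
    p = Path(pki_dir)
    return build_client_config(remote,
                               (p / "ca.crt").read_text(),
                               (p / "issued" / f"{name}.crt").read_text(),
                               (p / "private" / f"{name}.key").read_text(),
                               Path(tc_key_file).read_text(), port)


# Constructed placeholders standing in for real files (not valid keys or certs).
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0EgcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = ("Certificate:\n    Data:\n        Subject: CN=client1\n"  # Easy-RSA's text dump
               "-----BEGIN CERTIFICATE-----\nY2xpZW50IHBsYWNlaG9sZGVy\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\na2V5IHBsYWNlaG9sZGVy\n-----END PRIVATE KEY-----\n"
SAMPLE_CLIENT_TC = (f"-----BEGIN {CLIENT_TC_LABEL}-----\ndGMgcGxhY2Vob2xkZXI=\n"
                    f"-----END {CLIENT_TC_LABEL}-----\n")
SAMPLE_SERVER_TC = (f"-----BEGIN {SERVER_TC_LABEL}-----\ndGMgcGxhY2Vob2xkZXI=\n"
                    f"-----END {SERVER_TC_LABEL}-----\n")

if __name__ == "__main__":
    print(build_client_config("vpn.example.org", SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY, SAMPLE_CLIENT_TC))
```

On a real server the call would be `build_from_pki("~/openvpn-ca/pki", "client1", "client1-tc.key", "vpn.example.org")` after expanding the home directory; the resulting file contains the client's private key, so hand it over through a channel you trust and delete the copy on the server afterwards.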
All the required items are now present to have a working OpenVPN server.
Server Config File
Save the following as /etc/openvpn/server.conf; the openvpn@server unit used below reads /etc/openvpn/server.conf.
port 1194
proto udp
dev tun
# --- PKI / TLS (EC certificates, no DH parameters) ---
ca ca.crt
cert server.crt
key server.key
# EC certificates need no DH file: key exchange uses ECDH instead
dh none
# Optional: pin the ECDH curve to the one set in the Easy-RSA vars (EASYRSA_CURVE)
# ecdh-curve prime256v1
# Protect and hide the control channel
tls-crypt-v2 tls-crypt-v2-server.key
# Only allow modern TLS
tls-version-min 1.2
remote-cert-eku "TLS Web Client Authentication"
# --- VPN network ---
topology subnet
server 10.8.0.0 255.255.255.0
# Push default route + DNS to clients (adjust if you want split tunnel);
# a full tunnel only carries traffic if the server also forwards and NATs it
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 9.9.9.9"
# --- Encryption (data channel) ---
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
# --- Misc hardening / behavior ---
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3
sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key tls-crypt-v2-server.key /etc/openvpn/
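As an added check (this example is not from the page or the OpenVPN project), the following script lints a server.conf against the choices made in the config above. It assumes EC certificates as set up in vars, so it treats anything other than `dh none` as a finding, and the finding codes are its own names; HARDENED mirrors the page's config with the comments stripped, while WEAK is a constructed configuration in the older style that much of the outdated documentation still recommends.

```python
"""Lint an OpenVPN server.conf against the hardening used above.

Added example; not code from the page or the OpenVPN project. Assumes EC
certificates as configured in vars (so 'dh none' is required) and uses its
own finding codes; HARDENED mirrors the page's config, WEAK is constructed.
"""
import shlex

AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_conf(text):
    """Map directive -> list of argument lists; '#' and ';' comment lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps quoted arguments such as push "..." whole
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def lint_server_conf(text):
    """Return [(code, message), ...]; an empty list means the config matches the page."""
    conf = parse_conf(text)

    def first(directive):  # arguments of the first occurrence, [] if absent
        return conf.get(directive, [[]])[0]

    findings = []
    if "tls-crypt-v2" not in conf and "tls-crypt" not in conf:
        findings.append(("no-tls-crypt", "control-channel packets are not wrapped; add tls-crypt-v2"))
    if "tls-auth" in conf:
        findings.append(("tls-auth", "tls-auth only authenticates the control channel; tls-crypt-v2 also encrypts it"))
    if first("dh") != ["none"]:
        findings.append(("dh", "EC certificates need no DH parameters; set 'dh none' so ECDH is used"))
    try:
        tls_ok = bool(first("tls-version-min")) and float(first("tls-version-min")[0]) >= 1.2
    except ValueError:
        tls_ok = False
    if not tls_ok:
        findings.append(("tls-version", "tls-version-min missing or below 1.2"))
    for args in conf.get("cipher", []):
        if args and args[0].upper() not in AEAD_CIPHERS:
            findings.append(("legacy-cipher", f"'cipher {args[0]}' is not AEAD; drop it and rely on data-ciphers"))
    dc = first("data-ciphers")
    if not dc:
        findings.append(("data-ciphers", "data-ciphers not set; pin AES-256-GCM:CHACHA20-POLY1305"))
    elif any(c.upper() not in AEAD_CIPHERS for c in dc[0].split(":")):
        findings.append(("data-ciphers", f"non-AEAD cipher negotiable on the data channel: {dc[0]}"))
    if "user" not in conf or "group" not in conf:
        findings.append(("privileges", "daemon keeps root after start-up; add 'user nobody' and 'group nogroup'"))
    if "remote-cert-tls" not in conf and "remote-cert-eku" not in conf:
        findings.append(("client-eku", "client certs are not checked for the client EKU; add 'remote-cert-tls client'"))
    if "comp-lzo" in conf or "compress" in conf:
        findings.append(("compression", "compression enables VORACLE-style plaintext recovery; remove it"))
    return findings


# Mirrors the server config above (comments omitted).
HARDENED = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
tls-crypt-v2 tls-crypt-v2-server.key
tls-version-min 1.2
remote-cert-eku "TLS Web Client Authentication"
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
user nobody
group nogroup
keepalive 10 120
verb 3
"""

# Constructed: the pre-2.5 style still found in much outdated documentation.
WEAK = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
server 10.8.0.0 255.255.255.0
keepalive 10 120
verb 3
"""

if __name__ == "__main__":
    for code, msg in lint_server_conf(WEAK):
        print(f"{code:14} {msg}")
```

Run it against /etc/openvpn/server.conf by passing the file's contents to lint_server_conf; every finding names the directive to change, and the HARDENED text doubles as a reference copy of what the page's config should reduce to once comments are removed.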
Start and Enable OpenVPN
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
sudo systemctl status openvpn@server