Install OpenVPN on Ubuntu 24.04

  • When installing OpenVPN on a server, the item that takes the most preparation is the setup of the PKI.
  • Although it is easy once you have figured it out, OpenVPN has been around for such a long time that there is a lot of outdated or over-complicated documentation out there.
  • Even when I asked one of the AI engines for instructions it provided me with old, outdated instructions.
  • The following instructions should work well on any of the recent versions of OpenVPN.

  • We will install openvpn and easy-rsa.
  • Easy-rsa is a CLI utility to build and manage a PKI CA.
sudo apt update && sudo apt upgrade -y
sudo apt install openvpn easy-rsa -y

  • Easy-rsa includes a couple of utility programs which you should use in a specific sequence to get a working PKI.
  • Start off by using the make-cadir program and specify the folder name where the CA / PKI files will live.
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
  • You will see the following files inside the CA directory.
ls -l
total 20
lrwxrwxrwx 1 system system   27 Nov 18 11:57 easyrsa -> /usr/share/easy-rsa/easyrsa
-rw-r--r-- 1 system system 5145 Nov 18 11:57 openssl-easyrsa.cnf
-rw-r--r-- 1 system system 9085 Nov 18 11:57 vars
lrwxrwxrwx 1 system system   30 Nov 18 11:57 x509-types -> /usr/share/easy-rsa/x509-types
  • We need to edit the vars file in order to tell Easy-rsa how to generate the PKI files.
  • This is where the more recent advances in cryptography can be used instead of the older, less secure and slower algorithms.
  • For this we have to add the following to the vars file:
set_var EASYRSA_ALGO   "ec"
set_var EASYRSA_DIGEST "sha512"
set_var EASYRSA_CURVE  "prime256v1"
  • This instructs Easy-rsa to use elliptic curve keys (instead of the RSA algorithm) for the certificates, with SHA-512 as the signature digest.
  • Once those changes to the vars file are complete you can issue the following command to initialise the PKI:
./easyrsa init-pki
  • This is the feedback from the command on my server:
Notice
------
'init-pki' complete; you may now create a CA or requests.
 
Your newly created PKI dir is:
* /home/system/openvpn-ca/pki
 
Using Easy-RSA configuration:
* /home/system/openvpn-ca/vars
  • There will now be a pki sub folder which will contain things like certificates and sign requests.
  • The last step will be to create the Certificate Authority (CA).
  • For this you will need to specify a name (typically an organisation name like RADIUSdesk) and a passphrase.
./easyrsa build-ca
  • This is the feedback from the command on my server:
Using Easy-RSA 'vars' configuration:
* /home/system/openvpn-ca/vars
 
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
 
Enter New CA Key Passphrase: 
 
Confirm New CA Key Passphrase: 
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:RADIUSdesk CA
 
Notice
------
CA creation complete. Your new CA certificate is at:
* /home/system/openvpn-ca/pki/ca.crt
  • Now everything is in place for us to sign certificate requests.
  • This will be covered in the next section.
  • Creating a certificate is a two-step process.
    • First we generate a signing request for the certificate.
    • Then we (as the CA) sign the request in order to generate a complete and usable certificate.
./easyrsa gen-req server nopass
  • This is the feedback from the command on my server:
Using Easy-RSA 'vars' configuration:
* /home/system/openvpn-ca/vars
 
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
 
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /home/system/openvpn-ca/pki/reqs/server.req
* key: /home/system/openvpn-ca/pki/private/server.key
  • Now we can sign the request. You will be asked to confirm the process by typing yes and you also need to supply the CA's passphrase.
./easyrsa sign-req server server
  • This is the feedback from the command on my server:
./easyrsa sign-req server server
Using Easy-RSA 'vars' configuration:
* /home/system/openvpn-ca/vars
 
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
You are about to sign the following certificate:
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate 
for '825' days:
 
subject=
    commonName                = server
 
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
 
Using configuration from /home/system/openvpn-ca/pki/openssl-easyrsa.cnf
Enter pass phrase for /home/system/openvpn-ca/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Feb 21 12:44:13 2028 GMT (825 days)
 
Write out database with 1 new entries
Database updated
 
Notice
------
Certificate created at:
* /home/system/openvpn-ca/pki/issued/server.crt
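As an added example (not part of this wiki page and not easy-rsa's own code), the script below checks that the files produced by the steps above actually reflect the vars settings: the issued certificate chains to ca.crt, carries an EC key on prime256v1, is signed with ecdsa-with-SHA512, is not about to expire, and matches its private key. Only the openssl CLI is used. The file names in the usage comment assume the page's layout (~/openvpn-ca/pki); build_demo_pki and build_legacy_cert are constructed stand-ins that create a throwaway PKI with plain openssl so the checks can be exercised offline, and are not how easy-rsa is invoked.

```shell
#!/bin/sh
# Added example, not from the wiki page or easy-rsa: sanity checks for the PKI
# produced by the easy-rsa steps above, using only the openssl CLI.
set -u

# Return 0 only if CERT chains to CA, carries an EC prime256v1 key and is
# signed with ecdsa-with-SHA512; otherwise report the first failing check.
check_issued_cert() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey' \
        || { echo "FAIL: key is not EC (EASYRSA_ALGO not applied?)" >&2; return 1; }
    printf '%s\n' "$text" | grep -Eq 'ASN1 OID: prime256v1|NIST CURVE: P-256' \
        || { echo "FAIL: curve is not prime256v1 (EASYRSA_CURVE not applied?)" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: ecdsa-with-SHA512' \
        || { echo "FAIL: digest is not SHA-512 (EASYRSA_DIGEST not applied?)" >&2; return 1; }
    # -checkend exits non-zero if the certificate expires within 30 days.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: $cert expires within 30 days" >&2; return 1; }
    echo "OK: $cert chains to $ca, EC prime256v1, ecdsa-with-SHA512"
}

# Return 0 if the public key inside CERT equals the one derived from KEY
# (catches a key/certificate mix-up before the files go into an OpenVPN config).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Constructed stand-in for easy-rsa so the checks can run offline: the same
# three operations (EC CA, request, CA-signed server certificate) done with
# plain openssl in DIR. Not how easy-rsa is invoked; see the steps above.
build_demo_pki() {
    dir="$1"
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Leaf extensions, the role easy-rsa's x509-types/server file plays.
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' > "$dir/server.ext"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key" 2>/dev/null &&
    openssl req -new -x509 -sha512 -config "$dir/ca.cnf" -key "$dir/ca.key" \
        -days 3650 -subj "/CN=Demo CA" -out "$dir/ca.crt" 2>/dev/null &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key" 2>/dev/null &&
    openssl req -new -sha512 -config "$dir/ca.cnf" -key "$dir/server.key" \
        -subj "/CN=server" -out "$dir/server.req" 2>/dev/null &&
    openssl x509 -req -sha512 -days 825 -in "$dir/server.req" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Constructed counter-example (needs DIR/ca.cnf from build_demo_pki): a
# self-signed RSA/SHA-256 certificate, i.e. easy-rsa's defaults when the vars
# edits are skipped. It must fail check_issued_cert.
build_legacy_cert() {
    dir="$1"
    openssl req -new -x509 -sha256 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/legacy.key" -days 365 -subj "/CN=Legacy CA" \
        -out "$dir/legacy.crt" 2>/dev/null
}

# Stand-alone use against the page's layout:
#   sh check-pki.sh ~/openvpn-ca/pki/ca.crt ~/openvpn-ca/pki/issued/server.crt \
#                   ~/openvpn-ca/pki/private/server.key
if [ "$#" -eq 3 ]; then
    check_issued_cert "$1" "$2" && key_matches_cert "$3" "$2" && echo "OK: $3 matches $2"
fi
```

The first failing message names the vars setting that was most likely not picked up, which is the usual cause when an old vars file or a stale pki directory is reused. Run the script again after every sign-req, since a request generated before the vars edit will still be signed happily by the CA.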
  • Last modified: 2025/11/18 14:47
  • by system