How to install and use OpenVPN

Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.


Greetings! I’m struggling with OpenVPN configuration in bridged mode to forward layer 2 frames between two sites. The client and the server run Ubuntu 18.

In this script:

Shouldn’t it be enp0s31f6 instead of eth0?
Because you defined the Ethernet interface enp0s31f6 in netplan.


Correct! I have updated the page. Thank you for taking the time to let us know it was incorrect!


I think this is missing a step in between. When you make-cadir, it produces a directory with no read permission for anyone. Who is running easyrsa in the next step?

Thanks for the heads-up, I just made a small change mentioning to run the easy-rsa commands as root user.

I’m running on a fresh and updated Ubuntu 18.04 LTS server I created just to run OpenVPN, etc. I installed both OpenVPN and Easy-RSA with "sudo apt install openvpn easy-rsa".

The current web page says

I did that, but I don’t seem to have any executable or script named easyrsa. Certainly not in my newly created directory. There’s nothing named like that in /usr/share/easy-rsa, either. And 'find / -iname "easyrsa"' returns nothing.

Is this a documentation bug, an Ubuntu packaging bug, or is something else going on here? Can someone recommend a workaround, link to a workaround, or link to a more appropriate place to ask?


Looks like a version difference. Was ./easyrsa introduced in version 3.0? That seems to be the issue.

Why do you generate the server keypair twice?

Server Keys and Certificates

Next, we will generate a key pair for the server:

./easyrsa gen-req myservername nopass

Diffie Hellman parameters must be generated for the OpenVPN server. The following will place them in pki/dh.pem.

./easyrsa gen-dh

And finally a certificate for the server:

./easyrsa gen-req myservername nopass
./easyrsa sign-req server myservername

The second time it asks me whether I want to overwrite the previous configuration.

dh dh2048.pem

should read

dh dh.pem

Hello everyone,

I feel like there is a bit missing in the guide. The guide is simple to follow but there is context information that would be of great help for someone who is just installing OpenVPN for the first time. Bridging is already not a simple task to perform.
On the "Advanced bridged VPN configuration on server" section, I would have liked a clarifying note on why 10.0.1.100/24 was used in the netplan file, and why 10.0.0.0/24 was used in the server.conf file. It might seem obvious, but it is not.

I did follow this OpenVPN guide, and everything worked, with one small detail missing: I would end up with a bridge 'br0' connection with the assigned IP, and I would get a tap0 device, but the device does not come up as per the instructions. I had to manually bring it up with a simple ifconfig tap0 up command, which I later scripted. Then the VPN connection worked as outlined.
I was also having a problem with multiple tap connections appearing at the client and breaking the connection. I spent a bit of time diagnosing it; a very silly mistake: I had more than one conf file in the /etc/openvpn directory, and when using the Network Manager GUI I had an extra instance as well.

During the CA setup, you outline:


Certificate Authority Setup

…
As root user change to the newly created directory /etc/openvpn/easy-rsa and run:

./easyrsa init-pki
./easyrsa build-ca

You are asked to provide a key phrase for the CA server. It would be good to detail when this key phrase would be needed.

In addition, in the initial steps to generate a key pair for the server (after the ca have been established), you outline:


Server Keys and Certificates

…
And finally a certificate for the server:

./easyrsa gen-req myservername nopass
./easyrsa sign-req server myservername

You have already generated the key pair, so there is no need to do this a second time. The line ./easyrsa gen-req myservername nopass can therefore be removed.

Cheers

Thanks! I addressed your comments.
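The easy-rsa 3 sequence discussed in the posts above (init-pki, build-ca, exactly one gen-req and sign-req per identity, gen-dh), written out as a non-interactive script with the checks a practitioner would run afterwards. This is an added example, not text from the Ubuntu guide or code from the easy-rsa project. It assumes easy-rsa 3.x and openssl are installed; the names myservername, client1 and "Example CA" are placeholders. It also handles the case reported earlier in the thread: Ubuntu 18.04 packages easy-rsa 2.x, which has no easyrsa script, and the script reports that instead of failing half-way through.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide or the easy-rsa project): run the
# easy-rsa 3 steps from the guide non-interactively, once per identity, then
# verify what was produced. Names below are placeholders.

# Print the path of the easy-rsa 3 "easyrsa" script, or fail if none exists.
# Ubuntu 20.04 and later install it as /usr/share/easy-rsa/easyrsa (the file
# the guide's ./easyrsa refers to after make-cadir); Ubuntu 18.04's easy-rsa
# 2.x package has no such script, only the older build-ca/build-key-* tools.
find_easyrsa() {
    if command -v easyrsa >/dev/null 2>&1; then
        command -v easyrsa
    elif [ -x /usr/share/easy-rsa/easyrsa ]; then
        echo /usr/share/easy-rsa/easyrsa
    else
        return 1
    fi
}

# build_pki <dir> <server-name> <client-name>
# Creates the PKI under <dir>/pki. Returns 0 on success, 2 when easy-rsa 3 is
# not installed, 1 on any other failure. Runs in a subshell so cd/export do
# not leak into the caller.
build_pki() (
    dir=$1; server=$2; client=$3
    easyrsa=$(find_easyrsa) || {
        echo "easy-rsa 3 not found (Ubuntu 18.04 ships easy-rsa 2.x without an easyrsa script)" >&2
        exit 2
    }
    mkdir -p "$dir" && cd "$dir" || exit 1
    # EASYRSA_BATCH=1 answers every confirmation prompt (same as --batch);
    # EASYRSA_REQ_CN is the CA common name that build-ca would otherwise ask for.
    export EASYRSA_BATCH=1 EASYRSA_REQ_CN="Example CA"
    "$easyrsa" init-pki || exit 1
    # The passphrase build-ca normally asks for protects pki/private/ca.key and
    # is prompted for again by every later sign-req. "nopass" skips it here
    # for a throwaway lab only; keep the passphrase for a CA you will rely on.
    "$easyrsa" build-ca nopass || exit 1
    # One gen-req per identity. A second gen-req for the same name overwrites
    # pki/private/<name>.key, so a certificate signed from the first request
    # no longer matches the key left on disk.
    "$easyrsa" gen-req "$server" nopass  || exit 1
    "$easyrsa" sign-req server "$server" || exit 1   # serverAuth EKU for remote-cert-tls server
    "$easyrsa" gen-req "$client" nopass  || exit 1
    "$easyrsa" sign-req client "$client" || exit 1
    "$easyrsa" gen-dh || exit 1                      # writes pki/dh.pem, not dh2048.pem
    for f in pki/ca.crt pki/dh.pem "pki/issued/$server.crt" "pki/private/$server.key" \
             "pki/issued/$client.crt" "pki/private/$client.key"; do
        [ -f "$f" ] || { echo "expected $f was not created" >&2; exit 1; }
    done
)

# cert_is_server <cert>: succeeds if the certificate carries the serverAuth
# extended key usage that "sign-req server" adds. A client configured with
# "remote-cert-tls server" rejects a server certificate without it, which is
# what you get if the server request was signed with "sign-req client".
cert_is_server() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# cert_key_match <cert> <key>: succeeds if the private key is the one the
# certificate was issued for. This is the check that fails after a second
# gen-req for the same name has replaced pki/private/<name>.key.
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage: RUN_PKI=1 sh build-pki.sh   (writes ./demo-pki in the current directory)
if [ "${RUN_PKI:-0}" = 1 ]; then
    build_pki ./demo-pki myservername client1 \
        && cert_is_server demo-pki/pki/issued/myservername.crt \
        && cert_key_match demo-pki/pki/issued/myservername.crt demo-pki/pki/private/myservername.key \
        && echo "PKI built and verified"
fi
```

The two verification functions are what a client-side failure would otherwise tell you much later: a server certificate signed as "client" is refused by clients using remote-cert-tls server, and a key overwritten by a repeated gen-req makes the server fail to start with a key/certificate mismatch.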

Hi,
could you please change in myserver.conf description from:

ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem

to:

ca ca.crt
cert myservername.crt
key myservername.key
**dh dh.pem**

Best regards
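A pre-start check for the two configuration mistakes raised in this thread: a file directive such as dh dh2048.pem that points at a name easy-rsa 3 never writes (it produces dh.pem), and more than one .conf file in /etc/openvpn, which on Debian and Ubuntu autostarts one openvpn@ instance (and one tap device) per file by default (AUTOSTART=all in /etc/default/openvpn). This is an added example, not code from the guide or the OpenVPN project; the sample config in the usage line is constructed for illustration, and inline <ca>...</ca> blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide or OpenVPN): lint an OpenVPN server
# config for file directives that point at missing files, and count how many
# configs would be started from one directory.

# check_conf <conf>: prints every file directive whose target does not exist
# and returns the number of missing files. Relative paths are resolved the way
# OpenVPN resolves them: against a "cd <dir>" directive if the config has one,
# otherwise against the daemon's working directory, which the Debian/Ubuntu
# openvpn@ units set to the directory holding the config.
check_conf() {
    conf=$1
    base=$(dirname "$conf")
    cdir=$(awk '$1 == "cd" { print $2; exit }' "$conf")
    [ -n "$cdir" ] && base=$cdir
    missing=0
    # directives whose first argument is a file path (paths with spaces are not handled)
    for f in $(awk '$1 ~ /^(ca|cert|key|dh|tls-auth|tls-crypt|crl-verify)$/ { print $2 }' "$conf"); do
        case $f in
            /*) path=$f ;;
            *)  path=$base/$f ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$conf: missing file $path"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# count_confs <dir>: number of *.conf files in <dir>. With the default
# AUTOSTART=all, every /etc/openvpn/*.conf becomes its own openvpn@<name>
# instance, so a stray test.conf beside myserver.conf means two daemons and
# two tap interfaces on the same bridge.
count_confs() {
    n=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage on a real host:  check_conf /etc/openvpn/myserver.conf; count_confs /etc/openvpn
# Constructed demo: a config that still says dh2048.pem next to the dh.pem easy-rsa 3 wrote.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    touch "$d/ca.crt" "$d/myservername.crt" "$d/myservername.key" "$d/dh.pem"
    printf 'ca ca.crt\ncert myservername.crt\nkey myservername.key\ndh dh2048.pem\n' > "$d/myserver.conf"
    check_conf "$d/myserver.conf" || echo "$? file(s) missing; $(count_confs "$d") config(s) would start"
fi
```

Run it before systemctl start openvpn@myserver: a non-zero return from check_conf is the dh2048.pem versus dh.pem mismatch (or any other stale path) caught before the daemon logs a file-not-found error, and count_confs above 1 explains the extra tap device described earlier in the thread.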