Configuring OpenVPN in Ubuntu using TUN/TAP

A network device connects a computer to another computer or network. A normal network device such as eth0 is backed by a hardware component or a cable. By contrast, virtual network devices are controlled entirely by software; the tun/tap devices are of this kind, and all of their activity is handled by the kernel. They are most commonly used where a VPN (Virtual Private Network) is required. This article describes how to enable tun/tap in an Ubuntu OpenVZ VPS, how to install and configure OpenVPN on an Ubuntu server, how to install and set up an OpenVPN client, and how to connect from the client to the server. Step-by-step instructions are provided with the expected output and images to help you complete the setup without difficulty.

Enabling tun/tap support in a physical Ubuntu server

Tun/tap support has to be enabled at the kernel level. Most current operating systems ship with tun/tap support enabled by default, so you only need to load the required kernel module for it to work. First, log in to your main node as root and load the module as follows.


How to enable tun/tap in a VPS Server

If you are on a KVM VPS, you can enable tun/tap as described above, because KVM does not use a shared kernel: like a dedicated server, a KVM VPS runs its own isolated kernel. If you are on an OpenVZ VPS, the support has to be enabled on the node first. OpenVZ uses one shared kernel for all VPSs, so if a VPS owner wants tun/tap it has to be set by us on the main node. After that you can enable it from your VPS control panel as follows.

  • Log in to your VPS control panel using your username and password.
  • Click the ‘Manage’ button to the right of the VPS in which you want to enable tun/tap.
  • Under the Controls -> Settings tab, click ‘Enable TUN/TAP’.
  • A dialog box appears asking for confirmation; hit yes.


  • Now TUN/TAP will be enabled in your VPS and a confirmation message will be displayed in your control panel screen.

TUN/TAP is now enabled, and you can verify that it works as follows. Log in to your VPS and execute the following command.

If the output shows “File descriptor in bad state”, tun/tap is working correctly: the kernel's tun driver is present and answering, and it only refuses the read because no interface is attached to the file descriptor yet. An error such as “No such file or directory” or “No such device” instead means the module is not loaded or the device node was never created.
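The two checks above (the device node after loading the module, and the probe command whose expected answer is “File descriptor in bad state”) as a small script. This is an added example, not part of the original article: the device path /dev/net/tun, the module name tun, and the probe command `cat /dev/net/tun` are my assumptions about what the article's screenshots ran, and the classification of the other messages is mine.

```shell
#!/bin/sh
# Added example (not from the original article): check whether the kernel's
# TUN/TAP support is usable. Assumes the standard device node /dev/net/tun and
# the usual "cat /dev/net/tun" probe, whose expected answer is
# "File descriptor in bad state" (both are assumptions on my part).

# tun_device_status PATH -> prints "present" if PATH is a character device
# (the shape /dev/net/tun has), "missing" otherwise. Exit status mirrors it.
tun_device_status() {
    if [ -c "$1" ]; then
        echo present
        return 0
    fi
    echo missing
    return 1
}

# interpret_probe_output TEXT -> classifies what "cat /dev/net/tun" printed:
#   "ok"     : the "File descriptor in bad state" message, i.e. the node is
#              backed by a working tun driver (the article's success case)
#   "absent" : "No such file or directory" / "No such device": the module is
#              not loaded or the node was never created
#   "denied" : "Permission denied": the node exists but this user may not open it
#   "unknown": anything else
interpret_probe_output() {
    case "$1" in
        *"File descriptor in bad state"*) echo ok ;;
        *"No such file or directory"*|*"No such device"*) echo absent ;;
        *"Permission denied"*) echo denied ;;
        *) echo unknown ;;
    esac
}

# Full check as root on the server: load the module, then probe the node.
# Only runs when invoked with --run so that sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    modprobe tun 2>/dev/null || echo "modprobe tun failed (not root, or driver built into the kernel)" >&2
    tun_device_status /dev/net/tun
    interpret_probe_output "$(cat /dev/net/tun 2>&1)"
fi
```

Run it as `sh tun-check.sh --run` on the node or the VPS; a “denied” result on an OpenVZ container usually means the node-side enablement described above has not been done yet.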

Install OpenVPN in Ubuntu server

Now that tun/tap is enabled, we can install OpenVPN. I chose an Ubuntu server for this setup. Log in to the server as root, update the package lists, and then run the installation command for openvpn.

The next step is setting up certificates. OpenVPN uses a public key infrastructure (PKI): a public key and a private key for the server and for each VPN client, plus a master CA certificate that signs the server and client certificates. The server and the client authenticate each other by checking that the peer's certificate is signed by the master CA.

Generate Server and Client Certificates

The openvpn package installs sample configuration files under /usr/share/doc/openvpn/examples/. To set up the certificates for OpenVPN on an Ubuntu server, first create a folder easy-rsa under /etc/openvpn and then copy the contents of /usr/share/doc/openvpn/examples/easy-rsa/2.0 to /etc/openvpn/easy-rsa.

Next, open the vars file and edit the following entries to suit your organisation.

Now we generate the master CA certificate and key based on the details above. Perform the following steps, and for the questions asked enter your own details rather than the defaults presented.


The master certificate and key, ca.crt and ca.key, are now in /etc/openvpn/easy-rsa/keys. Next, generate the server certificate (public key) and private key. It will again ask for the details from above; accept the defaults taken from the vars file or enter them again. Enter your server's hostname as the Common Name. It will then ask for a challenge password and for confirmation to sign the certificate: enter the password and ‘y’ to confirm.

Though certificates are what OpenVPN uses to secure the connection, it also requires Diffie-Hellman parameters for the key exchange. They are generated as follows.

All the required server certificates and keys are now present in /etc/openvpn/easy-rsa/keys. Copy them to /etc/openvpn now.

Now that the server certificate and key are done, we move on to client certificates. Each client connecting to the openvpn server needs its own certificate to authenticate to the server. Client certificates are created as follows.

The build-key command will again ask for the same details as when creating the server certificate; this time enter the client's details. You can use any name for the client certificate instead of ‘clientname’.

To connect to the openvpn server from an openvpn client, you need the following three files. Copy them to the client machine by a secure means; the client key in particular is a secret and must not travel over an unprotected channel.

  1. The master CA certificate present at /etc/openvpn/ca.crt
  2. The client certificate present at /etc/openvpn/easy-rsa/keys/clientname.crt
  3. The client key present at /etc/openvpn/easy-rsa/keys/clientname.key
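The certificate steps above (build-ca, build-key-server, build-dh and build-key in easy-rsa 2.0) all come down to a CA signing leaf certificates, and the mutual authentication described earlier is each side checking its peer's certificate against ca.crt. The following added example, which is not the article's or easy-rsa's code, does the same with plain openssl so that the relationship between the files is visible and the trust check can be exercised. The directory layout, the names "server" and "clientname", the 2048-bit key size and the 10-year validity are my assumptions.

```shell
#!/bin/sh
# Added example (not the article's or easy-rsa's own code): the PKI that
# easy-rsa's build-ca / build-key-server / build-key / build-dh produce, done
# with plain openssl so the mutual-authentication check is visible. Directory
# layout, the names "server" and "clientname", the key size and the validity
# period are assumptions.

# issue_cert DIR NAME EKU: key + CSR for NAME, signed by DIR's CA with the given
# extended key usage (serverAuth for the server, clientAuth for clients).
issue_cert() {
    dir="$1"; name="$2"; eku="$3"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    # Leaf certificates must not be allowed to act as a CA themselves.
    printf 'extendedKeyUsage=%s\nbasicConstraints=CA:FALSE\n' "$eku" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# make_pki DIR: create ca.crt/ca.key, a server certificate and one client
# certificate under DIR (the equivalent of the keys/ directory in the article).
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Master CA: self-signed; its private key signs everything else, so it is
    # the one file that must never leave the server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=OpenVPN-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    issue_cert "$dir" server serverAuth
    issue_cert "$dir" clientname clientAuth
}

# build_dh DIR BITS: the Diffie-Hellman parameters the server config references
# (slow for 2048 bits; not run by the self-test).
build_dh() {
    openssl dhparam -out "$1/dh$2.pem" "$2" 2>/dev/null
}

# trusted_by CA_FILE CERT_FILE: exit 0 only if CERT_FILE chains to CA_FILE.
# This is the check each side of an OpenVPN session performs on its peer;
# a certificate from any other CA, however valid, is rejected.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}
```

Usage: `make_pki /etc/openvpn/easy-rsa/keys` followed by `trusted_by keys/ca.crt keys/clientname.crt` reproduces the files the article distributes to the client (ca.crt, clientname.crt, clientname.key); the test below also shows that a client certificate issued by a second, unrelated CA is not trusted, which is exactly the property the server relies on.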

With the certificates done, we move on to the server configuration.

OpenVPN Server Configuration

As with the certificates, the openvpn package also ships sample config files, at /usr/share/doc/openvpn/examples/sample-config-files. The two we need now are client.conf and server.conf.gz. First, copy the compressed server.conf.gz to /etc/openvpn and uncompress it.

After uncompressing you will have /etc/openvpn/server.conf. Open that file and edit the following section so that it matches the certificate and key files present on your server.

Save and quit the file. This is the last step in configuring the openvpn server on Ubuntu. You can now restart the openvpn service and check that it starts successfully.

OpenVPN has now started without errors. You can confirm it is running by executing the following. Logs and errors from OpenVPN are written to syslog at /var/log/syslog.

OpenVPN connects through the virtual network device tun, so once openvpn is started you will see a tun interface in the output of the ifconfig command on the server, as follows.
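The server-side steps above (pointing server.conf at the copied files, restarting, and confirming that a tun interface came up) as an added example, not the article's own commands. The four directives and the file names ca.crt, server.crt, server.key and dh1024.pem follow the sample server.conf shipped with the package; the config path, the use of `ip -o link` alongside ifconfig, and the interface-name parsing are my assumptions.

```shell
#!/bin/sh
# Added example (not from the article): the certificate section of server.conf
# as this article sets it up, plus two checks worth running before and after
# restarting openvpn. File names follow the sample server.conf; the config
# path and the interface-name parsing are assumptions on my part.

# write_cert_section CONF: append the four lines that point OpenVPN at the
# files copied into /etc/openvpn (relative paths resolve against the config dir).
write_cert_section() {
    cat >> "$1" <<'EOF'
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
EOF
}

# check_conf_files CONF: exit 0 if every file named by ca/cert/key/dh in CONF
# exists next to it, otherwise report the missing ones and exit 1. A mismatch
# here is the usual reason openvpn refuses to start after a config edit.
check_conf_files() {
    conf="$1"; base=$(dirname "$conf"); missing=0
    while read -r directive value _rest; do
        case "$directive" in
            ca|cert|key|dh)
                case "$value" in /*) path="$value" ;; *) path="$base/$value" ;; esac
                if [ ! -f "$path" ]; then
                    echo "missing $directive file: $path" >&2
                    missing=$((missing + 1))
                fi ;;
        esac
    done < "$conf"
    [ "$missing" -eq 0 ]
}

# tun_interfaces: reads "ip -o link" or ifconfig style output on stdin and
# prints the names of tun devices, one per line; empty output means OpenVPN
# has not brought its interface up.
tun_interfaces() {
    sed -n 's/^[0-9]*: *\(tun[0-9]*\)[:@].*/\1/p; s/^\(tun[0-9]*\)[: ].*/\1/p'
}

# Live checks, only when invoked with --run on the server.
if [ "${1:-}" = "--run" ]; then
    check_conf_files /etc/openvpn/server.conf
    ip -o link | tun_interfaces
    grep -i openvpn /var/log/syslog | tail -n 5
fi
```

Run `check_conf_files /etc/openvpn/server.conf` before restarting the service; if it reports nothing missing and `ip -o link | tun_interfaces` prints tun0 afterwards, the server side of the article is complete and the syslog lines are the place to look for anything else.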

OpenVPN Client Configuration

With your OpenVPN server ready, you can now read this article on how to configure an OpenVPN client on Windows.
