Configuring OpenVPN in Ubuntu using TUN/TAP

A device which connects a computer to another computer or network is called a network device. Normal network devices (say for example eth0) will have a hardware component or a wire connected to it. On the oposite, there are virtual network devices which are completely controlled by software. They are the tun/tap devices.

These are entirely virtual, and the kernel manages all activities. Most commonly used where VPN (Virtual Private Network) setups are necessary. This article describes how you can enable tun/tap in an Ubuntu OpenVZ Cheap VPS Hosting Server. Also explains how to install and configure OpenVPN in Ubuntu server, how to install and setup OpenVPN client and how to connect to server from client. Step by step instructions will be provided here with expected output and images, which would help you proceed with the setup without difficulty.

Enabling tun/tap support in a physical Ubuntu server

You need to enable Tun/tap at the kernel level. Most latest operating systems have support for tun/tap enabled by default. You just need to insert the required kernel module for it to work. First, login to your main node as root and insert the module as follows.

root@node ~# modprobe tun

 

How to enable tun/tap in a VPS Server

If you are on a KVM VPS, then you can enable tun/tap as mentioned above because KVM does not use a shared kernel. Just like a cheap dedicated server, the KVM VPS uses a dedicated and isolated kernel. If you are on OpenVZ VPS, then the support needs to be enabled in the node first. OpenVZ uses a shared kernel for all VPS, hence if a VPS owner wants tun/tap, it has to be set by us in the main node. After that you can enable it from your VPS Control Panel as follows.

  • Login to your VPS control panel using your username and password.
  • Click the ‘Manage’ button to the right of the VPS in which you want to enable tun/tap
  • Under Controls -> Settings tab, click on ‘Enable TUN/TAP’
  • A dialog box appears asking for confirmation, hit yes

enable tubtap in solusvm for openvpn in ubuntu

  • Now TUN/TAP will be enabled in your VPS and a confirmation message will be displayed in your control panel screen.
    TUN TAP enabled in Ubuntu linux

TUN/TAP is now enabled and you can verify that it is working correctly as follows. Login to your VPS and execute the following command.

root@teste6:~# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state

If the output shows “File descriptor in bad state”, then it means it is working correctly.

Install OpenVPN in Ubuntu server

Now that tun/tap is enabled, we can proceed to install openvpn. I have chosen an Ubuntu server for setting up OpenVPN. Login to the server as root and first update the packages in the server and then execute the installation command for openvpn.

root@teste6:~# apt-get update

root@teste6:~# apt-get install openvpn

The next step in the process is setting up certificates. OpenVPN works on a Public Key Infrastructure which includes a public key and a private key for the server. It’s also based on a vpn client, and also a master CA certificate which is used to sign the server and client certificates. OpenVPN works by the server and client authenticating each other, throught comparing whether the certificates are signed by the master CA.

Generate Server and Client Certificates

The openvpn installation automatically downloads sample configuration files at /usr/share/doc/openvpn/examples/. To setup the certificates for OpenVPN in Ubuntu server, first create a folder easy-rsa under /etc/openvpn . Then, copy the contents from /usr/share/doc/openvpn/examples/easy-rsa/2.0 folder to /etc/openvpn/easy-rsa.

root@teste6:~# mkdir /etc/openvpn/easy-rsa

root@teste6:~# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/

root@teste6:/usr/share/doc/openvpn/examples/easy-rsa/2.0# cp -pr * /etc/openvpn/easy-rsa

Next step is to open the vars file and edit the following contents to suit yours.

root@teste6:~# vi /etc/openvpn/easy-rsa/vars

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="sales@copahost.com"

Now we are going to generate the master CA certificate and key based on the details above. For that, perform the following steps. For the questions asked, enter your details and not the default presented.

root@teste6:~# cd /etc/openvpn/easy-rsa/


root@teste6:/etc/openvpn/easy-rsa# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys


root@teste6:/etc/openvpn/easy-rsa# ./clean-all


root@teste6:/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
....................................++++++
....................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [CA]:CA
Locality Name (eg, city) [SanFrancisco]:SanFrancisco
Organization Name (eg, company) [Fort-Funston]:CopaOpenVPN
Organizational Unit Name (eg, section) [changeme]:COPAVPN
Common Name (eg, your name or your server's hostname) [changeme]:ovpn.copahost.com
Name [changeme]:COpa
Email Address [sales@copahost.com]:sales@copahost.com

The master certificate files

You can now see that the master certificate and key files are in /etc/openvpn/easy-rsa/keys , namely ca.crt and ca.key. Next step is to generate the server certificate (public key) and private key for the server. It will again ask for the details asked above, go for the defaults based on the vars file or you can enter them again. Enter your server’s hostname for Common Name. It will ask for a challenge password and confirmation to sign the certificate, enter the password and enter ‘y’ to confirm.

root@teste6:/etc/openvpn/easy-rsa# ./build-key-server ovpn.copahost.com
Generating a 1024 bit RSA private key
.......................++++++
...........++++++
writing new private key to 'ovpn.copahost.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [CA]:CA
Locality Name (eg, city) [SanFrancisco]:SanFrancisco
Organization Name (eg, company) [Fort-Funston]:CopaOpenVPN
Organizational Unit Name (eg, section) [changeme]:COPAVPN
Common Name (eg, your name or your server's hostname) [ovpn.copahost.com]:ovpn.copahost.com
Name [changeme]:COpa
Email Address [sales@copahost.com]:sales@copahost.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:copa123#
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'CopaOpenVPN'
organizationalUnitName:PRINTABLE:'COPAVPN'
commonName            :PRINTABLE:'ovpn.copahost.com'
name                  :PRINTABLE:'COpa'
emailAddress          :IA5STRING:'sales@copahost.com'
Certificate is to be certified until May  9 04:58:26 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Though certificates are used in openvpn for encryption it also requires the generation of Diffie Helman parameters for better encryption. It can be generated as follows.

root@teste6:/etc/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
............................................................................................+.........
++*++*

Now all the required certificates and keys will be present in /etc/openvpn/easy-rsa/keys. We will copy them to /etc/openvpn now.

root@teste6:/etc/openvpn/easy-rsa/keys# cp ca.crt  dh1024.pem ovpn.copahost.com.crt 
ovpn.copahost.com.key /etc/openvpn/

Create client certificates

Now that the server certificate and key sections are over, we will move to creating client certificates. Each client connecting to the openvpn server will require a different certificate to authenticate to the server. The client certificates are created as follows.

root@teste6:~# cd /etc/openvpn/easy-rsa/
root@teste6:/etc/openvpn/easy-rsa# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@teste6:/etc/openvpn/easy-rsa# ./build-key clientname

The build-key command will again ask details as asked above while creating the certificate. This time enter the client details. You can give any name for client certificate instead of ‘clientname’.

To connect to the openvpn server from an openvpn client, you will require the following three files. Copy them to your client machine using any secure means.

  1. The master CA certificate present at /etc/openvpn/ca.crt
  2. The client certificate present at /etc/openvpn/easy-rsa/keys/clientname.crt
  3. The client key present at /etc/openvpn/easy-rsa/keys/clientname.key

Now the certificate part is over, we next need to move to the server configuration part.

OpenVPN Server Configuration

As in the case with certificates, the openvpn installation provides sample config files also at /usr/share/doc/openvpn/examples/sample-config-files. Two files named client.conf and server.conf.gz are the ones we require now. First, copy the compressed server.conf.gz to /etc/openvpn and uncompress it.

root@teste6:/usr/share/doc/openvpn/examples/sample-config-files# cp server.conf.gz /etc/openvpn/
root@teste6:/usr/share/doc/openvpn/examples/sample-config-files# cd /etc/openvpn/

root@teste6:/etc/openvpn# gunzip -d server.conf.gz

After uncompressing, you will get a file named server.conf at /etc/openvpn. Open that file and edit the following section in it to match the certificates present in your server.

root@teste6:/etc/openvpn# vi server.conf

ca ca.crt
cert ovpn.copahost.com.crt
key ovpn.copahost.com.key

dh dh1024.pem

Save and quit the file. This is the last step in the configuration of openvpn server in Ubuntu. You can now restart the openvpn service in the server and see if it gets started successfully.

root@teste6:/etc/openvpn# /etc/init.d/openvpn start
 * Starting virtual private network daemon(s)...                                                                                         
*   Autostarting VPN 'server'

OpenVPN has started successfully now, without errors. You can confirm that it is running fine by executing the following. The logs and errors related to OpenVPN will be present in syslog at /var/log/syslog .

root@teste6:/etc/openvpn# ps aux | grep openvpn
root      5736  0.0  0.1  21972  1268 ?        Ss   09:42   0:00 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf --script-security 2

OpenVPN uses the virtual network device tun to connect. So when openvpn is started, you will see a tun interface when you execute the ifconfig command in the server as follows.

root@teste6:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

OpenVPN Client Configuration

After having your OpenVPN Server ready, you can now ready this article about how to configure an OpenVPN Client in Windows

 

 

Share the Post:
Picture of Gustavo Bastos

Gustavo Bastos