How To Set Up And Configure An OpenVPN Server On Ubuntu 22.04
Step 7 — Configuring OpenVPN
Like many other widely used open-source tools, OpenVPN has numerous configuration options available to customize your server for your specific needs. In this section, we will provide instructions on how to set up an OpenVPN server configuration based on one of the sample configuration files that are included within this software’s documentation.
First, copy the sample server.conf file as a starting point for your own configuration file:
- sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/
Open the new file for editing with nano or the text editor of your choice:
- sudo nano /etc/openvpn/server/server.conf
You’ll need to change a few lines in this file. First, find the HMAC section of the configuration by searching for the tls-auth directive. This line will be enabled by default. Comment it out by adding a ; to the beginning of the line. Then add a new line after it containing the value tls-crypt ta.key only:
/etc/openvpn/server/server.conf
    ;tls-auth ta.key 0 # This file is secret
    tls-crypt ta.key
Next, find the section on cryptographic ciphers by looking for the cipher lines. The default value is set to AES-256-CBC; however, the AES-256-GCM cipher offers a better level of encryption and performance, and is well supported in up-to-date OpenVPN clients. Comment out the default value by adding a ; sign to the beginning of this line, and then add another line after it containing the updated value of AES-256-GCM:
/etc/openvpn/server/server.conf
    ;cipher AES-256-CBC
    cipher AES-256-GCM
Right after this line, add an auth directive to select the HMAC message digest algorithm. For this, SHA256 is a good choice:
/etc/openvpn/server/server.conf
    auth SHA256
Next, find the line containing a dh directive, which defines Diffie-Hellman parameters. Since you configured all the certificates to use Elliptic Curve Cryptography, there is no need for a Diffie-Hellman seed file. Comment out the existing line that looks like dh dh2048.pem or dh dh.pem. The filename for the Diffie-Hellman key may be different than what is listed in the example server configuration file. Then add a line after it with the contents dh none:
/etc/openvpn/server/server.conf
    ;dh dh2048.pem
    dh none
Next, OpenVPN should run with no privileges once it has started, so you’ll need to tell it to run with a user nobody and group nogroup. To enable this, find and uncomment the user nobody and group nogroup lines by removing the ; sign from the beginning of each line:
/etc/openvpn/server/server.conf
    user nobody
    group nogroup
(Optional) Push DNS Changes to Redirect All Traffic Through the VPN
The settings above will create the VPN connection between your client and server, but will not force any connections to use the tunnel. If you wish to use the VPN to route all of your client traffic over the VPN, you will likely want to push some extra settings to the client computers.
To get started, find and uncomment the line containing push "redirect-gateway def1 bypass-dhcp". Doing this will tell your client to redirect all of its traffic through your OpenVPN Server. Be aware that enabling this functionality can cause connectivity issues with other network services, like SSH:
/etc/openvpn/server/server.conf
    push "redirect-gateway def1 bypass-dhcp"
Just below this line, find the dhcp-option section. Again, remove the ; from the beginning of both of the lines to uncomment them:
/etc/openvpn/server/server.conf
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
These lines will tell your client to use the free OpenDNS resolvers at the listed IP addresses. If you prefer other DNS resolvers, you can substitute them in place of the IPs shown above.
This will assist clients in reconfiguring their DNS settings to use the VPN tunnel as the default gateway.
(Optional) Adjust the Port and Protocol
By default, the OpenVPN server uses port 1194 and the UDP protocol to accept client connections. If you need to use a different port because of restrictive network environments that your clients might be in, you can change the port option. If you are not hosting web content on your OpenVPN server, port 443 is a popular choice since it is usually allowed through firewall rules.
To change OpenVPN to listen on port 443, open the server.conf file and find the line that looks like this:
/etc/openvpn/server/server.conf
    port 1194
Edit it so that the port is 443:
/etc/openvpn/server/server.conf
    # Optional!
    port 443
Oftentimes, the protocol is restricted to that port as well. If so, find the proto line below the port line and change the protocol from udp to tcp:
/etc/openvpn/server/server.conf
    # Optional!
    proto tcp
If you do switch the protocol to TCP, you will need to change the explicit-exit-notify directive’s value from 1 to 0, as this directive is only used by UDP. Failing to do so while using TCP will cause errors when you start the OpenVPN service.
Find the explicit-exit-notify line at the end of the file and change the value to 0:
/etc/openvpn/server/server.conf
    # Optional!
    explicit-exit-notify 0
If you have no need to use a different port and protocol, it is best to leave these settings unchanged.
(Optional) Point to Non-Default Credentials
If you selected a different name during the ./easyrsa gen-req server command earlier, modify the cert and key lines in the server.conf configuration file so that they point to the appropriate .crt and .key files. If you used the default name, server, this is already set correctly:
/etc/openvpn/server/server.conf
    cert server.crt
    key server.key
When you are finished, save and close the file.
You have now finished configuring your OpenVPN general settings. In the next step, you’ll customize the server’s networking options.
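The checks from this step can be collected into a small audit script that reads a server.conf and reports any setting that differs from what was configured above. This is an added example, not part of the original tutorial or of OpenVPN: the function names conf_get and audit_conf and the sample file contents are constructed for illustration, and the parser only handles the one-directive-per-line form shown in this step.

```sh
# conf_get FILE NAME: print the arguments of the last active NAME directive.
# Lines starting with ';' or '#' are comments; a trailing " # ..." is dropped.
conf_get() {
    awk -v d="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == d { sub(/[ \t]+[#;].*$/, ""); $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }' "$1"
}

# audit_conf FILE: print one line per deviation from Step 7; status 1 if any.
audit_conf() {
    findings=$(
        for rule in tls-crypt=ta.key cipher=AES-256-GCM auth=SHA256 \
                    dh=none user=nobody group=nogroup; do
            name=${rule%%=*} want=${rule#*=}
            got=$(conf_get "$1" "$name")
            [ "$got" = "$want" ] ||
                echo "${name}: expected '$want', found '${got:-<not set>}'"
        done
        # tls-crypt replaces tls-auth, so the old line must stay commented out.
        [ -z "$(conf_get "$1" tls-auth)" ] || echo "tls-auth: still active"
        # explicit-exit-notify is UDP-only: with proto tcp it must be 0 or absent.
        notify=$(conf_get "$1" explicit-exit-notify)
        case $(conf_get "$1" proto) in
            (tcp*) [ "${notify:-0}" = 0 ] ||
                       echo "explicit-exit-notify: must be 0 when proto is tcp" ;;
        esac
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: proto switched to tcp without resetting
# explicit-exit-notify, and the user/group lines left commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
;tls-auth ta.key 0 # This file is secret
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
dh none
;user nobody
;group nogroup
proto tcp
explicit-exit-notify 1
EOF
audit_conf "$sample" || echo "server.conf deviates from Step 7"
rm -f "$sample"
```

To check the real file, run audit_conf /etc/openvpn/server/server.conf after saving your edits; no output and exit status 0 mean every setting from this step is in place.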