
Setting up an OpenVPN server with Ubuntu and Viscosity

Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.

Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.

This guide will walk you through the steps involved in setting up an OpenVPN server on an Ubuntu host that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.

Preparation

For this guide, we assume:

  • You have already installed the latest version of Ubuntu (14.04 at time of writing)
  • You have root access to this installation
  • This installation of Ubuntu is a fresh install
  • You already have a copy of Viscosity installed on your client device

If you need to download and install a copy of Ubuntu, information can be found at http://www.ubuntu.com/download. We won't be covering the details of setting up an Ubuntu instance; many guides can be found online. If you are running a different version of Ubuntu, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to set up an OpenVPN server on a different operating system, please check out our other guides.

If you don't have a copy of Viscosity already installed on your client, then please check out this setup guide for installing Viscosity (Mac | Windows).

Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.

Accessing the Command Line Interface

The steps outlined in this guide are performed via the command line interface (i.e. terminal) on your Ubuntu server. If you are running this server remotely, you will need to use the SSH application to connect securely between your client device and the server (to "SSH into" your server). If you are setting up your OpenVPN server on a virtual private server (VPS), you may only be familiar with the web interface. Many VPS suppliers provide SSH access in addition to the web interface. Please consult your VPS provider for details.

SSH From Mac

To SSH from a Mac device, you can use the preinstalled ssh program. This program can be accessed by first opening the terminal application. Press ⌘ + space to bring up the spotlight search bar and type terminal. Once in the Mac terminal, you can SSH into your Ubuntu server by typing the following (replacing your-server-ip with the IP address of your Ubuntu server):

ssh root@your-server-ip

followed by ENTER. You will then be prompted for your password before being logged in.

SSH From Windows

To SSH from a Windows device, you need to use an SSH client. Windows does not come with an SSH client preinstalled, so you will need to download one. One of the best free-to-use clients is called PuTTY. Download a copy of PuTTY and run it. PuTTY is a very small program, so you don't need to install anything; it will just run as a stand-alone executable file. Once opened, enter the IP address of your Ubuntu server in the 'Host Name (or IP address)' section. You will also note that the 'SSH' connection type has been selected by default. If this is the first time you are SSHing into this server from your client device, the SSH protocol will require you to verify that you are connecting to the server you think you are: a 'PuTTY Security Alert' showing the server's host key fingerprint will pop up when you attempt to connect. If you have entered the IP address of your server correctly (and, where you can, have checked that the fingerprint matches the one on the server), press 'Yes' to indicate that you trust the server. After you then provide your root username and password, you will be logged into the terminal on your Ubuntu server.

Ubuntu Desktop

If you have local access to your Ubuntu server, then you can perform the steps of this guide directly, without SSHing in to the server. The steps need to be performed in a terminal window, so the first step is to open a terminal window in Ubuntu with root access. From the desktop, open the terminal app by clicking on the “Search your computer and online sources” icon on the top left and typing terminal. This opens a terminal window from which we can continue the rest of the setup.

Now that you have access to the terminal on the Ubuntu server, you need to change the user to root. Type into the terminal window:

sudo -i

then enter your password when prompted. You will see that you are now logged in to the root account.

Getting Started

Once logged in to root, we need to ensure that Ubuntu's repository list is up to date by typing the following:

apt-get update

This will run through and make sure Ubuntu knows about the most recent versions of packages that can be downloaded with apt-get. After this completes, and before we start setting up the server, we should make sure that all the installed packages and the operating system are up to date. Type:

apt-get dist-upgrade

If any updates are found, you will be asked if you want to continue. Confirm that you do by entering y. You may be informed that you need to restart after the package upgrades complete. If so, make sure to log back in to the terminal as root after restarting.

To set up an OpenVPN server, we need to install OpenVPN. In addition, we will also set up a DNS server (dnsmasq) to protect any DNS requests we make while browsing the internet, which can also be used to resolve hosts on your home/office network. Type the following into the terminal:

apt-get install openvpn dnsmasq

You will be asked:

Do you want to continue? [Y/n] 

Type y.

OpenVPN Server Configuration

There are a number of different settings we need to customize in the OpenVPN server configuration (.conf) file. If you are familiar with OpenVPN and just want to get started, here is the completed conf file for our server: openvpn.conf. Modify it to suit your configuration.

First, create a new conf file by typing:

nano /etc/openvpn/openvpn.conf

Now paste the following into the nano window:

# Diffie-Hellman parameters used for the key exchange. We'll use 2048-bit
# parameters, as this is considered standard (at the time of writing)
dh dh2048.pem

# Our VPN connection will be transported over UDP
proto udp

# The server needs to keep a record of client virtual IP addresses so that they
# can be reassigned if the server goes down
ifconfig-pool-persist ipp.txt

# To ensure that each side of the VPN knows if the connection has been severed,
# we want to ping each side every 10 seconds. If either side fails to receive a
# ping within 2 minutes, then it will assume the other side is down
keepalive 10 120

# To minimize the bandwidth consumed by the VPN, we want to compress data sent
# over it (note: OpenVPN has since deprecated compression; on current versions
# leave this line out unless your clients require it)
comp-lzo

# There can be security issues if you run the OpenVPN server as root, so we will
# downgrade the user and group
user nobody
group nogroup

# To avoid attempting to access resources that may no longer be accessible on
# restart
persist-key
persist-tun

# To write (and rewrite) a short summary of current VPN connections every minute
# to a file
status openvpn-status.log

# The verbosity of this connection logging (displayed in the Viscosity 'Details'
# window) can range from 0 (silent) to 9 (extremely verbose). We will use the
# default of 3
verb 3

# To prevent more than 10 duplicates of the same log message in a row from
# flooding the Viscosity log
mute 10

# The credential files
ca ca.crt
cert server.crt
key server.key

# This server will use the default OpenVPN port (1194)
port 1194

# We need the VPN to create a tun network interface through which we can route
# all our traffic
dev tun0

# The VPN requires a private IP subnet. We will use the default OpenVPN IP
# subnet
server 10.8.0.0 255.255.255.0

# We want VPN clients connected to this server to be able to access any hosts
# accessible on your home network. We are assuming that your local network
# subnet is 192.168.0.x/24. If it is something else, you will need to change the
# IP address in the command below
push "route 192.168.0.0 255.255.255.0"

# We want to allow hosts connected to the OpenVPN server to be able to see each
# other
client-to-client

Pay special attention to the IP address in the push "route 192.168.0.0 255.255.255.0" line. Ensure that this subnet matches your home/office LAN IP subnet. If you are not setting up this VPN server to access your home/office LAN, then you can comment out this line. When you are done, press ctrl + x to exit nano. Save the changes when prompted.

IP Forwarding

In order to forward our requests passing through the VPN, we want the OpenVPN server to act like a router. As such, we need to enable IP forwarding. In the terminal, we can enable IP forwarding on the Ubuntu server by entering:

echo 1 > /proc/sys/net/ipv4/ip_forward

However, every time we reboot the server, this command will be undone. To ensure that doesn't happen, we need to modify the sysctl.conf file using nano. Enter:

nano /etc/sysctl.conf

Scroll down to the section:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

Delete the ‘#’ character at the start of the line so that it now becomes:

net.ipv4.ip_forward=1

When you are done, press ctrl + x to exit nano. Save the changes when prompted.

To ensure that hosts on the home/office network can find the VPN server, we need to make the server respond to any ARP requests:

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

where eth0 is the network interface of the home/office network. Like ip_forward, this setting is reset on reboot; to make it persistent, add net.ipv4.conf.eth0.proxy_arp=1 to /etc/sysctl.conf as well.

Firewall Rules

We will use the uncomplicated firewall (ufw) that is installed by default on Ubuntu to control how traffic is passed through the OpenVPN server. If your Ubuntu server is externally accessible (has a direct connection to the internet with its own IP address, without a router), then you should use ufw to allow the OpenVPN port we have set up above (1194). Otherwise, we will set ufw to allow all traffic and configure the settings for routing.

If your Ubuntu server DOES NOT need ufw to protect it (i.e. it is behind a router or has a different firewall set up), you need to set the default input rule to allow all traffic to pass through ufw by default. To do so, we need to modify the configuration file.

  1. Open this file in nano:
    nano /etc/default/ufw
  2. Scroll down to the section:
    # Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
    # you change this you will most likely want to adjust your rules.
    DEFAULT_INPUT_POLICY="DROP"
  3. Since our server will not be using this firewall for protection, change this from "DROP" to "ACCEPT"
  4. Scroll down to the section:
    # Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
    # if you change this you will most likely want to adjust your rules
    DEFAULT_FORWARD_POLICY="DROP"
  5. Change the forward policy from "DROP" to "ACCEPT"
  6. Press ctrl + x to exit nano. Save the changes when prompted.

If your Ubuntu server DOES need ufw to protect it, you need to tell it which ports to allow as it has the default input and forward policies of DROP. If you are running the OpenVPN server from some remote location, you will need to SSH into it to change any settings. As such, we need to tell the firewall to permit SSH traffic.

  1. Enter the following into the terminal:
    ufw allow ssh
  2. The VPN traffic we will send to the OpenVPN server will be over UDP on port 1194, so enter into the terminal:
    ufw allow 1194/udp

If you have other services running on your Ubuntu server, then you need to make sure that you allow their traffic through ufw as well. Make sure to add any allow rules for any other ports your Ubuntu server is listening on (such as a Plex media server or maybe your own email server).

Now, regardless of your network setup, you need to set up the routing rules for ufw.

  1. Open the ufw configuration file in nano:
    nano /etc/ufw/before.rules
  2. Move the cursor below the section:
    #
    # rules.before
    #
    # Rules that should be run before the ufw command line added rules. Custom
    # rules should be added to one of these chains:
    # ufw-before-input
    # ufw-before-output
    # ufw-before-forward
  3. Paste in the following:
    # START OPENVPN RULES
    # NAT table rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    # Allow OpenVPN client to communicate with local home network
    -A POSTROUTING -s 10.8.0.0/24 -d 192.168.0.0/24 -o eth1 -j MASQUERADE
    # Allow traffic from OpenVPN client to eth0
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # END OPENVPN RULES
    • The eth0 term assumes the connection from the OpenVPN server to the internet is through the adapter eth0
    • The eth1 term assumes this is the interface connected to the home LAN network. If your Ubuntu server only has a single interface (eth0), then you can comment out this line
    • We assume 192.168.0.0/24 is the subnet for your home/office network
  4. Move the cursor below the section:
    # Don't delete these required lines, otherwise there will be errors
    *filter
    :ufw-before-input - [0:0]
    :ufw-before-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-not-local - [0:0]
    # End required lines
  5. Paste in the following:
    # Accept all traffic to and from VPN
    -A ufw-before-input -i tun+ -j ACCEPT
    -A ufw-before-output -o tun+ -j ACCEPT

    # Forward traffic to and from the VPN
    -A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
    -A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT
    • The output rule matches on the outgoing interface (-o), not -i: an input-interface match never succeeds for locally generated packets, so a rule written with -i tun+ in the output chain would silently have no effect
  6. Press ctrl + x to exit nano. Save the changes when prompted.

Ufw is now ready to be activated.

  1. In the terminal, type:
    ufw enable
  2. If you are SSH’d into this Ubuntu instance, it will display the prompt:
    Command may disrupt existing ssh connections. Proceed with operation (y|n)?
    To which you should reply with y.

The following output will then be displayed (whether you are connected via SSH or not):

Firewall is active and enabled on system startup

Creating Certificates and Keys

You can use the scripts provided by Easy-RSA to generate the required certificates and keys on your client device. Please follow the steps in our Creating Certificates and Keys guide.

Transferring Files to the Server

In order to use the credential and conf files you have created to set up your OpenVPN server, you need to transfer them to the server. For OpenVPN to be able to access these files, we need to copy them to the directory /etc/openvpn/. The method which you use will depend very much on your particular setup. If you followed the steps to generate the certificates, your files should be on your client device in the directory: /Users/your-account-name/Documents/Viscosity/client/keys/ (or on Windows: C:\Users\your-account-name\Documents\Viscosity\client\keys\).

Whichever method you choose to transfer these files, be very careful that you use an encrypted method (such as SFTP or SCP). There are a number of GUI applications that you can use to securely transfer these files to the server: Cyberduck, Transmit and WinSCP to name just a few. Alternatively, if you have physical access to the server and client, perhaps transfer them via a USB drive. Just make sure you don’t transfer them over the internet unencrypted.

Below is the command to transfer the files via SCP:

Mac

From the Terminal, type:

scp /Users/your-account-name/Documents/Viscosity/server/keys/* root@your-server-ip:/etc/openvpn/

Windows

From the Cygwin prompt, type:

scp /cygdrive/c/Users/your-account-name/Documents/Viscosity/server/keys/* root@your-server-ip:/etc/openvpn/

Starting the OpenVPN Server

Now that all the required credentials and configuration files are on your Ubuntu server, you can start the OpenVPN server. Type into the terminal:

service openvpn start

To check the server status, enter:

service openvpn status

To which it should reply with:

 * VPN 'openvpn' is running

Your OpenVPN server is now up and running and ready for you to connect to it.

DNS Server

If you are planning on encrypting all network traffic through your VPN server then it is recommended to enable your own DNS server. You first need to disable the dnsmasq instance provided by NetworkManager by default. This default instance is restricted and won't allow us to listen for DNS requests over the VPN.

  1. Open the NetworkManager configuration:
    nano /etc/NetworkManager/NetworkManager.conf
  2. Comment out the line enabling dnsmasq by adding a '#' character to the front of the line:
    dns=dnsmasq
  3. Press ctrl + x to exit nano. Save the changes when prompted.

Next we need to modify some of the default configuration.

  1. Create a backup of the original dnsmasq configuration:
    cp /etc/dnsmasq.conf /etc/dnsmasq.conf.bak
  2. Set the DNS server to listen for requests from the Ubuntu server (127.0.0.1) and from the VPN (10.8.0.1):
    echo -e "listen-address=127.0.0.1, 10.8.0.1\nbind-interfaces" > /etc/dnsmasq.conf
  3. Prevent our DNS requests from flooding the root DNS servers with bad requests:
    echo -e "domain-needed\nbogus-priv" >> /etc/dnsmasq.conf
  4. Use the Google DNS servers to resolve requests (you are free to use your DNS resolution service of choice):
    echo -e "server=8.8.8.8\nserver=8.8.4.4" >> /etc/dnsmasq.conf
  5. Restart the dnsmasq service to activate our changes:
    service dnsmasq restart

You should see a notification that it has restarted:

 * Restarting DNS forwarder and DHCP server dnsmasq [ OK ]

To check that the DNS server is listening on the addresses we requested, type:

netstat -anup

You should see a list of addresses, including 127.0.0.1 and 10.8.0.1:

Proto Recv-Q Send-Q Local Address         Foreign Address       State     PID/Program name
...
udp        0      0 127.0.0.1:53          0.0.0.0:*                       54892/dnsmasq   
udp        0      0 10.8.0.1:53           0.0.0.0:*                       54892/dnsmasq   
...
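As an added check (example code, not from the Viscosity guide), the Python below parses a netstat -anup listing like the one above and confirms that UDP port 53 is served only on the two expected addresses. A dnsmasq socket on 0.0.0.0:53 (or on the server's WAN address) would mean listen-address/bind-interfaces did not take effect and the resolver would answer queries from the internet. The sample listing is constructed from the guide's output, with an openvpn line added.

```python
"""Audit the dnsmasq bindings shown by 'netstat -anup' against this guide's setup.

Added example, not code from the guide. dns_bindings() extracts every UDP
socket bound to port 53; audit_dns() reports listeners that are missing or
that should not exist (wildcard or non-VPN addresses).
"""

# The two addresses the guide configures in /etc/dnsmasq.conf.
EXPECTED = {"127.0.0.1", "10.8.0.1"}

# Constructed sample mirroring the guide's output plus the OpenVPN socket.
SAMPLE_OK = """\
Proto Recv-Q Send-Q Local Address         Foreign Address       State     PID/Program name
udp        0      0 127.0.0.1:53          0.0.0.0:*                       54892/dnsmasq
udp        0      0 10.8.0.1:53           0.0.0.0:*                       54892/dnsmasq
udp        0      0 0.0.0.0:1194          0.0.0.0:*                       54001/openvpn
"""


def dns_bindings(netstat_text):
    """Return {local_address: program_name} for every UDP socket on port 53."""
    found = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        # Data rows start with udp/udp6; the header and '...' lines do not.
        if len(parts) < 6 or not parts[0].startswith("udp"):
            continue
        addr, _, port = parts[3].rpartition(":")   # handles IPv6 ':::53' too
        if port != "53":
            continue
        # Last column is 'PID/Program name', or '-' when netstat lacks rights.
        found[addr] = parts[-1].partition("/")[2] or "?"
    return found


def audit_dns(netstat_text, expected=EXPECTED):
    """Return a list of problems; an empty list means the bindings match the guide."""
    bindings = dns_bindings(netstat_text)
    problems = []
    for addr in sorted(expected - bindings.keys()):
        problems.append(f"missing listener on {addr}:53")
    for addr, prog in sorted(bindings.items()):
        if addr in ("0.0.0.0", "::") or addr not in expected:
            problems.append(f"unexpected {prog} listener on {addr}:53 (exposed resolver?)")
    return problems


if __name__ == "__main__":
    print(audit_dns(SAMPLE_OK) or "dnsmasq bindings look correct")
```

On a live server, pipe the real listing in with netstat -anup | python3 this_script.py after replacing SAMPLE_OK with sys.stdin.read().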

Lastly, we need to ensure that dnsmasq is started after OpenVPN on system startup. By default, dnsmasq runs before OpenVPN, which prevents it from setting up the DNS server for the VPN as the VPN doesn't exist yet.

  1. Create a backup of the original file:
    cp /etc/rc.local /etc/rc.local.bak
  2. Insert the restart just before the final exit 0 line. The default rc.local already ends with exit 0, so anything appended after it would never run:
    sed -i '/^exit 0$/i service dnsmasq restart' /etc/rc.local
  3. Make this script executable:
    chmod +x /etc/rc.local

We are now done setting up the DNS server.

Router Setup

If your Ubuntu server is directly accessible, then you can skip this section. There is no router to configure.

However if your Ubuntu server is behind a router (such as on your home WiFi), then you will need to configure your router to permit VPN traffic. Due to the many different models of router and network configurations, we cannot provide a step by step guide on how to set up your router to allow VPN traffic. However there are a few settings you are likely to need to change, so we will outline them here.

As the router will be directing all traffic to and from your OpenVPN server, you will need to set up port forwarding so that the OpenVPN server is externally accessible. Port forwarding may be under the section in your router management interface named 'Virtual Servers'. In general, you will want to forward any traffic incoming to the router on the OpenVPN port (1194). You will need to set up a rule to send any UDP traffic on this port to the local IP address of your OpenVPN server (which is probably something in the range 192.168.0.x).

If you have set up port forwarding please also make a note of your external WAN IP address. This is the IP address assigned to your router by your Internet Service Provider (ISP). This address will be needed when configuring your connection in Viscosity below.

The other main router setting you will need to consider is static routing. Because you will have a VPN set up, there will be traffic sent to your router with a source or destination IP in the range 10.8.0.x. This traffic will need to have static routing in place so that, when a host on the LAN receives a request from a VPN client (on the 10.8.0.x subnet) and sends a response to that address, the router knows to hand the response to your OpenVPN server (at its 192.168.0.x address) rather than to its default internet gateway. Thus you will need to set up a static routing rule that has the following properties:

Destination: 10.8.0.0
Subnet mask: 255.255.255.0
Default gateway: your-server-IP

where your-server-IP is the IP address of your OpenVPN server on the local network (something in the range 192.168.0.x).

Setting Up Viscosity

The interfaces provided by the Mac and Windows versions of Viscosity are intentionally very similar. As such, we will focus our guide on the Mac version, pointing out any differences with the Windows version as they arise.

If you do not have Viscosity already running, start Viscosity now. In the Mac version you will see the Viscosity icon appear in the menu bar. In the Windows version you will see the Viscosity icon appear in the system tray.

Click the Viscosity icon in the menu bar (Windows: system tray) and select 'Preferences...':

Mac

Windows

This shows you the list of available VPN connections. We assume you recently installed Viscosity, so this list is empty. Click on the '+' button and select 'New Connection':

Configuring the Connection

You will now need to set the connection parameters as outlined below:

  1. In the General tab, replace the connection name with your desired name for the connection, for example "DemoConnection".
  2. Replace the "Address" field with the IP address needed to connect to the server. If your Ubuntu server is directly reachable from the internet this will be its IP address. If the server is behind a router and port-forwarding has been set up this should be the external IP address of your router (please see the section above).


  3. Click the Authentication tab.
  4. Click the Select ... button next to the CA option. Select the ca.crt file you created earlier (Mac: /Users/your-account-name/Documents/Viscosity/client/keys/, Windows: C:\Users\your-account-name\Documents\Viscosity\client\keys\)
  5. Click the Select ... button next to the Cert option. Select the client1.crt file you created earlier
  6. Click the Select ... button next to the Key option. Select the client1.key file you created earlier


  7. Click on the Networking tab and enter "10.8.0.1" into the "Servers" field in the DNS Settings section.


  8. Click the Save button to save your changes.

(Optional) Allowing Access to the Internet

By default the VPN connection will allow access to the file server and other computers on the home/office (LAN) network. However if you also wish to have all internet traffic sent through the VPN connection it's necessary to make a final edit to the connection:

  1. Double-click on your connection in the Viscosity Preferences window to open the connection editor
  2. Click on the Networking tab.
  3. Tick the "Send all traffic over VPN connection" option. It is not necessary to enter a Default Gateway.
  4. Click the Save button.

Connecting and Using Your VPN Connection

You are now ready to connect. Click on the Viscosity icon in the menu bar (Windows: system tray) and select 'Connect DemoConnection'. That's it, you should see a notification that you're now connected!

To check that the VPN is up and running, you can use the Viscosity details window. Click the Viscosity menu bar (Windows: system tray) icon and select 'Details...'. This will bring up the details window.



This window will show you the traffic passing through the VPN connection.

Accessing Network Resources

Once connected to your VPN, you can access your files or other services by using the LAN IP address you would use if you were connected to them via your home/office local network.

Connect via Mac

To connect to a shared network directory from your Mac connected to the VPN:

  1. Open a Finder window
  2. Click Go on the menu bar and select "Connect to Server..."


  3. In the Server Address, type the LAN IP address of your network resource (something like 192.168.0.x) and click Connect.
  4. Enter the username and password for the network resource
  5. Select the shared volume you want to access and click OK

Network resources you would normally find appearing in the Finder sidebar will not appear when connected to via the VPN. You can find connected network resources in the Computer directory. In a Finder window, press ⌘ + shift + c to jump to the Computer directory.

Connect via Windows

To connect to a shared network directory from your PC connected to the VPN:

  1. Type the \\lan-ip-address into the Search the web and Windows box in the taskbar and press Enter (something like \\192.168.0.x)


  2. Enter the username and password for the network resource
  3. You will then see the folders shared by this host


That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!