1.3. Simple Server Configuration
Along with your OpenVPN installation you got these sample config files (and many more if you check):
root@server:/# ls -l /usr/share/doc/openvpn/examples/sample-config-files/
total 68
-rw-r--r-- 1 root root 3427 2011-07-04 15:09 client.conf
-rw-r--r-- 1 root root 4141 2011-07-04 15:09 server.conf.gz
Start with copying and unpacking server.conf.gz to /etc/openvpn/server.conf.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
Edit /etc/openvpn/server.conf to make sure the following lines are pointing to the certificates and keys you created in the section above.
ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem
Edit /etc/sysctl.conf and uncomment the following line to enable IP forwarding.
#net.ipv4.ip_forward=1
Then reload sysctl.
sudo sysctl -p /etc/sysctl.conf
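A pre-start check for the configuration steps above, as an added example that is not part of the guide. The hypothetical helper check_ovpn_conf confirms that server.conf names a ca, cert, key and dh file, that each file exists relative to the config directory (the unit's ExecStart in the status output on this page uses --cd /etc/openvpn), and that the private key has no group or other permission bits set. It assumes GNU stat and paths without spaces or quotes.

```shell
#!/bin/sh
# Added example, not from the guide. check_ovpn_conf is a hypothetical helper.
# Assumes GNU stat (as on Ubuntu) and unquoted paths without spaces.
check_ovpn_conf() {
    conf=$1
    base=$(dirname "$conf")   # relative paths resolve beside the config file
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Lines starting with '#' or ';' are comments and never match here.
    directives=$(awk '$1 ~ /^(ca|cert|key|dh)$/ { print $1, $2 }' "$conf")

    for want in ca cert key dh; do
        printf '%s\n' "$directives" | grep -q "^$want " || {
            echo "MISSING DIRECTIVE: $want"; problems=$((problems + 1)); }
    done

    while read -r name path; do
        [ -n "$name" ] || continue
        case "$path" in /*) full=$path ;; *) full=$base/$path ;; esac
        if [ ! -f "$full" ]; then
            echo "MISSING FILE: $name -> $full"; problems=$((problems + 1))
            continue
        fi
        if [ "$name" = key ]; then
            mode=$(stat -c '%a' "$full")
            case "$mode" in
                0|*00) ;;   # no group/other permission bits set
                *) echo "WEAK PERMISSIONS: $full is mode $mode"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done <<EOF
$directives
EOF
    [ "$problems" -eq 0 ]     # exit status 0 only when nothing was reported
}

# Run against a real config only when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_ovpn_conf "$1"; fi
```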
That is the minimum you have to configure to get a working OpenVPN server. You can use all the default settings in the sample server.conf file. Now start the server. You will find logging and error messages in your journal. Depending on what you are looking for:
sudo journalctl -xe
If you started a templatized service openvpn@server you can filter for this particular message source with:
sudo journalctl --identifier ovpn-server
Be aware that "systemctl start openvpn" does not start the OpenVPN instance you just defined. OpenVPN uses templatized systemd jobs, openvpn@CONFIGFILENAME. So if, for example, your configuration file is "server.conf", your service is called openvpn@server. You can run all kinds of service and systemctl commands, such as start/stop/enable/disable/preset, against a templatized service like openvpn@server.
ubuntu@testopenvpn-server:~$ sudo systemctl start openvpn@server
ubuntu@testopenvpn-server:~$ sudo systemctl status openvpn@server
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2016-04-12 08:51:14 UTC; 1s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 1573 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writep
 Main PID: 1575 (openvpn)
    Tasks: 1 (limit: 512)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           |-1575 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --wr
Apr 12 08:51:14 testopenvpn-server ovpn-server[1575]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Apr 12 08:51:14 testopenvpn-server ovpn-server[1575]: UDPv4 link local (bound): [undef]
Apr 12 08:51:14 testopenvpn-server ovpn-server[1575]: UDPv4 link remote: [undef]
Apr 12 08:51:14 testopenvpn-server ovpn-server[1575]: MULTI: multi_init called, r=256 v=256
Apr 12 08:51:14 testopenvpn-server ovpn-server[1575]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Apr 12 08:51:14 testopenvpn-server ovpn-server[1575]: ifconfig_pool_read(), in='client1,10.8.0.4', TODO: IPv6
Apr 12 08:51:14 testopenvpn-server ovpn-server[1575]: succeeded -> ifconfig_pool_set()
Apr 12 08:51:14 testopenvpn-server ovpn-server[1575]: IFCONFIG POOL LIST
Apr 12 08:51:14 testopenvpn-server ovpn-server[1575]: client1,10.8.0.4
Apr 12 08:51:14 testopenvpn-server ovpn-server[1575]: Initialization Sequence Completed
You can enable/disable various OpenVPN services on one system, but you could also let Ubuntu do the heavy lifting. There is a config for AUTOSTART in /etc/default/openvpn. Allowed values are "all", "none" or a space-separated list of names of the VPNs. If empty, "all" is assumed. The VPN name refers to the VPN configuration file name, i.e. "home" would be /etc/openvpn/home.conf.
If you're running systemd, changing this variable will require running "systemctl daemon-reload" followed by a restart of the openvpn service (if you removed entries you may have to stop those manually). After "systemctl daemon-reload", a restart of the "generic" openvpn will restart all dependent services that the generator in /lib/systemd/system-generators/openvpn-generator created for your conf files when you called daemon-reload.
Now check if OpenVPN created a tun0 interface:
root@server:/etc/openvpn# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
[...]