Background

Over time, we use multiple VPN products such as ExpressVPN and IPVanish and they are excellent products. But then we found that it’s underutilised so we decided to find alternative but cost-effective. We found OpenVPN which is open-source. Since we have multiple virtual machines in the clouds, we decided to explore and install this into one of our Ubuntu servers.

Solution

Here’s the step-by-step:

Installation

First, we need to check the minimum system requirements on the OpenVPN website.

We log in to the Ubuntu server.

We update and upgrade the packages. To do this, we run the following command:

apt update

apt upgrade

Then, we install the required dependencies. We run the following command:

apt install ca-certificates wget net-tools gnupg

We add the OpenVPN server to the repository list. To do this, we run a few commands:

wget -qO - https://as-repository.openvpn.net/as-repo-public.gpg | apt-key add -

echo "deb http://as-repository.openvpn.net/as/debian focal main" > /etc/apt/sources.list.d/openvpn-as-repo.list

apt update

We install the OpenVPN Access Server (AS). To install, we run the command:

apt install openvpn-as

Once installed, we write down the username and password.

Access

To access the Admin dashboard, we open up a browser and access https://[your-ip-address]:943/admin

Note: If you are running a firewall, ensure to open this port 943

Note: In our case, we managed to get in BUT previously somehow we were in the loop that keeps coming up with the welcome message and then went to the login page. It did not go to the dashboard page for some reason. We follow this solution – FAQ – Why can’t I access the Adminclient UI

To access client software (Windows, Mac, iOS, Android and Linux), we open up a browser and access https://[your-ip-address]:943

We then download the relevant operating system and install the client.

Configuration

To improve the security of the VPN, we make some adjustments to settings.

We log in to the admin.

Under the Configuration, we click TLS settings.

We set the TLS 1.3 to the Yes option.

Then, we click the Save Settings button.

Under VPN, we go to the DNS settings section.

We change the Have clients use a specific DNS server to the Yes option.

Primary Address: 1.1.1.1
Secondary Address: 1.0.0.1

Note: We use the Cloudflare DNS server.

Still, under VPN, we go to the Routing section and we change Should VPN clients have access to private subnets (non-public network on the server-side) to No.

We then click the Save Settings button to save.

Under the Advanced VPN, we go to the TLS Control Channel Security section and select the tls-cryptv2 to Yes option.

To disable the logs, we modify few configurations. The OpenVPN stored logs in 2 places: /usr/local/openvpn_as/etc/db/log.db and /var/log/openvpsas.logOpen up the OpenVPN config file: /usr/local/openvpn_as/etc/as.conf

We modify the log_db entry in the log.db file.

From:

# log DB
log_db=sqlite:///~/db/log.db

to

# log DB 
log_db=/dev/null

We then save the config file.

Next, we modify the process running.

We go to the console and we run the command.

systemctl edit --full openvpnas

This will open a text file.

Under ExecStart=xxx, we then replace:

from:

--logfile=/var/log/openvpnas.log

to

--logfile=/dev/null

We save the file and overwrite it.

We restart the service by running the following command:

systemctl restart openvpnas

We check the 2 log files and we run a few commands:

cat /usr/local/openvpn_as/etc/db/log.db

cat /var/log/openvpsas.log

We then delete 2 logs by running a few commands:

echo "" > /usr/local/openvpn_as/etc/db/log.db

echo "" > /var/log/openvpsas.log

We access the OpenVPN client and turn on the profile to activate the VPN.

We access a few websites and go back to the console to verify the 2 log files – it should be null.

The End

Congratulation on reaching the end of this article. We hope that we have been able to shed some light on outlining what you need to know to install and configure OpenVPN on Ubuntu.

We write this in such a way that this is not a fixed article. Like in this journey, we learn as we go and we re-write some parts of the article so please keep pinging with this article or any general tech posts.

We also would love to hear about how you deal with the situation and what IT-related challenges you might be facing. Please feel free to leave us a comment below this article or you can contact us on the Dewacorp website for your IT support, application integration, application development, or other IT-related. Alternatively, you can casually have a chat on Dewachat. Let us know if you have any questions that we can help with!

Big thank you for the photo by Kevin Paster from Pexels.

If you want to boost your product and service to the wider web community, you can visit our Dewalist classified website – home to 15,000+ active users and 25,000+ active advertising so far. Check it out!

If you love this security article or any security posts and you would like to receive an update of this article or our latest post, please sign up for the form below: