Linux Server Build: OpenVPN From Scratch – Hak5 2019
Articles,  Blog

Linux Server Build: OpenVPN From Scratch – Hak5 2019

Secure your internet traffic for free We are building a vpn server the hard way And it’s not that hard this time on Hak5 Hello and welcome to Hak5 my name is Darren Kitchen My name is Shannon Morse it’s your weekly dose of technolust And we are wearing funny hats Yes we are Because- We won an award Maybe. kind of I think we did, pretty sure We’ll talk about that at the end of the episode But first we should probably get into what we’re doing today HaHa install vanilla ubuntu 14.04 server to SSH into as ROOT install a few packages and configure some config files for OpenVPN, some firewall rules, generate some certificate authority, generate some KEYS -build scripts will make this easy. Once generated we will copy to our device. Any OpenVPN client – we will generate client.ovpn file ! YAY SSH into server install openvpn & easy-rsa unzip server.conf.gz putting it in /etc/openvpn calling it server.conf edit server.conf – tells port, TCP or UDP, TAP or TUN edit dh to 2048 uncomment redirect-gateway – remove semicolon uncomment DNS change DNS to whatever you want – and uncomment nobody in order to run as unprivileged user – save &close these settings are being PUSHED TOTHE CLIENTS turn a switch on in a file using echo, change from “0” to “1” in order to tell the firewall to let the bits flow – forward ipv4 traffic we are going to want this to happen every time we boot up /etc/sysctl.conf. uncomment net.ipv4.ip_forward=1 now set up some IP tables (basically a FIREWALL) UFW ufw allow ssh and ufw allow 1194/udp edit /etc/default/ufw to accept the packets in forwarding policy next we enable NAT and MASQUERADING in clients edit /etc/ufw/before.rules *nat
COMMIT ………………………..IP address scheme of our openVPN server config file ufw enable Time for PKI copy some files from easy-rsa over to OpenVPN make keys directory go into /etc/openvpn/easy-rsa/vars and make appropriate changes to country etc etc and remember the “KEY_NAME” time to generate some KEYS Generate the 2048 bit Diffie-Hellman pem file we pointed to in the openvpn config
openssl dhparam -out /etc/openvpn/dh2048.pem 2048 move to the easy-rsa directory Set the variables we configured
. ./vars
./build-ca #Accept all defaults
./build-key-server server #Accept all defaults Move the newly generated certificates to /etc/openvpn
cp server.crt server.key ca.crt /etc/openvpn Time to start openvpn service start the OpenVPN service
service openvpn start
service openvpn status Time to get clients going now that the server is up and running OPENVPN! Setup keys for the first client LAZY WAY use one key for all client devices NOT RECOMMENDED!
uncomment duplicate-on Setup keys for the first client

./build-key client
ls keys in home directory create folder named “client” Make a new directory to merge the client configuration and keys
mkdir ~/client Copy the example client configuration renaming the file extension from conf to ovpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client/pineapple.ovpn cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client/pineapple.ovpn

cd /etc/openvpn/easy-rsa/keys
cp client.crt client.key client.ovpn ~/client
cp /etc/openvpn/ca.crt ~/client Determine public IP address

nano pineapple.ovpn
# find remote and replace my-server-1 with IP address of VPN server
# uncomment group nogroup
# uncomment user nobody
# comment out the ca, cert and key directives
# save and exit create a unified file echo “ca” to pineapple.ovpn
cat ca.crt to pineapple.ovpn
echo “/ca” to pineapple.ovpn

echo “cert” to pineapple.ovpn
cat client.crt to pineapple.ovpn
echo “/cert” to pineapple.ovpn

echo “key” to pineapple.ovpn
cat client.key to pineapple.ovpn
echo “/key” to pineapple.ovpn HAT TIME!


  • Touhidur Rahman

    Dear Hak5 Team, it was a great tutorial! It helped me learning the complete process of setting up VPN very clearly. But I was wondering how to scale it up? For example, the openvpn server is running in one instance now. But how to use another instance behind a DNS (or Load balancer) so that the IP remain same but my service can handle more clients? Need this concept for academic purpose. Will you please make a tutorial on this topic, it will be really helpful. Thanks

  • DerBauer

    great show guys loved the detailed content and the long duration with comprehensive walk through. much appreciated.

  • Tariq Quadeer

    How would i change the rules differently if i used iptables instead of ufw? ufw was giving me other problems, i have iptables setup.

  • Yuuki Sakai

    I'm a total hacking noob, but this was so much fun to watch. I'll get this running, and I'll also enjoy seeing your videos about raspberry pi and RF. Keep up the good work!

  • Chris Summers

    I have been taking a strong liking to your show and have been learning tons on my "re-learning" of my linux knowledge. It's been a while since I've been into Linux and I've been getting back into it. You guys (and Gal) have been a great help. Thank you!

  • Egel Urip

    Wow this is great. I tried this. I followed every step. In my router (connected to the modem), I setup Port forwarding (port 1194 and Local IP of the machine that will be running the openvpn). I manage to connect to the openvpn server but I could not browse the net. As if internet is not working. Can anyone help?

  • xram

    I had some problems and wanted to share my solution. I am running this on a Ubuntu Server. There was an error that I could not figure out at first, the commands to build did not work unless I was logged in as the Root user! Sudo did not work. Besides that I also noticed that writing ". ./vars" did not work, I had to write "source ./vars". After that Everything worked!

  • Adam W.

    Hey, I have some problems to run OVPN connection from Raspberry Pi0w/ Pi3 as a client ( with Jessie edition ). Can I set up access to server using network manager with VPN option ?.
    Is there any manual how to setup Raspberry based clients or maybe is there any dedicated client for Raspberry PI ?

  • Svetlana Vostok

    yes vote for ipv6 – any chance of another for the export key for another country like uk? so far 100 hrs of search simply says move to CA as you said. and thanks for providing these tuts. 1 more thing, how do i fix /etc/openvpn/easy-rsa/openssl-1.0.0.conf being blank?

  • Pavel Kononov

    Ну из черновиков и что дальше, чего там поменялось то :), показали стандартную процедуру, растянули ее на час эфирного времени. пипец.

  • Cameron Modding

    You could buy a external drive with either windows or Linux and your HDD with the opposite so you can switch easily. that's what I do 😉

  • Ankit Tiwari

    How can I add ssl certificate generated by other authorities so that client can proceed to login page without adding exception.

  • Andrew Joy

    unzip is wrong you need to echo the gz file to the conf file gunzip -c /usr/share/doc/openvpn>
    /examples/sample-config-files/server.conf.gz /etc/openvpn/server.conf

  • brian420

    WHEN YOU GET A FILE NOT FOUND ERROR DURING ./build-ca then you can create a link to the latest file using "ln -s openssl-1.0.0.cnf openssl.cnf"

  • fisher man

    can you help me with building a VPN on a VDS/VPS? i have been using centos but can convert to any operating system you suggest. Running into a few issues and cant find any good threads or videos online.

  • Michael Portela

    Hi. created a VM with ubuntu server in microsoft azure. i follow all the steps in this video. i import the .ovpn file to my iphone, it doesn't connect to the server. i also configure the network security group on the Azure VM setting to allow port 1194/UDP. still not working. please help. thanks

  • Shreehari R

    Hello Hak5. Thank you, this seems to work when the two devices are in the same network. But fails to connect if the devices are in different network. Please do help

  • mrfreeferrari

    thank you guys ver helpfull tut . and if the content is good we never mind a long video. can you guys re-do it with easy-rsa 3.0.3 and CenOS Linux

  • qwarlock Z

    This was a great run through. Thanks so much for making this pretty straight forward. This gave me what I did not have before. Going through docs and tutorials and the like it always had a LOT of extra. This was just a handbook on "Lets just make this work." You rock!

  • John Roby

    ./build-ca didnt work for me.

    KEY_CONFIG is pointing to the wrong version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
    The correct version should have a comment that says: easy-rsa version 2.x

  • No_Name

    If you’re getting a KEY_CONFIG error stating the openssl.cnf is not correct or similar, use this while in the specified directory of the issue (where build-ca is located): ln -s openssl-1.0.0.cnf openssl.cnf

  • Nefferson Sylvestre

    If I want 2 concurrent clients from different networks to be able to access resources on each other network, is there any additional configuration I should do ?

  • WookieFanboi

    I know, I know, 2 years later…

    First, thanks for this – its very informative, and you'd be surprised how few VPN server setup walkthroughs there are out there. If you all are still paying attention to comments, it might be cool to give a refresher on why "allow ssh" on its own isn't very safe (just explain you're keeping your putty session active). Not sure if you guys have done a ssh keypair video but i'd love to see an updated/current one.

  • D. Shvan

    I've done this on my Ubuntu Server 16.04 running behind NAT on VMware. However, I'm not able to connect outside clients to my OpenVPN. I've also tried to port forward all incoming packets on UDP 1194 to my server. Didn't help.. Any suggestions?


    openvpn.service – OpenVPN service

    Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enable

    Active: active (exited) since Xxx **-**-** *:**:
    * XXX; 2min 10s ago

    Process: 487 ExecStart=/bin/true (code=exited, status=0/SUCCESS)

    Main PID: 487 (code=exited, status=0/SUCCESS)

    CGroup: /system.slice/openvpn.service

    Active: active (exited)

    Can't figure out what is going wrong
    need help on this

  • David Juhl

    What actually gets encrypted once you activate the client? I have a nginx server with phpmyadmin installed. Do I need to tell nginx the ip address off the openvpn client, or is any traffic on my lan encrypted once the client is activated?

  • Silent Note

    Question : how to make a LINUX PC run 2 PCI M-Audio Delta 1010 ( that model with Breakout Box ), to be used with COKOS REAPER DAW ( Digital Audio Workstation ) for LINUX ??? Please consider making a VIDEO showing that … Please …

  • Trond Nyløkken

    Hi Is this method possible to get a ip adress for other country so it looks like I am in other country?
    I have a private network and ubuntu servers one with 6 websites in wordpress and some computer and a static ip.
    I like to use the vpn to let me see norwegian tv on internet when I am abroad. Is this what I need?

  • harmanpreet kaur

    i am using virtual machine and ufw is not installed and i am unable to do that hoe can i install ufw ? any one plz

  • kelvin klufio

    In the demo, you guys used ovpn, is that going to work for just any client; link me connecting CentOS client machine?

  • Aydin Jamshidi

    Please make OpenVPN with OBFS proxy video (Scrambling the traffic). I searched the internet and youtube and couldn’t find any good guide about it. OpenVPN traffic is blocked in some countries for censoring the internet .

  • Von Doom

    I love my Pi, but i bought a refurbished HP ProLiant DL360 G7 for less than $200 off Amazon and this thing is a beast. I’m loading down every home service I need, from Plex-Media to DNS Blackhole. I’m looking forward to testing this OpenVPN install video when I get home tonight.
    Thanks Hak5. As always, your tutorials are second to none. Fun, detailed, and insightful in ways only seasoned veterans of the field can provide.

  • John Henry

    It appears that there have been a number of changes since 2016. Wondering if you might do an update for 2019?
    (I initially thought this was a 2019 tutorial because of the title.)

  • Jonathan Pascal

    don't you have to port forward in you router ? i'm confused this is different from other OpenVPN setups
    I did all of this and it's not what i'm looking for, BUT HEY I LEARNED SO MUCH ABOUT LINUX FROM THIS VIDEO !!! thanks guys.

  • Vansh Tiwari

    I'm make the openvpn server & client they are connecte properly..
    But please tell me how to access ip camera, plc & hmi they are connected to client side mean i want to access these three devices by ovpen network
    In this my medium us raspberry pi 3

  • Roman

    IIIIIIIIIIII LOOOOOOOOOOOOOOOOOOOOOOOOOOVEEEEEE YOUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU I spent straight 3 hour on the Arch wiki and now it work omg I was so so close 17:41 I put tun0 instead of the real one lmaoooo i'm so glad it work

Leave a Reply

Your email address will not be published. Required fields are marked *