Ubuntu 18.04 LTS Set Up OpenVPN Server In 5 Minutes

Originally published at: https://www.cyberciti.biz/faq/ubuntu-18-04-lts-set-up-openvpn-server-in-5-minutes/

I am a new Ubuntu Linux 18.04 LTS server user. How do I set up an OpenVPN Server on Ubuntu Linux version 18.04 LTS server to shield my browsing activity from bad guys on public Wi-Fi, and more?

I’m quite surprised you pull up this approach. That installer script is full of issues, and tries to do stuff which is really not good.

First of all … The CA setup here is insecure. It leaves an unprotected (yupp, no passwords!) CA private key on a publicly available server. So if this host is broken into, issuing new client and server certificates is a breeze. And with server certificates, setting up a MITM host is even simpler and users of that VPN won’t even notice.

Secondly, your advice to use the openvpn@.service unit files is bad. OpenVPN 2.4 has added several patches which require newer unit files to integrate better with systemd. Without these integration steps, OpenVPN will not behave well within a systemd environment. In addition, we’ve started the path to restrict the privileges the OpenVPN process has as well. So rather put server configs into /etc/openvpn/server and client configs into /etc/openvpn/client and use the new openvpn-{client,server}@.service unit files. If the package maintainer is doing the right thing, the OpenVPN package should now carry the upstream version of systemd unit files and not the package maintainer’s version, so fixes should now be handled more centrally, making all distros behave more or less the same way.

But in general, such “quick setup scripts” need to be used with utmost carefulness and carefully reviewed before running them. Running random scripts from the Internet as root is a recipe for disaster if not carefully reviewed. Which is why the OpenVPN community recommends going through this “Getting Started How-To” instead of various blog posts or “simple scripts”.

https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN

Yes, I will cover direct setup. Did you look into another script, openvpn-install/openvpn-install.sh at master · angristan/openvpn-install · GitHub? This one seems to address most of your concerns. What do you think?

Hi. Even though not secure enough, this serves my purpose of being able to access my local network over the internet.
Is there any way to look at active users connected to the VPN?
Is there a log to look at?

Is there a command like arp -a I can run on the vpn interface to look at the active clients?

Thanks

Yes, look into OpenVPN log file named /var/log/openvpn/status.log on server:

sudo tail -f /var/log/openvpn/status.log
grep 'public-IPv4-OR-IPv6-address' /var/log/openvpn/status.log
grep 'private-IPv4-address' /var/log/openvpn/status.log

This is how it looks:

OpenVPN CLIENT LIST
Updated,Sat May  2 09:07:27 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
HomeLinuxDesktop,103.xxx.yyy.zzz:37719,153376,145685,Sat May  2 09:04:41 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,HomeLinuxDesktop,103.xxx.yyy.zzz:37719,Sat May  2 09:07:26 2020
fd42:42:42:42::1000,HomeLinuxDesktop,103.xxx.yyy.zzz:37719,Sat May  2 09:04:41 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
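
Added example (not part of the reply above or the original article): a small Python parser for the status file layout quoted above that joins the client list with the routing table, so each connected client is listed with its VPN addresses. The sample data is constructed, `parse_status` is a name chosen for this example, and the file is assumed to use the same layout as the quoted output.

```python
import csv

# Constructed sample in the layout quoted above; addresses are documentation ranges.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Sat May  2 09:07:27 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
HomeLinuxDesktop,203.0.113.10:37719,153376,145685,Sat May  2 09:04:41 2020
OfficeLaptop,198.51.100.7:51820,2048,4096,Sat May  2 09:06:02 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,HomeLinuxDesktop,203.0.113.10:37719,Sat May  2 09:07:26 2020
fd42:42:42:42::1000,HomeLinuxDesktop,203.0.113.10:37719,Sat May  2 09:04:41 2020
10.8.0.3,OfficeLaptop,198.51.100.7:51820,Sat May  2 09:07:20 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTIONS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS")

def parse_status(text):
    """Return (clients, complete); complete is False if the END marker is missing."""
    clients = {}  # keyed by (common name, real address): names alone may repeat
    section, complete = None, False
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        if len(row) == 1 and row[0] in SECTIONS:
            section = row[0]
        elif row == ["END"]:
            complete = True
        elif section == SECTIONS[0] and len(row) == 5 and row[0] != "Common Name":
            name, real, rx, tx, since = row
            clients[(name, real)] = {
                "common_name": name, "real_address": real,
                "bytes_received": int(rx), "bytes_sent": int(tx),
                "connected_since": since, "virtual_addresses": [],
            }
        elif section == SECTIONS[1] and len(row) == 4 and row[0] != "Virtual Address":
            vaddr, name, real, _last_ref = row
            if (name, real) in clients:  # ignore routes with no matching session
                clients[(name, real)]["virtual_addresses"].append(vaddr)
    return list(clients.values()), complete

if __name__ == "__main__":
    sessions, complete = parse_status(SAMPLE_STATUS)
    for s in sessions:
        print(s["common_name"], s["real_address"], ",".join(s["virtual_addresses"]))
```

To use it on a server, pass the contents of the status file to `parse_status` and treat a `False` second value as an incomplete snapshot.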

There is no log file in that directory. The VPN does work as I do get client to client pings working, as you can see last login was from one of the clients.

The other installation script you’ve made works better I guess. I installed it on another server and I am getting the logs on that one.
I guess I’ll just install the new one everywhere.

By any chance if you have any guide/idea on monitoring all http and https requests made by the clients let me know. Since the server is the actual machine that makes the requests of the clients, is it possible to log every web browsing activity?
I wanted to see the complete URL of the request made.
I was able to use httpry and ntopng but there seems to be no easy way to monitor https traffic completely. I understand that https works like that and I’ll have to use some kind of certificate and proxy.

Thank you for creating this easy installation guide, by the way.

How to enable OpenVPN logs

Add the following line in your /etc/openvpn/server.conf

status /var/log/openvpn/status.log

And restart the OpenVPN. You will have logs.

Monitoring HTTPS URL

This is tricky but doable. HTTPS by design encrypts everything, so there is no way to see what end users are doing. However, one can still see URLs if they want. Typically a proxy server such as SQUID is installed and it can do what you want (it is called SSL interception), but it puts the privacy and security of your users at risk due to MITM.