Introduction
OpenVPN is an open-source software application used for establishing secure point-to-point or site-to-site connections over public networks like the internet. This Virtual Private Network (VPN) solution leverages industry-standard encryption protocols to tunnel traffic through encrypted channels between devices across an unsecured intermediary network.
OpenVPN allows remote users to securely access a private business or home network. It essentially extends a secure virtualized private LAN to client machines thereby protecting communication privacy, web traffic anonymity, and facilitating access controls.
This guide outlines the necessary steps for installing and configuring OpenVPN on the Linux Mint operating system. Following this process will furnish a functional VPN server and client instance on your network for remote access usage.
Prerequisites
Before installation, some prerequisites must be satisfied:
- Root/sudo access privileges on the Linux Mint system are necessary for adding packages and modifying critical network configuration files during setup.
- Verify the system date and time on Linux Mint are correct. Certificate validity periods are taken from the system clock, so an incorrect clock leads to certificate verification failures.
- Maintain internet access on the Linux Mint platform throughout installation to download additional components from software repositories. Offline package installations may fail or require manual downloads outside this guide.
Once those conditions are confirmed on the Linux Mint platform, we can proceed with installing the OpenVPN core packages and dependencies.
Installing OpenVPN on Linux Mint
The OpenVPN software suite requires support from the OpenSSL cryptography library and the TUN/TAP virtual networking driver to furnish encrypted tunnel connectivity on Linux systems.
Linux Mint closely tracks Ubuntu LTS releases, therefore installation follows the Debian/Ubuntu convention by fetching packages via APT:
sudo apt update
sudo apt install openvpn openssl ca-certificates easy-rsa
Those commands refresh the APT package lists before pulling in OpenVPN, OpenSSL, the CA bundle and easy-rsa (which provides the make-cadir tool used below) through the system package manager.
With the binaries installed, the next step is configuring the Linux networking component.
Configuring Network Bridging in Linux Mint
Routing traffic between the VPN tunnel interface and the physical network interface requires bridging the two. The Linux kernel natively includes bridging support.
First check whether the br_netfilter module is loaded:
lsmod | grep br_netfilter
If the output is empty, enable loading the module on boot:
echo 'br_netfilter' | sudo tee -a /etc/modules
Then load the module manually:
sudo modprobe br_netfilter
Make sure /proc/sys/net/bridge shows all the bridge-nf settings enabled (grep prints each file name beside its value):
grep . /proc/sys/net/bridge/*
Finally, persist the bridge filtering configuration across reboots by editing sysctl.conf:
sudo nano /etc/sysctl.conf
Add these lines:
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
Save the file and reload the settings with:
sudo sysctl -p
That sets up the Linux bridge module for correctly passing traffic between network interfaces.
Creating the Certificate Authority (CA)
OpenVPN uses public key infrastructure for managing client certificates during authentication. This requires creating our own Certificate Authority (CA) to sign and generate certs.
Under the /etc/openvpn directory, initialize the CA hierarchy and create the subdirectories the later commands write into:
sudo make-cadir /etc/openvpn/pki
sudo mkdir -p /etc/openvpn/pki/private /etc/openvpn/pki/certs
Define certificate details in a vars file:
sudo nano /etc/openvpn/vars
Fill it with site-specific values:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyVPN"
Source the vars file (sourcing is a shell builtin, so it cannot be run through sudo):
source /etc/openvpn/vars
Generate the master CA certificate and key (the 3650-day lifetime is a placeholder to adjust; without -days, openssl defaults to only 30 days):
sudo bash -c "openssl req -nodes -new -x509 -days 3650 \
-keyout /etc/openvpn/pki/private/ca-key.pem \
-out /etc/openvpn/pki/ca.crt"
Enter information matching the vars file when prompted. The certificate ca.crt and private key ca-key.pem are written under /etc/openvpn/pki, completing the CA setup.
With the certificate authority initialized, we can proceed generating server and client certificates signed by the CA for authentication.
Generate OpenVPN Certificates
The server certificate secures the OpenVPN daemon instance itself running locally and facilitating the VPN termination point. Meanwhile client certificates get dynamically generated upon first user connection to the VPN then issued to their device to allow future connections after authentication.
Set Up Server Certificate
Navigate to the PKI directory:
cd /etc/openvpn/pki
Generate the server key and a certificate signing request, then issue the certificate with the CA (an openssl req -x509 call here would produce a self-signed certificate that does not chain to the CA):
sudo bash -c "openssl req -nodes -new \
-keyout private/server-key.pem \
-out server.csr \
-config /etc/openvpn/pki/openssl.cnf"
sudo bash -c "openssl x509 -req -in server.csr \
-CA ca.crt -CAkey private/ca-key.pem -CAcreateserial \
-out certs/server-cert.pem -days 365 \
-extfile /etc/openvpn/pki/openssl.cnf -extensions server"
Enter the information matching the CA vars file details again when prompted, then confirm certificate issuance.
Generate Client Certificates
To start, customize the certificate extension config:
sudo nano /etc/openvpn/pki/openssl.cnf
Add a [ client ] extension section (the section that -extensions client refers to below) containing this line:
[ client ]
extendedKeyUsage = clientAuth
Save the changes to authorize client authentication.
As for the server, invoke openssl to generate the client key and signing request, then sign it with the CA (openssl req -new on its own only writes a CSR, not a certificate):
sudo bash -c "openssl req -nodes -new \
-keyout private/client1-key.pem \
-out client1.csr \
-config /etc/openvpn/pki/openssl.cnf"
sudo bash -c "openssl x509 -req -in client1.csr \
-CA ca.crt -CAkey private/ca-key.pem -CAcreateserial \
-out certs/client1-cert.pem -days 365 \
-extfile /etc/openvpn/pki/openssl.cnf -extensions client"
Repeat those commands, replacing the client1 identifiers, for each additional VPN client needing access, supplying data fields matching the CA vars file details each time.
The generated *.pem files get placed in relevant subdirectories within /etc/openvpn/pki. These authorize future client connections.
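To confirm that the server and client certificates issued above really chain to the CA and carry the right key usage before anything is deployed, here is an added example (not from the page) that rebuilds the same hierarchy non-interactively in a scratch directory and verifies it; it serves both the server and client certificate steps. The ext.cnf contents, the CN values passed via -subj, and the scratch path are constructed for this example.

```shell
# Added example, not from the page: build the CA / server / client PKI the
# page describes, non-interactively in a scratch directory, then verify it.
set -eu

build_pki() {   # $1 = PKI directory (scratch path chosen by the caller)
  pki=$1
  mkdir -p "$pki/private" "$pki/certs"
  # x509 extension sections referenced by -extensions server / client.
  # extendedKeyUsage only takes effect in sections like these, never under
  # [ CA_default ]. Constructed here; the page assumes openssl.cnf has them.
  cat > "$pki/ext.cnf" <<'EOF'
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  # The CA is the only self-signed (-x509) certificate in the hierarchy.
  openssl req -nodes -new -x509 -days 3650 -subj "/CN=Example VPN CA" \
    -keyout "$pki/private/ca-key.pem" -out "$pki/ca.crt" 2>/dev/null
  for name in server client1; do
    # CSR first, then a CA-signed cert: 'req -x509' here would self-sign,
    # and 'req -new' alone only writes a CSR, never a certificate.
    openssl req -nodes -new -subj "/CN=$name" \
      -keyout "$pki/private/$name-key.pem" -out "$pki/$name.csr" 2>/dev/null
    case $name in server) sect=server ;; *) sect=client ;; esac
    openssl x509 -req -in "$pki/$name.csr" -CA "$pki/ca.crt" \
      -CAkey "$pki/private/ca-key.pem" -CAcreateserial -days 365 \
      -extfile "$pki/ext.cnf" -extensions "$sect" \
      -out "$pki/certs/$name-cert.pem" 2>/dev/null
  done
}
# 0 when the cert chains to ca.crt and carries the expected role
# ($3 = Server or Client, as 'openssl x509 -text' prints the EKU).
check_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/certs/$2-cert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/certs/$2-cert.pem" -noout -text | grep -q "TLS Web $3 Authentication"
}

# 0 when the private key really belongs to the certificate; a mismatch is a
# classic reason a freshly issued client fails the TLS handshake.
key_matches() {
  c=$(openssl x509 -in "$1/certs/$2-cert.pem" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$1/private/$2-key.pem" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}
```

Run build_pki against a temporary directory, then call check_cert and key_matches for server and client1; the same two checks can be pointed at /etc/openvpn/pki to audit the real hierarchy.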
Configure OpenVPN Network Routing
At this point the OpenVPN installation is complete, but routing still has to be configured so that traffic passes correctly through the Linux Mint system's network interfaces.
Linux integrates the netfilter framework for managing firewall policies and NAT routing. OpenVPN requires adding custom iptables rules to handle tunneling packets between the tun0 virtual VPN interface and local physical networking ports.
Initialize the VPN server configuration skeleton:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Edit server.conf with nano or vim to specify the VPN networking mode – either bridged or routed:
# dev tun selects routed mode; the server line already implies
# mode server, tls-server and the ifconfig 10.8.0.1 10.8.0.2 assignment
dev tun
server 10.8.0.0 255.255.255.0
mode server
tls-server
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2
Save the changes and enable IP packet forwarding for the running kernel:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Allow IPv4 traffic forwarding persistently:
sudo nano /etc/sysctl.conf
Uncomment:
net.ipv4.ip_forward=1
Save and reload the sysctl settings:
sudo sysctl -p
Finally, add iptables policies to handle VPN/LAN forwarding (replace eth0 with the interface that carries your default route, as shown by ip route show default):
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Those iptables rules masquerade VPN client subnet traffic through the default network interface out to the internet, while only reply traffic to connections the clients opened is forwarded back in to them.
With server-side configuration complete we can establish client connectivity.
Connect Linux Mint Client to OpenVPN
Clients leverage generated auth certificates under /etc/openvpn/pki from the Certificate Authority to securely connect to the OpenVPN server instance. Configuration requires transferring necessary credential files to client devices first before activating the VPN tunnel.
On the OpenVPN server, locate the generated client cert/key files for transfer.
Bundle the keypair, together with the CA certificate the client must trust, for example for client1 (the private directory is root-only, hence sudo):
cd /etc/openvpn/pki/certs/
sudo zip client1.zip client1-cert.pem ../private/client1-key.pem ../ca.crt