
OpenVPN Linux Mint


Introduction

OpenVPN is an open-source application for establishing secure point-to-point or site-to-site connections over public networks such as the internet. It is a Virtual Private Network (VPN) solution that builds an encrypted tunnel on top of TLS (using the OpenSSL library), so that traffic between two devices is protected while it crosses an untrusted intermediate network.

OpenVPN allows remote users to securely access a private business or home network: it extends a virtual private LAN to the client machine, protecting the confidentiality and integrity of traffic in transit, hiding its contents from whatever local network the client happens to be on, and letting the server decide who may connect. It does not make the client anonymous; the VPN server sees all of the tunnelled traffic.

This guide outlines the steps for installing and configuring OpenVPN on the Linux Mint operating system: a VPN server with its own certificate authority, and the credentials a client needs to connect for remote access.

Prerequisites

Before installation, some prerequisites must be satisfied:

  • Root/sudo privileges on the Linux Mint system, since setup installs packages and edits network and firewall configuration files.
  • A correct system date and time on Linux Mint. Certificates carry a validity window (notBefore/notAfter), and both certificate generation and the TLS handshake use the local clock, so a badly skewed clock yields certificates that are "not yet valid" or connections that fail verification.
  • Internet access on the Linux Mint machine throughout installation, to fetch packages from the software repositories. Offline installation requires downloading the packages manually, which this guide does not cover.

Once those conditions are met, we can install the OpenVPN packages and their dependencies.

Installing OpenVPN on Linux Mint

The OpenVPN software suite depends on the OpenSSL cryptography library for TLS and on the kernel's TUN/TAP virtual network driver for the tunnel interface.

Linux Mint tracks Ubuntu LTS releases (LMDE tracks Debian), so installation follows the Debian/Ubuntu convention of fetching packages with APT:

sudo apt update
sudo apt install openvpn openssl ca-certificates

The first command refreshes the package index; the second installs OpenVPN, the OpenSSL command-line tool used below to build the certificate authority, and the system CA bundle, at the versions carried by the distribution's repositories.

With the binaries in place, the next step is the networking configuration on the Linux side.

Configuring Network Bridging in Linux Mint

OpenVPN has two networking modes. With a tun device the server routes IP packets between the tunnel subnet and the physical interface, which needs only IP forwarding and NAT (set up later under "Configure OpenVPN Network Routing"). With a tap device the tunnel carries Ethernet frames and the tap interface is bridged to the physical NIC; that is the only case in which the steps in this section matter. The server configuration in this guide uses dev tun, so you can skip ahead to the CA section unless you specifically need a bridged (tap) setup, for example to deliver broadcast or non-IP traffic to VPN clients. Creating the bridge itself (a br0 device with the NIC and the tap interface as ports) is not covered here.

The Linux kernel includes bridging natively. The br_netfilter module additionally makes frames crossing a bridge visible to iptables, so that a firewall can filter bridged VPN traffic. First check whether br_netfilter is loaded:

lsmod | grep br_netfilter

If the output is empty, register the module so it loads at boot:

echo 'br_netfilter' | sudo tee -a /etc/modules

Then load it now, without rebooting:

sudo modprobe br_netfilter

The /proc/sys/net/bridge directory only appears once the module is loaded. Confirm that the three bridge-nf-call-* entries are present and set to 1 (the remaining entries in that directory default to 0 and can stay that way):

cat /proc/sys/net/bridge/*

Finally persist the bridge filtering settings across reboots by editing sysctl.conf:

sudo nano /etc/sysctl.conf

Add these lines:

net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

Save the file and apply it:

sudo sysctl -p

sysctl -p fails on these keys with "cannot stat /proc/sys/net/bridge/..." if br_netfilter is not loaded when it runs, including at boot if the /etc/modules entry was skipped, which is why the module entry above comes first. With that in place the bridge module passes bridged frames through the host firewall.

Creating CA Certificate Authority

OpenVPN authenticates both ends of the tunnel with X.509 certificates, so we need our own Certificate Authority (CA) to issue the server and client certificates. Easy-RSA (the easy-rsa package, whose make-cadir command sets up a working directory) is the usual wrapper for this; this guide drives openssl directly so that every step is visible.

Create the PKI directory layout under /etc/openvpn and restrict the private key directory to root:

sudo mkdir -p /etc/openvpn/pki/private /etc/openvpn/pki/certs /etc/openvpn/pki/reqs
sudo chmod 700 /etc/openvpn/pki/private

Define the certificate subject details in a vars file:

sudo nano /etc/openvpn/vars

Fill with site-specific values (the values below are OpenVPN's sample organisation; replace every field with your own):

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyVPN"

Source the vars file into your current shell. The dot command is a shell builtin, so it cannot be run through sudo; instead the variables are expanded by your shell and then passed as arguments to the sudo openssl commands below:

. /etc/openvpn/vars

Generate the self-signed CA certificate and its private key:

sudo openssl req -x509 -new -nodes -newkey rsa:4096 -sha256 -days 3650 \
  -keyout /etc/openvpn/pki/private/ca-key.pem \
  -out /etc/openvpn/pki/ca.crt \
  -subj "/C=$KEY_COUNTRY/ST=$KEY_PROVINCE/L=$KEY_CITY/O=$KEY_ORG/OU=$KEY_OU/CN=OpenVPN-CA/emailAddress=$KEY_EMAIL"
sudo chmod 600 /etc/openvpn/pki/private/ca-key.pem

-subj fills the subject in from the vars file, so nothing is prompted. -days 3650 is required: without it openssl issues the CA certificate for its default of 30 days, after which every certificate it signed stops validating. -nodes leaves the CA key unencrypted; for anything beyond a lab, omit it so the key is protected by a passphrase, and keep ca-key.pem off the VPN server entirely: anyone holding it can mint client certificates that the server will accept.

The certificate ca.crt and private key ca-key.pem now sit under /etc/openvpn/pki. ca.crt is public and will be copied to every client; ca-key.pem is the most sensitive file on the system.

With the certificate authority initialized, we can generate the server and client certificates it signs.

Generate OpenVPN Certificates

The server certificate identifies the OpenVPN daemon to connecting clients. It must carry the serverAuth extended key usage so that clients configured with remote-cert-tls server reject any other certificate signed by the same CA; otherwise a stolen client certificate could impersonate the server. Client certificates are issued by the administrator ahead of time, one per device, and copied to that device; OpenVPN does not generate them on first connection.

Both kinds are produced the same way: create a key and a certificate signing request (CSR), then sign the CSR with the CA key, attaching the extensions for the intended role. Define those extension sets once in an OpenSSL config file inside the PKI directory:

sudo nano /etc/openvpn/pki/openssl.cnf

Contents:

[ server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth

Save the file. The extendedKeyUsage values are what let each side of the tunnel check that the peer's certificate was issued for the right role.

Set Up Server Certificate

Navigate to the PKI directory (the vars file from the previous section should still be sourced in this shell):

cd /etc/openvpn/pki

Generate the server key and CSR, then sign the CSR with the CA:

sudo openssl req -new -nodes -newkey rsa:2048 -sha256 \
  -keyout private/server-key.pem -out reqs/server.csr \
  -subj "/C=$KEY_COUNTRY/ST=$KEY_PROVINCE/L=$KEY_CITY/O=$KEY_ORG/OU=$KEY_OU/CN=server/emailAddress=$KEY_EMAIL"
sudo openssl x509 -req -in reqs/server.csr \
  -CA ca.crt -CAkey private/ca-key.pem -CAcreateserial \
  -days 365 -sha256 -extfile openssl.cnf -extensions server \
  -out certs/server-cert.pem

Do not add -x509 to the req command here: that would produce a self-signed certificate that the CA never signed, and clients would reject it. The CN (server) is the name clients can pin with verify-x509-name.

Generate Client Certificates

Client certificates use the [ client ] section of the same config file, so the only differences are the file names, the common name and the -extensions value:

sudo openssl req -new -nodes -newkey rsa:2048 -sha256 \
  -keyout private/client1-key.pem -out reqs/client1.csr \
  -subj "/C=$KEY_COUNTRY/ST=$KEY_PROVINCE/L=$KEY_CITY/O=$KEY_ORG/OU=$KEY_OU/CN=client1/emailAddress=$KEY_EMAIL"
sudo openssl x509 -req -in reqs/client1.csr \
  -CA ca.crt -CAkey private/ca-key.pem -CAcreateserial \
  -days 365 -sha256 -extfile openssl.cnf -extensions client \
  -out certs/client1-cert.pem

Repeat the pair of commands with a different name in place of client1 for each additional client. Give every device its own certificate rather than sharing one: that is what allows a single lost laptop to be revoked later (crl-verify in the OpenVPN manual) without re-issuing everyone.

The generated files land in the subdirectories of /etc/openvpn/pki: private keys under private/, CSRs under reqs/ and signed certificates under certs/. The certificate plus key pair is what authorizes a client's future connections.
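The CA and certificate steps above, from directory layout to signed client certificate, as one script with a verification step at the end. This is an added example written for this edit, not code from the original page or from the OpenVPN project. PKI_DIR defaults to a scratch directory so it can be tried unprivileged; the KEY_* defaults and the admin@example.com address are placeholders, and the common names server and client1 are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the page's or OpenVPN's code): build an OpenVPN PKI with
# plain openssl (self-signed CA, CA-signed server and client certs carrying the
# right extendedKeyUsage) and verify the result. Set PKI_DIR=/etc/openvpn/pki
# and run as root for the real thing. Subject values below are placeholders.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
KEY_COUNTRY="${KEY_COUNTRY:-US}"
KEY_PROVINCE="${KEY_PROVINCE:-CA}"
KEY_CITY="${KEY_CITY:-SanFrancisco}"
KEY_ORG="${KEY_ORG:-Fort-Funston}"
KEY_OU="${KEY_OU:-MyVPN}"
KEY_EMAIL="${KEY_EMAIL:-admin@example.com}"   # placeholder address (assumed)

# subject <CN>: X.509 subject string built from the KEY_* values ('/' not allowed in values)
subject() {
  printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' \
    "$KEY_COUNTRY" "$KEY_PROVINCE" "$KEY_CITY" "$KEY_ORG" "$KEY_OU" "$1" "$KEY_EMAIL"
}

# pki_init: directory layout plus the extension sections used at signing time.
# The EKU is what lets remote-cert-tls on each side reject a cert issued for the other role.
pki_init() {
  mkdir -p "$PKI_DIR/private" "$PKI_DIR/certs" "$PKI_DIR/reqs"
  chmod 700 "$PKI_DIR/private"
  cat > "$PKI_DIR/openssl.cnf" <<'EOF'
[ server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# pki_build_ca: self-signed root, valid 10 years. -nodes keeps the key
# unencrypted for a scripted demo; drop it (and keep the CA offline) in production.
pki_build_ca() {
  openssl req -x509 -new -nodes -newkey rsa:4096 -sha256 -days 3650 \
    -keyout "$PKI_DIR/private/ca-key.pem" -out "$PKI_DIR/ca.crt" \
    -subj "$(subject OpenVPN-CA)" 2>/dev/null
  chmod 600 "$PKI_DIR/private/ca-key.pem"
}

# pki_issue <name> <server|client>: key + CSR, then sign with the CA using the
# matching extension section. (A -x509 flag on the req would instead yield a
# self-signed cert that the CA never signed.)
pki_issue() {
  local name=$1 role=$2
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -keyout "$PKI_DIR/private/$name-key.pem" -out "$PKI_DIR/reqs/$name.csr" \
    -subj "$(subject "$name")" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/reqs/$name.csr" \
    -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/private/ca-key.pem" -CAcreateserial \
    -days 365 -sha256 -extfile "$PKI_DIR/openssl.cnf" -extensions "$role" \
    -out "$PKI_DIR/certs/$name-cert.pem" 2>/dev/null
}

# pki_verify <name> <server|client>: the cert must chain to ca.crt AND carry
# the EKU for the claimed role; returns non-zero otherwise.
pki_verify() {
  local name=$1 role=$2 eku
  case "$role" in
    server) eku='TLS Web Server Authentication' ;;
    client) eku='TLS Web Client Authentication' ;;
    *) return 2 ;;
  esac
  openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/certs/$name-cert.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$PKI_DIR/certs/$name-cert.pem" -noout -text | grep -q "$eku"
}

# pki_build_all: the whole sequence; prints the populated directory.
pki_build_all() {
  pki_init
  pki_build_ca
  pki_issue server server
  pki_issue client1 client
  pki_verify server server && pki_verify client1 client
  echo "$PKI_DIR"
}

case "${1:-}" in build) pki_build_all ;; esac
```

Run it as `PKI_DIR=/etc/openvpn/pki ./pki.sh build` (as root) to populate the real directory. Note that `pki_verify client1 server` deliberately fails even though the client certificate chains to the CA: that distinction between a valid chain and a certificate issued for the right role is exactly what remote-cert-tls relies on.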

Configure OpenVPN Network Routing

At this point OpenVPN is installed and the PKI exists, but the daemon still needs a server configuration, and the Linux Mint host must be told to forward packets between the tunnel and its physical network interface.

Linux handles both firewalling and NAT through the netfilter framework, driven here with iptables. The rules added below let packets from the tun0 virtual VPN interface out through the physical interface and masquerade them behind the host's own address.

Start from the sample configuration shipped with the package:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Edit /etc/openvpn/server.conf with nano or vim. The dev directive selects the networking mode: dev tun is routed mode, which this guide uses, and dev tap is bridged mode. The server directive is a helper that already implies mode server, tls-server and the tunnel endpoint's ifconfig, so those are not repeated; an explicit ifconfig line next to server would conflict with the addresses the helper assigns. The certificate paths must point at the files created above, and dh none makes OpenVPN 2.4 and later use ECDH key exchange instead of a classic Diffie-Hellman parameter file (which this guide never generates). Make sure these lines are present and not commented out:

dev tun
proto udp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/certs/server-cert.pem
key /etc/openvpn/pki/private/server-key.pem
dh none
remote-cert-tls client
user nobody
group nogroup
persist-key
persist-tun

remote-cert-tls client makes the server reject any certificate that lacks the clientAuth extended key usage, so a copy of the server certificate cannot be replayed to log in as a client. user and group drop the daemon's privileges once the tunnel is up; persist-key and persist-tun let it restart the tunnel afterwards without needing root again to reopen the key file and the tun device. The sample file also enables tls-auth ta.key 0; either comment that line out or generate ta.key with openvpn --genkey and give every client a copy (this guide does not), otherwise the daemon refuses to start because the file is missing.

Save the file, then enable IPv4 packet forwarding in the running kernel:

sudo sysctl -w net.ipv4.ip_forward=1

To keep it enabled after a reboot, edit sysctl.conf:

sudo nano /etc/sysctl.conf

Uncomment:

net.ipv4.ip_forward=1

Save and reload the sysctl settings:

sudo sysctl -p

Finally add the iptables rules that forward and NAT the VPN subnet. Replace eth0 with the interface that carries your default route (ip route show default prints its name; on current Mint releases it is usually a predictable name such as enp3s0 or wlp2s0 rather than eth0):

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

The first rule rewrites the source address of VPN client packets to the host's address as they leave; the second lets clients open new connections out of the tunnel towards the LAN and the internet; the third admits only the replies to those connections back in, so nothing outside can initiate a connection to a VPN client. The direction matters: allowing only RELATED,ESTABLISHED from tun0 to eth0 would block every new connection from clients, and such a rule set only appears to work while the FORWARD chain's default policy is still ACCEPT. These rules live in kernel memory only; install the iptables-persistent package and run sudo netfilter-persistent save, or they disappear at the next reboot.

The openvpn package provides a systemd template unit, openvpn@.service, that reads /etc/openvpn/<name>.conf, so this configuration runs as the openvpn@server unit. Once it is enabled and started, the journal for that unit should end with "Initialization Sequence Completed".
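The forwarding, NAT and service start-up steps above as one idempotent bring-up script. This is an added example written for this edit, not code from the original page or from the OpenVPN project. It assumes the tunnel subnet 10.8.0.0/24 on tun0, UDP port 1194, the openvpn@server unit for /etc/openvpn/server.conf, and the iptables-persistent package (which provides /etc/iptables/rules.v4) for saving the rules; it detects the outbound interface from the default route instead of assuming eth0, and adds each rule only if it is not already present.

```bash
#!/usr/bin/env bash
# Added example (not the page's or OpenVPN's code): enable forwarding, add the
# FORWARD/NAT rules for the routed (tun) setup in the correct direction, save
# them and start the server. Assumptions: 10.8.0.0/24 on tun0, UDP/1194,
# openvpn@server, iptables-persistent installed. Override via environment.
set -eu

VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
VPN_PORT="${VPN_PORT:-1194}"

# default_iface: print the interface named by the default route. Reads the
# output of `ip route show default` on stdin so it can be tested on a captured line.
default_iface() {
  awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# fw_rules <wan_if>: the rule set, one "-t <table> -A <chain> ..." per line.
# INPUT: accept the VPN port (matters once the INPUT policy is DROP).
# FORWARD: new connections may only originate from the tunnel side; the WAN
# side gets replies only. POSTROUTING: masquerade clients behind the host.
fw_rules() {
  local wan=$1
  cat <<EOF
-t filter -A INPUT -i $wan -p udp --dport $VPN_PORT -j ACCEPT
-t filter -A FORWARD -i $VPN_IF -o $wan -s $VPN_NET -j ACCEPT
-t filter -A FORWARD -i $wan -o $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-t nat -A POSTROUTING -s $VPN_NET -o $wan -j MASQUERADE
EOF
}

# fw_apply <wan_if>: append each rule unless `iptables -C` finds it already
# there, so re-running the script does not stack duplicates.
fw_apply() {
  local wan rule table
  wan=$1
  fw_rules "$wan" | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # the rule line is deliberately split into arguments
    set -- $rule
    table=$2
    shift 3                      # drop "-t <table> -A"; "$@" is now "<chain> <match...>"
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
  done
}

# vpn_bringup: forwarding now and at boot, rules applied and saved, server
# enabled and started. Needs root.
vpn_bringup() {
  [ "$(id -u)" -eq 0 ] || { echo "vpn_bringup must run as root" >&2; return 1; }
  local wan
  wan=$(ip route show default | default_iface)
  [ -n "$wan" ] || { echo "no default route found" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
  fw_apply "$wan"
  if [ -d /etc/iptables ]; then   # present once iptables-persistent is installed
    iptables-save > /etc/iptables/rules.v4
  fi
  systemctl enable --now openvpn@server
}

case "${1:-}" in
  up)    vpn_bringup ;;
  rules) fw_rules "$(ip route show default | default_iface)" ;;
esac
```

`./vpn-up.sh rules` prints the rules it would add for the detected interface without touching anything; `sudo ./vpn-up.sh up` applies them. Because `fw_apply` checks with `-C` before appending, running it twice leaves a single copy of each rule.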

With server-side configuration complete we can establish client connectivity.

Connect Linux Mint Client to OpenVPN

Each client needs three files from the server's PKI under /etc/openvpn/pki: the CA certificate ca.crt (so it can verify the server), its own certificate certs/client1-cert.pem and its own private key private/client1-key.pem. The CA private key ca-key.pem must never be copied anywhere. Configuration requires transferring these credential files to the client device before the tunnel can be activated; move them over an authenticated channel such as scp or a USB stick, not e-mail, because the client key is a credential and anyone who obtains it can join the VPN until that certificate is revoked.

On the OpenVPN server, bundle the files for client1 from the PKI directory (tar works equally well if zip is not installed):

cd /etc/openvpn/pki
sudo zip client1.zip ca.crt certs/client1-cert.pem private/client1-key.pem
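The client-side steps above stop at the archive. The following added example (written for this edit, not code from the original page or from the OpenVPN project) builds a single client profile with the three credential files inlined, which the command-line client loads with openvpn --config client1.ovpn and most GUI clients import as one file. It assumes the PKI layout used in this guide (ca.crt, certs/<name>-cert.pem, private/<name>-key.pem), a server that does not use tls-auth, and takes the server hostname, port and the CN on the server certificate (server, as issued above) as parameters; vpn.example.com is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not the page's or OpenVPN's code): assemble a single-file
# client profile with ca.crt, the client certificate and its key inlined.
# Assumes the PKI layout from the guide and no tls-auth on the server.
set -eu

# build_ovpn <pki_dir> <client_name> <server_host> [port] [server_cn]
# Prints the profile; returns 1 (printing nothing) if a credential file is missing.
build_ovpn() {
  local pki=$1 name=$2 host=$3 port=${4:-1194} server_cn=${5:-server}
  local ca="$pki/ca.crt" cert="$pki/certs/$name-cert.pem" key="$pki/private/$name-key.pem" f
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
  done
  cat <<EOF
client
dev tun
proto udp
remote $host $port
nobind
persist-key
persist-tun
# Accept only a server certificate that carries the serverAuth EKU and whose
# CN is the one the CA issued for the server: a stolen client certificate
# cannot then be used to pose as the server.
remote-cert-tls server
verify-x509-name $server_cn name
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# write_ovpn <pki_dir> <client_name> <server_host> [port] [server_cn]
# Same, but writes <client_name>.ovpn in the current directory with mode 0600
# (the file contains a private key) and prints the file name.
write_ovpn() {
  local out="$2.ovpn"
  ( umask 077; build_ovpn "$@" > "$out" ) || { rm -f "$out"; return 1; }
  echo "$out"
}
```

Run `sudo ./make-ovpn.sh` functions from /etc/openvpn/pki on the server, for example `write_ovpn /etc/openvpn/pki client1 vpn.example.com`, and copy the resulting client1.ovpn to the device the same way as the archive above. Because the profile embeds the private key, it deserves the same handling as the key file itself.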