31 changes: 24 additions & 7 deletions how-to/security/install-openvpn.md
@@ -100,13 +100,28 @@ Since the client certificates and keys are only required on the client machine,
Included with your OpenVPN installation are these (and many more) sample configuration files:

```bash
root@server:/# ls -l /usr/share/doc/openvpn/examples/sample-config-files/
total 68
-rw-r--r-- 1 root root 3427 2011-07-04 15:09 client.conf
-rw-r--r-- 1 root root 4141 2011-07-04 15:09 server.conf.gz
root@server:/# ls /usr/share/doc/openvpn/examples/sample-config-files/*
/usr/share/doc/openvpn/examples/sample-config-files/client.conf
/usr/share/doc/openvpn/examples/sample-config-files/server.conf
```

Start by copying and unpacking `server.conf.gz` to `/etc/openvpn/server.conf`:
If these files under `/usr/share/doc/*` are not available:

> Official minimal environments like Ubuntu Docker are optimized to never install stuff like documentation files (you probably also have not `sudo` there, etc).
> To re-install the necessary documentation, at this point you can run these commands, as the root user:
>
> ```bash
> echo 'path-include=/usr/share/doc/openvpn/examples/*' > /etc/dpkg/dpkg.cfg.d/my-openvpn
> apt install --reinstall openvpn
> ```
Contributor

I don't think this is the right place for this information. Nowhere else in the server guide do we talk about how to tweak such minimal environments when describing a particular service. If we want to go down this route, I believe it's better to document such steps in a separate entry in the server guide, perhaps near the installation docs, or even a new one that talks about minimal images.

Author

Indeed. Could I try mentioning this in the troubleshooting section, in a line, very shortly? 👍

Contributor

I think suggesting to change your Ubuntu installation just to fetch these sample config files is overkill. How about a link to fetch these from the internet? We could link directly to the package git repository. For example, those example files can be seen here: https://git.launchpad.net/ubuntu/+source/openvpn/tree/sample/sample-config-files?h=applied/ubuntu/noble-devel

We can link directly:

These are stable links guaranteed to always point at these files from the latest release of openvpn for Ubuntu Noble 24.04.

Start by copying the example server configuration to `/etc/openvpn/server.conf`:

```bash
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/myserver.conf
```

In Ubuntu 20.04 or older, do this instead:

```bash
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/myserver.conf.gz
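Review bot: the prose and the commands in this hunk disagree on the destination file: the new sentence "Start by copying the example server configuration to `/etc/openvpn/server.conf`:" names `server.conf`, but both `cp` lines write `/etc/openvpn/myserver.conf` (or `myserver.conf.gz` in the 20.04 branch), and the config excerpt in the next hunk uses `myservername.crt` / `myservername.key`, so the guide clearly intends the `myserver` name; change the sentence to say `/etc/openvpn/myserver.conf`. Separately, the added note under "If these files under `/usr/share/doc/*` are not available:" nests a fenced code block inside a `>` blockquote, which renders inconsistently across Markdown engines; if the note survives the placement discussion above, a plain paragraph followed by an unquoted fence is the safer layout.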
@@ -120,12 +135,13 @@ ca ca.crt
cert myservername.crt
key myservername.key
dh dh.pem
tls-auth ta.key 0
```

Complete this set with a TLS Authentication (TA) key in `etc/openvpn` for `tls-auth` like this:
Complete this set with a TLS Authentication (TA) key in `/etc/openvpn` for `tls-auth` like this:

```bash
sudo openvpn --genkey --secret ta.key
sudo openvpn --genkey secret ta.key
```

Edit `/etc/sysctl.conf` and uncomment the following line to enable IP forwarding:
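Review bot: the replacement command `sudo openvpn --genkey secret ta.key` uses the OpenVPN 2.5 argument form and is rejected by the 2.4 release that ships with Ubuntu 20.04, which this same PR still supports in the previous hunk ("In Ubuntu 20.04 or older, do this instead:"). Either keep the removed `--genkey --secret ta.key` form, which 2.5 still accepts with a deprecation warning, or add a 20.04 variant beside the new command, as was done for the config copy. Independently, the fixed sentence says the key goes in `/etc/openvpn`, but the command writes `ta.key` to whatever directory the reader happens to be in; passing the full path, `sudo openvpn --genkey secret /etc/openvpn/ta.key`, removes that dependency and matches the relative `tls-auth ta.key 0` line added to the config excerpt.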
@@ -340,6 +356,7 @@ If the above didn't work for you, check the following:
- Client and server must use same protocol and port, e.g. UDP port 1194, see `port` and `proto` config options.
- Client and server must use the same compression configuration, see `comp-lzo` config option.
- Client and server must use same config regarding bridged vs. routed mode, see `server vs server-bridge` config option
- Client must use the config `tls-auth` with index `1` (example client config: `tls-auth ta.key 1`), but server must use `tls-auth` with index `0` (example server config: `tls-auth ta.key 0`).

## Advanced configuration

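Review bot: the new troubleshooting bullet states the direction indices correctly, but the index is only half of the pairing: both ends must also load the same `ta.key` file, and a key that differs between client and server is rejected just like a swapped index, so the bullet should say "the same `ta.key`" explicitly. Two style points: the bullet is far longer than its neighbours, which each end by naming the relevant option (for example "see `comp-lzo` config option"), so consider trimming it to that shape with a trailing "see `tls-auth` config option"; and the preceding `server vs server-bridge` bullet is missing its trailing period (pre-existing, but worth fixing while editing this list).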