
Thursday, October 31, 2024

Ubuntu Server as a VPN Gateway

To connect multiple Ubuntu devices (clients) to one central Ubuntu server and share the connection securely over a VPN, here's a detailed, step-by-step guide.


Step 1: Set Up the Ubuntu Server as a VPN Gateway

This server will act as the central point, allowing other devices to connect to it.

1.1 Install OpenVPN on the Server

  1. Log into your central Ubuntu server.
  2. Update package lists:

    sudo apt update
  3. Install OpenVPN:

    sudo apt install openvpn -y

1.2 Set Up Easy-RSA for Key and Certificate Management

OpenVPN requires certificates and keys for secure connections.

  1. Install easy-rsa to help with certificate creation:

    sudo apt install easy-rsa -y
  2. Create a new directory for the PKI (Public Key Infrastructure):

    make-cadir ~/openvpn-ca
    cd ~/openvpn-ca
  3. Initialize the PKI:

    ./easyrsa init-pki
  4. Build the CA (Certificate Authority) and follow the prompts:

    ./easyrsa build-ca
  5. Generate the server certificate and key:

    ./easyrsa gen-req server nopass
  6. Sign the server certificate:

    ./easyrsa sign-req server server
  7. Generate Diffie-Hellman parameters:

    ./easyrsa gen-dh
  8. Copy the keys and certificates to OpenVPN’s directory:

    sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt /etc/openvpn/
    sudo cp pki/dh.pem /etc/openvpn/dh2048.pem

1.3 Configure the OpenVPN Server

  1. Create a configuration file for the server:

    sudo nano /etc/openvpn/server.conf
  2. Paste the following configuration into server.conf:

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    keepalive 10 120
    cipher AES-256-CBC
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

1.4 Enable IP Forwarding for Internet Sharing

  1. Open /etc/sysctl.conf:

    sudo nano /etc/sysctl.conf
  2. Find or add the line below to enable IP forwarding:

    net.ipv4.ip_forward = 1
  3. Apply the change immediately:

    sudo sysctl -p

1.5 Set Up Firewall Rules for OpenVPN

  1. Allow OpenVPN traffic through the firewall:

    sudo ufw allow 1194/udp
  2. Enable NAT (Network Address Translation) to allow VPN clients to reach the internet through the server:

    sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    Replace eth0 with your server’s network interface if it differs.

1.6 Start and Enable the OpenVPN Service

  1. Start the OpenVPN service:

    sudo systemctl start openvpn@server
  2. Enable it to start at boot:

    sudo systemctl enable openvpn@server

Step 2: Set Up VPN Clients (Each of the 10 Ubuntu Devices)

Each client needs its own certificate and configuration to connect securely to the VPN server.

2.1 Create a Certificate for Each Client

On the server:

  1. Go back to the ~/openvpn-ca directory:

    cd ~/openvpn-ca
  2. Generate a certificate and key for each client (e.g., client1, client2, etc.):

    ./easyrsa gen-req client1 nopass
    ./easyrsa sign-req client client1
  3. Copy the client’s certificates and keys to a separate directory to transfer them:

    mkdir -p ~/client1
    cp pki/ca.crt pki/issued/client1.crt pki/private/client1.key ~/client1

2.2 Create Client Configuration File

  1. On the server, create a client configuration file for each client (e.g., client1.ovpn):

    nano ~/client1/client1.ovpn
  2. Add this configuration, replacing your_server_ip with the server's public IP address:

    client
    dev tun
    proto udp
    remote your_server_ip 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    cipher AES-256-CBC
    verb 3
    <ca>
    # Paste contents of ca.crt here
    </ca>
    <cert>
    # Paste contents of client1.crt here
    </cert>
    <key>
    # Paste contents of client1.key here
    </key>
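Steps 2.1 and 2.2 repeat for every client, and the paste-by-hand part is where a key ends up in the wrong profile or world-readable. The function below is an added example (not part of the original post) that builds one inline .ovpn from the Easy-RSA layout of Step 1.2; it assumes the PKI directory, the client name and the server IP are passed as arguments.

```shell
# Added example: assemble an inline client profile from the Easy-RSA PKI.
# Assumes the Step 1.2 layout: <pki>/ca.crt, <pki>/issued/<name>.crt,
# <pki>/private/<name>.key. Usage:
#   build_client_ovpn client1 ~/openvpn-ca/pki your_server_ip ~/client1/client1.ovpn
build_client_ovpn() {
    name="$1"; pki="$2"; server="$3"; out="$4"
    ca="$pki/ca.crt"
    crt="$pki/issued/$name.crt"
    key="$pki/private/$name.key"

    # Refuse to emit a profile if any piece of the client identity is
    # missing or empty; a half-built profile only fails later on the client.
    for f in "$ca" "$crt" "$key"; do
        if [ ! -s "$f" ]; then
            echo "build_client_ovpn: missing or empty $f" >&2
            return 1
        fi
    done

    # The profile embeds the private key, so write it as a fresh owner-only
    # (0600) file. umask runs in a subshell so the caller's umask is untouched.
    (
        umask 077
        rm -f "$out"
        {
            printf 'client\ndev tun\nproto udp\n'
            printf 'remote %s 1194\n' "$server"
            printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
            printf 'remote-cert-tls server\ncipher AES-256-CBC\nverb 3\n'
            # awk 1 copies each PEM file and guarantees a trailing newline, so
            # a closing tag never lands on the same line as the last PEM line.
            printf '<ca>\n';   awk 1 "$ca";  printf '</ca>\n'
            printf '<cert>\n'; awk 1 "$crt"; printf '</cert>\n'
            printf '<key>\n';  awk 1 "$key"; printf '</key>\n'
        } > "$out"
    )
}
```

Run it once per client after `sign-req`, then transfer only the resulting .ovpn to that device.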

2.3 Install OpenVPN on Each Client Device

On each Ubuntu client:

  1. Install OpenVPN:

    sudo apt update
    sudo apt install openvpn -y
  2. Copy the client1.ovpn configuration file from the server to each client.

2.4 Connect Each Client to the VPN

On each client device, use the configuration file to connect:

    sudo openvpn --config /path/to/client1.ovpn

To run this automatically on boot, copy the configuration to /etc/openvpn/client/ as client.conf and enable the OpenVPN service:

    sudo cp /path/to/client1.ovpn /etc/openvpn/client/client.conf
    sudo systemctl enable openvpn-client@client

Step 3: Testing and Sharing Data Across Clients

  1. Verify VPN Connectivity: From each client, ping the VPN server's tunnel address to confirm the tunnel is up.

    ping 10.8.0.1
  2. Enable File Sharing (Optional): Use SSH/SCP or set up an NFS shared folder on the VPN server to allow clients to access shared data.

By following these steps, you will connect 10 Ubuntu devices through a VPN to a central Ubuntu server, securely sharing resources and internet access across the network.