OpenVPN on Ubuntu


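# OpenVPN
# Install only the daemon; --no-install-recommends keeps extra packages out of a service
# that is going to be confined to a chroot anyway.
apt-get install --no-install-recommends openvpn

# Each VPN daemon should run with a dedicated user/group to downgrade privileges
export VPN_NAME="cameleon"

# Create a system user (no password and shell defaulting to /bin/false).
# Expansions are quoted so an unexpected value in VPN_NAME cannot be word-split
# into extra adduser arguments.
adduser --quiet --system --no-create-home --home /nonexistent --group --disabled-login "ovpn-${VPN_NAME}"

# Setup the VPN chroot (created by root, so the daemon user has no write access to it)
export VPN_CHROOT="/etc/openvpn/${VPN_NAME}/chroot"
mkdir -p -- "${VPN_CHROOT}/etc"
# cp dereferences the symlink /etc/localtime usually is, so the chroot gets a real
# file rather than a link that would dangle once the daemon is confined.
cp -- /etc/localtime "${VPN_CHROOT}/etc/"   # for log with timestamps in the right timezone

# Do not use a status file. SIGUSR2 is sent to the OpenVPN
# PID when those stats are needed (uncomment STATUSREFRESH=0 in the defaults file)
sed -i 's/#\(STATUSREFRESH=0\)/\1/' /etc/default/openvpn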

Client Configuration

Add the following to your configuration file:

# Security
script-security 1           # Only built-in executables may be called; user-defined scripts are never run
remote-cert-tls server      # Remote cert type must match: the peer must present a server-type cert,
                            # so a leaked client cert cannot impersonate the server
# NOTE(review): the server-side setup above creates /etc/openvpn/$VPN_NAME/chroot
# and a user/group named ovpn-$VPN_NAME; the chroot/user/group values below must
# match whatever was actually created on the host.
chroot /etc/openvpn/chroot  # Chroot to (almost) empty dir
user  openvpn               # Drop root privileges
group openvpn               # Drop root privileges

# Make sure local networks are not routed through the VPN
route-metric 50             # Metric applied to routes added by the tunnel