Set up an OpenVPN server
Running your own VPN can be useful to access your network from the outside in a secure way or to secure your network traffic when you are on the go. This is a basic setup.
Install
apt-get update && apt-get install openvpn easy-rsa
Extract the default config file
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Edit configuration
Edit the default configuration file
nano /etc/openvpn/server.conf
Around line 87, replace
dh dh1024.pem
with
dh dh4096.pem
to use 4096-bit Diffie-Hellman parameters
If you want to access the internet through the VPN server, around line 187, replace
;push "redirect-gateway def1 bypass-dhcp"
with
push "redirect-gateway def1 bypass-dhcp"
Around lines 196-197, replace
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
with
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
to push the OpenDNS servers to clients instead of letting each client rely on its own DNS servers.
Around lines 262-263, replace
;user nobody
;group nogroup
with
user nobody
group nogroup
so that the daemon drops root privileges once it is running.
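The server.conf edits above, as an added shell example that is not part of the original page: harden_server_conf applies them with sed to the file you name and check_server_conf verifies afterwards that every directive is present and uncommented. It assumes the sample server.conf layout, where a disabled directive is prefixed with ';' at the start of the line; write_sample_conf writes a constructed stand-in for the relevant lines so the functions can be tried on a scratch copy before the real file.

```shell
#!/bin/sh
# Added example, not from the original page. Applies the server.conf edits
# described above with sed and checks the result.
# Assumption: disabled directives start with ';' as in the sample server.conf.

# edit_in_place FILE SED_EXPR: run a sed expression over FILE via a temp file
# (portable across GNU and BSD sed, which disagree on the -i flag).
edit_in_place() {
  sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# uncomment_directive FILE DIRECTIVE: strip the leading ';' from the line
# that begins with ';DIRECTIVE'. '|' is the sed delimiter, so DIRECTIVE may
# contain quotes, spaces and dots.
uncomment_directive() {
  edit_in_place "$1" "s|^;\($2\)|\1|"
}

# harden_server_conf FILE: the edits from the text, in order:
# 4096-bit DH parameters, route all client traffic through the VPN,
# push the OpenDNS resolvers, drop root privileges after start.
harden_server_conf() {
  edit_in_place "$1" 's|^dh dh[0-9]*\.pem|dh dh4096.pem|'
  uncomment_directive "$1" 'push "redirect-gateway def1 bypass-dhcp"'
  uncomment_directive "$1" 'push "dhcp-option DNS 208.67.222.222"'
  uncomment_directive "$1" 'push "dhcp-option DNS 208.67.220.220"'
  uncomment_directive "$1" 'user nobody'
  uncomment_directive "$1" 'group nogroup'
}

# check_server_conf FILE: return 0 only if every directive harden_server_conf
# enables is present as an exact, uncommented line; name the first one missing.
check_server_conf() {
  for d in 'dh dh4096.pem' \
           'push "redirect-gateway def1 bypass-dhcp"' \
           'push "dhcp-option DNS 208.67.222.222"' \
           'push "dhcp-option DNS 208.67.220.220"' \
           'user nobody' \
           'group nogroup'; do
    grep -qxF "$d" "$1" || { echo "missing or commented out: $d" >&2; return 1; }
  done
}

# write_sample_conf FILE: constructed stand-in for the relevant lines of the
# stock server.conf, so the functions can be tried before touching the real file.
write_sample_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
dh dh1024.pem
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nogroup
EOF
}

# Real use, after backing the file up:
#   cp /etc/openvpn/server.conf /etc/openvpn/server.conf.orig
#   harden_server_conf /etc/openvpn/server.conf && check_server_conf /etc/openvpn/server.conf
```

check_server_conf is deliberately strict (exact line match): a directive that is present but still commented, or edited with a typo, is reported rather than silently accepted, which is what you want before restarting a service that other machines depend on.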
Packet forwarding
Enable packet forwarding for the current session
echo 1 > /proc/sys/net/ipv4/ip_forward
Enable it permanently
nano /etc/sysctl.conf
Around line 28, replace
#net.ipv4.ip_forward=1
with
net.ipv4.ip_forward=1
Firewall
You can use UFW, a front end for iptables, to configure the firewall for OpenVPN.
Allow anyone to connect to OpenVPN
ufw allow 1194/udp
Then set the forwarding policy
nano /etc/default/ufw
Around line 19, replace
DEFAULT_FORWARD_POLICY="DROP"
with
DEFAULT_FORWARD_POLICY="ACCEPT"
Add the NAT rules
nano /etc/ufw/before.rules
Around line 11, before the *filter line, add (replace eth0 with your outbound interface if it is named differently)
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Then reload the firewall so the new rules take effect
ufw disable
ufw enable
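Inserting the NAT block by hand is easy to get wrong: it has to sit before the *filter table, end with its own COMMIT, and must not be added twice. The following added shell example, which is not from the original page, does the insertion on a file you name and checks the placement. add_openvpn_nat takes the outbound interface and client subnet as parameters (eth0 and 10.8.0.0/24 are the values used above), and write_sample_before_rules writes a constructed, cut-down before.rules to try it on.

```shell
#!/bin/sh
# Added example, not from the original page. Inserts the OpenVPN NAT block
# ahead of the '*filter' table in a before.rules file and checks the result.
# Assumption: the file has a '*filter' line, as the stock ufw before.rules does.

# add_openvpn_nat FILE IFACE SUBNET: insert the block once; a second call is a no-op.
add_openvpn_nat() {
  f=$1; iface=$2; subnet=$3
  if grep -q '^# START OPENVPN RULES' "$f"; then
    echo "NAT block already present in $f" >&2
    return 0
  fi
  awk -v iface="$iface" -v subnet="$subnet" '
    !inserted && /^\*filter/ {
      print "# START OPENVPN RULES"
      print "# NAT table rules"
      print "*nat"
      print ":POSTROUTING ACCEPT [0:0]"
      print "# Allow traffic from OpenVPN clients out through " iface
      print "-A POSTROUTING -s " subnet " -o " iface " -j MASQUERADE"
      print "COMMIT"
      print "# END OPENVPN RULES"
      print ""
      inserted = 1
    }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# nat_block_ok FILE: return 0 only if a *nat table exists, contains the
# MASQUERADE rule, is closed by COMMIT, and all of that precedes *filter.
nat_block_ok() {
  awk '
    /^\*nat/     { nat = NR }
    /^COMMIT/    { if (nat && !natcommit) natcommit = NR }
    /^\*filter/  { filter = NR }
    /MASQUERADE/ { masq = NR }
    END { exit !(nat && masq > nat && natcommit > masq && filter > natcommit) }
  ' "$1"
}

# write_sample_before_rules FILE: constructed, shortened stand-in for the
# stock /etc/ufw/before.rules, used to try the functions on a scratch file.
write_sample_before_rules() {
  cat > "$1" <<'EOF'
#
# rules.before
#
# Rules that should be run before the ufw command line added rules.
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
COMMIT
EOF
}

# Real use: add_openvpn_nat /etc/ufw/before.rules eth0 10.8.0.0/24 && nat_block_ok /etc/ufw/before.rules
```

The idempotence check keys on the "# START OPENVPN RULES" marker, so keep that comment line if you edit the block later; nat_block_ok catches the two common mistakes of pasting the block after *filter or forgetting the COMMIT.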
Certificate authority
Copy the Easy-RSA generation scripts
cp -r /usr/share/easy-rsa/ /etc/openvpn
Create a directory for keys
mkdir /etc/openvpn/easy-rsa/keys
Generate Diffie-Hellman parameters (4096 bits takes a while)
openssl dhparam -out /etc/openvpn/dh4096.pem 4096
Generate keys
cd /etc/openvpn/easy-rsa
. ./vars
Clear old keys
./clean-all
Build the certificate authority
./build-ca
Generate the server certificate and key
./build-key-server EasyRSA
Leave the 'extra' attributes blank: press enter twice, then answer y twice.
Moving certificate and keys
cp /etc/openvpn/easy-rsa/keys/{EasyRSA.crt,EasyRSA.key,ca.crt} /etc/openvpn
The sample server.conf references cert server.crt and key server.key; since the server certificate was named EasyRSA above, point those two lines at EasyRSA.crt and EasyRSA.key.
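Before starting the server it is worth confirming that every file server.conf points at actually exists under /etc/openvpn and that the private key is not readable by other users. The following is an added shell example, not code from the original page: conf_value reads an active directive from the config, and check_openvpn_files resolves the ca, cert, key and dh paths against the config's directory (an assumption that matches starting OpenVPN from /etc/openvpn) and reports anything missing or too permissive. The test data it is run on here is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Before starting the server, confirm
# that the files server.conf points at (ca, cert, key, dh) exist next to the
# config and that the private key is not readable by group or others.
# Assumption: relative paths in server.conf resolve against the config's
# directory, which is where OpenVPN looks when started from /etc/openvpn.

# conf_value CONF DIRECTIVE: value of the first active (uncommented) DIRECTIVE
# line; a commented line like ';key old.key' has ';key' as its first field and
# is ignored. Prints nothing if the directive is absent.
conf_value() {
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# group_other_perms PATH: the group/other permission bits as shown by ls -l,
# with dashes removed, so an empty result means mode 600 (or stricter).
group_other_perms() {
  ls -ld "$1" | cut -c5-10 | sed 's/-//g'
}

# check_openvpn_files CONF: return 0 if every referenced file is readable and
# the key is private; report each problem on stderr and return 1 otherwise.
check_openvpn_files() {
  conf=$1
  dir=$(dirname "$conf")
  rc=0
  for directive in ca cert key dh; do
    v=$(conf_value "$conf" "$directive")
    if [ -z "$v" ]; then
      echo "$directive: no active directive in $conf" >&2
      rc=1
      continue
    fi
    case $v in /*) path=$v ;; *) path=$dir/$v ;; esac
    if [ ! -r "$path" ]; then
      echo "$directive: $path (referenced by $conf) is missing or unreadable" >&2
      rc=1
    elif [ "$directive" = key ] && [ -n "$(group_other_perms "$path")" ]; then
      echo "key: $path is readable by group or others; chmod 600 it" >&2
      rc=1
    fi
  done
  return $rc
}

# Real use: check_openvpn_files /etc/openvpn/server.conf
```

Running this right after the cp above will flag the server.crt/server.key mismatch mentioned in the text if the cert and key lines were not updated, and the permission check catches a key copied with a permissive umask.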
Start the server
service openvpn start
Check status
service openvpn status
This should appear in the output if it succeeded
Active: active (exited) since...
Generating certificate and keys for the client
Building
cd /etc/openvpn/easy-rsa
./build-key clientA
Leave the 'extra' attributes blank: press enter twice, then answer y twice.
Copy the sample client configuration
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
nano /etc/openvpn/easy-rsa/keys/client.ovpn
At line 42, replace
;remote my-server-2 1194
with your server's IP address or domain name, for example
remote 77.88.99.11 1194
At line 61, replace
;user nobody
;group nogroup
with
user nobody
group nogroup
At line 88, replace
ca ca.crt
cert client.crt
key client.key
with
;ca ca.crt
;cert client.crt
;key client.key
since the certificates and key will be embedded in the .ovpn file instead.
Build ovpn file
clientA.ovpn is an example name; you can use anything you want.
cp /etc/openvpn/easy-rsa/keys/client.ovpn /etc/openvpn/easy-rsa/keys/clientA.ovpn
Include the certificates and key in the .ovpn file
echo -e '\n\n<ca>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
echo -e '</ca>\n\n<cert>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
cat /etc/openvpn/easy-rsa/keys/clientA.crt >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
echo -e '</cert>\n\n<key>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
cat /etc/openvpn/easy-rsa/keys/clientA.key >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
echo '</key>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
The resulting file contains the client's private key: transfer it to the client over a secure channel and remove the copy from the server once it is installed.
Add more clients
cd /etc/openvpn/easy-rsa
source ./vars
./build-key clientB
Then repeat the Build ovpn file steps, replacing clientA with clientB (or whatever name you chose).
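The Build ovpn file steps and the Add more clients repetition, as one added shell example that is not part of the original page: build_ovpn takes the client name as a parameter, so each additional client is one more call, and check_ovpn verifies that the result carries exactly one <ca>, <cert> and <key> block and that the file-based ca/cert/key directives were commented out as described above. Paths follow the page (the easy-rsa keys directory and /etc/openvpn/ca.crt); make_sample_material writes constructed placeholder PEM files, not real certificates or keys, so the functions can be tried in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original page. The "Build ovpn file" steps as a
# function of the client name, so "Add more clients" is one more call, plus a
# check on the result. make_sample_material writes constructed placeholder PEM
# files for trying it out; they are not real certificates or keys.

# build_ovpn NAME KEYS_DIR CA_FILE
# Copy KEYS_DIR/client.ovpn to KEYS_DIR/NAME.ovpn and append the inline
# <ca>, <cert> and <key> blocks from CA_FILE, KEYS_DIR/NAME.crt, KEYS_DIR/NAME.key.
build_ovpn() {
  name=$1; keys=$2; ca=$3
  out=$keys/$name.ovpn
  [ -r "$keys/$name.crt" ] && [ -r "$keys/$name.key" ] || {
    echo "no certificate/key for $name in $keys; run ./build-key $name first" >&2
    return 1
  }
  cp "$keys/client.ovpn" "$out"
  {
    printf '\n\n<ca>\n';         cat "$ca"
    printf '</ca>\n\n<cert>\n';  cat "$keys/$name.crt"
    printf '</cert>\n\n<key>\n'; cat "$keys/$name.key"
    printf '</key>\n'
  } >> "$out"
  chmod 600 "$out"   # the file now contains the client's private key
}

# check_ovpn FILE: return 0 if each inline block opens and closes exactly once,
# three PEM bodies are present (CA cert, client cert, client key), and the
# file-based ca/cert/key lines are commented out (otherwise OpenVPN would look
# for ca.crt and friends on disk instead of using the embedded copies).
check_ovpn() {
  for tag in ca cert key; do
    [ "$(grep -c "^<$tag>\$" "$1")" -eq 1 ]  || { echo "<$tag> not exactly once" >&2; return 1; }
    [ "$(grep -c "^</$tag>\$" "$1")" -eq 1 ] || { echo "</$tag> not exactly once" >&2; return 1; }
  done
  [ "$(grep -c '^-----BEGIN ' "$1")" -eq 3 ] || { echo "expected 3 PEM bodies" >&2; return 1; }
  ! grep -Eq '^(ca|cert|key) ' "$1" || { echo "file-based ca/cert/key directive still active" >&2; return 1; }
}

# placeholder_pem LABEL: a constructed PEM-shaped block with no real key material.
placeholder_pem() {
  printf -- '-----BEGIN %s-----\nCONSTRUCTED PLACEHOLDER, NOT REAL %s DATA\n-----END %s-----\n' "$1" "$1" "$1"
}

# make_sample_material DIR: constructed template and placeholder files laid out
# like /etc/openvpn (DIR/ca.crt) and the easy-rsa keys directory (DIR/keys).
make_sample_material() {
  mkdir -p "$1/keys"
  printf '%s\n' client 'dev tun' 'remote 77.88.99.11 1194' 'user nobody' \
    'group nogroup' ';ca ca.crt' ';cert client.crt' ';key client.key' > "$1/keys/client.ovpn"
  placeholder_pem CERTIFICATE   > "$1/ca.crt"
  placeholder_pem CERTIFICATE   > "$1/keys/clientA.crt"
  placeholder_pem "PRIVATE KEY" > "$1/keys/clientA.key"
}

# Real use, after ./build-key clientB:
#   build_ovpn clientB /etc/openvpn/easy-rsa/keys /etc/openvpn/ca.crt
#   check_ovpn /etc/openvpn/easy-rsa/keys/clientB.ovpn
```

build_ovpn refuses to run when the client's .crt/.key pair is missing, which is the usual mistake when the ./build-key step was skipped for a new name, and chmod 600 on the output reflects that the bundle is now as sensitive as the key itself.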
Share key between clients
To connect multiple clients using the same key, instead of generating one key per client, there is a simple method. Make sure you understand the security implications: with a shared certificate you cannot revoke access for a single client without cutting off all of them.
nano /etc/openvpn/server.conf
Around line 217, replace
;duplicate-cn
with
duplicate-cn
then
service openvpn restart
Run the server
systemctl start openvpn@server.service
Check status
systemctl status openvpn@server.service
Restart
systemctl restart openvpn@server.service
Stop
systemctl stop openvpn@server.service
Enable automatic startup
update-rc.d openvpn enable
Disable automatic startup
update-rc.d openvpn disable
Client configuration
You can use the /etc/openvpn/easy-rsa/keys/clientA.ovpn file to connect to your VPN from Windows (OpenVPN GUI), Android (OpenVPN Connect), or Linux:
apt-get install openvpn
then, for a quick one-off connection,
openvpn --config clientA.ovpn
To run it as a service on the client side, move the file into place
mv clientA.ovpn /etc/openvpn/client.conf
then
systemctl start openvpn@client.service
Check status
systemctl status openvpn@client.service
Restart
systemctl restart openvpn@client.service
Stop
systemctl stop openvpn@client.service
Optimization
Disable comp-lzo by commenting it out
;comp-lzo
in both the server and client configuration files (the setting must match on both sides). In many cases this improves performance and reduces data usage and overhead.