Designdesk

Setup an OpenVPN server

Running your own VPN can be useful to access your network from the outside in a secure way or to secure your network traffic when you are on the go. This is a basic setup.

Install apt-get update && apt-get install openvpn easy-rsa

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf Extract default config file

Edit configuration

nano /etc/openvpn/server.conf Edit default configuration file

line ~87, replace

dh dh1024.pem with dh dh4096.pem to use 4096 bits keys

line ~187, replace

;push "redirect-gateway def1 bypass-dhcp" with push "redirect-gateway def1 bypass-dhcp" to enable web traffic gateway

line~196-197, replace

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

with

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

to push opendns servers instead of letting client rely on its own dns servers.

line ~262-263, replace

;user nobody
;group nogroup

with

user nobody
group nogroup

Packet forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward to enable packet forwarding

nano /etc/sysctl.conf around line 28 replace #net.ipv4.ip_forward=1 with net.ipv4.ip_forward=1 to enable it permanently

Firewall

You can use UFW to configure your firewall for OpenVPN. Setup a firewall with UFW interface for iptables

Allow anyone to connect to OpenVPN ufw allow 1194/udp

Then you must setup the forwarding policy nano /etc/default/ufw

Around line 19 replace DEFAULT_FORWARD_POLICY="DROP" with DEFAULT_FORWARD_POLICY="ACCEPT"

nano /etc/ufw/before.rules around line 11 add

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

ufw disable then ufw enable

Certificate authority

Copy Easy-RSA generation scripts cp -r /usr/share/easy-rsa/ /etc/openvpn

Create directory for keys mkdir /etc/openvpn/easy-rsa/keys

Generate Diffie-Helman parameters openssl dhparam -out /etc/openvpn/dh4096.pem 4096

Generate key cd /etc/openvpn/easy-rsa . ./vars clear old keys ./clean-all build certificate authority ./build-ca

Generate certificate authority ./build-key-server EasyRSA leave 'extra' attributes blank : press enter twice then answer y twice.

Moving certificate and keys

cp /etc/openvpn/easy-rsa/keys/{EasyRSA.crt,EasyRSA.key,ca.crt} /etc/openvpn

Start server service openvpn start Check status service openvpn status

This should appear in the message if you succeed Active: active (exited) since...

Generating certificate and keys for the client

Building

cd /etc/openvpn/easy-rsa ./build-key clientA leave 'extra' attributes blank : press enter twice then answer y twice.

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn

nano /etc/openvpn/easy-rsa/keys/client.ovpn

At line 42 replace ;remote my-server-2 1194 with your ip or domain remote 77.88.99.11 1194

At line 61 replace

;user nobody
;group nogroup

with

user nobody
group nogroup

At line 88 replace

ca ca.crt
cert client.crt
key client.key

with

;ca ca.crt
;cert client.crt
;key client.key

Build ovpn file

clientA.ovpn is an example name, you can use anything you want.

cp /etc/openvpn/easy-rsa/keys/client.ovpn /etc/openvpn/easy-rsa/keys/clientA.ovpn

Include certificates and key to .ovpn file

echo -e '\n\n<ca>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/clientA.ovpn

echo -e '</ca>\n\n<cert>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
cat /etc/openvpn/easy-rsa/keys/clientA.crt >> /etc/openvpn/easy-rsa/keys/clientA.ovpn

echo -e '</cert>\n\n<key>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
cat /etc/openvpn/easy-rsa/keys/clientA.key >> /etc/openvpn/easy-rsa/keys/clientA.ovpn

echo '</key>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn

Add more clients

cd /etc/openvpn/easy-rsa source ./vars ./build-key clientB

Then repeat Build ovpn file steps replacing clientA with clientB (or anything)

Share key between clients

To connect multiple clients using the same key, there is a simple method, instead of generating one key per client. Make sure you understand the security implications.

nano /etc/openvpn/server.conf at line ~217 replace ;duplicate-cn with duplicate-cn then service openvpn restart

Client configuration

You can use /etc/openvpn/easy-rsa/keys/clientA.ovpn file to connect to your vpn from windows (OpenVPN GUI), android (OpenVPN Connect), or linux :

apt-get install openvpn then openvpn --config clientA.ovpn For quick connection.

To use as a service : Client side mv clientA.ovpn /etc/openvpn/client.conf then /etc/init.d/openvpn start or systemctl start openvpn@client.service

Check status systemctl status openvpn Restart systemctl restart openvpn@client.service Stop systemctl stop openvpn

Or /etc/init.d/openvpn status - /etc/init.d/openvpn stop - /etc/init.d/openvpn restart

Disable update-rc.d openvpn disable Enable update-rc.d openvpn enable

Source, OpenVPN on Github