OpenVPN

A Virtual Private Network (VPN) lets you use “untrusted” networks as if you were on a private one. Your traffic travels encrypted to your server, the server makes the network request on your behalf, and the response comes back to you over the same protected tunnel.

OpenVPN is a full-featured open source SSL/TLS VPN solution that accommodates a wide range of configurations. Here you will see how to set up an OpenVPN server and then configure access to it from Windows and Android.

Install

apt-get update
apt-get install openvpn curl openssl

Set up your own Certificate Authority (CA)

The first step is to establish a PKI (public key infrastructure). The PKI consists of:

  • a separate certificate (which carries the public key) and private key for the server and for each client
  • a master Certificate Authority (CA) certificate and key, which is used to sign each of the server and client certificates.

openssl dhparam -out /etc/openvpn/dh.pem 2048   # Diffie-Hellman parameters for the server; this step takes a while
openssl genrsa -out /etc/openvpn/ca-key.pem 2048
chmod 600 /etc/openvpn/ca-key.pem
openssl req -new -key /etc/openvpn/ca-key.pem -out /etc/openvpn/ca-csr.pem -subj /CN=OpenVPN-CA/
openssl x509 -req -in /etc/openvpn/ca-csr.pem -out /etc/openvpn/ca.pem -signkey /etc/openvpn/ca-key.pem -days 365
echo 01 > /etc/openvpn/ca.srl   # serial number file that openssl x509 -CA uses when signing the certificates below

Generate Server Config

openssl genrsa -out /etc/openvpn/server-key.pem 2048
chmod 600 /etc/openvpn/server-key.pem
openssl req -new -key /etc/openvpn/server-key.pem -out /etc/openvpn/server-csr.pem -subj /CN=OpenVPN/
openssl x509 -req -in /etc/openvpn/server-csr.pem -out /etc/openvpn/server-cert.pem -CA /etc/openvpn/ca.pem -CAkey /etc/openvpn/ca-key.pem -days 365

Create /etc/openvpn/udp1194.conf and add the following

server 10.8.0.0 255.255.255.0				# OpenVPN subnet
verb 3										# amount of logging to be done
duplicate-cn								# allow several clients to connect with the same certificate (only one client cert is generated below)

key server-key.pem							# point to generated server key
ca ca.pem									# point to generated ca certificate
cert server-cert.pem						# point to generated server certificate
dh dh.pem									# point to generated Diffie-Hellman parameters

keepalive 10 120
persist-key
persist-tun
comp-lzo									# compression (deprecated since OpenVPN 2.4; must match the client config)

push "redirect-gateway def1 bypass-dhcp"	# all internet will be redirected to the tunnel
push "dhcp-option DNS 8.8.8.8"				# setting the DNS servers
push "dhcp-option DNS 8.8.4.4"				# setting the DNS servers

user nobody									# drop privileges to this user after start-up
group nogroup								# drop privileges to this group after start-up

proto udp									# use udp as protocol
port 1194									# port to listen to
dev tun1194									# create a routed ip tunnel
status openvpn-status-1194.log				# location of status log

Generate Client Configuration

The client.ovpn file generated here is the configuration file you will use on your client machine.

openssl genrsa -out /etc/openvpn/client-key.pem 2048 > /dev/null 2>&1
chmod 600 /etc/openvpn/client-key.pem
openssl req -new -key /etc/openvpn/client-key.pem -out /etc/openvpn/client-csr.pem -subj /CN=OpenVPN-Client/
openssl x509 -req -in /etc/openvpn/client-csr.pem -out /etc/openvpn/client-cert.pem -CA /etc/openvpn/ca.pem -CAkey /etc/openvpn/ca-key.pem -days 36525   # 100 years; the CA above is only valid for 365 days, after which this certificate no longer verifies
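Before handing out the client profile it is worth confirming that the CA, server and client material generated in the three steps above actually fit together. The script below is an added example, not part of the original guide: it assumes openssl on PATH and the guide's file names (ca.pem, server-key.pem, server-cert.pem, client-key.pem, client-cert.pem), and the function names are its own. It checks that each certificate verifies against the CA, that each private key belongs to its certificate, and that no certificate outlives the CA that signed it, which is exactly the situation the 36525-day client certificate above creates.

```shell
#!/bin/sh
# pki-check.sh: sanity checks for the CA, server and client material generated above.
# Added example, not part of the original guide. It assumes openssl is on PATH and
# the guide's file names (ca.pem, server-key.pem, server-cert.pem, client-*.pem).

# Expiry of a certificate as a YYYYMMDD number, parsed with awk from the
# "notAfter=Mon DD HH:MM:SS YYYY GMT" line, so no GNU date is required.
cert_expiry_day() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//' |
        awk '{ m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
               printf "%s%02d%02d\n", $4, m, $2 }'
}

# check_pair CA CERT KEY: 0 when CERT is signed by CA, KEY belongs to CERT and
# CERT does not outlive CA. Each failure is reported; all three checks always run.
check_pair() {
    ca=$1; cert=$2; key=$3; status=0

    # 1. Chain: the certificate must verify against the CA OpenVPN is told to trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; status=1
    fi

    # 2. Key/cert consistency: the public key in the cert must equal the key's.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; status=1
    fi

    # 3. Lifetime: a certificate valid past its CA's notAfter stops validating the
    #    day the CA expires (the guide signs the client cert for 36525 days under
    #    a 365-day CA, which this check flags).
    if [ "$(cert_expiry_day "$cert")" -gt "$(cert_expiry_day "$ca")" ]; then
        echo "FAIL: $cert expires after $ca"; status=1
    fi
    return $status
}

# check_pki [DIR]: run check_pair for the server and client pairs in DIR.
check_pki() {
    dir=${1:-/etc/openvpn}; rc=0
    check_pair "$dir/ca.pem" "$dir/server-cert.pem" "$dir/server-key.pem" || rc=1
    check_pair "$dir/ca.pem" "$dir/client-cert.pem" "$dir/client-key.pem" || rc=1
    [ "$rc" -eq 0 ] && echo "OK: PKI in $dir is consistent"
    return $rc
}

# Usage on the server: sh pki-check.sh --run [/etc/openvpn]
[ "${1:-}" = "--run" ] && check_pki "${2:-/etc/openvpn}"
```

Run it as root on the server with `sh pki-check.sh --run` after the client certificate step; a non-zero exit means one of the pairs will be rejected at connect time or will stop working when the CA expires, so fix the PKI before copying client.ovpn anywhere.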

Create /etc/openvpn/client.ovpn with the following

client
nobind
dev tun
redirect-gateway def1 bypass-dhcp
remote $YOUR_SERVER_IP 1194 udp # Use your server IP address
comp-lzo yes

<key>
# Insert the contents of /etc/openvpn/client-key.pem
</key>
<cert>
# Insert the contents of /etc/openvpn/client-cert.pem
</cert>
<ca>
# Insert the contents of /etc/openvpn/ca.pem
</ca>
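Rather than pasting the three PEM files into the profile by hand, the script below assembles client.ovpn with the <key>, <cert> and <ca> blocks inlined from the guide's files. It is an added example, not part of the original guide: the function names and the 203.0.113.10 address in the usage line are its own, and it assumes the guide's file names in /etc/openvpn. The profile is written with mode 0600 because it embeds the client's private key.

```shell
#!/bin/sh
# make-client-ovpn.sh: write client.ovpn with the key, certificate and CA inlined,
# so nothing has to be pasted by hand. Added example, not part of the original guide.
# Assumes the guide's file names (client-key.pem, client-cert.pem, ca.pem) in DIR.

# build_client_config SERVER_IP [DIR]: print the profile on stdout.
build_client_config() {
    server_ip=$1; dir=${2:-/etc/openvpn}
    for f in client-key.pem client-cert.pem ca.pem; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # Same directives as the guide's client.ovpn; the <key>/<cert>/<ca> blocks
    # carry the PEM files verbatim, which is what OpenVPN's inline syntax expects.
    cat <<EOF
client
nobind
dev tun
redirect-gateway def1 bypass-dhcp
remote $server_ip 1194 udp
comp-lzo yes
<key>
$(cat "$dir/client-key.pem")
</key>
<cert>
$(cat "$dir/client-cert.pem")
</cert>
<ca>
$(cat "$dir/ca.pem")
</ca>
EOF
}

# write_client_config SERVER_IP OUT [DIR]: write the profile to OUT with mode 0600
# (it contains the private key); on any error no partial file is left behind.
write_client_config() {
    server_ip=$1; out=$2; dir=${3:-/etc/openvpn}
    if ( umask 077 && build_client_config "$server_ip" "$dir" > "$out" ); then
        chmod 600 "$out"
    else
        rm -f "$out"; return 1
    fi
}

# Usage on the server: sh make-client-ovpn.sh 203.0.113.10 /root/client.ovpn [/etc/openvpn]
[ $# -ge 2 ] && write_client_config "$1" "$2" "${3:-/etc/openvpn}"
```

The profile is generated into a path you choose rather than into /etc/openvpn, so the server's own OpenVPN instance never picks it up and the file with the embedded key can be removed from the server once it has been copied to the client.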

Enable net.ipv4.ip_forward

This is a sysctl setting which tells the server’s kernel to forward traffic from client devices out to the Internet. Otherwise, the traffic will stop at the server. Enable packet forwarding during runtime by entering this command:

echo 1 > /proc/sys/net/ipv4/ip_forward

We need to make this permanent so the server still forwards traffic after a reboot. Open /etc/sysctl.conf in your editor and make sure the following line is uncommented.

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Iptables

To let the clients' traffic out through the server, add a source-NAT rule for the VPN subnet and save the ruleset:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source $YOUR_SERVER_IP
iptables-save > /etc/iptables.conf

Create /etc/network/if-up.d/iptables with the following contents and save it, so the rule is restored whenever an interface comes up.

#!/bin/sh
iptables-restore < /etc/iptables.conf

Make sure it is executable:

chmod +x /etc/network/if-up.d/iptables
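The failure mode these two steps guard against, clients that connect but cannot reach anything past the server, usually comes down to one of these settings being missing. The script below is an added example, not part of the original guide (the function names are its own): it checks that the ip_forward knob is 1 and that the saved ruleset contains a POSTROUTING rule in the nat table that SNATs or masquerades the VPN subnet. Both paths are parameters, so the same checks run against the live system or against saved copies of the files.

```shell
#!/bin/sh
# vpn-egress-check.sh: verify the two settings clients need to reach the Internet
# through the server: IPv4 forwarding on, and source NAT for the VPN subnet.
# Added example, not part of the original guide. Paths are parameters so the same
# checks run against the live system or against saved copies of the files.

# check_ip_forward [FILE]: true when the kernel knob (or a saved copy of it) is 1.
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# check_nat_rule SUBNET [DUMP]: true when DUMP (iptables-save output, default
# /etc/iptables.conf, "-" for stdin) has a POSTROUTING rule in the nat table that
# SNATs or masquerades SUBNET. Only the "*nat" ... "COMMIT" block is searched, so
# the same rule text in another table does not count.
check_nat_rule() {
    subnet=$1; dump=${2:-/etc/iptables.conf}
    esc=$(printf '%s' "$subnet" | sed 's/\./\\./g')   # make the dots literal in the regex
    sed -n '/^\*nat$/,/^COMMIT$/p' "$dump" 2>/dev/null |
        grep -E "^-A POSTROUTING .*-s $esc .*-j (SNAT|MASQUERADE)" >/dev/null
}

# check_egress SUBNET [IP_FORWARD_FILE] [DUMP]: run both checks, report each one,
# and return 0 only when both pass.
check_egress() {
    subnet=$1; rc=0
    if check_ip_forward "${2:-}"; then
        echo "OK: net.ipv4.ip_forward=1"
    else
        echo "FAIL: net.ipv4.ip_forward is not 1; clients reach the server but nothing beyond it"; rc=1
    fi
    if check_nat_rule "$subnet" "${3:-}"; then
        echo "OK: nat POSTROUTING rule for $subnet present"
    else
        echo "FAIL: no SNAT/MASQUERADE rule for $subnet in nat POSTROUTING; replies cannot return to the tunnel"; rc=1
    fi
    return $rc
}

# Usage on the server: sh vpn-egress-check.sh 10.8.0.0/24
# Against the live ruleset instead of the saved file:
#   iptables-save | sh vpn-egress-check.sh 10.8.0.0/24 /proc/sys/net/ipv4/ip_forward -
[ $# -ge 1 ] && check_egress "$@"
```

Run it after the reboot-persistence steps as well as right after the manual commands: the saved file and the live ruleset can drift apart, and the script takes either.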

Restart Service

service openvpn restart

Copy client.ovpn (in /etc/openvpn) to your client and import it into the OpenVPN GUI. The file contains the client's private key, so transfer it over a channel you trust (scp, not e-mail) and remove any spare copies from the server.