Personal VPN Server (OpenVPN)

Internet providers are collecting more and more data about our online activity, so what can we do about it?

Do you want secure access to your home servers, NAS and other devices?

A Virtual Private Network, aka VPN, is a solution for both needs!


1. Installation

apt-get install openvpn easy-rsa

2. OpenVPN configuration

touch /etc/openvpn/server.conf

#edit /etc/openvpn/server.conf 
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
cipher AES-256-CBC
# comp-lzo has been deprecated since OpenVPN 2.4 and compressing traffic inside TLS
# is a known risk (VORACLE); omit it unless a legacy client requires it
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

3. Some system tweaks

# enable IPv4 forwarding right now (takes effect immediately, but is lost on reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward

#edit /etc/sysctl.conf (makes the setting persistent across reboots)
net.ipv4.ip_forward=1

4. Installation and configuration of a firewall tool (so you don't need to be an iptables ninja)

apt-get install ufw

ufw allow 1194/udp

#edit /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

#edit /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to eth0. Masquerade only the VPN subnet declared by
# the "server" directive (10.8.0.0/24), not the whole 10.0.0.0/8 range; replace eth0 with
# the name of your WAN interface if it differs
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter

ufw enable
ufw status | grep '1194/udp'


5. Generate the CA, certs and keys for the server

cp -r /usr/share/easy-rsa/ /etc/openvpn 
mkdir /etc/openvpn/easy-rsa/keys 

#edit /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="COUNTRY"
export KEY_PROVINCE="PROVINCE"
export KEY_CITY="CITY"
export KEY_ORG="ORGANIZATION"
export KEY_EMAIL="email@"
export KEY_OU="Organization Unit"
# X509 Subject Field (key name)
export KEY_NAME="server"

openssl dhparam -out /etc/openvpn/dh2048.pem 2048 

cd /etc/openvpn/easy-rsa 
. ./vars
./clean-all
./build-ca 

We have now prepared the environment to generate, sign and distribute our certificates with our own CA (Certificate Authority).

Let's finish the fun with the certs:

cd /etc/openvpn/easy-rsa
./build-key-server server 
# leave password and 'company name' empty
Sign the certificate?
Y

Copy the server certificate, server key and CA certificate into place:

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn


Then check that OpenVPN still starts (if it does not, make sure there is no typo in the config file and that the files were copied to the correct location):

service openvpn start
service openvpn status


6. Creating certs and keys for clients

cd /etc/openvpn/easy-rsa
./build-key client1 
# leave password and 'company name' empty
Sign the certificate? Y

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn 
#edit /etc/openvpn/easy-rsa/keys/client.ovpn 
client
dev tun
proto udp
# replace ip_serwera with the public IP address or hostname of your server
remote ip_serwera 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
# must match the server; see the comp-lzo note in the server config
comp-lzo
verb 3

Attention: the user/group directives are not compatible with the Windows client.

The client config file is still missing the cert/key material 🙂, and there are two ways to supply it:


7a. Unified config file (one file to rule them all)

echo '<ca>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn
echo '</ca>' >> /etc/openvpn/easy-rsa/keys/client.ovpn 

# the files are named after the argument given to ./build-key above (client1)
echo '<cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
cat /etc/openvpn/easy-rsa/keys/client1.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn
echo '</cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn

echo '<key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
cat /etc/openvpn/easy-rsa/keys/client1.key >> /etc/openvpn/easy-rsa/keys/client.ovpn
echo '</key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn

7b. If you would rather not embed the certs in the profile, add these lines to client.ovpn instead and copy ca.crt, client1.crt and client1.key alongside it:

ca ca.crt
cert client1.crt
key client1.key
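Building the unified profile from 7a by hand with echo and cat is easy to get wrong (wrong file names, leftover ca/cert/key directives, a world-readable file that contains the private key). The script below is an added example and not part of the original post: it takes the base client config and the three PEM files as arguments, checks that each file holds exactly one PEM block, drops the file-based directives, writes the profile with mode 600, and also produces the Windows variant without the user/group lines mentioned in section 6. The function names and all file names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): assemble a unified OpenVPN
# client profile with sanity checks. All paths are passed as arguments.

# pem_ok FILE TYPE: succeed only if FILE holds exactly one BEGIN/END block of TYPE.
# TYPE is matched loosely, so "PRIVATE KEY" accepts both PKCS#8 and "RSA PRIVATE KEY".
pem_ok() {
    [ -s "$1" ] || return 1
    [ "$(grep -c -e "^-----BEGIN .*$2-----\$" "$1")" -eq 1 ] || return 1
    [ "$(grep -c -e "^-----END .*$2-----\$" "$1")" -eq 1 ]
}

# inline_block TAG FILE OUT: append FILE to OUT wrapped in <TAG> ... </TAG>
inline_block() {
    { echo "<$1>"; cat "$2"; echo "</$1>"; } >> "$3"
}

# build_unified_profile BASE CA CERT KEY OUT
build_unified_profile() {
    base=$1 ca=$2 cert=$3 key=$4 out=$5
    [ -f "$base" ] || { echo "missing base config: $base" >&2; return 1; }
    pem_ok "$ca" CERTIFICATE    || { echo "bad CA cert: $ca" >&2; return 1; }
    pem_ok "$cert" CERTIFICATE  || { echo "bad client cert: $cert" >&2; return 1; }
    pem_ok "$key" "PRIVATE KEY" || { echo "bad client key: $key" >&2; return 1; }
    # The output embeds the private key: create it readable by the owner only.
    ( umask 077; : > "$out" ) && chmod 600 "$out"
    # File-based ca/cert/key directives would conflict with the inline blocks; drop them.
    grep -v -E '^[[:space:]]*(ca|cert|key)[[:space:]]' "$base" >> "$out"
    inline_block ca   "$ca"   "$out"
    inline_block cert "$cert" "$out"
    inline_block key  "$key"  "$out"
}

# profile_for_windows IN OUT: the user/group privilege-drop directives are not
# supported by the Windows client, so strip them from a copy of the profile.
profile_for_windows() {
    grep -v -E '^[[:space:]]*(user|group)[[:space:]]' "$1" > "$2"
}
```

Before handing the profile out, `openssl verify -CAfile ca.crt client1.crt` confirms that the client certificate was actually signed by the CA you just built.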
