Sam - September 20, 2016
OpenVPN is a mature, heavily scrutinised VPN protocol that is easy to set up and supported on all major platforms. Unlike IKEv2, whose built-in client support varies from platform to platform, OpenVPN has clients for Mac OS X, Windows, Linux, Android, Windows Phone and more.
This guide works on any Ubuntu machine, but I'll specifically be setting it up on Vultr.com, a competitor to DigitalOcean whose cloud instances come with slightly higher specifications. I will write another article showing the main differences between the two.
I will be using Ubuntu 16.04 x64 on the $5 per month plan, which includes 768 MB of RAM and 1 TB of bandwidth per month, more than enough for a personal VPN.
Since this is a brand new server, it's good practice to refresh the package lists and upgrade everything before installing anything, so you are not building on packages with known vulnerabilities:
sudo apt-get -y update && sudo apt-get -y upgrade
Now let's install OpenVPN and easy-rsa, the set of scripts we'll use to generate the certificate authority and the server certificate:
sudo apt-get -y install openvpn easy-rsa
You don't need a DNS server such as bind9 on the box: clients are pushed Google's resolvers below, and a public host should not run network daemons it doesn't use.
Paste everything below into the file /etc/openvpn/server.conf
server 10.8.0.0 255.255.255.0
port 443
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh dh2048.pem
keepalive 10 30
comp-lzo
persist-key
persist-tun
# drop root once the tun device, keys and log files are open
user nobody
group nogroup
status openvpn-status.log 20
status-version 2
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Username and Password authentication.
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
verb 4
log-append /var/log/openvpn.log
A few things worth knowing about this file.
The server line is the private subnet OpenVPN hands out inside the tunnel, not your instance's public address. With 10.8.0.0 255.255.255.0 (the OpenVPN sample default) the server takes 10.8.0.1 on tun0 and clients get addresses from the rest of the range. Any unused RFC 1918 /24 works, but never use the public /24 your instance sits in: that would put the tunnel on the same network as the provider's gateway and break the server's own routing. Also avoid a range your home or office LAN already uses, or redirect-gateway will fight with it.
Your instance's public IP is only needed later, in the client profile. You can read it from the Vultr control panel, or print the address the server uses to reach the internet with:
ip route get 8.8.8.8 | awk '{print $NF; exit}'
(On newer versions of iproute2 the last field of that line is a uid rather than the address; if you get a small number back, read the value after "src" instead.)
The ca, cert, key and dh paths are relative to /etc/openvpn, the directory the Ubuntu service starts OpenVPN in; they match where easy-rsa will put the files below.
user nobody and group nogroup make OpenVPN drop root after it has opened the tun device, keys and log files. This is safe with the PAM plugin, which forks a privileged helper at startup so password checks keep working after the drop.
client-cert-not-required together with the PAM plugin means a username and password are the only credential. Note that the login PAM service accepts any ordinary local account that has a password, not just the VPN user created later, and that a guessed password is all an attacker needs. tls-auth (a pre-shared HMAC key on the control channel) and per-client certificates are the usual next steps if you want more than that.
OpenVPN 2.3, the version in Ubuntu 16.04, defaults to the Blowfish cipher (BF-CBC) for the data channel. If you want a modern one, add cipher AES-256-CBC and auth SHA256 to this file and to the client profile; the two sides must match.
Let's copy across the easy-rsa generation files and move into that directory, since the scripts expect to be run from there:
cp -r /usr/share/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa
You can edit the variables in /etc/openvpn/easy-rsa/vars (KEY_COUNTRY, KEY_ORG, KEY_EMAIL and friends are the defaults you'll see in the prompts below; KEY_SIZE is the RSA key length and CA_EXPIRE / KEY_EXPIRE the certificate lifetimes), but this is not required and since we want to set this up as quickly as possible we will skip editing it. It does have to be loaded into the shell before any of the scripts will run, otherwise clean-all stops with "Please source the vars script first":
source ./vars
Now generate the Diffie-Hellman parameters:
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
This will take some time and will output numerous dots and + signs.
Now run
./clean-all && ./build-ca
clean-all wipes and recreates /etc/openvpn/easy-rsa/keys, so only run it once, at the start; build-ca creates the CA key and certificate in that directory.
You will be asked for a handful of values (the DN fields from vars); you can just keep pressing Enter to accept the defaults shown in brackets. The resulting ca.key is what signs every certificate this VPN trusts: leave it on the server, and don't confuse it with ca.crt when building the client profile later.
root@vpn-tutorial:/etc/openvpn/easy-rsa# ./build-ca
Generating a 2048 bit RSA private key
............................+++
..........+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
Next let's generate the server certificate and key (server.crt and server.key in the keys directory):
./build-key-server server
Just like above, you can keep pressing ENTER to accept the defaults. The only additional prompts are the certificate request's "extra" attributes (challenge password, company name), which you can leave blank, and the two y/n questions at the end to sign and commit the certificate. Leave the Common Name as "server"; it is what the certificate identifies the VPN server as.
Output:
root@vpn-tutorial:/etc/openvpn/easy-rsa# ./build-key-server server
Generating a 2048 bit RSA private key
....................................................+++
........+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Sep 18 06:16:20 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
When it asks you if you want to
Sign the certificate? [y/n]
Choose yes (enter y)
1 out of 1 certificate requests certified, commit? [y/n]
Choose yes (enter y)
We need to add one iptables rule that NATs tunnel traffic out of your primary network interface.
You will need to know what your interface name is, which you can get from ifconfig (or ip link); the command below reads it from the route to 8.8.8.8 so you don't have to type it:
iptables -t nat -A POSTROUTING -o `ip route get 8.8.8.8 | awk '{ print $5; exit }'` -j MASQUERADE
Now we have to enable IP forwarding by executing the following command:
sudo sysctl -w net.ipv4.ip_forward=1
Both of these are lost on reboot: put net.ipv4.ip_forward=1 in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and save the NAT rule with the iptables-persistent package, otherwise the VPN will connect but pass no traffic after the next restart.
Now we simply need to add a user to our server. Since we are authenticating with PAM (the Linux user system) we can use the built-in user management. The account only ever needs a password for the VPN, so give it no login shell; that way the same password cannot also be used to SSH in.
Add the user by typing:
useradd -s /usr/sbin/nologin vpnusername
Now set a password:
passwd vpnusername
Enter the password twice for confirmation. This password is the only thing protecting the VPN, so make it long and random.
Output:
root@vpn-tutorial:/etc/openvpn# passwd vpnusername
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
The last server-side step is to (re)start the service so it picks up server.conf:
service openvpn restart
On Ubuntu 16.04 this is handled by systemd; the explicit per-config form, which also starts the tunnel at boot, is systemctl enable openvpn@server followed by systemctl start openvpn@server (the instance name is the .conf filename without its extension). If the service doesn't come up, /var/log/openvpn.log has the reason.
You can get a full list of commands by typing the same as here:
root@vpn-tutorial:/etc/openvpn# service openvpn
Usage: /etc/init.d/openvpn {start|stop|reload|restart|force-reload|cond-restart|soft-restart|status}
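The whole server-side procedure above, collected into re-runnable shell functions, as an added example that is not part of the original post. It assumes Ubuntu 16.04, that the easy-rsa CA and server certificate have already been generated under /etc/openvpn/easy-rsa/keys as described, a tunnel subnet of 10.8.0.0/24 (an assumption; any unused RFC 1918 /24 works), and the file names /etc/sysctl.d/99-openvpn.conf and openvpn-server.sh, which are mine. The subnet check rejects the one mistake that is easy to make here, handing OpenVPN the instance's public /24 instead of a private range, and the NAT rule is added only if it is not already present and is limited to tunnel clients.

```shell
#!/bin/sh
# Added example, not from the original post: server-side steps as functions.
# Assumes Ubuntu 16.04, easy-rsa keys already in /etc/openvpn/easy-rsa/keys,
# and a 10.8.0.0/24 tunnel subnet (assumption; any unused RFC 1918 /24 works).
set -eu

# 0 if the dotted quad is in 10/8, 172.16/12 or 192.168/16, else 1.
is_rfc1918() {
    local ip="$1" oldifs a b o
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    a=$1; b=$2
    [ "$a" -eq 10 ] && return 0
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
    return 1
}

# Write server.conf for the given tunnel subnet. Refuses a non-private
# subnet: the instance's public /24 would put the tunnel on the same
# network as the provider's gateway and break routing.
write_server_conf() {
    local subnet="$1" out="$2"
    if ! is_rfc1918 "$subnet"; then
        echo "refusing tunnel subnet $subnet: use an RFC 1918 /24 such as 10.8.0.0" >&2
        return 1
    fi
    cat >"$out" <<EOF
server $subnet 255.255.255.0
port 443
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh dh2048.pem
keepalive 10 30
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log 20
status-version 2
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
verb 4
log-append /var/log/openvpn.log
EOF
}

# Interface carrying the default route, read by field name rather than
# position so newer iproute2 output (which appends fields) still parses.
default_iface() {
    ip -4 route get 8.8.8.8 | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i+1); exit}}'
}

# Make forwarding and NAT survive a reboot; "sysctl -w" and a bare iptables
# rule are both gone after the next boot. Root only.
persist_forwarding_and_nat() {
    local iface="$1" subnet="$2"
    printf 'net.ipv4.ip_forward = 1\n' >/etc/sysctl.d/99-openvpn.conf
    sysctl -p /etc/sysctl.d/99-openvpn.conf
    # -C tests for the rule first so re-running never adds a duplicate;
    # -s limits NAT to tunnel clients instead of anything leaving the host.
    iptables -t nat -C POSTROUTING -s "$subnet/24" -o "$iface" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$subnet/24" -o "$iface" -j MASQUERADE
    # the iptables-persistent package restores saved rules at boot
    if command -v netfilter-persistent >/dev/null 2>&1; then
        netfilter-persistent save
    fi
}

# The VPN account only needs a password for PAM; give it no home and no shell.
add_vpn_user() {
    local name="$1"
    id "$name" >/dev/null 2>&1 || useradd -M -s /usr/sbin/nologin "$name"
    passwd "$name"
}

# Usage (as root): sh openvpn-server.sh apply [vpnusername]
if [ "${1:-}" = "apply" ]; then
    write_server_conf 10.8.0.0 /etc/openvpn/server.conf
    persist_forwarding_and_nat "$(default_iface)" 10.8.0.0
    add_vpn_user "${2:-vpnusername}"
    systemctl enable openvpn@server && systemctl restart openvpn@server
fi
```

Nothing runs unless the script is invoked with apply, so the functions can be sourced and tried individually first; write_server_conf can be pointed at a scratch file to see what it would produce before touching /etc/openvpn.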
We are going to use Homebrew on Mac OS X; if you don't have it, the one-line install command is on its homepage:
http://brew.sh/
Now that you have it installed simply install the openvpn package by typing
brew install openvpn
You won’t need to answer any prompts but this will take some time to complete
Once this has been completed, or while it is running (if you want to save time) we will need to create our .ovpn configuration file.
This is a simple file with some parameters that openvpn will read to connect to our server.
Copy this to a local file on your Desktop and name it “myconnection.ovpn” (or whatever you want)
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
route-method exe
route-delay 2
pull
auth-user-pass
# only accept a certificate our CA issued for server use
remote-cert-tls server
setenv opt block-outside-dns
remote YOUR_IP_ADDRESS 443
<ca>
YOUR_CERTIFICATE
</ca>
Now you just need to replace two placeholders inside this file.
Replace YOUR_IP_ADDRESS with the server's public IP address (your Vultr instance IP). This is the only place the public address goes; it has nothing to do with the tunnel subnet in server.conf.
Replace YOUR_CERTIFICATE with the contents of /etc/openvpn/easy-rsa/keys/ca.crt. Be careful to copy ca.crt and not ca.key, which sits in the same directory: the certificate is public and safe to put on every device, the key signs everything the VPN trusts and must never leave the server.
Two notes on the options: remote-cert-tls server makes the client refuse any certificate that wasn't issued for server use, so a client certificate (should you ever add them) can't be used to impersonate the server; and block-outside-dns is a Windows-only option, so on Mac OS X it produces an "Unrecognized option" line in the connection output, which the setenv opt prefix turns from a fatal error into a warning.
You can get the certificate by typing the following command on your server
output:
root@vpn-tutorial:~# cat /etc/openvpn/easy-rsa/keys/ca.crt
-----BEGIN CERTIFICATE-----
MIIFEjCCA/qgAwIBAgIJAJZj4+fW7xL3MA0GCSqGSIb3DQEBCwUAMIG2MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p
dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw
HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wHhcNMTYwOTIwMDYxMzM1
WhcNMjYwOTE4MDYxMzM1WjCBtjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUw
EwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZvcnQtRnVuc3RvbjEdMBsG
A1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNVBAMTD0ZvcnQtRnVuc3Rv
biBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0
Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvMITXeTp
ediiQpPjHMRPiKO9t9ZnWn1uSZA+y3lmQvz2NstHAJLsi+5JtvehvHDWDE3HMumr
cuRvoAzNPymytBWtQAq5eIXQ1XOGaWWEyNx4phHnVWJVdPwPn+o/GQWv8tXDa58C
XWWxGuq2yQVAklnAQlitdvE6LEZ3NL+xbUDT6UdhINksLHjgr6IwO7DgOh6ZN1lI
Mqr47O3XRnFtBp3MkK7b8mrnzpOTKsV9NLhHBpeiOtTTjYfdDBFJdP4oHBaAL5WH
sw5F+l2ACnS/Zu4Bm/drKQjznKdZmqF9K2v7/vwa5RupuLgZcIpY0YIeIdyGtzng
Glu1haSuSY3yxQIDAQABo4IBHzCCARswHQYDVR0OBBYEFPFBeY4LRhqNgqbPnfF2
wrISluyRMIHrBgNVHSMEgeMwgeCAFPFBeY4LRhqNgqbPnfF2wrISluyRoYG8pIG5
MIG2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5j
aXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXph
dGlvbmFsVW5pdDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdF
YXN5UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQCWY+Pn
1u8S9zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAJDgA9b1Axxum8
j/bSdHuh/HP+drTUIUqMdOEwlrexs7Z8nEptmCvpTI/fIMqsFD95tYwZ9KTrjR0c
XfKHskV4BHQXu/uVr5H2AuJjtv0c9AP9zaiHejiiMW471p7iJrYI9Y1MaY5IAAnm
rChD2QvCTluJ0kcYj5FgEpYs0vYJHQbLngDhHIkrMFrSD8/QNZjYprw8JDuqPXx1
xg07pW6Bp6Qst6oJBs/OJrle4o7HgsQlGUIura1C9/9ENAxPwsIJ0Zvv+hz6IJv4
W6+/EYWa6sXy1LSeG7G5QPBTJGMSh4FqYHVdxMszrCK1rQTJJJ0mS9AClFnbzUl0
QvWY7SAB
-----END CERTIFICATE-----
Now save the file
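Building the .ovpn on the server instead of pasting the certificate by hand, as an added example that is not part of the original post. It inlines ca.crt automatically, refuses to proceed if the file it is handed is a private key (ca.key lives next to ca.crt, and pasting it publishes your CA key to every device the profile is copied to), keeps only the PEM block in case the file also carries a text dump, and leaves out the Windows-only block-outside-dns line. The function and script names are mine; the profile otherwise matches the one above.

```shell
#!/bin/sh
# Added example, not from the original post: generate the client profile on
# the server with ca.crt inlined. Names (make_ovpn, public_ip) are mine.
set -eu

# Print the profile to stdout. Refuses anything that is not a certificate,
# so ca.key can never be inlined by mistake.
make_ovpn() {
    local server_ip="$1" ca_file="$2"
    if grep -q 'PRIVATE KEY' "$ca_file"; then
        echo "refusing: $ca_file contains a private key, inline ca.crt instead" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$ca_file"; then
        echo "refusing: $ca_file does not look like a PEM certificate" >&2
        return 1
    fi
    cat <<EOF
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
route-method exe
route-delay 2
pull
auth-user-pass
# only accept a certificate our CA issued for server use
remote-cert-tls server
remote $server_ip 443
<ca>
EOF
    # keep only the PEM block; certificates written by "openssl ca" carry a
    # human-readable dump above it that OpenVPN would choke on inside <ca>
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca_file"
    echo '</ca>'
}

# Address this host uses to reach the internet, read from the route to a
# well-known IP by field name so newer iproute2 output still parses.
public_ip() {
    ip -4 route get 8.8.8.8 | awk '{for (i = 1; i <= NF; i++) if ($i == "src") {print $(i+1); exit}}'
}

# Usage (on the server): sh make-ovpn.sh build [myconnection.ovpn]
if [ "${1:-}" = "build" ]; then
    make_ovpn "$(public_ip)" /etc/openvpn/easy-rsa/keys/ca.crt >"${2:-myconnection.ovpn}"
fi
```

Copy the resulting file to your Mac with scp; the profile contains only public material plus the server address, so it is safe to move around, but the username and password still have to be typed at connect time.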
Great, assuming everything has gone to plan we're now ready to connect to our personal OpenVPN server.
On your local computer you can initiate the connection by typing:
sudo openvpn --config ~/Desktop/myconnection.ovpn
You will probably first be prompted for your password since we are executing with sudo; enter your local OS X password here.
Then you will be prompted for the VPN username and password, in our case vpnusername and whatever password you chose previously.
sbook:~ scross$ sudo openvpn --config ~/Desktop/myconnection.ovpn
Tue Sep 20 16:07:39 2016 Unrecognized option or missing parameter(s) in myconnection.ovpn:14: block-outside-dns (2.3.10)
Tue Sep 20 16:07:39 2016 OpenVPN 2.3.10 x86_64-apple-darwin15.2.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jan 6 2016
Tue Sep 20 16:07:39 2016 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
Enter Auth Username:vpnusername
Enter Auth Password:
There will then be a bunch more messages. The first line of the output above, the "Unrecognized option ... block-outside-dns" warning, is expected on a Mac for that Windows-only option. Some later lines look like errors, such as:
"ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address"
You can safely ignore this one: it is OpenVPN removing an address from the tun interface that was never assigned in the first place. The line to look for is "Initialization Sequence Completed", which tells you the tunnel is up.
Now load up your web browser and visit http://www.ipchicken.com; you should see your server / cloud instance IP address instead of your usual IP.
One caveat on DNS: the dhcp-option DNS lines the server pushes are only applied automatically on Windows. The command-line client on Mac OS X merely exposes them to scripts, so your Mac keeps using its existing resolver (often your home router), and those lookups can travel outside the tunnel even though everything else goes through it. If that matters to you, use a client that applies pushed DNS, such as Tunnelblick, and run a DNS leak test after connecting.
Give yourself a pat on the back if it was your first time setting up a VPN server and connecting.
If you have any issues at all setting it up, just comment below and we can troubleshoot it together.