Sam - September 20, 2016

How to Install OpenVPN in 15 minutes on Vultr.com and Connect using OSX

Introduction

OpenVPN is pretty much the most secure protocol available that is easy to set up and widely supported across all major devices. Unlike other protocols such as IKEv2, you’ll find that OpenVPN is supported on Mac OSX, Windows, Linux, Android, Windows Phone, etc.

Vultr.com

These guys are competitors to DigitalOcean and provide slightly higher specifications with their cloud instances. I will write another article showing the main differences between the two.

Let’s get started

This guide can be used on any Ubuntu platform but I’ll specifically be talking about setting up on Vultr.com (competitor to DigitalOcean).

Step 1 – Create your cloud instance

I will be using Ubuntu 16.04 x64 on the $5 per month plan, which includes 768 MB RAM and 1 TB bandwidth per month. That is more than enough for a personal VPN.


Step 2 – Update and install packages

Since this is a brand new server it’s always a good habit to update your repositories and make sure your packages are the latest versions available to minimize any security risks or outdated software.

sudo apt-get -y update && sudo apt-get -y upgrade

Now let’s install OpenVPN and the certificate generator (easy-rsa):

sudo apt-get -y install openvpn bind9 easy-rsa

Step 3 – Configure OpenVPN /etc/openvpn/server.conf

Paste everything below into the file /etc/openvpn/server.conf

In the next step we will replace the text IP_ADDRESS

server IP_ADDRESS 255.255.255.0
port 443
proto udp
dev tun
ca      easy-rsa/keys/ca.crt
cert    easy-rsa/keys/server.crt
key     easy-rsa/keys/server.key
dh      dh2048.pem
keepalive 10 30
comp-lzo
persist-key
persist-tun
status openvpn-status.log 20
status-version 2
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Username and Password authentication.
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
verb 4
log-append /var/log/openvpn.log

Now replace the part at the top that says IP_ADDRESS with your primary device’s IP address, changing the last octet to .0

You can do this in a single command like below:

ip route get 8.8.8.8 | awk '{print $NF; exit}' | sed 's/\.[0-9]*$/.0/'

Output:

45.32.109.0

Now replace this part:

server IP_ADDRESS 255.255.255.0

With this:

server 45.32.109.0 255.255.255.0
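
Before generating certificates, it is worth seeing which protections this server.conf does not enable. The following is an added example, not part of the original article: `audit_server_conf` and `has_directive` are names chosen here, and the sample file is constructed from the article's own lines.

```sh
# audit_server_conf FILE: print one finding per line for directives that
# weaken an OpenVPN server config (checks chosen for the server.conf above).

has_directive() {  # has_directive FILE NAME: true if NAME is an active directive
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

audit_server_conf() {
    conf=$1
    if has_directive "$conf" client-cert-not-required; then
        echo "client-cert-not-required: the PAM password is the only client credential"
    fi
    if has_directive "$conf" comp-lzo; then
        echo "comp-lzo: compression is deprecated upstream (VORACLE-style leaks)"
    fi
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "tls-auth: missing, so unauthenticated packets reach the TLS stack"
    fi
    if ! has_directive "$conf" cipher; then
        echo "cipher: missing, so OpenVPN 2.3 falls back to BF-CBC"
    fi
    if ! has_directive "$conf" user; then
        echo "user: missing, so the daemon keeps root after start-up"
    fi
}

# Constructed sample: the authentication-related lines of the server.conf above.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
port 443
proto udp
comp-lzo
# Username and Password authentication.
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
EOF

audit_server_conf "$sample_conf"
```

On the server, run it as `audit_server_conf /etc/openvpn/server.conf`.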

Step 3 – Certificate generation

Let’s copy across the easy-rsa generation files

cp -r /usr/share/easy-rsa/ /etc/openvpn/

You can edit the variables in /etc/openvpn/easy-rsa/vars, but this is not required, and since we want to set this up as quickly as possible we will skip it.

Now run the command:

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

This will take some time and will output numerous dots and + signs.

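Now switch to the easy-rsa directory, load its variables and run:

cd /etc/openvpn/easy-rsa && source ./vars
./clean-all && ./build-ca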

You will be asked to enter a bunch of values; you can just keep pressing Enter to use the defaults.

root@vpn-tutorial:/etc/openvpn/easy-rsa# ./build-ca
Generating a 2048 bit RSA private key
............................+++
..........+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Next let’s generate the server.key file

./build-key-server server

Just like above, you can keep pressing ENTER and use the default values. The only additional thing it will bring up is the certificate request; you can use the default values for this too.

Output:

root@vpn-tutorial:/etc/openvpn/easy-rsa# ./build-key-server server
Generating a 2048 bit RSA private key
....................................................+++
........+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Sep 18 06:16:20 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

When it asks you if you want to

Sign the certificate? [y/n]

Choose yes (enter y)

1 out of 1 certificate requests certified, commit? [y/n]

Choose yes (enter y)

Step 4 – iptables rules and more

We need to add one iptables rule that uses your primary network interface.

You will need to know what your interface name is, which you can get from ifconfig. Alternatively, use this command, which looks it up for you:

iptables -t nat -A POSTROUTING -o `ip route get 8.8.8.8 | awk '{ print $5; exit }'` -j MASQUERADE

Now we have to enable IP forwarding by executing the following command (the setting applies until the next reboot):

sudo sysctl -w net.ipv4.ip_forward=1
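
The two one-liners above pick fields from `ip route get` by position (`$NF` for the address, `$5` for the interface). Recent iproute2 releases append a `uid` field, and an on-link route has no `via` hop, so both positions can shift. The following is an added example, not from the original article, that looks the values up by keyword instead; the function names, the 203.0.113.x addresses and the `ens3` interface are constructed for illustration.

```sh
# route_field KEY: print the word that follows KEY on the first line of stdin.
route_field() {
    awk -v key="$1" 'NR == 1 { for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# to_slash24 ADDR: print ADDR with its last octet set to 0; fail on anything
# that is not a dotted-quad IPv4 address.
to_slash24() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          print $1 "." $2 "." $3 ".0" }'
}

# Build the two lines the article derives from the route (both read stdin).
server_line() { echo "server $(to_slash24 "$(route_field src)") 255.255.255.0"; }
nat_rule()    { echo "iptables -t nat -A POSTROUTING -o $(route_field dev) -j MASQUERADE"; }

# Constructed samples of `ip route get 8.8.8.8` output.
OLD_FMT='8.8.8.8 via 203.0.113.1 dev ens3  src 203.0.113.25'
NEW_FMT='8.8.8.8 via 203.0.113.1 dev ens3 src 203.0.113.25 uid 0'
ONLINK='8.8.8.8 dev ens3 src 203.0.113.25 uid 0'

for sample in "$OLD_FMT" "$NEW_FMT" "$ONLINK"; do
    echo "$sample" | server_line
    echo "$sample" | nat_rule
done
```

On the live server the input comes from the real command, for example `ip route get 8.8.8.8 | nat_rule`, which prints the rule for review rather than applying it.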

Step 5 – Add a user

Now we simply need to add a user to our server. Since we are authenticating with PAM (the Linux user system), we can just use the built-in user management system.

Add the user by typing:

useradd vpnusername

Now set a password:

passwd vpnusername

Enter the password twice for confirmation

Output:

root@vpn-tutorial:/etc/openvpn# passwd vpnusername
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Great. We are almost done!

The last two things we need to do are:

Restart OpenVPN service

Run this command to restart the service

service openvpn restart

You can get a full list of commands by typing the same as here:

root@vpn-tutorial:/etc/openvpn# service openvpn
Usage: /etc/init.d/openvpn {start|stop|reload|restart|force-reload|cond-restart|soft-restart|status}

Install OpenVPN on OSX and create our configuration file

We are going to use Homebrew for Mac OSX. If you don’t have it, you can install it with one command by visiting

http://brew.sh/

Now that you have it installed simply install the openvpn package by typing

brew install openvpn

You won’t need to answer any prompts but this will take some time to complete

Once this has been completed, or while it is running (if you want to save time) we will need to create our .ovpn configuration file.

This is a simple file with some parameters that openvpn will read to connect to our server.

Copy this to a local file on your Desktop and name it “myconnection.ovpn” (or whatever you want)

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
route-method exe
route-delay 2
pull
auth-user-pass
setenv opt block-outside-dns
remote YOUR_IP_ADDRESS 443
<ca>
YOUR_CERTIFICATE
</ca>

Now you just need to replace two variables inside this file

Replace YOUR_IP_ADDRESS with the server’s IP address (your Vultr instance IP).

Replace YOUR_CERTIFICATE with the ca.crt contents that are inside /etc/openvpn/easy-rsa/keys/ca.crt

You can get this by typing the following command on your server

cat /etc/openvpn/easy-rsa/keys/ca.crt

Output:

root@vpn-tutorial:~# cat /etc/openvpn/easy-rsa/keys/ca.crt
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

Now save the file
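
The two replacements above can be scripted so that only the public CA certificate ever ends up in the client file. The following is an added example, not part of the original article: `build_ovpn` is a name chosen here, the template is the one shown above, and the address and PEM bodies are constructed stand-ins.

```sh
# build_ovpn SERVER_IP CA_FILE: print a client profile with the CA certificate inlined.
build_ovpn() {
    server_ip=$1 ca_file=$2
    # Only the public CA certificate belongs in a client profile, never ca.key.
    if grep -q 'PRIVATE KEY' "$ca_file"; then
        echo "refusing: $ca_file contains a private key" >&2
        return 1
    fi
    if ! grep -q '^-----BEGIN CERTIFICATE-----$' "$ca_file"; then
        echo "refusing: $ca_file is not a PEM certificate" >&2
        return 1
    fi
    cat <<EOF
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
route-method exe
route-delay 2
pull
auth-user-pass
setenv opt block-outside-dns
remote $server_ip 443
<ca>
$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$ca_file")
</ca>
EOF
}

# Constructed stand-ins for the server's files (the bodies are not real key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$demo_dir/ca.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' > "$demo_dir/ca.key"

build_ovpn 203.0.113.25 "$demo_dir/ca.crt" > "$demo_dir/myconnection.ovpn"
build_ovpn 203.0.113.25 "$demo_dir/ca.key" || echo "ca.key rejected"
```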

We’re ready to connect!

Great, assuming that everything has gone to plan we’re now ready to connect to our personal OpenVPN server.

On our local computer you can initiate the connection by typing:

sudo openvpn --config ~/Desktop/myconnection.ovpn

You will probably be prompted first for your password since we are executing using sudo; enter your local OSX password here.

Then you will be prompted to enter your username and password; in our case it was vpnusername and whatever password you chose previously.

sbook:~ scross$ sudo openvpn --config ~/Desktop/myconnection.ovpn 
Tue Sep 20 16:07:39 2016 Unrecognized option or missing parameter(s) in myconnection.ovpn:14: block-outside-dns (2.3.10)
Tue Sep 20 16:07:39 2016 OpenVPN 2.3.10 x86_64-apple-darwin15.2.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jan  6 2016
Tue Sep 20 16:07:39 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Enter Auth Username:vpnusername
Enter Auth Password:

There will then be a bunch more messages; some will look like errors, such as:

"ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address"

You can safely ignore this, it is just OpenVPN doing its thing.

Finished!

Now load up your web browser and visit http://www.ipchicken.com. You should now see your server / cloud instance IP address instead of your usual IP.

Give yourself a pat on the back if it was your first time setting up a VPN server and connecting.

If you have any issues at all setting it up, just comment below and we can troubleshoot it together.
