How to Create a VPN Server with OpenVPN

Prerequisites

Log in to the ECS Cloud Console, create a new instance and choose Debian 9 as your Linux distribution. If you can’t find Debian 9 in the drop-down list, you have to change the instance type. For example, at the time of writing, on an “ecs.t5-lc2m1.nano” only Debian 8.9 is available, which is too old. 1GB of RAM will suffice.

Install OpenVPN

Update package manager information and apply all available upgrades:

apt update && apt upgrade
systemctl reboot
apt install openvpn easy-rsa

Public Key Infrastructure and Certificate Authorities

The public key infrastructure is too complex to describe in a short tutorial section, but it’s important to understand why it’s useful for OpenVPN. easy-rsa is a package that lets us create our own certificate authority (CA). The CA signs certificates with its private key, producing signatures that cannot be forged by anyone without access to that key. With these certificates the two parties can encrypt and decrypt traffic, authenticate each other, and sign and verify data, which is what establishes secure communication and trust between them (in our case, between client and server). The OpenVPN server will only allow clients with valid certificates, signed by our CA, to connect to it. Furthermore, it will encrypt data in such a way that only the client holding the private key belonging to that certificate can decrypt it. By checking signatures and fingerprints, clients can also validate the authenticity of the server they are connecting to. This helps avoid attacks such as “man in the middle”, where the connection gets hijacked and re-routed through an intermediary, which could then intercept and manipulate network traffic.

Create a Certificate Authority

Create the “ca” directory, copy the easy-rsa tools there and open the vars file:

make-cadir ca
cd ca
nano vars

Set the default values that will be placed in every certificate. Don't leave any of these fields blank:

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

Link the OpenSSL configuration that easy-rsa expects, load the variables, wipe any previous keys and build the CA (the prompts default to the values from vars):

ln -s openssl-1.0.0.cnf openssl.cnf
source vars
./clean-all
./build-ca

Generate Server and Client Certificates and Keys

Build a certificate for the VPN server, then the Diffie-Hellman parameters. When build-key-server prompts you, answer “y” to the last two questions so that the certificate gets signed:

./build-key-server server
./build-dh

Generate a client key (we’ll name it client1 here) and, just like above, be careful to answer “y” to the last two questions to sign the certificate:

./build-key client1

This key will be imported to the phones/computers that we want to authorize to connect to the OpenVPN server. If you’ll be generating multiple keys for multiple devices, you can choose descriptive names such as “iphone”, “homepc”, “worklaptop” for easier administration later on.

If you want to password protect the key, you can generate it with an alternate command:

./build-key-pass client1

Copy the server certificate and key, the CA certificate and the DH parameters to the OpenVPN configuration directory:

cp keys/server.crt /etc/openvpn/
cp keys/server.key /etc/openvpn/
cp keys/ca.crt /etc/openvpn/
cp keys/dh2048.pem /etc/openvpn/

Configure the OpenVPN Server

Extract the template configuration file and open it in an editor:

zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
nano /etc/openvpn/server.conf

Make the following changes. In each case the commented-out line (starting with “;”) is what the template contains, and the line below it is what it should look like after editing. First, route all client traffic through the VPN:

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1 bypass-dhcp"

Push DNS servers to the clients (the template uses OpenDNS):

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Drop the daemon's privileges after initialization:

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nogroup
user nobody
group nogroup

Save the file. Then enable HMAC packet authentication with SHA256, generate the tls-auth key that all clients will share, and start the server:

echo -e '\n#Enable HMAC\nauth SHA256' >> /etc/openvpn/server.conf
openvpn --genkey --secret /etc/openvpn/ta.key
systemctl start openvpn@server

Configure the Server to Route Our Internet Packets

The OpenVPN server will act as an intermediary between our client devices and the rest of the Internet. For it to be able to do this, we need to enable a few things, starting with IP forwarding:

echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/local.conf
sysctl --system

Next, find the name of the network interface that carries the default route (eth0 on our instance) and replace eth0 in the rules below if yours differs:

ip route

Add NAT for the VPN subnet (10.8.0.0/24, the default in server.conf) and allow forwarding between the tunnel and the Internet. The order matters: the final rule rejects everything that the rules above it did not explicitly accept:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j REJECT

Finally, install iptables-persistent so the rules are saved and restored at boot (answer “yes” when asked whether to save the current rules):

apt install iptables-persistent
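The rules above hardcode eth0 and, because iptables -A simply appends, running them a second time stacks duplicates. The script below, added as an example and not part of the original tutorial, parses the output of ip route for the default-route interface and appends each rule only when iptables -C reports it absent. It keeps the tighter of the two FORWARD accept rules (tun0 to the Internet interface, from the VPN subnet) and drops the broad -i tun0 -j ACCEPT, since the specific rule already covers VPN-to-Internet traffic. The subnet and tun device are the tutorial's defaults; the helper names, the dry-run stand-in for iptables and the constructed ip route listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: the NAT and forwarding
# rules from this section, applied without hardcoding the interface name and
# without creating duplicates when run twice. The subnet and tun device are the
# tutorial's defaults; the helper names, the dry-run stand-in for iptables and
# the sample "ip route" output are assumptions made for this example.
set -u
VPN_NET=${VPN_NET:-10.8.0.0/24}
TUN_DEV=${TUN_DEV:-tun0}
IPTABLES=${IPTABLES:-iptables}

# default_iface ROUTES: print the interface of the default route, given the
# text of "ip route" (passed as an argument so the parser can be tested).
default_iface() {
    printf '%s\n' "$1" |
        awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# rule_once TABLE CHAIN RULE...: append a rule only if it is not already
# present. "iptables -C" returns 0 when an identical rule exists, so a boot
# script or a second run never stacks duplicates.
rule_once() {
    table=$1; chain=$2; shift 2
    "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null ||
        "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# apply_forwarding_rules WAN: the tutorial's rules, in the same order. Order
# matters: the final REJECT catches everything not accepted above it.
apply_forwarding_rules() {
    wan=$1
    rule_once nat POSTROUTING -s "$VPN_NET" -o "$wan" -j MASQUERADE
    rule_once filter FORWARD -i "$TUN_DEV" -o "$wan" -s "$VPN_NET" -j ACCEPT
    rule_once filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule_once filter FORWARD -j REJECT
}

# dryrun_iptables ARGS...: stand-in for iptables that records "added" rules in
# $RULE_LOG, so that -C behaves like the real command. Set IPTABLES=dryrun_iptables
# to preview what would be applied.
dryrun_iptables() {
    key=$(printf '%s' "$*" | sed 's/ -[CA] / /')
    case " $* " in
        *" -C "*) grep -Fqx -- "$key" "$RULE_LOG" ;;
        *" -A "*) printf '%s\n' "$key" >> "$RULE_LOG" ;;
        *) echo "dryrun_iptables: unsupported arguments: $*" >&2; return 1 ;;
    esac
}

# demo: parse a constructed "ip route" listing, apply the rules twice against
# the dry-run stand-in and print how many distinct rules ended up recorded.
demo() {
    RULE_LOG=$(mktemp)
    IPTABLES=dryrun_iptables
    routes='default via 203.0.113.1 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.2'
    wan=$(default_iface "$routes")
    apply_forwarding_rules "$wan"
    apply_forwarding_rules "$wan"    # second run: -C finds every rule, nothing added
    wc -l < "$RULE_LOG" | tr -d ' '
}

# On the real server (as root): apply_forwarding_rules "$(default_iface "$(ip route)")"
echo "distinct rules recorded after two dry runs: $(demo)"
```

Because iptables -C matches the exact rule, this pattern is also safe to put in a boot-time script alongside iptables-persistent: a rule that was already restored is detected and not appended again.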

Generate Client Profiles (.ovpn Files)

“.ovpn” files will contain all the required information (settings, keys and certificates) to connect to the OpenVPN server. Still in the ca directory, create the directory where these files will be stored and start from the sample client configuration:

mkdir clientprofiles
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf clientprofiles/client1.ovpn
nano clientprofiles/client1.ovpn

Point the profile at your server's public IP address or hostname (203.0.113.2 stands in for it here). As before, the first block is what the template contains and the second is the edited version:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 203.0.113.2 1194
;remote my-server-2 1194

Comment out the references to separate certificate and key files, since we will embed them in the profile itself:

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key

Save the file, then append the HMAC setting and embed the client key, the client certificate, the CA certificate and the tls-auth key (the keys/ paths are relative to the ca directory):

echo -e '\n#Enable HMAC\nauth SHA256' >> clientprofiles/client1.ovpn
echo "<key>
`cat keys/client1.key`
</key>" >> clientprofiles/client1.ovpn
echo "<cert>
`cat keys/client1.crt`
</cert>" >> clientprofiles/client1.ovpn
echo "<ca>
`cat keys/ca.crt`
</ca>" >> clientprofiles/client1.ovpn
echo "<tls-auth>
`cat /etc/openvpn/ta.key`
</tls-auth>" >> clientprofiles/client1.ovpn
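The echo/cat appends above work, but they leave two details for the reader to handle by hand: the sample client.conf still carries a tls-auth ta.key 1 line pointing at a file the device will not have, and an inline tls-auth block has no place for that trailing direction flag, so the profile needs key-direction 1 instead. The script below, added here as an example and not part of the original tutorial, builds the whole profile in one function and then verifies that it is self-contained. The template path, keys directory, client name and server address are assumptions passed in as arguments; the demo runs on a constructed template excerpt and placeholder PEM text, not real keys.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: build a self-contained
# .ovpn profile from the pieces generated above and check the result. Paths and
# the server address are passed in as arguments; the demo runs on constructed
# placeholder PEM text, not real keys.
set -u

# build_profile TEMPLATE SERVER NAME KEYDIR TAKEY OUT
build_profile() {
    template=$1; server=$2; name=$3; keydir=$4; takey=$5; out=$6
    for f in "$template" "$keydir/ca.crt" "$keydir/$name.crt" "$keydir/$name.key" "$takey"; do
        [ -r "$f" ] || { echo "build_profile: cannot read $f" >&2; return 1; }
    done
    # 1. Point the profile at our server and drop the file-path directives; the
    #    material is embedded below, so the client must not look for the files.
    sed -e "s/^remote my-server-1 1194\$/remote $server 1194/" \
        -e '/^ca ca\.crt$/d' \
        -e '/^cert client\.crt$/d' \
        -e '/^key client\.key$/d' \
        -e '/^tls-auth ta\.key 1$/d' \
        "$template" > "$out"
    # 2. HMAC packet authentication, appended only once even if run repeatedly.
    grep -q '^auth SHA256$' "$out" || printf '\n# Enable HMAC\nauth SHA256\n' >> "$out"
    # 3. Embed the PEM material. An inline <tls-auth> block has no place for the
    #    direction flag, so "key-direction 1" replaces the "1" of "tls-auth ta.key 1".
    {
        printf 'key-direction 1\n'
        printf '<ca>\n';       cat "$keydir/ca.crt";    printf '</ca>\n'
        printf '<cert>\n';     cat "$keydir/$name.crt"; printf '</cert>\n'
        printf '<key>\n';      cat "$keydir/$name.key"; printf '</key>\n'
        printf '<tls-auth>\n'; cat "$takey";            printf '</tls-auth>\n'
    } >> "$out"
    chmod 600 "$out"   # the profile now contains a private key
}

# verify_profile OUT: 0 if the profile is self-contained, 1 otherwise.
verify_profile() {
    out=$1
    for tag in ca cert key tls-auth; do
        grep -q "^<$tag>\$" "$out" && grep -q "^</$tag>\$" "$out" || return 1
    done
    grep -q '^key-direction 1$' "$out" || return 1
    grep -q '^auth SHA256$' "$out" || return 1
    # no leftover references to files the client device will not have
    if grep -Eq '^(ca|cert|key|tls-auth) ' "$out"; then return 1; fi
    return 0
}

# demo: constructed template excerpt and placeholder key files, so the example
# runs offline; prints the path of the generated profile.
demo() {
    d=$(mktemp -d)
    mkdir "$d/keys"
    cat > "$d/client.conf" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
;remote my-server-2 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
verb 3
EOF
    for f in keys/ca.crt keys/client1.crt keys/client1.key ta.key; do
        printf -- '-----BEGIN PLACEHOLDER-----\nconstructed %s\n-----END PLACEHOLDER-----\n' "$f" > "$d/$f"
    done
    build_profile "$d/client.conf" 203.0.113.2 client1 "$d/keys" "$d/ta.key" "$d/client1.ovpn" || return 1
    printf '%s\n' "$d/client1.ovpn"
}

profile=$(demo) && verify_profile "$profile" && echo "self-contained profile written to $profile"
```

From the ca directory on the server, the tutorial's own inputs map onto build_profile /usr/share/doc/openvpn/examples/sample-config-files/client.conf SERVER_IP client1 keys /etc/openvpn/ta.key clientprofiles/client1.ovpn; the chmod 600 matters because the finished file carries the client's private key and the shared tls-auth key.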

Useful Links and Recommendations

OpenVPN client for the Windows platform: https://openvpn.net/index.php/open-source/downloads.html

Author: Alibaba Cloud, https://www.alibabacloud.com