How to Create a VPN Server with OpenVPN

Prerequisites

Install OpenVPN

apt update && apt upgrade
systemctl reboot
apt install openvpn easy-rsa

Public Key Infrastructure and Certificate Authorities

Create a Certificate Authority

make-cadir ca        # copies the easy-rsa 2.x scripts into ./ca
cd ca
nano vars            # replace the defaults below with your own values
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
ln -s openssl-1.0.0.cnf openssl.cnf   # vars expects an openssl.cnf in the CA directory
source vars
./clean-all          # wipes keys/; run this only once, at initial setup
./build-ca           # creates keys/ca.crt and keys/ca.key (the CA's private key: keep it off clients)

Generate Server and Client Certificates and Keys

./build-key-server server   # server certificate and key; answer "y" to the two signing prompts
./build-dh                  # Diffie-Hellman parameters, written as keys/dh${KEY_SIZE}.pem (dh2048.pem with the default vars)
Generate a client key (we'll name it client1 here) and, just like above, be careful to answer "y" to the last two questions to sign the certificate:
./build-key client1
This key will be imported to the phones/computers that we want to authorize to connect to the OpenVPN server. If you'll be generating multiple keys for multiple devices, choose descriptive names such as "iphone", "homepc" or "worklaptop" for easier administration later on, and give every device its own key pair rather than sharing one.
If you want to password-protect the key, generate it with the alternate command instead:
./build-key-pass client1
Copy only what the daemon needs into /etc/openvpn/. ca.key is deliberately not copied: the server only needs ca.crt to verify clients, and the CA key should stay out of the daemon's directory.
cp keys/server.crt /etc/openvpn/
cp keys/server.key /etc/openvpn/
cp keys/ca.crt /etc/openvpn/
cp keys/dh2048.pem /etc/openvpn/

Configure the OpenVPN Server

zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
nano /etc/openvpn/server.conf
Uncomment (remove the leading ";" from) the directives below. Each block shows the sample file's own comment, the line as shipped, and the line as it should read after editing.
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nogroup
user nobody
group nogroup
With redirect-gateway pushed, all client traffic, DNS included, leaves through the server; that is why the DNS push here and the NAT rules in the next section are needed. Dropping to nobody/nogroup relies on persist-key and persist-tun, which the sample file already enables, so the daemon does not need to reopen the key files or the tun device after it has given up root.
printf '\n# HMAC digest for packet authentication\nauth SHA256\n' >> /etc/openvpn/server.conf
openvpn --genkey --secret /etc/openvpn/ta.key
systemctl start openvpn@server
auth selects the digest used for OpenVPN's packet HMAC (the default is SHA1); the client profile must carry the same value. ta.key is the shared secret behind the sample file's tls-auth ta.key 0 line: it lets the server discard unauthenticated packets before the TLS handshake, and every client needs a copy (it is embedded in the client profile later on), so treat it as a secret.
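The edits above can be applied and checked without an editor. The script below is an added example, not part of the article; it takes the config path as an argument so it can be tried on a copy of the sample file first. It uncomments the same five directives, appends auth SHA256 once, and then checks that each directive the setup relies on is present uncommented and that every credential file the config names (ca, cert, key, dh, tls-auth) actually exists next to it, which is the usual reason a first systemctl start fails.

```shell
#!/bin/sh
# Apply the server.conf edits from the steps above without an editor, then
# check the result before starting the daemon. Added example, not the
# article's own commands; the file path is an argument so it can be tried on
# a copy of the sample config first.
set -eu

# configure_server_conf FILE: uncomment redirect-gateway, the two DNS pushes
# and the privilege drop; append the HMAC digest once if no "auth" line exists.
configure_server_conf() {
    conf=$1
    sed -i -E 's/^;(push "(redirect-gateway|dhcp-option DNS) |user nobody|group nogroup)/\1/' "$conf"
    grep -q '^auth ' "$conf" || printf '\n# HMAC digest for packet authentication\nauth SHA256\n' >> "$conf"
}

# check_server_conf FILE: return 0 only if every directive the setup relies on
# is present and uncommented, and every credential file it names exists.
check_server_conf() {
    conf=$1 rc=0
    # persist-key/persist-tun are required because after "user nobody" the
    # daemon can no longer reopen the key files or the tun device on restart.
    for d in 'push "redirect-gateway def1 bypass-dhcp"' 'push "dhcp-option DNS ' \
             'user nobody' 'group nogroup' 'persist-key' 'persist-tun' \
             'tls-auth ta.key 0' 'auth SHA256'; do
        grep -q "^$d" "$conf" || { echo "missing or commented: $d" >&2; rc=1; }
    done
    dir=$(dirname "$conf")
    for directive in ca cert key dh tls-auth; do
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        case $file in
            "") echo "$directive: not set" >&2; rc=1; continue ;;
            /*) path=$file ;;
            *)  path=$dir/$file ;;
        esac
        [ -f "$path" ] || { echo "$directive: $path not found" >&2; rc=1; }
    done
    return $rc
}

# Usage (as root):  ./check-server-conf.sh /etc/openvpn/server.conf
if [ -n "${1:-}" ]; then
    configure_server_conf "$1"
    check_server_conf "$1" && echo "$1 looks ready; start it with: systemctl start openvpn@server"
fi
```

A missing ta.key is reported by the file check, which is why the genkey step belongs before the first start; once the check passes, systemctl enable openvpn@server makes the instance come back after a reboot.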

Configure the Server to Route Our Internet Packets

echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/local.conf
sysctl --system
ip route   # note the interface on the "default via" line; replace eth0 below if yours differs
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -j ACCEPT   # broad: lets VPN clients reach every interface, and makes the next rule redundant; drop it if clients should only reach the internet via eth0
iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j REJECT
apt install iptables-persistent   # its installer offers to save the rules currently loaded, so run it after the rules above
The MASQUERADE rule rewrites client traffic to the server's address on its way out; without ip_forward=1 the kernel never forwards it at all. If INPUT has a default-deny policy, UDP 1194 must be allowed there too or clients will never connect.
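The same rules can be generated in the iptables-restore format that iptables-persistent loads from /etc/iptables/rules.v4, with the outbound interface read from the routing table rather than typed by hand. This is an added example, not the article's commands; the VPN subnet, tun device and port are the server.conf defaults and are assumptions, and the FORWARD chain gets a DROP policy in addition to the final REJECT as a belt-and-braces default.

```shell
#!/bin/sh
# Render the forwarding/NAT rules above in iptables-restore format, with the
# outbound interface taken from "ip route" instead of hard-coded. Added
# example, not the article's own commands; subnet, device and port are
# assumed to match the sample server.conf.
set -eu

VPN_NET=${VPN_NET:-10.8.0.0/24}
VPN_DEV=${VPN_DEV:-tun0}
VPN_PORT=${VPN_PORT:-1194}

# default_iface: read "ip route" output on stdin and print the device that
# carries the default route (the "eth0" of the article). Exit 1 if none.
default_iface() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); found = 1; exit } }
         END { exit found ? 0 : 1 }'
}

# render_rules WAN_IFACE: print a complete rules.v4 for iptables-restore.
render_rules() {
    wan=$1
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite VPN client traffic to the server's address as it leaves via the WAN
-A POSTROUTING -s $VPN_NET -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Let clients reach the daemon even if INPUT is later tightened
-A INPUT -p udp --dport $VPN_PORT -j ACCEPT
# Forward only the VPN subnet, arriving on the tun device, out to the WAN
-A FORWARD -i $VPN_DEV -o $wan -s $VPN_NET -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT
COMMIT
EOF
}

# install_rules: write the file iptables-persistent restores at boot, then
# load it now. Run as root with "apply" as the first argument.
install_rules() {
    wan=$(ip route | default_iface)
    render_rules "$wan" > /etc/iptables/rules.v4
    iptables-restore < /etc/iptables/rules.v4
}

if [ "${1:-}" = "apply" ]; then
    install_rules
fi
```

Without "apply" the script only defines the functions, so render_rules eth0 can be inspected before anything is loaded; iptables-restore replaces the whole ruleset atomically, which avoids the half-applied state that a sequence of iptables -A commands can leave behind if one of them fails.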

Generate Client Profiles (.ovpn Files)

mkdir clientprofiles
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf clientprofiles/client1.ovpn
nano clientprofiles/client1.ovpn
Point remote at the server's public address (203.0.113.2 here; a hostname works too):
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194
becomes
remote 203.0.113.2 1194
;remote my-server-2 1194
Comment out the file-based credential lines, since the CA certificate, the client certificate and key, and the tls-auth secret are embedded inline at the end of the profile instead:
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key
becomes
;ca ca.crt
;cert client.crt
;key client.key
The sample client.conf also contains a file-based tls-auth ta.key 1 line: comment it out as well and add key-direction 1, because an inline <tls-auth> block carries the key but not its direction, and the file-based line would point at a file the device does not have. Then append the HMAC digest (it must match the server) and embed the credentials:
printf '\n# HMAC digest for packet authentication; must match the server\nauth SHA256\n' >> clientprofiles/client1.ovpn
{
  echo "<key>";      cat keys/client1.key;    echo "</key>"
  echo "<cert>";     cat keys/client1.crt;    echo "</cert>"
  echo "<ca>";       cat keys/ca.crt;         echo "</ca>"
  echo "<tls-auth>"; cat /etc/openvpn/ta.key; echo "</tls-auth>"
} >> clientprofiles/client1.ovpn
The resulting .ovpn now holds the client's private key and the shared ta.key, so keep its permissions tight and move it to the device over a trusted channel, not by e-mail.
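The profile assembly above, including the tls-auth/key-direction fix and a check of the result, as a reusable script. This is an added example, not the article's own commands. It assumes the easy-rsa 2.x keys/ layout (ca.crt, NAME.crt, NAME.key), the server's ta.key, and a base config such as the sample client.conf; it strips every file-based credential, remote, auth and key-direction line from the base and writes its own, adds remote-cert-tls server if the base lacks it (the certificate from build-key-server carries the server EKU this requires, and it stops another client's certificate from impersonating the server), and the check refuses a profile that still references files the device will not have.

```shell
#!/bin/sh
# Build a self-contained .ovpn (credentials inlined) from a base client config
# and check it before handing it to a device. Added example, not the article's
# own commands; assumes easy-rsa 2's keys/ layout and the server's ta.key.
set -eu

# inline TAG FILE: emit FILE wrapped in <TAG>...</TAG>
inline() { printf '<%s>\n' "$1"; cat "$2"; printf '</%s>\n' "$1"; }

# build_profile BASE NAME SERVER KEYS_DIR TA_KEY OUT
build_profile() {
    base=$1 name=$2 server=$3 keys=$4 ta=$5 out=$6
    for f in "$base" "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key" "$ta"; do
        [ -r "$f" ] || { echo "build_profile: cannot read $f" >&2; return 1; }
    done
    {
        # Drop file-based credential lines, the sample remote lines and any
        # auth/key-direction setting; all of them are replaced below.
        grep -Ev '^[[:space:]]*;?(ca|cert|key|tls-auth|remote|auth|key-direction)[[:space:]]' "$base" || true
        printf 'remote %s 1194\n' "$server"
        # Only accept a server certificate with the server EKU (build-key-server sets it).
        grep -q '^remote-cert-tls server' "$base" || printf 'remote-cert-tls server\n'
        printf 'auth SHA256\n'        # must match the server's auth directive
        printf 'key-direction 1\n'    # inline <tls-auth> carries no direction; client side is 1
        inline ca "$keys/ca.crt"
        inline cert "$keys/$name.crt"
        inline key "$keys/$name.key"
        inline tls-auth "$ta"
    } > "$out"
    chmod 600 "$out"   # holds the private key and the shared ta.key
}

# check_profile FILE: return 0 only if the profile is complete and self-contained.
check_profile() {
    f=$1 rc=0
    for d in '^client$' '^remote [^ ]+ 1194$' '^key-direction 1$' '^auth SHA256$' '^remote-cert-tls server$'; do
        grep -Eq "$d" "$f" || { echo "missing: $d" >&2; rc=1; }
    done
    for tag in ca cert key tls-auth; do
        grep -q "^<$tag>\$" "$f" && grep -q "^</$tag>\$" "$f" || { echo "missing inline <$tag>" >&2; rc=1; }
    done
    # A leftover file reference fails on a device that only has the .ovpn.
    if grep -Eq '^(ca|cert|key|tls-auth)[[:space:]]' "$f"; then
        echo "profile still references credential files" >&2; rc=1
    fi
    return $rc
}

# Usage, from the easy-rsa directory (paths are the article's):
#   build_profile /usr/share/doc/openvpn/examples/sample-config-files/client.conf \
#       client1 203.0.113.2 keys /etc/openvpn/ta.key clientprofiles/client1.ovpn
#   check_profile clientprofiles/client1.ovpn
```

Because the base's remote lines are discarded, a second server is added by appending another remote line after building; everything else in the base (dev, proto, nobind, persist-*, verb) passes through unchanged.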

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com
