There are plenty of VPN’s over the internet we can use to keep our anonymity and privacy on the internet, some are free, some paid, and some free that claims to be as good as the paid ones, well … that’s a discussion for another day. If you’re like me and like to have your own things, here is how I managed to setup an OpenVPN server in an Ubuntu server VPS.

First things first!

I don’t like to have to write “sudo” at the beginning of each command I give to a Linux machine. Especially when it comes to servers where we have to be always using files and directories that require root privileges. SO just…

su root

But … Isn’t it dangerous? well.. it is as dangerous as sudo if you don’t know what you’re doing.
And if there’s someone reading this, I expect it to be

  1. ME, HELLO FUTURE ME READING THIS!!! Yes, I will use my own blog from time to tome to remember some things I know I’ve already done but I don’t remember exactly how they’re done.

  2. Someone with at least some Linux knowledge.
    Having this said, let’s get back to the track, and if you don’t like to be logged in as root, then just use sudo at the beginning of each line.

    apt-get install openvpn easy-rsa

Copy Easy-Rsa to OpenVpn directory

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

Optional Step

The next step not mandatory, however it can make the whole process faster and easier, sparing you from having to answer all the certificate questions everytime you generate a new certificate

Edit vars file in /etc/openvpn/easy-rsa and change

export KEY_COUNTRY="COUNTRY"
export KEY_PROVINCE="PROVINCE"
export KEY_CITY="CITY"
export KEY_ORG="KEYORIGIN"
export KEY_EMAIL="[email protected]"
export KEY_OU="OFFICE"
export KEY_NAME="KEYNAME"

Generate Server and Client certificates

Yes, we want privacy, for privacy we need to encrypt our communications and have a safe way to authenticate in the server, otherwise, everyone will be able to use it, we don’t what that to happen.

cd /etc/openvpn/easy-rsa/
source vars
./clean-all

Create CA certificate

./build-ca

answer the questions according to your needs

Server Private Key

./build-key-server servername

Answer the questions and answer yes to the two yes or no questions.

Build Diffie Hellman

What the hell is Diffie Hellman? Well… I will not explain it here, just Google It.

./build-dh

Create openvpn ta.key for ssl connection

openvpn --genkey secret keys/ta.key

Copy Certificates to “etc/openvpn”

cd keys
cp myservername.crt myservername.key ca.crt dh2048.pem ta.key /etc/openvpn

Create client Certificates

Check if you are into /etc/openvpn/easy-rsa if not, cd into /etc/openvpn/easy-rsa

source vars
./build-key client1

answer the questions and answer yes like previous certs

Copy ca.crt client.crt client.key and ta.key to client machine

mkdir clientcrts
cp ca.crt ta.key clientcrts && mv client.crt client.key clientcrts/

Move clientcrts to a location where you can reach through scp

Example

let’s say that we are with root user and that your server does not allow you to do SSH login with root user. move clientcrts to a place where you can easily reach via ssh with the ssh user.

mv clientcrts /home/sshuser/ && chown -R sshuser:sshuser /home/sshuser/clientcrts

Copy the files from the server to a local machine.

scp -r sshuser@serveraddress:/path/to/cliencrts /Local/machine/Path

OpenVPN server setup

Copy sample config file

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gzip -d server.conf.gz

Edit server.conf

port 1194

Or you can change it to whatever you like.

Point to the right cert paths

ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem

Uncoment

#tls-auth ta.key 0

obs: the 0 means the key direction is 0, it means in the client u have to set up key direction 1.

Drop openvpn user pervileges and change

;user nobody
;group nogroup

to

user nobody
group nogroup

Force clients traffic to be forwarded trough our vpn server

push "redirect-gateway def1 bypass-dhcp"
push "remote-gateway SERVER IP ADDRESS"

Give DNS to clients

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

NOTE

these are google DNS servers if you like, you can change it to whatever DNS you want. OpenVPN should be OK now, but there are more configs that need to be done. in order to VPN work correctly.

Enable Ip forwarding

edit /etc/sysctl.d/sysctl.conf and uncoment

#net.ipv4.ip_forward=1

and then do

sysctl -p /etc/sysctl.conf

Firewall

If you are using ubuntu server, probably you will have ufw, which must be configured to forward all packets from tun0 to eth0, otherwise our clients wont be able to reach the internet.

edit /etc/ufw/before.rules after editing the file it should look like this:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
\*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
\*filter
...

NOTE: this lines need to be like this example. the rules must be in the begining of the before.rules file. (arround line 10)

Change Default Forward policy to ACCEPT

edit /etc/default/ufw and change the following line to be like this.

DEFAULT_FORWARD_POLICY="ACCEPT"

Open UFW ports to allow trafic and users to connect

ufw allow 1194/udp (or another port if you are using a custom port)

Just in case, Add the following rules also.

ufw allow OpenSSH ( not mandatory but, just in case )
ufw allow 22 ( or your ssh port if have ssh in a different port)
ufw disable
ufw enable

Now you should be good to go and browse the web without with relative security, privacy, and anonymity.

systemctl start openvpn@server

if you want to enable the VPN at startup

systemctl enable openvpn@server

Hope you found this post usefull. Have fun!