5 minutes 964 Words
2017-01-27 00:00
OpenVPN Ubuntu Server
There are plenty of VPNs on the internet we can use to keep our anonymity and privacy: some are free, some are paid, and some free ones claim to be as good as the paid ones. Well... that's a discussion for another day. If you're like me and like to have your own things, here is how I managed to set up an OpenVPN server on an Ubuntu server VPS.
First things first!
I don't like having to write "sudo" at the beginning of each command I give to a Linux machine, especially on servers, where we are always working with files and directories that require root privileges. So just...
su root
But... isn't it dangerous? Well, it is exactly as dangerous as sudo if you don't know what you're doing.
And if there is someone reading this, I expect it to be either:
ME. Hello, future me reading this! Yes, I will use my own blog from time to time to remember some things I know I've already done but don't remember exactly how they're done.
Someone with at least some Linux knowledge.
Having said this, let's get back on track. If you don't like being logged in as root, just put sudo at the beginning of each command.
apt-get install openvpn easy-rsa
Copy easy-rsa to the OpenVPN directory
This guide uses easy-rsa 2.x, the version packaged on Ubuntu at the time (the build-ca, build-key-server and build-key scripts). easy-rsa 3 replaced those scripts with a single easyrsa command and a different directory layout, so the commands below will not work unchanged with it.
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
Optional step
The next step is not mandatory, but it makes the whole process faster and easier, sparing you from having to answer all the certificate questions every time you generate a new certificate.
Edit the vars file in /etc/openvpn/easy-rsa
and change the following defaults to your own values (the ones shown are placeholders):
export KEY_COUNTRY="COUNTRY"
export KEY_PROVINCE="PROVINCE"
export KEY_CITY="CITY"
export KEY_ORG="KEYORIGIN"
export KEY_EMAIL="[email protected]"
export KEY_OU="OFFICE"
export KEY_NAME="KEYNAME"
Generate server and client certificates
Yes, we want privacy. For privacy we need to encrypt our communications and have a safe way to authenticate to the server; otherwise everyone will be able to use it, and we don't want that to happen.
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
Run clean-all only this first time: it empties the keys directory, so running it again later would destroy your CA and every certificate you have issued.
Create CA certificate
./build-ca
answer the questions according to your needs
Server certificate and private key
./build-key-server myservername
Answer the questions and answer yes to the two yes/no questions (sign the certificate, then commit it to the CA database). The name you pass here is the file name you will get in the keys directory, so keep it consistent with the server.conf settings below.
Build Diffie-Hellman parameters
What the hell is Diffie-Hellman? Well... I will not explain it here, just Google it. This takes a while on a small VPS; the output file is named after KEY_SIZE in vars (dh2048.pem by default).
./build-dh
Create the OpenVPN ta.key (TLS-auth key)
This is a shared HMAC key that signs every TLS control-channel packet, so packets without the key are dropped before any TLS handshake starts. It protects the server from unauthenticated probes and DoS attempts on the OpenVPN port.
openvpn --genkey --secret keys/ta.key
(OpenVPN 2.5 and later use the syntax openvpn --genkey secret keys/ta.key instead.)
Copy the server certificates to /etc/openvpn
From /etc/openvpn/easy-rsa:
cd keys
cp myservername.crt myservername.key ca.crt dh2048.pem ta.key /etc/openvpn
Create client certificates
Check that you are in /etc/openvpn/easy-rsa; if not, cd into /etc/openvpn/easy-rsa
source vars
./build-key client1
Answer the questions and answer yes like for the previous certificates. Use a different name for each client (client1, client2, ...), so each one can be revoked separately later.
Copy ca.crt, client1.crt, client1.key and ta.key to the client machine
cd keys
mkdir clientcrts
cp ca.crt ta.key clientcrts && mv client1.crt client1.key clientcrts/
Move clientcrts to a location you can reach through scp
Example
Let's say that we are working as root and that your server does not allow SSH login as root. Move clientcrts to a place you can easily reach via ssh with the ssh user.
mv clientcrts /home/sshuser/ && chown -R sshuser:sshuser /home/sshuser/clientcrts
Copy the files from the server to your local machine.
scp -r sshuser@serveraddress:/path/to/clientcrts /Local/machine/Path
Once they are on the client, delete the copy from the sshuser home directory: client1.key is the client's private key and should only ever exist on the client (keep it chmod 600 there).
OpenVPN server setup
Copy the sample config file
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gzip -d server.conf.gz
Edit server.conf
port 1194
Or change it to whatever port you like; remember it for the firewall rule further down.
Point to the right cert paths
ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem
Uncomment the tls-auth line, so that
;tls-auth ta.key 0
becomes
tls-auth ta.key 0
Note: the 0 is the key direction. The server uses direction 0, so on the client you have to set key direction 1 (tls-auth ta.key 1, or key-direction 1 with the key inline).
Drop the OpenVPN process's privileges after startup: change
;user nobody
;group nogroup
to
user nobody
group nogroup
Leave persist-key and persist-tun enabled (they are in the sample config) so OpenVPN can restart the tunnel without needing root again.
Force all client traffic to be routed through our VPN server
push "redirect-gateway def1 bypass-dhcp"
This single push is enough: the client replaces its default route with the tunnel and keeps a host route to the VPN server's own public address, so no extra gateway option is needed.
Give DNS servers to the clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
NOTE
These are Google's DNS servers; you can change them to whatever DNS you want. Without this push, clients would keep using their local resolver and DNS queries would leak outside the tunnel. OpenVPN itself should be OK now, but there are more configs to be done for the VPN to work correctly.
Enable IP forwarding
Edit /etc/sysctl.conf
and uncomment
#net.ipv4.ip_forward=1
and then apply it with
sysctl -p /etc/sysctl.conf
Firewall
If you are using Ubuntu Server you will probably have ufw, which must be configured to forward and NAT the packets coming in from tun0 out through eth0; otherwise our clients won't be able to reach the internet. eth0 is the name of the interface with the default route; on many VPS images it is called ens3 or similar, so check with ip route show default and use that name in the rule.
Edit /etc/ufw/before.rules
After editing, the start of the file should look like this:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients (the subnet of the "server" line in server.conf) out through eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
...
NOTE: these lines need to be exactly like the example, and the NAT block must come at the beginning of before.rules, before the existing *filter section (around line 10). The subnet in the MASQUERADE rule must match the VPN subnet from server.conf: the sample config uses server 10.8.0.0 255.255.255.0, which is 10.8.0.0/24. Using 10.8.0.0/8 here would masquerade the whole 10.0.0.0/8 range, far more than the VPN.
Change Default Forward policy to ACCEPT
edit /etc/default/ufw
and change the following line to be like this.
DEFAULT_FORWARD_POLICY="ACCEPT"
Open the ufw ports to let users connect
ufw allow 1194/udp
(or whichever port you chose in server.conf)
Just in case, also add the following rules, so you don't lock yourself out when the firewall comes up:
ufw allow OpenSSH
ufw allow 22
(or your SSH port if you run SSH on a different one; one of these two is enough)
Then restart ufw so the new before.rules and the forward policy are loaded:
ufw disable
ufw enable
Now you should be good to go and browse the web with relative security, privacy, and anonymity.
systemctl start openvpn@server
if you want to enable the VPN at startup
systemctl enable openvpn@server
Hope you found this post useful. Have fun!