OpenVPN using VPS

Published 11/9/2015 08:35:05 AM  |  Last update 4/25/2019 11:01:11 PM
Tags: ssl, vpn, openvpn, vps

Virtual private network (VPN) extends a private network and the belonging resources across public networks like the Internet, allowing a host computer to send and receive data across shared or public networks as if it were a private network with all the functionality, security and management policies of the private network. This is done by establishing a virtual point-to-point connection using dedicated connections and/or encryption. OpenVPN, written by James Yonan, is an open source software application for implementation of VPN using a custom security protocol based SSL/TLS protocols, and is capable of traversing network address translators (NATs) and firewalls.

Implementation of OpenVPN using a virtual private server (VPS) is to extend the private network, from your local host as a client, to that remote server. In the following tutorial, I will show how to install OpenVPN on either a Yum Linux VPS or a Debian Linux VPS. I chose using Linux VPS because it is cheap; just $5 a year compared with $30/month of Windows VPS of the same configurations. If you prefer lightweight Linux distros then Debian is one of your choice.

  • The first step is to check whether the /dev/tun device is enable on your VPS. This can be done using the follwing commands:
    ls -al /dev/net/tun
    cat /dev/net/tun
    # If the device is enable then the results are as below,
    # crw------- 1 root 500 10, 200 Dec 18 19:58 /dev/net/tun
    # "File descriptor in bad state"
    You may contact your VPS provider to have the device enable if needed. In the rest of this tutorial, I will show the installation commands for both the Yum platforms, in the first block, and Debian platforms, in the second block in every step.
  • Make Linux' repos up-to-date then install OpenVPN
    ### Yum
    yum -y update
    yum -y install openvpn && yum -y install easy-rsa
    ### Debian
    apt-get update && apt-get install openvpn
    It is now good to go with the next steps for setting up point-to-point tunnel using OpenVPN which was installed as in the previous step. Assume that the remote server, which has the IP address x-xx-xxx-xxxx, is identified by "tinyray"; and your PC, the client, will be identified by "lnt".
  • Create a folder for keys and certificates. Copy openvpn keys and configuration samples there.
    ### Yum
    mkdir /etc/openvpn/sample && mkdir /etc/openvpn/easy-rsa
    cp -rp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
    cp -rp /usr/share/doc/openvpn-*/sample/sample-config-files/* /etc/openvpn/sample/
    ### Debian
    mkdir /etc/openvpn/easy-rsa
    cp -rp /usr/share/easy-rsa/* /etc/openvpn/easy-rsa
    cp -rp /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/sample
  • Customize the key configuration: the server information, key and certificate encryption methods.
    cd /etc/openvpn/easy-rsa/
    # remove previously created certificates and keys
    ./clean-all
    # enter the sub-shell
    sh vars
    # customize your openvpn
    vi vars
      # Make sure the following parameters are set; I choose encrypto key of size 2048
      # export KEY_SIZE=2048
      # export KEY_EMAIL="user@example.net"
      # export KEY_CN="tinyray"
      # export KEY_ALTNAMES="tinyray"
    
  • Commit the server information and encryption settings
    source ./vars
      # If problem then
         vi vi /etc/openvpn/easy-rsa/whichopensslcnf
      # add the following into if block 
         elif $OPENSSL version | grep -E "1\.1\.[[:digit:]][[:alnum:]]?" > /dev/null; then
              cnf="$1/openssl-1.0.0.cnf"
      # then start over from "cd /etc/openvpn/easy-rsa/"
  • Generate the Diffie-Hellman key for client-server communication
    ./build-dh
    You should have the DH key generated or else, please redo from "./clean-all".
  • Build the certificate authority
    ./build-ca
    # press ENTER at every prompt to use the default value, 
    # but where it asks for "Common Name", please enter "tinyray"
    # or whatever you choose for your server name.
    
  • Generate server key and certificate
    ./build-key-server tinyray
    # use the default values;
    # leave "A challenge password" and "An optional company name" blank
  • Generate client key and certificate
    ./build-key lnt
    # use the default values;
    # leave "A challenge password" and "An optional company name" blank
  • Copy server key, certificate and dh key to openvpn folder
    cd /etc/openvpn/easy-rsa/keys
    cp tinyray.key tinyray.crt ca.crt dh2048.pem /etc/openvpn/
    # please note that I choose encrypto key of size 2048
  • Making OpenVPN server config file using the sample
    cd /etc/openvpn/sample
    ### Debian— please additionally do the following job
    gunzip server.conf.gz
    vi server.conf
      # please change: server.crt &rarror; tinyray.crt, 
      # server.key &rarror; tinyray.key, dh1024.pem &rarror; dh2048.pem; 
      # set max-clients to a reason number of users
      # copy the server config file to openvpn folder
    cp ./server.conf /etc/openvpn/
  • Making OpenVPN client config file using the sample
    cd /etc/openvpn/sample
    vi client.conf
    # change my-server-1 to x.xx.xxx.xxxx (the IP address of your VPS) 
    # change "client.crt" to "lnt.crt", "client.key" to "lnt.key"
  • Export the four OpenVPN client files to /root which are then downloaded to client
    cd /etc/openvpn/easy-rsa/keys/
    cp lnt.key lnt.crt ca.crt /root
    cd ../..
    openvpn --genkey --secret ta.key
    cp ta.key /root
    cp sample/client.conf /root/client.ovpn
    ### Yum: Start OpenVPN service chkconfig --add openvpn && chkconfig openvpn on /etc/init.d/openvpn start # check if the service runs: ps -aux | grep openvpn
    
  • At this point, you have successfully set up the tunnel between client and server. This tunnel however does not support internet connection through the server. To make this possible, you need to set up NAT (Network Address Translation) routing on the server (the remote host).
    # /etc/openvpn/server.conf; update with the following
    push "redirect-gateway"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    #/etc/sysctl.conf
    net.ipv4.ip_forward=1
    # Issue the following command to support the above setting
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Issue the following commands to configure iptables # to properly forward traffic through the VPN
    # Note: this step may be skipped by a system rebooting
    # after having the following settings applied.
    
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source x.xx.xxx.xxxx
    iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
    # Copy these setting to "/etc/rc.local". Make sure this file exists on the system, otherwise need to make it following how to add "/etc/rc.local". Once ready: vi /etc/rc.local, looks like the following:
    #!/bin/sh -e
    #
    # [...]
    #
    
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source x.xx.xxx.xxxx
    iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
    
    exit 0
    then: REBOOT
  • The final step is to install OpenVPN client software on the client. The software is downloadable by clicking here.
  • Running OpenVPN client the first time: Assume that the four exported OpenVPN client files were downloaded to the local folder 'd:/openvpn', run the OpenVPN client program,
    1. Select "Connection profiles",
    2. Select "Local file",
    3. Browse for "client.ovpn" in "d:/openvpn". The VPN connection will be then shown in the list of OpenVPN client programs, just click it and enjoy.

To make sure that you get OpenVPN work properly, just visit this website. If the input box shows the IP address of your VPS then you are done!.

 

© 2024 blog.tinyray.com  by tinyray