There are plenty of VPNs on the internet we can use to keep our anonymity and privacy: some free, some paid, and some free ones that claim to be as good as the paid ones. Well... that's a discussion for another day. If you're like me and like to have your own things, here is how I managed to set up an OpenVPN server on an Ubuntu server VPS.
First things first!
I don't like having to write "sudo" at the beginning of every command I give a Linux machine, especially on servers, where we are always working with files and directories that require root privileges. So just...
But... isn't that dangerous? Well, it is exactly as dangerous as sudo if you don't know what you're doing.
And if there's someone reading this, I expect it to be
1 - ME. HELLO FUTURE ME READING THIS!!! Yes, I will use my own blog from time to time to remember things I know I've already done but don't remember exactly how.
2 - Someone with at least some Linux knowledge.
Having said that, let's get back on track. If you don't like being logged in as root, just put sudo at the beginning of each command.
apt-get install openvpn easy-rsa
Copy Easy-RSA to the OpenVPN directory
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
Note: the commands in this post are for easy-rsa 2.x, the version that ships the vars, clean-all and build-* scripts. Newer Ubuntu releases package easy-rsa 3, which replaces them with a single easyrsa script and different subcommands, so check which one you got before going on.
Optional step
The next step is not mandatory, but it makes the whole process faster and easier, sparing you from answering all the certificate questions every time you generate a new certificate. (The build-* scripts used below are interactive front-ends to pkitool; once vars is filled in, ./pkitool --initca, ./pkitool --server myservername and ./pkitool client1 create the same files without asking anything.)
Edit the vars file in /etc/openvpn/easy-rsa and change
export KEY_COUNTRY="COUNTRY"
export KEY_PROVINCE="PROVINCE"
export KEY_CITY="CITY"
export KEY_ORG="ORGANIZATION"
export KEY_EMAIL="EMAIL@SOMETHING.COM"
export KEY_OU="OFFICE"
export KEY_NAME="KEYNAME"
Generate server and client certificates
Yes, we want privacy. For privacy we need to encrypt our communications and have a safe way to authenticate to the server; otherwise everyone will be able to use it, and we don't want that to happen.
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
Careful: clean-all wipes the keys/ directory. Run it once, now, when creating the CA, and never again when you come back later to add clients, or you will throw away the CA and every certificate it signed.
Create the CA certificate
./build-ca
Answer the questions according to your needs (the defaults come from vars).
Server certificate and private key
./build-key-server myservername
Answer the questions and answer yes to the two yes/no questions (sign the certificate, commit it to the CA database). Use build-key-server here, not build-key: it adds the server extensions to the certificate, which is what lets clients verify they are talking to the real server and not to someone holding another client's certificate (remote-cert-tls server on the client side).
Build Diffie-Hellman parameters
./build-dh
What the hell is Diffie-Hellman? Well... I will not explain it here, just Google it. The short version: this generates keys/dh2048.pem, the group parameters OpenVPN uses for the ephemeral key exchange inside the TLS handshake, so that a captured session cannot be decrypted later even if the server key leaks. Generating 2048-bit parameters takes a few minutes, that's normal.
Create the OpenVPN ta.key for tls-auth
openvpn --genkey secret keys/ta.key
ta.key is a pre-shared HMAC key, not a certificate. With tls-auth enabled, every control-channel packet has to carry a valid HMAC, so anyone who doesn't have the key can't even start a TLS handshake with the server: port scanners see nothing and bugs in the TLS stack are unreachable before authentication. On OpenVPN 2.4 and older the syntax is openvpn --genkey --secret keys/ta.key.
Copy the certificates to /etc/openvpn
cd keys
cp myservername.crt myservername.key ca.crt dh2048.pem ta.key /etc/openvpn
Only the server's own files go there. ca.key stays in the easy-rsa keys/ directory (ideally it would not live on the VPN server at all): whoever holds it can mint certificates that your server will accept.
Create client certificates
Check that you are in /etc/openvpn/easy-rsa; if not, cd into /etc/openvpn/easy-rsa (and do not run clean-all again).
source vars
./build-key client1
Answer the questions and answer yes like for the previous certs. Make one certificate per client or device: OpenVPN refuses two simultaneous connections with the same certificate name unless you enable duplicate-cn, and a per-device certificate is the one you can revoke when that device is lost.
Copy ca.crt, client1.crt, client1.key and ta.key to the client machine
mkdir clientcrts
cp ca.crt ta.key clientcrts/
mv client1.crt client1.key clientcrts/
Move clientcrts to a location you can reach through scp
Example: let's say we are the root user and the server does not allow SSH login as root. Move clientcrts to a place the SSH user can read:
mv clientcrts /home/sshuser/ && chown -R sshuser:sshuser /home/sshuser/clientcrts
Copy the files from the server to your local machine.
scp -r sshuser@serveraddress:/path/to/clientcrts /Local/machine/Path
client1.key is the client's private key, so only ever move it over an authenticated channel like scp, and delete the copy in /home/sshuser/clientcrts once it has arrived.
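The post copies four files to the client but never shows the client-side config that uses them. As an added example (not part of the original post), the script below assembles them into a single client1.ovpn with the certificates and ta.key inline, using the file names from this post. The server address vpn.example.org is an assumption, and the demo at the bottom writes placeholder PEM files that are constructed for the run, not real keys. The config sets key-direction 1 to pair with the server's tls-auth ta.key 0, and remote-cert-tls server, which only works because the server certificate was made with build-key-server.

```shell
#!/bin/sh
# Added example: build a single-file client config from the clientcrts directory.
# Assumed names: ca.crt, ta.key, client1.crt, client1.key (from this post) and the
# server address vpn.example.org (an assumption used by the demo below).
set -e

# Print only the PEM block whose BEGIN/END marker ends with $2 (e.g. CERTIFICATE,
# "PRIVATE KEY", "OpenVPN Static key V1"). easy-rsa 2 writes a human-readable
# certificate dump above the PEM block; OpenVPN tolerates it, but the inline
# config is cleaner without it.
pem_block() {
    sed -n "/^-----BEGIN .*$2-----/,/^-----END .*$2-----/p" "$1"
}

# make_client_ovpn DIR SERVER [PORT] [CLIENTNAME]: print the client config.
# Returns 1 and prints nothing if any of the four input files is missing.
make_client_ovpn() {
    dir="$1"; server="$2"; port="${3:-1194}"; name="${4:-client1}"
    for f in ca.crt ta.key "$name.crt" "$name.key"; do
        if [ ! -r "$dir/$f" ]; then
            echo "make_client_ovpn: missing $dir/$f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a peer whose certificate carries the server extensions that
# build-key-server adds; a stolen client certificate cannot pose as the server.
remote-cert-tls server
# The server uses "tls-auth ta.key 0", so the client must use direction 1.
key-direction 1
verb 3
<ca>
$(pem_block "$dir/ca.crt" CERTIFICATE)
</ca>
<cert>
$(pem_block "$dir/$name.crt" CERTIFICATE)
</cert>
<key>
$(pem_block "$dir/$name.key" "PRIVATE KEY")
</key>
<tls-auth>
$(pem_block "$dir/ta.key" "OpenVPN Static key V1")
</tls-auth>
EOF
}

# --- demo on constructed placeholder files (not real certificates or keys) ---
fake_pem() {
    printf '%s\n' "-----BEGIN $1-----" "placeholder body, constructed for the demo" "-----END $1-----"
}
DEMO_DIR=$(mktemp -d)
{ echo 'Certificate:'; echo '    Data: (text dump that easy-rsa 2 prepends)'; fake_pem CERTIFICATE; } > "$DEMO_DIR/ca.crt"
{ echo 'Certificate:'; fake_pem CERTIFICATE; } > "$DEMO_DIR/client1.crt"
fake_pem 'PRIVATE KEY' > "$DEMO_DIR/client1.key"
{ echo '# 2048 bit OpenVPN static key'; fake_pem 'OpenVPN Static key V1'; } > "$DEMO_DIR/ta.key"
make_client_ovpn "$DEMO_DIR" vpn.example.org > "$DEMO_DIR/client1.ovpn"
# On the real client, with the real clientcrts directory:
#   sh make-ovpn.sh   (or call make_client_ovpn ./clientcrts your.server.addr > client1.ovpn)
#   openvpn --config client1.ovpn
```

One file per client keeps the key and its config together, which is easier to revoke and delete as a unit than four loose files; on Linux clients remember that pushed DNS servers only take effect if the client also has the update-resolv-conf hook configured.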
OpenVPN server setup
Copy the sample config file
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gzip -d server.conf.gz
Or rename it to whatever you like, just remember that the systemd unit name follows the file name: openvpn@server starts /etc/openvpn/server.conf, so a file called foo.conf would be started with openvpn@foo.
Point to the right cert paths
ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem
tls-auth ta.key 0
Obs: the tls-auth line must be uncommented, otherwise ta.key is never used. The 0 is the key direction; the client has to use the opposite one, tls-auth ta.key 1 (or key-direction 1 when the key is inlined in the client config).
Drop the OpenVPN process's privileges: change
;user nobody
;group nogroup
to
user nobody
group nogroup
Once the tunnel is up the daemon runs as nobody, so a bug in OpenVPN hands an attacker an unprivileged process instead of root. Keep persist-key and persist-tun (already enabled in the sample config) so it can restart the tunnel without needing root again to re-read the key.
Force clients' traffic through our VPN server
push "redirect-gateway def1 bypass-dhcp"
That single line is enough. def1 installs two /1 routes that win over the client's default route without deleting it, and OpenVPN itself adds a host route to the server's public address through the original gateway, so the tunnel never tries to route its own packets into itself. bypass-dhcp keeps the client's DHCP traffic on its local network. There is no remote-gateway option; the server address is already known from the client's remote line.
Give DNS to clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Obs: those are Google's public DNS servers; change them to whatever resolver you prefer, keeping in mind that the resolver sees every name your clients look up. Without this, clients keep using their local resolver and leak DNS queries outside the tunnel. Windows clients apply the pushed servers automatically; Linux clients only do so with the update-resolv-conf hook that the openvpn package ships. OpenVPN itself should be OK now, but there is more to configure before the VPN works correctly.
Enable IP forwarding
Edit /etc/sysctl.conf and uncomment
net.ipv4.ip_forward=1
and then apply it with
sysctl -p /etc/sysctl.conf
Check with sysctl net.ipv4.ip_forward, which should print 1; without it the kernel drops the clients' packets instead of forwarding them to the internet.
Firewall
If you are using Ubuntu server you probably have ufw, which must be configured to masquerade (NAT) the packets coming in from tun0 out of the public interface, otherwise our clients won't be able to reach the internet. The examples below use eth0; on current Ubuntu releases the interface is usually called something like ens3 or enp0s3, so check ip route show default and use the name it prints.
Edit /etc/ufw/before.rules; after editing, the top of the file should look like this:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
. . .
OBS: the lines need to look exactly like this and must sit at the beginning of before.rules (around line 10), before the *filter table. The subnet has to match the server line of server.conf: the sample config uses server 10.8.0.0 255.255.255.0, i.e. 10.8.0.0/24. A /8 mask would masquerade all of 10.0.0.0/8, far more than the VPN clients, so keep it at /24 unless you changed the server line.
Change the default forward policy to ACCEPT
Edit /etc/default/ufw and change the following line (it is DROP by default) to:
DEFAULT_FORWARD_POLICY="ACCEPT"
Open UFW ports to allow traffic and users to connect
ufw allow 1194/udp (or another port if you are using a custom port)
Just in case, add the following rules as well, before enabling ufw, or the next thing you lose is your SSH session.
ufw allow OpenSSH (not mandatory but, just in case)
ufw allow 22 (or your SSH port if SSH runs on a different one)
ufw disable
ufw enable
The disable/enable pair is what makes ufw re-read before.rules and the forward policy; ufw reload does the same without the brief window with no firewall.
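The three forwarding changes above (sysctl, before.rules, DEFAULT_FORWARD_POLICY) are the ones people get wrong on a second pass, typically by pasting the NAT block twice or leaving the sysctl line commented. The script below, an added example and not part of the original post, applies each change idempotently and offers read-only checks to confirm the state. Every function takes the file path as an argument, so the demo runs on constructed copies of the three files; the subnet 10.8.0.0/24 and interface eth0 are the values from this post, and the live paths appear in the comment at the end.

```shell
#!/bin/sh
# Added example: idempotent helpers for the forwarding/NAT setup described above.
# Functions take file paths as arguments so they can be run against copies; the
# demo at the bottom uses constructed sample files, not the live ones.
set -e

# Print the NAT block for a VPN subnet and an egress interface. The subnet must
# match the "server" line of server.conf (10.8.0.0/24 for the sample config).
ovpn_nat_rules() {
    printf '%s\n' \
        '# START OPENVPN RULES' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $1 -o $2 -j MASQUERADE" \
        'COMMIT' \
        '# END OPENVPN RULES'
}

# Insert the NAT block right before the *filter table of before.rules, unless it
# is already there (a second *nat table would make ufw fail to load). Refuses a
# file that has no *filter table rather than leaving it silently unchanged.
ensure_nat_rules() {
    file="$1"; subnet="$2"; iface="$3"
    grep -q '^# START OPENVPN RULES' "$file" && return 0
    grep -q '^\*filter$' "$file" || return 1
    inserted=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$inserted" -eq 0 ] && [ "$line" = '*filter' ]; then
            ovpn_nat_rules "$subnet" "$iface"
            inserted=1
        fi
        printf '%s\n' "$line"
    done < "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw: replace the existing
# line whatever its value, or append one if the file has none.
ensure_forward_policy() {
    file="$1"
    if grep -q '^DEFAULT_FORWARD_POLICY=' "$file"; then
        sed -i 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$file"
    else
        printf 'DEFAULT_FORWARD_POLICY="ACCEPT"\n' >> "$file"
    fi
}

# Uncomment (or add) net.ipv4.ip_forward=1 in sysctl.conf.
ensure_ip_forward() {
    file="$1"
    if grep -Eq '^#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$file"; then
        sed -E -i 's/^#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward=1/' "$file"
    else
        printf 'net.ipv4.ip_forward=1\n' >> "$file"
    fi
}

# Read-only checks, usable against the live files to confirm the state.
forward_policy_ok() { grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"$' "$1"; }
ip_forward_ok()     { grep -Eq '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1$' "$1"; }
nat_rule_ok() {  # FILE SUBNET IFACE: rule present and placed before the *filter table
    nat=$(grep -n -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE" "$1" | head -n1 | cut -d: -f1)
    flt=$(grep -n '^\*filter$' "$1" | head -n1 | cut -d: -f1)
    [ -n "$nat" ] && [ -n "$flt" ] && [ "$nat" -lt "$flt" ]
}

# --- demo on constructed copies of the three files (not the live ones) ---
DEMO=$(mktemp -d)
printf '%s\n' '# sysctl.conf (constructed sample)' '#net.ipv4.ip_forward=1' > "$DEMO/sysctl.conf"
printf '%s\n' 'IPV6=yes' 'DEFAULT_INPUT_POLICY="DROP"' 'DEFAULT_FORWARD_POLICY="DROP"' > "$DEMO/ufw"
printf '%s\n' '#' '# rules.before (constructed sample)' '#' '*filter' ':ufw-before-input - [0:0]' 'COMMIT' > "$DEMO/before.rules"
ensure_ip_forward     "$DEMO/sysctl.conf"
ensure_forward_policy "$DEMO/ufw"
ensure_nat_rules      "$DEMO/before.rules" 10.8.0.0/24 eth0
ensure_nat_rules      "$DEMO/before.rules" 10.8.0.0/24 eth0   # second run must be a no-op

# On the server, as root, the same calls against the live files, then reload:
#   ensure_ip_forward /etc/sysctl.conf && sysctl -p /etc/sysctl.conf
#   ensure_forward_policy /etc/default/ufw
#   ensure_nat_rules /etc/ufw/before.rules 10.8.0.0/24 "$(ip route show default | awk 'NR==1{print $5}')"
#   ufw allow 1194/udp && ufw reload
```

The checks are worth keeping around on their own: after any ufw or package upgrade, running them against the live files tells you in a second whether the NAT block survived and is still ahead of the *filter table.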
Start the server:
systemctl start openvpn@server
If you want the VPN to start at boot:
systemctl enable openvpn@server
Check it with systemctl status openvpn@server and ip addr show tun0 (journalctl -u openvpn@server has the details if it refuses to start; the usual culprits are a wrong file name in the ca/cert/key/dh lines or tls-auth enabled on one side only). Now you should be good to go and browse the web with relative security, privacy, and anonymity: relative, because from now on your VPS, not your home connection, is where the traffic comes from.
Hope you found this post useful. Have fun!