Configure Your OpenVPN Server
- First, update your system to the latest version.
sudo apt update && sudo apt upgrade -y
- Next, install OpenVPN and Easy-RSA. OpenVPN is a robust and highly flexible VPN software that uses all of the encryption, authentication, and certification features of the OpenSSL library to implement virtual private network (VPN) techniques. Easy-RSA is a small RSA key management package based on the openssl command line tool. We’ll use it to generate certificates and manage (private) keys.
sudo apt install openvpn easy-rsa -y
- We’ll now copy all VPN configuration files to “/etc/openvpn/”.
# Copy the sample configuration files of OpenVPN and easy-rsa to "/etc/openvpn"
sudo cp -r /usr/share/easy-rsa/ /etc/openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ && sudo gzip -d /etc/openvpn/server.conf.gz
- OpenVPN uses PKI (Public Key Infrastructure) for authentication. The client must authenticate the server certificate and the server must authenticate the client certificate before a connection can be established. In the following steps we’ll create 3 pairs of certificates and their associated keys. The first pair is for the server and the second pair is for the client. The last pair is the root certificate (also known as CA, or Certificate Authority), and its private key, which will be used to sign server and client certificates. You create the key-pairs using Easy-RSA:
cd /etc/openvpn/easy-rsa/ # At the command prompt, enter the following command su root # Notice the space between . and vars. . vars # Remove all certificates created previously. ./clean-all # Build the certificate authority (CA) certificate and key. # Pick a unique name as "Common Name". Other fields can be left blank. # To leave a field blank, enter "." ./build-ca # Generate a certificate and private key for the server. # Pick a unique "Common Name" such as "server". # Enter "." when prompted for a challenge password. ./build-key-server server # Build Diffie-Hellman parameters for the server. ./build-dh # create a HMAC firewall openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key # create a certificate for the client: 97228. # Pick a unique "Common Name" such as "97228". # Enter "." when prompted for a challenge password. ./build-key 97228 # Repeat the above command should you need to add more clients.
- Now we’ll transfer 3 files: ca.crt, 97228.crt, and 97228.key from the “/etc/openvpn/easy-rsa/keys/” directory on the server to the client. Create 3 text files on the client with the same names. On the server, use the “cat” command to display the contents of each file. Copy & paste the contents of each file to the corresponding file on the client.
- We’ll now edit the OpenVPN server configuration file located in: “/etc/openvpn/server.conf”.
# Edit the server configuration file.
sudo vim /etc/openvpn/server.conf
# Include the followings settings. # Which TCP/UDP port should OpenVPN listen on? port 443 # TCP or UDP server? proto tcp # Create a routed IP tunnel dev tun # Point to our ca, cert, key, and dh files. ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/server.crt key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret dh /etc/openvpn/easy-rsa/keys/dh2048.pem # Network topology topology subnet # Supply a VPN subnet for the server and clients server 10.8.0.0 255.255.255.0 # Assign the previously used IP address ifconfig-pool-persist ipp.txt # Redirect all IP traffic through the VPN push "redirect-gateway def1 bypass-dhcp" # The addresses below refer to the DNS servers from # Comodo DNS. Change to Google DNS should you prefer. push "dhcp-option DNS 220.127.116.11" push "dhcp-option DNS 18.104.22.168" # Allow multiple clients to share the same certificate/key files. duplicate-cn # create an "HMAC firewall" # The server and each client must have # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 key-direction 0 # The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. keepalive 10 120 # Select a cryptographic cipher. # This config item must be copied to # the client config file as well. cipher AES-256-CBC auth SHA256 # Enable compression comp-lzo # reduce the OpenVPN daemon's privileges after initialization. user nobody group nobody # The persist options persist-key persist-tun # Logging options status openvpn-status.log log-append /var/log/openvpn.log verb 3 # Add an extra username/password authentication for clients plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
- Next, we’ll create a user account for each client so we can authenticate each VPN client by username and password.
# Create a user account with no home directory and shell access. sudo useradd 97228 -M -s /bin/false sudo passwd 97228
- Next, we’ll make a few changes to finalize the setup: enable IP forwarding, automatically start the VPN service when the system boots, adjust the firewall settings to allow VPN traffic.
# Enable IP forwarding sudo vim /etc/sysctl.conf # Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1 # Save and apply changes. sudo sysctl -p /etc/sysctl.conf # forward traffic between VPN network and WAN sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE # make the iptables rules persistent between each reboot sudo apt install iptables-persistent # start the openvpn service and check errors in the status log sudo systemctl start openvpn@server sudo systemctl status openvpn@server
- (Optional) You can assign your VPN server a DigitalOcean floating IP. A floating IP is a static IP address you can re-map instantly to any VPS, or Droplet. This gives you two major benefits: redundancy, and an extra IP address which is useful when your original IP address is blocked by certain websites. Network traffic between a floating IP and a Droplet flows through the anchor IP that is aliased to a Droplet’s public network interface (
eth0). To make your VPN server accessible by its floating IP, make sure your VPN server is configured to listen on its anchor IP. To display your anchor IP, use the following command.
sudo ip addr show eth0
Next, update the VPN server configuration file to use the anchor IP. Adjust the firewall to allow traffic using the anchor IP.
sudo vim /etc/openvpn/server.conf # Add your anchor ip after 'local' like the following # Which local IP address should OpenVPN # listen on? (optional) local 10.10.0.5 # Adjust the firewall to make OpenVPN traffic go through the anchor IP. sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 10.10.0.5 sudo service netfilter-persistent save # Restart the OpenVPN service sudo systemctl start openvpn@server sudo systemctl status openvpn@server
Configure Your OpenVPN Client
Your VPN server should now be fully functional and ready to connect with a client (device). To connect a client to the server, first install the OpenVPN software on the client. Next, configure the client to communicate with your VPN server. For a mobile client, install the OpenVPN Connect App; for a desktop computer, download the Tunnelblick App.
Now I will show you how to set up a VPN client on a desktop computer using Tunnelblick.
First, create a folder to contain the configuration files. You can name this folder anything you like as long as it ends with .tblk (so Tunnelblick can access the configuration files). I named my folder NY-97228.tblk to remind me the folder contains the configuration files for VPN user: 97228. The “NY” prefix indicates the VPN server is located in New York.
Next, select the 3 files you transferred from the server to the client in step 5 and copy the files to your .tblk folder. Right click here and save my sample VPN configuration file (config.txt) to your .tblk folder.
Now, open config.txt in a text editor and replace: MY-SERVER-IP, CA-CERTIFICATE.crt, CLIENT-CERTIFICATE.crt, and CLIENT-KEY.key with your own settings by following the comments (lines with a “#” prefix) above each setting. Once you’ve done editing your file, rename it config.conf.
Here is what the sample “config.txt” looks like.
# Sample client-side OpenVPN configuration # Sample client-side OpenVPN configuration # Edit this file by following the instructions here: # https://vpntips.com/how-to-setup-a-vpn-server/ # Lines starting with ‘#’ or ‘;’ are comments # Specify that this is a client. client # Specify the interface to use. Use the same interface the server uses. ;dev tap dev tun # Choose a protocol: TCP or UDP. Use the same protocol the server uses. proto tcp ;proto udp # Specify the IP address (or fully qualified domain name) # and port of the server. remote VPN-SERVER-IP 443 # Keep resolving the host name of the server indefinitely. resolv-retry infinite # No need to bind to a specific local port number. nobind # Downgrade privileges after initialization (non-Windows only) user nobody group nobody # route everything over VPN" via the server redirect-gateway def1 # uses the subnet topology and that it should use the IP address and routing the VPN server provides topology subnet pull # Try to preserve some state across restarts. persist-key persist-tun cipher AES-256-CBC auth SHA256 key-direction 1 remote-cert-tls server # Authenticate client by username/password auth-user-pass # Enable compression on the VPN link. comp-lzo # Set log file verbosity. verb 3 # Specify the names of your CA certificate, client certificate, and client key. ca CA-CERTIFICATE.crt cert CLIENT-CERTIFICATE.crt key CLIENT-KEY.key tls-auth
Finally, you need to allow Tunnelblick to access the configuration files. To do this, drag your .tblk folder and drop it on the Tunnelblick icon in the menu bar, or on the list of configurations located in the Configurations tab of the VPN Details window.
That’s it! Now you’ve got your own VPN server. If you encounter any errors during the setup, please let me know in the comment section below.