Set up OpenVPN server on Linux OS [Debian / Ubuntu]

OpenVPN is a free VPN server solution, i.e. if you have a dedicated server or VPS with root access you can install an OpenVPN server and use it to push your Internet traffic through. Your ISP's IP is then not used; you go out behind your server's IP and all traffic is encrypted. A very handy tool to bypass censorship or traffic shaping, plus to make your network secure.

Install OpenVPN



This installs OpenVPN from the Debian/Ubuntu package and creates a new system user/group called "openvpn". It's preferable to using "root" (a major security concern) or "nouser"/"nogroup" (insecure as well, but less so than "root").



Shell cut & paste:

apt-get install openvpn
adduser --system --no-create-home --group openvpn

Configure Easy-RSA



Easy-RSA is included with OpenVPN and makes the task of managing security certificates (CSRs, for granting user/client access to the OpenVPN server) easier.



Shell cut & paste:



mkdir /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
nano vars

You're now editing the /etc/openvpn/easy-rsa/vars file - scroll down until you see "export KEY_COUNTRY=" and edit accordingly, for example:



export KEY_COUNTRY="GB"
export KEY_PROVINCE="London"
export KEY_CITY="Hammersmith"
export KEY_ORG="My Company"
export KEY_EMAIL="[email protected]"

Exit by pressing CTRL+X and answer Y for "Yes, save".



Shell cut & paste (answer any questions with their default):



source ./vars
./clean-all
chmod 700 /etc/openvpn/easy-rsa/keys/
./build-ca
./build-dh

And in the following shell cut & paste, simply replace the domain name with what you'd like to use instead:

./build-key-server vpn.myserver.com

The above actions have created the following files:



dh:

/etc/openvpn/easy-rsa/keys/dh1024.pem



CA public certificate:

/etc/openvpn/easy-rsa/keys/ca.crt



RA Server certificate & key:

/etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt

/etc/openvpn/easy-rsa/keys/vpn.myserver.com.key



(where "vpn.myserver.com" is obviously replaced by the domain you've chosen).



From now on, if you want to add more domains (as in, more OpenVPN servers), simply use:



cd /etc/openvpn/easy-rsa
source ./vars
./build-key-server <server-domain>



OpenVPN Server Configuration





Here we assume that we call the server "ra-server" and the configuration's filename reflects that. Of course you can change this as you like, and OpenVPN supports multiple .conf files (let's keep it simple for now and stick to one).



nano /etc/openvpn/ra-server.conf



and replace any existing contents with the contents below, paying attention to modify whatever the comments (lines starting with a #) specify:



server 10.8.0.0 255.255.255.0
# YOUR LOCAL SERVER IP HERE:
local <server-ip>

dev tun
proto udp
comp-lzo

# THESE 2 LINES ARE HELPFUL FOR THOSE WITH MOBILE (3G / 3.5G) BROADBAND:
tun-mtu 1500
tun-mtu-extra 32

# ROUTE THE CLIENT'S INTERNET ACCESS THROUGH THIS SERVER:
push "redirect-gateway def1 bypass-dns"

keepalive 10 60

# build-dh CREATED dh1024.pem BECAUSE vars SETS KEY_SIZE=1024;
# SET KEY_SIZE=2048 IN vars BEFORE ./build-dh FOR STRONGER PARAMETERS:
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt

# ENSURE THE DOMAIN NAME/FILENAME IS CORRECT:
cert /etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt
key /etc/openvpn/easy-rsa/keys/vpn.myserver.com.key

# LEAVE THE FOLLOWING LINE COMMENTED FOR NOW:
# crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

user openvpn
group openvpn

persist-key
persist-tun



OpenVPN Client Configuration



The first step is to create a CSR on the server, or a "remote client access certificate". You do this with the following steps on the server:



cd /etc/openvpn/easy-rsa
source ./vars
./build-key-pkcs12 <client-name>

All you need to do is replace <client-name> with a memorable name (preferably without spaces), such as "john-laptop".



This will generate a file /etc/openvpn/easy-rsa/keys/<client-name>.p12, i.e. "john-laptop.p12", and this is what you will give to the remote VPN user/client (only this file - no other keys/certificates!).



Note: Giving it an "Export" password will cause the remote OpenVPN client to ask for this password (from the user). You can leave this blank if you wish, but you should obviously be aware that this means anyone could potentially use the certificate if it fell in the wrong hands.



Finally, configure IP forwarding and iptables for doing NAT on the server:

# ENABLE FORWARDING NOW (ADD net.ipv4.ip_forward=1 TO /etc/sysctl.conf SO IT SURVIVES A REBOOT):
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT THE VPN SUBNET OUT OF THE SERVER'S PUBLIC INTERFACE (CHANGE eth0 IF YOURS DIFFERS):
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

You can verify the rule was written correctly with:

iptables -L -t nat

If you made a mistake and want to remove all rules from the iptables NAT table:

iptables -F -t nat

Now restart OpenVPN on both client and server and you should be set.

/etc/init.d/openvpn restart

Now, the following OpenVPN client configuration, which is used to configure the remote user's client (thus don't do this on the server), is quite generic:



Use Notepad or any text editor to write this into the OpenVPN client config:



client
dev tun
proto udp

# THE IP OF THE REMOTE OPENVPN SERVER:
remote 91.12.34.56

# THE .p12 FILE CREATED ON THE SERVER WITH build-key-pkcs12:
pkcs12 <client-name>.p12

comp-lzo

However, where this configuration file is stored depends on the OS. For example, on Linux it's /etc/openvpn/<client-name>.vpn.myserver.com.conf and on Windows it's C:\Program Files\OpenVPN\config\<client-name>.vpn.myserver.com.ovpn.



Obviously you replace the <client-name> as well as the domain name with their actual values. And another note on the filename: you don't have to name these files as such, but I'm doing it here to help you (and the VPN user) keep tabs on what file belongs to what server & user, simply by looking at the filename.



Use scp on Linux or WinSCP on Windows to move the CSR file from the server to the client PC.



Right-click on the OpenVPN GUI and click Connect, and you have just gone off your ISP's IP; now all traffic is encrypted and tunneled between your server and you. Go to any site like whatismyip.com to check; it should show your server IP. Change your DNS to Google DNS or OpenDNS if you don't want to give HTTP info to your ISP's DNS servers.

It looks daunting but hardly takes 15 mins to do. If you have any questions feel free to ask here. There are still many tweaks to it, like how to stop DNS leakage plus IPv6 leakage, that I will come to later. Hope it helps.
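Added example (not part of the tutorial above, and not OpenVPN or Easy-RSA tooling): a small shell pre-flight lint you can run over an OpenVPN server .conf before starting the daemon. It flags the weak spots the configuration in the tutorial leaves open: a pasted-but-unedited placeholder, no unprivileged user/group, the 1024-bit DH parameters that build-dh produced, the still-commented crl-verify, no tls-auth/tls-crypt key on the control channel, no explicit cipher, and comp-lzo. The two sample configs it lints are constructed here (weak.conf is the tutorial's server config trimmed to the relevant lines; hardened.conf fixes each finding), and the tls-auth key path /etc/openvpn/ta.key is an assumption, generated with "openvpn --genkey --secret /etc/openvpn/ta.key" and copied to each client.

```shell
#!/bin/bash
# Added example, not from the tutorial: pre-flight lint for an OpenVPN server
# .conf, flagging the weak spots the tutorial's own configuration leaves open.
# Needs only sh, grep and sed; no root and no OpenVPN install required.

# has_directive FILE NAME: true if NAME is present as an active directive
# (leading whitespace allowed; lines starting with '#' or ';' are comments).
has_directive() { grep -q -E "^[[:space:]]*$2([[:space:]]|$)" "$1"; }

# directive_value FILE NAME: text after the first active NAME, or empty.
directive_value() { sed -n -E "s/^[[:space:]]*$2[[:space:]]+//p" "$1" | head -n 1; }

# dh_bits FILE: DH size taken from the dh file *name* (dh1024.pem -> 1024) so
# the check works before key material is deployed; 0 if undeterminable.
dh_bits() {
    local name
    name=$(directive_value "$1" dh); name=${name##*/}   # basename
    name=${name#dh}; name=${name%%.*}                    # strip prefix and extension
    case "$name" in ''|*[!0-9]*) echo 0 ;; *) echo "$name" ;; esac
}

# report MSG: print one finding for the file being linted and count it
# (findings and LINT_FILE are the caller's locals, visible by dynamic scoping).
report() { echo "$LINT_FILE: $1"; findings=$((findings + 1)); }

# lint_openvpn_conf FILE: findings on stdout, one per line; returns the count
# so a non-zero status can gate a deploy script.
lint_openvpn_conf() {
    local findings=0 LINT_FILE="$1" conf="$1" user group bits
    # 1. "<server-ip>"-style placeholders on non-comment lines: pasted, not edited.
    if grep -v -E '^[[:space:]]*(#|;|$)' "$conf" | grep -q -E '<[^>]+>'; then
        report "placeholder in angle brackets left unreplaced"
    fi
    # 2. Without user/group (or with root) the daemon keeps root after startup.
    user=$(directive_value "$conf" user); group=$(directive_value "$conf" group)
    if [ -z "$user" ] || [ "$user" = root ] || [ -z "$group" ] || [ "$group" = root ]; then
        report "no unprivileged user/group: daemon keeps root after startup"
    fi
    # 3. build-dh in the tutorial produced dh1024.pem; 2048 bits is the floor today.
    bits=$(dh_bits "$conf")
    if [ "$bits" -gt 0 ] && [ "$bits" -lt 2048 ]; then
        report "DH parameters are only $bits bits; regenerate with 2048 or more"
    fi
    # 4. Without crl-verify a revoked client .p12 still authenticates.
    has_directive "$conf" crl-verify ||
        report "no crl-verify: revoked client certificates are still accepted"
    # 5. tls-auth/tls-crypt make the server drop control packets without a valid
    #    HMAC before any TLS work, blunting DoS and probing of the UDP port.
    has_directive "$conf" tls-auth || has_directive "$conf" tls-crypt ||
        report "no tls-auth/tls-crypt key on the control channel"
    # 6. An implicit cipher means the daemon default (BF-CBC on OpenVPN 2.3 and older).
    has_directive "$conf" cipher || report "no explicit cipher directive"
    # 7. Current OpenVPN releases warn against compressing encrypted traffic.
    if has_directive "$conf" comp-lzo; then report "comp-lzo enabled"; fi
    return "$findings"
}

# write_sample_configs DIR: constructed samples. weak.conf is the tutorial's
# server config trimmed to the relevant lines (placeholder left in);
# hardened.conf fixes every finding. ta.key is an assumed file created with
# "openvpn --genkey --secret /etc/openvpn/ta.key" and copied to each client.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
# YOUR LOCAL SERVER IP HERE:
local <server-ip>
comp-lzo
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt
key /etc/openvpn/easy-rsa/keys/vpn.myserver.com.key
# crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
user openvpn
group openvpn
EOF
    cat > "$1/hardened.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
local 91.12.34.56
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt
key /etc/openvpn/easy-rsa/keys/vpn.myserver.com.key
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
user openvpn
group openvpn
EOF
}

# Demo: lint both samples; weak.conf yields six findings, hardened.conf none.
main() {
    local dir f
    dir=$(mktemp -d); write_sample_configs "$dir"
    for f in "$dir/weak.conf" "$dir/hardened.conf"; do
        if lint_openvpn_conf "$f"; then echo "$f: clean"; else echo "$f: $? finding(s)"; fi
    done
    rm -rf "$dir"
}
main "$@"
```

To use it on a real server, run lint_openvpn_conf /etc/openvpn/ra-server.conf and treat a non-zero exit as a reason not to start the daemon. The DH check reads the size from the file name only, so it stays honest to what build-dh wrote (dh1024.pem) without needing the key material present; once you have the file, openssl dhparam -in dh1024.pem -text -noout shows the real size.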
 

Sai

Good tutorial.