Who should read this tutorial:
This tutorial is for novice Linux users and DevOps users who need to add encryption to their Internet traffic. A virtual private network (an encrypted network tunnelled over the public Internet) that allows access to specific networks or services from outside is the solution.
What we are going to cover
- Walk through the installation of OpenVPN on Ubuntu 18.04
- How to install the OpenVPN client on a Windows workstation
- Generate a certificate and connect to the VPN server
Why would you do that?
The key advantage of a VPN is being able to reach otherwise inaccessible resources from external networks while maintaining a minimum level of network security.
Adding an encrypted virtual private network connection to your infrastructure is usually a good idea if:
- you are not sure of the security of the network you are connecting from (public wifi, anyone?)
- the resources you want to use have no intrinsic security (such as network protocols that do not support strong encryption)
- you need to access resources protected by multiple levels of network security that should never be publicly reachable, such as systems that hold payment card, health, or security data.
My personal use case is to access my home security system (MotionEye) from my laptop or mobile device when I travel, so that I can keep an eye on my cats and dogs and protect myself from porch pirates.
Requirements
- Start with a clean VPS
- At least 512 MB of RAM
- 15 GB of available disk space
- This tutorial is written for Ubuntu 18.04
Skills and tools
- You need to know how to SSH in and get around on the command line
- An SSH client like PuTTY
- An SFTP client like WinSCP
- The ability to work with files and transfer files
Step One – Make sure you are up to date
Log in to your VPS via SSH
Refresh your package lists and upgrade so that the system is up to date. We also install git because the whole thing is about 500% faster if we use the fantastic Angristan script. Note the double ampersand: a single & would background the update and start the upgrade before it finishes.
$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install git
Do you know your public IP address, and your private IP address if you are behind a NAT device (like a router)?
Get the IP of your server:
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.166  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::216:3cff:fe43:ba41  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3c:43:ba:41  txqueuelen 1000  (Ethernet)
        RX packets 11672693  bytes 1049010192 (1.0 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 347581  bytes 57193541 (57.1 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
If you are behind a device such as a firewall or a router, I visit http://www.whatismyip.com to find my public IP address, because it is easier than logging into the router.
Write down these IP addresses in your notebook. You might need them later.
The actual installation starts here
The process with the openvpn-install.sh script is extremely simple. We clone the script from GitHub, change into the directory that was created, make sure the script is executable, and then run it as root or with sudo. This launches the installation dialogs and off it goes.
$ cd ~
$ git clone https://github.com/angristan/openvpn-install openvpn-install
$ cd openvpn-install/
$ ls -l
$ chmod +x openvpn-install.sh
$ ./openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install

I have to ask you a few questions before starting the setup.
You can leave the default options and simply press Enter if you agree with them.

I need to know the IPv4 address of the network interface that you want OpenVPN to listen to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 192.168.1.111

Checking for IPv6 connectivity...
Your host does not seem to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: n

Which port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 2
Custom port [1-65535]: 7777   # You may want 80 or 443 if your local network is filtering things

Which protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you should not use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 1

Which DNS resolvers do you want to use with the VPN?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Russia)
DNS [1-10]: 9

Do you want to use compression? It is not recommended because the VORACLE attack makes use of it.
Enable compression? [y/n]: n

Do you want to customize the encryption settings?
Unless you know what you are doing, you should stick to the default settings provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike the default values of OpenVPN)
See https://github.com/angristan/openvpn-install#security-and-encryption for more information.
Customize the encryption settings? [y/n]: n

Ok, that was all I needed. We are ready to configure your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...

Tell me a name for the client.
Use one word, no special characters.
Client name: chad

Do you want to protect the configuration file with a password?
(for example, encrypting the private key with a password)
   1) Add a client without a password
   2) Use a password for the client
Select an option [1-2]: 2
You will be asked for the client password below
Note: Using the Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g  2 Nov 2017
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/private/chad.key.hYBMPyHfHV'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'chad'
Certificate is to be certified until Apr  9 03:48:48 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated

Client chad added, the configuration file is available at /root/chad.ovpn.
Download the .ovpn file and import it into your OpenVPN client.
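Before importing the profile, it is worth checking that it actually carries the hardening choices made in the dialog above (compression off because of VORACLE, a control-channel key, a modern cipher, server certificate verification, and a passphrase-protected private key). The checker below is an added example, not part of the original post or of the Angristan script; the sample profile it audits is constructed, with abbreviated placeholder key bodies.

```python
import re

# Constructed sample of a script-generated client profile; key and static-key
# bodies are abbreviated placeholders, not real key material.
SAMPLE_OVPN = """\
client
proto udp
remote 203.0.113.10 7777
remote-cert-tls server
cipher AES-128-GCM
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIF...
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
abcd...
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# Legacy ciphers the script does not offer but older profiles may still carry.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def audit_profile(text):
    """Return a list of findings; an empty list means the profile passes."""
    # Inline <tag>...</tag> blocks hold certificates and keys; the rest are directives.
    blocks = dict(re.findall(r"<([\w-]+)>(.*?)</\1>", text, flags=re.S))
    body = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)
    directives = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
    findings = []
    if "comp-lzo" in directives or "compress" in directives:
        findings.append("compression enabled: traffic exposed to VORACLE")
    if not {"tls-crypt", "tls-auth"} & (set(blocks) | set(directives)):
        findings.append("no tls-crypt/tls-auth key: control channel unprotected")
    if directives.get("remote-cert-tls") != "server":
        findings.append("missing 'remote-cert-tls server': server certificate role not verified")
    cipher = directives.get("cipher", "").upper()
    if not cipher or cipher in WEAK_CIPHERS:
        findings.append("data-channel cipher missing or weak (OpenVPN 2.4 defaults to BF-CBC)")
    if "ENCRYPTED" not in blocks.get("key", ""):
        findings.append("private key is not passphrase-protected")
    return findings
```

Run audit_profile() on the contents of your own chad.ovpn; a profile generated with the answers shown above should come back with no findings.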
Checking our work
I like to hit https://www.whatismyip.com while I am connected and see the remote network's address in the returned page rather than the external IP address of my local network.
Then I like to visit https://speedtest.net and see what kind of throughput I get through the tunnel. I got 28.75 Mbps and 73.31 Mbps. Not bad at all!
To manage OpenVPN users on the system, simply run the installer again. It detects that OpenVPN is already installed and gives us 4 management options:
- Add a new user
- Revoke an existing user
- Remove OpenVPN
- Exit
$ ./openvpn-install.sh
Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]: 1

Tell me a name for the client certificate.
Please, use one word, no special characters.
Client name: chad
Using SSL: openssl OpenSSL 1.1.0g  2 Nov 2017
Generating a 2048-bit RSA private key
............+++
.........................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/chad.key.YjDIHqlesv'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'chad'
Certificate is to be certified until Apr 22 02:45:13 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

Client chad added, the configuration file is available at: /root/chad.ovpn
root@ubuntu:~/openvpn-install#
Open your SFTP client and transfer the username.ovpn profile file to the workstation where the OpenVPN client will be running.
Installing the client on a Windows 10 workstation
On the workstation, download the appropriate OpenVPN client from https://openvpn.net/community-downloads/
Assuming Windows 10, download and run the installer, then right-click the little monitor with a lock on it in the system tray and import your chad.ovpn file. Then choose chad > Connect and you should be ready to go. I like to hit https://whatismyip.com while I am connected and check that I show the IP address of the OpenVPN server I am connected to and not the public IP address of my local network.
Installing the OpenVPN Client on your iPhone
Get the OpenVPN Connect app from the App Store at https://itunes.apple.com/us/app/openvpn-connect/id590379981, then use a cloud file utility such as Google Drive to get the chad.ovpn file onto the phone, or do something really unsafe and send it by email …
References and other options
Alternatives to OpenVPN
About the author
Sean Richards, CISSP, is a 20-year Linux enthusiast and security practitioner. He loves family, animals, barbecue and cycling.