How to configure OpenVPN on your VPS

Who should read this tutorial:

This tutorial is for novice Linux users and DevOps users who need to add encryption to their Internet traffic. A virtual private network (an encrypted tunnel carried over the public Internet) that gives you access to specific networks or services from outside is the solution.

What are we going to cover

  1. Walk through the installation of OpenVPN on Ubuntu 18.04
  2. How to install the OpenVPN client on a Windows workstation
  3. Generate a certificate and connect to the VPN server

Why would you do that?

The key advantage of a VPN is to access otherwise inaccessible resources from external networks while maintaining a minimum level of network security.

Adding an encrypted virtual private network connection to your infrastructure is usually a good idea if:

  • you are not sure about the security of the network you are connecting from (public wifi, anyone?)
  • the resources you want to use have no security of their own (such as network protocols that do not support strong encryption)
  • you need to reach resources protected by multiple layers of network security that should never be publicly exposed, such as systems holding payment card, health, or security data

My personal use case is to access my home security system (MotionEye) from my laptop or mobile device when I travel, so that I can keep an eye on my cats and my dogs and protect myself from porch pirates.


Prerequisites

We recommend:

  • starting with a clean VPS
  • at least 512 MB of RAM
  • 15 GB of available disk space
  • This tutorial is written for Ubuntu 18.04

Skills and tools

  • You need to know how to SSH in and find your way around the command line
  • an SSH client like PuTTY
  • an SFTP client like WinSCP
  • the ability to work with files and transfer them between machines

Step One – Make sure you are up to date

Log in to your VPS via SSH.

Update your package lists and upgrade so that everything is current. We install git because it's about 500% faster if we use the fantastic Angristan script.

$ sudo apt-get update && sudo apt-get upgrade

$ sudo apt-get install git

Do you know your public IP address, and your private IP address if you are behind a NAT device (like a router)?

Get the IP of your server

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.166  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::216:3cff:fe43:ba41  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3c:43:ba:41  txqueuelen 1000  (Ethernet)
        RX packets 11672693  bytes 1049010192 (1.0 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 347581  bytes 57193541 (57.1 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0


If you are behind a device such as a firewall or a router, I visit http://www.whatismyip.com to find my public IP address, because it is easier than logging into the router.

Write down these IP addresses in your notebook. You might need them later.

The actual installation starts here

The process with the openvpn-install.sh script is extremely simple. We are going to clone the script from GitHub, go into the directory that was created, make sure the script is executable, then run it (as root or with sudo!). This launches the installation dialog and off you go.

$ cd ~
$ git clone https://github.com/angristan/openvpn-install openvpn-install
$ cd openvpn-install/
$ ls -l
$ chmod +x openvpn-install.sh
$ sudo ./openvpn-install.sh

Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I have to ask you a few questions before starting the setup.

You can leave the default options and simply press Enter if you agree with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening on.
Unless your server is behind NAT, it should be your public IPv4 address.

IP address: 192.168.1.111

Verifying IPv6 Connectivity ...

Your host does not seem to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n

Which port do you want OpenVPN to listen to?

        1) Default: 1194
        2) custom
        3) random [49152-65535]

Port selection [1-3]: 2

Custom port [1-65535]: 7777     # You may want 80 or 443 if your local network filters other ports

Which protocol do you want OpenVPN to use?

UDP is faster. Unless it is not available, you should not use TCP.

        1) UDP
        2) TCP

Protocol [1-2]: 1

Which DNS resolvers do you want to use with the VPN?

        1) Current system resolvers (from /etc/resolv.conf)
        2) Self-hosted DNS resolver (Unbound)
        3) Cloudflare (Anycast: worldwide)
        4) Quad9 (Anycast: worldwide)
        5) Quad9 uncensored (Anycast: worldwide)
        6) FDN (France)
        7) DNS.WATCH (Germany)
        8) OpenDNS (Anycast: worldwide)
        9) Google (Anycast: worldwide)
        10) Yandex Basic (Russia)
        11) AdGuard DNS (Russia)

DNS [1-10]: 9

Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.

Enable compression? [y/n]: n

Do you want to customize the encryption settings?

Unless you know what you are doing, you should stick to the default settings provided by the script.

Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's own defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption for more information.

Customize the encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to set up your OpenVPN server now.
You will be able to generate a client at the end of the installation.

Press any key to continue ...

Tell me a name for the client.
Use one word, no special characters.

Client name: chad

Do you want to protect the configuration file with a password?

(e.g. encrypt the private key with a password)
        1) Add a passwordless client
        2) Use a password for the client

Select an option [1-2]: 2

You will be asked for the client password below.

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g  2 Nov 2017
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/private/chad.key.hYBMPyHfHV'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'chad'
Certificate is to be certified until Apr  9 03:48:48 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated
Client chad added, the configuration file is available at /root/chad.ovpn.

Download the .ovpn file and import it into your OpenVPN client.

Check our work

I like to hit https://www.whatismyip.com while connected and see the VPN server's address in the returned page rather than the external IP address of my local network.

Then I like to visit https://speedtest.net and see what kind of throughput I get through the tunnel. I got 28.75 Mbps and 73.31 Mbps. Not bad at all!
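The two browser checks above confirm the tunnel is up; they do not confirm that the answers you gave the installer (port, protocol, no compression, password on the key) actually landed in the profile. The following POSIX shell audit is an added example, not part of the original tutorial or of the angristan script: it reads a client .ovpn profile and reports the remote endpoint, whether any compression directive is active (the VORACLE concern the installer mentions), whether the embedded private key is password-protected, and whether remote-cert-tls server is present. The sample profile, its address, port and key material are all constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit a client .ovpn profile written by the installer.
# Not part of the tutorial or the angristan script; function names are ours.

# Constructed sample profile in the shape the installer produces.
# The address, port and key material are made up.
SAMPLE_OVPN='client
proto udp
explicit-exit-notify
remote 203.0.113.10 7777
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
verb 3
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END ENCRYPTED PRIVATE KEY-----
</key>
'

# Print "host port proto" for the profile passed as a string
# (OpenVPN defaults apply when the port or proto line is absent: 1194, udp).
ovpn_remote() {
    printf '%s\n' "$1" | awk '
        $1 == "remote" { host = $2; port = ($3 != "" ? $3 : "1194") }
        $1 == "proto"  { proto = $2 }
        END { if (proto == "") proto = "udp"; print host, port, proto }'
}

# Print "enabled" if a compression directive is active, "disabled" otherwise.
# "compress" with no algorithm, "stub" or "stub-v2" only adds framing and
# does not compress, so it counts as disabled; "comp-lzo no" is also off.
ovpn_compression() {
    printf '%s\n' "$1" | awk '
        $1 == "comp-lzo" && $2 != "no" { on = 1 }
        $1 == "compress" && $2 != "" && $2 != "stub" && $2 != "stub-v2" { on = 1 }
        END { print (on ? "enabled" : "disabled") }'
}

# Print "encrypted", "plaintext" or "none" for the inline <key> block,
# based on the PEM markers OpenSSL writes for a passphrase-protected key.
ovpn_key_state() {
    printf '%s\n' "$1" | awk '
        /^<key>/   { inkey = 1; seen = 1; next }
        /^<\/key>/ { inkey = 0 }
        inkey && (/BEGIN ENCRYPTED PRIVATE KEY/ || /Proc-Type: 4,ENCRYPTED/) { enc = 1 }
        END { print (seen ? (enc ? "encrypted" : "plaintext") : "none") }'
}

# Run every check, print one line per finding, return the number of warnings.
ovpn_audit() {
    conf=$1
    warnings=0
    set -- $(ovpn_remote "$conf")
    printf 'remote: %s port %s over %s\n' "$1" "$2" "$3"
    if [ "$(ovpn_compression "$conf")" = "enabled" ]; then
        echo "WARN: compression is enabled (VORACLE); answer n at the compression prompt"
        warnings=$((warnings + 1))
    fi
    case "$(ovpn_key_state "$conf")" in
        plaintext) echo "WARN: embedded private key is not password-protected"
                   warnings=$((warnings + 1)) ;;
        none)      echo "note: no inline <key> block found" ;;
    esac
    if ! printf '%s\n' "$conf" | grep -q '^remote-cert-tls server'; then
        echo "WARN: remote-cert-tls server missing; client will not check the server certificate's role"
        warnings=$((warnings + 1))
    fi
    return "$warnings"
}

# On the server you would run: ovpn_audit "$(cat /root/chad.ovpn)"
ovpn_audit "$SAMPLE_OVPN"
```

The exit status is the warning count, so the function can gate a provisioning script: a profile with compression on, a plaintext key and no remote-cert-tls server returns 3, a clean one returns 0.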

User Management

To manage OpenVPN users on the system, simply run the installer again. It will detect that OpenVPN is already installed and give us 4 management options.

  1. Add a new user
  2. Revoke an existing user
  3. Delete OpenVPN
  4. Exit
$ sudo ./openvpn-install.sh
Looks like OpenVPN is already installed.

What do you want to do?
        1) Add a new user
        2) Revoke an existing user
        3) Remove OpenVPN
        4) Exit

Select an option [1-4]: 1

Tell me a name for the client certificate.
Please, use one word, no special characters.

Client name: chad

Using SSL: openssl OpenSSL 1.1.0g  2 Nov 2017
Generating a 2048 bit RSA private key
............+++
.........................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/chad.key.YjDIHqlesv'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows

commonName            :ASN.1 12:'chad'
Certificate is to be certified until Apr 22 02:45:13 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Client chad added, the configuration is available at: /root/chad.ovpn
root@ubuntu:~/openvpn-install#
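The installer's "Revoke an existing user" option works by marking the client's certificate as revoked in the Easy-RSA CA database and regenerating the CRL. To confirm that a revocation took, and to see which client certificates are still valid or about to expire, you can read that database directly. The POSIX shell functions below are an added example, not part of the tutorial or of the angristan script; they parse the tab-separated index.txt format that OpenSSL's CA tooling writes (status V/R/E, expiry as YYMMDDHHMMSSZ, revocation time, serial, filename, subject DN). The sample database, its serials, dates and names are constructed; on a real server the file is /etc/openvpn/easy-rsa/pki/index.txt.

```shell
#!/bin/sh
# Added example: list valid, revoked and soon-to-expire client certificates
# from an Easy-RSA index.txt. Not part of the tutorial or the angristan script.

# Constructed copy of an Easy-RSA CA database (tab-separated). Fields:
# status, expiry (YYMMDDHHMMSSZ), revocation time (empty if valid),
# serial, filename ("unknown"), subject DN. Serials, dates and names are made up.
SAMPLE_INDEX=$(
    printf 'V\t290422024513Z\t\t01\tunknown\t/CN=server_abc\n'
    printf 'V\t290422024513Z\t\t02\tunknown\t/CN=chad\n'
    printf 'R\t290501101500Z\t190601120000Z\t03\tunknown\t/CN=oldlaptop\n'
    printf 'V\t220409034848Z\t\t04\tunknown\t/CN=phone\n'
)

# Print "CN serial expiry" for every entry with the given status
# (V = valid, R = revoked, E = expired).
index_list() {
    printf '%s\n' "$1" | awk -F '\t' -v want="$2" '
        $1 == want {
            cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
            print cn, $4, $2
        }'
}

# Print the CN of every valid certificate expiring on or before the given
# YYMMDDHHMMSSZ cutoff (fixed-width timestamps, so string order is time order).
index_expiring_by() {
    printf '%s\n' "$1" | awk -F '\t' -v cutoff="$2" '
        $1 == "V" && $2 <= cutoff {
            cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn); print cn
        }'
}

# Print "valid=N revoked=M expired=K".
index_summary() {
    printf '%s\n' "$1" | awk -F '\t' '
        $1 == "V" { v++ }
        $1 == "R" { r++ }
        $1 == "E" { e++ }
        END { printf "valid=%d revoked=%d expired=%d\n", v, r, e }'
}

# On the server you would use: index_summary "$(cat /etc/openvpn/easy-rsa/pki/index.txt)"
echo "summary: $(index_summary "$SAMPLE_INDEX")"
echo "revoked:"; index_list "$SAMPLE_INDEX" R
echo "valid certificates expiring before 2023:"; index_expiring_by "$SAMPLE_INDEX" 230101000000Z
```

Note that the server's own certificate appears in the same database, so a summary of "valid" entries includes it; the installer names it with a server_ prefix, which makes it easy to exclude when you only want client counts.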

Open your SFTP client and transfer the username.ovpn profile from the server to the workstation where the OpenVPN client will be running.

Installing the client on a Windows 10 workstation

On the workstation, download the appropriate OpenVPN client from https://openvpn.net/community-downloads/

Assuming Windows 10, download and run the installer, then right-click the little monitor-with-a-lock icon in the system tray and import your chad.ovpn file. Then choose Chad > Connect and you should be ready to go. I like to hit https://whatismyip.com while connected and check that I show the IP address of the OpenVPN server I am connected to and not the public IP address of my local network.

Installing the OpenVPN Client on your iPhone

Get the OpenVPN Connect app from the App Store at https://itunes.apple.com/us/app/openvpn-connect/id590379981, then use a cloud file utility such as Google Drive to get the chad.ovpn file onto the phone, or do something really unsafe and send it by email …

References and other options

Alternatives to OpenVPN

About the author

Sean Richards, CISSP, is a 20-year-old Linux enthusiast and security practitioner. He loves family, animals, barbecue and cycling.
https://www.linkedin.com/in/seangrichards/
https://github.com/seangrichards/
https://twitter.com/seangrichards