Step 1: Install OpenVPN

Let’s start by updating our apt cache and installing both openvpn and easy-rsa, which we’ll use to set up certificates.

Step 2: Set up the Certificate Authority

The OpenVPN server uses TLS certificates to authenticate the server and each client and to negotiate the per-session keys that actually encrypt the traffic. Thus, we need to set up a certificate authority (CA) on the VPS to issue and manage these certificates.

We can use the easy-rsa template by copying it to a new directory (the Ubuntu easy-rsa package ships make-cadir for exactly this), and then changing into that directory to do the configuration.

We need to edit some of the variables that help decide how to create the certificates. Use nano—or another favorite editor—to open the file. We’ll be editing some variables toward the end of the file.

Look for the section below. The easy-rsa template provides default values for these variables, but you should change them according to your needs. Make sure you also change the KEY_NAME variable. What you set them to matters less than not leaving them at the template defaults or blank, because these values are written into every certificate this CA issues.

After some tweaks:

Now, source the vars file you just edited. If there aren’t any errors, you’ll see the following output.

Now we can clean up the environment and then build up our CA.

A new RSA key will be created, and you’ll be asked to confirm the details you entered into the vars file earlier. Just hit Enter to confirm.

Step 3: Create the server public/private keys

Next up, you need to create the server certificate and key pair. When you run the command below you can change [server] to a name of your choice. You'll need to reference this name later. For the sake of this tutorial, we're going with vpnserver.

Note: When prompted for a challenge password, leave it blank and press Enter.

Finally, you'll be asked two questions about signing the certificate and committing it. Hit y and then Enter for both, and you'll be done.

Next, you need to build the Diffie-Hellman parameters. These are public group parameters used in the key exchange, not a key pair, and generating them can take several minutes.

Finally, generate a static HMAC key (ta.key) for tls-auth. This does not strengthen the certificate; it is a pre-shared key that the server and every client use to authenticate control-channel packets, so packets from anyone without the key are dropped before they reach the TLS stack. That blunts port scans, floods and attacks on the TLS implementation itself.

Step 4: Create the client public/private keys

This process will create a single client key and certificate. If you have multiple users, create one pair per user (or per device), so that a lost or compromised device can be revoked on its own without reissuing everyone else's credentials.

When running the below command, hit Enter to confirm the variables we set and then leave the password field blank.

If you want to create password-protected credentials, use build-key-pass instead:
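The whole easy-rsa procedure from Steps 2 to 4, as an added example script rather than the tutorial's own commands. It assumes Ubuntu's easy-rsa 2.x package (make-cadir, build-ca, build-key-server, build-dh, build-key), the CA directory ~/openvpn-ca, the server name vpnserver and a first client named client1; the vars_ok helper refuses to continue while any identity field still carries the template default, which is the mistake the text warns about.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands: Steps 2-4 (CA, server
# key pair, DH parameters, tls-auth key, one client) run non-interactively
# with easy-rsa 2.x. Assumptions: Ubuntu/Debian packages, the CA directory
# ~/openvpn-ca, server name "vpnserver", first client "client1".
set -e

# get_var FILE NAME: value of the `export NAME="..."` line in a vars file.
get_var() {
    sed -n "s/^export $2=\"\(.*\)\"\$/\1/p" "$1"
}

# set_var FILE NAME VALUE: rewrite that line (portable, no sed -i).
set_var() {
    sed "s|^export $2=.*|export $2=\"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# vars_ok FILE: fail if any identity field is blank or still the template
# default. These defaults are what ships in Ubuntu's easy-rsa 2.2 vars file;
# leaving them means every certificate you issue is labelled "Fort-Funston".
vars_ok() {
    rc=0
    for pair in KEY_COUNTRY=US KEY_PROVINCE=CA KEY_CITY=SanFrancisco \
                KEY_ORG=Fort-Funston KEY_EMAIL=me@myhost.mydomain \
                KEY_OU=MyOrganizationalUnit KEY_NAME=EasyRSA; do
        name=${pair%%=*}; default=${pair#*=}
        cur=$(get_var "$1" "$name")
        if [ -z "$cur" ] || [ "$cur" = "$default" ]; then
            echo "vars: $name is blank or still the template default ($default)" >&2
            rc=1
        fi
    done
    return $rc
}

# build_pki: the whole procedure. Each easy-rsa script gets --batch so it
# takes the vars values instead of prompting, which is what the tutorial's
# "just hit Enter" does by hand.
build_pki() {
    sudo apt-get update && sudo apt-get install -y openvpn easy-rsa
    make-cadir ~/openvpn-ca
    cd ~/openvpn-ca
    set_var vars KEY_COUNTRY "US"            # example values, change them
    set_var vars KEY_PROVINCE "NY"
    set_var vars KEY_CITY "New York"
    set_var vars KEY_ORG "Example Org"
    set_var vars KEY_EMAIL "admin@example.com"
    set_var vars KEY_OU "VPN"
    set_var vars KEY_NAME "vpnserver"
    vars_ok vars
    . ./vars
    ./clean-all                              # wipes keys/: only for a fresh CA
    ./build-ca --batch
    ./build-key-server --batch vpnserver
    ./build-dh                               # slow: DH parameters, not a key pair
    openvpn --genkey --secret keys/ta.key    # the tls-auth pre-shared HMAC key
    ./build-key --batch client1              # one pair per user, revocable alone
    chmod 600 keys/*.key
}

# Only run the real thing when asked: `sh build-pki.sh run`.
if [ "${1:-}" = run ]; then build_pki; fi
```

The helpers are the part worth keeping even if you prefer to edit vars by hand: run vars_ok against your vars file before sourcing it, and nothing with the sample identity ever gets signed.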

Step 5: Configure the OpenVPN server

First, you need to copy the key files we created in ~/openvpn-ca into the /etc/openvpn directory. Note: change the vpnserver.crt and vpnserver.key files according to the [server] name you chose earlier. The private key and ta.key should end up owned by root with mode 600; the CA and server certificates are public.

Now, extract a sample OpenVPN configuration to the default location.

We now need to make some edits to the configuration file.

First, let’s ensure that OpenVPN is looking for the right .crt and .key files.

Before:

After (change according to the [server] name you chose earlier):

Next, enable tls-auth so that the server and the clients share the HMAC key generated earlier. The server uses key direction 0; the clients will use direction 1.

Before:

After:

Because we are going to use this VPN to route our traffic to the internet, we need to uncomment a few lines: the redirect-gateway push, so all client traffic goes through the tunnel, and the two DNS pushes, so clients stop resolving names through their local resolver (which would leak every hostname they visit outside the tunnel). You should also remove bypass-dhcp from the first line in question.

If you would prefer a resolver other than OpenDNS, change the two lines that begin with push "dhcp-option DNS.

Before:

After:

Then we need to select the cipher and the HMAC digest to use. Uncomment the AES cipher line and change it to AES-256-CBC, then add auth SHA512 at the bottom of the block. Both values must be repeated exactly in every client configuration, because a mismatch fails the connection rather than being negotiated.

Before:

After:

Finally, have OpenVPN drop to an unprivileged user and group once the tunnel is up, instead of staying root for the life of the process; a bug in the daemon then yields an unprivileged account rather than the whole VPS. Leave persist-key and persist-tun enabled as well: after dropping privileges the process can no longer reopen the key file or the tun device, and those two options let it survive a restart without them.

You can now save and close this file, then create that user if it does not already exist:

The OpenVPN server should now be set up!
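For reference, the relevant directives of /etc/openvpn/server.conf after the edits above, shown as an added example rather than the tutorial's own Before/After listing. The file names assume the server certificate was called vpnserver and that easy-rsa produced the default 2048-bit DH file; every other line of the sample configuration stays as shipped.

```conf
# /etc/openvpn/server.conf after Step 5 (added example, not the page's own
# file). Assumes cert name "vpnserver" and easy-rsa's default dh2048.pem.
port 1194
proto udp
dev tun

ca ca.crt
# was: cert server.crt / key server.key
cert vpnserver.crt
key vpnserver.key
dh dh2048.pem

# was: ;tls-auth ta.key 0
# Pre-shared HMAC key: the server is direction 0, every client direction 1.
tls-auth ta.key 0
key-direction 0

server 10.8.0.0 255.255.255.0
# was: ;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
# was: ;push "dhcp-option DNS 208.67.222.222" (OpenDNS; change both if you use another resolver)
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# was: ;cipher AES-128-CBC
cipher AES-256-CBC
# added; must match the client exactly
auth SHA512

# was: ;user nobody / ;group nogroup
# Drop root after the tunnel and keys are set up. persist-key and persist-tun
# let the daemon survive restarts without needing root to reopen them.
user nobody
group nogroup
persist-key
persist-tun
```

Every directive above is one the stock server.conf already contains, either active or commented out with a leading semicolon, except auth SHA512, which is appended.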

Step 6: Start up the OpenVPN server

Before we configure our clients, let’s make sure the OpenVPN server is running as we hope it will.

Make sure TUN/TAP is turned on in the SSD Nodes dashboard; on an OpenVZ VPS the /dev/net/tun device does not exist until the host enables it, and OpenVPN cannot bring up the tunnel without it.

You can double-check that OpenVPN is running with the systemctl status command:

If you're having problems getting OpenVPN to start, commenting out the LimitNPROC line in /lib/systemd/system/openvpn@.service, as discovered in this Ask Ubuntu thread, may be useful; it is a systemd resource limit that OpenVZ containers cannot apply. Because that is a unit file, you'll then need to run sudo systemctl daemon-reload and then sudo systemctl start openvpn@server (the instance name is the config file name without .conf).

You will also need to enable IP forwarding and set up iptables to properly direct traffic. First, look for the default interface.

On an OpenVZ VPS such as SSD Nodes the interface is venet0, and that name is what we're looking for. Then we set up iptables: a NAT (MASQUERADE) rule for traffic leaving the VPN subnet through that interface. Restrict the rule to the VPN subnet as its source rather than masquerading everything. Note that the NAT rule alone does nothing until net.ipv4.ip_forward is set to 1 with sysctl (and persisted in /etc/sysctl.conf); without it, clients reach the VPS but nothing behind it. To keep the iptables rule across reboots, install the iptables-persistent package, which will prompt you to save the existing rules. Choose Yes and your rules will be persisted moving forward.
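The routing half of Step 6 as an added example script, not the tutorial's own one-liner. It assumes the sample server.conf's 10.8.0.0/24 subnet, a Debian/Ubuntu host with iptables and iptables-persistent, and sudo. The interface is parsed out of the default route so the same script works for venet0 on OpenVZ and for eth0 or ens3 on KVM, forwarding is enabled and persisted, and every rule is checked with iptables -C before it is appended, because re-running a bare iptables -A stacks duplicate rules.

```shell
#!/bin/sh
# Added example (not from the original tutorial): the forwarding and NAT
# setup of Step 6. Assumptions: VPN subnet 10.8.0.0/24 (sample server.conf
# default), Debian/Ubuntu with iptables + iptables-persistent, root via sudo.
set -e

VPN_NET=10.8.0.0/24

# default_iface ROUTE_LINE: the interface name from one line of
# `ip route show default`. Handles "default via A.B.C.D dev eth0 ..." and
# the OpenVZ form "default dev venet0 scope link" seen on SSD Nodes.
# Prints nothing for a line that is not a default route.
default_iface() {
    echo "$1" | sed -n 's/^default .*dev \([^ ]*\).*/\1/p'
}

# current_default_iface: query the live routing table.
current_default_iface() {
    default_iface "$(ip route show default | head -n 1)"
}

# ensure_rule TABLE RULE...: append only if the rule is not already there.
ensure_rule() {
    table=$1; shift
    sudo iptables -t "$table" -C "$@" 2>/dev/null || sudo iptables -t "$table" -A "$@"
}

apply_nat() {
    iface=$(current_default_iface)
    [ -n "$iface" ] || { echo "no default route found" >&2; return 1; }
    # Without forwarding the NAT rule is inert: clients reach the VPS and
    # nothing behind it. Persist it under sysctl.d and apply it now.
    echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-openvpn-forward.conf >/dev/null
    sudo sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Masquerade only the VPN subnet, not everything that leaves $iface.
    ensure_rule nat POSTROUTING -s "$VPN_NET" -o "$iface" -j MASQUERADE
    # Forwarding rules for hosts whose FORWARD policy is DROP.
    ensure_rule filter FORWARD -i tun0 -o "$iface" -s "$VPN_NET" -j ACCEPT
    ensure_rule filter FORWARD -i "$iface" -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # iptables-persistent reloads /etc/iptables/rules.v4 at boot.
    sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
}

# Only touch the firewall when asked: `sh vpn-nat.sh apply`.
if [ "${1:-}" = apply ]; then apply_nat; fi
```

If your default route is not on the first line that ip route show default prints (multiple uplinks), pass the interface explicitly instead of relying on current_default_iface.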

Step 7: Configure clients

Lastly, you need to create client configurations. You can store these in any folder you like, as long as it isn't the /etc/openvpn folder, but the finished .ovpn files will embed each client's private key and the shared ta.key, so they must be kept secret: make the directory readable only by your user (chmod 700). We'll create a directory in home for this purpose.

Now, copy the sample client configuration into this new directory, and then open it in nano for editing.

Look for the following block of lines. You’ll need to change the my-server-1 to the public IP address of this VPS. You can find this information in the SSD Nodes dashboard, or by typing in the ifconfig command and looking for the inet field that does not look like 127.0.0.x.

Next, uncomment the following two lines by removing the semicolon.

Before:

After:

Because we’ll be adding keys and certificates directly into the .ovpn file, let’s comment out the following lines by adding semicolons to the beginning.

Before:

After:

Finally, jump to the bottom of the file and add the following lines. The first two mirror the cipher and auth options we set in server.conf (they must match exactly, or the connection fails), and the third, key-direction 1, marks this file as the client end of the tls-auth key, the counterpart of the 0 on the server.

We're also adding three commented-out lines (script-security 2 and the up and down hooks for /etc/openvpn/update-resolv-conf) that should be uncommented on Linux clients that use update-resolv-conf, so that the DNS servers pushed by the server actually replace the local resolver while connected.

Now, embed the keys and certificates into an .ovpn file using base.conf as a framework. Copy this entire command and execute it to embed the keys and create a final client1.ovpn file.

This tutorial won't cover client configurations in detail, but we'll share one easy way to transfer the .ovpn file to your Linux or OS X client. This command will ssh into your VPS, and then use cat to write a new client1.ovpn file on your local machine. Since the file holds a private key, make sure it lands with restrictive permissions (run umask 077 first, or chmod 600 the result).
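The "embed the keys" step as an added example, not the tutorial's own command: a make_ovpn function that builds the client file, and a check_ovpn function that verifies the result carries all four inline blocks, key-direction 1, and the same cipher and auth as the server. It assumes the tutorial's layout (~/client-configs/base.conf and keys in ~/openvpn-ca/keys), a client certificate named after the argument, and an output directory ~/client-configs/files of my own choosing.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: the Step 7 "embed the keys"
# command as a function, plus a check that the result is a usable client
# file. Assumptions: the tutorial's layout (~/client-configs/base.conf, keys
# in ~/openvpn-ca/keys), a client cert named after the first argument, and
# an output directory ~/client-configs/files (my choice, not the page's).
set -e

# pem FILE: only the PEM body. easy-rsa's .crt files begin with a text dump
# of the certificate that has no place in the .ovpn.
pem() { sed -n '/^-----BEGIN/,/^-----END/p' "$1"; }

# make_ovpn NAME BASE KEYDIR OUT: BASE plus inline <ca>, <cert>, <key> and
# <tls-auth> blocks. OUT then holds the client's private key and ta.key, so
# it is created 0600 and must be handled like a key, not like a config.
make_ovpn() {
    name=$1; base=$2; keydir=$3; out=$4
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$keydir/$f" ] || { echo "make_ovpn: missing $keydir/$f" >&2; return 1; }
    done
    (
        umask 077
        {
            cat "$base"
            echo '<ca>';       pem "$keydir/ca.crt";    echo '</ca>'
            echo '<cert>';     pem "$keydir/$name.crt"; echo '</cert>'
            echo '<key>';      pem "$keydir/$name.key"; echo '</key>'
            echo '<tls-auth>'; pem "$keydir/ta.key";    echo '</tls-auth>'
        } > "$out"
    )
}

# check_ovpn OUT SERVER_CONF: every inline block present, key-direction 1
# (the client end of the tls-auth key the server uses with 0), and cipher
# and auth identical to the server's, since a mismatch is a failed connect.
check_ovpn() {
    out=$1; srv=$2
    for tag in ca cert key tls-auth; do
        grep -q "^<$tag>\$" "$out" && grep -q "^</$tag>\$" "$out" \
            || { echo "$out: missing <$tag> block" >&2; return 1; }
    done
    grep -q '^key-direction 1$' "$out" \
        || { echo "$out: client needs 'key-direction 1'" >&2; return 1; }
    for opt in cipher auth; do
        want=$(sed -n "s/^$opt \(.*\)\$/\1/p" "$srv")
        got=$(sed -n "s/^$opt \(.*\)\$/\1/p" "$out")
        [ -n "$want" ] && [ "$want" = "$got" ] \
            || { echo "$out: $opt '$got' does not match server '$want'" >&2; return 1; }
    done
}

# Usage on the VPS: sh make_config.sh client1
if [ -n "${1:-}" ]; then
    mkdir -p ~/client-configs/files && chmod 700 ~/client-configs/files
    make_ovpn "$1" ~/client-configs/base.conf ~/openvpn-ca/keys ~/client-configs/files/"$1".ovpn
    check_ovpn ~/client-configs/files/"$1".ovpn /etc/openvpn/server.conf
fi
```

Run it once per client certificate you issued in Step 4. check_ovpn reads /etc/openvpn/server.conf, so run it with an account that can read that file, or point it at a copy.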

Once you configure your client, you should be able to connect to the VPN and access the wider internet through it. Congratulations!

Category: Linux