Set up OpenVPN on Debian/Ubuntu server
Based entirely on the tutorial "Secure Communications with OpenVPN on Debian 6 (Squeeze)" in the Linode Library. This article serves only as my notes and as a live example of how I set it up on my server.
Make sure all package repositories and installed programs are up-to-date:
apt-get update && apt-get upgrade
Install OpenVPN:
apt-get install openvpn udev
Copy OpenVPN's easy-rsa key management scripts (a set of certificate and key generation tools under /usr/share/doc/openvpn/examples/easy-rsa/) to the /etc/openvpn directory so that they aren't wiped out by a future OpenVPN package upgrade.
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
Set the variables that supply the identifying information easy-rsa embeds in every certificate you create.
File: /etc/openvpn/easy-rsa/2.0/vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="None - Private VPN"
export KEY_EMAIL="xxxxx@yahoo.com"
That's the config. for my personal VPN server.
Initialize the certificate authority and the public key infrastructure (PKI) by issuing the following commands in sequence:
cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca
After issuing the last command above, you'll be prompted for several values. Since these were already set in vars, simply press Enter at each prompt. You now have your own certificate authority.
Build the VPN server certificate and private key (filmygirl is my server's hostname):
. /etc/openvpn/easy-rsa/2.0/build-key-server filmygirl
If prompted for values, hit Enter as before (including for the challenge password and optional company name) unless you want different values, and answer y (yes) to the confirmation questions.
Build the VPN client certificate and private key for use on your computer(s). (for-all-my-computers is the OpenVPN client name I chose, because I'll be using the same client certificate and key on all my computers, and the name makes sense. Be aware that the sample client config recommends a separate .crt/.key pair per client: a shared pair can't be revoked for just one machine, and by default the server only allows one connection per certificate at a time.)
. /etc/openvpn/easy-rsa/2.0/build-key for-all-my-computers
Generate the Diffie-Hellman parameters used for the TLS key exchange:
. /etc/openvpn/easy-rsa/2.0/build-dh
Now put the certificates and keys where they belong. Transfer the client files (ca.crt, for-all-my-computers.crt and for-all-my-computers.key) from the /etc/openvpn/easy-rsa/2.0/keys/ directory on the server to your computer over a secure channel such as scp or sftp; the .key file is the client's private key and must never travel in the clear.
Copy the server files (ca.crt, ca.key, dh1024.pem, filmygirl.crt, filmygirl.key) from /etc/openvpn/easy-rsa/2.0/keys/ to the /etc/openvpn directory so the OpenVPN server process can read them. Note that ca.key is the CA signing key; the server process itself needs only ca.crt, the server cert/key and dh1024.pem, so wherever ca.key lives it should be readable by root alone.
cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key dh1024.pem filmygirl.crt filmygirl.key /etc/openvpn
Let's get into server and client VPN configuration using the example config. files provided in /usr/share/doc/openvpn/examples/sample-config-files directory: server.conf.gz and client.conf.
Server Config.: unzip the example server.conf.gz, copy server.conf to /etc/openvpn/filmygirl.conf (i.e. name the file after your server), and make the changes shown below.
cd /usr/share/doc/openvpn/examples/sample-config-files
gunzip -d server.conf.gz
cp server.conf /etc/openvpn/filmygirl.conf
File: /etc/openvpn/filmygirl.conf
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert filmygirl.crt
key filmygirl.key # This file should be kept secret
[...]
push "redirect-gateway def1"
[...]
push "dhcp-option DNS 10.8.0.1"
File: /etc/sysctl.conf (to ensure that the server is able to forward IPv4 traffic)
net.ipv4.ip_forward=1
Issue this command to apply the setting immediately, without a reboot:
echo 1 > /proc/sys/net/ipv4/ip_forward
Configure iptables:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Insert these iptables rules into the server's /etc/rc.local file, before the final exit 0, so they are re-applied after a reboot:
File: /etc/rc.local
[...]
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
exit 0
Install & Configure dnsmasq:
apt-get install dnsmasq
File: /etc/dnsmasq.conf
listen-address=127.0.0.1,10.8.0.1
bind-interfaces
dnsmasq also has to be restarted from /etc/rc.local at boot: with bind-interfaces it can only bind 10.8.0.1 once OpenVPN has brought up the tun interface, which happens after dnsmasq's own init script has already run.
File: /etc/rc.local
[...]
/etc/init.d/dnsmasq restart
exit 0
Start/Restart OpenVPN and Dnsmasq:
/etc/init.d/openvpn start
/etc/init.d/dnsmasq restart
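Before moving on to the client, here is a sanity check for the server side. It is my own addition to these notes (not from the Linode tutorial or OpenVPN itself): it confirms that the config names the files and push directives set above, that those files actually exist in the config's directory, that the server private key is not readable by other users, and that IPv4 forwarding is on. The ip_forward file is a parameter so the check can run offline against the constructed sample directory built by make_sample_server.

```shell
# check_vpn_server CONF FORWARD_FILE
#   CONF          the server config, e.g. /etc/openvpn/filmygirl.conf
#   FORWARD_FILE  normally /proc/sys/net/ipv4/ip_forward (a parameter so the
#                 check can run offline against a constructed copy)
# Prints every problem found; returns 0 only when everything checks out.
check_vpn_server() {
    conf="$1"; forward_file="$2"
    dir=$(dirname "$conf")
    rc=0
    # 1. Every directive this walkthrough sets must be present.
    for pat in '^ca ' '^cert ' '^key ' '^dh ' '^push "redirect-gateway' '^push "dhcp-option DNS'; do
        grep -q -- "$pat" "$conf" || { echo "missing directive: $pat"; rc=1; }
    done
    # 2. Bare filenames in ca/cert/key/dh are resolved relative to the config
    #    directory (OpenVPN runs in /etc/openvpn), so they must exist there.
    for d in ca cert key dh; do
        f=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        if [ -n "$f" ] && [ ! -f "$dir/$f" ]; then
            echo "$d file not found: $dir/$f"; rc=1
        fi
    done
    # 3. The server private key must not be group- or world-readable
    #    (ls output is parsed because stat's options differ between GNU and BSD).
    keyfile=$(awk '$1 == "key" { print $2; exit }' "$conf")
    if [ -n "$keyfile" ] && [ -f "$dir/$keyfile" ]; then
        perms=$(ls -l "$dir/$keyfile" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "$keyfile is readable by others (mode $perms)"; rc=1; }
    fi
    # 4. Without IPv4 forwarding, redirect-gateway leaves clients with no internet.
    [ "$(cat "$forward_file" 2>/dev/null)" = "1" ] || { echo "ip_forward is not 1 ($forward_file)"; rc=1; }
    return $rc
}

# make_sample_server DIR: constructed miniature of /etc/openvpn for an offline
# run; the cert/key/dh files are empty placeholders, not real key material.
make_sample_server() {
    mkdir -p "$1"
    cat > "$1/filmygirl.conf" <<'EOF'
ca ca.crt
cert filmygirl.crt
key filmygirl.key
dh dh1024.pem
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
EOF
    : > "$1/ca.crt"; : > "$1/filmygirl.crt"; : > "$1/dh1024.pem"
    : > "$1/filmygirl.key"; chmod 600 "$1/filmygirl.key"
    echo 1 > "$1/ip_forward"
}
```

On the real server, run it as check_vpn_server /etc/openvpn/filmygirl.conf /proc/sys/net/ipv4/ip_forward after the steps above.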
Client Config.: transfer client.conf to your computer, rename it for-all-my-computers.conf to match the name of the VPN client on your server, and make the following changes in the file (on your computer):
File: for-all-my-computers.conf (on your computer now)
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 98.129.174.16 1194
[...]
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert for-all-my-computers.crt
key for-all-my-computers.key
I don't map a domain to my server, so it doesn't have a Fully Qualified Domain Name (FQDN) assigned. Therefore I simply used the server's IP address in the configuration above.
Now, let's check that all the files we downloaded are on the computer:
- ca.crt
- for-all-my-computers.crt
- for-all-my-computers.key
- for-all-my-computers.conf
Use them to connect to the VPN server from your PC (on Windows, for example, you may need to rename for-all-my-computers.conf to for-all-my-computers.ovpn). Various VPN services provide tutorials for this. Here's one for a start.
Notes:
- I am looking into how OpenSSH and SSH SOCKS proxying work, as people have told me that these can provide easier VPN and VPN-like services.