beta.blog

Ubuntu: Setting up OpenVPN

by on Feb.27, 2011, under Linux (Ubuntu)

I’ve used OpenVPN for various reasons in the past. My main purpose was to build a virtual private network with my server. In addition, I wanted to use my server as a gateway so that I could surf the web with a German IP address. Setting everything up was quite a hard job, so I’m going to write a brief installation guide explaining the basic steps:

1.) Log in to your (Ubuntu) server via SSH. Enter the following commands:

apt-get update
apt-get install sudo
apt-get install iptables
apt-get install -y openvpn

This will update your repositories, install sudo (if you don’t already have it installed), install iptables (in order to later forward traffic from your VPN to the WWW) and OpenVPN itself.

2.) Then copy a sample configuration file and gunzip it:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa2

3.) Now it’s time to edit the easy-rsa variables. I’ve used my favourite text editor (vim):

vim /etc/openvpn/easy-rsa2/vars

Change the following values in the file to match your details:

export KEY_COUNTRY=DE
export KEY_PROVINCE=NRW
export KEY_CITY=Düsseldorf
export KEY_ORG="Vpntest"
export KEY_EMAIL="dontspamme@myhomepage.net"

4.) The following commands will create the certificates and keys. Follow the on-screen instructions.

mkdir /etc/openvpn/easy-rsa2/keys
cd /etc/openvpn/easy-rsa2/
source /etc/openvpn/easy-rsa2/vars
sudo -E /etc/openvpn/easy-rsa2/clean-all
sudo -E /etc/openvpn/easy-rsa2/build-ca
sudo -E /etc/openvpn/easy-rsa2/build-key-server server
sudo -E /etc/openvpn/easy-rsa2/build-key ersterclient
sudo -E /etc/openvpn/easy-rsa2/build-dh

5.) Edit the server.conf.

vim /etc/openvpn/server.conf

This is the content of my file. Replace xxx.xx.xxx.xxx with your server’s IP address:

user    nobody
group   nogroup
dev     tun
local   xxx.xx.xxx.xxx
port    443
proto   udp
ca      /etc/openvpn/easy-rsa2/keys/ca.crt
cert    /etc/openvpn/easy-rsa2/keys/server.crt
key     /etc/openvpn/easy-rsa2/keys/server.key  # This file should be kept secret
dh      /etc/openvpn/easy-rsa2/keys/dh1024.pem
server  10.66.66.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
client-to-client
keepalive 10 120
comp-lzo
persist-tun
persist-key
verb 3
log-append      /var/log/openvpn/openvpn.log
plugin  /usr/lib/openvpn/openvpn-auth-pam.so common-auth
client-cert-not-required
username-as-common-name
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

6.) Forward traffic to and from your VPN. Replace xxx.xx.xxx.xxx with your server’s IP address.

iptables -t nat -A POSTROUTING -s 10.66.66.0/24 -o venet0 -j SNAT --to xxx.xx.xxx.xxx

7.) Restart OpenVPN

sudo /etc/init.d/openvpn restart

If something goes wrong while restarting OpenVPN (for instance, it reports FAIL), you’re probably using a VPS. In this case the following commands might solve the problem (this applies to a few OpenVZ containers):

sudo mkdir -p /dev/net
sudo mknod /dev/net/tun c 10 200
sudo chmod 600 /dev/net/tun
sudo /etc/init.d/openvpn restart
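
The server.conf from step 5 gives up several protections: no client certificates, 1024-bit DH parameters, compression, and no tls-auth key. As an added example that is not part of the original post, the shell function below flags those directives in a config file; the function names, the severity labels and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: flag risky directives in an
# OpenVPN server.conf. Output: one "LEVEL directive: reason" line per finding.
audit_openvpn_conf() {
    conf=$1
    # True if the directive is the first word of a non-comment line.
    has() { grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$conf"; }

    if has client-cert-not-required; then
        echo "HIGH client-cert-not-required: no client certificate is checked; the PAM password is the only credential"
    fi
    # easy-rsa 2.0 names the file dh<KEY_SIZE>.pem, so the name gives the size.
    dh=$(awk '$1 == "dh" { print $2; exit }' "$conf")
    case $dh in
        *dh512*|*dh1024*) echo "HIGH dh: $dh is below 2048 bits" ;;
    esac
    if has comp-lzo; then
        echo "MEDIUM comp-lzo: compressing before encrypting can leak plaintext (VORACLE)"
    fi
    if ! has tls-auth && ! has tls-crypt; then
        echo "MEDIUM tls-auth: control channel has no HMAC key, so unauthenticated packets reach the TLS stack"
    fi
    if has client-to-client; then
        echo "INFO client-to-client: traffic between clients is routed inside OpenVPN and bypasses the server's iptables rules"
    fi
    return 0
}

# Constructed sample: the security-relevant lines of the server.conf in step 5.
write_sample_conf() {
    cat > "$1" <<'EOF'
port    443
proto   udp
dh      /etc/openvpn/easy-rsa2/keys/dh1024.pem
client-to-client
comp-lzo
plugin  /usr/lib/openvpn/openvpn-auth-pam.so common-auth
client-cert-not-required
username-as-common-name
EOF
}

tmp=$(mktemp) && write_sample_conf "$tmp" && audit_openvpn_conf "$tmp"
rm -f "$tmp"
```

Run against the real file with audit_openvpn_conf /etc/openvpn/server.conf; the DH check relies on the easy-rsa file name and does not inspect the parameters themselves.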

Alright, so the server has been installed successfully. Now it’s time to configure the client.

1.) Install the OpenVPN client for your OS
2.) Go to INSTALLDIR/config/ and copy the ca.crt from your server into this directory.
3.) Edit INSTALLDIR/config/client.ovpn

Here’s the content of my client.ovpn. Replace xxx.xx.xxx.xxx with your server’s IP address:

client
dev     tun
proto   udp
remote  xxx.xx.xxx.xxx 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
ca ca.crt
comp-lzo
verb 3
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Save the file. Finally, you should be able to establish a connection with your VPN server using a user account from your server (those user accounts are regular Linux users). You’ve successfully set up an OpenVPN server and can connect to it via a client.

