Monday, 15 February 2016

Create your own VPN server

The use of VPNs is actually quite common around the world for a number of different reasons. Companies do it to enable their employees to dial into their office network and access relevant files and software. Individuals do it to dial into their own personal network for much the same reason, as well as being able to then use their own Internet connection to access online material that may be restricted if they happen to be using a hotel’s Internet, for example.

In this tutorial, we are going to show you how to set up your own VPN server within your own network using the excellent OpenVPN software. As long as you have a system that you can keep up for 24 hours a day, this will be very useful for you. We are doing this tutorial on Ubuntu 14.04, but it will be easy to modify for most other systems too.

1. Initial setup

We’re doing this on an Ubuntu machine, but everything we do will be translatable to other systems and servers. On your soon-to-be VPN server, you need to start by installing software with:

  $ sudo apt-get install openvpn easy-rsa

Once that’s done we need to get the example setup for us to work from and modify by doing:

  $ sudo gunzip -c /usr/share/doc/openvpn/examples/

sample-config-files/server.conf.gz > /etc/openvpn/


2. Edit the config file

We’re going to start editing the config file example we just made by opening it first in nano (sudo nano /etc/openvpn/server.conf). Then change the following line:

  ‘dh dh1024.pem’ to ‘dh dh2048.pem’

Remove the comment (;) from ;push “redirect-gateway def1 bypass-dhcp”. Uncomment the lines below:

  ;push “dhcp-option DNS”

  ;push “dhcp-option DNS”

… and finally, also uncomment the following two lines before saving and exiting:

  ;user nobody

Create your own VPN server

3. Forward client internet

We can now edit sysctl to forward the packets from the computer that we are connecting from. We can do this by running the following command:

  # echo 1 > /proc/sys/net/ipv4/ip_forward

We then need to edit the file sysctl.conf, so open it up in nano from the location /etc/sysctl.conf. Once open, we need to edit the line below:


… and remove the comment (#) so it looks like:


Then save and exit.

4. An uncomplicated firewall

Uncomplicated firewall, or ufw, is installed by default in Ubuntu from 14.04 onwards and is as uncomplicated as its name suggests. We’re going to allow OpenVPN to connect to and through it using the following two commands:

  # ufw allow ssh

  # ufw allow 1194/udp

Once those rules have been written, open up the ufw config file with nano at /etc/default/ufw and change DROP to ACCEPT in the following line:


5. Make the rules

We need to make some new rules for the way the network address is translated and the way IP is masqueraded. To do this, we need to open up before.rules using nano at the location /etc/ufw/before.rules, and then add the following after the first paragraph:


  # NAT table rules



  # Allow traffic from OpenVPN client to eth0




6. Enable the firewall

Once you’ve saved these new settings you can finally enable ufw for use. To do this in the terminal you’ll want to type:

  # ufw enable

It will ask you if you really want to enable ufw, to which you can type ‘y’ to confirm. It will inherit all of the settings we’ve just modified and added, which will ultimately enable us to reroute traffic from a client system.

7. Check the firewall status

You can check the status of the firewall using ufw status at any time – it will let you know whether it’s on or not and what rules and actions are currently being taken on certain ports. It only shows what the ports are doing when on, though.

8. Install Certificate Authority

We need to be able to have a way to generate and authenticate certificates for both the server and client to enable for secure communication between the two. To do this, set up a Certificate Authority. Start by copying the RSA scripts we looked at over with:

  # cp -r /usr/share/easy-rsa/ /etc/openvpn

… and then create the following directory for key storage:

9. Easy variables

We need to change the variables for RSA so we can create keys for our specific purposes and location. To do this open up the config file /etc/openvpn/easy-rsa/vars with nano and edit the following to your spec:

  export KEY_COUNTRY=“UK”

  export KEY_PROVINCE=“DT”

  export KEY_CITY=“Bournemouth”

  export KEY_ORG=“Amazing, Inc”

  export KEY_EMAIL=“”

  export KEY_OU=“Department of Excellence”

Create your own VPN server

10. Name the server

The final part of the vars file to edit is the ‘export KEY_NAME’ line below these details. For the sake of making this tutorial easy, change it to:

  export KEY_NAME=“server”

If you wish to give it a different name, you’ll have to start editing the OpenVPN config files that reference server.key and server.crt. For now then, we will refer to it as server and you can change it if and as you wish.

11. Generate parameters

We need to generate a Diffie-Hellman parameter for the key exchangce – this is a secure way of exchanging encrypted keys over a public network and essential for our server. To do this, you’ll need to type the following command into the terminal:

  # openssl dhparam -out /etc/openvpn/dh2048.pem 2048

It takes a while as it calculates everything that’s needed.

Create your own VPN server

12. Build Certificate Authority

We need to do a bit more prep first before we build our CA. Firstly, to make things easier use cd to move into the /etc/openvpn/easy-rsa. From here you can initialise the public key infrastructure using the command below:

  # . ./vars

It will warn you that by running clean-all you will be deleting all the current keys. As they’re old and we don’t run them, we are going to do exactly that:

  # ./clean-all

Finally, actually build the CA using:

  # ./build-ca

13. Server keys

Now we’re going to build a security key for our VPN server. You can do this in the terminal from the same directory as before by using:

  # ./build-key-server server

It will ask you again to confirm the details of the location of the server, but it will also ask you to add a password. Leave the password fields blank. You do want to sign and commit the certificate, so hit ‘y’ on those.

14. Turn OpenVPN on

We now need to move the keys to a location that OpenVPN actually expects to see them; in this case it’s /etc/openvpn. We need to do the move using:

  # cp /etc/openvpn/easy-rsa/keys/{server.crt,server.

key,ca.crt} /etc/openvpn

Once that’s done, you can finally start the server ready to receive clients by using:

  # service openvpn start

Use service openvpn status to check if it’s properly on or not.

15. Create a key for the client

We can now build a unique key for the client that is based partly on the name of the client itself. You can create it from the directory we are already in by using:

  # ./build-key [name]

Again, don’t give it a password or optional company info, and make sure you agree to sign the certificate and commit it.

Create your own VPN server

16. Prepare the client configuration

The example file that we can use on all the clients is already in the filesystem, but we need to move it to the right location for us to make the make the most of it. We’re also going to change the filetype of the example during the copy to better suit what the client will expect:

  # cp /usr/share/doc/openvpn/examples/sample-

config-files/client.conf /etc/openvpn/easy-rsa/


17. Move files to client

Once all the keys and example files are set up, you need to move certain files to whatever client you want to use to connect to this server. This includes four specific files: the first two are client-specific and use the name that we specified earlier as follows:



The other two files are used on every client, and they are:



Do this with all the clients.

18. Connect remotely

Once you’ve set up a way to connect to the server from clients, you can begin testing the server out and using the full facilities of a VPN. Whether you’re doing it for business or just at home, it’s an excellent way to work or use the Internet in
an unrestricted way. 

from Linux User & Developer – the Linux and FOSS mag for a GNU generation

No comments:

Post a Comment



Donate Towards More Raspberry PI's for Projects