Feeling insecure about your data travelling over the Internet? Want to access content that is blocked in your country? (Please comply with your country's law; failing to do so may land you in jail.) This article will guide you through setting up an OpenVPN server on your own server so you can access content over the Internet securely.
To start with, let's see what a VPN is. A virtual private network (VPN) extends a private network across public networks like the Internet. It enables a host computer to send and receive data across shared or public networks as if it were an integral part of the private network, with all the functionality, security and management policies of the private network.
Why do you need a VPN?
- Privacy: Using free WiFi at an airport, cafe or mall? There is a chance that your data can be intercepted. A connection secured by a VPN encrypts your traffic so that anyone intercepting it on that network cannot read it.
- Accessing blocked content: I live in a country where I cannot access premium content like Pandora or TV channels due to licence restrictions. A VPN server set up abroad, where this content is available, lets me access it.
- Security: Using a VPN keeps you and the data you transmit away from prying eyes.
- Setting up a private network over the Internet: a VPN can be used to set up a gaming LAN over the Internet when you cannot reach each other directly because of port blocking, or to reach services that are used exclusively within your firm.
In this article we use a US-based Virtual Private Server (VPS) running Ubuntu 12.10, with root access.
Make sure the TUN adapter is enabled on your hosting
To check whether the TUN adapter is enabled, run the following command:
cat /dev/net/tun
If the output is "cat: /dev/net/tun: File descriptor in bad state", the TUN device is enabled.
If the output is anything different (for example "No such file or directory"), ask your hosting provider to enable TUN.
Getting Started:
Installing Packages:
Install the "openssl" and "openvpn" packages:
apt-get install openssl openvpn
Copy the easy-rsa configuration files:
cp -avr /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
Edit variables:
Edit the /etc/openvpn/easy-rsa/vars file
Find the line that reads export EASY_RSA="`pwd`"
and change it to
export EASY_RSA="/etc/openvpn/easy-rsa"
Now change directory:
cd /etc/openvpn
Run the following commands:
. ./easy-rsa/vars
./easy-rsa/clean-all
Building Certificate Authority File:
./easy-rsa/build-ca OpenVPN
Building Server Key:
./easy-rsa/build-key-server server
Several questions will be asked; leave them at their defaults. After that, two Yes/No questions will be asked; answer y to each and proceed.
Building Client Key:
./easy-rsa/build-key user1
Several questions will be asked; leave them at their defaults. After that, two Yes/No questions will be asked; answer y to each and proceed. Repeat the above command with user2, user3 and so on to add as many users as you need.
Creating Diffie Hellman Parameters:
./easy-rsa/build-dh
When done, a new directory called "keys" will have been created in "/etc/openvpn/easy-rsa".
Creating OpenVPN Configuration File:
Assumptions:
- UDP port 8080 is used
- 8.8.8.8 and 4.2.2.2 are used as DNS servers
Create and edit the configuration file "/etc/openvpn/openvpn.conf" with the following content:
proto udp
port 8080
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 4.2.2.2"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 190
user nobody
group nogroup
persist-key
persist-tun
client-to-client
comp-lzo
verb 3
log-append /var/log/openvpn
Enable Packet Forwarding: edit the "/etc/sysctl.conf" file and uncomment the following line:
net.ipv4.ip_forward=1
Adding an iptables rule:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to YOUR.EXTERNAL.IP
Here, replace eth0 with your external adapter (venet0 if you have an OpenVZ-based server) and YOUR.EXTERNAL.IP with your external IP address.
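The two settings above, packet forwarding and the POSTROUTING NAT rule, are the ones most often missed when clients connect fine but have no Internet access. The following script is an added example (not part of the original article) that checks both from files: it reads a sysctl.conf and an "iptables-save -t nat" dump, so it can be run on the live server or against a saved dump. The subnet 10.8.0.0/24 is taken from the server configuration above; the sample files it creates for its demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): check that packet forwarding
# is enabled in sysctl.conf and that a POSTROUTING NAT rule exists for the
# VPN subnet. Both inputs are read from files so the check also works against
# a saved "iptables-save -t nat" dump.

VPN_SUBNET='10.8.0.0/24'          # matches "server 10.8.0.0 255.255.255.0"
VPN_SUBNET_RE='10\.8\.0\.0/24'    # the same subnet, escaped for grep -E

# forwarding_enabled SYSCTL_FILE
# Succeeds only if an uncommented "net.ipv4.ip_forward=1" line exists;
# a line that is still commented out with "#" does not count.
forwarding_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# nat_rule_present IPTABLES_SAVE_FILE
# Succeeds if the nat dump contains a POSTROUTING SNAT or MASQUERADE rule
# whose source is the VPN subnet (the article's SNAT rule or its MASQUERADE
# equivalent).
nat_rule_present() {
    grep -Eq "^-A POSTROUTING .*-s ${VPN_SUBNET_RE} .*-j (SNAT|MASQUERADE)" "$1"
}

# audit_vpn_nat SYSCTL_FILE IPTABLES_SAVE_FILE
# Prints one line per check and returns 0 only if both checks pass.
audit_vpn_nat() {
    rc=0
    if forwarding_enabled "$1"; then
        echo "ok:   net.ipv4.ip_forward=1 is set in $1"
    else
        echo "FAIL: net.ipv4.ip_forward=1 is missing or commented out in $1"
        rc=1
    fi
    if nat_rule_present "$2"; then
        echo "ok:   POSTROUTING SNAT/MASQUERADE rule for $VPN_SUBNET found in $2"
    else
        echo "FAIL: no POSTROUTING SNAT/MASQUERADE rule for $VPN_SUBNET in $2"
        rc=1
    fi
    return $rc
}

# Stand-alone demo with constructed sample files (placeholder IP 203.0.113.10).
# On the real server you would run:
#   iptables-save -t nat > /tmp/nat.dump && audit_vpn_nat /etc/sysctl.conf /tmp/nat.dump
demo_dir=$(mktemp -d)
printf '%s\n' '# net.ipv4.ip_forward=1' > "$demo_dir/sysctl.conf"   # still commented out
printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
    '-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 203.0.113.10' \
    'COMMIT' > "$demo_dir/nat.dump"
audit_vpn_nat "$demo_dir/sysctl.conf" "$demo_dir/nat.dump" \
    || echo "(the forwarding check fails for the sample because the line is still commented out)"
rm -rf "$demo_dir"
```

The check reads the file, not the running kernel value: after uncommenting the line in /etc/sysctl.conf, run sysctl -p (or reboot) so it takes effect, and compare with cat /proc/sys/net/ipv4/ip_forward if clients still cannot reach the Internet. Note also that iptables rules added by hand are lost on reboot unless you persist them.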
Restart Services:
/etc/init.d/openvpn restart
If you configured everything correctly, your OpenVPN server is now running 🙂
Client Side Configuration:
Copy the following files from "/etc/openvpn/easy-rsa/keys" to your machine:
- ca.crt
- user1.crt (copy user2.crt and so on if you created multiple certificates)
- user1.key (copy user2.key and so on if you created multiple certificates)
Create a user1.ovpn file on your machine with the following content:
dev tun
client
proto udp
remote YOUR.VPS.IP 8080
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user1.crt
key user1.key
comp-lzo
verb 3
fast-io
pull
remote-random
route-delay 2
redirect-gateway
Replace YOUR.VPS.IP with your server's IP address,
and replace "cert user1.crt" and "key user1.key" with the names of your own certificate and key files.
Now import the profile into your OpenVPN client and get connected to your VPN 🙂
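Instead of shipping ca.crt, user1.crt and user1.key as three loose files next to the .ovpn, the same profile can carry them inline, which is what most clients expect today. The script below is an added example (not from the original article): it reads the three files from the easy-rsa "keys" directory and writes a single profile with the options used above. It also adds remote-cert-tls server, which is not in the original user1.ovpn; that option makes the client accept only a server certificate issued with build-key-server, so a certificate that was issued to another user by the same CA cannot be presented as the server. The demo at the bottom uses constructed placeholder files, not real keys.

```shell
#!/bin/sh
# Added example (not from the original article): build a self-contained
# client profile by inlining ca.crt, <user>.crt and <user>.key from the
# easy-rsa "keys" directory, instead of copying three separate files.
# Usage: make_client_profile KEYS_DIR USER SERVER_IP [PORT] > USER.ovpn

make_client_profile() {
    keys_dir="$1"; user="$2"; server="$3"; port="${4:-8080}"

    # Refuse to emit a profile with a piece missing; a half-built profile
    # only fails later, at connect time, with a far less obvious error.
    for f in "$keys_dir/ca.crt" "$keys_dir/$user.crt" "$keys_dir/$user.key"; do
        [ -r "$f" ] || { echo "make_client_profile: missing or unreadable: $f" >&2; return 1; }
    done

    # Options from the article's user1.ovpn, plus "remote-cert-tls server"
    # (an addition here): only a certificate built with build-key-server is
    # accepted as the VPN server, so another client's certificate from the
    # same CA cannot pose as the server.
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(cat "$keys_dir/ca.crt")
</ca>
<cert>
$(cat "$keys_dir/$user.crt")
</cert>
<key>
$(cat "$keys_dir/$user.key")
</key>
EOF
}

# Stand-alone demo with constructed placeholder files (not real keys).
# On the server you would instead run, for example:
#   make_client_profile /etc/openvpn/easy-rsa/keys user1 YOUR.VPS.IP 8080 > user1.ovpn
demo_dir=$(mktemp -d)
for name in ca.crt user1.crt; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER $name" '-----END CERTIFICATE-----' > "$demo_dir/$name"
done
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER user1.key' '-----END PRIVATE KEY-----' > "$demo_dir/user1.key"
make_client_profile "$demo_dir" user1 YOUR.VPS.IP 8080
rm -rf "$demo_dir"
```

Because the generated file contains the user's private key, treat it like the key itself: hand it to the user over a secure channel, and generate one profile per user with that user's own certificate rather than sharing one profile between several people.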