Using the excellent Digital Ocean tutorial as my base I decided to setup an OpenVPN server on a Linux Mint 18 computer running on my home network so that I can have an extra layer of protection when connecting to those less than reputable WiFi hotspots at airports and hotels.
While this post is not meant to be an in-depth guide, you should use the original for that, it is meant to allow me to look back at this at some point in the future and easily re-create my setup.
1. Install everything you need
sudo apt-get update
sudo apt-get install openvpn easy-rsa
2. Setup Certificate Authority (CA)
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
nano vars
3. Update CA vars
Set these to something that makes sense:
export KEY_COUNTRY=”US”
export KEY_PROVINCE=”CA”
export KEY_CITY=”SanFrancisco”
export KEY_ORG=”Fort-Funston”
export KEY_EMAIL=”me@myhost.mydomain”
export KEY_OU=”MyOrganizationalUnit”
Set the KEY_NAME to something that makes sense:
export KEY_NAME=”server”
4. Build the CA
source vars
./clean-all
./build-ca
5. Build server certificate and key
./build-key-server server
./build-dh
openvpn –genkey –secret keys/ta.key
6. Generate client certificate
source vars
./build-key-pass clientname
7. Configure OpenVPN
cd ~/openvpn-ca/keys
sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Edit config file:
sudo nano /etc/openvpn/server.conf
Uncomment the following:
tls-auth ta.key 0
cipher AES-128-CBC
user nobody
group nogroup
push “redirect-gateway def1 bypass-dhcp”
push “route 192.168.10.0 255.255.255.0”
push “route 192.168.20.0 255.255.255.0”
Add the following:
key-direction 0
auth SHA256
Edit config file:
sudo nano /etc/sysctl.conf
Uncomment the following:
net.ipv4.ip_forward=1
Run:
sudo sysctl -p
8. Setup UFW rules
Run:
ip route | grep default
To find the name of the network adaptor. For example:
default via 192.168.x.x dev enp3s0 src 192.168.x.x metric 202
Edit config file:
sudo nano /etc/ufw/before.rules
Add the following, replacing your network adaptor name, above the bit that says # Don’t delete these required lines…
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o enp3s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Edit config file:
sudo nano /etc/default/ufw
Change DEFAULT_FORWARD_POLICY to ACCEPT.
DEFAULT_FORWARD_POLICY=”ACCEPT”
Add port and OpenVPN to ufw, allow it and restart ufw to enable:
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable
9. Start OpenVPN Service and set it to enable at boot
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
10. Setup client configuration
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
Edit config file:
nano ~/client-configs/base.conf
Replace remote server_IP_address port with the external IP address and port you are planning on using. The IP address can also be a hostname, such as a re-director.
Add the following:
cipher AES-128-CBC
auth SHA256
key-direction 1
Uncomment the following:
user nobody
group nogroup
Comment out the following:
#ca ca.crt
#cert client.crt
#key client.key
11. Make a client configuration generation script
Create the file:
nano ~/client-configs/make_config.sh
Add the following to it:
#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.confcat ${BASE_CONFIG} \
<(echo -e ‘<ca>’) \
${KEY_DIR}/ca.crt \
<(echo -e ‘</ca>\n<cert>’) \
${KEY_DIR}/${1}.crt \
<(echo -e ‘</cert>\n<key>’) \
${KEY_DIR}/${1}.key \
<(echo -e ‘</key>\n<tls-auth>’) \
${KEY_DIR}/ta.key \
<(echo -e ‘</tls-auth>’) \
> ${OUTPUT_DIR}/${1}.ovpn
And mark it executable:
chmod 700 ~/client-configs/make_config.sh
12. Generate the client config file
cd ~/client-configs
./make_config.sh clientname
13. Transfer client configuration to device
You can now transfer the client configuration file found in ~/client-configs/files to your device.
[…] This post originally appeared on my personal website here. […]