Safety on the internet has never been as paramount as it is today. A VPN (Virtual Private Network) is a secure tunnel that all of your incoming and outgoing traffic passes through. Inside this tunnel, the private network is protected with encryption and other security best practices, so that only permitted users can connect to the network and outside parties cannot intercept data travelling through it. In practical terms, a VPN replaces your IP address: even if someone traced a connection back, they would only arrive at the location your VPN is hosted from.
One of the most popular VPN technologies available today is OpenVPN. It is an open source VPN solution that uses specialised protocols to give users on its network maximum security. OpenVPN is so effective that it has become a standard for many commercially available VPNs. Because it is open source, it continues to be safe: community members regularly update the application to ensure it offers maximum security without compromising on speed or performance.
OpenVPN’s Key Features
Since security is one of the main reasons to use a VPN, it is important that the VPN in question has the very best security features. OpenVPN has strict security features that make it highly effective. These include pre-shared keys for peer authentication, strong encryption (256-bit ciphers) and a keyed-hash message authentication code (HMAC), among others. OpenVPN is also quite efficient since, unlike many VPN technologies, it does not need root access to secure a device.
Reliability is critical when it comes to VPNs. No one would use a VPN knowing that, in case of a network failure or if the VPN went down, their data would leak. OpenVPN gives its clients a measure of reliability: whenever the VPN goes down, packet transmission is paused until the connection is repaired, and only then does transmission resume. This ensures there are no data leaks, miscommunication or corruption. What’s more, OpenVPN transmits data at optimal speeds. Even when the user switches to a higher-bit encryption, OpenVPN is faster than L2TP/IPsec and PPTP.
Device compatibility is critical to the success of a VPN. OpenVPN is one of the most widely compatible VPN solutions in the world. Since it is open source, developers have made sure that it works with most systems out there. Compatibility with the most popular operating systems, such as macOS, Windows, iOS, Linux, Android, FreeBSD, OpenBSD, Solaris and NetBSD, is guaranteed.
OpenVPN also runs on router firmware such as Tomato and DD-WRT. On the protocol side, OpenVPN supports RSA certificates and X.509 PKI, SSL/TLS, and both TUN and TAP virtual network devices.
So, what exactly does one need to set up an OpenVPN server? In this article, we will be setting up OpenVPN on an Ubuntu 16.04 server. To run OpenVPN successfully, you first need a non-root user with administrative (sudo) privileges. For example, the following command adds a user called “hackins”; replace it with whatever name you like.
# adduser hackins
You will be asked a few questions, such as the account password. Hit ENTER to skip any field you do not want to fill in. To give the user administrative privileges, add the user to the “sudo” group, which allows the account to run the sudo command:
# usermod -aG sudo hackins
The first step is to install OpenVPN itself. Since it is available in Ubuntu’s default repositories, the apt command is the easiest way to do this. The easy-rsa package is installed alongside it because we will use it to build our certificate authority.
$sudo apt-get update
$sudo apt-get install openvpn easy-rsa
The system will complete the download and installation, and OpenVPN will be ready for configuring.
Setting Up the Certificate Authority (CA) Directory
Since OpenVPN uses TLS/SSL to establish secure connections, it needs certificates to encrypt the traffic between the client and the server. As such, we need to set up a simple CA of our own.
$make-cadir ~/OpenVPN-ca
$cd ~/OpenVPN-ca
Configuring the CA
Here, our task is to provide the parameters the CA will use. To do this, we need to edit the vars file inside the directory we just created.
You can use either vim or nano to edit the file. In this case, we will use nano. So, while in the directory, type the following command to open the file in the nano text editor:
$nano vars
Here, you will find some values that need to be changed according to your preferences. Towards the bottom of the file are the defaults for new certificates, such as these:
. . .
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="firstname.lastname@example.org"
export KEY_OU="MyOrganizationalUnit"
. . .
You can change these values to whatever you want, but under no circumstances should any field be left blank. The KEY_NAME value also needs to be edited; for brevity, we will set it to “server” in this tutorial.
Save and close the file.
Building the CA
To build our CA, we will use the values we provided together with the easy-rsa utilities. Make sure you are inside the CA directory, then source the vars file you edited so its values are loaded into the shell:
$cd ~/OpenVPN-ca
$source vars
If it was sourced correctly, you should see the following output:
NOTE: If you run ./clean-all, you will be doing a rm -rf on /home/user/OpenVPN-ca/keys
To ensure we are starting from a clean slate, type:
$./clean-all
Now you can build the root CA with the following command:
$./build-ca
This will start the process of creating the root CA certificate and key. To confirm the selections, just hit ENTER through the prompts.
Create the Encryption Files, Key, and Server Certificate
To start off, we will generate the key pair and certificate for the OpenVPN server. The name passed to the script matches the KEY_NAME value we set in the vars file:
$./build-key-server server
Press ENTER to accept the default values. Do NOT enter a challenge password at this point, as it would get in the way later in the setup. At the end, confirm signing the certificate and committing it to the database:
. . .
Certificate is to be certified until August 9 05:00:00 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Next, we generate the Diffie-Hellman parameters used during key exchange, and an HMAC signing key (ta.key) that will be used with the tls-auth directive, by typing:
$./build-dh
$openvpn --genkey --secret keys/ta.key
Generate Key Pair and Client Certificate
For this tutorial, we will only generate one client key/certificate. If you have multiple clients, repeat the process as many times as you need. For automated connections, credentials without a password are required. In the command below, client1 is the name of our first client certificate.
$cd ~/OpenVPN-ca
$source vars
$./build-key client1
With all these generated files in hand, we can now configure OpenVPN. We need to copy the generated files to the /etc/openvpn directory. If you followed the steps above, they were placed in the ~/OpenVPN-ca/keys directory. So, to copy them:
$cd ~/OpenVPN-ca/keys
$sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
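Once the files are in place, it is worth checking that the private material is actually protected from other accounts on the server. The following script is an added example and is not part of the original article or the OpenVPN project: it audits a directory for the file names used in this tutorial (ca.crt, ca.key, server.crt, server.key, ta.key, dh2048.pem) and flags any private key that is readable by group or others. The directory is passed as an argument, so it runs here against a constructed temporary directory rather than /etc/openvpn.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the secret material
# copied into the OpenVPN configuration directory. Checks that each expected
# file exists and that private keys are readable only by their owner.
# Assumption: file names as used in the text; the directory is an argument so
# the check can run against a constructed directory instead of /etc/openvpn.

# Files that must be present for the server to start.
PUBLIC_FILES="ca.crt server.crt dh2048.pem"
# Files that must exist and be protected from group/other access.
SECRET_FILES="server.key ta.key"

# mode_is_owner_only FILE: succeed if the group and other permission bits are
# all clear. Reads characters 5-10 of the ls -l permission column, so it does
# not depend on GNU stat.
mode_is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_secrets DIR: print one line per finding; succeed only if every check passes.
audit_secrets() {
    dir=$1
    problems=0
    for name in $PUBLIC_FILES; do
        if [ -f "$dir/$name" ]; then
            echo "ok       $name present"
        else
            echo "MISSING  $name"
            problems=$((problems + 1))
        fi
    done
    for name in $SECRET_FILES; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            problems=$((problems + 1))
        elif mode_is_owner_only "$dir/$name"; then
            echo "ok       $name mode is owner-only"
        else
            echo "EXPOSED  $name readable by group or others: $(ls -ld "$dir/$name")"
            problems=$((problems + 1))
        fi
    done
    # The running server never reads the CA private key; the tutorial copies it
    # along with the rest, so it is reported rather than treated as an error,
    # unless it is exposed.
    if [ -f "$dir/ca.key" ]; then
        if mode_is_owner_only "$dir/ca.key"; then
            echo "note     ca.key present (the server does not need it; keep the CA key offline if you can)"
        else
            echo "EXPOSED  ca.key readable by group or others"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# make_sample_dir MODE: constructed directory containing all the expected
# files, with MODE (e.g. 600 or 644) applied to the private keys.
make_sample_dir() {
    d=$(mktemp -d)
    for name in $PUBLIC_FILES $SECRET_FILES ca.key; do
        : >"$d/$name"
    done
    chmod "$1" "$d/server.key" "$d/ta.key" "$d/ca.key"
    printf '%s\n' "$d"
}

main() {
    loose=$(make_sample_dir 644)
    tight=$(make_sample_dir 600)
    echo "== keys copied with a world-readable mode =="
    audit_secrets "$loose" || echo "audit FAILED (expected for this sample)"
    echo "== keys restricted to the owner =="
    audit_secrets "$tight" && echo "audit passed"
    rm -rf "$loose" "$tight"
}
main
```

To run it against the real directory, call `audit_secrets /etc/openvpn` as root; a `chmod 600` on the flagged files is the usual fix, and the note about ca.key is a reminder that only the machine that signs new client certificates needs the CA private key.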
Next, we need to unzip and copy the sample OpenVPN server configuration file, which we will use as the basis for the entire setup.
$gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Tweak the OpenVPN Configuration
Now that the files are where they should be, we can modify a few things in the server configuration file.
$sudo nano /etc/openvpn/server.conf
The first change is in the HMAC section. Locate the tls-auth directive and remove the leading semicolon (“;”) to uncomment the line. Then add a key-direction line below it with the value 0:
tls-auth ta.key 0 # This file is secret
key-direction 0
Next, move on to the cryptographic ciphers by looking for the commented-out cipher lines. Remove the semicolon (“;”) to uncomment the AES-128-CBC cipher, and add an auth line to select the HMAC digest used to authenticate packets:
cipher AES-128-CBC
auth SHA256
Now find the user and group settings and uncomment them as well, so that the daemon drops its privileges after starting:
user nobody
group nogroup
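Edits like these are easy to get subtly wrong (a semicolon left in place, a directive added to the wrong file). The script below is an added example, not code from the article or from the OpenVPN project: it audits a server.conf for exactly the directives the text uncomments or adds, treating a line as active only when it is not commented out with “;” or “#”. The two sample files it checks are constructed inline; one mirrors the sample configuration as shipped, the other the same lines after the edits above.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a server.conf for
# the directives the text uncomments or adds. Assumes the values used in the
# text (tls-auth ta.key 0, key-direction 0, AES-128-CBC, SHA256, nobody/nogroup).

# Directive plus expected value, one per line. A line only counts when it is
# active: a leading ';' or '#' (the sample file's comment markers) disqualifies it.
REQUIRED_DIRECTIVES='tls-auth ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
user nobody
group nogroup'

# has_directive FILE "directive value": succeed if an uncommented line
# starts with that directive and value (trailing comments are allowed).
has_directive() {
    grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" >/dev/null 2>&1
}

# audit_server_conf FILE: report each required directive; succeed only if
# every one is present and active.
audit_server_conf() {
    file=$1
    missing=0
    while IFS= read -r want; do
        [ -n "$want" ] || continue
        if has_directive "$file" "$want"; then
            echo "ok       $want"
        else
            echo "MISSING  $want"
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED_DIRECTIVES
EOF
    [ "$missing" -eq 0 ]
}

# Constructed sample: the relevant lines as they ship in the sample
# server.conf, still commented out with ';'.
write_sample_unmodified() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
port 1194
proto udp
dev tun
;tls-auth ta.key 0 # This file is secret
;cipher AES-128-CBC   # AES
;user nobody
;group nogroup
EOF
    printf '%s\n' "$f"
}

# Constructed sample: the same lines after the edits described in the text.
write_sample_hardened() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
port 1194
proto udp
dev tun
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC   # AES
auth SHA256
user nobody
group nogroup
EOF
    printf '%s\n' "$f"
}

main() {
    before=$(write_sample_unmodified)
    after=$(write_sample_hardened)
    echo "== sample as shipped =="
    audit_server_conf "$before" || echo "audit FAILED (expected: nothing has been uncommented yet)"
    echo "== sample after the edits =="
    audit_server_conf "$after" && echo "audit passed"
    rm -f "$before" "$after"
}
main
```

Against a real server, run `audit_server_conf /etc/openvpn/server.conf`. The required list is plain data, so if you choose a different cipher or digest than the article does, change REQUIRED_DIRECTIVES to match and the same check still applies.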
Tweak the Server Networking Configuration Settings
Here, we need to change a few settings so that the VPN can route traffic.
Allow IP forwarding
To give the VPN the functionality we need, the server must be allowed to forward traffic between its interfaces. To do this, we need to change the /etc/sysctl.conf file; enter the command below:
$sudo nano /etc/sysctl.conf
Inside, find the line responsible for IP forwarding and uncomment it by removing the leading #, so that it reads:
net.ipv4.ip_forward=1
Save and close when you are done.
Edit the UFW Rules to Masquerade Client Connections
Since the firewall is most likely turned on by default, you need to modify its rules so that client traffic can be forwarded and masqueraded. To do this, we first need the name of the public network interface of the machine we are using. Type:
$ip route | grep default
The interface name follows the word “dev” in the output. In our case, the result is the interface named wlp22s0:
default via 203.0.113.1 dev wlp22s0 proto static metric 600
With the interface name known, open the /etc/ufw/before.rules file to add the necessary configuration.
$sudo nano /etc/ufw/before.rules
Add the block below near the top of the file, before the *filter section. Remember to replace the “wlp22s0” value with the interface you discovered in the earlier command:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to wlp22s0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o wlp22s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
. . .
Then save and close.
You also need to tell the firewall to allow forwarded packets by default. To do this, open the /etc/default/ufw file and locate the DEFAULT_FORWARD_POLICY directive, which you should switch from DROP to ACCEPT:
$sudo nano /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
Save and close the file when done.
Open the OpenVPN Port in the Firewall
Finally, the firewall has to accept incoming traffic to OpenVPN itself. The sample server.conf we copied listens on UDP port 1194, so that port needs to be allowed; allow OpenSSH at the same time so that you do not lock yourself out when the firewall is reloaded:
$sudo ufw allow 1194/udp
$sudo ufw allow OpenSSH
Now disable and re-enable UFW so that the changed rule files are loaded.
$sudo ufw disable
$sudo ufw enable
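The networking steps above are three hand edits plus one value copied from the output of ip route, so it helps to have something that derives the rule from that output and confirms the other two files were changed. The script below is an added example, not code from the article or from the OpenVPN or ufw projects. It extracts the interface after “dev” from a constructed ip route line, emits the NAT block for before.rules, and checks sysctl.conf and /etc/default/ufw style files for the active settings. One deliberate difference from the article’s block, stated as an assumption: the rule defaults to the tunnel subnet 10.8.0.0/24 (the “server 10.8.0.0 255.255.255.0” line of the stock server.conf) rather than 10.8.0.0/8, so that only addresses the VPN actually hands out are masqueraded; pass a second argument to use a different range.

```shell
#!/bin/sh
# Added example, not part of the original article: helpers that derive and
# verify the routing and firewall settings the text edits by hand.
# Assumptions: the tunnel subnet defaults to 10.8.0.0/24 (the "server"
# directive in the stock server.conf); the article's before.rules block uses
# 10.8.0.0/8, which is wider than the tunnel and is narrowed here.

# default_iface "ROUTE_LINE": print the interface named after "dev" in a line
# from `ip route | grep default`; fail if no "dev" field is present.
default_iface() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "dev" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# nat_rule IFACE [SUBNET]: the POSTROUTING rule that masquerades VPN clients
# out of the public interface.
nat_rule() {
    subnet=${2:-10.8.0.0/24}
    printf '%s\n' "-A POSTROUTING -s $subnet -o $1 -j MASQUERADE"
}

# nat_block IFACE [SUBNET]: the complete block to paste near the top of
# /etc/ufw/before.rules, in the same layout the text shows.
nat_block() {
    cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to $1 (the interface reported by ip route)
$(nat_rule "$1" "$2")
COMMIT
# END OPENVPN RULES
EOF
}

# forward_policy FILE: print the DEFAULT_FORWARD_POLICY value from a
# /etc/default/ufw-style file (the last assignment wins, as in the shell).
forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Za-z]*\)".*/\1/p' "$1" | tail -n 1
}

# ip_forward_enabled FILE: succeed if a sysctl.conf-style file contains an
# active (uncommented) net.ipv4.ip_forward=1 line.
ip_forward_enabled() {
    grep -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1([[:space:]]|$)' "$1" >/dev/null
}

# Constructed sample files standing in for the real ones.
write_sample_sysctl() {   # $1: "enabled" or "commented"
    f=$(mktemp)
    if [ "$1" = "enabled" ]; then
        printf '%s\n' '# Uncomment the next line to enable packet forwarding for IPv4' 'net.ipv4.ip_forward=1' >"$f"
    else
        printf '%s\n' '# Uncomment the next line to enable packet forwarding for IPv4' '#net.ipv4.ip_forward=1' >"$f"
    fi
    printf '%s\n' "$f"
}

write_sample_ufw_default() {   # $1: DROP or ACCEPT
    f=$(mktemp)
    printf '%s\n' 'DEFAULT_INPUT_POLICY="DROP"' "DEFAULT_FORWARD_POLICY=\"$1\"" >"$f"
    printf '%s\n' "$f"
}

main() {
    route='default via 203.0.113.1 dev wlp22s0 proto static metric 600'   # constructed
    iface=$(default_iface "$route")
    echo "public interface: $iface"
    nat_block "$iface"
    s=$(write_sample_sysctl commented)
    u=$(write_sample_ufw_default DROP)
    ip_forward_enabled "$s" && echo "ip_forward: on" || echo "ip_forward: OFF (uncomment net.ipv4.ip_forward=1)"
    echo "forward policy: $(forward_policy "$u") (should be ACCEPT)"
    rm -f "$s" "$u"
}
main
```

On the server itself, `nat_block "$(default_iface "$(ip route | grep default)")"` prints the block to paste, and `ip_forward_enabled /etc/sysctl.conf` and `forward_policy /etc/default/ufw` confirm the two remaining edits before you reload UFW.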
Starting and enabling the OpenVPN service
Finally, we are ready to start the OpenVPN service. The systemd unit is a template, so we start it by naming the configuration file (server.conf) after the @:
$sudo systemctl start openvpn@server
To check whether the service is running properly, type:
$sudo systemctl status openvpn@server
If everything is running well, you will get something like this as output:
openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Thursday 2017-08-11 05:30:05 EDT; 47s ago
     Docs: man:openvpn(8)
           https://community.OpenVPN.net/OpenVPN/wiki/OpenVPN23ManPage
           https://community.OpenVPN.net/OpenVPN/wiki/HOWTO
  Process: 5852 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid (code=exited, sta
 Main PID: 5856 (openvpn)
    Tasks: 1 (limit: 512)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─5856 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid

August 11 05:30:05 OpenVPN2 ovpn-server: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
August 11 05:30:05 OpenVPN2 ovpn-server: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
August 11 05:30:05 OpenVPN2 ovpn-server: GID set to nogroup
August 11 05:30:05 OpenVPN2 ovpn-server: UID set to nobody
August 11 05:30:05 OpenVPN2 ovpn-server: UDPv4 link local (bound): [undef]
August 11 05:30:05 OpenVPN2 ovpn-server: UDPv4 link remote: [undef]
August 11 05:30:05 OpenVPN2 ovpn-server: MULTI: multi_init called, r=256 v=256
August 11 05:30:05 OpenVPN2 ovpn-server: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
August 11 05:30:05 OpenVPN2 ovpn-server: IFCONFIG POOL LIST
August 11 05:30:05 OpenVPN2 ovpn-server: Initialization Sequence Completed
The line “Initialization Sequence Completed” confirms the server is up, and the GID/UID lines confirm it has dropped to the nobody/nogroup account we configured. To have the service start automatically whenever the server boots, run:
$sudo systemctl enable openvpn@server
By now you should have your OpenVPN server fully set up and ready to go. Enjoy secure browsing!