Dial into your own network from anywhere to access your files and browse the Internet freely
The use of VPN is actually quite common around the world for a number of different reasons.
Companies do it to enable their employees to dial into their office network and access relevant files and software. Individuals do it to dial into their own personal network for much the same reason, as well as being able to then use their own Internet connection to access online material that may be restricted if they happen to be using a hotel’s Internet, for example.
In this tutorial, we are going to show you how to set up your own VPN server within your own network using the excellent OpenVPN software. As long as you have a system that you can keep up for 24 hours a day, this will be very useful for you. We are doing this tutorial on Ubuntu 14.04, but it will be easy to modify for most other systems too.
1. Initial setup
We’re doing this on an Ubuntu machine, but everything we do will be translatable to other systems and servers. On your soon-to-be VPN server, you need to start by installing software with:
$ sudo apt-get install openvpn easy-rsa
Once that’s done we need to get the example setup for us to work from and modify by doing:
$ sudo gunzip -c /usr/share/doc/openvpn/examples/
sample-config-files/server.conf.gz > /etc/openvpn/
server.conf
2. Edit the config file
We’re going to start editing the config file example we just made by opening it first in nano (sudo nano /etc/openvpn/server.conf). Then change the following line:
‘dh dh1024.pem’ to ‘dh dh2048.pem’
Remove the comment (;) from ;push “redirect-gateway def1 bypass-dhcp”. Uncomment the lines below:
;push “dhcp-option DNS 208.67.222.222”
;push “dhcp-option DNS 208.67.220.220”
… and finally, also uncomment the following two lines before saving and exiting:
;user nobody
3. Forward client internet
We can now edit sysctl to forward the packets from the computer that we are connecting from. We can do this by running the following command:
# echo 1 > /proc/sys/net/ipv4/ip_forward
We then need to edit the file sysctl.conf, so open it up in nano from the location /etc/sysctl.conf. Once open, we need to edit the line below:
#net.ipv4.ip_forward=1
… and remove the comment (#) so it looks like:
net.ipv4.ip_forward=1
Then save and exit.
4. An uncomplicated firewall
Uncomplicated firewall, or ufw, is installed by default in Ubuntu from 14.04 onwards and is as uncomplicated as its name suggests. We’re going to allow OpenVPN to connect to and through it using the following two commands:
# ufw allow ssh
# ufw allow 1194/udp
Once those rules have been written, open up the ufw config file with nano at /etc/default/ufw and change DROP to ACCEPT in the following line:
DEFAULT_FORWARD_POLICY=“DROP”
5. Make the rules
We need to make some new rules for the way the network address is translated and the way IP is masqueraded. To do this, we need to open up before.rules using nano at the location /etc/ufw/before.rules, and then add the following after the first paragraph:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
6. Enable the firewall
Once you’ve saved these new settings you can finally enable ufw for use. To do this in the terminal you’ll want to type:
# ufw enable
It will ask you if you really want to enable ufw, to which you can type ‘y’ to confirm. It will inherit all of the settings we’ve just modified and added, which will ultimately enable us to reroute traffic from a client system.
7. Check the firewall status
You can check the status of the firewall using ufw status at any time – it will let you know whether it’s on or not and what rules and actions are currently being taken on certain ports. It only shows what the ports are doing when on, though.
8. Install Certificate Authority
We need to be able to have a way to generate and authenticate certificates for both the server and client to enable for secure communication between the two. To do this, set up a Certificate Authority. Start by copying the RSA scripts we looked at over with:
# cp -r /usr/share/easy-rsa/ /etc/openvpn
… and then create the following directory for key storage:
/etc/openvpn/easy-rsa/keys.
/etc/openvpn/easy-rsa/keys.
9. Easy variables
We need to change the variables for RSA so we can create keys for our specific purposes and location. To do this open up the config file /etc/openvpn/easy-rsa/vars with nano and edit the following to your spec:
export KEY_COUNTRY=“UK”
export KEY_PROVINCE=“DT”
export KEY_CITY=“Bournemouth”
export KEY_ORG=“Amazing, Inc”
export KEY_EMAIL=“rob@amazing.com”
export KEY_OU=“Department of Excellence”
10. Name the server
The final part of the vars file to edit is the ‘export KEY_NAME’ line below these details. For the sake of making this tutorial easy, change it to:
export KEY_NAME=“server”
If you wish to give it a different name, you’ll have to start editing the OpenVPN config files that reference server.key and server.crt. For now then, we will refer to it as server and you can change it if and as you wish.
11. Generate parameters
We need to generate a Diffie-Hellman parameter for the key exchangce – this is a secure way of exchanging encrypted keys over a public network and essential for our server. To do this, you’ll need to type the following command into the terminal:
# openssl dhparam -out /etc/openvpn/dh2048.pem 2048
It takes a while as it calculates everything that’s needed.
12. Build Certificate Authority
We need to do a bit more prep first before we build our CA. Firstly, to make things easier use cd to move into the /etc/openvpn/easy-rsa. From here you can initialise the public key infrastructure using the command below:
# . ./vars
It will warn you that by running clean-all you will be deleting all the current keys. As they’re old and we don’t run them, we are going to do exactly that:
# ./clean-all
Finally, actually build the CA using:
# ./build-ca
13. Server keys
Now we’re going to build a security key for our VPN server. You can do this in the terminal from the same directory as before by using:
# ./build-key-server server
It will ask you again to confirm the details of the location of the server, but it will also ask you to add a password. Leave the password fields blank. You do want to sign and commit the certificate, so hit ‘y’ on those.
14. Turn OpenVPN on
We now need to move the keys to a location that OpenVPN actually expects to see them; in this case it’s /etc/openvpn. We need to do the move using:
# cp /etc/openvpn/easy-rsa/keys/{server.crt,server.
key,ca.crt} /etc/openvpn
Once that’s done, you can finally start the server ready to receive clients by using:
# service openvpn start
Use service openvpn status to check if it’s properly on or not.
15. Create a key for the client
We can now build a unique key for the client that is based partly on the name of the client itself. You can create it from the directory we are already in by using:
# ./build-key [name]
Again, don’t give it a password or optional company info, and make sure you agree to sign the certificate and commit it.
16. Prepare the client configuration
The example file that we can use on all the clients is already in the filesystem, but we need to move it to the right location for us to make the make the most of it. We’re also going to change the filetype of the example during the copy to better suit what the client will expect:
# cp /usr/share/doc/openvpn/examples/sample-
config-files/client.conf /etc/openvpn/easy-rsa/
keys/client.ovpn
17. Move files to client
Once all the keys and example files are set up, you need to move certain files to whatever client you want to use to connect to this server. This includes four specific files: the first two are client-specific and use the name that we specified earlier as follows:
/etc/openvpn/easy-rsa/keys/[name].crt
/etc/openvpn/easy-rsa/keys/[name].key
The other two files are used on every client, and they are:
/etc/openvpn/easy-rsa/keys/client.ovpn
/etc/openvpn/ca.crt
Do this with all the clients.
18. Connect remotely
Once you’ve set up a way to connect to the server from clients, you can begin testing the server out and using the full facilities of a VPN. Whether you’re doing it for business or just at home, it’s an excellent way to work or use the Internet in
an unrestricted way.
an unrestricted way.
No comments :
Post a Comment