How To Deploy OpenVPN Server

VPN is a virtual private network created over public networks. Thus, VPN is a secure tunnel (point-to-point connection), developing on the basis of a public network between a server and several computers or networks.

The main traits of VPN are user authentication and access control, coding of the data disseminated through the tunnel. No one, including your internet provider, will be able to reveal which sites you visit and what information you receive/impart.

Where VPN is used

There is no shade of a doubt about expediency of using VPN technology in the corporate sphere. First of all, it allows protecting corporate network and all sensitive information from your competitors. In the modern business environment VPN is an actual necessity because it provides:

• Secure access from a local corporate network to the Internet;
• Secure connection between local corporate networks of remote branch offices;
• Limit access to a private network;
• Secure cannel access to a local corporate network for casual workers;

Deployment of the VPN-server is popular among individuals as well. Still, it is a question, why one should surf the Internet through the coded tunnel. The reasons are quite a number:

• Security of received/imparted data, such as passwords, personal information, while using open Wi-Fi access points in public places, i.g. hotels;
• Withholding information about traffic from you provider;
• Using a static IP (server address), which may be a prerequisite for an access to some internet resources and game servers;
• Ability to visit various sites, forums, write anonymous comments (no one will be able to detect your location, as only the server IP will be shown);
• Visiting sites that are banned or prohibited in your region;
• Ability to override the lock-out of Vkontakte, YouTube and other entertainment online resources at your working place;
• Faster loading of websites (data is not only coded, but also compressed).

Types of VPN protocol

• IPSec (IP security) is widely used with IPv4.
• PPTP sets a secure point-to-point connection (a tunnel) within an exposed network. Data is transferred in a way of IP-packets (frames). The protocol has been simultaneously developed by several companies, including Microsoft.
• PPPoE is a point-to-point protocol via the Ethernet channel.
• L2TP is a protocol which is mostly used in projects of Microsoft і Cisco. It is based on PPTP technology and is particularly secure.
• OpenVPN SSL is a VPN protocol, distributed with the open license. Among its advantages are PPP support, bridge, point-to-point, multi-client server, simple and flexible settings, reliability, free software distribution.

Which is better: an individual VPN-server or a commercial service?

Nowadays there is a wide choice of commercial services that offer preconfigured VPN-servers and open proxy-services. So why should one reject that shortcut?

There are a number of reasons to deploy your own VPN-server. First of all, for the sake of security. The majority of open proxy-servers, which allow overriding the lock-out of sites and visiting online resources anonymously, do not guarantee your personal data security. Many companies fraud through tracing the flow of transferred data. Furthermore, many foreign sites have already added IPs of open servers to the blacklist, so there is no guarantee that you’ll succeed in visiting another site banned in the Russian Federation.

Secondly, for the sake of price. Indeed, there are valid service providers who offer to lease configured VPN-servers, but it often costs gradually higher than to lease a VPS-server.

OpenVPN-server installation

In this text the installation process is described for Linux Debian system. The system is particularly reliable and has minimal hardware resources demands.

Firstly, you should connect to the server with the root privileges. You should start the installation of the software on the Linux operating system family with updating packet index up to the latest version. To do this you should enter the command:

apt-get update
apt-get upgrade

During the installation operating system sends a request to a repository, downloads and installs the necessary files. The operation may take several minutes.

To install the OpenVPN and OpenSSL software on the server you should enter:

apt-get install openvpn openssl

In the process of installation a dialogue box opens, where you have to indicate, whether you want to continue. You should enter Y and press Enter .

It is advisable to create a separate folder for the generated keys, in order not to get confused and accidentally delete an important file. Another reason is a possible configuration failure in case of the server update. The next step is to enter:

mkdir /etc/openvpn/easy-rsa/

For generation of encryption keys you need special utilities. They are already preinstalled in the system’s document folder, so you only need to copy the components into a new directory:

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Pay attention! We use the OpenVPN 2.2.1-2 version, which includes an easy-rsa packet. For the OpenVPN 2.3 and higher versions you’ll have to download and install it yourself. The operation may take 2 or 3 minutes. To install the packet you should enter:
apt-get install easy-rsa
File location will be different, so to copy it you’ll need to enter:
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

To avoid entering the same data again and again during the keys installation you should edit vars document:

nano /etc/openvpn/easy-rsa/vars

At the end of the document you should edit the block:

The result should be the following:

It is advisable to enter valid data, although you may choose to enter unverified data or change nothing. After you finish, you should save the document. Then you should move to the directory with the vars file and activate the changes you’ve made:

cd /etc/openvpn/easy-rsa/
source vars

Now all the necessary preparations are done and new keys can be generated. They will be available in the subdirectory /keys. The directory is created automatically, so there is no need to go elsewhere. Still, you should clear the folder from the present keys and configuration files:

./clean-all

Then you should create a root certificate:

./build-ca

And a server key:

./build-key-server server

During the installation your system will suggest to create a password (you may leave the field empty). You should accept the certification twice (press Y and Enter ).

Next you should create a client certificate. Further you’ll need to copy it onto your computer:

./build-key user

At this stage the system will suggest to create a password once again, but you should just skip it.

Then you should create a Diffie-Hellman cryptographic key:

./build-dh

After that you should create a tls-authentication key:

openvpn --genkey --secret keys/ta.key

The generated keys should be copied into /etc/openvpn – it is that very directory which the OpenVPN-server requests:

cd keys 
cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Pay attention to the files in the folder: user.crt, user.key, ca.crt, ta.key. They will be used by the local PC, which you want to get an anonymous access to the Internet. The last file (ta.key) is used for the tls-authentication.

Configuration of OpenVPN-server

First of all, you should create a server.conf file, which should contain the basic settings for the VPN-server: the path to the files with keys, the quantity of maximum connections, etc. right out of the box there is a file with working configuration, however you should change some of the parameters before starting the OpenVPN-server.

To do that you should copy the file with the configurations to the working directory of the VPN-server:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

Then you’ll need to extract a document from an archive:

gzip -d /etc/openvpn/server.conf.gz

After, you should open the file (nano etc/openvpn/server.conf) and find the following lines:

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

Before the name of each key you should write a path like this:

ca etc/openvpn/ca.crt
cert etc/openvpn/server.crt
key etc/openvpn/server.key
dh etc/openvpn/dh1024.pem

Now you can turn on the encryption and redirect the traffic from your computer through the VPN-server.

To activate the tsl-encryption you’ll need the following lines of code:

tls-auth ta.key 0 
cipher DES-EDE3-CBC

You’ll have to delete the sign “;” before them (to uncomment), so that the lines were processed, and then add the path to the key: tls-auth /etc/openvpn/ta.key 0.

Now you only need to redirect the traffic. For that you should uncomment the following lines:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 193.183.98.154"
push "dhcp-option DNS 217.12.210.54"

The first line allows the access to the Internet. If you don’t uncomment it in the configuration file, you’ll have access only to the computer in the local network. The second and the third lines are DNS-servers. You may choose other servers.

Next step is to enter the traffic routing rule:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Now the VPN-server is installed and configured. To start it you should enter:

openvpn /etc/openvpn/server.conf

Then you should stop the daemon, so that it doesn’t distract the server’s work.

etc/init.d/openvpn stop

After that you should restart the OpenVPN.

Pay attention! On some VPS-servers the TUN network driver, essential for the work of the OpenVPN-server, might be turned off. To check this out you should enter these commands:
openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2
ifconfig –a
If the system fails with an error, you should contact your provider to launch the driver.

Configuration of Windows-client

Firstly, you should copy client keys from the server to your computer. It is convenient to use WinSCP for this sake (you can download it here: https://winscp.net/eng/download.php#download2). Start the program:

In the field “Host Name” you should enter your IP address, “User Name” is “root” by default. In the next field you should enter your password, and press “Enter”. After that you’ll see the graphical client, which looks similar to the Norton Commander. On the left there is data of the local PC, on the right – data of the server. On the server’s side you should go to /etc/openvpn/easy-rsa/keys and simply drag the files (user.crt, user.key, ca.crt, ta.key) to the similar folder on your PC.

The OpenVPN-client may be downloaded from the link.

During the installation you shouldn’t change the standard settings. After you finish, go to the folder with the software - openvpn/sample-config. There are examples of configuration files. There you’ll find the document client.ovpn, which contains configurations for the work of client. You need the following line:

remote my-server-1 1194

Here you should change «my-server-1» for the IP address of the VPN-server. Save the changes and copy the file to the main OpenVPN folder. Also, you should put here the keys (copied in advance): user.crt, user.key, ca.crt and change “user” for “client” in their names.

In addition, you should find and uncomment the following lines, without any changes:

tls-auth ta.key 1
cipher DES-EDE3-CBC

Pay attention! Parameter tls-auth ta.key ends with “1” on the client computer, but with “0” on the server.

To start connection right click on client.ovpn > Start OpenVPN.

Once connection is established, the traffic from your PC will go through the remote VPN-server.