What is a VPN?
A VPN or Virtual Private Network is a method used to add security and privacy to private and public networks, like WiFi Hotspots and the Internet. VPNs are most often used by corporations to protect sensitive data.
It lets you bypass geo-blocked sites and increases your privacy or safety online.
OpenVPN is an SSL-based VPN which uses the SSL/TLS protocol to secure the connection. OpenVPN also uses HMAC in combination with a digest (or hashing) algorithm to ensure the integrity of the packets delivered.
It can be configured to use pre-shared keys as well as X.509 certificates. These features are rare in other SSL-based VPNs.
OpenVPN is a client-based VPN. OpenVPN supports Linux, Unix, Windows, Mac OS, as well as iOS/Android devices.
It is open source software distributed under the GNU GPL. Here’s a list of advantages and disadvantages of OpenVPN.
Advantages of OpenVPN
- Highly configurable.
- Easy to deploy in restricted networks, even in NAT’ed networks.
- Security features are as strong as those of IPsec-based VPNs.
Disadvantages of OpenVPN
- Requires client-side software.
- Not highly scalable.
OpenVPN is available in many packages.
- Open source community version of OpenVPN
- Closed-source commercial offering of OpenVPN by OpenVPN Inc.
- The mobile platform versions of OpenVPN.
In this tutorial we will discuss how to easily set up an OpenVPN server and client.
The setup includes the following steps.
- Creating a Server in DigitalOcean.
- Adding SSH keys in DigitalOcean Server.
- Creating OpenVPN server.
- Configuring Client Side.
- Connecting with OpenVPN server using Linux/Windows/Android/iOS client.
- Verify connectivity.
Creating a Server in DigitalOcean.
We will set up an OpenVPN server, and for that we will first create a server.
I am going to use DigitalOcean for this tutorial; if you already have a server then you can skip this step.
Creating a server in DigitalOcean is really easy, and we can have a server in less than a minute.
For an OpenVPN server you don’t need a high-end server; a low-spec server with 256 MB RAM is more than enough for this task.
Here’s how you can create a server in DigitalOcean.
Go to the DigitalOcean web page, create an account and click Create Servlet, then follow these steps.
The steps here describe how to create a 512 MB RAM Ubuntu 16.04 64-bit server.
Click Create to create the servlet.
If you don’t know how SSH keys work or how to add them in DigitalOcean then follow these steps.
Adding SSH keys in DigitalOcean Server.
In simple terms, SSH keys are a pair of keys which allow your computer to connect to a server if the server recognizes the keys you’re using from your computer, or vice versa. SSH keys are very, very hard to crack.
Steps in using SSH keys.
- Create a Pair of Public and Private keys for SSH.
- Copy the Public key to the server you want to communicate with.
- Connect with the server using SSH keys.
First you need to create SSH keys on your server.
Log in to your server and use the ssh-keygen command to create a pair of public and private keys.
root@debyum:~# ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
9e:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:f1:35 root@debyum
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| |
| |
| S |
| ..o |
| .. .E. |
| .o.+=+ o |
| .=XOB*+ |
+-----------------+
root@debyum:~#
The flags we have used here are:
-b specifies the number of bits used for key generation, e.g. 1024, 2048, 4096.
-t specifies the type of key (algorithm) to create, e.g. rsa, dsa, ecdsa.
This command generates a pair of public and private keys which you need to store safely, especially the private key. Here we are using the default locations, which are safe enough.
Now that we have created the SSH keys, we need to copy only the public key (id_rsa.pub) and use it in DigitalOcean. Copy the public key.
Here’s how to add the public key in DigitalOcean. Click the New SSH Key.
And paste the Public key in section labeled “Public SSH Key”.
For the section labeled “Name”, enter a name for the key. Use a name similar to the name of the computer you created the key pair on.
Click Add SSH Key to add this key.
Now you can easily add this key to the server.
We have a server now, and we can create an OpenVPN server on it.
Creating OpenVPN server.
We will be configuring an OpenVPN “road warrior” server on Ubuntu Linux 16.04 LTS, which will include ufw/iptables firewall configuration.
Road warrior is a script created by Nyr on GitHub to install OpenVPN on various Linux distros.
It has been designed to be as unobtrusive and universal as possible. It includes all the steps required to set up the server, and you can edit it any way you want to customize it according to your needs.
Anyway, we will use this script to install OpenVPN, create user configs and other things.
Now log in to your newly created server with.
And run this command. It will run openvpn-install.sh on your server.
root@vpn:~# wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
Next you will see a welcome message. Enter your IP address, select a DNS to use, and enter a name for the client cert.
Press any key to continue.
Now you have created a new client config which you can use later to connect to this VPN.
If you want to add another user to the VPN then simply run this script again with
root@vpn:~# bash openvpn-install.sh
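The install command above downloads a script from a short URL and runs it as root in one step. As an added example (not part of the original tutorial or of the installer project), the same step can be split so the script is saved, compared against a SHA-256 digest you recorded after reading it, and only then executed. The function names are hypothetical and EXPECTED_SHA256 is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: save the installer, verify it, then run it.
# Function names are hypothetical; EXPECTED_SHA256 is a placeholder that you
# replace with the digest of the copy you have read and approved.

INSTALLER_URL="https://git.io/vpn"        # short URL used in this tutorial
INSTALLER_FILE="openvpn-install.sh"
EXPECTED_SHA256="REPLACE_WITH_DIGEST_OF_REVIEWED_COPY"

# Print the lowercase SHA-256 hex digest of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print tolower($1)}'
}

# Return 0 only if FILE exists and its digest equals EXPECTED (any hex case).
verify_sha256() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    actual=$(sha256_of "$file")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Download to disk, refuse to run on a mismatch, and show the digest found so
# a changed script can be reviewed and the pin updated deliberately.
fetch_verify_run() {
    wget -q "$INSTALLER_URL" -O "$INSTALLER_FILE" || {
        echo "download failed" >&2; return 1; }
    if ! verify_sha256 "$INSTALLER_FILE" "$EXPECTED_SHA256"; then
        echo "digest mismatch, not running $INSTALLER_FILE:" >&2
        echo "  got $(sha256_of "$INSTALLER_FILE")" >&2
        return 1
    fi
    bash "$INSTALLER_FILE"
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    fetch_verify_run
fi
```

The same check applies when the script is run again later to add a user: re-running the saved, already verified copy avoids fetching new code.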
We are running this procedure in the /root directory, and the contents of the /root directory are:
root@vpn:~# ls -l /root/
total 32
-rw-r--r-- 1 root root  8134 Oct  6 17:38 newuser.ovpn
-rw-r--r-- 1 root root 13189 Oct  3 19:56 openvpn-install.sh
-rw-r--r-- 1 root root  8140 Oct  6 17:37 vpnOpened.ovpn
Now copy these client certs (*.ovpn) to their respective computers or devices.
I have downloaded both the certs to my local computer.
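The directory listing above shows both client profiles with mode -rw-r--r--. As an added example (not part of the original tutorial or of the installer), the script below flags any .ovpn file that embeds a private key in a `<key>` block while being readable by group or others, notes a profile with no tls-auth or tls-crypt key, and can tighten the mode to 600 before the files are copied. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit OpenVPN client profiles before copying them off the server.
# Function names are hypothetical.

# Print the octal permission bits of FILE (GNU stat, as shipped on Ubuntu).
file_mode() { stat -c '%a' "$1"; }

# Succeed if PROFILE embeds an inline <NAME> ... </NAME> block.
has_inline_block() {
    grep -q "^<$2>" "$1" && grep -q "^</$2>" "$1"
}

# Print one finding per line for PROFILE; print nothing when it passes.
audit_profile() {
    local f=$1 mode
    mode=$(file_mode "$f") || return 2
    if has_inline_block "$f" key; then
        # An embedded private key makes the file a credential: owner-only.
        case $mode in
            [0-7]00) ;;
            *) echo "$f: inline private key, mode $mode (want 600)" ;;
        esac
    fi
    # tls-auth / tls-crypt add the HMAC check on control-channel packets.
    if ! grep -Eq '^<?tls-(auth|crypt)' "$f"; then
        echo "$f: no tls-auth or tls-crypt key configured"
    fi
}

# Set mode 600 on every profile in DIR that embeds a private key.
harden_profiles() {
    local f
    for f in "$1"/*.ovpn; do
        [ -f "$f" ] || continue
        if has_inline_block "$f" key; then chmod 600 "$f"; fi
    done
}

# Usage: ./audit-ovpn.sh /root   (audits every *.ovpn in that directory)
if [ -n "${1:-}" ]; then
    for profile in "$1"/*.ovpn; do
        [ -f "$profile" ] && audit_profile "$profile"
    done
fi
```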
To start/stop/restart the OpenVPN server on Ubuntu 16.04 LTS, use the following commands.
Type the following command to stop the OpenVPN service:
# systemctl stop openvpn@server
Type the following command to start the OpenVPN service:
# systemctl start openvpn@server
Type the following command to restart the OpenVPN service:
# systemctl restart openvpn@server
Configuring OpenVPN Client Side.
There is no GUI for OpenVPN on Linux, and you need to install the openvpn client package to configure the client side of OpenVPN.
Installing an OpenVPN client.
The easiest way to install an OpenVPN client is to use the package management system for your particular Linux distribution. Run one of the following commands (as root):
root@engy:~# apt-get install openvpn
root@engy:~# yum install openvpn
Once the openvpn package is installed, run the client with the --version argument to make sure that it is version 2.1 or later.
NOTE: OpenVPN Access Server is not compatible with any version below the 2.1 OpenVPN Community/Linux client!
root@engy:~# openvpn --version
OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Originally developed by James Yonan
...................................
...................................
Running the OpenVPN client.
Go to the location of the downloaded client config file and run:
root@engy:~# openvpn --config /home/engy/Desktop/vpnOpened.ovpn
I have downloaded the client config file to /home/engy/Desktop/vpnOpened.ovpn.
Don’t stop this process. Now your OpenVPN client config is complete.
To check whether the VPN is working, first close this process by pressing Ctrl+C and go to google.com to check your public IP address.
Now start the process again by running the same command.
root@engy:~# openvpn --config /home/engy/Desktop/vpnOpened.ovpn
Now test your public IP address again.
This means we are connected to the VPN and it is hiding our IP address. Another proof is here.
To automatically connect your Linux machine when it restarts:
$ sudo /etc/init.d/openvpn start
Now your OpenVPN server is ready and running.
That’s all on how to configure an OpenVPN server and client on Ubuntu 16.04.
I have tried to cover all the basic to advanced concepts with their examples. Still, if I have missed anything, please update us through the comment box. I will keep updating the same based on feedback received.