Create your own VPN Server on Linux?

0
572
openvpn

In this article, I’m going to guide you, step-by-step install a personal openVPN Server on Linux.A VPN, or Virtual Private Network, creates an encrypted tunnel between your computer and a remote server. It enables a communications between computers and devices across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network.

Install and Configure VPN

Server computer

First you should install epel-release to install openvpn packages.

sudo dnf install epel-release -y 
#then
sudo dnf install openvpn -y

you need to download the script for easy installation.

curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh

Then run it:

sudo ./openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.
I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: *******
It seems this server is behind NAT. What is its public IPv4 address or hostname?
We need it for the clients to connect to the server.
Public IPv4 address or hostname: ******
Checking for IPv6 connectivity...
Your host does not appear to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: n
What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 1
What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
1) UDP
2) TCP
Protocol [1-2]: 1
What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Anycast: worldwide)
12) NextDNS (Anycast: worldwide)
13) Custom
DNS [1-12]: 3
Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n
Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
Customize encryption settings? [y/n]: n
Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
view raw openvpn-install.sh hosted with ❤ by GitHub
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
read EC key
writing EC key
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-46209.5cFmTY/tmp.vkF2sV'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-46209.5cFmTY/tmp.ub3ds3
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server_kgpZLd7egXlDTp62'
Certificate is to be certified until May 2 14:33:40 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-46298.A3JrG1/tmp.JowFip
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
kernel.yama.ptrace_scope = 0
* Applying /usr/lib/sysctl.d/50-coredump.conf ...
kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
kernel.kptr_restrict = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.promote_secondaries = 1
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /usr/lib/sysctl.d/50-libkcapi-optmem_max.conf ...
net.core.optmem_max = 81920
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
kernel.pid_max = 4194304
* Applying /etc/sysctl.d/60-gce-network-security.conf ...
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
kernel.randomize_va_space = 2
kernel.panic = 10
* Applying /etc/sysctl.d/99-openvpn.conf ...
net.ipv4.ip_forward = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /etc/systemd/system/openvpn-server@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/iptables-openvpn.service → /etc/systemd/system/iptables-openvpn.service.
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: sysaix
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1
ote: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-46463.wx1uTZ/tmp.d6dIo3'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-46463.wx1uTZ/tmp.OWnISg
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'sysaix'
Certificate is to be certified until May 2 14:34:04 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Client sysaix added.
The configuration file has been written to /home/eozkan/sysaix.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
view raw gistfile1.txt hosted with ❤ by GitHub

When everything is finished,you should see a file that ends with .ovpn. This is a configuration file you will need to configure the client computer.You should download this file on your client computer.

[test@vpnserver ~]$ ls -ltr /home/test/sysaix.ovpn
-rw-r--r--. 1 root root 2766 Jan 27 14:34 /home/test/sysaix.ovpn

You can check your openvpn server with below command.

sudo systemctl status openvpn-server@server.service
Client computer

Install epel repo to install openvpn package.

sudo dnf install epel-release -y 
#then
sudo dnf install openvpn -y

I copied ovpn file on this machine and tried a test connection

sudo openvpn --config sysaix.ovpn

#You should be connected to your OpenVPN server.
ed Jan 27 18:00:09 2021 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Jan 27 18:00:09 2021 ROUTE_GATEWAY *********1/255.255.255.0 IFACE=enp1s0 HWADDR=52:55:13:3e:fe:30
Wed Jan 27 18:00:09 2021 TUN/TAP device tun0 opened
Wed Jan 27 18:00:09 2021 TUN/TAP TX queue length set to 100
Wed Jan 27 18:00:09 2021 /sbin/ip link set dev tun0 up mtu 1500
Wed Jan 27 18:00:09 2021 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Wed Jan 27 18:00:09 2021 /sbin/ip route add ********/32 via *******
Wed Jan 27 18:00:09 2021 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Wed Jan 27 18:00:09 2021 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Wed Jan 27 18:00:09 2021 Initialization Sequence Completed

As you can see, a tun0 interface is added to my Fedora system

3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::6c56:83b5:4d39:a84f/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

To test it, open your internet browser and visit any website. You can also check your public IP address and it should be your server address.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.