- Setup your droplet
- Setup OpenVPN Access Server
I’m not going to spend any time talking about why you should be using a VPN, or how a VPN works. If you’re here, you know that already. If you need a refresher on the different types of VPNs, see below.
This tutorial is going to be about setting up your own OpenVPN server, using OpenVPN Access Server. OpenVPN-AS is a dead-simple way to set up OpenVPN, without editing config files via terminal or troubleshooting different settings. OpenVPN Access Server consists of three major components, wrapped into one:
- OpenVPN Server
- Web interface (both admin and client)
- OpenVPN Connect client
OpenVPN-AS allows you to install an OpenVPN server and admin/client web interface onto any server. The admin web interface will give you access to configure OpenVPN settings via a GUI. The client web interface will allow users to download client applications, and pre-configured client profiles, directly from your OpenVPN-AS server.
For this tutorial, I’m going to be using DigitalOcean to set up a server, but you could very easily set this up in your own home behind your router (don’t forget to forward ports).
Setup your droplet
In the DigitalOcean Control Panel:
- Click Create Droplet
- Name your droplet (e.g., webserver1, openvpn1, etc…)
- Select a size* (I recommend 512MB RAM with 1 CPU and size-up if needed)
- Select a region**
- Select any necessary options
- Select an image***
- Skip SSH keys for now, as we’ll set these up later.
- Click Create Droplet and wait 55 seconds! In a minute, you’ll have an email with your droplet’s IPv4 address and root password.
*When selecting a droplet, keep in mind the amount of transfer allowed. If you go over your limit on the VPN, you’ll need to pay more or wait until the next month.
**To improve load times, select a region closest to you.
***I chose Ubuntu 14.04 x64. Ubuntu LTS releases are supported for 5 years, as opposed to 1.5 years for regular releases.
Create SSH keys
Do this on each machine you’ll be using to access your droplet. Once we set up SSH authentication, we won’t be able to log in from a machine without an SSH key (other than the console in the Control Panel). Change the comment as necessary.
ssh-keygen -b 4096 -t rsa -C "Logan on Arch"
Then, cat out the newly created public key for use in the next step.
Note – In this scenario, I’m creating multiple public/private key pairs. However, you could copy your private key onto a flash drive and use that on multiple machines, instead of having a different key pair for each machine.
Create admin user
Start by logging into your droplet using the information that was emailed to you.
When you login, you’ll be prompted to change the root password. You should use one of the many available password generators to create a secure password. Chances are, you won’t be logging into the root account very often, so this should be long and complex. Later on, we’re going to disable root SSH access, so you’ll only ever be able to su - to root after you’re already logged in as a standard user.
Speaking of that, it is recommended to create a user other than root to perform most tasks. This user will have sudo access if they need temporary root privileges. Change the username as necessary and set a password for the user.
useradd -m -G sudo,adm -s /bin/bash testuser
passwd testuser
This password will also need to be complex, but you’re going to be using it often.
Setup SSH authentication
Now, su - from root to your new account, create the .ssh directory, then paste in your public key(s). Obviously, substitute your own public key(s).
su - testuser
mkdir ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
cat >> ~/.ssh/authorized_keys << EOF
ssh-rsa <paste your public key here> Logan on Arch
EOF
When you are done, exit back to root.
Now, we’re going to disable root login via SSH, change the SSH port, and turn off password authentication by editing the /etc/ssh/sshd_config file. Substitute 1234 with your desired port.
sed -i "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
sed -i "s/Port 22/Port 1234/g" /etc/ssh/sshd_config
sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
service ssh restart
exit
Now, log in as the new user on the new port. You should not be prompted for your password here, since you have SSH key authentication set up for the user named testuser.
ssh testuser@<your droplet's IPv4 address> -p 1234
If you need root access, you can su - to root, or use sudo.
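The sed one-liners above only match lines that look exactly like Ubuntu's defaults ("PermitRootLogin yes", "Port 22", "#PasswordAuthentication yes"); on a sshd_config that has been edited before, they silently change nothing and you restart sshd believing it is hardened. The following is an added example (my own script, not part of the original post) that sets each directive whether it is absent, commented out, or set to some other value, verifies the result, and lets sshd validate the file before restarting. The function and file names are my own; the only real paths are /etc/ssh/sshd_config and the sshd -t check.

```shell
#!/bin/sh
# Added example: idempotent sshd_config hardening with a verification step.
# Directive names in sshd_config are case-insensitive; this script assumes
# the canonical spelling used in Ubuntu's default file.

# set_sshd_option FILE KEY VALUE
# Replace every existing KEY line (commented or not) with "KEY VALUE",
# or append the line if KEY does not occur at all. Note that a KEY inside
# a "Match" block would be rewritten too; the default file has none.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE PORT
# Disable root login and password authentication, move sshd to PORT.
harden_sshd_config() {
    file=$1; port=$2
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" Port "$port"
}

# sshd_option FILE KEY
# Print the effective value of KEY: the first uncommented occurrence wins,
# which is also how sshd itself reads the file.
sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# verify_hardening FILE PORT -> 0 if all three settings are in effect, 1 otherwise
verify_hardening() {
    file=$1; port=$2
    [ "$(sshd_option "$file" PermitRootLogin)" = no ] || return 1
    [ "$(sshd_option "$file" PasswordAuthentication)" = no ] || return 1
    [ "$(sshd_option "$file" Port)" = "$port" ] || return 1
    return 0
}

# apply_to_live_sshd PORT (run as root)
# Back up the real file, edit it, let sshd check the syntax, and only then
# restart. Keep your current session open and test a fresh login on the new
# port before closing it, so a mistake cannot lock you out.
apply_to_live_sshd() {
    port=$1
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd_config /etc/ssh/sshd_config "$port"
    if sshd -t && verify_hardening /etc/ssh/sshd_config "$port"; then
        service ssh restart
    else
        echo "new sshd_config rejected, restoring backup" >&2
        mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
        return 1
    fi
}

# Stand-alone demo on a constructed temporary file, so nothing on the host changes.
demo=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\n#PasswordAuthentication yes\n' > "$demo"
harden_sshd_config "$demo" 1234
if verify_hardening "$demo" 1234; then
    echo "demo: hardened ->"; cat "$demo"
else
    echo "demo: hardening failed" >&2
fi
rm -f "$demo"
```

To use it on the droplet, source the file as root and call apply_to_live_sshd 1234 (or your chosen port) instead of the three sed commands; the verification step reads the file the same way sshd does, so a directive that was left commented out is reported as not in effect.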
Update Ubuntu Server
For security purposes, you should install any updates right away.
sudo apt-get update && sudo apt-get upgrade
To update the kernel, use the command below. You’ll need to then follow the instructions here to select a new kernel in the DigitalOcean Control Panel.
sudo apt-get update && sudo apt-get dist-upgrade
I’m also installing a few tools that I use often.
sudo apt-get update && sudo apt-get install htop ntp rsync ufw unzip
First, select the correct timezone.
sudo dpkg-reconfigure tzdata
Then, manually sync the time (only once) and start the NTP service.
sudo ntpdate pool.ntp.org
sudo service ntp start
Check the status of UFW.
sudo ufw status verbose
Set the default state of UFW to deny incoming and allow outgoing.
sudo ufw default deny incoming
sudo ufw default allow outgoing
Edit the /etc/ufw/applications.d/openssh-server file to change the SSH port from 22 to 1234 (or whatever port you used). Otherwise, you’ll lock yourself out of SSH.
sudo sed -i "s/ports=22\/tcp/ports=1234\/tcp/g" /etc/ufw/applications.d/openssh-server
We also need to create a UFW application entry for OpenVPN-AS.
sudo sh -c "cat > /etc/ufw/applications.d/openvpn << EOF
[OpenVPN]
title=OpenVPN
description=OpenVPN
ports=443/tcp|1194/udp
EOF"
List all of the current apps that have UFW rules.
sudo ufw app list
Enable OpenSSH, OpenVPN, and NTP access.
sudo ufw allow OpenSSH
sudo ufw allow OpenVPN
sudo ufw allow ntp
Finally, turn on UFW.
sudo ufw enable
Then, check the status again.
sudo ufw status verbose
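The lock-out warned about earlier happens when the port in /etc/ssh/sshd_config and the ports= line in the UFW OpenSSH profile drift apart, and the ufw status output does not compare them for you. The following is an added example (my own script, not from the original post) that reads both files and refuses to report success unless the UFW profile actually covers the port sshd listens on; it also understands profiles that list several entries or a port range, which goes beyond the single 1234/tcp case in the text. Function names are mine; the file contents in the demo are constructed to resemble Ubuntu's defaults.

```shell
#!/bin/sh
# Added example: check that UFW's OpenSSH application profile allows the
# port sshd is configured to listen on, before running "ufw enable".

# sshd_listen_port SSHD_CONFIG -> prints the first uncommented Port, default 22
sshd_listen_port() {
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# ufw_profile_ports UFW_PROFILE -> prints the value of the ports= line, e.g. 1234/tcp
ufw_profile_ports() {
    sed -n 's/^ports=//p' "$1" | head -n 1
}

# ssh_port_allowed SSHD_CONFIG UFW_PROFILE
# Returns 0 if some tcp entry of the profile covers sshd's port.
# Entries are separated by '|' and look like PORT/PROTO or LOW:HIGH/PROTO.
ssh_port_allowed() {
    port=$(sshd_listen_port "$1")
    ports=$(ufw_profile_ports "$2")
    old_ifs=$IFS; IFS='|'
    set -- $ports
    IFS=$old_ifs
    for entry in "$@"; do
        proto=${entry##*/}
        spec=${entry%/*}
        if [ "$proto" != tcp ]; then continue; fi
        case $spec in
            *:*)
                low=${spec%%:*}; high=${spec##*:}
                if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then return 0; fi ;;
            *)
                if [ "$spec" = "$port" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# report SSHD_CONFIG UFW_PROFILE -> human-readable verdict, same exit status
report() {
    if ssh_port_allowed "$1" "$2"; then
        echo "OK: UFW profile ($(ufw_profile_ports "$2")) covers sshd port $(sshd_listen_port "$1")"
    else
        echo "MISMATCH: sshd listens on $(sshd_listen_port "$1") but UFW allows only '$(ufw_profile_ports "$2")'" >&2
        return 1
    fi
}

# Stand-alone demo on constructed temporary files. On the droplet, run instead:
#   report /etc/ssh/sshd_config /etc/ufw/applications.d/openssh-server
sshd_tmp=$(mktemp); ufw_tmp=$(mktemp)
printf 'Port 1234\nPermitRootLogin no\n' > "$sshd_tmp"
printf '[OpenSSH]\ntitle=Secure shell server\ndescription=OpenSSH\nports=22/tcp\n' > "$ufw_tmp"
report "$sshd_tmp" "$ufw_tmp" || true        # expected: MISMATCH, the profile still says 22
rm -f "$sshd_tmp" "$ufw_tmp"
```

Run the report before ufw enable and again after any later change to either file; a non-zero exit status is the signal to fix the profile (and run sudo ufw app update OpenSSH) before the firewall goes live.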
Create a swapfile to help RAM usage. The swapfile should be equal to, or double the size of, your RAM. Here, I’m setting the swappiness to 15.
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo chown root:root /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'
sudo sysctl -w vm.swappiness=15
sudo sh -c 'echo "vm.swappiness = 15" >> /etc/sysctl.conf'
sudo reboot
Setup OpenVPN Access Server
cd ~
sudo wget http://swupdate.openvpn.org/as/openvpn-as-2.0.20-Ubuntu14.amd_64.deb
sudo dpkg -i openvpn-as-2.0.20-Ubuntu14.amd_64.deb
sudo rm openvpn-as-2.0.20-Ubuntu14.amd_64.deb
When the setup is completed, you should make note of the two addresses provided.
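The download above is fetched over plain HTTP and handed straight to dpkg, which installs it as root, so nothing checks that the bytes you received are the ones the vendor shipped. The following is an added example (my own helper, not from the original post or from OpenVPN) that computes the package's SHA-256 and refuses to install unless it matches a checksum you obtained through a trusted channel; the post gives no checksum, so EXPECTED_SHA256 is a placeholder you must fill in yourself, and the function names are mine.

```shell
#!/bin/sh
# Added example: verify a downloaded .deb against a known SHA-256 before dpkg -i.

PKG="openvpn-as-2.0.20-Ubuntu14.amd_64.deb"
PKG_URL="http://swupdate.openvpn.org/as/$PKG"
# Placeholder, not a real value: replace with the SHA-256 you obtained for this exact file.
EXPECTED_SHA256="<paste the trusted SHA-256 for $PKG here>"

# sha256_of FILE -> prints the lowercase hex digest (coreutils, with a shasum fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> 0 if FILE's digest equals EXPECTED (hex case ignored)
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# install_verified URL FILE EXPECTED
# Download, verify, then install; on mismatch delete the file and refuse to install,
# so a corrupted or substituted package never reaches dpkg.
install_verified() {
    url=$1; file=$2; expected=$3
    wget -O "$file" "$url" || return 1
    if verify_sha256 "$file" "$expected"; then
        sudo dpkg -i "$file" && rm -f "$file"
    else
        echo "checksum mismatch for $file: got $(sha256_of "$file"), expected $expected" >&2
        rm -f "$file"
        return 1
    fi
}

# Self-check on a constructed file (the digest below is SHA-256 of the text "hello\n"),
# so the helper can be exercised without touching the network.
demo=$(mktemp); printf 'hello\n' > "$demo"
if verify_sha256 "$demo" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
    echo "self-check passed"
else
    echo "self-check failed" >&2
fi
rm -f "$demo"

# On the droplet, after filling in EXPECTED_SHA256:
#   install_verified "$PKG_URL" "$PKG" "$EXPECTED_SHA256"
```

With the placeholder left in place the install function always refuses, which is the safe default; the checksum comparison is the only thing standing between an unauthenticated HTTP download and a root-level package install.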
Change default password
By default, the OpenVPN-AS package creates an admin user called openvpn. We need to start by changing the password for this user.
sudo passwd openvpn
Create VPN users
You’ll want to create a different VPN user, since openvpn is the admin user. This new user won’t ever SSH to your server, but will need to exist to use OpenVPN-AS.
sudo useradd vpntest
sudo passwd vpntest
Configure OpenVPN server
Use the admin address to log in to the console. You’ll receive a warning that the connection is not secure. That’s OK, since OpenVPN-AS created a self-signed certificate upon setup.
Once you’re logged in, accept the terms of the license to be greeted by the admin web interface.
Feel free to change any settings in here (e.g., users, ports, IPs, etc…). However, remember that you’ll need to issue new configs to your clients every time you change a setting in the admin web interface.
Configure OpenVPN client
OpenVPN-AS makes client connections dead-simple. Visit the client address from a client device (e.g., laptop, phone, etc.) and log in with the client username/password. Depending on the type of device you’re using (e.g., Windows, Mac, Linux, Android, iOS), you’ll have the option to download an OpenVPN client and profile directly from your OpenVPN-AS server.
Start by logging into the client web interface on your Android phone.
When prompted, download the OpenVPN Connect for Android app.
Once completed, download the profile for yourself (user-locked profile).
Once completed, tap on the profile to import it into the OpenVPN Connect app.
Sign in with your username/password and tap Connect to establish a connection.
Verify your connection on the next screen.
Linux setup is easier than Android. Start by installing the OpenVPN package for your distribution.
sudo pacman -S openvpn
Next, login to the client web interface in your browser to download the profile for yourself (user-locked profile).
Finally, start OpenVPN with your config, as shown below.
sudo openvpn --config client.ovpn
Did you setup your server differently? If so, let me know!