VPN tutorial – access your network anywhere

Work around insecure and restrictive internet access with your own virtual private network

You can add the VPN server to an existing Linux setup

This tutorial will show you how to add a VPN server to your existing Linux setup. This means that you can connect, securely, to a computer that you trust by using a technique called ‘tunnelling’. Using this connection, you can securely access the internet from your ‘remote’ computer, bypassing any filtering that is part of the policy of the Wi-Fi provider. You can access anything that your properly set up computer in your home or your office can access. The connection is a secure, encrypted one. This is significant, because in theory it is possible to eavesdrop on the communications that are carried out using a public Wi-Fi hotspot.

In addition, you can use a VPN (virtual private network) connection to access resources on your network, because effectively you are on that network. So you need never curse yourself for forgetting to bring that important file with you again.

Once the server is set up, you can connect to it using a variety of clients. On a Linux machine, you will typically use the same service as the server with a slightly different configuration file. Microsoft Windows computers and Android devices such as smartphones and tablets have official and third-party OpenVPN clients available for them.

Step by step

Step 01 Install OpenVPN on the server

Install OpenVPN using the package manager: type yum install openvpn on Red Hat or apt-get install openvpn on Debian (both as root). In addition, install easy-rsa, a collection of scripts that aid in the creation of the certificates and keys that we need.

Step 02 Copy easy-rsa scripts

We can’t run easy-rsa from where it is installed because we need to alter it. Find the installation directory with find /usr -name easy-rsa. Copy the directory to your current directory with (for example) cp -r /usr/share/easy-rsa/ . and move into it with the cd command.

Step 03 Edit the vars file

Open the file vars in a text editor. The official OpenVPN documentation recommends that you edit at least the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL fields. Set KEY_CN to ‘server’. Close and save the file.

Step 04 Build server certificates and keys

Type source ./vars followed by ./clean-all and then ./build-ca. Fill in the questions when prompted – you should be able to hit Return to accept the defaults in most cases. Build the certificates and keys for the server with the command ./build-key-server server. Answer questions as before and accept server as the Common Name. Don’t specify the challenge password or optional company name when asked. Answer y when asked about signing the certificate and when asked to commit. Diffie-Hellman parameters are an element in the encryption scheme that OpenVPN employs. Type ./build-dh to create the parameter file.

Step 05 Copy the server keys

Enter the keys directory with the cd command, and type ls keys to examine the key files that we have created. Use cp * /etc/openvpn/ (as root) to copy all of the keys to where OpenVPN can see them. Then do chmod 400 /etc/openvpn/{server.key,server.crt,ca.crt,ta.key}.

Step 06 Generate three client keys

Use the command ./build-key client1 to generate the first of the client keys. When prompted, accept client1 as the common name. Each key must have a unique common name. Now repeat the procedure for two more client keys. As before, agree to sign the certificate and commit.
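The chmod 400 in Step 05 is the one point where the private key material is protected, and it is easy to get wrong when files are copied around later (Step 11 copies them to a client by hand). The following helper is an added example, not part of the tutorial: it takes a directory and a list of files and reports any that are missing or that have any group or "other" permission bit set. The function name and the dummy files it creates for its demonstration are mine; on the real server you would point it at /etc/openvpn.

```shell
#!/bin/sh
# Added helper, not from the tutorial: check that the key material copied in
# Step 05 is readable by its owner only, i.e. the group and "other" permission
# columns are all blank. Uses ls -l and cut so it works with any POSIX ls.

# check_private_key_perms DIR FILE...
# Prints one line per problem and returns non-zero if any file is missing or
# readable by group/other; returns 0 when every file passes.
check_private_key_perms() {
    dir=$1
    shift
    status=0
    for f in "$@"; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        # Columns 5-10 of "ls -ld" output are the group and other rwx bits.
        others=$(ls -ld "$path" | cut -c5-10)
        if [ "$others" != "------" ]; then
            echo "TOO OPEN $path (group/other bits: $others)"
            status=1
        fi
    done
    return $status
}

# Demonstration on constructed dummy files in a temporary directory. On the
# real server you would call it with the files named in Step 05:
#   check_private_key_perms /etc/openvpn server.key server.crt ca.crt ta.key
demo_dir=$(mktemp -d)
printf 'dummy\n' > "$demo_dir/server.key"
chmod 400 "$demo_dir/server.key"     # as the tutorial's chmod 400 leaves it
printf 'dummy\n' > "$demo_dir/server.crt"
chmod 644 "$demo_dir/server.crt"     # deliberately world-readable for the demo

check_private_key_perms "$demo_dir" server.key     # passes silently
check_private_key_perms "$demo_dir" server.crt     # reports TOO OPEN
```

The check deliberately treats 600 as acceptable as well as 400: the point is that nobody other than the owner can read the key, not the exact mode. Ownership is not checked, because the tutorial runs everything as root and the files are copied as root.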

Step 07 Begin server configuration

The server and each client use a configuration file located in the /etc/openvpn folder. On the server, when the OpenVPN service starts, it scans that directory and launches a service instance for every valid configuration file it finds. Start by shutting down the OpenVPN service by typing service openvpn stop (as root).

Step 08 Locate the example configuration

Use find /usr -name server.conf* to locate the example server configuration file. Use cut and paste within the terminal to copy it to the current directory with the cp [name of file] . command sequence. If it has a .gz extension, it’s compressed. If so, decompress with gunzip [name of file].

Step 09 Edit server configuration

Open server.conf in a text editor and give it a quick examination to get an idea of what you can change, but we’ll leave most of it as it is. For now, just add /etc/openvpn/ to the start of the key filenames.

Step 10 Start the server

For now, we’ll start the server manually so that we can see the text output and check for errors. Type openvpn server.conf (as root). If everything is working okay, the final message should be ‘Initialization Sequence Completed’.

Step 11 Configure the client

Move to another Linux machine on your LAN (the client). Install OpenVPN using the package management system. Now run find /usr -name client.conf to find the example client configuration file and copy it to the current directory. Copy the files client1.key, ca.crt and client1.crt to /etc/openvpn/ on the client machine. How you do this is up to you, but bear security in mind as anyone who has these files can, potentially, use them to access your server. A memory stick (delete them afterwards) or a trusted network such as your LAN should be fine.

Step 12 Edit the client configuration

Open client.conf in a text editor. Change remote to the IP address of the server. For now, use the IP address of the server on your LAN (run ifconfig on it). Later, we’ll change this to the external IP address so that it can be accessed from the internet. Change the CA certificate (ca) to ca.crt, the user certificate (cert) to client1.crt and the private key (key) to client1.key, each with /etc/openvpn/ at the beginning of the name. Each client needs a copy of the CA and unique versions of the other two files.
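Steps 09 and 12 both amount to the same edit: point the ca, cert and key directives (and dh on the server) at absolute paths under /etc/openvpn/, and on the client set remote. When you have three client configurations to prepare, a script is less error-prone than a text editor. The block below is an added example, not from the tutorial: the function names, the constructed stand-ins for the example server.conf and client.conf, and the sample server address 192.168.1.10 are mine. It uses sed -i.bak, which leaves a .bak copy of each file it changes.

```shell
#!/bin/sh
# Added helper, not from the tutorial: edits an OpenVPN configuration with sed
# instead of a text editor, so the same change can be applied to several
# client files. Function names and the constructed sample configs are mine.

# get_directive CONF NAME   -> prints the argument(s) of the active NAME line
get_directive() {
    sed -n -E "s|^$2 +(.*)\$|\1|p" "$1"
}

# set_directive CONF NAME VALUE...  -> replaces the active NAME line in place
set_directive() {
    conf=$1; name=$2; shift 2
    sed -i.bak -E "s|^$name( .*)?\$|$name $*|" "$conf"
}

# prefix_path CONF NAME DIR -> turns "NAME file" into "NAME DIR/file", leaving
# lines that already carry a path (contain a slash) untouched
prefix_path() {
    sed -i.bak -E "s|^($2) ([^/ ]+)|\1 $3/\2|" "$1"
}

# Step 09: point the server's ca/cert/key/dh directives into /etc/openvpn/
configure_server() {
    for name in ca cert key dh; do
        prefix_path "$1" "$name" "${2:-/etc/openvpn}"
    done
}

# Step 12: configure_client CONF SERVER_ADDR CLIENT_NAME [DIR]
configure_client() {
    conf=$1; server=$2; client=$3; dir=${4:-/etc/openvpn}
    set_directive "$conf" remote "$server" 1194     # UDP 1194 is OpenVPN's default port
    set_directive "$conf" ca   "$dir/ca.crt"        # shared CA certificate
    set_directive "$conf" cert "$dir/$client.crt"   # this client's certificate
    set_directive "$conf" key  "$dir/$client.key"   # this client's private key
}

# Constructed stand-ins for the example configs found in Steps 08 and 11.
demo_dir=$(mktemp -d)
cat > "$demo_dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
EOF
cat > "$demo_dir/client.conf" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
ca ca.crt
cert client.crt
key client.key
;tls-auth ta.key 1
EOF

configure_server "$demo_dir/server.conf"
configure_client "$demo_dir/client.conf" 192.168.1.10 client1
configure_server "$demo_dir/server.conf"   # second run changes nothing: paths are already absolute
```

prefix_path only matches a bare filename, so running configure_server twice does not produce /etc/openvpn//etc/openvpn/...; the commented-out ;tls-auth line in the client file is left alone because the patterns anchor on an active directive at the start of the line. For the second and third clients, call configure_client again with client2 and client3.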

Step 13 Test the client

Type openvpn client.conf (as root) to start the client. Type ifconfig to confirm the creation of the tun0 device. If you can ping the server from the client by typing ping 10.8.0.1, you have now established a tunnelled, encrypted connection between the client and the server.

Step 14 Enable packet forwarding

As it stands, we can connect to the server, via the tunnel, but we can’t yet access the internet. Start by editing /etc/sysctl.conf and uncomment the line net.ipv4.ip_forward=1 to enable packet forwarding. Now restart the server machine.

Step 15 Forward traffic with iptables

On the server, type iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE (as root) to enable forwarding of traffic from the tunnel to the internet-connected interface (eth0). Install the dnsmasq package on your system. Add the line interface=tun0 to /etc/dnsmasq.conf. Restart dnsmasq by typing service dnsmasq restart.

Step 16 Set up routing for the client

Add the lines push "redirect-gateway def1" and push "dhcp-option DNS 10.8.0.1" to server.conf. This causes the clients to execute the appropriate route commands to direct all network traffic via the VPN. You may have to manually add the DNS server to the client: add the line nameserver 10.8.0.1 to /etc/resolvconf/resolv.conf.d/head and type resolvconf -u (all as root). You should now be able to ping and browse to sites on the internet from the client.

Step 17 Make the setup permanent

On the server, copy server.conf to /etc/openvpn/. We now control the OpenVPN server with service openvpn [command]. ‘Command’ can be start, stop or restart, and the check command makes the service start on boot. Add the iptables command we used to the end of /etc/rc.local.

Step 18 Connecting from the outside

Set up your router to forward UDP port 1194 to the IP address of your server. How you do this depends on the model of your router (see portforward.com for a comprehensive database of router models). Update the remote field in your client.conf files to point to the external IP address of your network (use www.whatismyip.com to find it). Consider using a dynamic IP service such as No-IP (www.noip.com) so that you don’t have to update the clients every time the address on your router changes.

Step 19 Connecting from an Android device

Most Android phones and tablets don’t include built-in OpenVPN support. Search for an OpenVPN client on Google Play. Your choice of client may depend on compatibility with your device, and some applications require a rooted device. Copy the key files to your SD card and use the setup page of the client.

Step 20 Connecting from a Windows client

The OpenVPN website (openvpn.net) has a client that runs on Windows. Copy the three client files to the machine, then install the client and follow the on-screen prompts. The Windows client can make use of the push directives that we added to server.conf, so we don’t need to set up DNS manually.
