Installing a VPN Server


A self-hosted VPN is a simple and secure way to access your home or small business network. For small businesses, it is a great way to let employees work remotely. For the rest of us, it is also a great way to secure your Internet connection when using unsecured WiFi.

For a self-hosted VPN, OpenVPN is one of the best and best-known solutions. It's free, and both desktop and mobile clients are available.

With docker-compose you can make an easy and clean installation of OpenVPN, which can be easily upgraded or cleaned up without affecting the host system or anything else installed on it.

OutlineVPN is another solution that is easy to install and set up, and it has emerged recently.

1 Make sure that docker and docker-compose are installed

Install docker:

apt update
apt install \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common

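# add Docker's signing key first, so that the repository can be verified
key_url=https://download.docker.com/linux/ubuntu/gpg
curl -fsSL "$key_url" | apt-key add -

# then add the repository itself
docker_repo=https://download.docker.com/linux/ubuntu
add-apt-repository \
    "deb [arch=amd64] $docker_repo bionic stable"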

apt update
apt-cache policy docker-ce
apt install docker-ce

systemctl status docker
docker --version

Install docker-compose:

github_url="https://github.com/docker/compose"
release="$github_url/releases/download/1.25.4"
curl -L "$release/docker-compose-$(uname -s)-$(uname -m)" \
     -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version

2 Set up the docker-compose configuration

Make a directory for openvpn:

mkdir -p /srv/openvpn
cd /srv/openvpn

Create `docker-compose.yml` like this:

cat << EOF > docker-compose.yml
version: '2'
services:
  openvpn:
    cap_add:
     - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn
    ports:
     - "1194:1194/udp"
    restart: always
    volumes:
     - ./config:/etc/openvpn
EOF

cat docker-compose.yml

Also make sure that port 1194/udp is open in the firewall, for example with: ufw allow 1194/udp.

3 Initialize and start the server

Initialize the configuration files:

docker-compose run --rm openvpn \
    ovpn_genconfig -u udp://ovpn.example.org
ls config/

Instead of the FQDN of the server we could also use its IP.

Initialize the PKI:

docker-compose run --rm openvpn \
    ovpn_initpki

You will be asked for the CA key passphrase.

Start the server:

docker-compose up -d openvpn
docker-compose logs
docker-compose ps

4 Create OpenVPN clients

Generate client certificates:

docker-compose run --rm openvpn \
    easyrsa build-client-full client1 nopass

Omit the option nopass if you want the client's private key to be protected by a passphrase:

docker-compose run --rm openvpn \
    easyrsa build-client-full client2

Retrieve the client configurations (with embedded certificates):

docker-compose run --rm openvpn \
    ovpn_getclient client1 > client1.ovpn

docker-compose run --rm openvpn \
    ovpn_getclient client2 > client2.ovpn

less client1.ovpn

Note: To revoke a client certificate do:

docker-compose run --rm openvpn \
    ovpn_revokeclient client1

# remove also crt, key and req files with option 'remove'
docker-compose run --rm openvpn \
    ovpn_revokeclient client2 remove

5 Sharing client configuration files

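How to send the configuration files (like client1.ovpn and client2.ovpn) to the clients depends on the case. An easy way of sharing them is an HTTP server, as shown here. Each file embeds the client's private key, so remove it from the web root as soon as the client has downloaded it: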

# install apache2 on the server and enable its HTTPS site
apt install apache2
a2enmod ssl
a2ensite default-ssl
systemctl restart apache2
cp *.ovpn /var/www/html/

# get configuration file from the client
wget --no-check-certificate \
     https://ovpn.example.org/client1.ovpn
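
The profiles from step 4 carry the client's private key inline, and client1 was built with nopass, so before copying profiles into a shared location as in step 5 it helps to know which ones are usable by anyone who obtains the file. The following is an added example, not part of the original tutorial or of the kylemanna/openvpn image; the function names are made up for illustration, the sample profiles are constructed with placeholder key bodies, and it assumes the key sits between `<key>` and `</key>` with a standard PEM header.

```shell
#!/bin/sh
# Added example: flag OpenVPN client profiles whose inline key has no passphrase.

# Print "encrypted", "unencrypted" or "none" for the <key> block of file $1.
ovpn_key_state() {
    awk '
        /^<key>/   { inkey = 1; next }
        /^<\/key>/ { inkey = 0 }
        inkey && /-----BEGIN .*PRIVATE KEY-----/ {      # PKCS#8 or legacy header
            state = ($0 ~ /ENCRYPTED/) ? "encrypted" : "unencrypted"
        }
        inkey && /^Proc-Type: 4,ENCRYPTED/ { state = "encrypted" }  # legacy PEM
        END { print (state == "" ? "none" : state) }
    ' "$1"
}

# Print every *.ovpn in directory $1 that carries an unencrypted private key.
audit_ovpn_dir() {
    for f in "$1"/*.ovpn; do
        [ -e "$f" ] || continue
        if [ "$(ovpn_key_state "$f")" = unencrypted ]; then
            echo "$f"
        fi
    done
    return 0
}

# Write two constructed profiles (placeholder key bodies, not real keys) into $1.
# Assumed layout: the key sits inline between <key> and </key>.
make_sample_profiles() {
    printf '%s\n' 'client' 'remote ovpn.example.org 1194 udp' '<key>' \
        '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END PRIVATE KEY-----' '</key>' > "$1/client1.ovpn"
    printf '%s\n' 'client' 'remote ovpn.example.org 1194 udp' '<key>' \
        '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END ENCRYPTED PRIVATE KEY-----' '</key>' > "$1/client2.ovpn"
}

demo=$(mktemp -d)
make_sample_profiles "$demo"
audit_ovpn_dir "$demo"      # lists only the nopass profile, client1.ovpn
rm -rf "$demo"
```

Pointing audit_ovpn_dir at /var/www/html or /srv/openvpn shows which real profiles would give full VPN access to whoever downloads them.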

6 Configuration of the OpenVPN client

First of all make sure that the package openvpn is installed on the client:

apt install openvpn

Then make sure that the openvpn service is running too:

systemctl enable openvpn
systemctl start openvpn
systemctl status openvpn

Finally move the configuration file to /etc/openvpn/, with a .conf extension:

mv client1.ovpn /etc/openvpn/client1.conf

Check the public IP by going to google.com and searching for what is my ip. Or check it with one of these commands:

curl ifconfig.co
curl icanhazip.com
wget -qO - icanhazip.com

First stop the openvpn service (with systemctl stop openvpn) and check the public IP, then start it again (with systemctl start openvpn) and check again the public IP.

There are also GUI tools that can import an OpenVPN configuration file.

7 Installing OutlineVPN

OutlineVPN is another solution that is easy to install and set up. It can be installed with a couple of commands, like this:

github_url="https://raw.githubusercontent.com"
base="$github_url/Jigsaw-Code/outline-server/master/src"
script="$base/server_manager/install_scripts/install_server.sh"
wget "$script"
bash install_server.sh

For more instructions or details see: https://blog.ssdnodes.com/blog/outline-vpn-tutorial-vps/

Date: 2020-02-14

Author: Dashamir Hoxha

Created: 2020-02-14 Fri 11:13
