Installing a VPN Server
A self-hosted VPN is a simple and secure way to access your home or small business network. For small businesses, this is a great way to set up a VPN connection that lets your employees work remotely. For the rest of us, it is also a great way to secure your Internet connection when using unsecured WiFi.
For a self-hosted VPN, OpenVPN is one of the best and best-known solutions. It's free and there are both desktop and mobile clients available.
With docker-compose you can make an easy and clean installation of OpenVPN, which can be easily upgraded or cleaned up without affecting the host system and anything else installed on it.
OutlineVPN is another solution that has emerged recently and is easy to install and set up.
1 Make sure that docker and docker-compose are installed
```
apt update
apt install \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common

docker_repo=https://download.docker.com/linux/ubuntu
add-apt-repository \
    "deb [arch=amd64] $docker_repo bionic stable"

key_url=https://download.docker.com/linux/ubuntu/gpg
curl -fsSL $key_url | apt-key add -

apt update
apt-cache policy docker-ce
apt install docker-ce
systemctl status docker
docker --version
```
```
github_url="https://github.com/docker/compose"
release="$github_url/releases/download/1.25.4"
curl -L "$release/docker-compose-$(uname -s)-$(uname -m)" \
    -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version
```
2 Set up docker-compose configuration
Make a directory for openvpn:
```
mkdir -p /srv/openvpn
cd /srv/openvpn
```
Create `docker-compose.yml` like this:
```
cat << EOF > docker-compose.yml
version: '2'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn
    ports:
      - "1194:1194/udp"
    restart: always
    volumes:
      - ./config:/etc/openvpn
EOF
cat docker-compose.yml
```
Also make sure that the port `1194/udp` is open in the firewall, for example like this: `ufw allow 1194/udp`.
3 Initialize and start the server
Initialize the configuration files and the PKI:
```
docker-compose run --rm openvpn \
    ovpn_genconfig -u udp://ovpn.example.org
ls config/
```
Instead of the FQDN of the server we could also use its IP.
Initialize the PKI:
```
docker-compose run --rm openvpn \
    ovpn_initpki
```
You will be asked for the CA key passphrase.
Start the server:
```
docker-compose up -d openvpn
docker-compose logs
docker-compose ps
```
4 Create OpenVPN clients
Generate client certificates:
```
docker-compose run --rm openvpn \
    easyrsa build-client-full client1 nopass
```
Don't add the option `nopass` if you want a passphrase protected
```
docker-compose run --rm openvpn \
    easyrsa build-client-full client2
```
Retrieve the client configurations (with embedded certificates):
```
docker-compose run --rm openvpn \
    ovpn_getclient client1 > client1.ovpn
docker-compose run --rm openvpn \
    ovpn_getclient client2 > client2.ovpn
less client1.ovpn
```
Note: To revoke a client certificate do:
```
docker-compose run --rm openvpn \
    ovpn_revokeclient client1

# remove also crt, key and req files with option 'remove'
docker-compose run --rm openvpn \
    ovpn_revokeclient client2 remove
```
5 Sharing client configuration files
Sending configuration files (like to the clients depends on the case. However, an easy way of sharing them is by using an HTTP server, like this:
```
# install apache2 on the server
apt install apache2
a2enmod ssl
cp *.ovpn /var/www/html/

# get configuration file from the client
wget --no-check-certificate \
    https://ovpn.example.org/client1.ovpn
```
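A check worth running before profiles are copied into the web root, given as an added example that is not part of the original page: the `.ovpn` files written by `ovpn_getclient` embed the client's private key, and a client built with `nopass` carries that key unencrypted. The function names and the sample profiles are constructed for illustration, and the script assumes the key sits in an inline `<key>` block.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the profile carries the
# client key in an inline <key>...</key> block.

# Print "plaintext", "encrypted" or "none" for the key embedded in profile $1.
ovpn_key_status() {
    awk '
        /^<key>/   { inkey = 1; found = 1; next }
        /^<\/key>/ { inkey = 0 }
        inkey && /BEGIN ENCRYPTED PRIVATE KEY/ { enc = 1 }  # PKCS#8 with passphrase
        inkey && /^Proc-Type: 4,ENCRYPTED/     { enc = 1 }  # legacy PEM encryption
        END {
            if (!found)   print "none"
            else if (enc) print "encrypted"
            else          print "plaintext"
        }
    ' "$1"
}

# Report every *.ovpn in directory $1 whose key has no passphrase.
# Returns 1 if any was found, 0 otherwise.
audit_ovpn_dir() {
    rc=0
    for f in "$1"/*.ovpn; do
        [ -e "$f" ] || continue
        if [ "$(ovpn_key_status "$f")" = "plaintext" ]; then
            echo "unprotected key: $f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample profiles (placeholder key bodies, not real keys).
make_samples() {
    printf '%s\n' 'client' '<key>' '-----BEGIN PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' '</key>' \
        > "$1/client1.ovpn"
    printf '%s\n' 'client' '<key>' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQ=' '-----END ENCRYPTED PRIVATE KEY-----' '</key>' \
        > "$1/client2.ovpn"
}

demo=$(mktemp -d)
make_samples "$demo"
audit_ovpn_dir "$demo" || echo "found profiles without a passphrase"
rm -rf "$demo"
```

Running `audit_ovpn_dir /var/www/html` after the `cp` step lists the profiles that anyone who can reach the web server could use as-is; remove each file from the web root once its client has fetched it.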
6 Configuration of the OpenVPN client
First of all make sure that the package `openvpn` is installed on the
```
apt install openvpn
```
Then make sure that the `openvpn` service is running too:
```
systemctl enable openvpn
systemctl start openvpn
systemctl status openvpn
```
Finally copy the configuration file to `/etc/openvpn/`, with a
```
mv client1.ovpn /etc/openvpn/client1.conf
```
Check the public IP by going to `google.com` and searching for `what is my ip`. Or check it with one of these commands:
```
curl ifconfig.co
curl icanhazip.com
wget -qO - icanhazip.com
```
First stop the `openvpn` service (with `systemctl stop openvpn`) and check the public IP, then start it again (with openvpn) and check the public IP again.
There are also GUI tools that can import an OpenVPN configuration file.
7 Installing OutlineVPN
OutlineVPN is another solution that is easy to install and set up. It can be installed with a couple of commands, like this:
```
github_url="https://raw.githubusercontent.com"
base="$github_url/Jigsaw-Code/outline-server/master/src"
script="$base/server_manager/install_scripts/install_server.sh"
wget $script
bash install_server.sh
```
For more instructions or details see: https://blog.ssdnodes.com/blog/outline-vpn-tutorial-vps/