Installing a VPN Server
A self-hosted VPN is a simple and secure way to access your home or small business network. For small businesses, this is a great way to set up a VPN connection that allows your employees to work remotely. For the rest of us, it is also a great way to secure your Internet connection when using unsecured WiFi.
For a self-hosted VPN, OpenVPN is one of the best and best-known solutions. It’s free and there are both desktop and mobile clients available.
With docker-compose you can make an easy and clean installation of OpenVPN, which can be easily upgraded or cleaned up without affecting the host system and anything else installed on it.
OutlineVPN is another solution that has emerged recently and is easy to install and set up.
1 Make sure that docker and docker-compose are installed
Install docker:
apt update
apt install \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common
docker_repo=https://download.docker.com/linux/ubuntu
add-apt-repository \
    "deb [arch=amd64] $docker_repo bionic stable"
key_url=https://download.docker.com/linux/ubuntu/gpg
curl -fsSL $key_url | apt-key add -
apt update
apt-cache policy docker-ce
apt install docker-ce
systemctl status docker
docker --version
Install docker-compose:
github_url="https://github.com/docker/compose"
release="$github_url/releases/download/1.25.4"
curl -L "$release/docker-compose-$(uname -s)-$(uname -m)" \
    -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version
2 Set up docker-compose configuration
Make a directory for openvpn:
mkdir -p /srv/openvpn
cd /srv/openvpn
Create `docker-compose.yml` like this:
cat << EOF > docker-compose.yml
version: '2'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn
    ports:
      - "1194:1194/udp"
    restart: always
    volumes:
      - ./config:/etc/openvpn
EOF
cat docker-compose.yml
Also make sure that the port 1194/udp is open in the firewall, for
example like this: ufw allow 1194/udp.
3 Initialize and start the server
Initialize the configuration files and the PKI:
docker-compose run --rm openvpn \
    ovpn_genconfig -u udp://ovpn.example.org
ls config/
Instead of the FQDN of the server we could also use its IP.
Initialize the PKI:
docker-compose run --rm openvpn \
    ovpn_initpki
You will be asked for the CA key passphrase.
Start the server:
docker-compose up -d openvpn
docker-compose logs
docker-compose ps
4 Create OpenVPN clients
Generate client certificates:
docker-compose run --rm openvpn \
    easyrsa build-client-full client1 nopass
Don't add the option nopass if you want a passphrase-protected
certificate:
docker-compose run --rm openvpn \
    easyrsa build-client-full client2
Retrieve the client configurations (with embedded certificates):
docker-compose run --rm openvpn \
    ovpn_getclient client1 > client1.ovpn
docker-compose run --rm openvpn \
    ovpn_getclient client2 > client2.ovpn
less client1.ovpn
Note: To revoke a client certificate do:
docker-compose run --rm openvpn \
    ovpn_revokeclient client1
# also remove the crt, key and req files with the option 'remove'
docker-compose run --rm openvpn \
    ovpn_revokeclient client2 remove
5 Sharing client configuration files
How to send the configuration files (like client1.ovpn and client2.ovpn)
to the clients depends on the case. However, an easy way of sharing
them is by using an HTTP server, like this:
# install apache2 on the server
apt install apache2
a2enmod ssl
cp *.ovpn /var/www/html/
# get configuration file from the client
wget --no-check-certificate \
    https://ovpn.example.org/client1.ovpn
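Each .ovpn file retrieved in step 4 carries the client's private key inline, and client1 was built with nopass, so it is worth checking what a profile contains and who can read it before copying it to a shared location. The script below is an added example, not part of the original tutorial or of the docker-openvpn project; the function names and sample profiles are constructed for illustration, and it assumes the PEM headers OpenSSL writes for plaintext and passphrase-protected keys.

```shell
#!/bin/sh
# Audit OpenVPN client profiles (.ovpn) before they are copied anywhere shared.

# Print the body of the inline <TAG>...</TAG> block of a profile.
ovpn_block() {    # usage: ovpn_block FILE TAG
    awk -v tag="$2" '
        $0 == ("</" tag ">") { inside = 0 }
        inside               { print }
        $0 == ("<" tag ">")  { inside = 1 }
    ' "$1"
}

# Classify the embedded private key by its PEM header (assumed OpenSSL style).
ovpn_key_state() {    # usage: ovpn_key_state FILE
    case "$(ovpn_block "$1" key)" in
        "") echo none ;;
        *"BEGIN ENCRYPTED PRIVATE KEY"*|*"Proc-Type: 4,ENCRYPTED"*) echo encrypted ;;
        *"PRIVATE KEY-----"*) echo plaintext ;;
        *) echo unknown ;;
    esac
}

# Succeed only when the key is passphrase-protected (or absent) and the file
# grants nothing to group or others; print one finding per problem.
ovpn_audit() {    # usage: ovpn_audit FILE
    rc=0
    state=$(ovpn_key_state "$1")
    perms=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
    case "$state" in
        plaintext|unknown) echo "$1: private key is $state"; rc=1 ;;
    esac
    [ "$perms" = "------" ] || { echo "$1: group/other permissions $perms"; rc=1; }
    return $rc
}

# Constructed sample profiles (placeholder key bodies, not real keys).
sample_profile() {    # usage: sample_profile FILE PEM_LABEL
    printf '%s\n' client 'remote ovpn.example.org 1194 udp' \
        '<key>' "-----BEGIN $2-----" 'PLACEHOLDER' "-----END $2-----" '</key>' \
        '<ca>' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' '</ca>' > "$1"
}

demo=$(mktemp -d)
sample_profile "$demo/client1.ovpn" 'PRIVATE KEY'            # built with nopass
sample_profile "$demo/client2.ovpn" 'ENCRYPTED PRIVATE KEY'  # with passphrase
chmod 644 "$demo/client1.ovpn"; chmod 600 "$demo/client2.ovpn"
for f in "$demo"/*.ovpn; do ovpn_audit "$f" || true; done
```

On the constructed samples, client1.ovpn is reported twice (plaintext key, readable by group and others) and client2.ovpn passes.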
6 Configuration of the OpenVPN client
First of all make sure that the package openvpn is installed on the
client:
apt install openvpn
Then make sure that the openvpn service is running too:
systemctl enable openvpn
systemctl start openvpn
systemctl status openvpn
Finally copy the configuration file to /etc/openvpn/, with a .conf
extension:
mv client1.ovpn /etc/openvpn/client1.conf
Check the public IP by going to google.com and searching for
what is my ip. Or check it with one of these commands:
curl ifconfig.co
curl icanhazip.com
wget -qO - icanhazip.com
First stop the openvpn service (with systemctl stop openvpn) and
check the public IP, then start it again (with systemctl start
openvpn) and check again the public IP.
There are also GUI tools that can import an OpenVPN configuration file.
7 Installing OutlineVPN
OutlineVPN is another solution that is easy to install and set up. It can be installed with a couple of commands, like this:
github_url="https://raw.githubusercontent.com"
base="$github_url/Jigsaw-Code/outline-server/master/src"
script="$base/server_manager/install_scripts/install_server.sh"
wget $script
bash install_server.sh
For more instructions or details see: https://blog.ssdnodes.com/blog/outline-vpn-tutorial-vps/
8 References
- https://github.com/kylemanna/docker-openvpn/blob/master/docs/docker-compose.md
- https://katacoda.com/dashohoxha/courses/misc/openvpn
- https://blog.ssdnodes.com/blog/outline-vpn-tutorial-vps/
- https://medium.com/@gurayy/set-up-a-vpn-server-with-docker-in-5-minutes-a66184882c45
- https://heavymetaldev.com/openvpn-with-docker