
Setup OpenVPN on Ubuntu Server


This tutorial will help you set up a private OpenVPN server. By private I mean a server intended for only one or two clients.

Before proceeding, I assume you have some basic knowledge of computer networking and *nix systems.

Examine the network diagram below to make sure this tutorial is suitable for you. All of the laptop's traffic will be routed through the server, so to the rest of the internet the laptop appears to be the server. When the VPN is working, your laptop's external IP should be your server's IP (google "what is my ip").

+----------+      +-----------------------+               +------------------+
| INTERNET |======| eth0    Server   tun0 |===(GATEWAY)===|   Laptop (LAN)   |
|          |      |    tun0: 10.8.0.1/24  |               |  192.168.0.0/24  |
+----------+      +-----------------------+               +------------------+

Essentially it's just layer 3 routing performed by OpenVPN and Ubuntu's iptables. You could also do bridging, which works at layer 2, but bridging is not covered in this tutorial.

To begin, install openvpn and generate the certificates and keys (CA, server and client) by following the instructions here: OpenVPN. Don't worry about any configuration yet.

Pick a memorable name for the client certificate. Suppose the client is called "fred": then KEY_CN should be "fred", the certificate file should be fred.crt and the key file fred.key. OpenVPN uses this common name (CN) to look up the client's settings in the client-config-dir, and that is how a fixed IP address is assigned to it. (See the paragraphs after the server config file for more.) Because the CN identifies the client, give each client its own certificate rather than sharing one.

Start configuring openvpn from the example server.conf file (on Ubuntu it ships under /usr/share/doc/openvpn/examples/sample-config-files/). It is worth taking a bit of time to read through the comments and understand the settings. A sample TCP configuration file is given below.

Note that it doesn't matter whether OpenVPN listens on TCP or UDP; all of the client's packets are redirected either way. To tunnel over UDP, change proto tcp to proto udp in both the server and the client config. To have the server listen on both, run two OpenVPN instances with two configuration files, each with its own tun device and its own VPN subnet.

## OpenVPN server, TCP

port 1194
proto tcp
dev tun

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

# Diffie-Hellman parameters. 1024-bit DH is too weak by
# today's standards; if your easy-rsa only produced dh1024.pem,
# generate a 2048-bit file with
#   openssl dhparam -out dh2048.pem 2048
dh dh2048.pem

server 10.8.0.0 255.255.255.0

# Assign IP to client by name (see the ipp.txt and ccd notes below)
ifconfig-pool-persist ipp.txt
client-config-dir ccd

# Push the correct gateway to the client so all of its
# traffic goes through the tunnel.
# Note: needs iptables NAT and IP forwarding on the server.
push "redirect-gateway def1 bypass-dhcp"

keepalive 10 120

# HMAC-sign every control-channel packet; a peer without
# ta.key is dropped before the TLS handshake even starts.
tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
cipher AES-128-CBC   # AES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# (Compressing data before encrypting it can leak information
# about the plaintext; if you don't need the bandwidth savings,
# drop this line on both sides.)
comp-lzo

max-clients 3

# Reduce the OpenVPN daemon's privileges after
# initialization. This works on Linux; persist-key
# and persist-tun below keep restarts working.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# Set the appropriate level of log
# file verbosity.
verb 3

Two additional files are needed to assign an IP address to a client by name. ifconfig-pool-persist ipp.txt makes OpenVPN remember which address each common name last received, so create ipp.txt in /etc/openvpn and paste this line in:

fred,10.8.0.4

This line records 10.8.0.4 for fred. The entry that actually enforces the assignment is the per-client file in the client-config-dir: create the directory ccd under /etc/openvpn, create a file in it named fred (the client's CN, exactly as it appears in the certificate) and paste this line in:

ifconfig-push 10.8.0.4 10.8.0.1

This tells the client to use 10.8.0.4 as its own address and 10.8.0.1 (the server's tun0 address) as the remote end of the tunnel. That's all we need to make sure fred always gets 10.8.0.4. The reason you might want a fixed address is to let connections from the outside (WAN) reach fred, which is easy to do with an iptables DNAT rule. Two caveats: if the daemon runs as nobody, the ccd directory and its files must be readable by that user, because they are read when the client connects, after privileges have been dropped. And with OpenVPN's default topology net30, each tun client is meant to get a /30 pair of addresses; if a client fails to bring up its interface with the pair above, either use a proper pair (e.g. ifconfig-push 10.8.0.6 10.8.0.5) or add topology subnet to the server config and write the ccd line as ifconfig-push 10.8.0.4 255.255.255.0.
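The reservation above is two files that must agree, and the file name is the client's CN, so a small script helps avoid typos and path tricks. As an added example, not from the original post: a POSIX shell script that writes ccd/<cn> and the matching ipp.txt line together, refuses CNs that are not plain certificate names, and checks the whole ccd directory for two clients reserving the same address. It assumes the tutorial's layout (/etc/openvpn/ccd, /etc/openvpn/ipp.txt, server on 10.8.0.1); OPENVPN_DIR and VPN_GATEWAY are the script's own overrides, not OpenVPN settings.

```sh
#!/bin/sh
# Added example (not from the original tutorial): reserve a fixed VPN
# address for a client by its certificate CN, writing the ccd entry
# (authoritative) and the ipp.txt cache line so the two never disagree.
# Assumed layout: /etc/openvpn/{ccd,ipp.txt}, subnet 10.8.0.0/24,
# server on 10.8.0.1. OPENVPN_DIR/VPN_GATEWAY are this script's own
# overrides so it can be tried in a scratch directory.
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"
VPN_GATEWAY="${VPN_GATEWAY:-10.8.0.1}"

# vpn_valid_client_ip IP: accept 10.8.0.2 .. 10.8.0.254 only
# (.1 is the server, .0 and .255 are not host addresses).
vpn_valid_client_ip() {
    case "$1" in
        10.8.0.*) host="${1##*.}" ;;
        *) return 1 ;;
    esac
    case "$host" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$host" -ge 2 ] && [ "$host" -le 254 ]
}

# vpn_reserve CN IP: create/overwrite ccd/CN and refresh the ipp.txt line.
vpn_reserve() {
    cn="$1"; ip="$2"
    # The CN becomes a file name under ccd, so refuse anything that
    # is not a plain certificate name (no slashes, no "." or "..").
    case "$cn" in
        ''|.|..|*/*|*[!A-Za-z0-9_.@-]*)
            echo "vpn_reserve: bad CN '$cn'" >&2; return 1 ;;
    esac
    vpn_valid_client_ip "$ip" || {
        echo "vpn_reserve: $ip is not a usable client address" >&2; return 1; }

    mkdir -p "$OPENVPN_DIR/ccd"
    printf 'ifconfig-push %s %s\n' "$ip" "$VPN_GATEWAY" > "$OPENVPN_DIR/ccd/$cn"

    ipp="$OPENVPN_DIR/ipp.txt"
    [ -f "$ipp" ] || : > "$ipp"
    # Drop any stale line for this CN *or* this address (another client
    # may have been cached with it), then append the new pairing.
    awk -F, -v cn="$cn" -v ip="$ip" '$1 != cn && $2 != ip' "$ipp" > "$ipp.tmp"
    printf '%s,%s\n' "$cn" "$ip" >> "$ipp.tmp"
    mv "$ipp.tmp" "$ipp"
}

# vpn_reserved_ip CN: print the address reserved in ccd/CN, or fail.
vpn_reserved_ip() {
    f="$OPENVPN_DIR/ccd/$1"
    [ -f "$f" ] || return 1
    awk '$1 == "ifconfig-push" { print $2; found = 1 } END { exit !found }' "$f"
}

# vpn_check_reservations: flag two CNs reserving the same address, and
# CNs whose ipp.txt cache line disagrees with ccd. Returns 1 on any finding.
vpn_check_reservations() {
    rc=0; seen=""
    for f in "$OPENVPN_DIR"/ccd/*; do
        [ -f "$f" ] || continue
        cn="${f##*/}"
        want="$(vpn_reserved_ip "$cn")" || continue
        case " $seen " in
            *" $want "*) echo "DUPLICATE $want is also reserved for $cn"; rc=1 ;;
        esac
        seen="$seen $want"
        have="$(awk -F, -v cn="$cn" '$1 == cn { print $2 }' "$OPENVPN_DIR/ipp.txt" 2>/dev/null)"
        if [ -n "$have" ] && [ "$have" != "$want" ]; then
            echo "MISMATCH $cn: ccd says $want, ipp.txt says $have"; rc=1
        fi
    done
    return $rc
}
```

Run it as root on the server, e.g. `. ./vpn-reserve.sh; vpn_reserve fred 10.8.0.4; vpn_check_reservations`, then restart OpenVPN. The check is worth running whenever you add a client, since OpenVPN itself will happily hand the same ccd address to two CNs.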

Now that the OpenVPN server is configured, try to start it. If it fails, it's usually because the tun device (/dev/net/tun) doesn't exist; look at the log (/var/log/syslog on Ubuntu, or wherever your log or log-append directive points) to find out exactly what went wrong. On some VPS hosts, OpenVZ in particular, you have to enable TUN/TAP in the control panel or ask for it to be enabled. If OpenVPN starts successfully, you should see at least one tunnel interface (tun0) when you run ifconfig or ip addr.

For the client, I'm using Tunnelblick on Mac OS X 10.8.3 (as of writing) and my config file is as follows:

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
dev tun
proto tcp
# Your server's public IP (or host name) and port.
remote 1.2.3.4 1194

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

ca ca.crt
# don't forget to rename these files
cert fred.crt
key fred.key

# Only accept a peer whose certificate was issued as a
# server certificate (easy-rsa's build-key-server sets that
# extension). Without this, anyone holding a client
# certificate signed by your CA could impersonate the server.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Get the correct gateway from the server.
# (client above already implies pull; kept for clarity.)
pull

If the client can connect to the server, we've almost got everything working. Ping the server's tunnel address (10.8.0.1) from the client and the client's address (10.8.0.4) from the server. The first ping should always work; the second may be blocked by the laptop's own firewall, which is fine. Also check that the client was assigned the reserved address, on the client (ifconfig) and on the server (the ROUTING TABLE section of openvpn-status.log).
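To verify the assignment without trusting the client side, read the server's status file. As an added example, not from the original post: a shell script that parses the ROUTING TABLE section of openvpn-status.log (OpenVPN's default status format) and compares each connected CN with its ccd reservation, flagging clients that have no reservation or hold a different address. The sample status file is constructed for the example; the functions and the OPENVPN_DIR override are its own, not OpenVPN's.

```sh
#!/bin/sh
# Added example (not from the original tutorial): audit the server's
# status file against the ccd reservations.
# Assumed layout: /etc/openvpn/ccd and /etc/openvpn/openvpn-status.log
# (OPENVPN_DIR is this script's own override for testing elsewhere).
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"

# vpn_status_clients STATUSFILE: print "CN VIRTUAL_ADDRESS REAL_ADDRESS"
# for each entry of the ROUTING TABLE section. Entries with a "/" are
# iroute subnets, not client addresses, so they are skipped.
vpn_status_clients() {
    awk -F, '
        /^ROUTING TABLE$/ { in_rt = 1; next }
        /^GLOBAL STATS$/  { in_rt = 0 }
        in_rt && NF >= 3 && $1 != "Virtual Address" && $1 !~ /\// { print $2, $1, $3 }
    ' "$1"
}

# vpn_audit_status STATUSFILE: one line per connected client; returns 1
# if any client is unreserved or holds an address other than its ccd one.
vpn_audit_status() {
    vpn_status_clients "$1" | {
        rc=0
        while read -r cn vaddr raddr; do
            ccd="$OPENVPN_DIR/ccd/$cn"
            if [ ! -f "$ccd" ]; then
                echo "UNRESERVED $cn holds $vaddr (from $raddr) but has no ccd entry"
                rc=1; continue
            fi
            want=$(awk '$1 == "ifconfig-push" { print $2 }' "$ccd")
            if [ "$want" = "$vaddr" ]; then
                echo "OK $cn $vaddr (from $raddr)"
            else
                echo "MISMATCH $cn holds $vaddr but ccd reserves $want"
                rc=1
            fi
        done
        exit $rc   # the pipeline's status is this subshell's exit code
    }
}

# Constructed sample in OpenVPN's default status format (status-version 1),
# written to a file of your choice so the functions can be tried offline.
vpn_write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Aug 19 12:00:00 2013
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
fred,203.0.113.7:51234,18432,91023,Mon Aug 19 11:40:12 2013
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.4,fred,203.0.113.7:51234,Mon Aug 19 11:59:58 2013
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}
```

On the real server, `vpn_audit_status /etc/openvpn/openvpn-status.log` run from cron (or by hand after a reconnect) catches both a mistyped ccd file and a CN you never issued a reservation for; the status file is rewritten every minute, so the view is at most that stale.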

Now it is time to get the packets routed properly with iptables NAT rules. Enable IP forwarding first (sysctl -w net.ipv4.ip_forward=1); without it the kernel drops forwarded packets before any rule is consulted. For a normal server whose public address is on eth0, a single masquerading rule is enough:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If your FORWARD chain's policy is DROP (ufw sets it up that way), also add the two FORWARD rules from the OpenVZ set below, with eth0 in place of venet0.

If your VPS uses OpenVZ you'll have venet0 instead of eth0; use these rules, which SNAT to the server's public address (1.2.3.4 here) instead of masquerading:

iptables -A FORWARD -i venet0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 1.2.3.4

The third rule already rewrites the source of everything leaving the VPN subnet. A catch-all "iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.4" after it is redundant and would also rewrite traffic that has nothing to do with the VPN, so leave it out.

Double check the rules were added correctly:

$ iptables -t nat -nvL
$ iptables -nvL FORWARD

I mentioned before that you can let external (WAN) connections reach clients within the VPN. This is done by forwarding incoming traffic on a chosen port to the client's fixed VPN address. Use this rule (assuming the client's IP is always 10.8.0.4, that port 1234 on the server should reach port 1234 on the client, and that the public interface is eth0; use venet0 on OpenVZ):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1234 -j DNAT --to-destination 10.8.0.4:1234

If your FORWARD policy is DROP, the new inbound connection also needs an explicit accept, since the ESTABLISHED,RELATED rule only covers replies:

iptables -A FORWARD -i eth0 -o tun0 -p tcp -d 10.8.0.4 --dport 1234 -m state --state NEW -j ACCEPT
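These rules are easy to get half-right: the NAT rule without the FORWARD rules, or a DNAT without the accept that lets the new connection in. As an added example, not from the original post: a shell script that prints the complete rule set for either the eth0/MASQUERADE or the venet0/SNAT case, plus optional port forwards, with each rule wrapped in "iptables -C ... || iptables -A ..." so that applying the output twice does not duplicate entries (-C needs iptables 1.4.11 or newer, which Ubuntu 12.04 ships). The function names are the example's own; pipe the output to sh as root to apply it.

```sh
#!/bin/sh
# Added example (not from the original tutorial): print the forwarding,
# NAT and port-forward rules for the routed OpenVPN setup above.
# Assumes the VPN subnet is reachable via tun0; nothing here is applied
# until the output is piped to sh.
set -u

# vpn_emit TABLE CHAIN RULE...: print one idempotent append
# ("check, and append only if the check fails").
vpn_emit() {
    table="$1"; chain="$2"; shift 2
    printf 'iptables -t %s -C %s %s 2>/dev/null || iptables -t %s -A %s %s\n' \
        "$table" "$chain" "$*" "$table" "$chain" "$*"
}

# vpn_nat_rules WAN_IF VPN_NET [PUBLIC_IP]
# With PUBLIC_IP, SNAT to it (the OpenVZ/venet0 case); without it, MASQUERADE.
vpn_nat_rules() {
    wan="$1"; net="$2"; pub="${3:-}"
    case "$net" in
        */*) ;;
        *) echo "vpn_nat_rules: VPN_NET must be CIDR, e.g. 10.8.0.0/24" >&2; return 1 ;;
    esac
    echo "sysctl -q -w net.ipv4.ip_forward=1"
    # Replies back into the tunnel, and anything the VPN clients send out.
    vpn_emit filter FORWARD -i "$wan" -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    vpn_emit filter FORWARD -i tun0 -o "$wan" -s "$net" -j ACCEPT
    if [ -n "$pub" ]; then
        vpn_emit nat POSTROUTING -s "$net" -o "$wan" -j SNAT --to-source "$pub"
    else
        vpn_emit nat POSTROUTING -s "$net" -o "$wan" -j MASQUERADE
    fi
}

# vpn_port_forward WAN_IF PROTO PORT CLIENT_IP
# Expose PORT of a client with a fixed VPN address to the outside world.
vpn_port_forward() {
    wan="$1"; proto="$2"; port="$3"; client="$4"
    case "$proto" in
        tcp|udp) ;;
        *) echo "vpn_port_forward: PROTO must be tcp or udp" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "vpn_port_forward: bad port '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "vpn_port_forward: port $port out of range" >&2; return 1; }
    vpn_emit nat PREROUTING -i "$wan" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$client:$port"
    # A new inbound connection is not ESTABLISHED,RELATED, so it needs
    # its own FORWARD accept when the chain policy is DROP.
    vpn_emit filter FORWARD -i "$wan" -o tun0 -p "$proto" -d "$client" \
        --dport "$port" -m state --state NEW -j ACCEPT
}
```

Typical use: `vpn_nat_rules eth0 10.8.0.0/24 | sh` on a normal server, `vpn_nat_rules venet0 10.8.0.0/24 1.2.3.4 | sh` on OpenVZ, and `vpn_port_forward eth0 tcp 1234 10.8.0.4 | sh` for the forward above; run the functions without the pipe first to review what would be applied.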

If anything is unclear, this wiki page is pretty helpful: OpenVPN - ArchWiki. Also don't forget to enable IP forwarding (net.ipv4.ip_forward=1, set with sysctl now and in /etc/sysctl.conf so it survives a reboot), which is covered in that link too.

Now restart the server and have the client reconnect. Tunnelblick should automatically tell you that your IP has changed, which means the VPN is working. Double check this in the routing table:

$ netstat -rn

Pay attention to the gateways. With redirect-gateway def1 the client gets two routes covering 0.0.0.0/1 and 128.0.0.0/1 via the tunnel endpoint (10.8.0.1 here), plus a host route to your server's public IP through the original LAN gateway; if you see those, your external IP has been changed. In case you have any DNS troubles, I always use Google's DNS servers: 8.8.8.8 and 8.8.4.4. You can push them from the server with push "dhcp-option DNS 8.8.8.8" (Tunnelblick applies this on the Mac side), which also keeps DNS lookups inside the tunnel instead of sending them to your LAN resolver.

For additional stealth (hiding the OpenVPN handshake from a firewall that blocks it), consider wrapping the connection in stunnel; follow the instructions here: Install and Setup OpenVPN Stealth with Stunnel on Ubuntu 12 +. It's very easy to set up, but note that it works with TCP only.

Lastly, don't forget to save the iptables rules with iptables-save; they are lost on reboot otherwise. On Ubuntu the iptables-persistent package restores /etc/iptables/rules.v4 at boot, or look at the script solution on this page: IptablesHowTo.

Last updated on 2013-08-19.