Introduction
In the wake of New Zealand's decision to abandon plans to ban VPNs, this tutorial will teach you how to set up and manage a secure VPN connection using OpenVPN, a widely-used open-source VPN solution. This hands-on guide will help you understand VPN architecture, configure a basic server, and connect securely to it. Understanding VPNs is crucial for anyone interested in digital privacy, network security, or managing secure remote access.
Prerequisites
- A Linux-based system (Ubuntu/Debian recommended) or a virtual machine with internet access
- Basic command-line knowledge
- Root or sudo privileges
- Understanding of networking concepts (IP addresses, ports, firewalls)
- Basic knowledge of OpenSSL and certificate management
Step-by-step instructions
1. Setting Up the OpenVPN Server Environment
1.1 Update System Packages
Before installing OpenVPN, ensure your system is up-to-date to avoid compatibility issues.
sudo apt update
sudo apt upgrade -y
Why this step: Ensures you have the latest security patches and package versions for a stable installation.
1.2 Install OpenVPN and Easy-RSA
Install the required packages for OpenVPN server setup.
sudo apt install openvpn easy-rsa -y
Why this step: OpenVPN provides the core VPN functionality, while Easy-RSA handles certificate generation for secure authentication.
2. Generating Server Certificates and Keys
2.1 Set Up Easy-RSA Environment
Copy the Easy-RSA files to a local directory for customization.
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
Why this step: Creates a secure, isolated environment for certificate management to prevent conflicts with system-wide certificates.
2.2 Configure Certificate Variables
Edit the vars file to define your certificate parameters.
vim vars
Modify the following variables to match your organization:
export KEY_COUNTRY="NZ"
export KEY_PROVINCE="Auckland"
export KEY_CITY="Auckland"
export KEY_ORG="MyOrg"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrg-IT"
Why this step: These variables define the certificate authority (CA) identity that will sign all server and client certificates.
2.3 Build Certificate Authority (CA)
Initialize the PKI (Public Key Infrastructure) and generate the CA certificate.
source vars
./clean-all
./build-ca
Why this step: The CA is the root of trust for all certificates in your VPN infrastructure.
3. Creating Server Certificate and Key
3.1 Generate Server Certificate
Create the server certificate and key for your VPN server.
./build-key-server server
Why this step: The server certificate authenticates the VPN server to connecting clients.
3.2 Generate Diffie-Hellman Parameters
Create the Diffie-Hellman parameters for secure key exchange.
./build-dh
Why this step: DH parameters enable perfect forward secrecy, ensuring that even if one key is compromised, past sessions remain secure.
4. Configure OpenVPN Server
4.1 Copy Required Files
Move generated certificates to the OpenVPN configuration directory.
sudo cp ~/openvpn-ca/keys/{ca.crt,server.crt,server.key,dh2048.pem} /etc/openvpn/
Why this step: These files are essential for the server to authenticate itself and establish secure connections.
4.2 Configure OpenVPN Server
Create the main OpenVPN configuration file.
sudo vim /etc/openvpn/server.conf
Add the following configuration:
# OpenVPN Server Configuration
port 1194
proto udp
dev tun
ca ca.crt
key server.key
cert server.crt
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
Why this step: This configuration defines the network topology, security parameters, and routing behavior for your VPN server.
5. Enable IP Forwarding and Firewall Rules
5.1 Enable IP Forwarding
Allow the server to forward packets between VPN clients and the internet.
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Why this step: IP forwarding is essential for routing traffic through the VPN tunnel.
5.2 Configure UFW Firewall
Allow OpenVPN traffic through the firewall.
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
Why this step: Proper firewall rules ensure that only legitimate VPN traffic can reach your server.
6. Start and Test OpenVPN Server
6.1 Start OpenVPN Service
Launch the OpenVPN service with the new configuration.
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Why this step: Starts the VPN service and ensures it starts automatically on system boot.
6.2 Test Server Status
Verify that the server is running correctly.
sudo systemctl status openvpn@server
Why this step: Ensures the service is properly configured and running without errors.
7. Create Client Configuration
7.1 Generate Client Certificate
Create a certificate for a client to connect to the VPN.
cd ~/openvpn-ca
source vars
./build-key client1
Why this step: Each client needs its own certificate for secure authentication to the VPN server.
7.2 Create Client Configuration File
Generate a client.ovpn configuration file.
cat > ~/client1.ovpn << EOF
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
cert client1.crt
key client1.key
ca ca.crt
comp-lzo
verb 3
EOF
Why this step: The client configuration file contains all necessary parameters for connecting securely to the VPN server.
Summary
This tutorial demonstrated how to set up a basic OpenVPN server, generate certificates, configure network settings, and create client configurations. Understanding these concepts is crucial for implementing secure remote access solutions. While New Zealand's government decision to not ban VPNs protects user privacy, learning VPN implementation helps you understand the technology's importance and security mechanisms. This knowledge is valuable for network administrators, security professionals, and anyone interested in digital privacy and secure communication.



