New Zealand rules out a VPN ban after a fierce privacy backlash
Back to Tutorials
techTutorialintermediate

New Zealand rules out a VPN ban after a fierce privacy backlash

July 7, 20267 views5 min read

Learn how to set up and configure an OpenVPN server, generate certificates, and create secure client connections. This hands-on tutorial teaches the fundamentals of VPN technology and implementation.

Introduction

In the wake of New Zealand's decision to abandon plans to ban VPNs, this tutorial will teach you how to set up and manage a secure VPN connection using OpenVPN, a widely-used open-source VPN solution. This hands-on guide will help you understand VPN architecture, configure a basic server, and connect securely to it. Understanding VPNs is crucial for anyone interested in digital privacy, network security, or managing secure remote access.

Prerequisites

  • A Linux-based system (Ubuntu/Debian recommended) or a virtual machine with internet access
  • Basic command-line knowledge
  • Root or sudo privileges
  • Understanding of networking concepts (IP addresses, ports, firewalls)
  • Basic knowledge of OpenSSL and certificate management

Step-by-step instructions

1. Setting Up the OpenVPN Server Environment

1.1 Update System Packages

Before installing OpenVPN, ensure your system is up-to-date to avoid compatibility issues.

sudo apt update
sudo apt upgrade -y

Why this step: Ensures you have the latest security patches and package versions for a stable installation.

1.2 Install OpenVPN and Easy-RSA

Install the required packages for OpenVPN server setup.

sudo apt install openvpn easy-rsa -y

Why this step: OpenVPN provides the core VPN functionality, while Easy-RSA handles certificate generation for secure authentication.

2. Generating Server Certificates and Keys

2.1 Set Up Easy-RSA Environment

Copy the Easy-RSA files to a local directory for customization.

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

Why this step: Creates a secure, isolated environment for certificate management to prevent conflicts with system-wide certificates.

2.2 Configure Certificate Variables

Edit the vars file to define your certificate parameters.

vim vars

Modify the following variables to match your organization:

export KEY_COUNTRY="NZ"
export KEY_PROVINCE="Auckland"
export KEY_CITY="Auckland"
export KEY_ORG="MyOrg"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrg-IT"

Why this step: These variables define the certificate authority (CA) identity that will sign all server and client certificates.

2.3 Build Certificate Authority (CA)

Initialize the PKI (Public Key Infrastructure) and generate the CA certificate.

source vars
./clean-all
./build-ca

Why this step: The CA is the root of trust for all certificates in your VPN infrastructure.

3. Creating Server Certificate and Key

3.1 Generate Server Certificate

Create the server certificate and key for your VPN server.

./build-key-server server

Why this step: The server certificate authenticates the VPN server to connecting clients.

3.2 Generate Diffie-Hellman Parameters

Create the Diffie-Hellman parameters for secure key exchange.

./build-dh

Why this step: DH parameters enable perfect forward secrecy, ensuring that even if one key is compromised, past sessions remain secure.

4. Configure OpenVPN Server

4.1 Copy Required Files

Move generated certificates to the OpenVPN configuration directory.

sudo cp ~/openvpn-ca/keys/{ca.crt,server.crt,server.key,dh2048.pem} /etc/openvpn/

Why this step: These files are essential for the server to authenticate itself and establish secure connections.

4.2 Configure OpenVPN Server

Create the main OpenVPN configuration file.

sudo vim /etc/openvpn/server.conf

Add the following configuration:

# OpenVPN Server Configuration
port 1194
proto udp
dev tun

ca ca.crt
key server.key
cert server.crt
dh dh2048.pem

server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Why this step: This configuration defines the network topology, security parameters, and routing behavior for your VPN server.

5. Enable IP Forwarding and Firewall Rules

5.1 Enable IP Forwarding

Allow the server to forward packets between VPN clients and the internet.

echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Why this step: IP forwarding is essential for routing traffic through the VPN tunnel.

5.2 Configure UFW Firewall

Allow OpenVPN traffic through the firewall.

sudo ufw allow 1194/udp
sudo ufw allow OpenSSH

Why this step: Proper firewall rules ensure that only legitimate VPN traffic can reach your server.

6. Start and Test OpenVPN Server

6.1 Start OpenVPN Service

Launch the OpenVPN service with the new configuration.

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Why this step: Starts the VPN service and ensures it starts automatically on system boot.

6.2 Test Server Status

Verify that the server is running correctly.

sudo systemctl status openvpn@server

Why this step: Ensures the service is properly configured and running without errors.

7. Create Client Configuration

7.1 Generate Client Certificate

Create a certificate for a client to connect to the VPN.

cd ~/openvpn-ca
source vars
./build-key client1

Why this step: Each client needs its own certificate for secure authentication to the VPN server.

7.2 Create Client Configuration File

Generate a client.ovpn configuration file.

cat > ~/client1.ovpn << EOF
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
cert client1.crt
key client1.key
ca ca.crt
comp-lzo
verb 3
EOF

Why this step: The client configuration file contains all necessary parameters for connecting securely to the VPN server.

Summary

This tutorial demonstrated how to set up a basic OpenVPN server, generate certificates, configure network settings, and create client configurations. Understanding these concepts is crucial for implementing secure remote access solutions. While New Zealand's government decision to not ban VPNs protects user privacy, learning VPN implementation helps you understand the technology's importance and security mechanisms. This knowledge is valuable for network administrators, security professionals, and anyone interested in digital privacy and secure communication.

Source: TNW Neural

Related Articles