A VPN enables two or more systems to communicate privately and securely over a public network such as the Internet. The network traffic is still routed through the Internet, but it is encrypted. You can use a VPN to set up a secure connection between two datacenters or to access office resources from the comfort of your home. VPN services are also used to protect your online activity, access location-restricted content, and bypass restrictions imposed by your ISP.
VPN services are implemented with a number of different protocols, such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), IPsec, and SSL. In this recipe, we will set up a free VPN server, OpenVPN. OpenVPN is an open source SSL VPN solution and provides a wide range of configurations. OpenVPN can be configured to use either TCP or UDP. In this recipe, we will set up OpenVPN on its default UDP port 1194.
You will need one server and one client system, and root or equivalent access to both systems.
1. Install OpenVPN and Easy-RSA on the server:

    $ sudo apt-get update
    $ sudo apt-get install openvpn easy-rsa

2. The build-ca script needs root access while writing new keys. Temporarily change to the root account using sudo su:

    $ sudo su

3. Copy the Easy-RSA directory to /etc/openvpn:

    # cp -r /usr/share/easy-rsa /etc/openvpn/

4. Edit /etc/openvpn/easy-rsa/vars and change the variables to match your environment:

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="ca"
    export KEY_CITY="your city"
    export KEY_ORG="your Company"
    export KEY_EMAIL="[email protected]"
    export KEY_CN="MyVPN"
    export KEY_NAME="MyVPN"
    export KEY_OU="MyVPN"

5. Load the variables and build the Certificate Authority (CA). Note that clean-all wipes the keys directory, so run it only on a fresh setup:

    # cd /etc/openvpn/easy-rsa
    # source vars
    # ./clean-all
    # ./build-ca

6. Build the server key and certificate:

    # ./build-key-server servername

   Accept the defaults at the prompts. When asked whether to sign the certificate and commit it, type y and then press the Enter key.

7. Generate the Diffie-Hellman parameters:

    # ./build-dh

8. Copy the generated certificates and keys to /etc/openvpn:

    # cp /etc/openvpn/easy-rsa/keys/{servername.crt,servername.key,ca.crt,dh2048.pem} /etc/openvpn

9. Generate a certificate and key for the client:

    # cd /etc/openvpn/easy-rsa
    # source vars
    # ./build-key clientname

   The client will need the following three files, copied to the client system over a secure channel such as scp:

    /etc/openvpn/ca.crt
    /etc/openvpn/easy-rsa/keys/clientname.crt
    /etc/openvpn/easy-rsa/keys/clientname.key

10. Extract the sample server configuration into /etc/openvpn:

    # gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

11. Open server.conf in your favorite editor:

    # nano /etc/openvpn/server.conf

12. Set the certificate and key paths (relative to /etc/openvpn):

    ca ca.crt
    cert servername.crt
    key servername.key
    dh dh2048.pem

13. Uncomment the following line to route all client traffic through the VPN:

    push "redirect-gateway def1 bypass-dhcp"

14. Optionally, uncomment the following lines to push DNS servers to the clients:

    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"

15. Find the user and group lines and uncomment them, so that the daemon drops root privileges after start-up:

    user nobody
    group nogroup

16. Check that the compression line is uncommented; the same setting must be present on the client:

    comp-lzo

17. Edit /etc/sysctl.conf to enable IP forwarding. Find the following line and uncomment it by removing the hash (#) in front of it:

    #net.ipv4.ip_forward=1

18. Reload the sysctl settings with the following command:

    # sysctl -p

19. Start the OpenVPN service:

    # service openvpn start
     * Starting virtual private network daemon(s)
     * Autostarting VPN 'server'

20. OpenVPN creates a new network interface, tun0. This can be checked with the ifconfig command:

    # ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255

21. If anything goes wrong, check /var/log/syslog. It should list all the steps completed by the OpenVPN service.

OpenVPN is an open source VPN solution. It is a traffic-tunneling protocol that works in client-server mode. As you may already know, a VPN is widely used to create a private and secure network connection between two endpoints. It is generally used to reach your servers or office systems from home. The other popular use of VPN servers is to protect your privacy by routing your traffic through the VPN server. OpenVPN needs two primary components, a server and a client. The preceding recipe installs the server component. When the OpenVPN service is started on the OpenVPN host, it creates a new virtual network interface, a tun device named tun0. On the client side, OpenVPN provides tools that configure the client with a similar setup by creating a tap device on the client's system.

Once the client is configured with a server hostname or IP address, a server certificate, and the client keys, it initiates a virtual network connection from the tap device on the client to the tun device on the server. The provided keys and certificate are used to verify the server's authenticity and then to authenticate the client. Once the session is established, all network traffic on the client system is routed, or tunneled, via the tap network interface. External services accessed by the OpenVPN client see the requests as if they originated from the OpenVPN server and not from the client. Additionally, the traffic between the server and the client is encrypted, which provides additional security.
In this recipe we have installed and configured an OpenVPN server. To use the VPN service from your local system you will need a VPN client tool.
The following are the steps to install and configure the OpenVPN client on Ubuntu systems:

1. Install the OpenVPN package:

    $ sudo apt-get update
    $ sudo apt-get install openvpn

2. Copy the sample client.conf configuration file to /etc/openvpn:

    $ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

3. Copy the client key, the client certificate, and the CA certificate from the server. Use the name you gave to build-key on the server; here it is client1:

    $ scp user@yourvpnserver:/etc/openvpn/easy-rsa/keys/client1.key /etc/openvpn
    $ scp user@yourvpnserver:/etc/openvpn/easy-rsa/keys/client1.crt /etc/openvpn
    $ scp user@yourvpnserver:/etc/openvpn/ca.crt /etc/openvpn

4. Edit client.conf, enable client mode, and specify the server name or address:

    client
    remote your.vpnserver.com 1194

   Also check that the ca, cert, and key lines in client.conf point at the files you copied (ca.crt, client1.crt, and client1.key).

5. Start the OpenVPN service:

    $ sudo service openvpn start

6. Check the tun0 network interface:

    $ ifconfig tun0

7. Check that the routing table now sends traffic through the VPN:

    $ netstat -rn
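Both the server steps and the client steps above depend on a few things being right before service openvpn start is run: the ca, cert, key (and, on the server, dh) directives must resolve to files that actually exist next to the config, the private key should not be readable by other users, and the server's user/group lines must be uncommented so the daemon does not keep running as root. The following POSIX shell script is an added example written for this page; it is not part of the recipe or of the OpenVPN project. It checks a server.conf or client.conf for exactly those points and returns the number of problems found. The directive names and the /etc/openvpn layout are the recipe's; the function names, the sample configs in the comments, and the exit-status convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the recipe or from OpenVPN): pre-flight check for an
# OpenVPN server.conf or client.conf before the service is started.
# Usage: check_openvpn_conf /etc/openvpn/server.conf
# Exit status is the number of problems found (0 = ready to start).

# Drop comments (# or ;) so that commented-out directives are ignored.
active_lines() {
    sed -e 's/[#;].*$//' "$1"
}

# Print the first argument of an active directive, e.g. "conf_get server.conf key".
conf_get() {
    active_lines "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Succeed if an active directive is present, with or without arguments.
conf_has() {
    active_lines "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit found ? 0 : 1 }'
}

check_openvpn_conf() {
    conf=$1
    confdir=$(dirname "$conf")
    errors=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # A "client" directive marks a client config; anything else is treated as a server.
    if conf_has "$conf" client; then mode=client; else mode=server; fi

    # 1. ca/cert/key (and dh on the server) must name files that exist. Relative
    #    names resolve against the config's own directory, which is where the
    #    recipe places them (/etc/openvpn).
    for d in ca cert key dh; do
        [ "$d" = dh ] && [ "$mode" = client ] && continue
        f=$(conf_get "$conf" "$d")
        if [ -z "$f" ]; then
            echo "missing directive: $d"; errors=$((errors + 1)); continue
        fi
        case $f in /*) path=$f ;; *) path=$confdir/$f ;; esac
        if [ ! -f "$path" ]; then
            echo "$d refers to a missing file: $path"; errors=$((errors + 1))
        elif [ "$d" = key ]; then
            # 2. The private key must not be readable by group or others.
            perm=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
            case $perm in
                *00) ;;
                *) echo "private key $path is mode $perm; chmod 600 it"; errors=$((errors + 1)) ;;
            esac
        fi
    done

    # 3. A server should drop root after start-up (the user/group lines in the recipe).
    if [ "$mode" = server ]; then
        for d in user group; do
            conf_has "$conf" "$d" || { echo "no '$d' directive: daemon keeps running as root"; errors=$((errors + 1)); }
        done
        # Informational only: without this push, clients keep their own default route.
        active_lines "$conf" | grep -q 'push *"redirect-gateway' \
            || echo "note: redirect-gateway is not pushed; client traffic will not all go through the VPN"
    fi

    [ "$errors" -eq 0 ] && echo "$conf: OK ($mode config)"
    return "$errors"
}

# When run directly, check the config given on the command line.
if [ -n "$1" ]; then
    check_openvpn_conf "$1"
fi
```

Run it as root on the server (sh check.sh /etc/openvpn/server.conf) after step 18 and on the client after step 4; a non-zero exit lists each problem on its own line, so it can also be wired into a start-up script as a guard in front of service openvpn start.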
For Windows and Mac OS systems, OpenVPN provides its own client tools. You need an OpenVPN profile with the .ovpn extension. A template can be found with the OpenVPN client you are using, or on the server under the OpenVPN examples, at the following path:

    /usr/share/doc/openvpn/examples/sample-config-files/client.conf