Setting Up an OpenVPN Server on a Cloud Server


A Virtual Private Network (VPN) allows encrypting and isolating communication between devices, such as between customer service agents’ laptops and the company’s headquarters via the Internet. For this, a server with a fixed IP address, ideally available 24/7, is necessary. A hosting.fr Cloud server is well-suited for this purpose.

There are several software solutions for VPN servers. This article describes the configuration of the OpenVPN software. The main components of OpenVPN are under an Open Source GPL license and can therefore be used freely. The connection encryption is done using “OpenSSL” or “mbed TLS”. A paid “OpenVPN Access Server” also exists. In this guide, we will show how to replicate a similar functionality to this server using Open Source components.

For security reasons, it is recommended to identify and authenticate the communication partners using asymmetric (public-key) cryptography. The server receives a TLS certificate from its own certification authority (CA), and the same CA issues the certificates with which clients authenticate.

Prerequisites

  • You have a hosting.fr Cloud server.
  • This guide shows the configuration on a Cloud server with Debian 10 “Buster”. Configuration on other operating systems, such as Ubuntu or CentOS, is similar but may differ in some details.
  • You need root access on the server.
  • A text editor, such as nano or vim, is necessary to edit configuration files.

Installing OpenVPN

Please connect via SSH to your hosting.fr Cloud server:

ssh demoserver.mustermann-domain.de

and switch to root mode to obtain the necessary rights:

sudo -s

Then update the package sources and install the necessary packages:

apt update
apt install openvpn easy-rsa

The easy-rsa working directory, including a vars template, is created in the next section with make-cadir. Once it exists, edit the file /etc/openvpn/easy-rsa/vars with a text editor so that it contains the following lines. Debian 10 ships Easy-RSA 3, whose vars file uses set_var; the export KEY_* lines of Easy-RSA 2 are not used by this version:

# Easy-RSA 3 syntax. These fields are only written into certificates when
# the DN mode is "org" (set_var EASYRSA_DN "org"); the default cn_only mode
# asks for the Common Name only, as in the output shown below.
set_var EASYRSA_REQ_COUNTRY  "FR"
set_var EASYRSA_REQ_PROVINCE "IDF"
set_var EASYRSA_REQ_CITY     "Paris"
set_var EASYRSA_REQ_ORG      "Société Mustermann"
set_var EASYRSA_REQ_EMAIL    "info@mustermann-domain.fr"

Please adapt the values to your needs.

Configuration

Create the Server Certificate Chain

First create the Easy-RSA working directory, which contains the easyrsa tool and a vars template, using the following commands:

cd /etc/openvpn
make-cadir easy-rsa/

Then create the certificate chain using the following commands:

cd /etc/openvpn/easy-rsa
./easyrsa init-pki

The output should look like this:

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Next, we will create a certification authority (CA) using the command:

./easyrsa build-ca

During creation, you will be prompted to enter a passphrase to protect the CA’s private key. Choose a secure password here. Please use the server’s full hostname as the “Common Name”, i.e., for example, demoserver.mustermann-domain.de. The command output should look like this:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
...................+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
139654556873856:error:2406F079:random number generator:RAND_load_file... 
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:demoserver.mustermann-domain.de

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

Now a certificate and a key for the server itself must be created. First, generate the server’s private key and a certificate signing request (CSR); nopass leaves the key unencrypted so that the service can start without a passphrase:

./easyrsa gen-req demoserver.mustermann-domain.de nopass

Then sign the request with the CA’s key using the following command; you will be asked for the CA passphrase set earlier and to confirm the request details:

./easyrsa sign-req server demoserver.mustermann-domain.de

Finally, the Diffie-Hellman parameters must also be created, which can take some time:

./easyrsa gen-dh

A shared key for the tls-auth HMAC is also needed. Run this in /etc/openvpn/easy-rsa so that the file lands where the configurations below expect it:

openvpn --genkey --secret ta.key

With this key, every control-channel packet carries an HMAC that is checked before the TLS handshake starts, so packets without the correct key are dropped immediately. This also provides additional protection against denial-of-service (DoS) attacks.

Modify the Server Configuration Files

Create the file /etc/openvpn/server.conf with a text editor and give it the following content (the paths assume the hostname demoserver.mustermann-domain.de used above; adapt them to your server):

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/demoserver.mustermann-domain.de.crt
key /etc/openvpn/easy-rsa/pki/private/demoserver.mustermann-domain.de.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
server-ipv6 fd8f:d4dc:abcd::/64
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/ta.key 0
user nobody
group nogroup
ifconfig-pool-persist ipp.txt
persist-key
persist-tun
status      /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
cipher AES-256-CBC
explicit-exit-notify 1

Then start the server with:

systemctl start openvpn@server

Check the server status with:

systemctl status openvpn@server

Enable server autostart:

systemctl enable openvpn@server

Internet Access for Clients via VPN Tunnel and NAT with the Server as a Gateway

The VPN tunnel can of course be used only for communication between the clients and the server, and between the clients themselves. Often, however, you also want to tunnel all of the clients’ Internet traffic through the VPN. This is particularly interesting for mobile devices used professionally, which are often in unprotected Wi-Fi networks, for example in hotels or at customer sites. For this you configure Network Address Translation (NAT) on the server, so that devices in the VPN reach the Internet via the server’s public IP addresses.

Modify the /etc/sysctl.conf file and add the following lines:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

or, if there is already a commented line, remove the # to enable this option. To make the configuration active, run the command

sudo sysctl -p /etc/sysctl.conf

To configure a Network Address Translation (NAT), proceed as follows. Starting with Debian Buster, nftables is used by default instead of iptables to configure the firewall. If nftables is not installed, please first install it with:

sudo -s
apt install nftables
systemctl enable nftables.service

Now create the corresponding NAT rules by adding the following lines to the /etc/nftables.conf file:

table ip nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr 10.8.0.0/24 oif "eth0" snat to <IPV4_IP_DES_SERVERS>
        }
}

table ip6 nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip6 saddr fd8f:d4dc:abcd::/64 oif "eth0" snat to <IPV6_IP_DES_SERVERS>
        }
}

Replace <IPV4_IP_DES_SERVERS> with your server’s public IPv4 address and <IPV6_IP_DES_SERVERS> with your server’s public IPv6 address. The interface identifier eth0 may need to be adapted to the actual identifier of the interface on which the public IP addresses are configured. You can find out which it is with ip addr (or with ifconfig, if the net-tools package is installed). To activate the new rules, run the following command with root rights:

nft -f /etc/nftables.conf

Additional lines must be added to the OpenVPN server configuration file to route all VPN client traffic through the VPN tunnel:

push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 2620:119:35::35"
push "dhcp-option DNS 2620:119:53::53"

Here, the DNS servers of OpenDNS are used. Alternatively, you can also use the DNS servers of the hosting.fr data center, 95.129.51.51 and 80.244.244.244. After saving the file, restart the server with systemctl restart openvpn@server so that the new options are pushed to the clients.

Preparing for Client Certificate Creation

To avoid having to copy multiple files to the client, it is advisable to group all necessary data into one file. This can be done with an .ovpn file. To create the file, you can use the following script. Please save the following lines in the /etc/openvpn/easy-rsa/new-client.sh file. Use a text editor for this. Please adjust the hostname demoserver.mustermann-domain.de to match your server in the script.

#!/bin/bash

## parameters to be set here

SERVER="demoserver.mustermann-domain.de"
EASYRSA_DIR="/etc/openvpn/easy-rsa"

## do not change anything from here

# Print a file, or abort if it is missing
cat_file() {
  if [ -f "$1" ]; then
    cat "$1"
  else
    >&2 echo "Error: $1 does not exist."
    exit 1
  fi
}

if [ $# -eq 0 ]; then
  >&2 echo "Please specify a client name."
  exit 1
fi

# The relative pki/ paths below only resolve from the easy-rsa directory
cd "$EASYRSA_DIR" || exit 1

# Create the certificates and keys

./easyrsa gen-req "$1" nopass || exit 1   # Create a request and private key
./easyrsa sign-req client "$1" || exit 1  # Sign the request with the CA

# Make sure every file that goes into the profile exists before writing it
# (cat_file aborts here; inside the $(...) substitutions below it could not)
for f in pki/ca.crt "pki/issued/$1.crt" "pki/private/$1.key" ta.key; do
  cat_file "$f" > /dev/null
done

# A newly signed certificate is accepted without a restart, and restarting
# disconnects all connected clients; drop this line if that matters to you
systemctl restart openvpn@server

# Create the ovpn file; umask 077 keeps it private from the moment it is written

umask 077
cat > "$1".ovpn <<EOF
client
dev tun
proto udp
remote $SERVER 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
$(cat_file pki/ca.crt)
</ca>
<cert>
$(cat_file pki/issued/"$1".crt)
</cert>
<key>
$(cat_file pki/private/"$1".key)
</key>
remote-cert-tls server
<tls-auth>
$(cat_file ta.key)
</tls-auth>
key-direction 1
cipher AES-256-CBC
verb 3
EOF

chmod 600 "$1".ovpn
echo "Profile written to $EASYRSA_DIR/$1.ovpn"

Then make the file executable on the server with:

chmod +x /etc/openvpn/easy-rsa/new-client.sh

Creating Client Certificates

On the server, the new-client.sh script we created earlier can be used to create the keys and certificates, as well as the necessary .ovpn file.

To create a new client, for example called mustermann-windows, you can proceed as follows:

cd /etc/openvpn/easy-rsa
./new-client.sh mustermann-windows

The script will ask a few questions. Please confirm with yes if necessary and enter the passphrase you have already set when prompted.

In our example, the script will generate the mustermann-windows.ovpn file, which is required by the client.

The key and certificate for the client can be created directly on the server and then copied via a secure channel, for example SFTP, to the client.
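Before a profile is handed over, it is worth checking that the script produced a complete file with the expected settings and permissions. The following check script is an added example, not part of the original article; it assumes the profile layout produced by new-client.sh above (inline <ca>, <cert>, <key> and <tls-auth> blocks, key-direction 1 matching tls-auth 0 on the server), the hypothetical file name check-ovpn.sh, and a constructed sample profile with empty PEM bodies for a self-test.

```shell
#!/bin/bash
# check-ovpn.sh (added example, not from the article): sanity-check a client
# profile produced by new-client.sh before it leaves the server.
# Return 0 if the profile has every inline PEM block, the directives the
# server configuration above relies on, and mode 600; 1 otherwise.
check_ovpn() {
  local f="$1" rc=0 tag d mode
  [ -f "$f" ] || { >&2 echo "$f: not found"; return 1; }
  # Each inline block must be present and contain PEM data
  for tag in ca cert key tls-auth; do
    sed -n "/^<$tag>$/,/^<\/$tag>$/p" "$f" | grep -q -- '-----BEGIN' ||
      { >&2 echo "$f: missing or empty <$tag> block"; rc=1; }
  done
  # Directives that must match the server side (tls-auth 0 <-> key-direction 1)
  for d in 'client' 'remote-cert-tls server' 'key-direction 1' 'cipher AES-256-CBC'; do
    grep -qxF "$d" "$f" || { >&2 echo "$f: missing '$d'"; rc=1; }
  done
  # The embedded private key must not be readable by other users
  mode=$(stat -c %a "$f")
  [ "$mode" = "600" ] || { >&2 echo "$f: mode $mode, expected 600"; rc=1; }
  return "$rc"
}
# Write a constructed sample profile (empty PEM bodies, not real keys) to $1.
write_sample_profile() {
  cat > "$1" <<'EOF'
client
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
remote-cert-tls server
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
cipher AES-256-CBC
EOF
  chmod 600 "$1"
}
[ $# -eq 0 ] || check_ovpn "$1"   # check the profile named on the command line
```

Run it as ./check-ovpn.sh mustermann-windows.ovpn; a non-zero exit status and a message on stderr name each problem found.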

Client Configuration

In this section, we will explain how the OpenVPN client can be configured.

Windows

Install the OpenVPN client, which can be downloaded from the official OpenVPN site.

Please copy the ovpn file to the client via a secure connection. For this purpose, for example, WinSCP can be used. Then, please launch the “OpenVPN GUI” program. You can then right-click on the corresponding icon in the taskbar and select “Import a file…”:

OpenVPN Logo

Select the ovpn file you copied to the client and import it. After the import, choose the “Connect” option in the same menu:

OpenVPN Logo

A window with detailed information will briefly open:

OpenVPN Logo

If the connection is successful, the window disappears and a short message appears, indicating that the connection has been successfully established:

OpenVPN Logo

If the connection fails, the window with the status information or log outputs remains open, allowing you to directly troubleshoot. After establishing the connection, you can, for example, ping the device’s IP from the server or check that the client is browsing the Internet with the server’s IP address if NAT has been configured previously.

Linux

We will show here an example of configuring a client with Debian Linux version 10. First, install OpenVPN with the following commands:

sudo apt update 
sudo apt install openvpn

Create the ovpn file for the new Linux client on the server as described above. Then copy the file, for example, with:

scp root@demoserver.mustermann-domain.de:/etc/openvpn/easy-rsa/mustermann-linux.ovpn .

Move the file on your machine to /etc/openvpn/client/client.conf and ensure that it has restrictive access permissions, since it contains the client’s private key:

sudo mv mustermann-linux.ovpn /etc/openvpn/client/client.conf
sudo chmod 600 /etc/openvpn/client/client.conf

To ensure that the server’s DNS options are also automatically applied on the Linux client, additional work is necessary. This step is only necessary if you want to route all client traffic through the server.

Please install the openresolv package:

sudo apt install openresolv

and add the following lines to the /etc/openvpn/client/client.conf file under Debian:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

(On other Linux distributions, it may be necessary to replace “update-resolv-conf” with “update-resolv-conf.sh”.)

Then start the OpenVPN client:

sudo systemctl start openvpn-client@client.service

With the command

sudo systemctl status openvpn-client@client.service

you can display the current status of the client. If the output contains “Active: active (running)”, then the client is working. You can then, for example, ping the device’s IP from the server or, if NAT has been configured previously, check that the client is using the server’s IP address to browse the Internet.

If you want the OpenVPN client to automatically establish a connection at computer startup, run the following command:

sudo systemctl enable openvpn-client@client.service

Android

Please copy the ovpn file you created on the server to the device. This can be done, for example, via USB cable, using an SSH client, or also via an encrypted ZIP file in a Nextcloud.

Install the OpenVPN app from the Google Play Store. After starting the OpenVPN app, you will see the following view:

OpenVPN on Android

Then click on the “+” symbol to define a new VPN profile:

OpenVPN on Android

Then select the ovpn file on your phone. An import protocol will appear:

OpenVPN on Android

Click on the floppy disk to save the new profile. If necessary, you can change the profile name beforehand. The profile will then appear in the list of existing profiles. When you click on the profile, the connection to the OpenVPN server will be established:

OpenVPN on Android

If you return to the overview, the connection status will be displayed:

OpenVPN on Android

Verify the connection by pinging, for example, the phone’s IP address or by going to https://www.whatsmyip.org/ to check if the server’s IP address is displayed from your smartphone and if NAT is working correctly.

iOS

Please install the “OpenVPN Connect” app from the AppStore. Use the “Import a profile” option and then choose the *.ovpn file you previously transferred to your phone by the most secure means possible, for example via USB or Nextcloud:

OpenVPN on iOS

After selecting the *.ovpn file, an overview will appear. Please click on “ADD”:

OpenVPN on iOS

Once the profile is successfully imported, the following message will appear:

OpenVPN on iOS

Click here on “ADD”. The profile is now imported and can be activated with the slider:

OpenVPN on iOS

Then, iOS will ask if OpenVPN can act as a VPN provider:

OpenVPN on iOS

If the connection is successfully established, the message “CONNECTED” will appear:

OpenVPN on iOS

If problems occur during the connection, you can view the log via the corresponding section at the top right:

OpenVPN on iOS

Verify the connection by pinging, for example, the phone’s IP address or by visiting https://www.whatsmyip.org/ to see if the server’s IP address is displayed from your iPhone and if NAT is working correctly.
