path: root/content/weblog/2018-11-02_your-own-vpn/index.md

+++
title = "Setting up your own VPN"
date = 2018-11-02T05:43:00Z
+++

There are many reasons why you would want to use a VPN, especially in this day
and age. The major one would be to securely and more privately surf the web, but
that is far from the only reason. I for one use it as well to be able to set up
a remote network with my desktop PC while I'm away from home, so that I can
access all of my files through SSH. There are a ton of other reasons as to why a
VPN could be useful, but that is not the topic of this post, rather I will be
writing here about to set up your own VPN (yes your own!) on a VPS, or any other
kind of linux server for that matter, using OpenVPN.

<!-- more -->

I am in fact running my own VPN in the same server that I use to host this site
and other projects of mine. However due to certain circumstances I need to
migrate to another VPS, and so I decided to write this little guide to refresh
my memory on how to set up OpenVPN.

Before we begin to set up our VPN, we need to install OpenVPN. I am using Debian
Stretch, so your install process may differ depending on your distro.

```sh
# apt-get install openvpn easy-rsa
```

## Configuring OpenVPN

After installing the necessary packages, we proceed to configure OpenVPN. First
we need to extract the sample OpenVPN server configuration file to /etc/openvpn

```sh
# gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
```

Next we proceed to edit it.

```sh
# vim /etc/openvpn/server.conf
```

Inside we will make changes to basically use higher-level encryption, forward
web traffic to destination, prevent DNS leaking, and set up permissions.

First we make sure that we are using 2048 bit-length keys instead of 1024. In my
case it was already set to 2048 bit by default, however, the first time that I
set up OpenVPN the default was 1024, so find this line

```
dh dh2048.pem
```

If instead you see "dh1024.pem" change it so that it is like in this example.

Next we make sure to redirect all traffic to its proper destination. Find this
line

```
push "redirect-gateway def1 bypass-dhcp"
```

If it has a semicolon (;) at the beginning, remove it so that it is uncommented.

Now we will tell OpenVPN to use OpenDNS for DNS resolution. This will help
prevent DNS requests from leaking outside of the VPN connection.

Immediately after the previous setting, you will see a block of comments
followed by two commented lines

```
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
```

As previously, just remove the semicolon character from the beginning of the
line.

Next we should comment the next line with a # or ; character. It is supposed to
be used as an extra security measure especially against DoS attacks, however, we
don't really need it

```
tls-auth ta.key 0 # This file is secret
```

If you really want to leave that on, you will need to generate it

```sh
openvpn --genkey --secret ta.key
```

And last but not least in our server.conf file, we need to adjust permissions.
Find and uncomment these lines

```
user nobody
group nogroup
```

This way OpenVPN doesn't run as the root user. And we don't want any random
program wildly running as root, especially ones that are exposed to the
interwebz, no sir we don't ( ͡° ͜ʖ ͡°).

After having made all the needed changes, just write them and close the editor.

## Configuring network and firewall

We need to enable packet forwarding, otherwise our traffic will not leave the
server.

So that we don't have to reboot our server (let's leave all that rebooting to
windows systems), we can enable it on runtime by running the following command

```sh
# sysctl net.ipv4.ip_forward=1
```

However, we need to make this change permanent as well, so we open the following
file

```sh
# vim /etc/sysctl.conf
```

And uncomment the following line by removing the hash character (#) at the
beginning of the line

```sh
net.ipv4.ip_forward=1
```

Save your changes and close the editor.

Now we need to properly set up our firewall. Personally I use ufw as front-end
to iptables, since it is pretty easy to set up and use (as its name suggests,
uncomplicated firewall). If you don't have it installed yet, you can go ahead
and run

```sh
# apt-get install ufw
```

By default ufw denies all incoming connections and allow all outgoing. Those
defaults are fine for my case, some might prefer to deny all outgoing
connections by default, some riskier guys (or gals) might prefer to allow all by
default (however, you wouldn't have unprotected fun time with just any partner,
now would you?( ͡° ͜ʖ ͡°)), however explaining all the details about ufw is out of
the scope of this tutorial, but I invite you use your duckduckgo-fu if you're
interested in learning more about ufw.

Now, as ufw denies all incoming connections by default, we need to configure it
so that we don't get locked out of our server. If you use the standard ssh port,
just run the following command

```sh
# ufw allow ssh
```

ufw comes with some presets for the most common services, so that in fact allows
connections from port 22 over tcp. If you, like me, prefer to use another port
for SSH, you need to specify the port and protocol manually, so, if say, you
connect to SSH over port 3333, you would run

```sh
# ufw allow 3333/tcp
```

(Of course that is not the actual port I myself use for ssh, so don't even try
(That is however not an open invitation to try and guess my SSH port and hack
yourself into my server (seriously, please don't hack me ´༎ຶ ͜ʖ ༎ຶ ))).

In this tutorial we will be using OpenVPN on port 1194 over UDP, so we must
allow it

```sh
# ufw allow 1194/udp
```

Next we need to set ufw's forwarding policy, so we open the primary
configuration file

```sh
# vim /etc/default/ufw
```

Modify the following line

```
DEFAULT_FORWARD_POLICY="DROP"
```

So that it looks like this

```
DEFAULT_FORWARD_POLICY="ACCEPT"
```

Save and exit.

Open this file

```sh
# vim /etc/ufw/before.rules
```

And add the rules for OpenVPN somewhere after the first block of comments

```
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
```

Once more, save and exit.

Now we can safely enable ufw

```sh
# ufw enable
```

It will say something about disrupting current SSH connections, however, since
we just added the needed rules for SSH we can go ahead and answer y.

## Configuring the Certificate Authority

Now we are going to setup our own CA. This is crucial since OpenVPN encrypts
traffic (what use is a VPN that doesn't encrypt traffic?)

First we need to copy the RSA generation scripts

```sh
# cp -r /usr/share/easy-rsa/ /etc/openvpn
```

Next, we create a directory to house our keys

```sh
# mkdir /etc/openvpn/easy-rsa/keys
```

Now we open the variables files

```sh
# vim /etc/openvpn/easy-rsa/vars
```

And modify these lines according to our needs/preferences (they are not that
really important)

```sh
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
```

Then, in the same file, we need to change the name of the key. For simplicity's
sake we will use the name "server", since that's the name that OpenVPN uses to
reference the .key and .crt files by default. If you decide to use a different
name, you will need to modify the OpenVPN configuration files that reference the
aformentioned files.

So change this

```sh
# X509 Subject Field
export KEY_NAME="EasyRSA"
```

Into this

```sh
# X509 Subject Field
export KEY_NAME="server"
```

Save and exit.

Next we will use OpenSSL to generate the Diffie-Helman parameters. Grab a cup of
tea, take a seat, it might take some minutes

```sh
# openssl dhparam -out /etc/openvpn/dh2048.pem 2048
```

Now that our certificate is ready, it's time to generate a key. For that, we
first switch into the easy-rsa folder

```sh
# cd /etc/openvpn/easy-rsa
```

Now we start setting up the CA. We first, need to initialize the Public Key
Infrastructure (PKI). For that we need to source the vars file

```sh
# . ./var
```

If you get something like this in your output

```
  No /etc/openvpn/easy-rsa/openssl.cnf file could be found
  Further invocations will fail
```

Your .cnf might have a different name (due to differing versions of OpenSSL).
Just copy it like this

```sh
# cp openssl-*.cnf openssl.cnf
```

And source the vars file one more time.

After sourcing the vars file, it will give us a warning about removing some
files. Don't sweat it, it's fine, since right now that folder is empty. So we go
ahead and clear any and all keys that might interfere with out setup

```sh
# ./clean-all
```

Finally, we can go ahead and build our CA using the following command

```sh
# ./build-ca
```

We can skip through each prompt since we set up that info previously inside the
vars file. The CA is now ready to go.

## Generating a certificate and key for our server

Now we can proceed to actually setting up and launching OpenVPN.

While still on the easy-rsa folder, we input this command

```sh
# ./build-key-server server
```

server is the name of the key that we set up earlier in the vars file. We can go
ahead, and as earlier leave the defaults which we configured in the vars file.

Upon reaching these prompts

```
A challenge password []:
An optional company name []:
```

Just press enter for both. We won't be needing them for this setup.

The last two entries require a y answer

```
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]
```

Now that our server certificate and key are ready, we need to copy them over to
/etc/openvpn, since that the directory in which OpenVPN will be looking for them

```sh
# cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
```

Now we can start OpenVPN

```sh
# systemctl start openvpn
```

You can check if it launched correctly by running

```sh
# systemctl status openvpn
```

It should say something like "Active: active (exited) since..." then,
congratulations! OpenVPN is now running in your server. If it says otherwise,
maybe something like "inactive (dead)...", you might to check the log file
"/var/log/syslog" for errors.

If all is fine and dandy, you can enable the OpenVPN service so that it
automatically starts on each reboot

```sh
# systemctl enable openvpn
```

## Generating certificates keys for clients

Ideally each client that needs to connect to the VPN should have their own
unique certificate and key. Actually, by default, OpenVPN doesn't allow
simultaneous connections using the same certificate.

Because of that you will need to repeat the steps in this section for each
device that you wish to allow to connect to your VPN, just changing the name
"desktop" below, to something different like "laptop" or "phone". This way you
can also later deactivate a specific device/client from accessing if needed be.

I will start by building the key and certificate for my desktop computer, so I
will be using the "desktop" name as an example. We still should be in our
easy-rsa directory

```sh
# ./build-key desktop
```

Once more, as with the server's cert and key, we will asked about some info
which we set on the vars, so we should skip all that by pressing enter
(including setting the passwords). Just press y both times at the end to
confirm.

Now we need the sample profile to the keys folder. We need to change its
extension to ovpn, since that will be the file that OpenVPN will use on each
device to automatically set the profile to connect to our VPN server

```sh
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
```

The name of this file doesn't need to be related to our client's cert and key
filenames, we can actually name to something that will describe our VPN, since
that will be the name that OpenVPN will be pick up by default in our client
device for our profile. So you can name it "work.ovpn" or maybe something more
rich like "muhfreedumbs.ovpn"

```sh
# mv keys/client.ovpn keys/muhfreedumbs.ovpn
```

After that we need to make some modifications to our ovpn file, so open it up

```sh
# vim keys/muhfreedumbs.ovpn
```

And edit the line starting with remote with your server's ip address

```
remote your.ip.address.here 1194
```

And if you chose to leave out the "ta.key" file protection option, don't forget
to comment this line

```
tls-auth ta.key 0
```

Next we find these two lines and uncomment them (remove the ; character at the
beginning of each line)

```
user nobody
group nogroup
```

That's it. All that's left is to copy the client key and certificate, and the
ovpn file over to our device. First we need to copy them to another folder that
is available to our standard (non-root) user on the server for reading, since it
is not a good idea to have root login enabled on SSH. For example, we could
create a "vpnkeys" folder in our user's home directory

```sh
$ mkdir /home/yaroslav/vpnkeys
```

And then copy the need files over to that folder

```sh
# cp /etc/openvpn/easy-rsa/keys/{desktop.key,desktop.crt,muhfreedumbs.ovpn} /home/yaroslav/vpnkeys/
```

There is one more file that we need to copy, the server's certificate

```sh
# cp /etc/openvpn/ca.crt /home/yaroslav/vpnkeys/
```

If you previously also left the secret "ta.key" file enabled and generated it,
you should copy that too.

Note that the "ca.crt" and the ovpn files will be the same for all devices. If
you wish to create a new key/cert pair for another device/client, you DO NOT
need to create a new ovpn file, just run the "./build-key clientkeyname" command
as before and copy the same old ovpn and ca.crt file along with client key and
cert to your other device.

Now we need to actually copy the keys to our device. You can use rsync or scp
for that. For example, I will be using scp to copy them to my Keys folder

```sh
$ scp -P portno -r yaroslav@ipaddressorurl:/home/yaroslav/vpnkeys ~/Keys/
```

If you need to use your VPN on your mobile device, just copy them first to your
computer through SSH, and then transfer them over to your mobile device.

After transferring them to the device, you should delete the keys from the home
directory.

## Conclusion

Now that all is setup on the server side of things, you can go ahead and add
your VPN profile on your device. This process will vary greatly from device to
device.

On most Linux distros/DEs, for example, you would go to your network manager,
and select "Configure VPN..." or something like that. Then, a window with a list
of (VPN) connections will appear, and you should be able to add your profile by
clicking on the plus (+) button. After another window like this should pop up

![VPN dialog](vpndialog.png)

You should select the option that says "Import a saved VPN configuration..."

Note that the "openvpn" and "networkmanager-openvpn" packages should be
installed in your (client) system.

Once you have connected to your VPN, you can head over to
[https://dnsleaktest.com/](https://dnsleaktest.com/) to check your connectivity.

Now you can more safely and securely browse the interwebz, and be sure that no
third-party VPN company is logging your activity.