Setup OpenVPN with Clients able to communicate to each other

The target of this tutorial is to set up an OpenVPN server on an Ubuntu or Debian based system. It guides you through all the packages that are required, the initial setup, the server configuration and hints, the first connection and future improvements. For example, if you follow this tutorial with a server hosted in the US, you can order things from the US that are restricted to that area, or even watch all the new series on Netflix. A second good aspect is security and encryption: you can create a VPN key for your friends so they no longer have to open ports on their firewall just for you.

Requirements:

  • vServer from any provider that has TUN/TAP support (I would NOT go with OpenVZ containers, as most of them don't support TUN/TAP)
  • Server needs to have a static IP
  • My home network has a LAN and a DMZ; the LAN is 10.1.0.0/24 and the DMZ is 10.2.0.0/24, so for the VPN I will use 10.3.0.0/24. Adjust these depending on your own networks.
  • Some basic knowledge of Linux is recommended, because this is not a tutorial about vi or nano
  • An Internet connection with at least 1 MBit to the server
  • An available free port; I will use 443
  • Full UDP Internet access

1. Get started with the Server

First we need to install the needed packages. We always want the newest version installed so we don't run into bugs or missing security fixes.

sudo apt-get update

This command refreshes your source list so that your system sees the newest packages. The next step is to install all needed packages.

sudo apt-get install openvpn openssl -y

This installs the OpenVPN server and OpenSSL for the certificates you need to encrypt your tunnel. Because I don't like to mess with the SSL configuration too much, there is a small helper :-) called easy-rsa. To install it, do the following:

# fetch easy-rsa 2.2.2 over HTTPS with certificate verification enabled (this is the tooling your whole PKI is built with, so do not skip the check)
sudo wget -O ~/easy-rsa.tar.gz https://github.com/OpenVPN/easy-rsa/archive/2.2.2.t
sudo tar xzf ~/easy-rsa.tar.gz -C ~/
sudo mkdir -p /etc/openvpn/easy-rsa/2.0/
sudo cp ~/easy-rsa-2.2.2/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/
# clean up the download and the extracted archive
sudo rm -rf ~/easy-rsa-2.2.2
sudo rm -rf ~/easy-rsa.tar.gz

Then we need to change into the easy-rsa directory and copy the OpenSSL config file under the name easy-rsa expects. Change to /etc/openvpn/easy-rsa/2.0 and copy the file as follows:

cd /etc/openvpn/easy-rsa/2.0
sudo cp -u -p openssl-1.0.0.cnf openssl.cnf

Per default, and because of the NSA that worked most of the encryption out, the key size is set to 1024 bits, which of course is much too small for today's standards, so we need to increase it to 2048 or even higher.

sudo sed -i 's|export KEY_SIZE=1024|export KEY_SIZE=2048|' /etc/openvpn/easy-rsa/2.0/vars

This changes the key size to 2048 bits where needed. For OpenVPN to work properly we need our own PKI (Public Key Infrastructure):

sudo su
cd /etc/openvpn/easy-rsa/2.0
. ./vars          # loads the KEY_* settings (KEY_SIZE=2048) and points EASY_RSA at this directory
. ./clean-all     # wipes and recreates the keys/ directory: run this only once, on a fresh setup
"$EASY_RSA/pkitool" --initca          # builds the CA certificate (ca.crt) and its private key (ca.key)
"$EASY_RSA/pkitool" --server server   # builds the server certificate and key, signed by the CA
# Client keys: set CLIENT to the client's name before running the next two lines
# (section 2 below does exactly this for a real client, so you can also skip them here)
export KEY_CN="$CLIENT"
"$EASY_RSA/pkitool" "$CLIENT"
. ./build-dh      # Diffie-Hellman parameters (dh2048.pem with KEY_SIZE=2048); this takes a while

That was it for the server certificates. Let's start with the OpenVPN server configuration and move the keys to the right places.

cd /usr/share/doc/openvpn/examples/sample-config-files
gunzip -c server.conf.gz > /etc/openvpn/server.conf   # unpack the sample server config straight into /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0/keys
# the server needs the CA certificate, but not the CA private key (ca.key): leave that in the keys directory
cp ca.crt dh2048.pem server.crt server.key /etc/openvpn
cd /etc/openvpn

Now we will change some settings in the server.conf of openvpn.

sed -i 's|dh dh1024.pem|dh dh2048.pem|' server.conf   # use the 2048-bit DH parameters we generated
sed -i 's|server 10.8.0.0 255.255.255.0|server 10.3.0.0 255.255.255.0|' server.conf   # hand out addresses from our VPN subnet 10.3.0.0/24 (must match the SNAT rule below)
sed -i 's|;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1 bypass-dhcp"|' server.conf   # send all client traffic through the VPN
sed -i "s|port 1194|port 443|" server.conf   # listen on port 443 instead of the default 1194
sed -i 's|;push "dhcp-option DNS 8.8.8.8"|push "dhcp-option DNS 8.8.8.8"|' server.conf   # push DNS servers to the clients
sed -i 's|;push "dhcp-option DNS 8.8.4.4"|push "dhcp-option DNS 8.8.4.4"|' server.conf

We changed some configuration settings: the gateway, the certificate, the port and the DNS servers (please change these for your requirements; I also recommend DNS servers that support DNSSEC, like the Google ones). Our system also needs some settings changed in order to work properly:

sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward

The first of these two commands uncomments IPv4 forwarding in the sysctl configuration; the second writes a 1 to ip_forward, which activates it immediately. For more security and DNS redirects we will also set up iptables:

# PLEASE REPLACE $IP WITH YOUR SERVER'S IP in the lines below (or set it first: IP=<your-server-ip>)
apt-get install iptables
# UDP packets arriving at the server on port 53 are redirected to OpenVPN on port 443
iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port 443
sed -i "1 a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port 443" /etc/rc.local
# traffic from VPN clients (10.3.0.0/24) that leaves the VPN is rewritten to the server's IP
iptables -t nat -A POSTROUTING -s 10.3.0.0/24 ! -d 10.3.0.0/24 -j SNAT --to $IP
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.3.0.0/24 ! -d 10.3.0.0/24 -j SNAT --to $IP" /etc/rc.local
# the two sed commands insert each rule after the first line of /etc/rc.local, so they are applied again at boot

Our server is configured; we just need to restart OpenVPN and prepare the client config (.ovpn) file.

/etc/init.d/openvpn restart
sed -i "s|remote my-server-1 1194|remote $IP 443|" /usr/share/doc/openvpn/examples/sample-config-files/client.conf

The first command restarts the OpenVPN service and the second replaces the remote line in the default client configuration, so that we don't have to change it for every new user we create. Remember to replace $IP with your vServer IP in the second command as well.

2. Create a Client configuration File

Now we create a new configuration file for each client you want to connect to this network. Replace MikeJans, which is my name, with a device name you will remember or a friend's name.

cd /etc/openvpn/easy-rsa/2.0/
source ./vars
export KEY_CN="MikeJans"
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" MikeJans          # builds keys/MikeJans.crt and keys/MikeJans.key, signed by our CA
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/MikeJans.ovpn
# remove the file-based certificate directives; we embed the certificates inline instead
sed -i "/ca ca.crt/d" ~/MikeJans.ovpn
sed -i "/cert client.crt/d" ~/MikeJans.ovpn
sed -i "/key client.key/d" ~/MikeJans.ovpn
echo "<ca>" >> ~/MikeJans.ovpn
cat /etc/openvpn/easy-rsa/2.0/keys/ca.crt >> ~/MikeJans.ovpn
echo "</ca>" >> ~/MikeJans.ovpn
echo "<cert>" >> ~/MikeJans.ovpn
cat /etc/openvpn/easy-rsa/2.0/keys/MikeJans.crt >> ~/MikeJans.ovpn
echo "</cert>" >> ~/MikeJans.ovpn
echo "<key>" >> ~/MikeJans.ovpn
cat /etc/openvpn/easy-rsa/2.0/keys/MikeJans.key >> ~/MikeJans.ovpn
echo "</key>" >> ~/MikeJans.ovpn
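The same assembly as a reusable function, as an added example that is not part of the original tutorial: it takes any client name instead of the hard-coded MikeJans, refuses to build a profile for a client whose certificate or key does not exist yet (the typical mistake is running the cp/cat steps before pkitool), creates the output owner-readable only because it contains the private key, and keeps only the PEM block of each file (easy-rsa 2 prepends a human-readable dump to the .crt files). The function names, the constructed demo inputs and the PEM-shaped placeholder strings are all assumptions of this example; they are not real certificates or keys.

```shell
#!/bin/sh
# Added example, not code from the tutorial: assemble a client .ovpn with the
# CA certificate, client certificate and client key embedded inline, the same
# layout the tutorial builds by hand with echo/cat for "MikeJans".
# Usage: build_client_ovpn NAME TEMPLATE KEYS_DIR OUT_FILE
#   NAME      the common name given to pkitool (e.g. MikeJans)
#   TEMPLATE  the sample client.conf with the remote line already adjusted
#   KEYS_DIR  easy-rsa keys directory holding ca.crt, NAME.crt, NAME.key

build_client_ovpn() {
    name=$1; template=$2; keys=$3; out=$4
    # Refuse to build a profile for a client that has no certificate or key yet.
    for f in "$template" "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        if [ ! -r "$f" ]; then
            echo "build_client_ovpn: missing $f (run pkitool $name first?)" >&2
            return 1
        fi
    done
    # The output carries a private key: create it owner-readable only.
    : > "$out" && chmod 600 "$out"
    # Drop the file-based ca/cert/key directives; inline blocks replace them.
    # Anchored at line start, so commented lines such as ";tls-auth ta.key 1" stay.
    grep -Ev '^(ca|cert|key)[[:space:]]' "$template" >> "$out"
    for tag in ca cert key; do
        case $tag in
            ca)   src=$keys/ca.crt ;;
            cert) src=$keys/$name.crt ;;
            key)  src=$keys/$name.key ;;
        esac
        {
            echo "<$tag>"
            # easy-rsa .crt files start with a human-readable dump; keep only
            # the PEM block between BEGIN and END.
            sed -n '/^-----BEGIN/,/^-----END/p' "$src"
            echo "</$tag>"
        } >> "$out"
    done
}

# Number of times an inline tag opens in a profile; a valid profile has exactly one of each.
# Usage: count_tag FILE ca
count_tag() {
    grep -c "^<$2>\$" "$1"
}

# Constructed stand-in inputs for an offline run: these are NOT real
# certificates or keys, just PEM-shaped placeholders in the layout easy-rsa produces.
make_demo_inputs() {
    dir=$1
    mkdir -p "$dir/keys"
    printf '%s\n' client 'ca ca.crt' 'cert client.crt' 'key client.key' ';tls-auth ta.key 1' > "$dir/client.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' '-----END CERTIFICATE-----' > "$dir/keys/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump easy-rsa prepends)' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT' '-----END CERTIFICATE-----' > "$dir/keys/alice.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' '-----END PRIVATE KEY-----' > "$dir/keys/alice.key"
}

demo_dir=$(mktemp -d)
make_demo_inputs "$demo_dir"
if build_client_ovpn alice "$demo_dir/client.conf" "$demo_dir/keys" "$demo_dir/alice.ovpn"; then
    echo "built $demo_dir/alice.ovpn with $(count_tag "$demo_dir/alice.ovpn" cert) inline cert block"
fi
```

On the real server you would call it as `build_client_ovpn MikeJans /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/2.0/keys ~/MikeJans.ovpn` after the pkitool step above.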

In your home folder you will now find the MikeJans.ovpn file (under whatever name you chose). Copy it to your local machine where you have Tunnelblick (Mac), Securepoint SSL VPN (Windows) or the OpenVPN client on Linux. Add it to your VPN client and connect. The file contains the client's private key, so hand it over on a secure channel and not by plain e-mail.

3. Changes I made

Per default, clients can not talk to each other and not even to the server. I wanted my clients to be able to talk to each other and all outgoing traffic to go over my VPN server, so I was forced to change some settings in the /etc/openvpn/server.conf file.

push "route 10.3.0.0 255.255.255.0" # This provides the route for the client to the internally assigned virtual IPs
route 10.3.0.0 255.255.255.0 # So the server itself knows where the right route goes (same subnet as the server line, 10.3.0.0/24 here)
push "redirect-gateway bypass-dhcp" # This forces all clients to send all traffic over OpenVPN
client-to-client # This is the setting that allows clients to communicate with each other, if they are in the same subnet
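A consistency check for the finished server.conf, as an added example that is not part of the original tutorial: the subnet in the `server` line, the pushed route, the server's own `route` line and the subnet the SNAT rule in section 1 matches (10.3.0.0/24) all have to agree, otherwise clients get addresses the NAT rule never rewrites and lose Internet access through the tunnel, and `client-to-client` has to be present for clients to reach each other. The function names and the two constructed sample configs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the tutorial: sanity-check an OpenVPN
# server.conf against the VPN subnet used elsewhere in this setup.
# Usage: check_server_conf /etc/openvpn/server.conf 10.3.0.0 255.255.255.0
# Reports every directive whose subnet differs from the expected one and
# whether client-to-client is enabled; exit status 0 only if all is consistent.

# Print "network netmask" of the first active (uncommented) line for a
# directive: "server", "route" or "push_route" (push "route ..."). Empty if absent.
conf_subnet() {
    case $1 in
        push_route)
            grep -E '^push[[:space:]]+"route[[:space:]]' "$2" | head -n 1 \
                | tr -d '"' | awk '{print $3, $4}' ;;
        *)
            grep -E "^$1[[:space:]]" "$2" | head -n 1 | awk '{print $2, $3}' ;;
    esac
}

check_server_conf() {
    conf=$1; want="$2 $3"; errors=0
    for directive in server route push_route; do
        got=$(conf_subnet "$directive" "$conf")
        if [ -z "$got" ]; then
            echo "missing: $directive"
            errors=$((errors + 1))
        elif [ "$got" != "$want" ]; then
            echo "mismatch: $directive uses '$got', expected '$want'"
            errors=$((errors + 1))
        fi
    done
    if ! grep -Eq '^client-to-client' "$conf"; then
        echo "missing: client-to-client (clients will not be able to reach each other)"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Constructed sample configs for an offline run (not copied from a real server).
# bad.conf keeps the sample file's 10.8.0.0 server line while the rest uses 10.3.0.0.
write_samples() {
    cat > "$1/good.conf" <<'EOF'
port 443
proto udp
server 10.3.0.0 255.255.255.0
push "route 10.3.0.0 255.255.255.0"
route 10.3.0.0 255.255.255.0
push "redirect-gateway bypass-dhcp"
client-to-client
EOF
    cat > "$1/bad.conf" <<'EOF'
port 443
server 10.8.0.0 255.255.255.0
push "route 10.3.0.0 255.255.255.0"
;route 10.3.0.0 255.255.255.0
;client-to-client
EOF
}

sample_dir=$(mktemp -d)
write_samples "$sample_dir"
for f in good bad; do
    if check_server_conf "$sample_dir/$f.conf" 10.3.0.0 255.255.255.0; then
        echo "$f.conf: consistent"
    else
        echo "$f.conf: problems found"
    fi
done
```

Run it against /etc/openvpn/server.conf after the sed commands of section 1 and the additions above; each line it prints names one directive to fix before restarting OpenVPN.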

If you encounter any trouble, please leave a comment…
