Road Warrior OpenVPN Part 2
In part 1 we looked at getting OpenVPN set up and configured on your VPS as a way to encrypt and protect your traffic when using wifi hotspots. In this part we’ll continue that work. Last time we left off having tweaked the OpenVPN configuration to meet our needs. Next we need to enable IP forwarding on the server so that incoming VPN traffic destined for the rest of the internet can be forwarded on.
How to Configure Port Forwarding
This is done by editing the /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf
You are looking for a line looking like this:
#net.ipv4.ip_forward=1
Remove the hash (#) symbol at the start of the line to uncomment it, then save and exit the file.
This change will only take effect after the server has rebooted (or after the file is reloaded with sudo sysctl -p), so to enable it for the rest of the current session we’ll write directly to the kernel’s runtime setting. Note that a plain “sudo echo 1 > /proc/sys/net/ipv4/ip_forward” fails with “Permission denied”, because the redirection is performed by your unprivileged shell rather than by sudo; piping through tee avoids this:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
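As an added example (not code from the original post), the following POSIX shell functions perform the sysctl.conf edit described above non-interactively and report the resulting state, so the change can be scripted and verified rather than made by hand in nano. The function names are assumptions, and the sample file written at the bottom is a constructed stand-in for /etc/sysctl.conf so the script runs without root:

```shell
#!/bin/sh
# Added example (not part of the original post): enable net.ipv4.ip_forward in a
# sysctl.conf-style file and verify the result. The file path is a parameter;
# a constructed sample file stands in for /etc/sysctl.conf below.

# Report the state of net.ipv4.ip_forward in the given file:
# "enabled", "disabled", "commented" or "missing".
ip_forward_state() {
    f="$1"
    if grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$f"; then
        echo enabled
    elif grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f"; then
        echo disabled
    elif grep -Eq '^[[:space:]]*#[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f"; then
        echo commented
    else
        echo missing
    fi
}

# Set net.ipv4.ip_forward=1 in the file: uncomment or rewrite an existing line
# (the manual edit from the post), or append one if the setting is absent.
# Prints the resulting state so the caller can confirm it is "enabled".
enable_ip_forward() {
    f="$1"
    case "$(ip_forward_state "$f")" in
        enabled) ;;
        disabled|commented)
            # Strip any leading '#' and force the value to 1, writing through a
            # temp file so the original is only replaced on success.
            sed -E 's/^[[:space:]]*#?[[:space:]]*(net\.ipv4\.ip_forward)[[:space:]]*=.*$/\1=1/' "$f" > "$f.tmp" \
                && mv "$f.tmp" "$f" ;;
        missing) echo 'net.ipv4.ip_forward=1' >> "$f" ;;
    esac
    ip_forward_state "$f"
}

# Apply the setting to the running kernel as well (the post's runtime step).
# The write must be done by a root process, hence tee rather than a shell
# redirection; this only attempts the write when already running as root.
apply_ip_forward_now() {
    if [ "$(id -u)" -eq 0 ] && [ -w /proc/sys/net/ipv4/ip_forward ]; then
        echo 1 | tee /proc/sys/net/ipv4/ip_forward >/dev/null || echo "could not write runtime setting"
    fi
    cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown
}

# Demonstration on a constructed stand-in for /etc/sysctl.conf.
sample="$(mktemp)"
printf '# Uncomment the next line to enable packet forwarding for IPv4\n#net.ipv4.ip_forward=1\n' > "$sample"
echo "before: $(ip_forward_state "$sample")"   # commented
echo "after:  $(enable_ip_forward "$sample")"  # enabled
rm -f "$sample"
```

On the server itself you would run enable_ip_forward /etc/sysctl.conf as root, then either apply_ip_forward_now or sudo sysctl -p to load the file into the running kernel; the state function gives you a quick check that the persistent setting really is uncommented rather than assuming the nano edit went as planned.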
How to Configure a Certificate Authority
The next major step in getting OpenVPN ready is configuring a certificate authority. OpenVPN uses certificates that it creates and manages to establish trust between the client and server. For this we are using Easy-RSA, so we’ll start by copying its scripts to our OpenVPN configuration directory, then make a directory to store our keys in:
sudo cp -r /usr/share/easy-rsa/ /etc/openvpn/
sudo mkdir /etc/openvpn/easy-rsa/keys
Now we need to configure the variables we need for our key generation. To do this edit the /etc/openvpn/easy-rsa/vars file.
sudo nano /etc/openvpn/easy-rsa/vars
Scroll down until you find a section entitled:
# These are the default values for fields
# which will be placed in the certificate.
Next come lines containing the following variables: “KEY_COUNTRY”, “KEY_PROVINCE”, “KEY_CITY”, “KEY_ORG”, “KEY_EMAIL”, and “KEY_OU”. These variables should be changed to suit your requirements and should reflect your details.
You should also change the “KEY_NAME” in the section beneath. In this example we will call it “vpsvpn”, so after changing the line should look like this:
export KEY_NAME="vpsvpn"
With these changes made, save and exit the file.
Now we need to use OpenSSL to create the Diffie-Hellman key parameters we specified in the server.conf file:
sudo openssl dhparam -out /etc/openvpn/dh2048.pem 2048
This will warn that it will take a long time, so you may need to sit and wait while the screen fills with dots and plus symbols.
With that done, we can then look at creating the Certificate Authority for OpenVPN to use:
cd /etc/openvpn/easy-rsa
. ./vars
The second line should print a warning about running “./clean-all”. If not, make sure you got the dots and the space correct in the command. Note that sourcing vars sets variables in your own shell, and sudo resets the environment by default, so the Easy-RSA scripts below are run with sudo -E to keep those variables (without it, clean-all complains that vars has not been sourced). As we haven’t put anything in the directory that will be wiped, we’ll go ahead and run clean-all:
sudo -E ./clean-all
Now you just need to create the CA with the following command:
sudo -E ./build-ca
It will prompt for some values, but you’ll note that it shows the same values in square brackets that you set in the vars file. These are the defaults that will be used, so you can just skip through by hitting the enter key. With that done, your certificate authority is ready.
Now we need to build our server’s key, which we can do with the following command:
sudo touch /etc/openvpn/easy-rsa/keys/index.txt
echo 01 | sudo tee /etc/openvpn/easy-rsa/keys/serial
sudo -E ./build-key-server vpsvpn
Note that we used vpsvpn here as the name of the server as set in the vars file. If you used a different server name you’ll need to change it to meet your requirements. Once done, you’ll be prompted with familiar questions for details for the key, which again you can skip through by hitting enter. There are also some additional questions about setting a password and optional company name, but hit enter to leave those blank. After that you will be asked to sign the certificate and then commit the certificate signing. Answer “y” to both of these.
Finalizing the OpenVPN Setup
Finally, we need to copy these files to the /etc/openvpn directory:
sudo cp /etc/openvpn/easy-rsa/keys/vpsvpn.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/keys/vpsvpn.key /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn
Note here that the filenames follow the name you gave the server, so replace “vpsvpn” with the server name you used.
After this OpenVPN should be ready to start with the following command:
sudo service openvpn start
You can confirm that it is running with the following command:
sudo service openvpn status
While this has the OpenVPN server running, we’ve got more to set up before having clients connect to the service – something we will look at next time.