Setting up a VPN server is one hell of a job. I really thought it’d be easy to just set up and go. Setting up a static key VPN using OpenVPN is really straightforward, but we don’t use static keys out here. It’s a good start though, in terms of familiarizing yourself with how OpenVPN works and all, but holy balls, lol. I remember seeing a tool that created a VPN automatically for you using your own DigitalOcean account to handle making the VPS. For $5/month, your own controlled VPN sounds really good. But as always, I was curious how I could incorporate this VPN building into oa. OpenVPN can use TLS for its encryption, so I figured, since I managed to get the blog using TLS, why not have the VPN do the same?
Before we continue, I should remind you that this is a reflection post of me setting up OpenVPN on Debian. If you’re looking to do so yourself, check out Debian’s and OpenVPN’s official documentation before continuing here.
A bit of background here: I initially assumed the version of OpenVPN installed on Debian Wheezy to be really freaking old. It wasn’t incredibly old, but the packages I needed to make this easy to use weren’t available via OpenVPN’s sources, so I stuck with the version in Debian for now. Getting those packages installed is as simple as running the following:
The second package, openvpn-blacklist, gives you openvpn-vulnkey to check for bad 2048-bit keys when using pre-shared keys. Useful if you’re using that approach, but we won’t do that here.
From here, we’d copy over the directory that Debian’s version of OpenVPN provides for quick-and-easy setting up of SSL certificates and keys.
After that, you’re going to want to update the variables file that’d be used for the generation of the certificates and the likes. That file would be located
```sh
export EASY_RSA=/etc/openvpn/easyrsa
export CA_EXPIRE=100            # days until the CA certificate expires
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="NewYork"
export KEY_ORG="stark.industries" # This can be anything.
export KEY_EMAIL="vpn@stark.com"
export KEY_EMAIL=vpn@stark.com
export KEY_NAME=vpn.stark
export KEY_OU=vpn.stark
export KEY_SIZE=2048            # RSA key size in bits for CA, server and clients
export KEY_EXPIRE=100           # days until issued certificates expire
export KEY_DIR="$EASY_RSA/keys"
# Issue rm -rf warning
echo "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR"
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# The two lines below override the dummy PKCS11 values above
export PKCS11_MODULE_PATH=/etc/openvpn/pkcs11
export PKCS11_PIN=3919
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
```
With the variables down, you can go ahead and set up the configuration of your VPN server now. Here’s a sample configuration. Encryption and the likes are disabled so that you can slowly upgrade the ciphers and authentication for other devices you might want to support.
```
port 1194
proto udp
dev tun
# Subnet handed out to clients. This must be the network address (10.8.0.0),
# not the server's own tun address; OpenVPN rejects a non-network address here
# and assigns 10.8.0.1 to the server itself.
server 10.8.0.0 255.255.255.0
tls-server
ca /etc/openvpn/easyrsa/keys/ca.crt
cert /etc/openvpn/easyrsa/keys/server.crt
key /etc/openvpn/easyrsa/keys/server.key
dh /etc/openvpn/easyrsa/keys/dh2048.pem
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
ifconfig-pool-persist ipp.txt
verb 3
mute 10
user nobody
persist-key
persist-tun
comp-lzo
keepalive 10 120
# Data-channel encryption and HMAC are deliberately off as a starting point;
# raise these once every client you need to support is known to handle them.
cipher none
auth none
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1 bypass-dhcp local"
```
The configuration above is really compressed; I apologize. But I didn’t want to litter it with potentially wrong documentation. I haven’t found a hub of information about the configuration options available in OpenVPN either, so that made things a bit more difficult. I’ll update this post with information when I can.
Now here comes the relatively fun part, only because it’s mostly automated. The easy-rsa folder has a few scripts to handle the generation of the SSL certificates and keys. The following commands help you walk through that process. First things first, prime the environment to work with the scripts.
Then sterilize the environment.
Now build the server-side SSL requirements (your CA and VPN key).
And now you’d generate keys for the devices you’d want to connect to VPN.
Keep in mind, the only files you’d want to share amongst your devices are the server.ca and the keys and certificates from keys/client_*. Do not share anything else. If you’re familiar with PGP, I recommend generating a temporary key for the server to encrypt with and then sharing said keys over a trusted medium like SSH. If someone got hold of these keys, they could masquerade as one of the provided devices on your private network; a big no-no.
Spinning Things Up
You got your configuration in place, your keys and certificates on the appropriate devices, and now the only thing left is to start the server. Long
On the server side, that’s all that’s needed for OpenVPN. If you’re using a firewall on your server, you’d want to open up port 1194 over UDP (or TCP, if you changed it to that) for connectivity. You’d also want to allow NAT forwarding, in the event you have this hooked up to your router, which is in turn hooked up to your console (Xbox, Ouya, PlayStation, etc.).
From here, you can do a few things:
Experiment with different ciphers and authorizations! Try out AES-256-CBC, the one commonly used for higher grade encryption.
Enable client-to-client in your server so you can chat with other devices on the network. Useful for making private Web services available to VPN users only.
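The sample server configuration earlier deliberately leaves cipher none and auth none in place, and the two tips above are the upgrade path. As an added example that is not part of the original post, this Python script audits a server.conf for those settings and writes the hardened form with the AES-256-CBC cipher and client-to-client option mentioned here; the SHA256 HMAC value, the tls-auth check and the shortened sample configuration are this example's own assumptions.

```python
import shlex

# Constructed sample: the starting configuration from this post, shortened.
SAMPLE_CONF = """\
server 10.8.0.0 255.255.255.0
tls-server
cipher none
auth none
push "dhcp-option DNS 10.8.0.1"
"""

# directive -> (weak value, replacement). AES-256-CBC is the cipher the post
# points at; SHA256 for the packet HMAC is this example's own choice.
HARDENING = {"cipher": ("none", "AES-256-CBC"), "auth": ("none", "SHA256")}


def parse_conf(text):
    """[(directive, [args])] per line; comments skipped, no <ca> inline blocks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)  # keeps a quoted push argument together
            entries.append((parts[0], parts[1:]))
    return entries


def audit(text):
    """List findings for the data-channel settings the post leaves disabled."""
    seen = dict(parse_conf(text))
    findings = []
    for directive, (weak, _) in HARDENING.items():
        args = seen.get(directive)
        if args is None:
            findings.append(f"{directive} not set: OpenVPN's built-in default applies")
        elif args and args[0].lower() == weak:
            findings.append(f"{directive} {weak}: data channel is unprotected")
    if "tls-auth" not in seen:
        findings.append("tls-auth not set: control channel has no pre-TLS HMAC")
    return findings


def harden(text, client_to_client=False):
    """Swap weak values for HARDENING replacements; optionally add client-to-client."""
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) > 1 and parts[0] in HARDENING and parts[1].lower() == HARDENING[parts[0]][0]:
            raw = f"{parts[0]} {HARDENING[parts[0]][1]}"  # comment after the value is dropped
        out.append(raw)
    if client_to_client and "client-to-client" not in dict(parse_conf(text)):
        out.append("client-to-client")
    return "\n".join(out) + "\n"
```

Run audit() on the live server.conf before and after harden() to confirm only the tls-auth finding remains, then add tls-auth once every client carries the shared key.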