Creation of a private network (VPN) using OpenVPN

Requirements:

OpenVPN is free software that lets you create a virtual private network (VPN).
Essentially, it encrypts the traffic between two remote hosts.

This tutorial is based on Ubuntu 14.04

Installation

On the server and the Linux clients

apt-get install openvpn easy-rsa

On a Windows client

You can download the version corresponding to your computer here: https://openvpn.net/index.php/open-source/downloads.html

On a recent PC, it is generally the following version that you need: Installer (64-bit), Windows Vista and later

Configuration on the Server

Generation of the required files

We start by copying the configuration examples:

cp -R /usr/share/easy-rsa/ /etc/openvpn/easy-rsa/

Now enter the directory to edit the concerned files:

cd /etc/openvpn/easy-rsa/
nano vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

# X509 Subject Field
export KEY_NAME="EasyRSA"

Modify these lines depending on your needs, then save the file and close nano.

Now we create the files our server and our client need in order to operate:

source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
./build-key client1

Repeat the last line (the one with "client1") once for every client you want to connect to the VPN, giving each client a different name.

We generate the shared key for TLS-Auth (an HMAC that protects the control channel from unauthenticated packets):

openvpn --genkey --secret keys/ta.key

And copy the files in the root directory of OpenVPN:

cd keys/ && cp ca.crt dh2048.pem server.crt server.key ta.key ../../

Configuration

Now we continue by editing the configuration file of the server:

nano /etc/openvpn/server.conf
port 1194
proto udp
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key # Do not change; keep this file secret
dh dh2048.pem
server 172.31.42.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
tls-auth ta.key 0 # Do not change (the client uses direction 1)
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Now restart the OpenVPN server: sudo service openvpn restart

Now we turn to the firewall configuration.
Each client gets a private IP from the VPN subnet.
We use NAT on the server so that clients can reach the Internet through it.

Start by adding or uncommenting the following line in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Then apply the change: sysctl -p

We will now install the package iptables-persistent to load the rules at each boot.

apt-get install iptables-persistent

It will ask whether you want to save the existing rules. Check whether you have already set some up and, if necessary, back them up.

Now we put the rules in place (eth0 is assumed to be the server's Internet-facing interface; adjust it if yours differs):

nano /etc/iptables/rules.v4
# Address translation (NAT) rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Masquerade only the VPN subnet (172.31.42.0/24, as set by the "server" line) when it leaves eth0.
# A bare "-o eth0 -j MASQUERADE" rule would NAT every forwarded packet, and "-s 172.31.42.2/24"
# is just the same /24 written with a host address, so a single rule is enough.
-A POSTROUTING -s 172.31.42.0/24 -o eth0 -j MASQUERADE

COMMIT

# Filtering rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow traffic between the tunnel (tun0) and the Internet-facing interface (eth0).
# With the FORWARD policy at ACCEPT these rules are explicit rather than required;
# they become necessary once you tighten the policy to DROP.
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

COMMIT

Now restart the daemon to apply the changes: sudo service iptables-persistent restart

These rules are very basic. You can modify them to have the functions you need.

On the Client

Now transfer the files to your client, for example with SCP. The files to transfer are:

  • ca.crt
  • clientX.crt
  • clientX.key
  • ta.key

Make sure you download the correct files by replacing “X” with the number of the client.

Now create the client's configuration file: nano /etc/openvpn/client.conf (on Windows, save it with a .ovpn extension in the OpenVPN config directory instead)

client
dev tun
proto udp
remote ip.of.the.server
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key # Do not change
ns-cert-type server
tls-auth ta.key 1 # Do not change
comp-lzo
verb 3

Remember to replace ip.of.the.server with the public IP address (or hostname) of your server.
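The client step above, as an added example that is not part of this tutorial: a POSIX sh function that packs the four transferred files (ca.crt, clientX.crt, clientX.key, ta.key) into one self-contained .ovpn file with the same directives as the client.conf above. The client name, server address and keys directory are its parameters, and the fixture files it creates for the demo are constructed placeholders, not real keys.

```shell
# Added example (not from the tutorial): bundle ca.crt, clientX.crt, clientX.key and ta.key
# into one self-contained .ovpn mirroring the tutorial's client.conf (inline blocks and
# key-direction are standard OpenVPN 2.3 features).
# Print only the PEM body: easy-rsa prepends a text dump to certs, ta.key starts with comments.
pem_body() { sed -n '/^-----BEGIN/,/^-----END/p' "$1"; }
# make_client_config NAME SERVER KEYS_DIR -> .ovpn on stdout; fails if a file is missing/empty.
make_client_config() {
    mcc_name="$1"; mcc_server="$2"; mcc_keys="$3"
    for mcc_f in ca.crt "$mcc_name.crt" "$mcc_name.key" ta.key; do
        [ -s "$mcc_keys/$mcc_f" ] || { echo "missing or empty: $mcc_keys/$mcc_f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $mcc_server 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
# Direction 1 on the client, matching "tls-auth ta.key 0" on the server
key-direction 1
<ca>
$(pem_body "$mcc_keys/ca.crt")
</ca>
<cert>
$(pem_body "$mcc_keys/$mcc_name.crt")
</cert>
<key>
$(pem_body "$mcc_keys/$mcc_name.key")
</key>
<tls-auth>
$(pem_body "$mcc_keys/ta.key")
</tls-auth>
EOF
}
# Constructed fixture for the demo only: fake PEM-shaped files, not real keys.
make_fixture() {
    mf_dir=$(mktemp -d)
    for mf_f in ca.crt client1.crt client1.key ta.key; do
        printf 'text header\n-----BEGIN FAKE-----\nDATA-%s\n-----END FAKE-----\n' "$mf_f" > "$mf_dir/$mf_f"
    done
    echo "$mf_dir"
}
make_client_config client1 ip.of.the.server "$(make_fixture)"
```

Run it against the real /etc/openvpn/easy-rsa/keys directory on the server and hand the single output file to the client; the private key is embedded, so transfer it the same way you would clientX.key.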

Now you have a working OpenVPN connection.