Using the excellent Digital Ocean tutorial as my base, I decided to set up an OpenVPN server on a Linux Mint 18 computer running on my home network so that I have an extra layer of protection when connecting to those less than reputable WiFi hotspots at airports and hotels.

This post is not meant to be an in-depth guide (use the original for that); it is meant to let me look back at some point in the future and easily re-create my setup.

1. Install everything you need

sudo apt-get update

sudo apt-get install openvpn easy-rsa

2. Set up the Certificate Authority (CA)

make-cadir ~/openvpn-ca

cd ~/openvpn-ca

nano vars

3. Update CA vars

Set these to something that makes sense:

export KEY_COUNTRY="US"

export KEY_PROVINCE="CA"

export KEY_CITY="SanFrancisco"

export KEY_ORG="Fort-Funston"

export KEY_EMAIL="me@myhost.mydomain"

export KEY_OU="MyOrganizationalUnit"

Set the KEY_NAME to something that makes sense:

export KEY_NAME="server"

4. Build the CA

source vars

./clean-all

./build-ca

5. Build server certificate and key

./build-key-server server

./build-dh

openvpn --genkey --secret keys/ta.key

6. Generate client certificate

source vars

./build-key-pass clientname

7. Configure OpenVPN

cd ~/openvpn-ca/keys

sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Edit config file:

sudo nano /etc/openvpn/server.conf

Uncomment the following:

tls-auth ta.key 0

cipher AES-128-CBC

user nobody

group nogroup

push "redirect-gateway def1 bypass-dhcp"

push "route 192.168.10.0 255.255.255.0"

push "route 192.168.20.0 255.255.255.0"

Add the following:

key-direction 0

auth SHA256

Edit config file:

sudo nano /etc/sysctl.conf

Uncomment the following:

net.ipv4.ip_forward=1

Run:

sudo sysctl -p

8. Set up UFW rules

Run:

ip route | grep default

This shows the name of the network adaptor after "dev". For example:

default via 192.168.x.x dev enp3s0 src 192.168.x.x metric 202

Edit config file:

sudo nano /etc/ufw/before.rules

Add the following, replacing enp3s0 with your network adaptor name, above the bit that says # Don't delete these required lines...

# START OPENVPN RULES

# NAT table rules

*nat

:POSTROUTING ACCEPT [0:0]

# Allow traffic from OpenVPN client to enp3s0

-A POSTROUTING -s 10.8.0.0/8 -o enp3s0 -j MASQUERADE

COMMIT

# END OPENVPN RULES

Edit config file:

sudo nano /etc/default/ufw

Change DEFAULT_FORWARD_POLICY to ACCEPT.

DEFAULT_FORWARD_POLICY="ACCEPT"

Allow the OpenVPN port and OpenSSH through ufw, then restart ufw so the new rules take effect:

sudo ufw allow 1194/udp

sudo ufw allow OpenSSH

sudo ufw disable

sudo ufw enable

9. Start the OpenVPN service and enable it at boot

sudo systemctl start openvpn@server

sudo systemctl enable openvpn@server
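Once the service is running, a quick read-only audit of the server side catches the usual slips from steps 7 and 8: a directive still commented out in server.conf, the NAT rule still naming eth0 instead of the interface ip route reported, or a key left world-readable. This is an added example, not code from the original post or the Digital Ocean tutorial; file paths are passed as arguments, and the sample files and route line at the bottom are constructed stand-ins for /etc/openvpn, /etc/ufw and the output of ip route.

```bash
#!/bin/bash
# Added example: read-only audit of the server side of this setup.
# Paths are passed in so it can also be run against copies of the files.

# Every directive the post enables in server.conf must be present and uncommented.
check_server_conf() {
    local directive
    for directive in 'tls-auth ta.key 0' 'key-direction 0' 'cipher AES-128-CBC' \
                     'auth SHA256' 'user nobody' 'group nogroup'; do
        grep -Eq "^[[:space:]]*${directive}[[:space:]]*$" "$1" || return 1
    done
}

# Interface named after "dev" in the "default via ..." line fed on stdin.
default_iface() {
    awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# The MASQUERADE rule in before.rules ($1) must leave via the default-route interface ($2).
check_nat_iface() {
    grep -Eq "^-A POSTROUTING -s 10\.8\.0\.0/[0-9]+ -o $2 -j MASQUERADE$" "$1"
}

# Private keys (server.key, ca.key, ta.key) must be readable by their owner only (GNU stat).
check_key_perms() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

report() {  # report <label> <check> <args...>
    local label="$1"; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

# Constructed sample files; on the real server pass /etc/openvpn/server.conf,
# /etc/ufw/before.rules and /etc/openvpn/ta.key instead.
tmp=$(mktemp -d)
printf '%s\n' 'port 1194' 'proto udp' 'tls-auth ta.key 0' 'key-direction 0' \
    'cipher AES-128-CBC' 'auth SHA256' 'user nobody' 'group nogroup' > "$tmp/server.conf"
printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
    '-A POSTROUTING -s 10.8.0.0/8 -o enp3s0 -j MASQUERADE' 'COMMIT' > "$tmp/before.rules"
touch "$tmp/ta.key"; chmod 600 "$tmp/ta.key"
iface=$(echo 'default via 192.168.1.1 dev enp3s0 src 192.168.1.5 metric 202' | default_iface)
report "server.conf directives" check_server_conf "$tmp/server.conf"
report "NAT rule uses $iface" check_nat_iface "$tmp/before.rules" "$iface"
report "ta.key permissions" check_key_perms "$tmp/ta.key"
rm -rf "$tmp"
```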

10. Set up the client configuration

mkdir -p ~/client-configs/files

chmod 700 ~/client-configs/files

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Edit config file:

nano ~/client-configs/base.conf

Replace the remote server_IP_address port line with the external IP address and port you plan to use. The IP address can also be a hostname, such as a redirector.

Add the following:

cipher AES-128-CBC

auth SHA256

key-direction 1

Uncomment the following:

user nobody

group nogroup

Comment out the following:

#ca ca.crt

#cert client.crt

#key client.key

11. Make a client configuration generation script

Create the file:

nano ~/client-configs/make_config.sh

Add the following to it:

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA cert, client cert, client key and
# TLS auth key as inline blocks, producing a single self-contained .ovpn file
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

And mark it executable:

chmod 700 ~/client-configs/make_config.sh

12. Generate the client config file

cd ~/client-configs

./make_config.sh clientname

13. Transfer client configuration to device

You can now transfer the client configuration file found in ~/client-configs/files to your device.



This post originally appeared on my personal website here.