A virtual private network (VPN) is a technology that creates a secure, encrypted network on top of a less trusted network such as the internet.
It is mainly used to let remote users and branch offices reach the corporate network and its resources over the internet in a more secure way.
A client connects to the organization’s VPN gateway and authenticates, typically over SSL/TLS or IPsec; the gateway then relays traffic to the organization’s internal resources.
Advantages of using a VPN include:
- Organization members can work even when remotely situated.
- It can hide a user’s browsing activity.
- Users may access sites which they might have been blocked from remotely.
OpenVPN is a fully fledged VPN that uses SSL/TLS for the key exchange; the resulting keys are then used by the peers to encrypt the traffic between them.
Before You Start
- Two Ubuntu 18.04 VPS, one to be used as a server and another one as a client.
- A non-root user with sudo privileges on both VPS
- Firewall enabled on both client and server environments
Update System Packages
$ sudo apt update && sudo apt upgrade
Install OpenVPN Package
$ sudo apt install openvpn
OpenVPN supports several authentication methods, such as a username and password combination, a pre-shared (static) key, and certificates. In this tutorial we set up an OpenVPN server and client using a shared secret key.
First, check that the server and the client can reach each other.
The commands below bring up a test tunnel with no encryption or authentication at all (OpenVPN prints a warning saying so), so treat them purely as a connectivity check; the encrypted tunnel is configured in the static key section. On the server, run:
$ openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2
Tue Oct 9 19:12:24 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Tue Oct 9 19:12:24 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2018
Tue Oct 9 19:12:24 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Tue Oct 9 19:12:24 2018 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Tue Oct 9 19:12:24 2018 TUN/TAP device tun1 opened
Tue Oct 9 19:12:24 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 9 19:12:24 2018 /sbin/ip link set dev tun1 up mtu 1500
Tue Oct 9 19:12:24 2018 /sbin/ip addr add dev tun1 local 10.9.8.1 peer 10.9.8.2
Tue Oct 9 19:12:24 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Oct 9 19:12:24 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Oct 9 19:12:24 2018 UDPv4 link remote: [AF_UNSPEC]
If you list the network interfaces in another terminal (for example with ifconfig), you will see that a new interface, tun1, has been added. It is present as long as the OpenVPN tunnel is open.
tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.9.8.1  netmask 255.255.255.255  destination 10.9.8.2
        inet6 fe80::3cd2:9bd7:4b17:a740  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 288 (288.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
To test the client, run the following command.
$ openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2 10.9.8.1
Tue Oct 9 22:40:05 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Tue Oct 9 22:40:05 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2018
Tue Oct 9 22:40:05 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Tue Oct 9 22:40:05 2018 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Tue Oct 9 22:40:05 2018 TUN/TAP device tun1 opened
Tue Oct 9 22:40:05 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 9 22:40:05 2018 /sbin/ip link set dev tun1 up mtu 1500
Tue Oct 9 22:40:05 2018 /sbin/ip addr add dev tun1 local 10.9.8.2 peer 10.9.8.1
Tue Oct 9 22:40:05 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]220.127.116.11:1194
Tue Oct 9 22:40:05 2018 UDP link local (bound): [AF_INET][undef]:1194
Tue Oct 9 22:40:05 2018 UDP link remote: [AF_INET]18.104.22.168:1194
Tue Oct 9 22:40:15 2018 Peer Connection Initiated with [AF_INET]22.214.171.124:1194
Tue Oct 9 22:40:16 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 9 22:40:16 2018 Initialization Sequence Completed
Generate a static key
On your server, use the command below to generate a static key:
$ openvpn --genkey --secret static.key
Keep the key in /etc/openvpn on the server and copy it to /etc/openvpn on the client VPS. Transfer it only over a secure channel such as scp (Secure Copy) or sftp: anyone who obtains this file can decrypt the tunnel’s traffic or connect as a peer.
On the server side, create a new file:
$ vim /etc/openvpn/tun0.conf
Add the following configuration (the key file name must match the one you generated and copied):
dev tun0
ifconfig 10.9.8.1 10.9.8.2
secret /etc/openvpn/static.key
On the client side, create a new file:
$ vim /etc/openvpn/tun0.conf
Add the following configuration (replace SERVER_IP with the server’s public address, as in the connectivity test above):
dev tun0
remote SERVER_IP
ifconfig 10.9.8.2 10.9.8.1
secret /etc/openvpn/static.key
You can now start OpenVPN on both the server and the client with the command below; verbosity level 6 prints enough detail to follow the connection being established:
$ openvpn --config /etc/openvpn/tun0.conf --verb 6
You should now be able to ping 10.9.8.1 from the client VPS and 10.9.8.2 from the server.
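If the ping fails, a quick consistency check of the configuration on each side usually finds the problem. The script below is added here as an example and is not part of the original tutorial; it assumes the layout used above (a tun0.conf with dev, ifconfig and secret directives, and a key file produced by openvpn --genkey --secret). It validates the key file's format and permissions, checks that the ifconfig line carries two distinct IPv4 addresses, and prints a short key fingerprint so both peers can confirm they hold the same key.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check a static-key
# OpenVPN config (e.g. /etc/openvpn/tun0.conf) before starting the tunnel.

# Print the value of one directive from the config (matched case-insensitively).
conf_value() {
    awk -v d="$2" 'tolower($1)==d { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Verify the key file looks like "openvpn --genkey --secret" output: V1
# header and footer, 512 hex digits (2048-bit key) between them, mode 600.
check_static_key() {
    [ -f "$1" ] || { echo "key file $1 missing"; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" || { echo "bad key header"; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$1" || { echo "bad key footer"; return 1; }
    hex=$(sed -n '/^-----BEGIN/,/^-----END/p' "$1" | grep -v '^-----' | tr -d '\n')
    [ "${#hex}" -eq 512 ] && [ -z "$(printf '%s' "$hex" | tr -d '0-9a-fA-F')" ] ||
        { echo "key body is not 512 hex digits"; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || { echo "key mode is $mode, expected 600"; return 1; }
}

# Short SHA-256 fingerprint so both peers can confirm they hold the same key.
key_fingerprint() {
    (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | cut -c1-16
}

# Check dev, ifconfig (exactly two distinct IPv4 addresses: local, then peer)
# and secret; prints a one-line summary on success, returns 1 on any problem.
check_static_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "config $conf missing"; return 1; }
    dev=$(conf_value "$conf" dev)
    key=$(conf_value "$conf" secret)
    [ -n "$dev" ] || { echo "no dev directive"; return 1; }
    [ -n "$key" ] || { echo "no secret directive"; return 1; }
    set -- $(conf_value "$conf" ifconfig)   # split on whitespace on purpose
    [ $# -eq 2 ] || { echo "ifconfig needs 2 addresses, got $#"; return 1; }
    [ "$1" != "$2" ] || { echo "local and peer address are identical"; return 1; }
    for a in "$1" "$2"; do
        printf '%s\n' "$a" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
            { echo "not an IPv4 address: $a"; return 1; }
    done
    check_static_key "$key" || return 1
    echo "ok: $dev local=$1 peer=$2 key=$(key_fingerprint "$key")"
}
```

Run `check_static_conf /etc/openvpn/tun0.conf` on both machines; the fingerprint printed on the server and on the client must be identical.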
We have now created a simple VPN using a static shared key that can be used to access resources over the internet. You can also look at How to Install and Enable OpenVPN Server.