Introduction

In this article we are going to walk you through building your own VPN server.

What is a Virtual Private Network?

Nowadays a VPN is mostly used to unblock geo-restricted content online.

But what if you find that you really need a secure VPN server of your own, to make transactions online or to hide your own location?

Prerequisites

Before we start, you will need a server from one of the cloud providers,

e.g. DigitalOcean, Google Cloud, Amazon EC2.

These providers offer very good pricing for an instance. Billing is calculated by the hour, day or month.

This suits both short-term and long-term users, who can tailor the instance pricing to their own needs.

We will demonstrate the process using DigitalOcean.

Pick your Server

  1. Go to www.digitalocean.com
  2. Sign up for an account through this link: https://cloud.digitalocean.com/registrations/new
  3. Log in to your account using this link: https://cloud.digitalocean.com/login

After logging in you will see a screen similar to the one below:

Create Droplet

Press the green “Create Droplet” button.

Choose an image

Choose your image, e.g. CentOS or Ubuntu.

In this tutorial we will demonstrate on Ubuntu 16.04 x64.

Choose a size

Choose a size and spec that meets your requirements for the VPN server.

If you are building this just for yourself, for one or two VPN users, choose the $5/month droplet, which is very cheap and enough for this use.

After selecting the operating system and the size of the cloud instance, move on to the region.

Choose a datacenter region

We need to decide in which country to locate our VPN server.

Here we pick a Singapore server, which is where we want our VPN server to be located.

Tap on the Singapore flag, and that's done.

Finalize and Create

In the last step you can set your server hostname; then press the “Create” button at the bottom of the page.

After all this, you will get an email from DigitalOcean containing the server's username and password.

Log in to your server and start the OpenVPN installation.

Install OpenVPN on Ubuntu 16.04.02 x64.

Step 1: Install the required packages.

sudo apt-get update
sudo apt-get install openvpn easy-rsa

Step 2: Create the CA directory in our home directory using the command below.

make-cadir ~/openvpn-ca

Step 3: Configure the CA Variables

cd ~/openvpn-ca/

Open ~/openvpn-ca/vars and change the content below to match your own country and organization information.

. . .

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

. . .

to

export KEY_COUNTRY="SG"
export KEY_PROVINCE="SG"
export KEY_CITY="Geylang"
export KEY_ORG="Geylang"
export KEY_EMAIL="linuxscriptshub@gmail.com"
export KEY_OU="MyOrganizationalUnit"

and also look for the KEY_NAME line

export KEY_NAME="EasyRSA"

and change it to

export KEY_NAME="Server"

After that, save and close the file.

Step 4: Build the Certificate Authority

Make sure you are in the openvpn-ca folder and source the vars file we edited earlier.

cd ~/openvpn-ca/
source vars

You should see the following if it was sourced correctly:

Output
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys

Run the command below to make sure we start in a clean environment.

./clean-all

and run the command below to build our CA key and certificate:

./build-ca

You will get something like the following:

Generating a 2048 bit RSA private key
........................+++
.....+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [SG]:
Locality Name (eg, city) [Geylang]:
Organization Name (eg, company) [Geylang]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Geylang CA]:
Name [Server]:
Email Address [linuxscriptshub@gmail.com]:

Step 5: Create the Server Certificate, Key, and Encryption Files

Build our server.key using the command below.

./build-key-server server

You will get a result like the one below.

Note that at the “Sign the certificate? [y/n]” and “commit? [y/n]” prompts (highlighted in red below) you cannot just press Enter; you must type “y” to confirm signing the certificate.

Generating a 2048 bit RSA private key
.......................+++
.....................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [SG]:
Locality Name (eg, city) [Geylang]:
Organization Name (eg, company) [Geylang]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [Server]:
Email Address [linuxscriptshub@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn-ca/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'SG'
stateOrProvinceName   :PRINTABLE:'SG'
localityName          :PRINTABLE:'Geylang'
organizationName      :PRINTABLE:'Geylang'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'Server'
emailAddress          :IA5STRING:'linuxscriptshub@gmail.com'
Certificate is to be certified until May 5 10:29:03 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Build the dhparam file with the command below:

./build-dh

You will see something like the diagram below.

Generate the ta.key for our VPN server.

openvpn --genkey --secret keys/ta.key

After that we are done with everything on the server side.

Now we have to continue and create the key file and certificate for our client.

Step 6: Generate a Client Certificate and Key Pair

Use the commands below to create a key pair for our client.

cd ~/openvpn-ca
source vars
./build-key client1

Step 7: Configure server.conf of the VPN server.

Copy some of the files that we created earlier (they are in the keys folder) to the /etc/openvpn folder:

cd ~/openvpn-ca/keys
sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn

We need to decompress a sample config file into the OpenVPN main directory.

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Continue by editing the server.conf that we just copied.

vi /etc/openvpn/server.conf

Basic Configuration

First, find the HMAC section by looking for the tls-auth directive. Remove the “;” to uncomment the tls-auth line. Below this, add the key-direction parameter set to “0”:

/etc/openvpn/server.conf

tls-auth ta.key 0 # This file is secret
key-direction 0

Next, find the section on cryptographic ciphers by looking for the commented-out cipher lines. The AES-128-CBC cipher offers a good level of encryption and is well supported. Remove the “;” to uncomment the cipher AES-128-CBC line:

/etc/openvpn/server.conf

cipher AES-128-CBC

Below this, add an auth line to select the HMAC message digest algorithm. For this, SHA256 is a good choice:

/etc/openvpn/server.conf

auth SHA256

Finally, find the user and group settings and remove the “;” at the beginning of those lines to uncomment them:

/etc/openvpn/server.conf

user nobody
group nogroup

We must also push all traffic through the VPN server, to make sure we reach websites securely and hide our origin IP address.

Uncomment the three lines shown below:

At the end of the file, please make sure your key and cert directives point to the correct names of the certificate and key, i.e. server.key and server.crt.
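To check that the edits above actually landed in /etc/openvpn/server.conf (and that the cert and key directives name the right files), here is a small audit script. It is an added example, not part of the original post; it assumes only POSIX sh and sed, and the two sample configs it writes are constructed to mirror the hardened and the shipped versions of the file.

```shell
# Added example (not from the original post): audit an OpenVPN server.conf against
# the directives this tutorial sets in Step 7. Assumes only POSIX sh and sed.

# Active (uncommented) value of directive $2 in file $1, trailing "# comment" stripped;
# prints nothing if the directive is absent or still commented out with ";".
active_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# One line per check; returns the number of failed checks (0 = matches the post).
audit_server_conf() {
    conf=$1; failures=0
    for want in "tls-auth=ta.key 0" "key-direction=0" "cipher=AES-128-CBC" "auth=SHA256" \
                "user=nobody" "group=nogroup" "ca=ca.crt" "cert=server.crt" \
                "key=server.key" "dh=dh2048.pem"; do
        name=${want%%=*}; expected=${want#*=}
        got=$(active_value "$conf" "$name")
        if [ "$got" = "$expected" ]; then
            echo "OK   $name $got"
        else
            echo "FAIL $name is '${got:-missing/commented out}' (want: $expected)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample: the relevant part of server.conf after the Step 7 edits.
write_hardened_conf() {
    cat > "$1" <<'EOF'
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC
auth SHA256
user nobody
group nogroup
EOF
}

# Constructed sample: the same directives as shipped, i.e. before the edits.
write_default_conf() {
    write_hardened_conf "$1.tmp"
    sed -e 's/^tls-auth /;tls-auth /' -e 's/^cipher /;cipher /' -e 's/^user /;user /' \
        -e 's/^group /;group /' -e '/^key-direction /d' -e '/^auth /d' "$1.tmp" > "$1" && rm -f "$1.tmp"
}
```

On the server, run `audit_server_conf /etc/openvpn/server.conf`; a non-zero return value is the number of directives that still differ from the tutorial.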

Step 8: Enable IP forwarding on your server

vi /etc/sysctl.conf

Add the line below to the file.

net.ipv4.ip_forward=1

Save and exit the file, then apply it with the following command.

sysctl -p

Then enable MASQUERADE on the outbound interface using iptables.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
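The interface name enp0s3 in the rule above belongs to one particular machine, and re-running the command appends a duplicate rule each time. The helper below (an added example, not from the original post) reads the interface from the default route and adds the rule only if it is absent; it assumes iproute2, iptables and sysctl are available and that it is run as root.

```shell
# Added example (not from the original post): apply the Step 8 NAT rule without
# hardcoding the interface name and without adding it twice.
# Assumes iproute2 (`ip`), iptables and sysctl are present and we run as root.

VPN_SUBNET=10.8.0.0/24   # the subnet the sample server.conf hands out

# Extract the interface name from `ip route show default` output. The text is
# passed in as an argument so the parsing can be exercised offline.
default_iface() {
    printf '%s\n' "$1" | sed -n 's/^default .* dev \([^ ]*\).*$/\1/p' | head -n 1
}

# The POSTROUTING rule from the post, as iptables arguments, for a given interface.
masq_rule() {
    printf 'POSTROUTING -s %s -o %s -j MASQUERADE' "$VPN_SUBNET" "$1"
}

# Add the rule only if it is not already present (-C checks, -A appends).
# Note: like the command in the post, this rule does not survive a reboot
# unless it is saved (for example with the iptables-persistent package).
ensure_masquerade() {
    iface=${1:-$(default_iface "$(ip route show default)")}
    [ -n "$iface" ] || { echo "no default route found" >&2; return 1; }
    # shellcheck disable=SC2046
    iptables -t nat -C $(masq_rule "$iface") 2>/dev/null \
        || iptables -t nat -A $(masq_rule "$iface")
}

# Confirm the sysctl from Step 8 actually took effect.
forwarding_enabled() {
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ]
}

# Usage (as root, after `sysctl -p`):
#   forwarding_enabled || echo "ip_forward is still 0"
#   ensure_masquerade            # detects the interface from the default route
#   ensure_masquerade enp0s3     # or name it explicitly, as the post does
```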

Step 9: Start your OpenVPN server

Use systemctl to start your OpenVPN server.

systemctl start openvpn@server

Run the command below and make sure your OpenVPN port, UDP 1194, is listening.

netstat -ntulp |grep openvpn

You will see a result like the one below:

udp 0 0 0.0.0.0:1194 0.0.0.0:* 2876/openvpn

That's all for the VPN server creation.

If you find that you don't know how to connect to the VPN when you try to create client1.ovpn, kindly leave a comment here and we will show you how to do it.

Share this with your friends if you found it useful.
