OpenVPN creates an encrypted tunnel between two points, preventing a third party from accessing your network traffic. By setting up your virtual private network (VPN) server, you become your own VPN provider. Many popular VPN services already use OpenVPN, so why tie your connection to a specific provider when you can have complete control?
The first article in this series set up a server for your VPN, and the second article demonstrated how to install and configure the OpenVPN server software. This third article shows how to start OpenVPN with authentication in place.
More on security
To set up an OpenVPN server, you must:
- Create a configuration file.
- Set the
sysctlvaluenet.ipv4.ip_forward = 1to enable routing. - Set up appropriate ownership for all configuration and authentication files to run the OpenVPN server daemon under a non-root account.
- Set OpenVPN to start with the appropriate configuration file.
- Configure your firewall.
Configuration file
You must create a server config file in /etc/openvpn/server/. You can start from scratch if you want, and OpenVPN includes several sample configuration files to use as a starting point. Have a look in /usr/share/doc/openvpn/sample/sample-config-files/ to see them all.
If you want to build a config file by hand, start with either server.conf or roadwarrior-server.conf (as appropriate), and place your config file in /etc/openvpn/server. Both files are extensively commented, so read the comments and decide which makes the most sense for your situation.
You can save time and aggravation by using my prebuilt server and client configuration file templates and sysctl file to turn on network routing. This configuration also includes customization to log connects and disconnects. It keeps logs on the OpenVPN server in /etc/openvpn/server/logs.
If you use my templates, you'll need to edit them to use your IP addresses and hostnames.
To use my prebuilt config templates, scripts, and sysctl to turn on IP forwarding, download my script:
$ curl \https://www.dgregscott.com/ovpn/OVPNdownloads.sh > \OVPNdownloads.shRead the script to get an idea of what it does. Here's a quick overview of its actions:
- Creates the appropriate directories on your OpenVPN server
- Downloads server and client config file templates from my website
- Downloads my custom scripts and places them into the correct directory with correct permissions
- Downloads
99-ipforward.confand places it into/etc/sysctl.dto turn on IP forwarding at the next boot - Sets up ownership for everything in
/etc/openvpn
Once you're satisfied that you understand what the script does, make it executable and run it:
$ chmod +x OVPNdownloads.sh$ sudo ./OVPNdownloads.shHere are the files it copies (notice the file ownership):
$ ls -al -R /etc/openvpn/etc/openvpn:total 12drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 .drwxr-xr-x. 139 root root 8192 Apr 6 20:35 ..drwxr-xr-x. 2 openvpn openvpn 33 Apr 6 20:35 clientdrwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 server/etc/openvpn/client:total 4drwxr-xr-x. 2 openvpn openvpn 33 Apr 6 20:35 .drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 ..-rw-r--r--. 1 openvpn openvpn 1764 Apr 6 20:35 OVPNclient2020.ovpn/etc/openvpn/server:total 4drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 .drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 ..drwxr-xr-x. 2 openvpn openvpn 59 Apr 6 20:35 ccddrwxr-xr-x. 2 openvpn openvpn 6 Apr 6 20:35 logs-rw-r--r--. 1 openvpn openvpn 2588 Apr 6 20:35 OVPNserver2020.conf/etc/openvpn/server/ccd:total 8drwxr-xr-x. 2 openvpn openvpn 59 Apr 6 20:35 .drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 ..-rwxr-xr-x. 1 openvpn openvpn 917 Apr 6 20:35 client-connect.sh-rwxr-xr-x. 1 openvpn openvpn 990 Apr 6 20:35 client-disconnect.sh/etc/openvpn/server/logs:total 0drwxr-xr-x. 2 openvpn openvpn 6 Apr 6 20:35 .drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 ..Here's the 99-ipforward.conf file:
# Turn on IP forwarding. OpenVPN servers need to do routingnet.ipv4.ip_forward = 1Edit OVPNserver2020.conf and OVPNclient2020.ovpn to include your IP addresses. Also, edit OVPNserver2020.conf to include your server certificate names from earlier. Later, you will rename and edit a copy of OVPNclient2020.ovpn for use with your client computers. The blocks that start with ***? show you where to edit.
File ownership
If you used the automated script from my website, file ownership is already in place. If not, you must ensure that your system has a user called openvpn that is a member of a group named openvpn. You must set the ownership of everything in /etc/openvpn to that user and group. It's safe to do this if you're unsure whether the user and group already exist because useradd will refuse to create a user with the same name as one that already exists:
$ sudo useradd openvpn$ sudo chown -R openvpn.openvpn /etc/openvpnFirewall
If you decided not to disable the firewalld service in step 1, then your server's firewall service might not allow VPN traffic by default.Using the firewall-cmd command, you can enable the OpenVPN service, which opens the necessary ports and routes traffic as necessary:
$ sudo firewall-cmd --add-service openvpn --permanent$ sudo firewall-cmd --reloadNo need to get lost in a maze of iptables!
Start your server
You can now start your OpenVPN server. So that it starts automatically after a reboot, use the enable subcommand of systemctl:
systemctl enable --now [email protected]Final steps
The fourth and final article in this article will demonstrate how to set up clients to connect to your OpenVPN from afar.
This article is based on D. Greg Scott's blog and is reused with permission.
This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.
