Creating a VPN (Virtual Private Network) involves several steps. Here's a detailed guide to set up a VPN server using OpenVPN, one of the most popular open-source VPN solutions. This example assumes you are using a Linux-based server, such as Ubuntu.
Step 1: Update Your System
Before installing any software, it's important to update your system's package list and install available updates.
sudo apt-get update
sudo apt-get upgrade
Step 2: Install OpenVPN and Easy-RSA
OpenVPN is paired with Easy-RSA, a set of scripts that simplifies creating a Certificate Authority (CA) and managing your own certificates (used to authenticate and secure the VPN connections).
Step 3: Configure Easy-RSA
Create a directory for Easy-RSA and set up the environment variables:
In the vars file, adjust the following parameters to match your environment. These values will be used to create the certificates:
Step 4: Build the Certificate Authority
Initialize the PKI (Public Key Infrastructure) and build the CA:
Step 5: Create the Server Certificate, Key, and Encryption Files
Generate the server certificate and key:
Generate Diffie-Hellman parameters:
Generate a shared HMAC key (ta.key) so the server can reject TLS handshake packets that do not carry a valid signature:
Step 6: Configure the OpenVPN Service
Copy the sample OpenVPN configuration file to the /etc/openvpn directory and edit it:
Modify the server.conf file with the following parameters:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
auth SHA256
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
Step 7: Enable IP Forwarding and Configure Firewall
Enable IP forwarding:
Uncomment the following line:
Apply the changes:
Configure the firewall to allow traffic through the VPN:
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status
Step 8: Start the OpenVPN Service
Start and enable the OpenVPN service:
Step 9: Generate Client Certificates and Configuration
Create the client certificates:
Copy the necessary files to a secure location to distribute to your clients:
Create a client configuration file template:
Add the following configuration to base.conf:
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
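As an added check that is not part of the original article or of OpenVPN itself, the small Python linter below reads the server.conf from Step 6 or the base.conf above and flags the settings a reviewer looks at first: whether tls-auth/tls-crypt is in place, whether the server drops root, whether the client pins remote-cert-tls server, whether YOUR_SERVER_IP is still a placeholder, and the CBC cipher (newer OpenVPN releases negotiate AES-256-GCM, an AEAD mode, by default). The function names parse_config and check_config and the embedded sample configs are this example's own.

```python
"""Lint an OpenVPN server.conf or client base.conf for the security-relevant
directives this guide sets. Added example, not the article's or OpenVPN's code."""
def parse_config(text):
    """Directive -> args (first wins); skips '#' comments, ';' lines and inline <...> block bodies."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if block:                      # inside an inline PEM block: skip to its end tag
            block = None if line == f"</{block}>" else block
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            directives.setdefault(block, ["<inline>"])
            continue
        name, *args = line.split()
        directives.setdefault(name, args)
    return directives

def check_config(text, role):
    """Return findings for a 'server' or 'client' config; [] means every check passed."""
    cfg, findings = parse_config(text), []
    # base.conf gets ta.key inlined by make_config.sh, so key-direction stands in for it
    if not any(k in cfg for k in ("tls-auth", "tls-crypt", "key-direction")):
        findings.append("no tls-auth/tls-crypt: control channel lacks the HMAC firewall")
    cipher = cfg.get("cipher", [""])[0].upper()
    if cipher.endswith("-CBC"):
        findings.append(f"{cipher} is a legacy CBC cipher; prefer AES-256-GCM (AEAD)")
    if role == "server":
        if "user" not in cfg or "group" not in cfg:
            findings.append("server keeps root after startup; add user/group")
        if cfg.get("tls-auth", ["", "0"])[1:2] != ["0"]:
            findings.append("server tls-auth direction must be 0 (clients use key-direction 1)")
    else:
        if cfg.get("remote-cert-tls") != ["server"]:
            findings.append("missing remote-cert-tls server: a client cert could pose as the server")
        if "YOUR_SERVER_IP" in cfg.get("remote", []):
            findings.append("remote still holds the YOUR_SERVER_IP placeholder")
    return findings

# Constructed copies of the guide's server.conf and base.conf (inline comments kept)
SERVER_CONF = """port 1194\nproto udp\ndev tun\nca ca.crt\ncert server.crt
key server.key # This file should be kept secret\ndh dh2048.pem\nauth SHA256
tls-auth ta.key 0 # This file is secret\ncipher AES-256-CBC\nuser nobody
group nogroup\npersist-key\npersist-tun\nverb 3"""
CLIENT_CONF = """client\ndev tun\nproto udp\nremote YOUR_SERVER_IP 1194
resolv-retry infinite\nnobind\npersist-key\npersist-tun\nremote-cert-tls server
cipher AES-256-CBC\nauth SHA256\nkey-direction 1\nverb 3"""
```

Running check_config(SERVER_CONF, "server") reports only the CBC cipher, while the client template additionally reports the unreplaced placeholder; point it at a finished .ovpn and the inline <ca>/<cert>/<key>/<tls-auth> blocks are skipped rather than misparsed.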
Step 10: Create Client Configuration Files
Create a script to generate client configuration files:
nano ~/client-configs/make_config.sh
Add the following content to make_config.sh:
#!/bin/bash
# First argument: Client identifier
# Refuse to run without a client name so we never write a broken .ovpn
if [ -z "$1" ]; then
    echo "usage: $0 <client-name>" >&2
    exit 1
fi
KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
mkdir -p "${OUTPUT_DIR}"
# Concatenate base.conf with the CA certificate, the client's certificate and
# private key, and the shared HMAC key as inline blocks, so the client needs
# only this single .ovpn file
cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"
Make the script executable:
Generate a client configuration file:
Step 11: Distribute the Client Configuration
Transfer the generated .ovpn file to the client device securely, for example over SFTP or SCP, or on a secure USB drive. The file embeds the client's private key and the shared ta.key, so handle it as a secret.
Step 12: Connect with the Client
Install an OpenVPN client on your client device and import the .ovpn file to connect to your VPN server.
That's it! Your VPN server should now be set up and ready to use.