In today’s digital landscape, securing your internet connection has never been more vital. One of the most effective ways to enhance your online security is by using a Virtual Private Network (VPN), and OpenVPN is a popular open-source solution that many tech enthusiasts and organizations prefer. This guide will walk you through setting up OpenVPN on a Linux server from scratch. Whether you’re looking to safeguard your browsing or connect remotely to your home network, OpenVPN is an invaluable tool.
Prerequisites
Before you begin, ensure you have:
- A Linux server (Ubuntu, Debian, CentOS, or Fedora).
- Root or sudo access to the server.
- Basic knowledge of the Linux command line.
Step 1: Installing OpenVPN
For most Linux distributions, you can easily install OpenVPN using the package manager. Here’s how to do it for some common distributions.
On Ubuntu/Debian:
sudo apt update
sudo apt install openvpn easy-rsa
On CentOS/Fedora:
sudo dnf install openvpn easy-rsa
Step 2: Setting Up the Certificate Authority
OpenVPN uses SSL/TLS for its encryption, which requires setting up a Public Key Infrastructure (PKI) to manage keys. Easy-RSA is the tool that simplifies this task.
- Create a directory for Easy-RSA:
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
- Configure Easy-RSA variables:
Edit the vars file located in the ~/openvpn-ca directory:
nano vars
Change the following lines to match your organization’s information:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="WafaTech"
export KEY_EMAIL="[email protected]"
export KEY_OU="Community"
- Source the variables and clean up old keys:
cd ~/openvpn-ca
source vars
./clean-all
- Build the CA (Certificate Authority):
./build-ca
Follow the prompts and press Enter to accept defaults unless you have specific requirements.
Step 3: Create the Server Certificate, Key, and Encryption Files
Next, you’ll generate the server certificate and key.
- Generate the server key and certificate:
./build-key-server server
Follow the prompts again, and ensure you answer ‘y’ to the sign and commit questions.
- Generate strong Diffie-Hellman parameters:
./build-dh
- Generate a static tls-auth key (a shared HMAC key that OpenVPN uses to sign every control-channel packet, so unauthenticated packets are dropped before the TLS handshake starts):
openvpn --genkey --secret keys/ta.key
Now, you have all the necessary keys and certificate files in the ~/openvpn-ca/keys directory.
Step 4: Configure the OpenVPN Server
- Copy the example server configuration file to /etc/openvpn/:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
- Unzip the configuration file:
sudo gunzip /etc/openvpn/server.conf.gz
- Edit the server configuration file:
sudo nano /etc/openvpn/server.conf
Make the following changes:
- Set the ca, cert, key, and dh paths to point to your CA, server certificate, server key, and Diffie-Hellman file:
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
- Uncomment the push "redirect-gateway def1 bypass-dhcp" line to route all traffic through the VPN.
- Uncomment push "dhcp-option DNS 1.1.1.1" (or your preferred DNS) to configure DNS through the VPN.
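The paths above assume the files from ~/openvpn-ca/keys have been copied into /etc/openvpn, and OpenVPN will fail to start (or, worse, run with a world-readable private key) if that step is skipped or done sloppily. The following script is an added example, not part of the original guide: it parses a server.conf, checks that every file referenced by ca, cert, key, dh and tls-auth exists, and refuses private key material that is readable by group or others. Relative paths are resolved against the directory containing server.conf, which matches the packaged systemd unit's working directory of /etc/openvpn. The demo at the bottom runs on constructed placeholder files in a temporary directory, so it can be tried without touching the real configuration.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check an OpenVPN server.conf
# before starting the service.
#
# Typical use on the server described in this guide:
#   sudo cp ~/openvpn-ca/keys/ca.crt ~/openvpn-ca/keys/server.crt \
#           ~/openvpn-ca/keys/server.key ~/openvpn-ca/keys/dh2048.pem \
#           ~/openvpn-ca/keys/ta.key /etc/openvpn/
#   sudo chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key
#   sudo sh check_server_conf.sh   # then: check_server_conf /etc/openvpn/server.conf

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the path argument of one directive, e.g. "cert server.crt" -> server.crt.
# For "tls-auth ta.key 0" the trailing key-direction is dropped. Commented-out
# lines (";tls-auth ...") are ignored because their first field does not match.
conf_path() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# check_server_conf CONFIG -> returns 0 if all referenced files exist and the
# secret ones (key, tls-auth) are mode 600-style; returns 1 otherwise.
check_server_conf() {
    conf=$1
    dir=$(dirname "$conf")
    rc=0
    for directive in ca cert key dh tls-auth; do
        rel=$(conf_path "$conf" "$directive")
        if [ -z "$rel" ]; then
            echo "MISSING directive: $directive"; rc=1; continue
        fi
        case $rel in
            /*) path=$rel ;;          # absolute path as written in the config
            *)  path=$dir/$rel ;;     # relative path: resolve next to server.conf
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING file for $directive: $path"; rc=1; continue
        fi
        case $directive in
            key|tls-auth)
                mode=$(file_mode "$path")
                # Any group/other permission bit set means the last two octal
                # digits are not "00"; the server private key and ta.key must
                # be readable by their owner only.
                case $mode in
                    *00) ;;
                    *) echo "INSECURE mode $mode on $path (expected 600)"; rc=1 ;;
                esac ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Demo on a constructed fixture (placeholder files, not real keys or certificates).
demo_dir=$(mktemp -d)
for f in ca.crt server.crt server.key dh2048.pem ta.key; do
    echo "placeholder $f" > "$demo_dir/$f"
done
cat > "$demo_dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
EOF
chmod 644 "$demo_dir/server.key"           # deliberately too permissive
check_server_conf "$demo_dir/server.conf"  # reports INSECURE mode on server.key (and ta.key)
chmod 600 "$demo_dir/server.key" "$demo_dir/ta.key"
check_server_conf "$demo_dir/server.conf"  # OK
rm -rf "$demo_dir"
```

Run the check as root against /etc/openvpn/server.conf after copying the files and before `systemctl start openvpn@server`; a MISSING line points at a file that was never copied, and an INSECURE line means the private key or ta.key is exposed to other local users.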
Step 5: Adjusting the Server Networking Configuration
To allow routing through your VPN, enable IP forwarding:
- Open and edit the sysctl configuration:
sudo nano /etc/sysctl.conf
- Uncomment the following line:
net.ipv4.ip_forward=1
- Apply the changes:
sudo sysctl -p
- Set up firewall rules to allow VPN traffic. Here’s an example using iptables (replace eth0 with the name of your server’s internet-facing interface; these rules are not kept across reboots unless you persist them, for example with iptables-save or your distribution’s iptables-persistent package):
# Masquerade traffic from the VPN subnet so replies come back to the server
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Allow packets from VPN clients on the tunnel interface to be forwarded out
sudo iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -j ACCEPT
# Allow replies to those connections back into the tunnel
sudo iptables -A FORWARD -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Step 6: Start the OpenVPN Server
- Start the OpenVPN service:
sudo systemctl start openvpn@server
- Enable OpenVPN to start at boot:
sudo systemctl enable openvpn@server
- Check the status:
sudo systemctl status openvpn@server
Step 7: Creating Client Configuration Files
- Generate a client certificate:
cd ~/openvpn-ca
source vars
./build-key client-name
- Create a client configuration file (client.ovpn):
nano ~/client.ovpn
Here is a basic client configuration template:
client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
(Insert ca.crt contents here)
</ca>
<cert>
(Insert client.crt contents here)
</cert>
<key>
(Insert client.key contents here)
</key>
<tls-auth>
(Insert ta.key contents here)
</tls-auth>
key-direction 1
- Transfer these files to your client devices securely.
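Pasting four files into the template by hand is error-prone: Easy-RSA’s .crt files begin with a human-readable dump of the certificate, and ta.key begins with comment lines, neither of which belongs inside an inline block. The script below is an added example, not part of the original guide or of OpenVPN/Easy-RSA: it assembles a single-file client.ovpn from the keys directory layout used in this guide (keys/ca.crt, keys/<name>.crt, keys/<name>.key, keys/ta.key), extracting only the PEM bodies. It also adds one line the guide’s template does not have, `remote-cert-tls server`, which makes the client reject a peer that presents an ordinary client certificate as if it were the server. The demo at the bottom uses constructed placeholder files, not real certificates or keys.

```shell
#!/bin/sh
# Added example (not from the original guide): build a single-file client
# profile with the CA cert, client cert, client key and ta.key inlined.
#
# Typical use on the server described in this guide:
#   build_client_profile ~/openvpn-ca/keys client-name your_server_ip > client-name.ovpn
#   chmod 600 client-name.ovpn     # the profile now contains a private key

# Print only the PEM block(s) of a file, dropping Easy-RSA's text dump and
# the comment lines at the top of ta.key.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_client_profile KEYS_DIR CLIENT_NAME SERVER_HOST -> profile on stdout,
# returns 1 (with a message on stderr) if any input file is missing.
build_client_profile() {
    keys=$1; name=$2; host=$3
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key" "$keys/ta.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Added hardening (not in the guide's template): accept only a server whose
# certificate was issued for server use (Easy-RSA's build-key-server sets this),
# so a stolen client certificate cannot be used to impersonate the server.
remote-cert-tls server
key-direction 1
<ca>
$(pem_body "$keys/ca.crt")
</ca>
<cert>
$(pem_body "$keys/$name.crt")
</cert>
<key>
$(pem_body "$keys/$name.key")
</key>
<tls-auth>
$(pem_body "$keys/ta.key")
</tls-auth>
EOF
}

# Demo on constructed placeholder files (not real certificates or keys).
demo=$(mktemp -d)
printf '%s\n' 'Certificate:' '    Data: ...' '-----BEGIN CERTIFICATE-----' 'CAFAKE' '-----END CERTIFICATE-----' > "$demo/ca.crt"
printf '%s\n' 'Certificate:' '-----BEGIN CERTIFICATE-----' 'CLIENTFAKE' '-----END CERTIFICATE-----' > "$demo/laptop.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEYFAKE' '-----END PRIVATE KEY-----' > "$demo/laptop.key"
printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' '-----BEGIN OpenVPN Static key V1-----' 'TAFAKE' '-----END OpenVPN Static key V1-----' > "$demo/ta.key"
build_client_profile "$demo" laptop vpn.example.com > "$demo/laptop.ovpn"
chmod 600 "$demo/laptop.ovpn"
grep -c '^-----BEGIN' "$demo/laptop.ovpn"   # 4: one inline block per file
rm -rf "$demo"
```

Copy the resulting .ovpn to the client over an authenticated channel (scp, or a password manager that supports attachments) rather than e-mail, since it carries the client’s private key; on a Linux client it can then be used directly with `sudo openvpn --config client-name.ovpn`.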
Step 8: Connecting the Client
- Use the OpenVPN client on your device or the command line to connect, pointing it to your client.ovpn configuration file.
Conclusion
Congratulations! You’ve successfully set up OpenVPN on your Linux server. This configuration routes your device’s internet traffic through an encrypted tunnel to the server, so it reaches the internet from the server’s address rather than your own. Keep your configuration files backed up (and your private keys readable only by their owner), and if you encounter issues, the OpenVPN logs can provide helpful insights.
For further enhancements, consider exploring advanced configurations like multiple users, OpenVPN Access Server, or using an OpenVPN GUI. Enjoy your safe and secure browsing experience!
If you need further assistance or have questions about this guide, feel free to ask in the comments below.
By following this step-by-step guide, you should now be equipped to configure OpenVPN on your Linux server effectively. Happy VPNing!