smakme7757

How to: Create your own OpenVPN Access Server.


Hi all

This is a little side project of mine, seeing as a mate was interested in how I set mine up. So I created a small guide on my blog which I have pasted in here.
For a fully formatted version which is a little bit easier on the eyes you can have a look at my blog post: How to: Create an OpenVPN access Server

If anyone actually uses it let me know if you come across any problems.
*****************************************
How to: Create your own OpenVPN server.

The aim of this guide is to help anyone who wishes to build their own OpenVPN server get it online and working and have the ability to use their home internet connection while abroad.
Additionally I will provide the information on how to create your own SSL certificate for your server.

What you need:

* An old PC or laptop with Ubuntu loaded on it – Download Ubuntu here – Remember to update Ubuntu with all the latest updates for all of its software.
* DynDNS Free account with a Dynamic DNS setup.
* Some knowledge regarding networking and routing, downloading files and moving through an operating system – Linux.
* Some spare time.

Downloading and installing OpenVPN

Notice: Most settings will be set to default to make the install more streamlined and less problem prone. Feel free to redo the configuration again if you wish to change anything.

The first thing you should do is go to http://openvpn.net
Under Access Server Downloads Click Ubuntu Download

* Select Ubuntu 9 amd/x86 32/64bit depending on what you want to install. (I will be using the 32bit version)
* When the download completes double click the file in the explorer window. This will then open the Ubuntu Software Center – click Install.
* When the software is installed open up a terminal window (Applications-Accessories).
* Run the install script with root privileges:

sudo /usr/local/openvpn_as/bin/ovpn-init

You will be prompted to type in your password, do so!
Tip: if you ever have to reinstall/configure OpenVPN, run the above script again. You will then be prompted to type ‘DELETE’.
* Accept the license agreement by typing Yes.

Initial Configuration

* Will this be the primary Access Server Node = Yes
* Please specify the network interface and IP address to be used: choose the interface with a number similar to 192.168.0.0, usually No. 2.
* Please Specify the port number for the Admin Web UI = Default (943)
* Please Specify the Port Number for the Openvpn Daemon = Default (443)
Tip: Changing the port number can increase security although this is considered security through obscurity as it’s only a delaying tactic if someone wants to hack your server.
* Should client traffic be routed by default through the VPN = Yes
* should RFC1918 subnets be accessible to clients by default = Yes
* Do you wish to login as “Openvpn” = No
* Specify a new username = Type in your current username and press enter – You might encounter an error, but just press enter.
* Please specify the OpenVPN-AS license key = Leave it blank – press Enter

Now OpenVPN will configure itself.

Take note of the web URL provided e.g. -https://192.168.0.0:943/admin- <—-Important!

Accessing the Web UI

Open Firefox and type in the specified URL: -https://192.168.0.0:943/admin-
Tip: Certificate warning: Firefox will warn you that the certificate of the server is not signed. Accept the certificate and create an exception.

Type in your Ubuntu username and password and hit enter
Welcome to the OpenVPN web UI
Notice: Now is a good time to set up a DynDNS account if you have not already done so.

Setting up your router

Port forward the following ports to the IP address of the PC hosting OpenVPN:
TCP: 443
UDP: 1194
Tip: If you're asked to choose a service for the forwarded port choose HTTP.
Enter your DynDNS information into your router and make sure it is updating your IP address and that you have correctly typed in your DynDNS host name.

Setting up the network settings in the WebUI

Server Network Settings

* Hostname or IP Address – Enter your DynDNS hostname here e.g jack-brennan.dyndns.net
* Interface and IP address – Usually, Eth0 192.168.0.0
* Choose your Protocol – I use the setting Both. If you want, you can change the port numbers here to slightly increase the security of your server. Remember to port forward the ports if you change them.

Admin Web UI

* Choose your interface – again choose the one similar to 192.168.0.0
* As above, only change the port numbers if you want to
Notice: You will notice that in the router configuration above, port 943 is not mentioned. That is because you can access the Admin UI by typing in your DynDNS host name followed by /admin e.g. -https://jack-brennan.dyndns.com/admin-, so forwarding port 943 is not necessary.

Save your settings

Testing the Server

* Firstly stop the server
* Scroll down to Tools and click on Connectivity Test
* Test the server….

If the server test failed check the following:

* You have port forwarded the correct ports.
* You have correctly spelled your DynDNS host name in the network settings in the web UI.
* Your DynDNS account is correctly set up in your router.
* Your PC doesn’t have a firewall which is blocking the OpenVPN access server, and any other hardware in your network which acts as a firewall has been set up correctly.

Creating your own SSL certificates

Create the server certificate

* Open a Terminal window

openssl genrsa -aes256 -out server.key 2048

* Enter your passphrase and confirm it.

Create the certificate signing request

openssl req -new -key server.key -out server.csr

* enter passphrase for server certificate

Fill in the following information

Country Name: US
State or Province: Pentagon
Locality Name: Washington
Organization name: Atomic Industries
Organizational unit name: The big bang section
Command Name (your website URL): my-vpn.com
Email address: admin@my-vpn.com

Please enter the following ‘Extra’ attributes to be sent with your certificate request
A challenge password []: Leave blank
An optional company name []: Leave blank

Remove the passphrase from server.key

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

* The newly created server.key file now has no passphrase in it.

Generating self-signed certificate with a life span of 365 days

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

* You should now have 4 files: server.key, server.crt, server.csr and server.key.org

Installing the new SSL certificate

* Open up the OpenVPN web UI and scroll down to Web server (under the configuration sub menu)
* Copy and paste the contents of server.key and server.crt into their respective windows:
Tip: You can use Notepad in Windows to read the contents of the files; just drag and drop

Web server CA bundle – Leave unchanged
server.crt – Web server Certificate
server.key – Web Server Private Key

* Restart the server and log back in. You should now be prompted that the site is using an untrusted certificate. Accept the certificate and view its contents. You should see your information there to confirm that the new certificate is working.

Congratulations and enjoy your new OpenVPN access server!

***UPDATE - Adding clients***

Using https://johns-vpn.dyndns.com as an example URL

Adding Clients to your OpenVPN Server:

Once your server is up and running you will need to install the client software on the machine which will be using the VPN to gain secure access to the internet. This is easily done by simply connecting to your VPN's webpage by typing in the DynDNS URL you created earlier (Remember to have the HTTPS suffix in front of the URL e.g. https://johns-vpn.dyndns.com) and then logging in with your username and password.

Connecting to the VPN

Here are a few ways to connect to your OpenVPN remotely for either configuration or to download and connect the client software:

Connecting to the VPN (user logon): https://johns-vpn.dyndns.com (For some reason I had to connect using the :443 suffix to gain access, so try adding that at the end if you have problems, e.g. https://johns-vpn.dyndns.com:443)

Connecting to the admin panel (admin logon): https://johns-vpn.dyndns.com/admin

Terminal Commands which might be of interest.

Start OpenVPN: /etc/init.d/openvpnas start

Stop OpenVPN: /etc/init.d/openvpnas stop

Restart OpenVPN: /etc/init.d/openvpnas restart

Adding users

Adding users is very simple, just open the terminal window and follow these instructions:

sudo adduser [username]

Then follow the on screen instructions!


Notice: Please do let me know if you find any errors in this guide. Or if you just need help figuring something out. I can be contacted at feedback@jack-brennan-com

Edited by smakme7757
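
Added example, not part of the original post: a shell check for the files produced in the "Creating your own SSL certificates" steps, to run before pasting them into the web UI. It confirms the key is the passphrase-free one, that server.crt was issued for that key, that the certificate is not about to expire, and that the unencrypted key is not readable by other accounts. The function names, the 30-day default and the placeholder name vpn.example.invalid are assumptions; it needs openssl and GNU stat (as on Ubuntu).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity checks for the key and
# certificate produced by the guide's openssl steps.

# Hash of the public key inside a private key file. "-passin pass:" makes
# openssl fail instead of prompting if the key turns out to be encrypted.
key_pub_hash() {
    local pub
    pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# Hash of the public key the certificate was issued for.
cert_pub_hash() {
    local pub
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# usage: check_tls_files KEY CERT [MIN_DAYS_LEFT]; returns 0 only if all checks pass
check_tls_files() {
    local key=$1 crt=$2 days=${3:-30} rc=0 k c
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: $key is still passphrase-protected (server.key.org?)"; return 1
    fi
    if ! { k=$(key_pub_hash "$key") && c=$(cert_pub_hash "$crt") && [ "$k" = "$c" ]; }; then
        echo "FAIL: $crt was not issued for $key"; rc=1
    fi
    if ! openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $crt expires within $days days"; rc=1
    fi
    case $(stat -c %a "$key") in      # GNU stat, as on Ubuntu
        ?00) ;;                       # no group/other permission bits set
        *) echo "FAIL: $key is accessible to group/other; run chmod 600"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: throwaway key and self-signed cert for a placeholder name.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=vpn.example.invalid" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

if [ "$#" -ge 2 ]; then check_tls_files "$@"; fi
```

Run it as `./check.sh server.key server.crt` in the directory holding the files; the leftover server.key.org and server.csr are not needed by the server and can be moved off the machine once the certificate is installed.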


Hey Mate

I found your guide quite interesting, I'm currently in the middle of setting up my OpenVPN server at home.

Though my setup/environment is a little different.

I currently have a white box PC running VMware ESXi 4.1.

I deployed my OpenVPN Access Server from an OVF Template which I found here

Visit My Website

All was going really well until I tried to open the web interface, no bingo.

My Linux skills are quite pathetic but I still managed to get under the hood and have a little bit of a play.

I added an eth01 which I then assigned an IP address, and could ping to, but that's as far as I could really get.

I just called it a night after that.

I might just follow your steps and use Ubuntu.

I've used the VMware version before and it worked extremely well. I remember having to fiddle in the network adapter settings in VMware to get it to run properly though. It's been over a year since I've used OpenVPN through VMware so I really can't be of much help unfortunately :(.

One thing I can tell you though is that running it on a dedicated system running Ubuntu is a hell of a lot easier :).


Good write up smakme. Always been interested in VPNs so will play with this when I get some spare time. This will definitely help!

Cheers


Nice win well deserved win with POTM smakme7757 {:)

Edited by Waltish
