A VPN allows you to connect to remote VPN servers, making your connection encrypted and secure and surf the web anonymously by keeping your traffic data private.<\/p>\n\n\n\n
There are many commercial VPN providers you can choose from, but you can never be truly sure that the provider is not logging your activity. The safest option is to set up your own VPN server.<\/p>\n\n\n\n
In this tutorial we explain how to install OpenVPN on your ServerHub Bare Metal Server or VPS.
OpenVPN is an open source VPN application that lets you create and join a private network securely over the internet <\/p>\n\n\n\n
To complete this tutorial, you will need:<\/p>\n\n\n\n
Configuring easy-rsa<\/strong><\/p>\n\n\n\n To configure this CLI utility, you\u2019ll need to generate several keys and certificates including:<\/p>\n\n\n\n 1. Certificate Authority (CA)<\/p>\n\n\n\n 2. Server Key and Certificate<\/p>\n\n\n\n 3. Diffie-Hellman key<\/a><\/p>\n\n\n\n 4. Client Key and Certificate<\/p>\n\n\n\n Here is what you need to do:<\/p>\n\n\n\n Step 1: Copy the easy-rsa script generation to \u201c\/etc\/OpenVPN\/\u201d.<\/strong><\/p>\n\n\n\n cp -r \/usr\/share\/easy-rsa\/ \/etc\/openvpn\/<\/p>\n\n\n\n Then click on the easy-rsa directory and make changes to the vars file.<\/p>\n\n\n\n cd \/etc\/openvpn\/easy-rsa\/2.*\/<\/p>\n\n\n\n vim vars<\/p>\n\n\n\n After this, we can generate new keys and certificates to help us with installation.<\/p>\n\n\n\n source .\/vars<\/p>\n\n\n\n Run clean-all to make sure that you are left with a clean certificate setup.<\/p>\n\n\n\n .\/clean-all<\/p>\n\n\n\n Now it\u2019s time to generate a certificate authority (ca). Here you\u2019ll be asked several details such as Country Name, etc., enter your details.<\/p>\n\n\n\n This command will create a ca.key and ca.crt in the \/etc\/OpenVPN\/easy-rsa\/2.0\/keys\/ directory.<\/p>\n\n\n\n .\/build-ca<\/p>\n\n\n\n Step 2: Generating a Server Key and Certificate<\/strong><\/p>\n\n\n\n You need to run the command \u201cbuild-key-server server\u201d in the existing directory.<\/p>\n\n\n\n .\/build-key-server server<\/p>\n\n\n\n Step 3: Building a Diffie-Hellman Key Exchange<\/strong><\/p>\n\n\n\n Execute this build-dh command:<\/p>\n\n\n\n .\/build-dh<\/p>\n\n\n\n It might take some time to generate these files. The waiting time depends on the KEY_SIZE you have set on the file vars.<\/p>\n\n\n\n Step 4: Generating Client Key and Certificate<\/strong><\/p>\n\n\n\n .\/build-key client<\/p>\n\n\n\n Step 5: Move or copy the `keys\/` directory to `\/etc\/opennvpn`.<\/strong><\/p>\n\n\n\n cd \/etc\/openvpn\/easy-rsa\/2.0\/<\/p>\n\n\n\n cp -r keys\/ \/etc\/openvpn\/<\/p>\n\n\n\n Configure OpenVPN<\/strong><\/p>\n\n\n\n You can either copy an OpenVPN configuration or create one from scratch. You can copy it from \/usr\/share\/doc\/openvpn-2.3.6\/sample\/sample-config-files.<\/p>\n\n\n\n Here is how you can create one:<\/p>\n\n\n\n cd \/etc\/openvpn\/<\/p>\n\n\n\n vim server.conf<\/p>\n\n\n\n Paste this configurations<\/p>\n\n\n\n #change with your port Save it.<\/p>\n\n\n\n Now you need to create a new folder for the log file.<\/p>\n\n\n\n mkdir -p \/var\/log\/myvpn\/<\/p>\n\n\n\n touch \/var\/log\/myvpn\/openvpn.log<\/p>\n\n\n\n How to Disable Selinux and Firewalld<\/strong><\/p>\n\n\n\n Step 1: disabling firewalld<\/p>\n\n\n\n systemctl mask firewalld<\/p>\n\n\n\n systemctl stop firewalld<\/p>\n\n\n\n Step 2: Disabling SELinux<\/p>\n\n\n\n vim \/etc\/sysconfig\/selinux<\/p>\n\n\n\n Ensure you make SELINUX as disabled.<\/p>\n\n\n\n SELINUX=disabled<\/p>\n\n\n\n Now reboot your server to incorporate the changes.<\/p>\n\n\n\n Configure Routing and Iptables<\/strong><\/p>\n\n\n\n Step 1: you need to enable iptables<\/p>\n\n\n\n systemctl enable iptables<\/p>\n\n\n\n systemctl start iptables<\/p>\n\n\n\n iptables \u2013F<\/p>\n\n\n\n Step 2: Add iptable-rule so as to forward the routing to our OpenVPN subnet.<\/p>\n\n\n\n iptables -t nat -A POSTROUTING -s 192.168.200.024 -o eth0 -j MASQUERADE<\/p>\n\n\n\n iptables-save > \/etc\/sysconfig\/iptablesvpn<\/p>\n\n\n\n Step 3: Now enable port forwarding<\/p>\n\n\n\n vim \/etc\/sysctl.conf<\/p>\n\n\n\n Then add this to the end of the line:<\/p>\n\n\n\n net.ipv4.ip_forward = 1.<\/p>\n\n\n\n Step 4: Restart your network server<\/p>\n\n\n\n systemctl start openvpn@server<\/p>\n","protected":false},"excerpt":{"rendered":" A VPN allows you to connect to remote VPN servers, making your connection encrypted and secure and surf the web anonymously by keeping your traffic data private. There are many commercial VPN providers you can choose from, but you can never be truly sure that the provider is not logging your activity. The safest option … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[7,41],"tags":[44,8,43,42],"class_list":["post-60","post","type-post","status-publish","format-standard","hentry","category-linux-administration","category-vpn-tunnels","tag-how-to","tag-linux","tag-openvpn","tag-vpn"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/serverhub.com\/kb\/wp-json\/wp\/v2\/posts\/60","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/serverhub.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serverhub.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serverhub.com\/kb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/serverhub.com\/kb\/wp-json\/wp\/v2\/comments?post=60"}],"version-history":[{"count":0,"href":"https:\/\/serverhub.com\/kb\/wp-json\/wp\/v2\/posts\/60\/revisions"}],"wp:attachment":[{"href":"https:\/\/serverhub.com\/kb\/wp-json\/wp\/v2\/media?parent=60"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serverhub.com\/kb\/wp-json\/wp\/v2\/categories?post=60"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serverhub.com\/kb\/wp-json\/wp\/v2\/tags?post=60"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
port 1337
#You can use udp or tcp
proto udp
# \u201cdev tun\u201d will create a routed IP tunnel.
dev tun
#Certificate Configuration
#ca certificate
ca \/etc\/openvpn\/keys\/ca.crt
#Server Certificate
cert \/etc\/openvpn\/keys\/server.crt
#Server Key and keep this is secret
key \/etc\/openvpn\/keys\/server.key
#See the size a dh key in \/etc\/openvpn\/keys\/
dh \/etc\/openvpn\/keys\/dh1024.pem
#Internal IP will get when already connect
server 192.168.200.0 255.255.255.0
#this line will redirect all traffic through our OpenVPN
push \u201credirect-gateway def1\u201d
#Provide DNS servers to the client, you can use goolge DNS
push \u201cdhcp-option DNS 8.8.8.8\u201d
push \u201cdhcp-option DNS 8.8.4.4\u201d
#Enable multiple client to connect with same key
duplicate-cn
keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon
#enable log
log-append \/var\/log\/myvpn\/openvpn.log
#Log Level
verb 3<\/p>\n\n\n\n