Nowadays, VPN technology becomes more popular. Ordinary users use VPN to safely access the Internet. It also helps get around locally blocked websites and services and protect against possible external malicious behavior. When you’re connecting to a VPN server, there’s a safe tunnel between your computer and the server that cannot be accessed from outside, so the VPN server becomes your Internet access point. There are lots of VPN services out there, both free and paid, but if they don’t work for you for some reason, you can always configure your own VPN server.
To run your oun VPN, you should rent VPS server. There’s different software that lets you create a VPN connection. It differs from each other by operating systems supported and algorithms used. We will take a look at two independent approaches to set up a VPN server. The first one is based on PPTP protocol that is already considered obsolete and not secure but is really easy to configure. The other one employs modern and secure software OpenVPN but requires installing a third-party client application and a more thorough setup process.
In our test environment, we are going to use a virtual server powered by Ubuntu Server 18.04. A firewall is going to be switched off on the server because its configuration deserves a separate article. We will describe the setup process on Windows 10.
No matter which VPN server you choose, the Internet access will be set up by integrated means of the operating system. In order to open Internet access through an external service interface you have to allow packet forwarding between the interfaces and configure network address translation.
To switch on packet forwarding open the file “/etc/sysctl.conf” and change “net.ipv4.ip_forward” parameter value into 1.
In order to apply changes without rebooting the computer, run the command
sudo sysctl -p /etc/sysctl.conf
Network address translation is configured by the means of iptables. First, check the name of your external network interface running the command “ip link show” - you will need it at the next step. Our name is “ens3”.
Enable network address translation at your external interface for all local network nodes.
sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
Note that you need to specify the real name of your server’s interface, it can be different from ours.
By default, all rules created by iptables are reset after the server restart. In order to prevent that, use “iptables-persistent” utility. Install the following packet:
sudo apt install iptables-persistent
At some point during the installation process, you will see a configuration window that will suggest you saving current iptables rules. Since the rules are already defined, just confirm and click “Yes” twice. Since now the rules will be applied automatically after the server restart.
Install the packet:
sudo apt install pptpd
After the installation ends, open the file “/etc/pptpd.conf” in any text editor and edit it like this:
option /etc/ppp/pptpd-options #path to the settings file
logwtmp #client connections logging mechanism
connections 100 #number of simultaneous connections
localip 172.16.0.1 #the address that will serve as a client gateway
remoteip 172.16.0.2-200 #range of addresses
After that, edit the file “/etc/ppp/pptpd-options”. Most of the parameters are set up by default.
#name of the service for new client records
#restrict obsolete authentication methods
#allow a more secure authentication method
#specify dns servers for clients (use any available servers)
At the next stage, you will need to create a record for client connections. Let’s say you want to add a user “vpnuser” with password “1” and allow dynamic addressing for him. Open the file “/etc/ppp/chap-secrets” and add the following line with the user’s parameters at the end of the file:
vpnuser pptpd 1 *
“pptpd” value is the name of the service that we specified in the file “pptpd-options”. Instead of “*” you can specify a fixed IP address. In the result, the file “chap-secrets” should look like this:
To apply the settings reset the pptpd service and add it to autoloading.
sudo systemctl restart pptpd
sudo systemctl enable pptpd
Server configuration is finished.
Open “Start” - “Settings” - “Network & Internet” - “VPN” and click “Add a VPN connection”
Enter the connection parameters in the window opened and click “Save”
After saving parameters, you will see the new VPN connection in the window. Left-click the connection and select “Connect”. In the case of a successful connection, you will see “Connected” status.
In the Options, you will find internal addresses of the client and the server. Field “Destination address” displays the external server address.
When connected, the internal IP address of the server, 172.16.0.1 in our case, becomes the default gateway for all outgoing packets.
Using any online service you can make sure that the external IP address of the computer is now the same as your VPN server’s IP address.
Let’s promote the permissions level of the current user because for our further configuration we will need root access.
Install all the necessary packets. We will need “Easy-RSA” packet to manage encryption keys.
apt install openvpn easy-rsa
Create a symbolic link to the configuration file OpenSSL. Otherwise. the system will throw an error when trying to load variable.
ln -s /usr/share/easy-rsa/openssl-1.0.0.cnf /usr/share/easy-rsa/openssl.cnf
Go to the work directory of the easy-rsa utility, load the variables and clear old configurations.
Then proceed to create the keys. Generate a Diffie–Hellman key. It may take some time.
Generate certification center../build-ca
During that process, you will have to answer some questions and enter the key owner’s information. You can leave default values in the brackets. Click “Enter” to finish.
Generate keys for the server. Set any value as a parameter. In our case, it’s “vpn-server”
Answer the questions, just like at the previous step or leave default values. Press “y” at the final stage twice.
The keys generation is finished. You can find all the files in the “/usr/share/easy-rsa/keys” folder now.
Now let’s create the “keys” folder in the OpenVPN work directory to store the keys and copy all the necessary files in there.
cp ca.crt dh2048.pem vpn-server.key vpn-server.crt /etc/openvpn/keys/
Copy the config file template and unpack it into “/etc/openvpn/” directory.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
Open the file “/etc/openvpn/server.conf” for editing, make sure it contains the following lines, and edit them if needed:
#Port, protocol, and interface
#Path to the encryption keys
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push “dhcp-option DNS 126.96.36.199”
push “dhcp-option DNS 188.8.131.52”
#Switching off additional encryption
#tls-auth ta.key 0
#Switching on compression
push "compress lz4-v2"
#Demoting the service OpenVPN after launch
#Switching on parameters saving after reboot
Leave the rest unchanged.
Restart OpenVPN to apply the configuration.
systemctl restart openvpn
The server configuration is finished!
Go to the official website of OpenVPN “https://openvpn.net”, go to the “COMUNITY” - “DOWNLOADS” section
and download the installation file for your operating system. In our case, it’s Windows 10.
Install the application leaving all parameters by default.
At the next stage you will need to prepare the following file on the server and transfer them to the client computer:
Connect to the server, promote the permissions level, and go to the work directory of the “easy-rsa” utility and load the variables
Generate the key pair for the client. Set any name as the parameter (in our case it’s “client1”).
Answer the questions entering your info or just press “ENTER” to leave default values. After that, press “y” twice.
You can find the generated keys in the “/usr/share/easy-rsa/keys/” folder. To make it more convenient, create “client1” folder in the home directory and copy all the files in it that you need to distribute to the client.
cp client1.crt client1.key ca.crt ~/client1/
Copy the client config file template to the same directory. Change the file extension to “.ovpn” while copying.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client1/client.ovpn
Change the owner of the directory and all the files “~/client1/” to be able to distribute them to the client. Let’s make “mihail” the owner in our case.
chown -R mihail:mihail ~/client1
Go to the client computer and copy the content of the “~/client1/” folder. You can do that with the help of “PSCP” utility, that goes with Putty.
PSCP -r [email protected][IP_сервера]:/home/mihail/client1 c:\client1
You can store key files “ca.crt”, “client1.crt”, “client1.key” wherever you want. In our case, they are in this folder “c:\Program Files\OpenVPN\keys”, and we mode the config file “client.ovpn” into the “c:\Program Files\OpenVPN\config” directory.
Now let’s get to configuring the client. Open the file “c:\Program Files\OpenVPN\config\client.ovpn” in a text editor and edit the following lines:
#announce that this is the client
#interface and protocol just like on the server
#IP address of the server and port
remote ip_address 1194
#saving parameters after reload
ca “c:\\Program Files\\OpenVPN\\keys\\ca.cert”
cert “c:\\Program Files\\OpenVPN\\keys\\client1.crt”
key “c:\\Program Files\\OpenVPN\\keys\\client1.key”
#enable server verification
#disable extra encryption
#tls-auth ta.key 1
Leave the rest untouched.
Save the file and launch the client application “OpenVPN GUI”.
Right-click on the app icon in the taskbar and choose “Connect”. If the connection is successful the icon will turn green.
Use any online service to make sure your public IP address has changed and is now the same as the server’s IP address.