How to Secure Your Internet Connection with OpenVPN on Linux
Boost Your Online Privacy with OpenVPN on Ubuntu
We will install the OpenVPN server on Ubuntu 20.04. To do this, you need to log in as the root user. You also must know the public IP of the server with which clients will establish a secure VPN channel.
OpenVPN installation and configuration
We will use the script to install and configure all the necessary packages to start the OpenVPN server. All you have to do is provide it with the correct public IP address of your server.
Download it with the command below. It is a plain shell script that will run as root, so read through it before executing it.
wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
Make it executable.
chmod +x openvpn-install.sh
If ufw or firewalld is active, stop it before running the script so it does not clash with the iptables rules the script installs for its port and NAT. Do not leave the host unfirewalled for good: either use the Shorewall configuration below or re-enable your firewall afterwards with the OpenVPN port and the forwarding/NAT rules allowed.
ufw disable
systemctl stop firewalld
Now run the script.
./openvpn-install.sh
You will be asked to confirm some parameters that have optimal values by default. The only thing that is worth checking is the public IP of the server. Other parameters should only be changed if you understand what you are doing and why.
You can also run the script without waiting for user input, in an automated manner.
AUTO_INSTALL=y ./openvpn-install.sh
In the last step, you need to set the client name and choose whether to protect the configuration with a password. The password encrypts the private key embedded in the .ovpn file, so a copied or stolen file is useless without it; for security reasons, set one.
When the process is over, check that the OpenVPN server is listening for incoming connections (UDP 1194 by default).
ss -tulpn | grep openvpn
(netstat -tupln shows the same if net-tools is installed; it is no longer part of a default Ubuntu install.)
If clients should also reach a private network behind the server, open /etc/openvpn/server.conf
vim /etc/openvpn/server.conf
and add a push line for that network. The first argument is the network address, not the server's own address on the LAN (a host address with a /24 mask is a network/netmask mismatch). The example advertises 172.16.0.0/24; change it to your subnet.
push "route 172.16.0.0 255.255.255.0"
Restart the service for the change to take effect; on Ubuntu the script sets it up as openvpn@server.
systemctl restart openvpn@server
iptables rule for the advertised network
The script already NATs client traffic that leaves through the public interface. For the private network, add a second rule on the LAN interface, restricted to the VPN client subnet (10.8.0.0/24 is the script's default):
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.0.1
-o eth1 is the private network interface; --to-source 172.16.0.1 is the OpenVPN server's own address on that interface. LAN hosts then see VPN clients as 172.16.0.1 and need no return route. A rule added like this is lost on reboot; persist it with iptables-persistent (apt install iptables-persistent, then netfilter-persistent save).
Enable Linux IP forwarding
The server must forward packets between tun0 and the private network. Either command below turns forwarding on immediately, but only until the next reboot:
echo 1 > /proc/sys/net/ipv4/ip_forward
OR
sysctl -w net.ipv4.ip_forward=1
To make it permanent, add net.ipv4.ip_forward = 1 to /etc/sysctl.conf (or a file under /etc/sysctl.d/) and load it with sysctl -p. To check the effective value, type
sysctl net.ipv4.ip_forward
in the command line; it must print net.ipv4.ip_forward = 1.
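The push route and the SNAT rule above are easy to get subtly wrong (a host address where a network address belongs, a rule that NATs everything instead of only VPN clients). The script below is an added example for this tutorial, not part of angristan's script or the original page; it changes nothing on the system and only generates the two lines, refusing host addresses and malformed netmasks. The VPN client subnet 10.8.0.0/24, LAN 172.16.0.0/24 behind eth1 and server LAN address 172.16.0.1 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial or angristan's script).
# Generates the server.conf "push route" line and the SNAT rule for the
# advertised private network, validating the inputs first. Assumed values:
# VPN client subnet 10.8.0.0/24, LAN 172.16.0.0/24 on eth1, server LAN IP 172.16.0.1.

# valid_ipv4 A.B.C.D -> exit 0 only for four octets in 0..255
valid_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*|'') return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# ip_to_int 172.16.0.1 -> 2886729729 (dotted quad as a 32-bit integer)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 2886729728 -> 172.16.0.0
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# valid_netmask 255.255.255.0 -> 0. A real mask is a run of ones followed by
# zeros, so the inverted mask plus one must be a power of two.
valid_netmask() {
    valid_ipv4 "$1" || return 1
    m=$(ip_to_int "$1")
    inv=$(( (~m & 4294967295) + 1 ))
    [ $(( inv & (inv - 1) )) -eq 0 ]
}

# network_address 172.16.0.1 255.255.255.0 -> 172.16.0.0
network_address() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# push_route_line <any address in the LAN> <netmask>
# Prints the server.conf line with the network address, which is what OpenVPN
# expects; 'push "route 172.16.0.1 255.255.255.0"' is a host/mask mismatch.
push_route_line() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    valid_netmask "$2" || { echo "bad netmask: $2" >&2; return 1; }
    printf 'push "route %s %s"\n' "$(network_address "$1" "$2")" "$2"
}

# snat_rule <vpn client subnet> <LAN interface> <server LAN address> [<LAN netmask>]
# Prints the iptables rule limited to traffic that really comes from VPN clients,
# and rejects a network address (e.g. 172.16.0.0) as --to-source.
snat_rule() {
    vpn=$1 iface=$2 src=$3 mask=${4:-255.255.255.0}
    valid_ipv4 "$src" || { echo "bad --to-source: $src" >&2; return 1; }
    valid_netmask "$mask" || { echo "bad netmask: $mask" >&2; return 1; }
    [ "$(network_address "$src" "$mask")" != "$src" ] ||
        { echo "$src is a network address, not a host address" >&2; return 1; }
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$vpn" "$iface" "$src"
}

# Demo with the assumed addresses: prints the two lines, applies nothing.
push_route_line 172.16.0.1 255.255.255.0
snat_rule 10.8.0.0/24 eth1 172.16.0.1
```

Run it as a normal user, paste the first line into server.conf and run the second as root; the functions also work for any other LAN, e.g. push_route_line 192.168.10.77 255.255.0.0 yields the 192.168.0.0/16 route.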
If you use Shorewall instead of raw iptables, follow the steps below.
Configuring Shorewall to work with OpenVPN
We assume Shorewall is already installed with the usual net, loc and $FW zones and is running.
Don't have Shorewall? Install it with apt install shorewall.
Configuration needed in the Shorewall files:
- edit zones
vim /etc/shorewall/zones
add the following
vpn ipv4
- edit interfaces
vim /etc/shorewall/interfaces
add the following (?FORMAT 2 layout, ZONE INTERFACE OPTIONS, which Shorewall 5 uses by default; in the old format a BROADCAST column of - goes before the options)
vpn tun0 tcpflags,logmartians,nosmurfs,sourceroute=0
The dhcp option is left out because a tun interface carries no DHCP and the option would allow DHCP traffic through it; physical=tun0 is redundant when the interface is already named tun0.
- edit rules
vim /etc/shorewall/rules
add the following (adjust the protocol and port if you changed them in the script)
ACCEPT net $FW udp 1194
- edit snat for the masquerade/forwarding policy
vim /etc/shorewall/snat
add the following, replacing PUBLIC_IP with the server's public address (use MASQUERADE 10.8.0.0/24 eth0 instead of the first line if the public address is dynamic)
SNAT(PUBLIC_IP) 10.8.0.0/24 eth0
SNAT(172.16.0.1) 10.8.0.0/24 eth1
- edit policy
vim /etc/shorewall/policy
Policies are evaluated in order, so add the following near the top, before the catch-all entries such as net all DROP and all all REJECT
vpn net ACCEPT
vpn $FW ACCEPT
$FW vpn ACCEPT
loc vpn ACCEPT
vpn loc ACCEPT
The two loc/vpn lines give VPN clients and the LAN full mutual access; if only some services should be reachable, replace them with specific entries in the rules file. Finally validate and apply the configuration:
shorewall check && shorewall restart
OpenVPN client connection
We will use another Ubuntu machine to show the client connection process. You can configure any Linux system in this way or download the Windows client from the OpenVPN website: https://openvpn.net/community-downloads/
At the end of the OpenVPN server configuration process, you will see a message stating that the client configuration has been created and the path to it. Copy it to the client over an authenticated, encrypted channel such as scp or sftp. Do not use plain FTP or e-mail: the file contains the client's private key.
Install the OpenVPN client.
sudo apt install openvpn
Now start the client as root (creating the tun interface requires it) and specify the path to the configuration downloaded from the server. If you protected the configuration with a password, you will be prompted for it.
sudo openvpn --config user.ovpn
The following line in the output shows that the connection was established successfully.
Wed Dec 9 19:59:58 2022 Initialization Sequence Completed
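Before importing a profile that was copied around, it is worth checking that it still carries the directives that protect the client against an impersonated server. The script below is an added example for this tutorial, not part of angristan's script or the original page. The two sample profiles are constructed here for the demo; the address 203.0.113.10 and the PLACEHOLDER certificate and key bodies are placeholders, not real material, and the CA and client certificate blocks are omitted for brevity.

```shell
#!/bin/sh
# Added example (not from the original tutorial or angristan's script):
# flags client-profile settings that weaken protection against a rogue server.
# Sample profiles below are constructed; 203.0.113.10 and PLACEHOLDER are not real.

# check_ovpn <profile>: prints FAIL/WARN lines, exits 0 only when nothing is flagged
check_ovpn() {
    f=$1 flagged=0
    # Without this, any certificate signed by the VPN CA (another client's, say)
    # is accepted as the server, so a rogue client can sit in the middle.
    if ! grep -Eq '^remote-cert-tls[[:space:]]+server' "$f"; then
        echo "FAIL: missing 'remote-cert-tls server'"; flagged=$((flagged + 1))
    fi
    # tls-crypt (or tls-auth) authenticates every control-channel packet.
    if ! grep -Eq '^(tls-crypt|tls-auth)([[:space:]]|$)|^<(tls-crypt|tls-auth)>' "$f"; then
        echo "FAIL: no tls-crypt/tls-auth key"; flagged=$((flagged + 1))
    fi
    # 64-bit block ciphers (SWEET32) and 'none' must not be the data-channel cipher.
    if grep -Eq '^cipher[[:space:]]+(BF-CBC|DES[-A-Z0-9]*|RC2[-A-Z0-9]*|none)' "$f"; then
        echo "FAIL: weak data-channel cipher: $(grep -E '^cipher' "$f")"; flagged=$((flagged + 1))
    fi
    if ! grep -Eq '^tls-version-min[[:space:]]+1\.[23]' "$f"; then
        echo "WARN: no 'tls-version-min 1.2' (older TLS accepted)"; flagged=$((flagged + 1))
    fi
    # The installer offers to password-protect the key; a plain key makes a copied file usable as-is.
    if grep -q '^<key>' "$f" && ! grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo "WARN: embedded private key is not password-protected"; flagged=$((flagged + 1))
    fi
    [ "$flagged" -eq 0 ]
}

# Constructed sample of a hardened profile (ca/cert blocks omitted, bodies replaced).
write_hardened_profile() {
cat <<'EOF'
client
proto udp
remote 203.0.113.10 1194
dev tun
remote-cert-tls server
verify-x509-name server_example name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
verb 3
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Constructed sample of a legacy profile missing the protections above.
write_weak_profile() {
cat <<'EOF'
client
proto udp
remote 203.0.113.10 1194
dev tun
cipher BF-CBC
auth SHA1
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
EOF
}

# Demo: no root and no network needed; run check_ovpn on the file copied from the server.
tmp=$(mktemp -d)
write_hardened_profile > "$tmp/hardened.ovpn"
write_weak_profile > "$tmp/weak.ovpn"
for p in "$tmp/hardened.ovpn" "$tmp/weak.ovpn"; do
    echo "== $p"
    check_ovpn "$p" && echo "OK: nothing flagged"
done
rm -rf "$tmp"
```

On the weak sample the checker reports three FAIL and two WARN lines and exits non-zero; the hardened sample passes. Run check_ovpn user.ovpn on the real profile before starting the client.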
Add more OpenVPN clients or delete one
To add or remove clients on the server or delete OpenVPN, run the script again and select the appropriate option.
./openvpn-install.sh
Output:
What do you want to do?
1) Add a new user
2) Revoke existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]:
Choose option 1 and enter a username; the script writes a new .ovpn file for that client. Option 2 revokes a client's certificate, which is the only way to lock out a lost or stolen profile, since the file itself cannot be recalled.
That's it. You now have an OpenVPN server running with a client configuration.
This script can be found in the GitHub repo https://github.com/angristan/openvpn-install
Thanks, angristan for the script.