InfoWorld how-to's

How to roll your own VPN

With free open source OpenVPN and a low-cost VPS, you can have a secure connection from any location

Page 3 of 5

We also need to copy some files to our client machine. You can use WinSCP to do this on Windows, the scp command on Linux, or Cyberduck on Mac OS X. Start up your SCP client, connect to the server using the IP address and root credentials you used for the SSH session, and copy these files to your client system:

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/remote1.crt
/etc/openvpn/easy-rsa/keys/remote1.key

These will be used to connect to your VPN server.

Now, we need to create our OpenVPN configuration file. We move to the /etc/openvpn directory, and create a new file (with Nano):

root@localhost:/etc/openvpn/easy-rsa/keys# cd /etc/openvpn
root@localhost:/etc/openvpn # nano vpnserver.conf

Then copy and paste this configuration:

port    10000
proto   udp
dev-type tun
dev     vpnclient
ca      ca.crt
cert    server.crt
key     server.key
dh      dh1024.pem
comp-lzo
duplicate-cn
server  10.200.200.0 255.255.255.0
client-to-client
keepalive 10 120
push    "dhcp-option DNS 8.8.8.8"
push    "redirect-gateway def1"
persist-key
persist-tun
user    nobody
group   nogroup
log     openvpn.log
verb    1

Save the file (Ctrl-O) and exit. Note that if you want to use a different DNS server, you can change the 8.8.8.8 in the example to a server located at your VPS provider, or any DNS server you wish. The 8.8.8.8 server is Google's DNS server.

We're almost done with the server. We just need to configure routing and network address translation:

root@localhost:/etc/openvpn # echo "1" > /proc/sys/net/ipv4/ip_forward
root@localhost:/etc/openvpn # /sbin/iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE

And we need to make these changes persist after a reboot. To make IP forwarding permanent, open /etc/sysctl.conf with Nano:

root@localhost:/etc/openvpn # nano /etc/sysctl.conf

Remove the # at the beginning of the line so that it reads:

net.ipv4.ip_forward=1

Then save the file.

We also need to add the iptables line to be run at startup. A quick way to do this is to add it to /etc/rc.local:

root@localhost:/etc/openvpn # nano /etc/rc.local

Above the line reading "exit 0", paste the iptables command:

/sbin/iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE

The server configuration is now complete. Let's start/restart the OpenVPN service:

root@localhost:/etc/openvpn # service openvpn restart

The way this is configured, a tunnel device will be created on the server, and the address of 10.200.200.1 will be assigned to that device. When a client connects to the server, the client will be assigned an address in the 10.200.200.0/24 network, and all routes will be configured on the client to permit data to pass through the encrypted tunnel to the server-side tunnel interface. Then, the net.ipv4.ip_forward value will allow the VPN server to route that traffic through its public network interface, and (based on the iptables command) NAT will translate traffic from the VPN through the single public IP address. In short, all traffic from a connecting client will be routed through the VPN server.
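To make the link between the server directive and the routing/NAT commands concrete, here is an added Python example (not from the article) that parses a constructed excerpt of the vpnserver.conf shown above, derives the tunnel network, the server's tunnel address and the pushed DNS/gateway options, and emits the matching sysctl and iptables lines; nat_rule_matches checks that the -s network in an rc.local MASQUERADE line agrees with the config. The function and variable names are my own.

```python
import ipaddress
import shlex

# Constructed excerpt of the article's vpnserver.conf (sample input, not read from disk).
VPNSERVER_CONF = """\
dev     vpnclient
server  10.200.200.0 255.255.255.0   # pool handed out to clients
push    "dhcp-option DNS 8.8.8.8"
push    "redirect-gateway def1"
"""

def parse_openvpn_conf(text):
    """Return [(directive, [args]), ...]; drops blank lines and #/; comments, keeps quoted args whole."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            words = shlex.split(line)
            entries.append((words[0], words[1:]))
    return entries

def vpn_network(entries):
    """The 'server <network> <netmask>' directive as an IPv4Network (e.g. 10.200.200.0/24)."""
    for directive, args in entries:
        if directive == "server" and len(args) == 2:
            return ipaddress.IPv4Network(f"{args[0]}/{args[1]}", strict=True)
    raise ValueError("config has no 'server' directive")

def plan_routing(text, public_if="eth0"):
    """Derive the tunnel addressing and the forwarding/NAT lines this config needs."""
    entries = parse_openvpn_conf(text)
    net = vpn_network(entries)
    pushes = [args[0] for directive, args in entries if directive == "push" and args]
    return {
        "network": str(net),                               # 10.200.200.0/24
        "server_tun_addr": str(net.network_address + 1),   # 10.200.200.1, the server's tunnel end
        "redirect_gateway": any(p.startswith("redirect-gateway") for p in pushes),
        "dns": [p.split()[-1] for p in pushes if p.startswith("dhcp-option DNS")],
        "sysctl": "net.ipv4.ip_forward=1",
        "iptables": f"/sbin/iptables -t nat -A POSTROUTING -s {net} -o {public_if} -j MASQUERADE",
    }

def nat_rule_matches(rule, text):
    """True if the -s network in an rc.local MASQUERADE line equals the config's VPN pool."""
    words = shlex.split(rule)
    try:
        source = ipaddress.IPv4Network(words[words.index("-s") + 1], strict=True)
    except (ValueError, IndexError):   # no -s, or a malformed/host-bits network
        return False
    return source == vpn_network(parse_openvpn_conf(text))
```

Running plan_routing against the real file catches the common mistake of editing the server directive later without updating the subnet hard-coded in /etc/rc.local.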
