How to Setup an OpenVPN Server to Secure Your Network

VPN configurationShutterstock / Elaine333

Hosting your own VPN server can keep your network secure by allowing you to set up strong firewalls (to block important services like SSH), while still being able to maintain administrative access when connected to the VPN. .

Why would i need a VPN server?

A traditional VPN like TunnelBear will secure your personal computer’s Internet connection by routing your data through an intermediary server. But what it really does under the hood is connect to a VPN, allowing you to access anything the Intermediate Server can access, including devices on the same network.

This is very useful for accessing servers behind firewalls. For the best security, you shouldn’t leave a lot of ports open on your servers. But that causes a problem when you lock down a bunch of ports – you can’t access them either. What if you have a database administration panel hosted on one of your servers? You obviously don’t want this to be open to the world, but you would like to be able to access it when needed. You can lock down access to your IP address, but what if you have multiple admins and what if you want to access it from a cafe, where your IP address would be different?

This is the problem that a VPN server solves. Instead of connecting directly, you instead connect to the VPN server and connect to your private cloud. From there, you can SSH on the database server or on another server running in the same VPC with access to the first. You can now behave as if your traffic is coming from the server you’re connected to, which would make the admin panel visible only when you’re connected through your VPN.

It also has the benefit of securing your connection in places like coffee shops, where your internet browsing is not extremely secure. It’s not the main goal, but it’s good to have it.

Configure an OpenVPN server

Although you can install the command line version of OpenVPN, it is quite complicated and involves the creation of your own certification authority and key management.

What you want is the OpenVPN Access server, which is installable as a package and comes with a web interface to manage your VPN settings. It’s free for two simultaneous connections, which should be sufficient for the simple use case of managing servers behind a firewall. If you need more connections, the real VPN part of OpenVPN is free and open source, you just need to configure everything manually.

One thing to note is that the OpenVPN access server will use port 443 to redirect traffic to the web interface, hosted on port 943. If you have things running on this port, you will either need to use port 943 and manually redirect 443 to your other apps, or just run OpenVPN on a smaller server hosted in the same VPC, as it is quite lightweight with one user.

First, download the OpenVPN package for your distribution. The supported distributions are Ubuntu, Debian, CentOS, and RHEL. Take the link of your package and download it from the command line with wget:

wget http://swupdate.openvpn.org/as/openvpn-as-2.1.12-Ubuntu16.amd_64.deb

Install the package with dpkg on Ubuntu / Debian:

dpkg -i openvpn-as-2.1.12-Ubuntu16.amd_64.deb

On CentOS / RHEL, you will need to use rpm -Uvh on the .rpm file.

During installation, OpenVPN will configure itself with the default settings, configure its private CA to secure your connection, and let you know from where the client web service is served. This is usually just your server’s IP address over HTTPS, but it can also be broadcast without redirection from port 943. The administration UI is broadcast to / admin.

The only thing OpenVPN doesn’t configure is a password. You will want to set a password for the “openvpn” user:

passwd openvpn

You will need to enter it twice and can change it at any time.

Connection to OpenVPN

You can now access the administration user interface, hosted at:

https: // ip-address-of-your-servers / admin

You might get a big red warning from Chrome stating that the certificate is not valid. This is because your VPN server is not recognized as an appropriate certificate authority, which of course is true. However, since you have configured it yourself, you obviously trust the certificate, so you can bypass this warning.

You will be asked for a username and password; just enter “openvpn” then the password you set:

The default authentication method is PAM, which uses local account-based authentication. Create a new user from the “User parameters” tab:

PAM uses local, account-based authentication. Create a new user from the User Settings tab

This is the user that you will use to connect to the VPN service. To access it, you can access customer service, hosted at:

https: // ip-address-of-your-servers /

… Although it can operate on port 943. You will be prompted for your username and password, and you will have two connection options: connect directly to the VPN or connect a client. Choose “Connect Client” because you are not using it as a web browsing VPN.

This will give you a configuration file (client.ovpn), which you can use in any client that supports the OpenVPN protocol. You can use OpenVPN’s own client, or a third party customer like Pritunl, or log in manually with your username and password in the Windows and macOS.

Once you are connected, all of your internet traffic will be routed through the VPN, including requests to other servers. Any SSH connection you make will appear as if the VPN server is making an SSH connection. You will still need to make sure that these servers are configured to allow the VPN server to access them, and you will still want to secure your other servers with SSH keys.

On a service like AWS, some ports might be closed by default. You will need to open ports 443 and 943 on the VPN server and lock ports on other servers so that they can only be accessed from the VPN server’s IP address. However, most of the services will have 80 and 443 open without the need to configure a firewall, as they are primarily used for web traffic.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.