Install OpenVPN and configure the server on Windows and Linux

An OpenVPN server is configured so that clients can connect to the VPN easily. It lets users connect from any Internet connection for secure access, including to remote networks behind the router, even when the user is outside that network's NAT. OpenVPN client software is available for many operating systems.

Access to a reliable VPN platform also brings other benefits, such as a higher level of security on public Wi-Fi. These services transmit data over the Internet through an encrypted tunnel. When configuring an OpenVPN server, several encryption protocol options are available.

Project history

It was founded by James Yonan and demonstrated to the public in 2002. Yonan had been developing software for the original IBM PC. He is still involved in the project, is a co-founder of the company, and is the technical director of OpenVPN Technologies.

One reason for the popularity of server configuration with OpenVPN is that it supports all major operating systems (Windows, macOS and Linux), the Android and iOS mobile platforms, and also the less common FreeBSD, QNX, Solaris, Maemo and Windows Mobile.

The whole point of the VPN protocol is to provide a high level of security. It performs up to 256-bit encryption through OpenSSL, a widely deployed software library used to protect messages across networks; it supports conventional encryption in static-key mode via pre-shared keys (PSKs), as well as protection using client and server certificates.

Configure OpenVPN Remote Access Server

The number of VPN users grows every year, so information about how the system works and its common functions is in high demand.

Remote access to the OpenVPN VPN can be configured easily using the wizard:

  • Go to VPN > OpenVPN and click the "Wizard" tab to start it.
  • Select the desired authentication settings. Most often this is set to local user access.
  • User authentication. When configuring the AC66U, OpenVPN servers are run with RADIUS authentication through Active Directory.
  • Click "Next".
  • Fill in the fields to create a new certificate authority. The descriptive name is used as the common name; do not use spaces, punctuation or special characters.
  • Key length: the higher, the better, but a longer key uses more CPU.
  • The e-mail address is only used as a reference in the certificate; the system does not send any mail to it.
  • Click "Add new CA".
  • Fill in the fields to create a new server certificate. Most of the information is carried over and does not need to be changed.
  • Click "Create a new certificate".
  • Enter the configuration for the VPN server.
  • Enable TLS authentication. Mark the checkbox together with the box below it to create a new key. Using a TLS key is technically optional but highly recommended: some OpenSSL attacks, such as Heartbleed, were mitigated by the TLS key.
  • Other values can be set as desired (parameters such as compression, DNS and NetBIOS).
  • Click "Next".
  • The next screen offers to add firewall rules automatically. If the rules are not managed manually, check both options for convenience.
  • Click Next and Finish to close the wizard.

Checking optimal settings

To establish the optimal connection settings, check the firewall rules on the WAN and OpenVPN tabs. The WAN tab rule should point to the OpenVPN port on the WAN address and allow all traffic.

Some parameters are not offered by the wizard but suit certain situations better than the defaults the wizard selects.

The OpenVPN 2.4 server mode on Windows lets you choose between requiring certificates, user authentication, or both.

The wizard uses Remote Access (SSL/TLS + User Auth) by default. The possible values for this choice and their advantages:

  • Remote access (SSL/TLS + User Auth). Certificates and a username/password are both required.
    • Each user has a unique client configuration, which includes their personal certificate and key.
    • There are several authentication factors: the TLS key and certificate, plus the username/password.
  • Remote access (SSL/TLS). Certificates only, without user authentication.
    • Each user has a unique client configuration, which includes their personal certificate and key.
    • Less secure, since it relies only on the user having the TLS key and certificate.
  • Remote access (User Auth). User authentication only.
    • Clients are not required to have individual certificates.
    • Used for external authentication (RADIUS, LDAP).
    • All clients can use the same exported configuration and software package.
    • Less secure, because it relies only on what the user knows: a name and password.
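As an added example (not from the article, pfSense or OpenVPN itself), the following POSIX shell script reads a server configuration file and reports which of the three modes above it enforces, with warnings for the settings the wizard section recommends (a TLS key, a CRL) and for compression. The two sample configurations it writes are constructed for the demo; the directive names are OpenVPN 2.4's.

```shell
#!/bin/sh
# Added example: classify an OpenVPN server.conf by the authentication mode it
# enforces and flag settings weaker than the wizard defaults.
# Assumptions: OpenVPN 2.4+ directive names; the sample configs are constructed.

# True if the config has a non-comment line starting with directive $2.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print one of: cert+user (SSL/TLS + User Auth), cert-only (SSL/TLS),
# user-only (User Auth), none.
openvpn_auth_mode() {
    conf=$1
    certs=yes
    # Client certificates are required unless the server explicitly turns them off.
    if grep -Eq '^[[:space:]]*verify-client-cert[[:space:]]+none' "$conf" \
       || has_directive "$conf" 'client-cert-not-required'; then
        certs=no
    fi
    users=no
    # Username/password checks arrive through a script or an auth plugin.
    if has_directive "$conf" 'auth-user-pass-verify' \
       || grep -Eq '^[[:space:]]*plugin[[:space:]].*auth' "$conf"; then
        users=yes
    fi
    case "$certs/$users" in
        yes/yes) echo cert+user ;;
        yes/no)  echo cert-only ;;
        no/yes)  echo user-only ;;
        *)       echo none ;;
    esac
}

# Print one warning per line; prints nothing for a config that matches the
# wizard's recommended settings.
openvpn_hardening_warnings() {
    conf=$1
    if ! has_directive "$conf" 'tls-auth' && ! has_directive "$conf" 'tls-crypt'; then
        echo "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"
    fi
    if ! has_directive "$conf" 'crl-verify'; then
        echo "no crl-verify: revoked client certificates are still accepted"
    fi
    if has_directive "$conf" 'comp-lzo' || has_directive "$conf" 'compress'; then
        echo "compression enabled: compression-oracle attacks (VORACLE) apply"
    fi
    if [ "$(openvpn_auth_mode "$conf")" = "none" ]; then
        echo "no client certificates and no user auth: any holder of the CA cert connects"
    fi
    return 0
}

# Constructed sample: roughly what the wizard default (SSL/TLS + User Auth) yields.
write_wizard_sample() {
    cat > "$1" <<'EOF'
dev tun
proto udp
port 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
crl-verify /etc/openvpn/crl.pem
auth-user-pass-verify /etc/openvpn/check-user.sh via-env
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
EOF
}

# Constructed sample: User Auth only, no TLS key, no CRL, compression on.
write_weak_sample() {
    cat > "$1" <<'EOF'
dev tun
proto udp
port 1194
verify-client-cert none
username-as-common-name
auth-user-pass-verify /etc/openvpn/check-user.sh via-env
comp-lzo
server 10.8.0.0 255.255.255.0
EOF
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    for sample in write_wizard_sample write_weak_sample; do
        "$sample" "$tmp"
        echo "$sample: mode=$(openvpn_auth_mode "$tmp")"
        openvpn_hardening_warnings "$tmp" | sed 's/^/  warning: /'
    done
    rm -f "$tmp"
fi
```

Run it as `sh check-openvpn.sh demo` to see both samples classified, or call `openvpn_auth_mode /etc/openvpn/server.conf` against a real file. The check is deliberately conservative: it treats a missing `verify-client-cert` as "certificates required", which is OpenVPN's default.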

Revoking compromised certificates

Such certificates can be revoked by creating a certificate revocation list (CRL) under System > Cert Manager on the Certificate Revocation tab, adding the certificates to it, and then selecting that CRL in the OpenVPN server settings.
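What a CRL actually does can be shown with OpenSSL alone. The following shell script is an added example, not pfSense's or the article's own code: it builds a disposable CA, issues one client certificate, revokes it and regenerates the CRL, then verifies the certificate against the CRL the way an OpenVPN server with crl-verify would. The CA name "Demo VPN CA" and the client name client1 are placeholders, and the keys are created without a passphrase only because they are thrown away.

```shell
#!/bin/sh
# Added example: a throwaway CA, one client certificate, revocation and a
# CRL check with plain openssl. Everything here is constructed and disposable.

# Write a minimal openssl.cnf for "openssl ca" into directory $1 and create
# the CA key, CA certificate and an (initially empty) CRL.
make_demo_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    # Self-signed CA certificate (placeholder name, demo only).
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 30 \
        -subj "/CN=Demo VPN CA" 2>/dev/null
    # An empty CRL so that CRL checking works before anything is revoked.
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Issue a client certificate named $2 (CN=$2) under the CA in $1.
issue_client() {
    dir=$1; name=$2
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
    openssl ca -batch -config "$dir/ca.cnf" -in "$dir/$name.csr" \
        -out "$dir/$name.crt" -days 30 -notext >/dev/null 2>&1
}

# Revoke client $2 and publish a fresh CRL; this crl.pem is what the server's
# "crl-verify" directive would point at.
revoke_client() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" >/dev/null 2>&1
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# Print "valid", "revoked" or "error: ..." for client $2, checking the CRL.
cert_status() {
    out=$(openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" \
              -crl_check "$1/$2.crt" 2>&1) || true
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo "error: $out" ;;
    esac
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_demo_ca "$work"
    issue_client "$work" client1
    echo "before revocation: $(cert_status "$work" client1)"
    revoke_client "$work" client1
    echo "after revocation:  $(cert_status "$work" client1)"
    rm -rf "$work"
fi
```

The point of the second gencrl call is the one that is easy to forget in practice: revoking a certificate changes only the CA's database, and a server keeps accepting the client until the regenerated crl.pem is copied to the path named in crl-verify.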

If the mode is left at the wizard default, or at any mode that includes user authentication, a user can be created as follows:

  • Go to System > User Manager.
  • Click "Add user".
  • Fill in the username.
  • Fill in and confirm the password.
  • Click "Create user certificate".
  • Fill in the username again.
  • Select the appropriate certificate authority.
  • Click "Save".

The OpenVPN Client Export package exports configurations formatted for a wide variety of platforms, including a pre-packaged Windows installer executable that bundles the configuration for a smooth client installation.

To install the Client Export package (here while configuring the Debian 9 OpenVPN server):

  1. Go to System > Packages, Available Packages.
  2. Find the Client Export package in the list.
  3. Click "Confirm".
  4. The package is installed and becomes available under VPN > OpenVPN on the "Client Export" tab.
  5. Go to VPN > OpenVPN, Client Export tab.
  6. Select the remote access VPN server (here the OpenVPN DD-WRT server) from the drop-down list.
  7. Set any desired parameters at the top.
  8. Find the user in the list at the bottom of the page and select the type of configuration to export.
  9. Perform the upgrade, after which the VPN setup on the firewall is complete.

The Windows installer is the most common choice, and the inline configuration is best for a current client that is not listed. At the bottom of the Client Export page there are links to the commonly used client software.

Firewall rules for strict control of the traffic inside this VPN can be added under Firewall > Rules on the OpenVPN tab. Connecting clients directly onto the local network is not recommended.

Editing a configuration file

In practical use of the platform it is often necessary to edit the OpenVPN configuration file.

Order of execution:

  • Open the server configuration with vim /etc/openvpn/server.conf and set the following line to the IP address determined from the ifconfig command: push "dhcp-option DNS 10.8.0.1". Delete this line if it exists: #push "dhcp-option DNS 8.8.8.8". The push directive sets a DHCP option that tells the client which server to use as its primary DNS resolver while connected to the VPN.
  • It is assumed to be the only resolver, since it defines the upstream servers. Adding a non-Pi-hole resolver here can hurt ad blocking, but it provides fault tolerance in case the device goes down.
  • Restart the VPN to apply the changes. Depending on the operating system, one of these commands should restart the service: systemctl restart openvpn.
  • Restart the OpenVPN service (Windows 7 server settings).
  • Create a client configuration file (.ovpn).
  • Now that the server is configured, connect clients so they can use the service. This requires a certificate. Create it and obtain the .ovpn file by running the installer and selecting "Add a new user" for each client that will connect to the VPN.
  • You can repeat this process for more clients. In this example, click "Add a new user", naming the .ovpn file after the client's host name, but you can adopt your own naming scheme.
  • Run the installation script: ./openvpn-install.sh.
  • Select "Add a new user" and enter the client name. The script's menu offers:
    • OpenVPN is already installed.
    • Add a new user.
    • Revoke an existing user.
    • Remove OpenVPN.
    • Exit.

It is recommended to use a single word for the name, with no special characters, for example client name: iphone7. This creates an .ovpn file that must be copied to the client machine. The process also generates several other files under /etc/openvpn/easy-rsa/pki/, which make public-key authentication possible.
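Two pieces of this procedure can be automated with a small shell script: editing the push "dhcp-option DNS" line in server.conf so that exactly one resolver is pushed, and assembling the single-file .ovpn profile that the installer produces. The script below is an added example, not openvpn-install.sh or the article's code; the host vpn.example.com, the client name iphone7 and the PEM blobs it writes are placeholders.

```shell
#!/bin/sh
# Added example (not openvpn-install.sh): edit the pushed DNS server in
# server.conf and build an inline client profile.
# Assumptions: vpn.example.com, iphone7 and the PEM contents are placeholders.

# Remove every existing push "dhcp-option DNS ..." line, commented or not,
# and append a single push for the resolver $2 (e.g. the Pi-hole at 10.8.0.1).
set_push_dns() {
    conf=$1; dns=$2
    tmp="$conf.tmp"
    grep -Ev '^[[:space:]]*#?[[:space:]]*push[[:space:]]+"?dhcp-option[[:space:]]+DNS[[:space:]]' \
        "$conf" > "$tmp" || true
    printf 'push "dhcp-option DNS %s"\n' "$dns" >> "$tmp"
    mv "$tmp" "$conf"
}

# Number of active (uncommented) DNS pushes in $1; should be 1 afterwards.
count_push_dns() {
    grep -Ec '^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]' "$1" || true
}

# Print a client profile to stdout. $1 client name, $2 server host,
# $3 CA cert, $4 client cert, $5 client key, $6 tls-auth key.
# The server uses key-direction 0 for tls-auth, so clients use 1.
build_inline_ovpn() {
    name=$1; host=$2; ca=$3; crt=$4; key=$5; ta=$6
    cat <<EOF
# OpenVPN profile for client "$name"
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 3
key-direction 1
EOF
    for pair in "ca:$ca" "cert:$crt" "key:$key" "tls-auth:$ta"; do
        tag=${pair%%:*}; file=${pair#*:}
        echo "<$tag>"; cat "$file"; echo "</$tag>"
    done
}

# Constructed sample server.conf with the two DNS lines the article mentions.
write_sample_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
EOF
}

# Constructed placeholder PEM files (not real keys or certificates).
write_placeholder_pems() {
    for f in ca.crt iphone7.crt; do
        printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n' > "$1/$f"
    done
    printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n' > "$1/iphone7.key"
    printf -- '-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER\n-----END OpenVPN Static key V1-----\n' > "$1/ta.key"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_server_conf "$d/server.conf"
    set_push_dns "$d/server.conf" 10.8.0.1
    echo "--- server.conf after edit ($(count_push_dns "$d/server.conf") DNS push):"
    cat "$d/server.conf"
    write_placeholder_pems "$d"
    echo "--- iphone7.ovpn:"
    build_inline_ovpn iphone7 vpn.example.com "$d/ca.crt" "$d/iphone7.crt" "$d/iphone7.key" "$d/ta.key"
    rm -rf "$d"
fi
```

After `set_push_dns` the service still has to be restarted (systemctl restart openvpn, as above) before clients receive the new option. The profile carries the client's private key, so it should be moved to the device over a channel you trust and deleted from the server afterwards.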

VPN Client in ASUS Router

Many routers support VPN access, so a VPN client can be used to connect to the home network. This is usually wanted by people who do not trust their home Internet service provider or who want to keep personal information private.

Many people configure the ASUS OpenVPN server for safe browsing on questionable networks, for example in a hotel or an Internet cafe. This gives the user what standard VPN servers provide, whether a paid service or a home router. Often a person needs not only to browse through the remote network, but also to use its internal resources.

The best approach for home security is to close all ports on the router and reach the home network only through an encrypted VPN.

ASUS routers support OpenVPN as both client and server. It is better to create users with long random passwords obtained from the GRC password generator.

ASUS routers support two servers, so one can be configured for access to the home network and one for safe browsing:

  • After setting these parameters, export the .ovpn file.
  • Then configure "client" mode and import the .ovpn file.
  • After configuration, it is recommended to close all ports on the router.
  • Once this is done, be sure to scan the router with GRC ShieldsUP.

Creating a server based on Mikrotik

The OpenVPN server can also be configured on a MikroTik router.

In this example a router with external IP 192.168.88.2, internal IP 192.168.89.1 and a pool for OVPN clients of 192.168.87.0/24 is used.

Creation and signing of certificates is performed as follows:

  • When setting up the MikroTik OpenVPN server, several commands are executed one after another. Signing certificates takes time and loads the CPU.
  • Sometimes a "validity period" error message appears while signing the certificates; this is not critical, you just have to wait a little longer.
  • You can see that the router is busy from the CPU usage and the certificate icon. When the certificate is signed, the processor load drops and the "KLAT" flags appear.
  • After signing, proceed to the next certificate.
Next, when setting up the MikroTik OpenVPN server, the exported files are saved on the computer:

  • Sign the public key.
  • Open a command prompt with elevated permissions, go to the folder where the files were saved, and run: "C:\Program Files\OpenVPN\bin\openssl.exe" rsa -in client1.key -out client1.key
  • The program asks for the pass phrase of client1.key; this is the passphrase that was set when exporting the certificates.
  • Next, create a new pool for the OpenVPN server.
To test the server, test.ovpn and auth.cfg are used in addition to the certificates and key. An advantage of using the VPN is that ads can be blocked on the device by the ad-blocking script on the OVPN server.

If you need to delete a user and revoke their certificate, paste the script into the MikroTik terminal window and restore the server configuration.

VPN for home network

Many routers support VPN access. Users configure the Ubuntu OpenVPN server for secure browsing on dubious public networks, which is what standard VPN servers provide, whether a paid service or a home router. There is one more step to take: not only to browse remotely through the network, but also to have access to the internal network.

The best way to protect yourself is to close all ports on the router and access only your home network with an encrypted VPN.

ASUS supports client or server mode. Usually the router is configured only as a VPN server.

First, when setting up the OpenVPN server on Ubuntu, create users with passwords. Choose hard-to-guess names and a long random password.

GRC Password Generator

In the "Advanced Settings" section below are the utilities on the ASUS router for accessing the home network, or for configuring it only for safe browsing.

After setting these parameters, export the .ovpn file. Then configure "client" mode and import the .ovpn file. A VPN message appears at the top of the screen saying that the device is connected. To check the connection, open a web page.

Once connected, you can open the remote desktop application, log in to the Windows NVR and reach the local web page over a secure encrypted connection from any network. It is recommended to close all ports on the router. Once this is done, be sure to scan the router with GRC ShieldsUP.

Configure Full SSL

OpenVPN server configuration on CentOS Linux 7.0 is done to protect browsing activity on public Wi-Fi.

The procedure is as follows:

  1. Update the system: {vivek@centos7:~}$ sudo yum update
  2. Find and note your IP address.
  3. Use the ip command, or dig/host, to find the public IP address from the command line when setting up the OpenVPN server on CentOS 7.
Finding the AWS EC2 or Lightsail NAT IP address from the CLI: most CentOS Linux cloud servers have two kinds of IP address, a public static one assigned directly to the machine and routed from the Internet, and a private static one attached to a server behind NAT. The script detects the network setting automatically; all you have to do is provide the correct IP address when asked.

Next, to configure the Linux OpenVPN server, download the centos7-vpn.sh script with wget, make it executable with chmod, and run it. You can inspect the script with a text editor such as vim/vi.

Next, copy desktop.ovpn and check the connection from the CLI; after that the Linux desktop system connects automatically when the computer is rebooted, via a script or the openvpn service.

Check the OpenVPN server for errors: {vivek@centos7:~}$ journalctl --identifier openvpn. Then use the cat command to view the firewall rules: {vivek@centos7:~}$ cat /etc/iptables/add-openvpn-rules.sh.
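The journalctl check above is more useful with a little triage. The shell script below is an added example, not part of the article or of the centos7-vpn.sh script: it reads an OpenVPN journal excerpt and counts, per source address, failed TLS handshakes, rejected credentials, certificate verification failures (what a CRL-rejected client produces) and completed connections, flagging addresses that exceed a threshold. The lines in sample_journal are constructed in OpenVPN's usual message format using documentation address ranges.

```shell
#!/bin/sh
# Added example (not the article's or centos7-vpn.sh's code): triage the
# OpenVPN server journal for the failure classes worth looking at first.
# Usage: journalctl --identifier openvpn --since today | summarize_openvpn_log 5

# Read journal lines on stdin; print one line per source address with counts of
# TLS handshake failures (including packets rejected by tls-auth), rejected
# username/password, certificate verification failures and completed
# connections. Addresses with at least $1 failures (default 3) are flagged.
summarize_openvpn_log() {
    limit=${1:-3}
    awk -v limit="$limit" '
        { src = "-" }
        # The first "a.b.c.d:port" on the line is the peer; strip the port.
        match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+/) {
            src = substr($0, RSTART, RLENGTH); sub(/:[0-9]+$/, "", src)
        }
        /TLS Error: TLS handshake failed/ || /cannot locate HMAC/ { tls[src]++; seen[src] = 1 }
        /TLS Auth Error/ || /AUTH_FAILED/                       { auth[src]++; seen[src] = 1 }
        /VERIFY ERROR/                                          { verify[src]++; seen[src] = 1 }
        /Peer Connection Initiated/                             { ok[src]++; seen[src] = 1 }
        END {
            for (s in seen) {
                bad = tls[s] + auth[s] + verify[s]
                printf "%s tls=%d auth=%d verify=%d ok=%d%s\n", s, tls[s], auth[s],
                       verify[s], ok[s], (bad >= limit ? " <-- investigate" : "")
            }
        }' | sort
}

# Constructed journal excerpt in OpenVPN's message format (not real traffic).
sample_journal() {
    cat <<'EOF'
Jan 10 12:00:01 vpn openvpn[812]: 203.0.113.7:51234 TLS Error: TLS handshake failed
Jan 10 12:00:09 vpn openvpn[812]: 203.0.113.7:51240 TLS Error: TLS handshake failed
Jan 10 12:00:15 vpn openvpn[812]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:51244
Jan 10 12:00:21 vpn openvpn[812]: 203.0.113.7:51250 TLS Error: TLS handshake failed
Jan 10 12:01:02 vpn openvpn[812]: 198.51.100.9:44444 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 10 12:02:30 vpn openvpn[812]: 198.51.100.4:40000 VERIFY ERROR: depth=0, error=certificate revoked: CN=iphone7
Jan 10 12:03:00 vpn openvpn[812]: 198.51.100.4:40002 [laptop] Peer Connection Initiated with [AF_INET]198.51.100.4:40002
EOF
}

if [ "${1:-}" = "demo" ]; then
    sample_journal | summarize_openvpn_log 3
fi
```

In the sample, 203.0.113.7 never completes a handshake and one of its packets lacks the tls-auth HMAC, which is the pattern of unsolicited probing rather than a misconfigured client; 198.51.100.4 shows a revoked certificate (iphone7) being tried next to a working one, which is worth a question to the user. Run it with `sh triage.sh demo` to see the summary.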

Installation for Linux Debian

OpenVPN Debian server configuration can be done for different Debian versions. First enter a name for the new device and enable any required additional functions. Scroll down and create login and configuration data for the OpenVPN protocol.

Select the protocol to use: OpenVPN (UDP). UDP is faster than the TCP variant, but in some cases it may cause a download failure. Choose a country: since native protocol connections can be used with only one server, you must choose the country from which to browse. PPTP, L2TP Debian OpenVPN.


'openvpn.ovpn' 'CG_Country.conf', VPN. cd [ ].

:

  • sudo cp CG_XX.conf /etc/openvpn/
  • sudo cp ca.cert /etc/openvpn/
  • sudo cp client.crt /etc/openvpn/
  • sudo cp client.key /etc/openvpn/

sudo apt-get update. cd /etc/openvpn, user:

sudo nano user.txt

(comp-lzo): up /etc/openvpn/update-resolv-conf, down /etc/openvpn/update-resolv-conf. CTRL + O, CTRL + X. sudo nano /etc/default/openvpn. sudo update-rc.d openvpn (""). sudo service openvpn start.

pfSense



Install the latest version of pfSense with a WAN interface and a LAN interface, and connect a client device to the LAN interface. This is needed to reach the webConfigurator and configure pfSense.

The benefits of a modern security standard

OpenVPN offers not only modern security but also high adaptability through third-party software. Commercial providers adopt the protocol and package it into a VPN for their users; an example is PrivateTunnel with its proprietary VPN protection. There are also vendor-neutral OpenVPN clients, such as the SecurePoint SSL VPN Client, available as free, open-source software.

Of all the encryption protocols, OpenVPN can help bypass Deep Packet Inspection (DPI), which many countries use. DPI is a monitoring technology that inspects the traffic passing through it in real time, and OpenVPN traffic can be adapted to hide from it. The other major protocols, including PPTP, L2TP and SSTP, belong to Internet giants such as Microsoft and Cisco.

OpenVPN wins with open-source code that is freely available for modification and development, and with community support. The full source code of the latest version, OpenVPN 2.4.4, released in September 2017, is available for download.
