
Set up your own SSL VPN (OpenVPN)

There are several situations in which we need to encrypt our IP communications over the Internet.

For example, to access corporate resources from outside the company, to browse anonymously, etc.

There are many types of VPNs (SSL, IPsec, PPTP, etc.) and many solutions, most of them paid. In this post we will show how to set up our own SSL VPN from scratch, for free, using OpenVPN.

The advantage OpenVPN has over other solutions is that it does not require specific appliances such as a firewall: it can be easily installed on any UNIX server, and it also has a free license for up to 2 simultaneous connections.

The key element of an OpenVPN VPN is the access server. This access server can be installed on any on-premise UNIX server (RedHat, CentOS, Debian, etc.) or deployed in cloud or virtualized environments (AWS, Azure, ESXi).

Here are a couple of topologies:

  • A) Using OpenVPN to browse the Internet anonymously and securely

In this example, the client has a public IP Y.Y.Y.Y. It establishes a VPN tunnel against the Access Server, so all communications from IP Y.Y.Y.Y to IP X.X.X.X are encrypted. After the tunnel is established, the client browses the Internet anonymously from IP X.X.X.X and nobody will be able to spy on his Internet traffic (recommended in public wifi areas, for example).

  • B) Using OpenVPN to access corporate resources

In this example, the user can access corporate resources through the VPN tunnel. This way nobody can spy on the corporate information or perform a MiTM (man in the middle) attack.

In order to write this post we have set up 2 CentOS virtual machines simulating scenario 2 with the following IP addresses:

In this sample scenario, before the VPN is established, the user is only able to reach IPs on network 192.168.125.0/24. After the VPN is established he can access his corporate resources on the 192.168.1.0/24 network.

1. Prepare the access server

Before installing the OpenVPN access server on our CentOS server, we need to add the following firewall rules.

If the topology is A) (the server has only one interface) we should add these rules:

If the topology is B) (the server has 2 interfaces) we should add these rules:

NOTE: We must assign the interface published on the Internet to the external zone of the firewall and the other interface to the internal zone. We can use these commands:
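The zone assignment and port rules for both topologies, as an added shell example that is not the post's own rule set. It assumes CentOS 7 with firewalld, the Access Server default ports (TCP 443 and UDP 1194 for the tunnel, TCP 943 for the web portals) and interface names supplied by the caller; with DRY_RUN=1 it only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not the post's own rules: firewalld commands for the two
# topologies. Assumptions: CentOS 7 with firewalld; OpenVPN Access Server
# defaults of TCP 443 and UDP 1194 for the tunnel and TCP 943 for the web
# portals; interface names are passed in. With DRY_RUN=1 the commands are
# printed instead of executed so the script can be reviewed first.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Expose only the VPN and portal ports on the Internet-facing zone.
open_vpn_ports() {
    for p in 443/tcp 943/tcp 1194/udp; do
        run firewall-cmd --permanent --zone=external --add-port="$p"
    done
}

# Topology A: one NIC. VPN clients leave toward the Internet with the
# server's public address, so masquerading is enabled on that zone.
# Usage: openvpn_firewall_a <public_iface>
openvpn_firewall_a() {
    run firewall-cmd --permanent --zone=external --change-interface="$1"
    open_vpn_ports
    run firewall-cmd --permanent --zone=external --add-masquerade
    run firewall-cmd --reload
}

# Topology B: two NICs. The public one goes to the external zone and the
# corporate one to the internal zone, so nothing listening on the LAN side
# is exposed to the Internet; masquerading still covers clients whose
# Internet traffic is routed through the VPN (see "VPN settings").
# Usage: openvpn_firewall_b <public_iface> <corporate_iface>
openvpn_firewall_b() {
    run firewall-cmd --permanent --zone=external --change-interface="$1"
    run firewall-cmd --permanent --zone=internal --change-interface="$2"
    open_vpn_ports
    run firewall-cmd --permanent --zone=external --add-masquerade
    run firewall-cmd --reload
}
```

Run `DRY_RUN=1 openvpn_firewall_b eth0 eth1` first and compare the printed rules with your own zone policy before running it for real.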


2. Install OpenVPN Access Server software

First we must download and install the package. All the downloads can be found at the following link.

We should see something like this: the URL to access the web interface of our OpenVPN server.

After that, we must change the password of the user ‘openvpn’:

Now we should try to access the web administration portal (https://192.168.1.135:943/admin)

3. Configure OpenVPN Access Server

+ Manage interfaces

The first thing we should do is modify the interface on which the server publishes the web portal (client/admin) and the interface on which the server listens for VPN connections. Configuration > Server Network Settings:

+ VPN settings

Go to Configuration > VPN settings. Here you can choose which IPs are assigned to the clients connected to the VPN. You can also choose which private networks are reachable by all VPN clients.

In addition, you can choose whether VPN clients will use the access server as their default gateway (all Internet traffic will go through the VPN) or whether only traffic toward the allowed networks will pass through the VPN:

+ Manage users

You can use LDAP authentication or enable local users. In order to create a new local user, you must create it on the access server:

Go to User Management > User Permissions and add the new user. If this user is only a VPN client and doesn’t need admin privileges over the access server, you must uncheck the ‘admin’ option:

In this section you can restrict which private networks are accessible to that particular user, in case we chose not to route all of the user's Internet traffic through the VPN (see “VPN settings”).

Therefore, if in “VPN settings” we have not checked the option “Should client Internet traffic be routed through the VPN?”, only routes for the allowed networks will be created on the VPN clients.

Here is an example where we only allow VPN clients to connect to the 192.168.1.0/24 and 192.168.125.0/24 networks. Only routes to those networks will be created:

+ Installing OpenVPN client software

In order to install the OpenVPN client software on Windows and macOS, users only have to connect to the OpenVPN access server (not the admin panel) at https://<server_IP>:943. They will then see something like this, from where they can download the software preconfigured to connect to our access server:

Linux users must first install openvpn:

After that they must download their connection profile from the access server (see picture above). This profile is a config file with the .ovpn extension.

Finally, to launch the VPN, users must execute the following command:

After this, a username and password will be requested:

After a successful connection you should see something like this:

NOTE: If you want to launch the VPN without having to enter credentials (for example from a script), you can create a .txt file whose first line is the username and whose second line is the password. Save that file in the same location as the connection profile (.ovpn) and then execute the following command:

With the above simple steps you will have configured your own access server and your own SSL VPN connection.
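The two-line credentials file and the non-interactive launch described in the note above, as an added shell example that is not from the post. The file names client.ovpn and auth.txt are assumptions; the file is written with owner-only permissions (OpenVPN warns when it is group- or world-readable) and is handed to the client with its --auth-user-pass option, which reads exactly that username/password layout.

```shell
#!/bin/sh
# Added example (not from the post): create the credentials file the note
# describes and start the tunnel without an interactive prompt.
# Assumptions: profile and file names are placeholders; username and
# password are passed as arguments (read them from a secret store or the
# environment so they do not end up in shell history).

# Usage: write_auth_file <path> <username> <password>
write_auth_file() {
    auth_file="$1"; user="$2"; pass="$3"
    nl='
'
    # OpenVPN reads one value per line, so a newline inside either value
    # would silently shift the password onto the wrong line.
    case "$user$pass" in
        *"$nl"*) echo "username/password must not contain newlines" >&2; return 1 ;;
    esac
    # Remove any stale copy so the new mode applies, then create the file
    # as mode 0600 before any secret is written into it.
    rm -f "$auth_file"
    ( umask 077 && printf '%s\n%s\n' "$user" "$pass" > "$auth_file" )
}

# Usage: auth_file_ok <path>
# Returns 0 only when the file has exactly two lines and is owner-only.
auth_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(wc -l < "$f" | tr -d ' ')" -eq 2 ] || return 1
    [ "$(stat -c %a "$f")" = "600" ] || return 1   # GNU stat, as on CentOS
}

# Usage: start_vpn <profile.ovpn> <auth.txt>
# --auth-user-pass <file> makes OpenVPN take the username from line 1 and
# the password from line 2 instead of prompting.
start_vpn() {
    auth_file_ok "$2" || { echo "refusing to use $2: fix its contents/permissions" >&2; return 1; }
    openvpn --config "$1" --auth-user-pass "$2"
}
```

Example use on the client: `write_auth_file ./auth.txt alice "$VPN_PASS" && sudo start_vpn ./client.ovpn ./auth.txt`.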

4 Comments

  1. Kike, 22 February, 2018

    Dear Carlos,

    Great blog and great post. I have just read it and I believe that it will be useful to many people.

    Thanks for your job

    Kike

    • Carlos Martin, 24 February, 2018

      Hi Kike,

      Thanks for your comment! 🙂

  2. Jos April, 25 February, 2018

    This information is very useful. Thanks for sharing and explaining it so well.

  3. Paulie, 24 March, 2019

    Can we do this on an Android platform by executing those alternative commands, and/or what are the things we need to do?
