GUIDE

How to roll your own OpenVPN server on a VPS (pt2)

Part 2 – advanced

In Part 1 of this two-part guide on setting up OpenVPN on a CentOS 6 VPS, we looked at why you might want to do this, and the pros and cons of doing so. We also provided step-by-step instructions for installing the OpenVPN Access Server software on your VPS, and for creating a simple VPN connection using the OpenVPN Connect client.

In Part 2 (advanced) we will explore how to improve security by changing the cipher used, how to build a self-signed OpenVPN CA certificate, how to create an OpenVPN .ovpn configuration file so that any OpenVPN client can be used to connect to your server, and how to add additional users.

For these tutorials we have chosen to use OpenVPN Access Server software, which is distinct from OpenVPN Server. OpenVPN Access Server is designed to be more user-friendly than OpenVPN Server, and allows you to perform many otherwise complex tasks using a simple GUI. The only real downside is that a licence must be purchased for more than two users (starting at $9.60/year per Client Connection). However, as this tutorial is aimed at the home user building a personal DIY remote OpenVPN server, we do not consider this a major drawback.

Changing the encryption cipher

This is easy! By default OpenVPN uses 128-bit Blowfish in Cipher-Block Chaining mode (BF-CBC). While more than sufficient for most purposes, weaknesses in it exist that have led even the Blowfish cipher’s creator, Bruce Schneier, to recommend that users choose a more secure alternative.

As we have discussed before, we would love to see commercial VPN providers move away from NIST created and/or certified encryption algorithms, but unfortunately at this point OpenVPN does not support our favorite options – Twofish and Threefish. Most commercial providers have instead switched to 256-bit AES as standard, as this is the cipher used by the US government to encrypt sensitive information.

1. Open your OpenVPN Access Server Admin UI (at the Admin UI address discussed in Part 1 of this guide), then go to the ‘Advanced VPN’ page.

[Screenshot: Advanced settings]

2. Scroll down to ‘Additional OpenVPN Config Directives (Advanced)’, and add the following line to both the ‘Server Config Directives’ and ‘Client Config Directives’ boxes:

cipher <ciphername>

e.g. cipher AES-256-CBC

[Screenshot: Advanced VPN settings]

Hit ‘Save changes’.

Then ‘Update Running Server’ when prompted.

[Screenshot: Update Running Server prompt]

OpenVPN supports the following ciphers:

DES-CBC (Data Encryption Standard – 56-bit key, now considered insecure)
DES-EDE3-CBC (also Triple DES or 3DES – increases key size of DES)
BF-CBC (Blowfish)
AES-128-CBC (Advanced Encryption Standard)
AES-192-CBC
AES-256-CBC
Camellia-128-CBC (Camellia)
Camellia-192-CBC
Camellia-256-CBC

How to build an OpenVPN certificate

OpenVPN Connect makes life easy by creating a valid CA certificate for you, so you do not need to do this yourself. However, if you would like to create your own self-signed certificate, follow the steps below (you can also follow Steps 1 and 2 to create a certificate signing request (CSR), which can be submitted to a commercial certificate authority (CA) for signing if you wish.)

1. The required SSL libraries should already be installed on your system from when you installed OpenVPN Access Server in Part 1, but you should check by entering the following command:

openssl version


If it is not, install it by entering:

yum install openssl (on a Debian/Ubuntu-based VPS the equivalent is apt-get install openssl), then check again that it is installed as above.

2. It is now time to build the certificate. We will first build a certificate signing request (CSR). This can be submitted to a commercial certificate authority (CA) for signing, but in this tutorial we will convert it into a self-signed CA certificate.

Enter:

openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key

The response will be a number of questions:

Country Name (2 letter code): (letter codes available here)
State or Province Name:
City:
Org Name:
Org Name Unit: (e.g. IT support)
Common Name: (exact name of domain or DNS name of your VPS)
Email Address:

Plus ‘extra’ attributes –

A challenge password:
An optional company name:


These should be filled in if you plan to submit the CSR to a commercial certificate authority (CA), but for the purpose of this tutorial you can just hit <enter> for each one to leave the fields blank.

3. We should now have two files in your root directory, called server.csr and server.key. We will use these to create a self-signed CA certificate. Type:

cp server.key server.key.org <enter>

openssl rsa -in server.key.org -out server.key <enter> (this rewrites the key without a passphrase; because we used -nodes in Step 2 the key is already unencrypted, so this step only leaves you a backup copy) and

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt <enter>


We should now have 3 files: server.key, server.crt and server.csr (enter ls to see the contents of the current directory).
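Steps 2 and 3 as one non-interactive script, added here as an example and not taken from the guide. It assumes openssl is on the PATH and uses the placeholder Common Name vpn.example.com, and it adds the checks that the Access Server ‘Validate’ button performs later (the key and certificate belong together, the certificate is self-signed, and it has not expired), so the files can be confirmed before they are uploaded.

```shell
#!/bin/sh
# Added example, not part of the original guide: Steps 2 and 3 without the interactive prompts,
# plus the checks the Access Server 'Validate' button makes. Assumes openssl is on the PATH.

# Builds server.key, server.csr and server.crt in $1 for Common Name $2, valid $3 days (default 365).
build_selfsigned_cert() {
  dir=$1; cn=$2; days=${3:-365}
  mkdir -p "$dir" || return 1
  # Step 2: 2048-bit RSA key and CSR. -nodes leaves the key unencrypted;
  # -subj answers the Country/State/.../Common Name questions in one go.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
  # Step 3: sign the CSR with its own key, which is what makes the certificate self-signed.
  openssl x509 -req -days "$days" -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
  chmod 600 "$dir/server.key"   # the private key must not be readable by other users
}

# 0 when the certificate's public key belongs to the private key (compared via the RSA modulus).
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null | openssl md5)
  c=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null | openssl md5)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when issuer and subject are the same name, i.e. the certificate is self-signed.
cert_is_self_signed() {
  i=$(openssl x509 -noout -issuer -in "$1/server.crt" 2>/dev/null | sed 's/^[a-z]*=//')
  s=$(openssl x509 -noout -subject -in "$1/server.crt" 2>/dev/null | sed 's/^[a-z]*=//')
  [ -n "$i" ] && [ "$i" = "$s" ]
}

# Prints the Common Name; handles both the 'CN=host' and 'CN = host' subject formats.
cert_common_name() {
  openssl x509 -noout -subject -in "$1/server.crt" 2>/dev/null \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# 0 when the certificate will still be valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1/server.crt" >/dev/null 2>&1
}

# Usage: placeholder hostname, files written to a fresh temporary directory.
work=$(mktemp -d)
if build_selfsigned_cert "$work" vpn.example.com 365 \
   && key_matches_cert "$work" && cert_is_self_signed "$work"; then
  echo "self-signed certificate for $(cert_common_name "$work") written to $work"
else
  echo "certificate build or check failed" >&2
fi
```

The modulus comparison is the check that catches the most common upload mistake, a server.crt paired with a stale or regenerated server.key; the expiry check is worth re-running before the 365 days are up, since the Access Server web page stops working when the certificate expires.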

Installing the new CA certificate

4. Download these files to your PC using an ftp client (we used the FOSS WinSCP), then install them in OpenVPN Access Server by going to the ‘Web Server’ page (under ‘Configuration’ on left of the page), and Browse to the following files:

  • CA Bundle: server.crt
  • Certificate: server.crt
  • Private Key: server.key

[Screenshot: Installing the CA certificate on the Web Server page]

5. Hit ‘Validate’, then scroll to the top of the page – the ‘Validation Results’ should say ‘self signed certificate’ and display the information you entered in Step 2 above. The certificate is valid for 1 year.

[Screenshot: Validation Results]

6. Now scroll back down to the bottom of the web page and hit ‘Save’, then ‘Update Running Server’ in the ‘Settings Changed’ dialog.

[Screenshot: Update Running Server prompt]

You now have validated your OpenVPN server with a self-signed CA certificate!

Creating an .ovpn file

One of the great things about using OpenVPN Access Server is that it does much of the heavy lifting for you, and one of the most useful things it does is to automatically generate .ovpn OpenVPN configuration files so that any OpenVPN client can connect to your server.

1. Log in to your Client UI address (not the Admin UI). When you see the automatic download screen (below), refresh your browser.

[Screenshot: Client UI login]

2. You will now be offered a selection of download choices. Select ‘Yourself (user-locked profile)’ or ‘Yourself (autologin profile)’ (if available – you need to set this up – see ‘Adding other users’ below).

[Screenshot: Download .ovpn file]

3. Import the downloaded .ovpn file into your OpenVPN client as normal (for the standard Windows OpenVPN client, simply copy the file into the OpenVPN ‘config’ folder). The .ovpn file can be renamed to whatever you like in order to help identify it. Then log in as normal.

[Screenshot: New user autologin]

Adding other users

1. Additional users can be added using the OpenVPN Access Server Admin panel by going to ‘User Permissions.’

[Screenshot: User Permissions]

If you plan to only access your OpenVPN server from a secure location, you can simplify login by selecting ‘Allow Auto-login’.

The basic free OpenVPN Access Server license allows up to 2 client connections. When we set up our VPN server, the option to add a second user was already available. If, however, this option does not appear (or you have purchased a group license and wish to add more users), you will have to add them (up to your license restriction) manually by entering the ‘# adduser’ command in PuTTY (or Terminal etc.). Please refer to this article for more details.

Once you have added a new user you will be prompted to ‘Update Running Server’ (do so).

2. Log in to the Client UI address using the new username and password, and follow the steps outlined in ‘Creating an .ovpn file’ above.

Remember to check out Part 1 of this guide here!


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+



14 responses to “How to roll your own OpenVPN server on a VPS (pt2)”

  1. The default username is openvpn, but you need to enter a command in your PuTTY for you to be able to access it. Here’s the command: passwd openvpn

    Then you need to enter your password and try to access it.

    1. Hi azhure,

      Do you mean when you try to login to the OpenVPN Access Server page? I will need some more info in order to help.

    1. Hi SlamberGamer,

      Hmm… The basic free OpenVPN Connect licence should allow up to 2 client connections. When we set up our VPN server, the option to add a second user was already available.

      It seems, however, that for some reason you will have to add an additional user (up to your license restriction) manually by entering the ‘# adduser’ command in PuTTY (or Terminal etc.). Please refer to this article for more details. I will add this information to the tutorial.

  2. Thanks for such a great tutorial, especially from the first part. Can I use this OpenVPN to connect my Windows Small Business Server 2011 machine to an OpenVPN server installed on a CentOS 6 VPS? I just think it could solve my problem of getting a dedicated public IP address from my internet provider. Is it possible to route traffic from the VPS to my LAN?

      1. Hello. How can I set up this VPN so that it doesn’t leak my DNS? I tried ipleak.net and it shows my real IP/DNS (while connected to the VPN using this setup guide). I tried changing the DNS settings in the Admin UI to a Custom DNS but it did not solve my issue. I still see my original DNS when I visit ipleak.net. Any help would be appreciated, thanks!

        1. Hi elfer

          Connecting to OpenVPN will not change your DNS settings per se (commercial VPN providers also run their own DNS servers and route customers’ connections through these.)

          The simplest solution is to use a third party DNS resolution service (we like the open source OpenNIC on principle, which also allows you choose where the DNS server is located, but OpenDNS or GoogleDNS are more reliable). Bear in mind that running your own VPS VPN server is not super-private anyway, as the VPS is directly traceable to your real IP address.

          If you really do want to run your own DNS server, and route it through your OpenVPN connection, then instructions for setting up a DNS server in CentOS 6.3 – 6.5 can be found here, and instructions for routing the DNS server through the OpenVPN server can be found here. Please note that I have not yet tried this myself yet (so further research may be required), but I may write a how-to about it the future. Thanks for the article idea!

  3. Hi, I have a vserver with 2 IPs, Debian and OpenVPN Access Server. Is there a way to set up 2 users that connect to a different IP each? I don’t see it in the options/Google. I’d love to hear an answer.

    1. Hi Tee,

      I’m afraid that I don’t have a VPS running at the moment to investigate for you. Maybe one of our readers can help?

  4. Not able to download files

    We should now have 3 files: Server.key, Server.crt and Server.csr (enter dir to see the contents of the current directory).

    Installing the new CA certificate

    4. Download these files to your PC using an ftp client (we used the FOSS WinSCP), then install them in OpenVPN Access Server by going to the ‘Web Server’ page (under ‘Configuration’ on left of the page), and Browse to the following files:

    CA Bundle: server.crt
    Certificate: server.crt
    Private Key: server.key

    1. Hi Wael,

      I’m afraid that without more information it is impossible for me to guess where you are going wrong. Have you verified that the openssl libraries are installed, built the cert (as per step 2), and checked that you have the server.csr and server.key files in your root directory?
