July 2, 2019
July 2, 2019
VPN stands for Virtual Private Network. One such open source VPN software is OpenVPN and it can work as a Linux VPN server. At a basic level, a VPN secures connections by creating a point to point secured connection. Using a good VPN for Linux is one of the best ways to remain secure over the Internet or an open network. In this tutorial, we’ll show you how to set up your very own Linux VPN server using OpenVPN. Turn your VPS into an amazing security measure!
VPN comes with certain benefits. Few of these are highlighted below:
At a higher level, a VPN makes your transactions secure by using encryption.
Having showed you the benefits of a VPN, here we will demonstrate how to set up and install OpenVPN software on Linux. We’ll cover the setup of a Linux VPN server using OpenVPN and how to connect it to Windows, Android and other devices. And if you want to learn more about the OpenVPN protocol, I suggest you reading this OpenVPN review.
First, let’s update the system. For CentOS use:
yum -y update
For Ubuntu and Debian update the indexes using:
sudo apt update
To install OpenVPN you will require a net-tools package. Install this if you do not have it preinstalled. The net-tools package contains ifcfg which is needed for OpenVPN server installation.
You can install this for CentOS using:
sudo yum install net-tools
For Ubuntu and Debian, you can use the below command:
sudo apt install net-tools
You can download an OpenVPN client for your distribution from the OpenVPN website. You can get the link from here and use it along with the curl command. A sample curl command for Ubuntu is as shown below:
curl -O http://swupdate.openvpn.org/as/openvpn-as-2.5.2-Debian9.amd_64.deb
For CentOS the curl command will be:
curl -O http://swupdate.openvpn.org/as/openvpn-as-2.7.3-CentOS7.x86_64.rpm
Here you can add the URL to your distribution. To validate that the correct installation is downloaded, print the SHA256 checksum. You can use the below command:
This will print the checksum as shown below:
You can compare this downloaded binary’s checksum with the one provided on the website. If the checksum matches install the previously downloaded binary.
To install in CentOS use:
sudo rpm --install openvpn-as-*.rpm
Similarly, in Ubuntu and Debian you can use the below command in the command line:
sudo dpkg -i openvpn-as-*.deb
This will take some time to install. Once the installation is complete you will be shown the Admin UI and the Client UI details. By default, an openvpn user will be created during this installation. You can set the password for this user using:
This will set your new password. Remember the password since it will be used to log in. Use the admin URL to login and finish the installation process. In our case, the admin URL is – https://126.96.36.199:943/admin. Normally the URL is simply your VPS address, the :943 port with /admin at the end, as in the example.
You will be able to see a screen as shown below:
The username – as mentioned before – is openvpn and the password is the one you just set for this user. Once you login you will be able to see a Terms and Conditions page. Read it and press the Agree button to proceed. The next page will provide you with configuration details and indicate that the server is status.
The default settings are good enough and can allow MacOS, Linux, Windows, Android, and iOS to connect to the Linux VPN server. In case you want to change any settings, make sure to click Apply and Update Running Server to enable the changes.
This completes the default installation. Next, we will set up the OpenVPN tunnel.
Enable IP forwarding in your kernel by using the below command:
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.d/99-sysctl.conf
This enables traffic forwarding over IPv4. To apply these changes, use the below command:
sudo sysctl -p
OpenVPN does not support simultaneous tunnels over IPv6 and IPv4, so you can disable IPv6 using:
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
To disable IPv6 manually, add the below parameters to be set on boot. These parameters should be added to the 99-sysctl.conf file located at /etc/sysctl.d/. Simply use the cd command to access the folder, and use your preferred text editor to edit the file. Remember to save the changes made!
net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 net.ipv6.conf.eth0.disable_ipv6 = 1
Next, you can activate the new settings by using:
Next, in the file hosts located at /etc/ comment the IPv6 resolution line as shown below:
#::1 localhost ip6-localhost ip6-loopback
With this, we have disabled IPv6. Next login again to the Admin server URL and go to the VPN settings.
In the Routing section, the option Should VPN clients have access to private subnets (non-public networks on the server side)? should be set as No:
The option Should client Internet traffic be routed through the VPN? should be set to Yes.
To avoid any DNS leak, alter the DNS resolver settings. Select the Have clients to use the same DNS servers as the Access Server host
Save these settings and don’t forget to click Update Running Server. You can restart the OpenVPN server by using the Status tab from the Admin console. From here, you can stop the server and then start it again.
This completes our set up for OpenVPN server. Next, we can check the client installations.
Now that your server is up and running, we can connect some devices to it! We’ll cover the most popular operating system options:
Open the OpenVPN client URL, you will be able shown links to client downloads for different operating systems.
Choose the Windows version and run the installation.
Once the installation is complete, you will be prompted for the OpenVPN username and password. The server IP will be auto-populated.
You can use the OpenVPN icon from your Windows taskbar to disconnect, reconnect and view connection status.
Connect to the OpenVPN Client UI and click the link to download the OpenVPN software for MacOS. Once this package is downloaded, a window will open with the installer package icon.
Follow the standard procedure of MacOS application installation.
Double click on this installer icon and click Open to run the installation.
Once the installation is complete, you will be able to see the OpenVPN icon on your macOS taskbar. You can right click on this icon to see the different options. From here you can connect to OpenVPN.
Once you click the Connect to option, you will see a popup prompting for the OpenVPN username and password. Here you should enter the credentials and click on Connect to establish the Linux VPN server connection.
The client installation for Linux is slightly different. Download and install the OpenVPN client software on CentOS using the below command:
sudo yum install OpenVPN
Similarly, you can install the OpenVPN client software on Debian or Ubuntu using the below command:
sudo apt-get install openvpn
Open the OpenVPN client UI and download the appropriate profile for your OS. Alternatively, you can use wget or curl command and provide the URL to download the software.
Copy the downloaded profile to location /etc/openvpn and rename it to client.conf. You can start the OpenVPN Tunnel service where you will be prompted for the username and password. You can start the operation by using:
sudo service openvpn start
You can use ipconfig or ip addr to view the network connections. Once the VPN interface is available, you will see a tun0 interface added to the existing list shown in the output.
First, go to the Google Play store and search for OpenVPN Connect. Install the OpenVPN Connect app.
Once opened, it will display three options – Private Tunnel, Access Server, and OVPN Profile.
Select Access Server and fill in all the details manually:
Or alternatively, you can import the .ovpn file for the profile. You can get the connection profile from the client UI.
Similar to Android devices you can install OpenVPN software from the App Store.
Complete the installation and open the newly installed app. It will ask you to fill in the profile information, or upload the profile file same as the Android version.
Once they are added, you can start using OpenVPN on your iPhone or iPad.
In case you are connected to the VPN and are not able to browse the Internet, you can check the OpenVPN logs at /var/log/openvpnas.log in your VPS. In case you find entries similar to the one shown below, you’re most likely experiencing compression issues:
2019-03-23 18:24:05+0800 [-] OVPN 11 OUT: 'Mon Mar 23 08:59:05 2016 guest/188.8.131.52:55385 Bad compression stub decompression header byte: 251'
To resolve this, you can disable compression. This can be done from the Admin UI. Open the Admin UI and click Advanced VPN.
Go to Default Compression Settings. Here turn off the option Support compression on client VPN connections.
Apply the changes, and click on the Update Running Server option. The issue should be solved.
The free OpenVPN client supports two users. To create more users, you would need to select any of the paid plans. You can add additional users from the admin UI. Navigate to the User Management tab, and click the User Permissions link.
Enter the new username as shown below:
For this new user configure additional settings by clicking the More Settings link. Here you can provide the password and other details.
Save these settings and click on Update Running Server option.
With OpenVPN, you can also configure auto-login profiles. This will cause all your non-local traffic to be routed via a VPN automatically. In case you want to manually enable or disable the VPN you can use User or Server locked profiles.
To set the auto-login, open the Admin UI, then select the User Permissions link. Here you can select the checkbox for Allow Auto-login.
To test if OpenVPN works as expected, connect the VPN client and check your IP address. You can use the DNS leak test website from the browser. It should show you the OpenVPN server’s IPv4 address.
Next, you can choose Extended test. The test should output the IPs for the DNS resolver you chose for your client device.
You can also confirm the traffic is not using IPv6. To check this, you can use the IPv6 test website. This should again display the server IP and will show a message stating that no IPv6 address was detected.
In this tutorial, you learned how to set up a Linux VPN server running OpenVPN and how to connect it using various clients like Windows, Linux, Android, iPhone or iPad, and MacOS.
Now that you know all the basic ins and outs, you can browse the internet safely with your brand new Linux VPN server. To learn more you can read through the official manual of OpenVPN, that can be found in the admin UI. This completes your first ever server-client OpenVPN configuration. Go ahead and enjoy secure browsing using OpenVPN.