Configure OpenVPN

From Organic Design wiki
Revision as of 18:04, 24 March 2022 by Nad (talk | contribs) (Setting up Linux clients)

We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ProtonVPN, Mozilla VPN or RiseupVPN, but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.

We currently use OpenVPN for our VPN server software. One big advantage of OpenVPN is that it has a method of generating client .ovpn files which most VPN client software supports making it very easy for end users to connect with. In fact the Gnome desktop network manager has optional support for configuring VPNs directly from the desktop that expects a .ovpn configuration file allowing clients to access an OpenVPN server in literally seconds, and to then simply switch it on or off any time they like from the comfort of their desktop.

We may at some point change over to WireGuard because it's much more modern and efficient. But currently it is much more difficult for users to get up and running which is why we're sticking to OpenVPN for now. It looks like it won't be long before the Linux kernel and Network Manager will support WireGuard making at as simple to use from the user's perspective as OpenVPN at which point we'll likely change over.

OpenVPN involves a pretty long installation procedure, but there are some good helper scripts around such as Angristan's OpenVPN-install script. Big thanks to Angristan for this, because it really does make a super complicated procedure unbelievably painless!

Setting up the server

Skip this section if you're just setting up a client!

Simply download and run Angristan's installer script!

wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
sudo openvpn-install.sh

Stick with the defaults for everything, except in our case we use local Unbound for our chosen DNS server. It really is as simple as that, after the script finished OpenVPN will be running, and you'll be given the location of an .ovpn file that includes all the information necessary for a client to connect to your VPN server.

Setting up Linux clients

Each client needs to have their own certificate files generated by the server. The server administrator simply needs to run Angristan's installer script again and it will present an option for creating a new client which leads to a new client-specific .ovpn file.

On Linux machines running the Gnome desktop, installation is very simple, but you may need to first install some necessary packages, check if you see OpenVPN listed in the VPN section of the network manager settings applet.

Add-vpn.jpg

We'll be using the "import from file" option, but first you'll need to install the packages as follows if you don't see the OpenVPN option as shown above. If you see OpenVPN available, skip the following commands.

sudo apt-get install openvpn network-manager-openvpn network-manager-openvpn-gnome
sudo service networking restart


Click the "+" to the right of the VPN section in the network manager and then select "import from file", as shown in the image above. Browse for you .ovpn file that was given to you by the server administrator.

You will then see the VPN form open with the gateway and certificates already filled out as shown below.

Ovpn-filled.jpg


Click "Add" and then you'll see your VPN in the list where it can be simply switched on or off at any time.

Ovpn-ready.jpg


After turning on the VPN, you can go to whatsmyip.org and iplocation.net in your browser to ensure that it's working as expected.

If you have a number of VPN clients you can scan the virtual subnet to see which IPs are currently connected. This is a lot slower than a normal subnet scan so it's best to use a larger netmask so that only the first few IPs are scanned, for example here we scan for the first 16 hosts. Remember to double check your local subnet address with ifconfig first.

sudo nmap -sP 10.8.0.0/28
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-24 12:56 -03
Nmap scan report for 10.8.0.1 (10.8.0.1)
Host is up (0.23s latency).
Nmap scan report for 10.8.0.3 (10.8.0.3)
Host is up (0.46s latency).
Nmap scan report for 10.8.0.2 (10.8.0.2)
Host is up.
Nmap done: 16 IP addresses (3 hosts up) scanned in 6.39 seconds

See also