Setup a VPN
Debian 11 (bullseye)
As always, start with:
Install openvpn
sudo apt install openvpn
Testing
We'll build a raw (unencrypted and unauthenticated) connection for testing. Without a secret or TLS, OpenVPN sends the tunnelled packets in the clear over UDP port 1194 (its default), and any host that can reach that port can bring up the peer side, so don't leave this running once the test is done.
Note that this is not a persistent setup. Hitting Ctrl-C in the terminal where you started openvpn will destroy the VPN tunnel.
Configure as a server
sudo openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2
in a second terminal:
ip a
& you should see a tun1 entry like:
9: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.9.8.1 peer 10.9.8.2/32 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::dc71:3707:693c:5017/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
Configure as a client
sudo openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2 10.9.8.1
(Where SERVER_IP is the IP address or name of the machine acting as the server...)
in a second terminal:
ip a
& you should see a tun1 entry like:
3: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.9.8.2 peer 10.9.8.1/32 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::4c39:d598:21b8:2b41/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
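Looking at `ip a` by eye tells you the device exists, not that packets actually cross it. The script below is an added example (not from the original page): it parses the one-line `ip -4 -o addr show dev DEV` output to confirm the local/peer pair, then pings the peer with the ping bound to the tun device, so a reply cannot sneak back over the LAN. The device name and the 10.9.8.x addresses are the ones used on this page; the script name and its argument order are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added check, not from the original page: confirm that a point-to-point tun
# device came up with the expected local/peer addresses, then ping the peer
# through it. Device and addresses are arguments; 10.9.8.1/10.9.8.2 come from
# the page, everything else here is an assumption of this example.
set -eu

# parse_tun LINE: from one line of `ip -4 -o addr show dev DEV` output, print
# "LOCAL PEER"; prints nothing if the line carries no peer address.
# A real line looks like:
#   9: tun1    inet 10.9.8.1 peer 10.9.8.2/32 scope global tun1\       valid_lft forever ...
parse_tun() {
  printf '%s\n' "$1" | awk '
    { for (i = 1; i <= NF; i++)
        if ($i == "inet" && $(i+2) == "peer") { split($(i+3), p, "/"); print $(i+1), p[1]; exit } }'
}

# tun_matches DEV LOCAL PEER: succeeds only if DEV carries LOCAL with peer PEER.
tun_matches() {
  got=$(parse_tun "$(ip -4 -o addr show dev "$1" 2>/dev/null || true)")
  [ "$got" = "$2 $3" ]
}

# verify_tunnel DEV LOCAL PEER: address check, then three pings bound to DEV so
# a reply can only arrive through the tunnel, not via some other route.
verify_tunnel() {
  if ! tun_matches "$1" "$2" "$3"; then
    echo "FAIL: $1 does not carry $2 -> $3 (is openvpn still running on both sides?)" >&2
    return 1
  fi
  if ping -c 3 -W 2 -I "$1" "$3" >/dev/null; then
    echo "OK: $1 is up and $3 answers through it"
  else
    echo "FAIL: $1 is configured but $3 does not answer" >&2
    return 1
  fi
}

# Server side: ./tuncheck.sh tun1 10.9.8.1 10.9.8.2
# Client side: ./tuncheck.sh tun1 10.9.8.2 10.9.8.1
if [ $# -eq 3 ]; then
  verify_tunnel "$1" "$2" "$3"
fi
```

While the raw tunnel is up, a capture on the physical interface (for example `sudo tcpdump -ni eth0 udp port 1194 -X`, with your interface name in place of eth0) shows the ping payload in clear text, which is the reason the next section exists.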
Securing your VPN
Handling it locally (Static-Key)
A static key is a single pre-shared secret that both ends use for encryption and packet authentication. It is simple (no certificates to manage), but it gives no forward secrecy: anyone who has recorded the traffic and later obtains the key can decrypt all of it, and whoever holds the key can connect. It suits one server/client pair, not a fleet of clients.
In the server's /etc/openvpn directory, run the following command to generate a static key:
sudo openvpn --genkey --secret static.key
Copy this static key to the client's /etc/openvpn directory using a secure channel like scp or sftp (never e-mail or plain HTTP):
sudo scp static.key USER@VPNclient:~
Then, on the client, move it into place. The copy in USER's home directory is owned by USER, so make sure the file in /etc/openvpn ends up owned by root with mode 0600, otherwise any process running as USER can read the shared secret:
sudo mv ~/static.key /etc/openvpn/static.key
On the server, create a new /etc/openvpn/tun0.conf file:
sudo vi /etc/openvpn/tun0.conf
and add the following:
dev tun0
ifconfig 10.9.8.1 10.9.8.2
secret /etc/openvpn/static.key
On the client, create a new /etc/openvpn/tun0.conf file:
sudo vi /etc/openvpn/tun0.conf
and add the following:
remote SERVER_IP
dev tun0
ifconfig 10.9.8.2 10.9.8.1
secret /etc/openvpn/static.key
Start OpenVPN by hand on both sides with the following command (verbosity 6 is noisy but shows the key and cipher negotiation while you debug; drop back to 3 once it works):
sudo openvpn --config /etc/openvpn/tun0.conf --verb 6
You should now see tun devices on both machines (like in the Testing section above):
ip a
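The minimal three-line configs above work, but they leave OpenVPN on its legacy defaults (BF-CBC, SHA1 HMAC, running as root for its whole life). The script below is an added example, not code from the original page: it installs the key root-only and writes a tun0.conf for either side with an explicit cipher and HMAC, per-direction key usage, keepalives and privilege drop. Addresses and paths are the page's; the extra directives, the script name and its arguments are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added helper, not from the original page: install the shared static key with
# root-only permissions and write a hardened tun0.conf for either side.
# Addresses and paths follow the page; the cipher/auth/keepalive/privilege-drop
# directives and the per-direction key usage are additions of this example.
set -eu

KEY=/etc/openvpn/static.key
PORT=1194   # OpenVPN's default UDP port, made explicit so it is visible in the config

# install_key SRC DEST: copy the key with mode 0600, owned by whoever runs this
# (root under sudo). The copy scp left in USER's home belongs to USER and would
# stay that way after a plain mv, so any process of that user could read it.
install_key() {
  install -m 0600 "$1" "$2"
  [ "$(stat -c %a "$2")" = 600 ]
}

# write_conf ROLE FILE [SERVER_IP] [KEYFILE]: ROLE is "server" or "client".
write_conf() {
  role=$1 file=$2 server_ip=${3:-} keyfile=${4:-$KEY}
  {
    echo "# static-key $role config (generated)"
    echo "dev tun0"
    echo "proto udp"
    if [ "$role" = server ]; then
      echo "port $PORT"
      echo "ifconfig 10.9.8.1 10.9.8.2"
      echo "secret $keyfile 0"        # direction 0 here, 1 on the client: separate keys per direction
    else
      echo "remote $server_ip $PORT"
      echo "nobind"
      echo "ifconfig 10.9.8.2 10.9.8.1"
      echo "secret $keyfile 1"
    fi
    echo "cipher AES-256-CBC"         # static-key mode cannot use AEAD ciphers; don't rely on the BF-CBC default
    echo "auth SHA256"                # HMAC for packet authentication instead of the SHA1 default
    echo "keepalive 10 60"            # ping every 10s, restart the tunnel after 60s of silence
    echo "persist-key"                # keep the key across restarts after privileges are dropped
    echo "persist-tun"
    echo "user nobody"
    echo "group nogroup"
    echo "verb 3"
  } > "$file"
}

# conf_has FILE DIRECTIVE: succeeds if FILE contains exactly that directive line.
conf_has() { grep -qxF "$2" "$1"; }

# Server:  sudo ./static-setup.sh server
# Client:  sudo ./static-setup.sh client SERVER_IP /home/USER/static.key
# Without arguments the script only defines the functions above.
case "${1:-}" in
  server)
    if [ ! -f "$KEY" ]; then
      openvpn --genkey --secret "$KEY"   # --genkey already creates the file with mode 0600
    fi
    write_conf server /etc/openvpn/tun0.conf ;;
  client)
    install_key "${3:?usage: client SERVER_IP KEYPATH}" "$KEY" && rm -f "$3"
    write_conf client /etc/openvpn/tun0.conf "${2:?usage: client SERVER_IP KEYPATH}" ;;
esac
```

Both sides must use the same cipher and auth settings, since static-key mode does not negotiate them. The `secret FILE 0` / `secret FILE 1` pair makes each direction use its own encryption and HMAC keys out of the generated file instead of one shared set.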
TLS-enabled
WERKIN ON IT
Using a Commercial VPN Service
PIA
WERKIN ON IT
NordVPN
WERKIN ON IT
Starting the VPN on Boot
Server
sudo vi /etc/openvpn/server/server.conf
WERKIN ON IT
& create the status log file (the directory is root-owned, so this needs sudo):
sudo touch /var/log/openvpn/openvpn-status.log
Enable the instance at boot and start it now. Debian's openvpn package runs /etc/openvpn/server/NAME.conf as the openvpn-server@NAME unit; `service openvpn restart` only manages the legacy /etc/openvpn/*.conf instances and would not start this one:
sudo systemctl daemon-reload
sudo systemctl enable --now openvpn-server@server
Client
sudo vi /etc/openvpn/client/client.conf
WERKIN ON IT
Enable the instance at boot and start it now (/etc/openvpn/client/NAME.conf is run as openvpn-client@NAME):
sudo systemctl daemon-reload
sudo systemctl enable --now openvpn-client@client
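Which unit to enable depends only on where the config lives, and getting it wrong fails silently (the legacy unit starts nothing and reports success). The script below is an added example, not from the original page: it maps a config path to the Debian unit name, creates the status file, enables the unit and checks that it is actually running, printing the last journal lines if it is not. The unit names are those shipped by Debian's openvpn package; the script name and the 0640 mode on the status file are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added helper, not from the original page: pick the right systemd unit for a
# config under /etc/openvpn and enable it at boot. Debian's openvpn package
# ships openvpn@.service (for /etc/openvpn/NAME.conf), openvpn-server@.service
# (for /etc/openvpn/server/NAME.conf) and openvpn-client@.service (for
# /etc/openvpn/client/NAME.conf); `service openvpn restart` does not touch the
# server/client instances.
set -eu

# unit_for_conf PATH: print the unit name for a config path; fail on any other path.
unit_for_conf() {
  path=$1
  name=$(basename "$path" .conf)
  case "$path" in
    /etc/openvpn/server/*.conf) echo "openvpn-server@$name.service" ;;
    /etc/openvpn/client/*.conf) echo "openvpn-client@$name.service" ;;
    /etc/openvpn/*.conf)        echo "openvpn@$name.service" ;;
    *) echo "not an /etc/openvpn config: $path" >&2; return 1 ;;
  esac
}

# ensure_status_log FILE: create the file a `status FILE` directive will write
# to. Mode 0640 (assumed here) keeps the list of connected peers and their real
# addresses away from other local users.
ensure_status_log() {
  f=$1
  mkdir -p "$(dirname "$f")"
  [ -e "$f" ] || : > "$f"
  chmod 0640 "$f"
}

# enable_vpn PATH: enable the matching unit at boot, start it now and confirm
# it stayed up; on failure show the tail of its journal instead of guessing.
enable_vpn() {
  unit=$(unit_for_conf "$1")
  systemctl daemon-reload
  systemctl enable --now "$unit"
  if systemctl is-active --quiet "$unit"; then
    echo "$unit is active"
  else
    journalctl -u "$unit" -n 20 --no-pager >&2
    return 1
  fi
}

# Usage: sudo ./vpn-enable.sh /etc/openvpn/server/server.conf
#        sudo ./vpn-enable.sh /etc/openvpn/client/client.conf
if [ $# -eq 1 ]; then
  ensure_status_log /var/log/openvpn/openvpn-status.log
  enable_vpn "$1"
fi
```

Because the `case` patterns are tried in order, the server/ and client/ directories are matched before the catch-all /etc/openvpn/*.conf, which would otherwise swallow them.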