Hey there, fellow network explorer! 🧑‍🚀 Ready to embark on a journey to set up your very own VPN server using OpenVPN? Buckle up, because we're about to make your internet travels safe, secure, and super cool. 🌟

🚀 Mission Objective

Goal: Install and configure an OpenVPN server on a VM (Ubuntu in our case) and connect a client (Kali Linux) to it. We'll secure the connection, route all traffic through the VPN, and make sure everything is working perfectly!

Tools You’ll Need:

🐧 Ubuntu VM (for the server)

🐉 Kali Linux VM (for the client)

💻 OpenVPN (our hero of the day!)

Step 1: Prepping the Ubuntu Server 🛠️

First things first, we need to get our Ubuntu server ready for action.

1.1 Install OpenVPN and Easy-RSA

Fire up your Ubuntu server and let’s get the OpenVPN engine running:

sudo apt update

sudo apt install openvpn easy-rsa -y

1.2 Create the PKI Directory

Let's build our Public Key Infrastructure (PKI) like a pro:

make-cadir ~/openvpn-ca

cd ~/openvpn-ca

Step 2: Generating Keys & Certificates 🗝️🔐

No VPN setup is complete without some secure keys and certificates.

2.1 Set Up Easy-RSA Variables

Now, we'll set up the Easy-RSA variables:

nano vars

Modify the fields like your country, organization, etc. Save and exit.

2.2 Build the CA

Time to build the Certificate Authority (CA) that will sign our certificates:

./easyrsa init-pki

./easyrsa build-ca

# Optional: ./easyrsa build-ca nopass skips the CA key passphrase; the CA private key is then stored unencrypted on disk.

When prompted, enter a name for your CA. Let’s keep it simple and cool, like "MyVPN_CA".

2.3 Create Server Certificate, Key, and DH Params

Now, let's create the server certificate:

./easyrsa gen-req server nopass

./easyrsa sign-req server server

And don't forget to generate the Diffie-Hellman parameters:

./easyrsa gen-dh

2.4 Generate Client Certificates

Your clients need their own credentials to join the VPN party:

./easyrsa gen-req client1 nopass


./easyrsa sign-req client client1

Replace client1 with whatever cool name you want.

Step 3: Configuring the OpenVPN Server 🎛️

3.1 Move the Files

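Time to get our keys, certificates, and configuration in the right place. The server and client configurations below both reference ta.key for tls-auth, so generate that key first (OpenVPN 2.5 and later prefer the form openvpn --genkey secret ta.key) and copy it along with the rest:

openvpn --genkey --secret ta.key

sudo cp ta.key pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem /etc/openvpn/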

3.2 Create the Server Configuration

Let’s set up our OpenVPN server configuration file:

sudo nano /etc/openvpn/server.conf

Paste the following configuration:

port 1194                          # The port OpenVPN will listen on for incoming connections
proto udp                          # Protocol to use for connections, in this case, UDP
dev tun                            # The virtual network interface to use, in this case, TUN (tunnel)
ca ca.crt                          # Path to the Certificate Authority (CA) certificate file
cert server.crt                    # Path to the server certificate file
key server.key                     # Path to the server private key file
dh dh.pem                          # Path to the Diffie-Hellman parameters file
auth SHA256                        # Authentication algorithm to use, in this case, SHA256
tls-auth ta.key 0                  # Path to the TLS authentication key file and direction (0 for server, 1 for client)
server 10.8.0.0 255.255.255.0      # VPN subnet and netmask
ifconfig-pool-persist ipp.txt      # File to persist IP address allocations for clients
push "redirect-gateway def1 bypass-dhcp"  # Route all client traffic through the VPN
push "dhcp-option DNS 8.8.8.8"     # Push a DNS server to the client, in this case, Google's DNS
push "dhcp-option DNS 8.8.4.4"     # Push a secondary DNS server to the client
keepalive 10 120                   # Send ping every 10 seconds, and assume the client is down if no ping received for 120 seconds
cipher AES-256-CBC                 # Encryption cipher to use, in this case, AES-256-CBC
user nobody                        # Drop privileges to this user after initialization
group nogroup                      # Drop privileges to this group after initialization
persist-key                        # Don't re-read key files across SIGUSR1 or --ping-restart
persist-tun                        # Don't close and reopen TUN/TAP device across SIGUSR1 or --ping-restart
status openvpn-status.log          # File to output status logs
verb 3                             # Set log verbosity level (higher numbers mean more detailed logs)
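
Before starting the server, it helps to confirm that every file this configuration names actually exists in /etc/openvpn and that the secret ones are not readable by other users. The script below is an added example, not part of the original tutorial or of OpenVPN; check_server_conf and its output labels are hypothetical names, and it assumes relative paths are resolved against the config file's directory.

```shell
#!/bin/sh
# Added example: pre-flight check for an OpenVPN server config.
# check_server_conf and its output labels are hypothetical, not OpenVPN tooling.

check_server_conf() (
    conf=$1
    dir=$(dirname "$conf")
    findings=0

    # Each file-bearing directive must point at an existing file. Relative
    # paths are resolved against the config's directory (assumption: OpenVPN
    # runs with that directory as its working directory).
    while read -r directive file rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|key|dh|tls-auth) ;;
            *) continue ;;
        esac
        case $file in
            /*) path=$file ;;
            *)  path=$dir/$file ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $directive -> $path"
            findings=$((findings + 1))
            continue
        fi
        # Secrets (server key, tls-auth key) must carry no group/other bits:
        # characters 5-10 of the ls mode string must all be dashes.
        case $directive in
            key|tls-auth)
                if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
                    echo "PERMS $path is accessible to group/others"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$conf"

    # Privilege drop: both directives must be present and uncommented.
    for directive in user group; do
        if ! grep -Eq "^[[:space:]]*${directive}[[:space:]]+[^#[:space:]]" "$conf"; then
            echo "NOPRIV '$directive' directive not set"
            findings=$((findings + 1))
        fi
    done

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
)

if [ "$#" -gt 0 ]; then check_server_conf "$1"; fi
```

Saved as a script and run with sudo against /etc/openvpn/server.conf, it exits non-zero while any finding remains.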

Step 4: Start the OpenVPN Server 🚀

Almost there! Let’s get this server running:

sudo systemctl start openvpn@server

To ensure it starts on boot:

sudo systemctl enable openvpn@server

Step 5: Configure the Client 🚴‍♂️

Now, let’s set up your Kali VM to connect to this new OpenVPN server.

5.1 Create the Client Config

Create a .ovpn config file:

nano client.ovpn

Paste the following:

client                              # Specifies that this is a client configuration
dev tun                             # Use a TUN (tunnel) device, which creates a routed IP tunnel
proto udp                           # Protocol to use for connection, in this case, UDP
remote [Your_Server_IP] 1194        # The server's IP address or hostname and port number to connect to
resolv-retry infinite               # Keep retrying to resolve the server address indefinitely
nobind                              # Do not bind to a specific local port (use a random port)
persist-key                         # Preserve the key across restarts
persist-tun                         # Preserve the TUN/TAP interface across restarts

ca ca.crt                           # Path to the CA certificate file
cert client1.crt                    # Path to the client certificate file
key client1.key                     # Path to the client private key file
tls-auth ta.key 1                   # Path to the TLS authentication key file and direction (1 for client)
cipher AES-256-CBC                  # Encryption cipher to use, matching the server's cipher
auth SHA256                         # Authentication algorithm to use, matching the server's auth setting

verb 3                              # Set log verbosity level (higher numbers mean more detailed logs)

Make sure to replace [Your_Server_IP] with the IP of your VPN server. Save and exit.

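5.2 Transfer the Necessary Files

Transfer client.ovpn, ca.crt, client1.crt, client1.key, and ta.key to your OpenVPN client machine. On the server, Easy-RSA keeps ca.crt in pki/, client1.crt in pki/issued/, and client1.key in pki/private/. client1.key and ta.key are secrets, so copy them over an encrypted channel such as scp.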

Step 6: Connect to the VPN 🌍 & Verify the Connection 🕵️‍♂️

On the OpenVPN client machine, connect to your shiny new VPN:

sudo openvpn client.ovpn


Now that you're connected, let's make sure all traffic is flowing through the VPN:

Check the tun0 Interface:

ip addr show tun0

You should see an IP like 10.8.0.x.

Optional Step: IP Forwarding 🌐

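Time to make sure your traffic gets to where it needs to go. If you want the client machine to reach the Internet through the VPN, enable IP forwarding on the server. Forwarding only lets the server pass packets between interfaces; the client's traffic also needs a NAT (masquerade) rule for 10.8.0.0/24 on the server's outbound interface, or a return route to that subnet on the upstream network.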

Enable IP Forwarding

This is the secret sauce that makes it all work:

sudo sysctl -w net.ipv4.ip_forward=1

To make it permanent, edit /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

Uncomment or add this line:

net.ipv4.ip_forward=1

Save, exit, and apply the changes:

sudo sysctl -p

Ping Google from the client VM to verify:

ping google.com

Security Best Practices: Keep Your VPN Setup Safe and Sound! 🔒

As you embark on setting up your OpenVPN server, it’s important to ensure your setup stays as secure as it is cool. Here are some tips to lock down your VPN setup:

Strong Passwords: Use passwords that are as tough as your server setup. Mix it up with numbers, symbols, and funky characters to keep those pesky intruders at bay!

Protect Those Keys: Your private keys are like the secret sauce to your VPN security. Keep them locked up tight, and only share them with the trusted few who need them.

Firewall Fun: Set up your firewall to only let the good stuff in—like UDP port 1194 for OpenVPN—and keep the bad stuff out. It’s like VIP access control for your server!

TLS Authentication: Activate TLS authentication (tls-auth) to double-check that only authorized devices can join your VPN party. It’s like having a secret handshake for your data!

Keep a Watchful Eye: Peek into your OpenVPN logs now and then (/var/log/openvpn.log) to make sure everything’s running smoothly and to spot any unexpected guests.

Lock Down Unused Features: If you’re not using it, lose it! Disable any extra features or services in your OpenVPN setup to keep your security game tight.

Encrypt Everything: Wrap your data in super-strong encryption (like AES-256-CBC) to keep it safe from prying eyes. It’s like sending your data through a virtual Fort Knox!

Be Security Savvy: Share your security wisdom with your users! Teach them to steer clear of shady Wi-Fi spots and fishy emails that could try to snag their VPN credentials.

Backup Dance: Back up your OpenVPN configuration and keys regularly. It’s like having a safety net ready in case your server needs a quick recovery dance.
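
For the "Keep a Watchful Eye" tip, counting failed TLS handshakes per source address is a quick way to see who is probing UDP 1194 without a valid tls-auth key or certificate. The script below is an added example, not part of the original tutorial; the function names and sample log lines are constructed, with messages modeled on OpenVPN 2.x server output, and only IPv4 peers are handled.

```shell
#!/bin/sh
# Added example: summarize failed TLS handshakes per source IP.
# Function names and sample lines are constructed for illustration;
# the messages are modeled on OpenVPN 2.x server log output.

sample_log() {
    cat <<'EOF'
2024-09-03 10:15:01 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:40012
2024-09-03 10:15:02 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:40013
2024-09-03 10:15:03 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:40014
2024-09-03 10:15:09 203.0.113.9:51820 TLS Error: TLS handshake failed
2024-09-03 10:16:30 192.0.2.44:39001 peer info: IV_VER=2.6.3
2024-09-03 10:16:31 192.0.2.44:39001 [client1] Peer Connection Initiated with [AF_INET]192.0.2.44:39001
EOF
}

tls_failures_by_ip() {
    # $1 = log file ("-" or omitted reads stdin)
    # $2 = minimum number of failures before an address is reported (default 3)
    awk -v min="${2:-3}" '
        /TLS Error|VERIFY ERROR/ {
            # The peer appears as a.b.c.d:port, either as a line prefix
            # or inside [AF_INET]...; keep only the address part.
            if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+/)) {
                peer = substr($0, RSTART, RLENGTH)
                sub(/:[0-9]+$/, "", peer)
                count[peer]++
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

if [ "$#" -gt 0 ]; then tls_failures_by_ip "$@"; fi
```

Each output line is a failure count followed by the source address, highest count first. The tutorial's server.conf sets no log directive, so on a systemd host the same messages may be in the journal rather than in /var/log/openvpn.log.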

Conclusion: Mission Accomplished 🎉

Congrats, network warrior! You’ve set up a fully functioning OpenVPN server, secured it, and connected a client to it. Your internet traffic is now safe from prying eyes, and you’ve leveled up your networking skills. 👾

Remember, the world of VPNs is vast, so keep exploring and stay curious. Until next time—happy networking! 🌐✨