Running your own OpenVPN Server

Having covered what VPNs are and how they can be useful in the workplace or home in our previous VPN post, we will now show you how to run your own OpenVPN server at home or in your business.

For this environment we have selected OpenVPN: it is free and open source and one of the most secure options out there. We will be running it on Windows Server 2012, but it should run fine on Windows 8 as well.

First we must download and install OpenVPN from the community downloads section at the bottom of the page. Be sure to tick every box while installing OpenVPN. Once OpenVPN has been installed we can create the required server certificates and keys. To do this, enter the following commands in an administrative Command Prompt session.

cd "C:\Program Files\OpenVPN\easy-rsa"
init-config
vars
clean-all
build-ca

init-config creates a new vars.bat from a template.

The last command, build-ca, creates our Certificate Authority certificate and key. While it runs it will prompt for information to put in the certificate; the only field that must be entered is the Common Name. We will now create a certificate and private key for the server with the following command:

build-key-server server

Again the only required field is the Common Name, which should be set to "server". After that you will be asked to enter Y at "Sign the certificate? [y/n]" and at "1 out of 1 certificate requests certified, commit? [y/n]".

Finally we create our Diffie-Hellman parameters with

build-dh

Now that we have generated all the files required to run our VPN, copy them into the config folder (C:\Program Files\OpenVPN\config). The files are ca.crt, server.crt, server.key and dh*.pem from the folder C:\Program Files\OpenVPN\easy-rsa\keys.

Inserting the server.ovpn template

The OpenVPN server's configuration is read from a text file called server.ovpn. A preconfigured template can be found in the sample-config folder (C:\Program Files\OpenVPN\sample-config); copy this file to the config folder (C:\Program Files\OpenVPN\config).

Starting the OpenVPN server

Open Command Prompt with administrative rights and navigate to the config folder (C:\Program Files\OpenVPN\config). Run the following command:

openvpn server.ovpn

You can also start the OpenVPN server by right-clicking the .ovpn file and selecting Start OpenVPN on this config file. While this is more convenient, it does not give the server administrative rights, which can lead to problems.

Creating client certificates and keys

The default authentication method for connecting to the OpenVPN server is client certificates and keys. To create a client certificate, run the following commands in an administrative Command Prompt:

cd "C:\Program Files\OpenVPN\easy-rsa"
vars
build-key *name of user*

Again the only required field is the Common Name, which should be set to "*Name of user*". After that you will be asked to enter Y at "Sign the certificate? [y/n]" and at "1 out of 1 certificate requests certified, commit? [y/n]".

The files a client needs to connect to the OpenVPN server are *nameofuser*.crt, *nameofuser*.key, ca.crt and client.ovpn. All of these are located in the keys folder (C:\Program Files\OpenVPN\easy-rsa\keys) except client.ovpn, which is in the sample-config folder (C:\Program Files\OpenVPN\sample-config). The client.ovpn file comes with preconfigured parameters for the OpenVPN client, but we still must specify the IP address and port of the OpenVPN server as well as the names of the certificate and key files. You can use the following example for help.

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn.techcheck.com.au 1194
;remote my-server-2 1194

# SSL/TLS parms.
# See the server config file for more
# description. It’s best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert john.crt
key john.key
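Hand-editing client.ovpn for every user is error-prone, so here is an added example (not code from the original post or from the OpenVPN project) that builds a single-file client profile with the certificate, key and CA embedded inline, and then lints it for the mistakes that most often stop a client from connecting: a missing remote or credential, a non-numeric port, and typographic (curly) quotes that a word processor inserts and OpenVPN cannot parse. The PEM bodies are constructed placeholders standing in for the real ca.crt, john.crt and john.key; the server name is the one used in the post. The remote-cert-tls server line is an addition not shown in the post: it makes the client accept only a certificate carrying the server extension that build-key-server adds, so a client certificate that leaks cannot be used to pose as the server.

```python
"""Build a single-file OpenVPN client profile and lint it before hand-out."""
import re

# Constructed PEM placeholders standing in for the real files from
# C:\Program Files\OpenVPN\easy-rsa\keys (not valid certificates or keys).
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB-constructed-ca\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB-constructed-john\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE-constructed-john-key\n-----END PRIVATE KEY-----\n"

REQUIRED_DIRECTIVES = ("client", "dev", "proto", "remote", "remote-cert-tls")
CREDENTIALS = ("ca", "cert", "key")
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"   # curly quotes OpenVPN will not parse


def build_client_profile(server, port, ca_pem, cert_pem, key_pem):
    """Return the text of a unified client .ovpn with the credentials inline."""
    lines = [
        "client",
        "dev tun",
        "proto udp",
        "remote %s %d" % (server, port),
        "resolv-retry infinite",
        "nobind",
        "persist-key",
        "persist-tun",
        # Only accept a server certificate that carries the server extension
        # build-key-server adds, so a leaked client certificate cannot be used
        # to impersonate the server to other clients.
        "remote-cert-tls server",
        "verb 3",
    ]
    for tag, pem in zip(CREDENTIALS, (ca_pem, cert_pem, key_pem)):
        lines += ["<%s>" % tag, pem.strip(), "</%s>" % tag]
    return "\n".join(lines) + "\n"


def lint_profile(text):
    """Return a list of problems found in a client profile (empty means clean)."""
    problems = []
    directives = {}
    inline_block = None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline_block:                       # skip PEM bodies between <tag> ... </tag>
            if line == "</%s>" % inline_block:
                inline_block = None
            continue
        if not line or line[0] in "#;":        # blank or comment line
            continue
        match = re.fullmatch(r"<(ca|cert|key|tls-auth|tls-crypt)>", line)
        if match:
            inline_block = match.group(1)
            directives[inline_block] = "inline"
            continue
        if any(ch in line for ch in TYPOGRAPHIC_QUOTES):
            problems.append("line %d: typographic quote; OpenVPN needs plain ASCII quotes" % number)
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    for name in REQUIRED_DIRECTIVES:
        if name not in directives:
            problems.append("missing directive: %s" % name)
    for name in CREDENTIALS:
        if name not in directives:
            problems.append("missing credential: %s" % name)
    remote = directives.get("remote", "").split()
    if len(remote) >= 2 and not remote[1].isdigit():
        problems.append("remote: port must be numeric")
    if "remote-cert-tls" in directives and directives["remote-cert-tls"] != "server":
        problems.append("remote-cert-tls: value should be 'server' on a client")
    return problems


if __name__ == "__main__":
    profile = build_client_profile("vpn.techcheck.com.au", 1194, CA_PEM, CERT_PEM, KEY_PEM)
    print(profile)
    print("lint:", lint_profile(profile) or "clean")
```

Run the script with the real PEM files read from the keys folder and save the output as *nameofuser*.ovpn; the client then needs only that one file. The linter also accepts the post's file-based style (ca ca.crt, cert john.crt, key john.key), so it can be run over an existing client.ovpn as well.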

Port forwarding to the OpenVPN server

Now that we have a live OpenVPN server, it is time to forward the VPN's port on your router. The default port is 1194 (UDP, as set by the proto line in the sample server.ovpn) unless you have specifically changed it in the server.ovpn configuration file. If you have not set up port forwarding before, you can find a guide on PortForward.com. If your router runs a firewall, make sure port 1194 is open for incoming connections.

Routing OpenVPN clients to the local subnet

So far we have built a server and allowed incoming connections to it from the internet. However, clients cannot yet reach devices on the server's local network, because we have not created a route.

To make routing work we need to enable Routing and Remote Access on our OpenVPN server. On Windows Server 2012 and Windows 8 we can do this by running regedit and navigating to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Right-click IPEnableRouter, select Modify, change the Value data from 0 to 1, click OK and close the Registry Editor.

Press the Start button, type "services.msc" and hit Enter. Find Routing and Remote Access, right-click it, choose Properties, change its Startup type to Automatic and start the service.

The next step is to create a route on our local router. Log in and create a static route that sends traffic destined for the VPN client subnet 10.8.0.0 (mask 255.255.255.0) to the VPN server's local address 192.168.15.104, as in the following screenshot.

The reason we do this is that reply packets from devices on the local network are addressed to the VPN client's IP address, e.g. 10.8.0.6. That address only exists on the OpenVPN server, so the traffic must still be delivered via the VPN server. Routing all traffic for the VPN subnet to the VPN server's local IP address allows VPN clients to receive their replies.

The last step is to advertise the 192.168.15.0 subnet to VPN clients when they connect to the VPN server. Open the server.ovpn file located in C:\Program Files\OpenVPN\config; it contains a section that looks like the following.

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

Use this example to push routes to the VPN clients. In our case the local subnet is 192.168.15.0, so we insert the following line (note the plain ASCII double quotes; OpenVPN will not parse curly quotes pasted from a word processor):

push "route 192.168.15.0 255.255.255.0"

Save the file and restart the OpenVPN server as well as the physical machine. VPN clients should now be able to reach devices on the local network as if they were physically in the same building.

Routing all traffic through the VPN

By default, traffic from a VPN client is only sent to the VPN server if it is directed at the VPN subnet or at a subnet the server advertises. This means connecting to your file server at home goes through the VPN, but browsing Facebook bypasses the VPN server and goes directly to Facebook. That is fine unless you want to use the VPN server to protect you against packet sniffing and filtering.

On the server, add the following line to the server.ovpn file located in C:\Program Files\OpenVPN\config:

push "redirect-gateway def1"

or, if you are on a wireless network where all clients and servers share the same wireless subnet:

push "redirect-gateway local def1"
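The three routing changes above (the static route on the home router, the pushed route to 192.168.15.0/24, and redirect-gateway def1) all come down to longest-prefix matching, so here is an added example (not code from the original post or from OpenVPN) that models the three routing tables involved and shows where a packet goes before and after each change. It reuses the post's addresses (VPN server 192.168.15.104 on the 192.168.15.0/24 LAN, client pool 10.8.0.0/24, client 10.8.0.6) and assumes the rest: the LAN router is 192.168.15.1, the server's tunnel address is 10.8.0.1, and the remote client sits behind a home LAN of 192.168.1.0/24 with gateway 192.168.1.1. The /1 routes installed by def1 are what OpenVPN really does; the host route it also adds for the VPN server's public address is left out of the model.

```python
"""Longest-prefix-match model of the routing tables the OpenVPN tutorial changes."""
import ipaddress


def next_hop(table, destination):
    """Pick the most specific matching route; table is a list of (prefix, hop)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


VPN_SERVER_LAN_IP = "192.168.15.104"   # from the post
LAN_ROUTER = "192.168.15.1"            # assumed default gateway on the server's LAN
VPN_GATEWAY = "10.8.0.1"               # assumed server address inside the tunnel

# A file server on the LAN: its own subnet is directly connected, everything else
# goes to the router. It has no idea where 10.8.0.0/24 lives.
LAN_HOST_TABLE = [("192.168.15.0/24", "direct"), ("0.0.0.0/0", LAN_ROUTER)]

# The home router before and after the static route the post adds.
ROUTER_BEFORE = [("192.168.15.0/24", "direct"), ("0.0.0.0/0", "isp-uplink")]
ROUTER_AFTER = ROUTER_BEFORE + [("10.8.0.0/24", VPN_SERVER_LAN_IP)]


def lan_reply_path(router_table, client_ip="10.8.0.6"):
    """Trace a LAN device's reply to a VPN client: (host's next hop, router's next hop)."""
    host_hop = next_hop(LAN_HOST_TABLE, client_ip)
    router_hop = next_hop(router_table, client_ip)
    return host_hop, router_hop


def client_table(push_lan_route=False, redirect_def1=False):
    """Routing table of a remote client under the server.ovpn options discussed."""
    table = [
        ("192.168.1.0/24", "direct"),        # assumed: the client's own home LAN
        ("0.0.0.0/0", "192.168.1.1"),        # assumed: its normal default gateway
        ("10.8.0.0/24", VPN_GATEWAY),        # the tunnel subnet itself
    ]
    if push_lan_route:                       # push "route 192.168.15.0 255.255.255.0"
        table.append(("192.168.15.0/24", VPN_GATEWAY))
    if redirect_def1:                        # push "redirect-gateway def1"
        # def1 installs two /1 routes that are more specific than the /0 default,
        # so all internet traffic moves into the tunnel without deleting the
        # original default route. Directly connected /24s still win over the /1s.
        table += [("0.0.0.0/1", VPN_GATEWAY), ("128.0.0.0/1", VPN_GATEWAY)]
    return table


def client_next_hop(destination, **options):
    """Where the remote client sends a packet for destination."""
    return next_hop(client_table(**options), destination)


if __name__ == "__main__":
    print("reply to 10.8.0.6 without static route:", lan_reply_path(ROUTER_BEFORE))
    print("reply to 10.8.0.6 with static route:   ", lan_reply_path(ROUTER_AFTER))
    for dst in ("192.168.15.20", "203.0.113.9", "192.168.1.50"):
        print(dst,
              "plain:", client_next_hop(dst),
              "pushed route:", client_next_hop(dst, push_lan_route=True),
              "def1:", client_next_hop(dst, push_lan_route=True, redirect_def1=True))
```

Without the static route the router forwards the reply for 10.8.0.6 to the ISP uplink, where it is dropped; with it, the reply reaches 192.168.15.104 and the tunnel. On the client side the pushed route moves only 192.168.15.0/24 into the tunnel, while def1 also captures public destinations such as 203.0.113.9 yet leaves the client's own LAN directly reachable.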

Because all traffic is now routed through the VPN, it must also handle DNS queries. You can do this by pushing DNS server addresses to VPN clients using the following section of the server.ovpn file on the server.

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

Removing the ; marks pushes OpenDNS's server addresses to VPN clients so they can resolve names successfully. You can change these addresses to any DNS server reachable by the VPN clients.

Client to Client Connections

If you would like VPN clients to be able to talk to other VPN clients on the 10.8.0.0 subnet, you can allow this in the following section of the server.ovpn file by removing the ; in front of client-to-client:

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

Two Stage Authentication

To set up two stage authentication we need to enable a password on the user certificates, that is, passphrase-protect the user's private key. To do this, edit the build-key batch file in the easy-rsa folder: copy it, rename the copy "build-key-pass.bat", open it and remove the text "-nodes " (including the trailing space). You can now go to the easy-rsa folder in Command Prompt, run vars and then build-key-pass, and set a password along with the certificate details.

cd "C:\Program Files\OpenVPN\easy-rsa"
vars
build-key-pass *name of user*
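If the "-nodes " edit did not take (a stray character left behind, or the original build-key run by mistake), build-key-pass silently writes a cleartext key and the second factor is gone. The following added example (not code from the original post or from easy-rsa) checks the key files before they are handed out. It recognises the two encodings OpenSSL uses for a protected key: the legacy RSA PRIVATE KEY block with Proc-Type/DEK-Info headers, and the PKCS#8 ENCRYPTED PRIVATE KEY label. The PEM samples are constructed stand-ins for what easy-rsa writes to keys\*nameofuser*.key; none is real key material.

```python
"""Check that client keys produced by build-key-pass are really passphrase-protected."""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def key_is_encrypted(pem_text):
    """True if every private-key block in pem_text is passphrase-protected.

    Two encodings count as protected: the PKCS#8 'ENCRYPTED PRIVATE KEY' label,
    and the legacy 'RSA PRIVATE KEY' block with Proc-Type/DEK-Info headers that
    OpenSSL writes when build-key runs without -nodes. Raises ValueError when the
    text holds no private key at all (e.g. a certificate was passed by mistake).
    """
    seen_key = False
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        if "PRIVATE KEY" not in label:
            continue                         # certificates and requests are not keys
        seen_key = True
        if label == "ENCRYPTED PRIVATE KEY":
            continue
        if "Proc-Type: 4,ENCRYPTED" in body and "DEK-Info:" in body:
            continue
        return False                         # a cleartext key block
    if not seen_key:
        raise ValueError("no private key block found")
    return True


def unprotected_keys(keys_by_user):
    """Return the user names whose key files would ship without a passphrase."""
    return sorted(user for user, pem in keys_by_user.items() if not key_is_encrypted(pem))


# Constructed samples (not real key material).
PLAIN_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEvQIBADANBgkq-constructed-cleartext\n"
    "-----END PRIVATE KEY-----\n"
)
LEGACY_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "constructed-ciphertext-lines\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PKCS8_ENCRYPTED_KEY = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "MIIFHDBOBgkq-constructed-ciphertext\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMIIB-constructed\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    sample = {"john": PLAIN_KEY, "jane": LEGACY_ENCRYPTED_KEY, "bob": PKCS8_ENCRYPTED_KEY}
    print("keys without a passphrase:", unprotected_keys(sample))
```

In practice, feed unprotected_keys a dictionary built by reading every *.key file in the keys folder; any name it returns was generated without a passphrase and should be re-issued with build-key-pass before the files leave the server.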

This password can be changed on the client's machine by right-clicking the OpenVPN icon in the system tray after connecting to the VPN server.

OpenVPN provides a relatively inexpensive way of connecting multiple networks and clients together. It also lets you create a VPN portal without needing a domain environment, which is great for small businesses. If you have any questions, please feel free to comment below.

Thank you for viewing and subscribing to our blog; it helps our community grow.