
Installing a VPN server on Linux. Installing VPN on Ubuntu

By now the abbreviation VPN is unfamiliar only to those who have never dealt with a computer. What is it, why is it needed, and how do you set it up yourself?

What is a VPN and why is it needed?

VPN (Virtual Private Network) is a way to join several computers that are physically distant from each other into one logical network.

VPNs can be used for different purposes, from organizing a network for work or games to accessing the Internet. In doing so, you must understand the possible legal responsibility for your actions.

In Russia, using a VPN is not a punishable act, except when it is used for deliberately illegal purposes. That is, if you want to visit the website of the president of a neighbouring country (say, Somalia) and write how bad he is while hiding your IP address, this in itself is not a violation (provided the content of the statement does not break the law). But using this technology to access resources prohibited in Russia is an offence.

That is, you can play with friends over the network and work remotely inside your organization's network via a VPN, but you cannot read all sorts of bad sites. With that sorted out, let's move on to the setup.

Setting up the server side on Ubuntu Linux

For the server side it is better to use Linux; it is easier to work with in this regard. The simplest option is PPTP: it does not require installing certificates on client computers, and authentication is performed by username and password. We will use it.

First, install the pptpd package, then open its configuration file:

sudo nano /etc/pptpd.conf

If you need more than 100 simultaneous connections, find the "connections" parameter, uncomment it and set the desired value, for example:

connections 200

If broadcast packets need to be relayed over the virtual network, make sure the bcrelay parameter is also uncommented:

bcrelay eth1

After that, go to the end of the file and add the address settings:

localip 10.10.10.1
remoteip 10.10.10.2-254
listen 11.22.33.44

The first parameter is the server's IP address in the virtual network, the second is the range of addresses issued to clients (the range must cover the configured number of connections; it is better to allocate addresses with a margin), and the third is the external address on which to listen for incoming connections. If the server has several external addresses, only one of them can be listened on; if the third parameter is omitted, all available external addresses are listened on.

Save the file and close it. Additional fine-tuning settings go in the /etc/ppp/pptpd-options file:

sudo nano /etc/ppp/pptpd-options

First of all, make sure the lines that forbid the old and insecure authentication methods are uncommented:

refuse-pap
refuse-chap
refuse-mschap

Also check that the proxyarp option is enabled (its line is uncommented). To allow or forbid multiple simultaneous connections by the same user, comment out (allow) or uncomment (forbid) the lock option.

Save and close this file as well. It remains to create the users:

sudo nano /etc/ppp/chap-secrets

One line is allocated per VPN user, listing in order the user name, the remote address, the password and the local address, separated by spaces.

The remote address can be specified if the user has an external static IP and will only ever connect from it; otherwise put an asterisk so the connection is accepted from anywhere. The local address must be specified if you want the user to always receive the same IP address in the virtual network. For example:

user1 * password1 *
user2 11.22.33.44 password2 *
user3 * password3 10.10.10.10

For user1, connections are accepted from any external address and the local address is the first free one. For user2, the local address is also the first free one, but connections are accepted only from 11.22.33.44. For user3, connections are accepted from anywhere, but the local address is always 10.10.10.10, which we reserved for him.

This completes the configuration of the VPN server; restart it (under Linux you do not need to reboot the computer):

sudo service pptpd restart

Configuring VPN Clients

The client side can be configured on any operating system; as an example I will use Ubuntu Linux 16.04.

On the client computer, open the network connections (the screenshots are for Ubuntu with Cinnamon; in GNOME it is done the same way, and in Kubuntu it should not cause any difficulty). Click the "Add" button and select the PPTP connection type.

You can leave the VPN connection name as is, or give it one that is convenient and understandable for you; this is a matter of taste. In the "Gateway" field enter the external IP address of the server you are connecting to (the one given in the "listen" option), and below it the user name and password. On the right of the "Password" field, first select the option "Save password for this user".

After that, close the windows and connect to the server. If the server is outside your local network, you need Internet access.

This completes the virtual network, but so far it only joins the computers into a local network. To reach the Internet through the server, one more setting is required.

Setting up Internet access via VPN

On the VPN server, enter the following commands:

iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.1/24 -j MASQUERADE
iptables -A FORWARD -s 10.10.10.1/24 -j ACCEPT
iptables -A FORWARD -d 10.10.10.1/24 -j ACCEPT

where 10.10.10.1/24 is the server's local address and netmask.

After that, save the changes so that they survive a server restart:

iptables-save

And apply all the changes:

iptables-apply

After that you will have Internet access. If you open any site that shows your IP address, you will see the server's external address rather than your own (if they differ).

I remind you that only you are responsible for the consequences of your actions.

A true virtual private network (VPN) is an encrypted tunnel between two networks that joins two trusted points. It is not like the web protocol HTTPS, which every client is trusted to use; only clients holding the right access keys can connect to the VPN.

The term VPN has become very loose lately, with the arrival of "virtual private networks" that trust everyone and the spread of HTTPS. Many VPNs are commercial products with minimal configuration, meant to give remote employees access. But not everyone trusts such products. A private virtual network joins two networks into one, for example an office network and an employee's home network. The VPN server is needed so that server and client can authenticate each other.

Configuring server and client authentication takes some work, which is why commercial products with a minimum of settings fall short here. But setting up an OpenVPN server really is not that hard. To build a test environment you need two hosts on different networks; virtual machines or real servers will both do. As you have gathered, this article walks through setting up OpenVPN on Ubuntu to create a full private virtual network.

Both machines must have OpenVPN installed. It is a popular program, so you can install it from the official repositories. We also need Easy-RSA to work with private keys. To install both on Ubuntu, use the following command:

sudo apt install openvpn easy-rsa

Both packages must be installed on the server and on the client; you will need them for the configuration. The first stage of the article, installing OpenVPN, is complete.

Setting up a certification authority

The first thing to do is create the correct public key infrastructure on the server. We consider the server to be the machine users will connect to. Having your own CA has several benefits: it makes distributing and managing keys easy, and it lets you, for example, revoke client certificates on the server. You also no longer need to store every client certificate; the server only needs to verify that a certificate was signed by the CA. Instead of a full key infrastructure you can use static keys if you only need to give access to a few users.

Note that all private keys must be kept in a safe place. In OpenVPN the public key is called a certificate and has the .crt extension; the private key is called a key and has the .key extension.

First, create a folder to store the Easy-RSA certificates. The OpenVPN configuration is done by hand, so the folder can be placed anywhere:

sudo mkdir /etc/openvpn/easy-rsa

Then copy the easy-rsa scripts into this folder:

sudo cp -R /usr/share/easy-rsa /etc/openvpn/

Now go to the folder, switch to root and build the certification authority:

cd /etc/openvpn/easy-rsa/
sudo -i
# source ./vars
# ./clean-all
# ./build-ca

sudo -i switches to a root shell, and source ./vars loads the environment variables from the ./vars file. The ./clean-all command creates the keys folder if it does not exist and empties it. The last command initializes our certification authority. All the necessary keys have now appeared in the keys folder.

Configuring client certificates

Now we need to copy the CA certificate, the ca.crt file, into the /etc/openvpn folder on every client. For example, let's fetch this file for our client using scp:

sudo scp user@host:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys

Only now can you create the client's own private key and certificate request based on the CA certificate:

cd /etc/openvpn/easy-rsa/
sudo -i
# source ./vars
# ./build-req Sergiy

Note that ca.crt must be in the keys folder, otherwise nothing will work. The utility creates a key and a certificate request; to connect to the OpenVPN server the request still has to be signed on the server. Send the resulting .csr file to the server with the same scp:

scp /etc/openvpn/easy-rsa/keys/Sergiy.csr user@host:~/

Then, on the server, in the /etc/openvpn/easy-rsa folder, run the certificate signing command:

./sign-req ~/Sergiy

You must confirm the signing. The program then reports that the certificate has been signed and added to the database. The .crt file appears in the same folder as the .csr request and must be returned to the client machine:

sudo scp user@host:/home/Sergiy.crt /etc/openvpn/easy-rsa/keys

Only now do the server and the client have all the keys needed to connect and establish communication. A few settings remain. If you plan to use TLS encryption, you also need to generate Diffie-Hellman parameters on the server; use this command:

OpenVPN setup

Now let's set up the OpenVPN server. By default the OpenVPN configuration folder is empty; you create the files yourself depending on whether you are configuring a server or a client. Sample configuration files can be found in /usr/share/doc/openvpn/examples/sample-config-files/. First, create the config file for the server:

zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

There are a few parameters you need to tweak here:

port and proto - the port and protocol the program uses;

port 1194
proto udp

All created keys must be listed in the configuration file. Our keys are stored in /etc/openvpn/easy-rsa/keys:

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/ca.crt
key /etc/openvpn/easy-rsa/keys/ca.key
dh /etc/openvpn/easy-rsa/keys/dh.pem

Configure the address range of the virtual network; our server will be reachable on the first address in it, 10.8.0.1:

server 10.8.0.0 255.255.255.0

When you are done, save the changes to the file. You can either write the whole configuration yourself or edit the example file. A ready, working set of server settings:

port 1194
proto udp
comp-lzo
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/ca.crt
key /etc/openvpn/easy-rsa/keys/ca.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

Now the client. Copy the sample client configuration:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.conf

You can create several client configuration files for connecting to different servers. Open the configuration file and change the following parameters:

remote - the address of your OpenVPN server; the address and port must match what is configured on the server, for example:

remote 194.67.215.125 1194

ca - the CA certificate you received from the certification authority; we placed it in the /etc/openvpn/ folder.

cert and key - the client's public and private keys, with which you connect to the server. As you remember, we saved them in the /etc/openvpn/easy-rsa/keys/ folder.

ca /etc/openvpn/easy-rsa/keys/ca.crt

The rest of the settings can be left as they are. Here is the complete configuration file that you can copy:

client
dev tun
proto udp
remote 194.67.215.125 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Sergiy.crt
key /etc/openvpn/easy-rsa/keys/Sergiy.key
# enable only if the server also uses tls-auth with the same ta.key
;tls-auth ta.key 1
comp-lzo
verb 3

Save the settings; the client is now ready to connect. Note that the two configuration files must match as closely as possible: an option missing from one of them can lead to errors. This does not mean the files are identical, but the basic OpenVPN parameters must agree. All that remains is to start OpenVPN on this machine with this config file:

openvpn /etc/openvpn/client.conf

Done, everything now works. If you run ifconfig, you will see that a tun0 interface has been added.

You can also try to ping 10.8.0.1, the address we configured for our OpenVPN server; the ping packets should go through normally. If they do not, or something else is not working, look at the output of both programs for errors or warnings, and make sure the server's firewall allows external UDP access to port 1194. You can also start the server or the client with the verbosity in the config raised to the maximum, verb 9; very often this helps to understand why something does not work. But you cannot route traffic through the tunnel yet. To do that, enable forwarding and add a few iptables rules. First, allow transit packets on the server:

sysctl -w net.ipv4.ip_forward=1

Then add rules like these. Allow everyone to connect to our server:

iptables -A INPUT -p udp --dport 1194 -j ACCEPT

Allow OpenVPN users to reach the Internet:

iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
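The forwarding and NAT rules from this section and from the PPTP section earlier, as an added example that is not part of either article: the rules are applied idempotently (a rule is appended only if iptables -C reports it absent), return traffic into the tunnel is limited to established flows, and the forwarding flag and the ruleset are persisted rather than lost at reboot. The subnet, interface names, port and file paths are assumed defaults that can be overridden from the environment (VPN_NET=10.10.10.0/24 VPN_IF=ppp+ for the pptpd setup).

```shell
#!/bin/sh
# Added example, not from the article: VPN forwarding/NAT rules applied
# idempotently and made persistent. Defaults assume the article's OpenVPN
# subnet and interface names; override via environment variables.
set -eu

VPN_NET=${VPN_NET:-10.8.0.0/24}     # 10.10.10.0/24 for the PPTP setup
VPN_IF=${VPN_IF:-tun0}              # ppp+ for pptpd (matches ppp0, ppp1, ...)
WAN_IF=${WAN_IF:-eth0}
VPN_PORT=${VPN_PORT:-1194}
IPTABLES=${IPTABLES:-iptables}
SYSCTL=${SYSCTL:-sysctl}
SYSCTL_D=${SYSCTL_D:-/etc/sysctl.d}
RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}   # loaded by iptables-persistent

# One rule per line: table, chain, then match and target arguments.
# Traffic back into the tunnel is limited to RELATED,ESTABLISHED so the
# FORWARD chain does not expose VPN clients to unsolicited Internet traffic.
vpn_rules() {
  cat <<EOF
filter INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT
filter FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
filter FORWARD -i $WAN_IF -o $VPN_IF -d $VPN_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
nat POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Append each rule only if "iptables -C" says it is not there yet, so running
# the script twice does not stack duplicate rules.
apply_vpn_rules() {
  vpn_rules | while read -r table chain args; do
    # shellcheck disable=SC2086  # $args is meant to be word-split
    if "$IPTABLES" -t "$table" -C "$chain" $args 2>/dev/null; then
      echo "present: -t $table $chain $args"
    else
      "$IPTABLES" -t "$table" -A "$chain" $args
      echo "added:   -t $table $chain $args"
    fi
  done
}

# "sysctl -w" lasts only until reboot; the drop-in file makes it permanent.
enable_forwarding() {
  "$SYSCTL" -w net.ipv4.ip_forward=1 >/dev/null
  mkdir -p "$SYSCTL_D"
  echo "net.ipv4.ip_forward = 1" > "$SYSCTL_D/99-vpn-forward.conf"
  cat "$SYSCTL_D/99-vpn-forward.conf"
}

# iptables-save only prints the ruleset; redirecting it into RULES_FILE is
# what brings the rules back at boot (package iptables-persistent on Ubuntu).
persist_rules() {
  mkdir -p "$(dirname "$RULES_FILE")"
  "${IPTABLES}-save" > "$RULES_FILE"
}

if [ "${1:-}" = "--apply" ]; then   # needs root on the VPN server
  enable_forwarding
  apply_vpn_rules
  persist_rules
fi
```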

Conclusions

In this article we looked at how to install and configure OpenVPN on Ubuntu, and how to set up OpenVPN with key-based authentication. Private virtual networks are useful not only in organizations, but also for exchanging data between two of your own computers or for improving security on the network.

Do you want safe, secure Internet access from your smartphone or laptop while connected to an unsecured network, such as hotel or cafe WiFi? A Virtual Private Network (VPN) lets you use unsecured networks as if you were on a private one: all your traffic goes through the VPN server.

Combined with HTTPS connections, the settings described below protect your private information, for example logins, passwords and purchases. You can also bypass regional restrictions and censorship, and hide your location and your unencrypted HTTP traffic from the unsecured network.

You can transfer a profile from your computer to your phone by connecting the Android device over USB and copying the file. You can also move the profile file on an SD card: copy the profile to the card and insert the card into the Android device.

Launch the OpenVPN application and open the menu to import the profile.

Connection

Press the Connect button to establish a connection. You will be asked whether you trust the OpenVPN application; answer OK to connect. To stop the connection, open the OpenVPN app and select Disconnect.

Step 13. Testing VPN connection

After everything is installed and configured, let's make sure it works correctly. Without a VPN connection established, open a browser and go to DNSLeakTest.

This site shows the IP address assigned to you by your ISP. To see which DNS servers are in use, click Extended Test.

Now connect with your VPN client and refresh the page. The IP address shown should be completely different; this is the address the rest of the Internet now sees for you. Click Extended Test again to check your DNS settings and confirm that you are now using your VPN's DNS server.

Step 14. Revoking client certificates

From time to time you may need to revoke a client certificate to block its access to the VPN server.

To do this, go to your certification authority directory and enter the commands:

  • cd ~/openvpn-ca
  • source vars
  • ./revoke-full client3

The output of this command ends with error 23. This is normal: error 23 is the verification result "certificate revoked", which confirms the revocation took effect. As a result, the crl.pem file is created in the keys directory with the information needed for certificate revocation.

Move this file to the /etc/openvpn directory:

  • sudo cp ~/openvpn-ca/keys/crl.pem /etc/openvpn
  • sudo nano /etc/openvpn/server.conf

Add crl-verify at the end of the file. The OpenVPN server will then check the CRL every time someone connects.

/etc/openvpn/server.conf

crl-verify crl.pem

Save and close the file.

Restart OpenVPN to complete the certificate revocation process:

Now the client will not be able to establish a connection with the OpenVPN server using the old certificate.

To revoke additional certificates, follow these steps:

    Generate a new revocation list by running source vars in the ~/openvpn-ca directory and then revoke-full with the client's name.

    Copy the new CRL to /etc/openvpn, overwriting the old list.

    Restart the OpenVPN service.

This procedure can be used to revoke any certificates you have previously created.
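The certification-authority flow described earlier (build-ca, build-req, sign-req) together with the revoke-full and crl-verify steps of Step 14, as an added example that is not part of either article: the same steps performed with plain openssl in a temporary directory, so the signing and the revocation check can be run and observed. The CA name "Demo VPN CA", the client name "sergiy" and the temporary directory are assumptions; nothing here touches /etc/openvpn.

```shell
#!/bin/sh
# Added example, not the article's easy-rsa commands: the CA workflow
# (build-ca, build-req, sign-req, revoke-full, crl-verify) done with plain
# openssl. Assumed names: CA "Demo VPN CA", client "sergiy".
set -eu
PKI=$(mktemp -d)

# Minimal "openssl ca" setup; index.txt is the certificate database that
# easy-rsa's sign-req and revoke-full maintain behind the scenes.
init_ca() {
  mkdir -p "$PKI/newcerts"; : > "$PKI/index.txt"
  echo 01 > "$PKI/serial"; echo 01 > "$PKI/crlnumber"
  cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $PKI
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$PKI/ca.cnf" \
    -subj "/CN=Demo VPN CA" -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
  gen_crl
}

# Client side (build-req): private key plus a signing request, the .csr file.
make_request() {
  openssl req -new -newkey rsa:2048 -nodes -config "$PKI/ca.cnf" -subj "/CN=$1" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
}

# Server side (sign-req): the CA signs the request and records it in index.txt.
sign_request() {
  openssl ca -batch -notext -config "$PKI/ca.cnf" \
    -in "$PKI/$1.csr" -out "$PKI/$1.crt" 2>/dev/null
}

gen_crl() { openssl ca -config "$PKI/ca.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null; }

# revoke-full: mark the certificate revoked and issue a fresh crl.pem.
revoke_client() {
  openssl ca -config "$PKI/ca.cnf" -revoke "$PKI/$1.crt" 2>/dev/null
  gen_crl
}

# What the server does under crl-verify: chain to the CA and consult the CRL.
# A revoked certificate fails with "certificate revoked" (verify error 23).
client_status() {
  if openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$PKI/crl.pem" \
      "$PKI/$1.crt" >/dev/null 2>&1; then echo valid; else echo revoked; fi
}

init_ca
make_request sergiy
sign_request sergiy
echo "sergiy before revocation: $(client_status sergiy)"
revoke_client sergiy
echo "sergiy after revocation:  $(client_status sergiy)"
```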

Conclusion

Congratulations! You can now access the Internet securely; all your traffic is protected from eavesdropping by censors and intruders.

To configure additional clients, repeat steps 6 and 11-13 for every new device. To revoke access for a particular client, use step 14.

Having covered the theory in the previous parts, let's move on to a practical implementation. Today we will look at creating a PPTP VPN server on the Ubuntu Server platform. This material is intended for readers with Linux skills, so we will not digress into things described in our other articles, such as network configuration. If you run into difficulties, study our other materials first.

We begin our practical acquaintance with VPN with PPTP, the easiest protocol to implement. Keep in mind, however, that it is weakly secured and should not be used to reach critical data.

Consider the layout we built in our test lab for a practical acquaintance with this technology:

We have a local network 10.0.0.0/24 with a terminal server at 10.0.0.2 and a host at 10.0.0.1 that will act as the VPN server; for the VPN we have reserved the 10.0.1.0/24 network. The server's external interface has a notional dedicated IP address X.X.X.X. Our goal is to give remote clients access to the terminal server and the shared resources on it.

PPTP server setup

Install the pptpd package, which implements the PPTP VPN functionality:

sudo apt-get install pptpd

Now open /etc/pptpd.conf and set the basic settings of the VPN server. Go to the very end of the file and specify the server's address in the VPN network:

localip 10.0.1.1

And the range of addresses to issue to clients:

remoteip 10.0.1.200-250

Allocate at least as many addresses as the maximum number of simultaneous connections, preferably with a small margin, since the range cannot be enlarged without restarting pptpd. Also find and uncomment the line:

bcrelay eth1

This allows broadcast packets to be relayed between the internal network and the VPN clients.

You can also use the listen and speed options: the first specifies the IP address of the local interface on which to accept incoming PPTP connections, the second the speed of VPN connections in bps. For example, let's make the server accept PPTP connections only on the external interface:

listen X.X.X.X

Finer settings live in the file /etc/ppp/pptpd-options. The defaults match our requirements, but we will briefly review some of them so that you have an idea of their purpose.

The #Encryption section is responsible for data encryption and authentication. These options forbid the legacy and insecure PAP, CHAP and MS-CHAP protocols:

refuse-pap
refuse-chap
refuse-mschap

And these require MS-CHAP v2 authentication with 128-bit MPPE encryption:

require-mschap-v2
require-mppe-128

Next comes the #Network and Routing section. Here note the ms-dns option, which lets clients use a DNS server on the internal network. This is useful when the network has a domain structure, or contains a DNS server that knows the names of all PCs, so that computers can be addressed by name and not only by IP. In our case this option is not needed and stays commented out. Similarly, the ms-wins option sets the address of a WINS server.

Here you also find the proxyarp option, which, as the name suggests, enables Proxy ARP support on the server.

The #Miscellaneous section contains the lock option, which limits a client to one connection.

Users are added to /etc/ppp/chap-secrets, one per line:

ivanov * 123 *
petrov * 456 10.0.1.201

The first entry lets user ivanov connect with password 123 and assigns him an arbitrary IP address; the second creates user petrov with password 456, who will always receive the address 10.0.1.201 on connection.
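The chap-secrets entries here and in the first article both pin local addresses for some users; as an added example that is not part of either article, the check below verifies that every fixed address in chap-secrets lies inside the remoteip range from pptpd.conf and that no two users share one, which is the kind of mistake that otherwise only shows up as a failed connection. It assumes the single-range form "a.b.c.lo-hi" the articles use; the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the articles: consistency check of the fixed local
# addresses in chap-secrets against the remoteip range in pptpd.conf.
# Assumes remoteip in the form "a.b.c.lo-hi"; sample files are constructed.
set -eu

# check_pptp_addresses PPTPD_CONF CHAP_SECRETS
# Prints one line per problem; returns 1 if any, 2 if remoteip is missing.
check_pptp_addresses() {
  conf=$1
  secrets=$2
  range=$(awk '$1 == "remoteip" { print $2 }' "$conf")
  [ -n "$range" ] || { echo "no remoteip line in $conf"; return 2; }
  prefix=${range%.*}        # 10.10.10
  span=${range##*.}         # 2-254
  lo=${span%-*}
  hi=${span#*-}
  awk -v prefix="$prefix" -v lo="$lo" -v hi="$hi" -v range="$range" '
    /^[ \t]*#/ || NF < 4 { next }   # comments and malformed lines
    $4 == "*" { next }               # address assigned dynamically
    {
      n = split($4, o, ".")
      if (n != 4 || o[1] "." o[2] "." o[3] != prefix || o[4] + 0 < lo || o[4] + 0 > hi) {
        printf "%s: %s is outside remoteip %s\n", $1, $4, range
        bad = 1
      } else if ($4 in seen) {
        printf "%s: %s is already assigned to %s\n", $1, $4, seen[$4]
        bad = 1
      } else {
        seen[$4] = $1
      }
    }
    END { exit bad + 0 }' "$secrets"
}

# Constructed sample files mirroring the articles' examples.
DEMO=$(mktemp -d)
printf 'localip 10.10.10.1\nremoteip 10.10.10.2-254\n' > "$DEMO/pptpd.conf"
printf 'user1 * password1 *\nuser2 * password2 10.10.10.10\n' > "$DEMO/chap-secrets.ok"
printf '%s\n' \
  'user1 * password1 10.10.10.10' \
  'user2 * password2 10.10.10.10' \
  'user3 * password3 10.10.11.5' \
  'user4 * password4 10.10.10.1' > "$DEMO/chap-secrets.bad"

if check_pptp_addresses "$DEMO/pptpd.conf" "$DEMO/chap-secrets.bad"; then
  echo "chap-secrets is consistent with pptpd.conf"
else
  echo "fix the lines above before restarting pptpd"
fi
```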

Restart pptpd:

sudo /etc/init.d/pptpd restart

Important note! If pptpd refuses to restart and hangs on startup while /var/log/syslog gains the line "long config file line ignored", be sure to add a line break at the end of /etc/pptpd.conf.

Our server is ready to go.

Configuring Client PCs

In general it is enough to configure the VPN connection with the default options. We nevertheless advise you to explicitly specify the connection type and disable the encryption protocols you do not need.

Depending on the network layout, you may also need to specify static routes and the default gateway. These questions were discussed in detail in the previous parts.

We establish the VPN connection and try to ping any PC on the local network; we reached the terminal server without any difficulty.

Now one more important addition. In most cases computers on the local network will be reachable only by IP address, i.e. the path \\10.0.0.2 works but \\SERVER does not. This can be inconvenient and unfamiliar for users. There are several ways to solve this problem.

If the local network has a domain structure, it is enough to point the VPN connection's DNS server at the domain controller's DNS server. Use the ms-dns option in /etc/ppp/pptpd-options on the server and the clients will receive this setting automatically.

If there is no DNS server in the local network, you can create a WINS server and use it; information about it can likewise be passed to clients automatically with the ms-wins option. Finally, if there are few remote clients, use the hosts file on the client PCs (C:\Windows\System32\drivers\etc\hosts), where you should add lines like.

Step 1

Opening the command line

The easiest way is to open a terminal by simultaneously pressing the Ctrl + Alt + T keys, but you can also launch the Terminal from the Main Menu.

Step 2

To install the OpenVPN Network Manager plugin, enter the following command on the command line (without the quotes): "sudo apt-get install network-manager-openvpn-gnome". Press Enter.

Step 3

Install OpenVPN Network Manager plugin

Enter the system password if required and press Enter again.

Step 4

Install OpenVPN Network Manager plugin

Enter "Y", which means that you agree to install, and press Enter.

Step 5

Downloading the certificate

You generated a certificate in your personal account; to install it you need to download it. Go to "VPN -> My services" and click "VPN clients".

Step 6

Downloading the certificate

Click on the OpenVPN icon to download the certificate.

Step 7

Downloading the certificate

When asked "Would you like to save this file?", click "Save File". The download will begin.

Step 8

Downloading the certificate

Since certificates have long names, you may want to rename the file to something shorter first.

Step 9

Import configuration

You can import the OpenVPN configuration with the command "sudo openvpn --config /home/my/Downloads/client.ovpn", where /home/my/Downloads is the folder the certificate was saved to and client.ovpn is the name of the certificate file itself. Press Enter.

Step 10

Import configuration

Enter the system password if required and press Enter again. The VPN is now connected; you can close the terminal, this will not affect the VPN.

Step 11

Disconnecting from the network

If you want to disconnect the VPN, enter the command "sudo killall openvpn" in the terminal. Press Enter.

Step 12

Disconnecting from the network

Enter the system password if required and press Enter again. The VPN is now disconnected.

Step 13

Taking full advantage of a VPN

Congratulations! You've managed to set up a VPN on Ubuntu! Now you have secure access to the Internet and a new IP!

Why is it worth getting a VPN on Linux?

  • You get a reliable connection, stable speed and access to your favourite content
  • A VPN browser extension covers only web pages; it is not suitable for games or downloading torrents
  • A VPN for Linux gives the highest level of anonymity by replacing your real IP with the IP address of the VPN server