OpenVPN


I went through the process of setting up a VPN server a few years ago and it worked well enough for about 5 years. Then after an update everything stopped working. I meant to fix it but I was then notified that my VPS was end of life, so I let the server expire.

This gave me the opportunity to install a new VPN server and document it for my future self. I started the process thinking it would be quick, and then I remembered that it’s actually quite a big task! It took me a good week or so of tinkering to get all the elements to work. The process of documenting the project was actually really educational as I wanted to try different options and approaches.

I’ll be using OpenVPN as it’s free, well supported and well documented. They have commercial offerings too, but I went ahead with the self-hosted vanilla option.

OpenVPN, the free VPN server

Why use a VPN?

There are a few good reasons to use a VPN, and a few not so good ones. A lot will depend on where you live and your ISP.

  • Remote Access – A VPN can connect two networks together, so your computer can appear as if it’s on the same local network as a remote server. This is the best reason in my opinion, and the reason VPNs are so popular in the corporate world. With a VPN you can securely “attach” to a remote network and get work done.
  • Privacy Considerations – This one is a bit variable because it really depends on where and how you connect to the internet. A VPN can be used to move where your network traffic emerges on the internet, but it can’t do much more than that.
    • If your ISP is monitoring your traffic and you are a political activist it would be worthwhile to use a VPN in a different jurisdiction. However, if you are breaking the law you are still breaking the law.
    • Your traffic will still emerge at the VPN server, so you really need to trust the VPN provider and understand where it’s located. If the VPN service provider is selling on your data, or is subject to surveillance, then you haven’t solved anything.
    • Removing your ISP and “moving” your traffic may be all you want to do if you are in a country with oppressive internet policies. In that case you have a very valid use case, but again you may still be breaking the local laws in your country.
  • Geo-locking – if a site is US only, then you can defeat that by using a US VPN.
  • IP Fixing – some services use IP locking to only allow access from a set of fixed IP addresses. This is to prevent bad actors from spamming them with requests hoping to get lucky. Having a fixed IP VPN server can be very handy.
  • DNS Security – There is an argument that some ISPs are intercepting DNS requests with transparent proxies and doctoring or at least monitoring results. Using your own DNS settings like 1.1.1.1 or 8.8.8.8 may not be enough to protect your DNS lookups from interference.
  • Security – using a VPN will encrypt traffic as far as the VPN server, however after that it will be back on the open internet. So it can help with the “first hop”, but if you are sending sensitive data in the clear then it will still be exposed for the rest of the journey.
  • Website Tracking – You won’t stop websites tracking you by using a VPN. The only thing you have changed with a VPN is the IP address you use. Websites will still track you in the same way as before.

For web browsing, the VPN server will only protect you on the first hop to the VPN server. After that the data is transmitted far and wide on the internet – so the red link below is secure, the rest is the Wild West.

For me it boils down to:

  1. IP fixing – I sometimes work from cafes or other public networks but want to access APIs that use IP address limitation. Using a VPN in this case saves me a lot of hassle.
  2. Free Wifi Network – again, when out and about I want to avoid (1) filtered DNS and (2) filtering of traffic. Some locations limit access to domains based on content rating or expected traffic. Sending everything down a VPN is handy in this case.

The Plan

To break it down into manageable chunks, I took the following approach.

Post Script