If you want a way to route other systems' traffic through your own gateway, with your server acting much like a proxy, here is a free solution: a Virtual Private Network (VPN). Once a user connects, the server assigns them an address on a private network and pushes routes that send their traffic through the VPN server on its way to the real destination. People deploy a VPN service for different reasons; two common ones are:
- Encrypt outgoing traffic between the workstation and the VPN server
- Route traffic out through a network other than the local ISP's
Getting Started
01. Installing the required packages (easy-rsa is installed here, but the steps below call openssl directly)
# apt-get update && apt-get install -y openvpn easy-rsa
02. Creating a directory to hold the certificates and keys generated in the following steps
# mkdir -p /etc/openvpn/server/certs
# cd /etc/openvpn/server/certs
03. Build a CA and its key
# openssl genrsa -out ca.key 2048
# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:la
Locality Name (eg, city) []:la
Organization Name (eg, company) [Internet Widgits Pty Ltd]:osradar
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:vpn-server.osradar.com
Email Address []:
ca.key is written unencrypted and is the root of trust for every client that will ever connect: anyone who obtains it can issue certificates the server accepts. Restrict it (chmod 600 ca.key) and, where possible, keep the CA key off the VPN server altogether and copy only ca.crt there.
04. Let's generate the VPN service's own certificate and key
# openssl genrsa -out vpn.key 2048
# openssl req -new -key vpn.key -out vpn.csr
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:la
Locality Name (eg, city) []:la
Organization Name (eg, company) [Internet Widgits Pty Ltd]:osradar
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:vpn-server.osradar.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl x509 -req -in vpn.csr -out vpn.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
Signature ok
subject=C = US, ST = la, L = la, O = osradar, OU = it, CN = vpn-server.osradar.com
# openssl dhparam -out dh2048.pem 2048
Note that openssl x509 -req adds no X.509 extensions, so this server certificate and the user certificates signed the same way in step 10 look identical to OpenVPN. A client configured with remote-cert-tls server would reject this server certificate, and without that option any holder of a CA-signed user certificate could pose as the server to other users. If you want that check to work, sign the server certificate with -extfile and extendedKeyUsage=serverAuth, and user certificates with extendedKeyUsage=clientAuth.
05. Configuring the OpenVPN server
# vim /etc/openvpn/server/server.conf
port 443
proto tcp
dev tun
server 10.11.0.0 255.255.255.0
ca /etc/openvpn/server/certs/ca.crt
cert /etc/openvpn/server/certs/vpn.crt
key /etc/openvpn/server/certs/vpn.key
dh /etc/openvpn/server/certs/dh2048.pem
persist-key
persist-tun
keepalive 10 60
reneg-sec 0
tun-mtu 1468
tun-mtu-extra 32
mssfix 1400
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
status /etc/openvpn/443.log
verb 3
The ca path must point at the certs directory created in step 02, where ca.crt actually lives. Compression (comp-lzo) is deliberately left out: it is deprecated in current OpenVPN releases, and compressing traffic before encryption lets an attacker who can inject data into the tunnel recover secrets from the ciphertext length. reneg-sec 0 disables the periodic rekeying that OpenVPN performs by default (every 3600 seconds); remove that line unless you have a reason to keep one session key for the life of the connection.
06. Starting up the service
Because the configuration lives in /etc/openvpn/server/, use the openvpn-server@ unit, which reads /etc/openvpn/server/<name>.conf; the openvpn@server unit would look for /etc/openvpn/server.conf instead.
# systemctl enable --now openvpn-server@server
# systemctl status openvpn-server@server
07. Enable IPv4 forwarding so the server can route between tun0 and its outgoing NIC
# vim /etc/sysctl.d/60-ipv4-forward.conf net.ipv4.ip_forward=1
# sysctl -p /etc/sysctl.d/60-ipv4-forward.conf
08. Changing the firewall rules
Add a NAT rule for the VPN subnet configured in step 05 (10.11.0.0/24, not some other range) at the top of before.rules:
# vim /etc/ufw/before.rules
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.11.0.0/24 -o main_nic -j MASQUERADE
COMMIT
# END OPENVPN RULES
main_nic => replace this with your outgoing NIC device name (ip route show default prints it)
ufw drops forwarded packets by default, so routed VPN traffic also needs the forward policy changed:
# vim /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
Allow 443/tcp, the port our VPN service listens on, then reload ufw so the new rules take effect:
# ufw allow 443/tcp
# ufw disable
# ufw enable
09. Prepare user certificate. In the example below, I assume the username is bob.
# openssl genrsa -out bob.key 2048
# openssl req -new -key bob.key -out bob.csr
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:LK
State or Province Name (full name) [Some-State]:CMB
Locality Name (eg, city) []:colombo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:private
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:bob
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
10. Sign the user certificate using the CA certificate which we generated at step 03.
# openssl x509 -req -in bob.csr -out bob.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
The user needs three files to connect from their workstation: ca.crt, bob.crt and bob.key. Hand bob.key over through a secure channel (not e-mail), since whoever holds it can connect as bob, and delete the server's copy of bob.key once the user has it. Better still, let the user generate bob.key and bob.csr themselves and send you only the CSR, so the private key never leaves their machine.
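The certificate steps above (03, 04, 09 and 10) can be scripted so they run without prompts, and the script is also the natural place to fix the missing X.509 extensions so that a server certificate cannot be used as a client certificate or vice versa. The script below is an added example, not part of the original article: it assumes openssl is in PATH, and the output directory, hostname vpn-server.osradar.com and username bob are placeholders. It also writes a single bob.ovpn profile with the CA, certificate and key inlined, which is easier to hand to a user than three separate files.

```shell
#!/bin/sh
# Added example, not the article's own commands: a non-interactive version of
# steps 03, 04, 09 and 10 that also sets X.509 extensions, so the server cert is
# only valid as a server and the client cert only as a client. Assumes openssl
# is in PATH; the directory, hostname and username are placeholders.
set -eu

# make_pki DIR SERVER_CN CLIENT_CN: build ca.crt, vpn.crt/vpn.key and CLIENT_CN.crt/.key in DIR
make_pki() {
    dir=$1; server_cn=$2; client_cn=$3
    mkdir -p "$dir"
    (
        cd "$dir"
        # Extension files read by `openssl x509 -req -extfile`. The article's
        # certificates carry none, so any CA-signed user cert would also pass
        # as a server to a client that sets remote-cert-tls server.
        printf '%s\n' 'basicConstraints=CA:FALSE' \
            'keyUsage=digitalSignature,keyEncipherment' \
            'extendedKeyUsage=serverAuth' > server.ext
        printf '%s\n' 'basicConstraints=CA:FALSE' \
            'keyUsage=digitalSignature' \
            'extendedKeyUsage=clientAuth' > client.ext

        # Step 03: self-signed CA, 10 years. The key is left unencrypted so the
        # function runs unattended; add -aes256 to genrsa for a real CA.
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
            -subj "/C=US/O=osradar/OU=it/CN=osradar VPN CA"

        # Step 04: server key, CSR, and CA-signed cert with the serverAuth EKU
        openssl genrsa -out vpn.key 2048 2>/dev/null
        openssl req -new -key vpn.key -out vpn.csr \
            -subj "/C=US/O=osradar/OU=it/CN=${server_cn}"
        openssl x509 -req -in vpn.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile server.ext -out vpn.crt 2>/dev/null

        # Steps 09-10: user key, CSR, and CA-signed cert with the clientAuth EKU
        openssl genrsa -out "${client_cn}.key" 2048 2>/dev/null
        openssl req -new -key "${client_cn}.key" -out "${client_cn}.csr" \
            -subj "/C=US/O=osradar/OU=it/CN=${client_cn}"
        openssl x509 -req -in "${client_cn}.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 365 -extfile client.ext -out "${client_cn}.crt" 2>/dev/null
        chmod 600 ca.key vpn.key "${client_cn}.key"
    )
}

# verify_cert DIR PURPOSE CERT: succeed only if CERT chains to DIR/ca.crt and its
# extensions permit PURPOSE (sslserver or sslclient), the same distinction
# OpenVPN makes for remote-cert-tls
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$2" "$1/$3" >/dev/null 2>&1
}

# make_client_profile DIR REMOTE CLIENT_CN: write DIR/CLIENT_CN.ovpn with the CA,
# user cert and key inlined, so the user receives one file instead of three
make_client_profile() {
    dir=$1; remote=$2; client_cn=$3
    {
        printf 'client\ndev tun\nproto tcp\nremote %s 443\nnobind\n' "$remote"
        printf 'persist-key\npersist-tun\nremote-cert-tls server\nverb 3\n'
        printf '<ca>\n'; cat "$dir/ca.crt"; printf '</ca>\n'
        printf '<cert>\n'; cat "$dir/${client_cn}.crt"; printf '</cert>\n'
        printf '<key>\n'; cat "$dir/${client_cn}.key"; printf '</key>\n'
    } > "$dir/${client_cn}.ovpn"
    chmod 600 "$dir/${client_cn}.ovpn"
}

# Run the whole procedure when invoked as: sh pki.sh run [DIR]
if [ "${1:-}" = run ]; then
    out=${2:-/etc/openvpn/server/certs}
    make_pki "$out" vpn-server.osradar.com bob
    verify_cert "$out" sslserver vpn.crt && echo "vpn.crt: valid server certificate"
    verify_cert "$out" sslclient bob.crt && echo "bob.crt: valid client certificate"
    make_client_profile "$out" vpn-server.osradar.com bob
    echo "client profile written to $out/bob.ovpn"
fi
```

Running sh pki.sh run /tmp/pki produces the same file set as the manual steps plus bob.ovpn. The verify_cert calls are the check worth keeping: with the article's extension-less certificates, openssl verify -purpose sslserver accepts a user certificate just as readily as the server's, which is exactly the property remote-cert-tls server exists to rule out.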
Client workstation end
11. Open a terminal, install the required package and then launch "nm-connection-editor"
# apt-get update && apt-get install -y network-manager-openvpn
$ nm-connection-editor
12. Setting up the VPN client profile
Click the (+) sign and select the OpenVPN option in the drop-down menu. Enter the server's address, choose certificate (TLS) authentication, and point the profile at the three files received from the server: ca.crt as the CA certificate, bob.crt as the user certificate and bob.key as the private key. Because the server listens on 443/tcp rather than the default 1194/udp, also set the port to 443 and enable "Use a TCP connection" in the advanced settings.
That's it. You can now start the newly created VPN connection, which brings up an encrypted tunnel between the workstation and the VPN server.
You can verify the result by checking that a tun interface with an address from 10.11.0.0/24 exists and that the default route now goes through it:
# ip addr show
# ip route show
“I hope this has been informative”