
Install OpenVPN on VPS With Free SSL
Install OpenVPN on VPS with Automatic Free SSL Let’s Encrypt
In today’s digital landscape, ensuring secure online communication is paramount. This comprehensive guide provides an advanced tutorial for installing OpenVPN on a Virtual Private Server (VPS) while automating the SSL certification process through Let’s Encrypt. We’ll also create custom commands to manage OpenVPN users, set passwords, and choose preferred ports, ensuring a robust and flexible VPN setup.
1. Prerequisites
Before we begin, ensure you have the following:
- A VPS running a Linux distribution (Ubuntu or Debian is recommended).
- Root access to the server (you can use sudo if you have a non-root user with sudo privileges).
- Basic command-line knowledge.
- A domain name pointed to your VPS IP.
2. Installing OpenVPN
Step 1: Update Your System
Start by connecting to your VPS via SSH and updating the package list:
ssh root@your_vps_ip
apt update && apt upgrade -y
Step 2: Install OpenVPN and Easy-RSA
Install OpenVPN and Easy-RSA, which simplifies the process of managing SSL certificates:
apt install openvpn easy-rsa -y
Step 3: Configure Easy-RSA
Set up the Easy-RSA directory to build your Certificate Authority (CA):
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
Edit the vars file to set your certificate details:
nano vars
Inside vars, modify the following fields to match your organization:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="YourOrganization"
export KEY_EMAIL="[email protected]"
export KEY_OU="YourOrganizationalUnit"
Then source the vars file and clean up previous keys:
source vars
./clean-all
Step 4: Build Server Certificate and Key
Generate the server certificate, key, and Diffie-Hellman parameters:
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
Step 5: Configure OpenVPN Server
Copy the sample server configuration file to the OpenVPN directory:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz
Edit the /etc/openvpn/server.conf file with your favorite text editor and set the following parameters:
nano /etc/openvpn/server.conf
Make sure the following lines are set appropriately:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
3. Setting Up Let’s Encrypt for SSL
Step 1: Install Certbot
Certbot is the recommended tool for obtaining SSL certificates from Let’s Encrypt. Install it using:
apt install certbot -y
Step 2: Obtain Your SSL Certificate
To obtain your certificate, use Certbot with the standalone option:
certbot certonly --standalone -d yourdomain.com
Follow the prompts to complete the certificate issuance.
Step 3: Configure OpenVPN to Use SSL
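Keep in mind that the ca directive is also what the server uses to verify client certificates, so client certificates signed by the Easy-RSA CA from section 2 validate only while ca points to that CA’s ca.crt. In your /etc/openvpn/server.conf, specify the paths to your SSL certificates: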
ca /etc/letsencrypt/live/yourdomain.com/chain.pem
cert /etc/letsencrypt/live/yourdomain.com/fullchain.pem
key /etc/letsencrypt/live/yourdomain.com/privkey.pem
Step 4: Enable Auto-Renewal for SSL Certificates
To automate SSL certificate renewal, edit your crontab:
crontab -e
Add the following line:
0 0 * * * /usr/bin/certbot renew --quiet
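This entry runs certbot renew daily at midnight; Certbot renews a certificate only once it is close to expiry. OpenVPN reads its certificate and key when it starts, so a renewed certificate takes effect after the service is restarted.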
4. Creating Custom Commands for User Management
To enhance user management in OpenVPN, we will create custom scripts for adding and deleting users, setting passwords, and choosing preferred ports.
Adding a New OpenVPN User
Create a script named adduser.sh:
nano ~/adduser.sh
Insert the following code into the script:
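#!/bin/bash
# Add an OpenVPN user
if [ -z "$1" ]; then
    echo "Usage: $0 username"
    exit 1
fi
# Work inside the CA directory created in section 2 and load its settings
cd ~/openvpn-ca || exit 1
source vars
# Generate the client key and sign its certificate with the CA
# (Easy-RSA 2 script, matching build-ca and build-key-server above)
./build-key "$1" || exit 1
# Keep a copy of the issued certificate
mkdir -p /etc/openvpn/clients
cp "keys/$1.crt" /etc/openvpn/clients/ || exit 1
echo "Client $1 added."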
Make the script executable:
chmod +x ~/adduser.sh
Deleting a User
Create a script called deluser.sh:
nano ~/deluser.sh
Insert the following code:
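#!/bin/bash
# Remove an OpenVPN user
if [ -z "$1" ]; then
    echo "Usage: $0 username"
    exit 1
fi
# This deletes only the stored copy of the certificate; the certificate itself
# stays valid until it is revoked and the server checks a CRL (crl-verify).
rm -f -- "/etc/openvpn/clients/$1.crt"
echo "Client $1 removed."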
Make this script executable:
chmod +x ~/deluser.sh
Setting Passwords for VPN Users
To secure user accounts with passwords, create a script named setpassword.sh:
nano ~/setpassword.sh
Insert the following code:
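#!/bin/bash
# Set password for VPN user
if [ -z "$1" ]; then
    echo "Usage: $0 username"
    exit 1
fi
echo "Enter new password:"
# -r keeps backslashes literal, -s hides the typed password
read -rs PASSWORD
# chpasswd sets the password of the existing system account named $1
printf '%s:%s\n' "$1" "$PASSWORD" | chpasswd
echo "Password set for user $1."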
Make it executable:
chmod +x ~/setpassword.sh
Choosing Preferred Ports
To allow changes to the OpenVPN port, create a script named setport.sh:
nano ~/setport.sh
Insert the following code:
#!/bin/bash
# Set preferred OpenVPN port
if [ -z "$1" ]; then
    echo "Usage: $0 port_number"
    exit 1
fi
sed -i "s/^port .*/port $1/" /etc/openvpn/server.conf
echo "OpenVPN port set to $1. Please restart OpenVPN."
Make this script executable:
chmod +x ~/setport.sh
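The helper scripts in this section run as root and place their argument directly into a file path or a sed expression, so the argument should be checked before it is used. The following is an added example, not part of the original guide; the function names and the sample config are constructed for illustration.

```bash
#!/bin/bash
# Added example: argument checks for the root-run helper scripts.
# Function names and the sample config are constructed for illustration.

# A client name ends up in a file path (/etc/openvpn/clients/NAME.crt),
# so allow only letters, digits, "_", "." and "-", not starting with "." or "-".
valid_client_name() {
    case "$1" in
        ''|-*|.*) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]    # 64 is the X.509 commonName length limit
}

# A port is a plain decimal integer from 1 to 65535, without leading zeros.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Change the "port" line of config file $1 to port $2, only after validation,
# then confirm the file really carries the requested value.
set_port() {
    sp_conf=$1; sp_port=$2
    valid_port "$sp_port" || { echo "invalid port" >&2; return 2; }
    grep -q '^port ' "$sp_conf" || { echo "no port line in $sp_conf" >&2; return 3; }
    sed -i "s/^port .*/port $sp_port/" "$sp_conf"
    grep -qx "port $sp_port" "$sp_conf"
}

# Run set_port against a constructed stand-in for /etc/openvpn/server.conf
# and print the resulting port line.
demo_set_port() {
    tmp=$(mktemp) || return 1
    printf 'port 1194\nproto udp\ndev tun\n' > "$tmp"
    rc=0
    set_port "$tmp" "$1" || rc=$?
    grep '^port ' "$tmp"
    rm -f "$tmp"
    return "$rc"
}

demo_set_port 443
demo_set_port '443 udp' || echo "rejected, config unchanged"
```

The same valid_client_name check fits at the top of adduser.sh and deluser.sh, before the name is used in any path.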
5. Starting OpenVPN
To start the OpenVPN server, run:
systemctl start openvpn@server
systemctl enable openvpn@server
Check the status to ensure it’s running:
systemctl status openvpn@server
6. FAQs
Q1: How do I connect to OpenVPN from a client?
To connect, you need the client configuration file, which can be generated for each user. You can transfer this file to the client device using secure methods like SCP or SFTP.
Q2: How often do I need to renew my SSL certificate?
Let’s Encrypt certificates are valid for 90 days. However, with the auto-renewal setup via cron, this will be handled automatically.
Q3: Can I customize my OpenVPN configuration further?
Yes! You can customize various settings in the server.conf file, including routing options, DNS settings, and additional security measures.
Q4: What if I forget the commands?
Keep this guide saved, or consider creating a cheat sheet for quick reference.
Q5: How do I change the encryption method?
To change the encryption method, edit the cipher line in your server.conf file to your desired algorithm, such as cipher AES-128-CBC for a different level of security.
7. Conclusion
This advanced tutorial has guided you through installing OpenVPN on a VPS with free SSL, complete with automatic SSL certificate management through Let’s Encrypt. By creating custom commands for user management, you can efficiently control your VPN environment, ensuring both security and flexibility. With your new setup, you can enjoy secure browsing and a private online experience.