Install OpenVPN on VPS with Automatic Free SSL Let’s Encrypt

In today’s digital landscape, ensuring secure online communication is paramount. This comprehensive guide provides an advanced tutorial for installing OpenVPN on a Virtual Private Server (VPS) while automating SSL certificate issuance and renewal through Let’s Encrypt. We’ll also create custom commands to manage OpenVPN users, set passwords, and choose preferred ports, ensuring a robust and flexible VPN setup.

1. Prerequisites

Before we begin, ensure you have the following:

  • A VPS running a Linux distribution (Ubuntu or Debian is recommended).
  • Root access to the server (you can use sudo if you have a non-root user with sudo privileges).
  • Basic command-line knowledge.
  • A domain name pointed to your VPS IP.

2. Installing OpenVPN

Step 1: Update Your System

Start by connecting to your VPS via SSH and updating the package list:

ssh root@your_vps_ip  
apt update && apt upgrade -y

Step 2: Install OpenVPN and Easy-RSA

Install OpenVPN and Easy-RSA, which simplifies the process of managing SSL certificates:

apt install openvpn easy-rsa -y

Step 3: Configure Easy-RSA

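Set up the Easy-RSA directory to build your Certificate Authority (CA). The vars format and the helper scripts used in the next steps (clean-all, build-ca, build-key-server, build-dh) are those of Easy-RSA 2.x; Easy-RSA 3 packages ship a single easyrsa command instead: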

make-cadir ~/openvpn-ca  
cd ~/openvpn-ca

Edit the vars file to set your certificate details:

nano vars

Inside vars, modify the following fields to match your organization:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="YourOrganization"
export KEY_EMAIL="you@example.com"
export KEY_OU="YourOrganizationalUnit"

Then source the vars file and clean up previous keys:

source vars  
./clean-all

Step 4: Build Server Certificate and Key

Build the CA, then generate the server certificate and key, the Diffie-Hellman parameters, and the tls-auth key:

./build-ca  
./build-key-server server  
./build-dh  
openvpn --genkey --secret keys/ta.key

Step 5: Configure OpenVPN Server

Copy the sample server configuration file to the OpenVPN directory:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz

Edit the /etc/openvpn/server.conf file with your favorite text editor and set the following parameters:

nano /etc/openvpn/server.conf

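Make sure the following lines are set appropriately. The ca, cert, key, dh and tls-auth paths are relative to /etc/openvpn, so the files generated in Step 4 (ca.crt, server.crt, server.key, dh2048.pem and ta.key in ~/openvpn-ca/keys) must be copied into that directory first: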

port 1194  
proto udp  
dev tun  
ca ca.crt  
cert server.crt  
key server.key  
dh dh2048.pem  
tls-auth ta.key 0  
cipher AES-256-CBC  
user nobody  
group nogroup  
persist-key  
persist-tun  
status openvpn-status.log  
verb 3

3. Setting Up Let’s Encrypt for SSL

Step 1: Install Certbot

Certbot is the recommended tool for obtaining SSL certificates from Let’s Encrypt. Install it using:

apt install certbot -y

Step 2: Obtain Your SSL Certificate

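To obtain your certificate, use Certbot with the standalone option. Standalone mode starts a temporary web server on port 80, so that port must be free and reachable from the internet: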

certbot certonly --standalone -d yourdomain.com

Follow the prompts to complete the certificate issuance.

Step 3: Configure OpenVPN to Use SSL

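In your /etc/openvpn/server.conf, specify the paths to your SSL certificates. These lines take the place of the ca, cert and key entries set in Step 5. Note that OpenVPN uses the ca file to verify client certificates, so client certificates signed by the Easy-RSA CA will not validate against the Let’s Encrypt chain: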

ca /etc/letsencrypt/live/yourdomain.com/chain.pem  
cert /etc/letsencrypt/live/yourdomain.com/fullchain.pem  
key /etc/letsencrypt/live/yourdomain.com/privkey.pem
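
A quick check of the resulting server.conf, added here as an illustration (not part of the original guide): it flags duplicated ca/cert/key lines, a public chain used as the client trust anchor, and missing crl-verify, data-ciphers and tls-version-min lines. audit_conf and page_conf are hypothetical names, and the sample input is constructed from the configuration lines shown in this guide.

```sh
#!/bin/sh
# Added example: report server.conf settings that break or weaken client
# authentication. One finding per line; no output means nothing was flagged.
audit_conf() {
  awk '
    /^[ \t]*[#;]/ || NF == 0 { next }      # skip comments and blank lines
    { seen[$1]++; val[$1] = $2 }           # count directives, keep last value
    END {
      n = split("ca cert key", once, " ")
      for (i = 1; i <= n; i++)
        if (seen[once[i]] > 1)
          print "DUPLICATE " once[i] ": set " seen[once[i]] " times"
      if (val["ca"] ~ /letsencrypt/)
        print "CLIENT-TRUST: ca is a public chain; Easy-RSA client certs will not verify"
      if (!("crl-verify" in seen))
        print "NO-CRL: no crl-verify line, revoked client certs are still accepted"
      if (val["cipher"] ~ /-CBC$/ && !("data-ciphers" in seen))
        print "CBC-CIPHER: " val["cipher"] " set and no data-ciphers list"
      if (!("tls-version-min" in seen))
        print "NO-TLS-MIN: tls-version-min not set"
    }' "${1:--}"
}

# Constructed sample: Step 5 certificate lines followed by the Let's Encrypt lines.
page_conf() {
  cat <<'EOF'
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
ca /etc/letsencrypt/live/yourdomain.com/chain.pem
cert /etc/letsencrypt/live/yourdomain.com/fullchain.pem
key /etc/letsencrypt/live/yourdomain.com/privkey.pem
EOF
}

page_conf | audit_conf
```

Run it against the live file with: audit_conf /etc/openvpn/server.conf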

Step 4: Enable Auto-Renewal for SSL Certificates

To automate SSL certificate renewal, edit your crontab:

crontab -e

Add the following line:

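0 0 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl restart openvpn@server"

This command will attempt to renew your certificate daily at midnight. The deploy hook runs only when a certificate was actually renewed and restarts OpenVPN so that the server loads the new files.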

4. Creating Custom Commands for User Management

To enhance user management in OpenVPN, we will create custom scripts for adding and deleting users, setting passwords, and choosing a preferred port.

Adding a New OpenVPN User

Create a script named adduser.sh:

nano ~/adduser.sh

Insert the following code into the script:

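#!/bin/bash
# Add an OpenVPN user: issue a client certificate from the CA built in Step 4

if [ -z "$1" ]; then
  echo "Usage: $0 username"
  exit 1
fi

# Allow only simple names, since the argument is used in file paths
case "$1" in *[!A-Za-z0-9_-]*) echo "Invalid username: $1"; exit 1 ;; esac

# Work inside the Easy-RSA 2.x directory from Step 3 so the certificate is
# signed by the same CA and lands in keys/
cd ~/openvpn-ca || exit 1
source vars
./build-key "$1" || exit 1
mkdir -p /etc/openvpn/clients
cp "keys/$1.crt" /etc/openvpn/clients/
echo "Client $1 added."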

Make the script executable:

chmod +x ~/adduser.sh

Deleting a User

Create a script called deluser.sh:

nano ~/deluser.sh

Insert the following code:

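#!/bin/bash
# Remove an OpenVPN user: revoke the certificate and delete the stored copy

if [ -z "$1" ]; then
  echo "Usage: $0 username"
  exit 1
fi
# Allow only simple names, since the argument is used in file paths
case "$1" in *[!A-Za-z0-9_-]*) echo "Invalid username: $1"; exit 1 ;; esac

# Deleting the .crt alone does not block the client, so revoke it in the CA.
# The CRL is enforced only if server.conf contains: crl-verify crl.pem
cd ~/openvpn-ca || exit 1
source vars
./revoke-full "$1"
cp keys/crl.pem /etc/openvpn/crl.pem
rm -f "/etc/openvpn/clients/$1.crt"
echo "Client $1 removed."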

Make this script executable:

chmod +x ~/deluser.sh

Setting Passwords for VPN Users

To secure user accounts with passwords, create a script named setpassword.sh:

nano ~/setpassword.sh

Insert the following code:

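#!/bin/bash
# Set password for VPN user (changes the password of the system account "$1")
# Note: the server.conf in this guide authenticates clients by certificate only;
# this password applies to VPN logins only if a PAM auth plugin is configured.

if [ -z "$1" ]; then
  echo "Usage: $0 username"
  exit 1
fi

# chpasswd only works for an existing system account
if ! id "$1" >/dev/null 2>&1; then
  echo "No such system user: $1"
  exit 1
fi

echo "Enter new password:"
read -rs PASSWORD
printf '%s:%s\n' "$1" "$PASSWORD" | chpasswd
echo "Password set for user $1."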

Make it executable:

chmod +x ~/setpassword.sh

Choosing Preferred Ports

To allow changes to the OpenVPN port, create a script named setport.sh:

nano ~/setport.sh

Insert the following code:

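#!/bin/bash
# Set preferred OpenVPN port

if [ -z "$1" ]; then
  echo "Usage: $0 port_number"
  exit 1
fi

# Accept only a number from 1 to 65535; the value is substituted into a sed expression
if ! [[ "$1" =~ ^[0-9]{1,5}$ ]] || [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
  echo "Invalid port: $1"
  exit 1
fi

sed -i "s/^port .*/port $1/" /etc/openvpn/server.conf
echo "OpenVPN port set to $1. Please restart OpenVPN."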

Make this script executable:

chmod +x ~/setport.sh

5. Starting OpenVPN

To start the OpenVPN server, run:

systemctl start openvpn@server  
systemctl enable openvpn@server

Check the status to ensure it’s running:

systemctl status openvpn@server

6. FAQs

Q1: How do I connect to OpenVPN from a client?

To connect, you need the client configuration file, which can be generated for each user. You can transfer this file to the client device using secure methods like SCP or SFTP.
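
One way to generate that per-user file, as an added example rather than part of the original guide. It assumes the Easy-RSA 2.x keys/ directory from Step 4, a server that presents the Easy-RSA server certificate, and the udp/tun/tls-auth settings from Step 5; make_ovpn and pem_block are names invented here.

```sh
#!/bin/sh
# Added example: emit a single-file client profile from the Easy-RSA 2.x
# keys/ directory used in this guide (ca.crt, NAME.crt, NAME.key, ta.key).

# Print only the PEM-armoured part of a file; Easy-RSA .crt files begin with
# a human-readable dump that does not belong in the profile.
pem_block() {
  sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_ovpn NAME HOST PORT KEYDIR  -> profile on stdout
make_ovpn() {
  name=$1 host=$2 port=$3 keydir=$4
  case $name in ''|*[!A-Za-z0-9_-]*) echo "bad client name" >&2; return 2 ;; esac
  case $host in ''|*[!A-Za-z0-9.-]*) echo "bad host" >&2; return 2 ;; esac
  case $port in ''|*[!0-9]*) echo "bad port" >&2; return 2 ;; esac
  for f in ca.crt "$name.crt" "$name.key" ta.key; do
    [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
  done
  cat <<EOF
client
dev tun
proto udp
remote $host $port
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
key-direction 1
<ca>
$(pem_block "$keydir/ca.crt")
</ca>
<cert>
$(pem_block "$keydir/$name.crt")
</cert>
<key>
$(pem_block "$keydir/$name.key")
</key>
<tls-auth>
$(pem_block "$keydir/ta.key")
</tls-auth>
EOF
}

# Usage (the profile contains the private key, so keep it owner-readable only):
#   ( umask 077; make_ovpn alice yourdomain.com 1194 ~/openvpn-ca/keys > alice.ovpn )
```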

Q2: How often do I need to renew my SSL certificate?

Let’s Encrypt certificates are valid for 90 days. However, with the auto-renewal setup via cron, this will be handled automatically.

Q3: Can I customize my OpenVPN configuration further?

Yes! You can customize various settings in the server.conf file, including routing options, DNS settings, and additional security measures.

Q4: What if I forget the commands?

Keep this guide saved, or consider creating a cheat sheet for quick reference.

Q5: How do I change the encryption method?

To change the encryption method, edit the cipher line in your server.conf file to your desired algorithm, such as cipher AES-128-CBC for a different level of security.


7. Conclusion

This advanced tutorial has guided you through installing OpenVPN on a VPS with free SSL, complete with automatic SSL certificate management through Let’s Encrypt. By creating custom commands for user management, you can efficiently control your VPN environment, ensuring both security and flexibility. With your new setup, you can enjoy secure browsing and a private online experience.
