A little while back, I needed to scale my sphinxsearch instance, but due to the skyrocketing price of RAM, I couldn’t afford to just throw money into one large server. I decided to go with a sharded database, where each server stores a portion (shard) of the entire database. After doing some research, I found some great deals on high ram VPS’s, but only 1 problem. How would I connect them to my database, on an entirely different network? A VPN.

You may have used a VPN before to tunnel internet traffic through another machine, perhaps to get around a firewall or to keep your data encrypted while using free wifi, but that’s not what I’m going for. I needed a VPN that just provided a “local” connection between my servers, and not to route internet traffic through. Thankfully OpenVPN does this quite easily.

I am going to be walking through the steps I used on Ubuntu 16.04 LTS, but should be similar on other OSs.

Installing the Server

sudo apt install openvpn easy-rsa
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn

We now need to edit /etc/openvpn/server.conf and make some changes. You can add these lines to the end of the file. Save the file when you are done.

push "route 10.8.0.0 255.255.255.0"
user nobody
group nobody

The first line tells the clients to add the route for 10.8.0.* to their routing table, so it can communicate with other machines on the network. The user and group settings tell OpenVPN to not run as the root user (which is wise to do).

Creating the Keys
Run these commands. This copies the RSA helper scripts to our OpenVPN directory and begins seeding the 2048 bit Diffie–Hellman key. Go grab a snack as this will take a few minutes.

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Next we will create the Certificate Authority and the certificate for the server. You may be asked questions about your server, it is best practice to answer them honestly, but this does not affect the VPN setup.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn/

Start our VPN server, make sure it’s running, and have it start on boot.

systemctl start openvpn
systemctl status openvpn
systemctl enable openvpn

Setting up the Clients
Now we will create the keys our clients will be using to securely connect to our VPN server. You will need to do this for each client you intend to connect to your server, with a unique name for each one. While connected to your VPN server, run this command (replacing myclientpc with the name of your client):

cd /etc/openvpn/easy-rsa/
./build-key myclientpc

Download these files to your local machine:
/etc/openvpn/easy-rsa/keys/client.ovpn
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/myclientpc.crt
/etc/openvpn/easy-rsa/keys/myclientpc.key

Open up client.ovpn in a text editor.
You will need to edit the line that reads

remote my-server-1 1194

and replace my-server-1 with the IP address or DNS name of your VPN server.
You should also uncomment the user & group options if your client machine is on Linux.

Connect to the machine you want to add to your VPN network.

sudo apt install openvpn

After installing, copy the files you downloaded earlier to /etc/openvpn/. You will need to rename these files.

mv /etc/openvpn/client.ovpn /etc/openvpn/client.conf
mv /etc/openvpn/myclientpc.crt /etc/openvpn/client.crt
mv /etc/openvpn/myclientpc.key /etc/openvpn/client.key

Start up the VPN, make sure it connects, and enable it to start at boot.

systemctl start openvpn
systemctl status openvpn
systemctl enable openvpn

You can now communicate with the server (and other clients) securely over the VPN! To get the VPN IP of a machine, just check ifconfig while the VPN is connected.