A little while back, I needed to scale my sphinxsearch instance, but due to the skyrocketing price of RAM, I couldn’t afford to just throw money into one large server. I decided to go with a sharded database, where each server stores a portion (shard) of the entire database. After doing some research, I found some great deals on high-RAM VPSes, but with one problem: how would I connect them to my database, on an entirely different network? A VPN.
You may have used a VPN before to tunnel internet traffic through another machine, perhaps to get around a firewall or to keep your data encrypted while using free Wi-Fi, but that’s not what I’m going for. I needed a VPN that just provided a “local” connection between my servers, not one that routes internet traffic through them. Thankfully OpenVPN does this quite easily.
I am going to walk through the steps I used on Ubuntu 16.04 LTS, but they should be similar on other OSes.
Installing the Server
The remaining commands write under /etc/openvpn, so run them from a root shell (sudo -i):
apt install openvpn easy-rsa
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
mkdir -p /etc/openvpn/easy-rsa/keys
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
We now need to edit /etc/openvpn/server.conf and make some changes. You can add these lines to the end of the file (the user and group lines are already present, commented out with a leading semicolon, so you can just uncomment them). Save the file when you are done.
push "route 10.8.0.0 255.255.255.0"
user nobody
group nogroup
The first line tells each client to add a route for 10.8.0.0/24 to its routing table, so it can reach the other machines on the VPN and not just the server. For clients to actually talk to each other, also uncomment client-to-client in server.conf; otherwise the server’s kernel would have to forward between tunnel clients. The user and group settings tell OpenVPN to drop root privileges once it has read its keys and opened the tunnel (which is wise to do); note that on Ubuntu and Debian the unprivileged group is nogroup, not nobody, and OpenVPN will refuse to start if the group does not exist. Leave persist-key and persist-tun enabled (they are in the sample config) so the now-unprivileged process can survive a restart without re-reading the key or re-opening the tun device.
Creating the Keys
Run these commands. They copy the easy-rsa helper scripts into our OpenVPN directory and begin generating the 2048-bit Diffie–Hellman parameters. Go grab a snack, as this will take a few minutes.
cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir -p /etc/openvpn/easy-rsa/keys
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
Next we will create the Certificate Authority and the certificate for the server. You will be asked questions about your organisation; it is best practice to answer them honestly, but they do not affect the VPN setup. Keep the CA’s private key (keys/ca.key) on the server and out of any download: anyone holding it can mint certificates your VPN will accept. Note that clean-all empties the keys directory, taking with it the client.ovpn template copied there earlier, so the template is copied again right after it.
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf keys/client.ovpn
./build-ca
./build-key-server server
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn/
Start our VPN server, make sure it’s running, and have it start on boot. If status reports a failure, journalctl -u openvpn will say why (a typo in server.conf or a missing key file are the usual causes); on success, ip addr show tun0 lists the server’s VPN address, 10.8.0.1 by default.
systemctl start openvpn
systemctl status openvpn
systemctl enable openvpn
Setting up the Clients
Now we will create the keys our clients will use to authenticate to our VPN server. You will need to do this for each client you intend to connect, with a unique name for each one: the certificate’s Common Name is how the server tells clients apart, and it refuses a second simultaneous connection using the same certificate unless duplicate-cn is set, so don’t share one client certificate across shards. Logged in to your VPN server, run these commands (replacing myclientpc with the name of your client; vars must be sourced again if this is a new shell):
cd /etc/openvpn/easy-rsa/
source ./vars
./build-key myclientpc
Download these files to your local machine over scp or another authenticated channel (myclientpc.key is the client’s credential; never send it by e-mail or over plain HTTP):
/etc/openvpn/easy-rsa/keys/client.ovpn
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/myclientpc.crt
/etc/openvpn/easy-rsa/keys/myclientpc.key
Open up client.ovpn in a text editor. You will need to edit the line that reads
remote my-server-1 1194
and replace my-server-1 with the IP address or DNS name of your VPN server. Also uncomment ns-cert-type server (called remote-cert-tls server on OpenVPN 2.4 and later) so the client only accepts a certificate that was issued as a server certificate, which is what build-key-server produced; without it, any holder of a client certificate from your CA, such as another shard, could impersonate the VPN server to this client.
You should also uncomment the user and group options if your client machine is on Linux, so the client drops root after connecting just as the server does.
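To make the client.ovpn edits above repeatable, here is an added example script (mine, not from the original post or from OpenVPN itself) that applies them with sed and then audits a config for the directives that matter; the same check_conf function works on server.conf for the push "route ...", user, group and client-to-client lines from the server section. It assumes the stock OpenVPN 2.3 sample client.conf wording ("remote my-server-1 1194", ";user nobody", ";group nogroup", ";ns-cert-type server"; on 2.4+ the last is ";remote-cert-tls server"), uses vpn.example.com as a placeholder hostname, and SAMPLE_TEMPLATE is a constructed stand-in for /etc/openvpn/easy-rsa/keys/client.ovpn.

```shell
#!/bin/sh
# Added example, not part of the original post: render an OpenVPN client
# config from the sample client.ovpn template and audit the result.
# Assumes the stock OpenVPN 2.3 sample wording; vpn.example.com is a placeholder.

# render_client_conf HOST [PORT]  < template  > config
# Sets the remote and uncomments the privilege-drop and server-certificate
# check directives. Lines that are not in the template are left alone, so
# this is safe to run on either the 2.3 or the 2.4 sample file.
render_client_conf() {
    host=$1
    port=${2:-1194}
    sed -e "s/^remote my-server-1 1194/remote $host $port/" \
        -e 's/^;user nobody/user nobody/' \
        -e 's/^;group nogroup/group nogroup/' \
        -e 's/^;ns-cert-type server/ns-cert-type server/' \
        -e 's/^;remote-cert-tls server/remote-cert-tls server/'
}

# check_conf DIRECTIVE...  < config
# Succeeds only if every DIRECTIVE appears as an active line, i.e. not
# commented out with ';' or '#'. Reports each missing one on stderr and
# returns 1 if any is missing, so it can gate a deployment step.
check_conf() {
    conf=$(cat)
    rc=0
    for d in "$@"; do
        if ! printf '%s\n' "$conf" | grep -q -E "^[[:space:]]*$d([[:space:]]|\$)"; then
            echo "missing or commented out: $d" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed stand-in for the sample client.conf (only the lines we touch).
SAMPLE_TEMPLATE='client
dev tun
remote my-server-1 1194
;user nobody
;group nogroup
;ns-cert-type server'

# Stand-alone demo: render the constructed template for the placeholder
# host and verify that every hardening directive came out active.
demo() {
    printf '%s\n' "$SAMPLE_TEMPLATE" \
        | render_client_conf vpn.example.com \
        | check_conf 'remote vpn.example.com 1194' 'user nobody' \
                     'group nogroup' 'ns-cert-type server'
}

demo && echo "client config rendered and all checks passed"
```

On the server you would run render_client_conf against the real template (render_client_conf vpn.example.com < /etc/openvpn/easy-rsa/keys/client.ovpn > myclientpc.ovpn) and, before restarting the service, check_conf 'user nobody' 'group nogroup' 'push "route 10.8.0.0 255.255.255.0"' 'client-to-client' < /etc/openvpn/server.conf; a non-zero exit means a setting from the server section is missing or still commented out.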
SSH into the machine you want to add to your VPN network and install the client:
sudo apt install openvpn
After installing, copy the files you downloaded earlier to /etc/openvpn/ and rename them to the names the config expects (client.conf references ca.crt, client.crt and client.key). Make sure client.key is readable only by root afterwards.
mv /etc/openvpn/client.ovpn /etc/openvpn/client.conf
mv /etc/openvpn/myclientpc.crt /etc/openvpn/client.crt
mv /etc/openvpn/myclientpc.key /etc/openvpn/client.key
Start up the VPN, make sure it connects, and enable it to start at boot. A successful connection ends with “Initialization Sequence Completed” in the journal (journalctl -u openvpn).
systemctl start openvpn
systemctl status openvpn
systemctl enable openvpn
You can now communicate with the server (and, once client-to-client is enabled in server.conf, with other clients) securely over the VPN! To get the VPN IP of a machine, just check ifconfig tun0 (or ip addr show tun0) while the VPN is connected. Point your sphinxsearch shards and database at those 10.8.0.x addresses, and bind the services to the VPN address only, so the shards are never reachable on the VPS’s public interface.