A little while back, I needed to scale my sphinxsearch instance, but due to the skyrocketing price of RAM, I couldn’t afford to just throw money into one large server. I decided to go with a sharded database, where each server stores a portion (shard) of the entire database. After doing some research, I found some great deals on high-RAM VPSes, but there was one problem: how would I connect them to my database, which lives on an entirely different network? A VPN.

You may have used a VPN before to tunnel your internet traffic through another machine, perhaps to get around a firewall or to keep your data encrypted while using free wifi, but that’s not what I’m going for. I needed a VPN that just provides a “local” connection between my servers, without routing their internet traffic through it. Thankfully OpenVPN does this quite easily.

I am going to walk through the steps I used on Ubuntu 16.04 LTS; they should be similar on other distributions.

Installing the Server

Everything in this section runs as root (sudo -i first); the redirect in the gunzip line below would not work through a plain sudo, and everything written under /etc/openvpn needs root anyway.

apt install openvpn easy-rsa
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

We now need to edit /etc/openvpn/server.conf and make some changes. Add these lines to the end of the file and save it:

client-to-client
push "route 10.8.0.0 255.255.255.0"
user nobody
group nogroup

client-to-client lets the clients talk to each other through the server; without it OpenVPN only relays traffic between each client and the server, which is not what we want for a cluster. The push line tells the clients to add a route for 10.8.0.0/24 to their routing table so that traffic for the other machines on the VPN goes over the tunnel (with client-to-client set, OpenVPN pushes this route itself, so the line is harmless if redundant). The user and group settings tell OpenVPN to drop root privileges once the tunnel is up, which is wise. Note the group name: on Ubuntu and Debian the unprivileged group is nogroup, there is no group called nobody, and OpenVPN refuses to start if it cannot switch to the group you name. Leave the push "redirect-gateway ..." line commented out: that is the option that sends all of a client’s internet traffic through the VPN, which is exactly what we are not doing here. Finally, check that the dh, ca, cert and key lines in the file refer to dh2048.pem, ca.crt, server.crt and server.key, since those are the file names created below.

Creating the Keys
Run these commands. This copies the easy-rsa helper scripts to our OpenVPN directory, creates the directory the keys will live in, and begins generating the 2048 bit Diffie–Hellman parameters. Go grab a snack as this will take a few minutes.

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Next we will create the Certificate Authority and the certificate for the server. You will be prompted for the certificate subject fields (country, organisation and so on); what you answer does not affect the VPN, and accepting the defaults is fine, but the Common Name must be different for the CA, the server and every client (easy-rsa fills it in from the name you pass to the build scripts). When building the server certificate, answer y to the “Sign the certificate?” and “commit?” prompts. ./clean-all empties the keys directory, so the client config template is copied into it only after that has run. The server key is copied last and locked down, since anyone who can read it can impersonate the server.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn/
chmod 600 /etc/openvpn/server.key
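Before starting the service it is worth checking the config once, because OpenVPN’s failure messages for a wrong group name or a missing key file are easy to miss in the journal. The following is an added example, not code from the original post: a shell function that checks server.conf for the settings this setup depends on, catches the “group nobody” mistake, refuses an active redirect-gateway push (which would turn the private network into a full internet tunnel), and confirms that every file the config references exists and that the private key is not world-readable. The directive names are real OpenVPN directives; the assumption is the file layout used above, with relative paths resolved against the config’s own directory, which is how the openvpn@ systemd unit runs it (--cd /etc/openvpn).

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an OpenVPN
# server.conf before starting the service.
#
# check_server_conf /etc/openvpn/server.conf
# Prints one line per problem found; returns 1 if anything is wrong, 0 if clean.
check_server_conf() {
    conf="$1"
    dir=$(dirname "$conf")
    rc=0

    # Active (uncommented) directives the private-network setup needs.
    for want in 'server ' 'client-to-client' 'user nobody' 'group nogroup' 'persist-key' 'persist-tun'; do
        grep -Eq "^[[:space:]]*$want" "$conf" || { echo "missing directive: $want"; rc=1; }
    done

    # Debian and Ubuntu have no group named nobody; OpenVPN would fail to drop
    # privileges and exit at startup.
    if grep -Eq '^[[:space:]]*group[[:space:]]+nobody([[:space:]]|$)' "$conf"; then
        echo "group nobody does not exist on Debian/Ubuntu; use group nogroup"
        rc=1
    fi

    # This setup is a private network only. An active redirect-gateway push
    # would send every client's default route through the VPN.
    if grep -Eq '^[[:space:]]*push[[:space:]]+"?redirect-gateway' "$conf"; then
        echo "push redirect-gateway is active: clients would route all internet traffic via the VPN"
        rc=1
    fi

    # Every file the config references must exist. Relative paths are taken
    # relative to the config's directory (assumption: /etc/openvpn, which the
    # systemd unit uses as OpenVPN's working directory).
    for kw in ca cert key dh; do
        f=$(awk -v kw="$kw" '$1 == kw { print $2; exit }' "$conf")
        if [ -z "$f" ]; then
            echo "missing directive: $kw"; rc=1; continue
        fi
        case "$f" in /*) path="$f" ;; *) path="$dir/$f" ;; esac
        if [ ! -r "$path" ]; then
            echo "$kw refers to a missing file: $path"; rc=1; continue
        fi
        # The private key must not be readable by other users on the box.
        if [ "$kw" = key ] && [ -n "$(find "$path" -perm -004)" ]; then
            echo "$path is world-readable; chmod 600 it"; rc=1
        fi
    done
    return "$rc"
}

# Usage on the server (as root): check_server_conf /etc/openvpn/server.conf
```

Run it after the key files are in place and fix anything it reports before moving on; a clean run prints nothing and returns 0.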

Start our VPN server, make sure it’s running, and have it start on boot. Each /etc/openvpn/<name>.conf is managed by its own openvpn@<name> instance unit, so use the instance name rather than the plain openvpn service, whose status tells you nothing about the tunnel. When the server is up, ip addr show tun0 shows it holding 10.8.0.1.

systemctl start openvpn@server
systemctl status openvpn@server
systemctl enable openvpn@server

Setting up the Clients
Now we will create the keys our clients will use to securely connect to our VPN server. You need to do this once for each client you intend to connect, with a unique name for each one. Logged in to the VPN server (not the client), run these commands, replacing myclientpc with the name of your client. source ./vars must be run again if this is a new shell session, since the build scripts refuse to run without it; do not run ./clean-all again, as that would wipe the CA and server keys you just created.

cd /etc/openvpn/easy-rsa/
source ./vars
./build-key myclientpc

Copy these files from the server to your local machine over scp or another encrypted channel. myclientpc.key is the client’s private key: anyone holding it can join your VPN, so keep it off email and shared drives.
/etc/openvpn/easy-rsa/keys/client.ovpn
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/myclientpc.crt
/etc/openvpn/easy-rsa/keys/myclientpc.key

Open up client.ovpn in a text editor.
You will need to edit the line that reads

remote my-server-1 1194

and replace my-server-1 with the IP address or DNS name of your VPN server.
You should also uncomment the user and group options if your client machine is on Linux (group nogroup, as on the server). Make sure the line remote-cert-tls server is present and not commented out: it makes the client accept only a peer whose certificate was issued with the server role, which build-key-server sets, so a certificate issued to another client by the same CA cannot be used to impersonate the server.

Connect to the machine you want to add to your VPN network and install OpenVPN (the remaining commands on the client also need root).

sudo apt install openvpn

After installing, copy the files you downloaded earlier to /etc/openvpn/. The files need renaming so that they match the ca, cert and key lines in the sample client config (ca.crt, client.crt and client.key), and the key should be readable by root only.

mv /etc/openvpn/client.ovpn /etc/openvpn/client.conf
mv /etc/openvpn/myclientpc.crt /etc/openvpn/client.crt
mv /etc/openvpn/myclientpc.key /etc/openvpn/client.key
chmod 600 /etc/openvpn/client.key

Start up the VPN, make sure it connects, and enable it to start at boot. As on the server, the config is named client.conf, so the unit is openvpn@client.

systemctl start openvpn@client
systemctl status openvpn@client
systemctl enable openvpn@client

You can now communicate with the server (and the other clients) over the VPN! To get the VPN IP of a machine, run ip addr show tun0 (or ifconfig tun0) while the VPN is connected; the server is always 10.8.0.1, and pinging that address from a client is the quickest check that the tunnel works. Also confirm with ip route on a client that its default route still goes via its normal interface and only 10.8.0.0/24 goes via tun0: that is the difference between this private-network setup and a VPN that tunnels all of your internet traffic.
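Shuffling four files per client and renaming them on the other end gets tedious once there are several shards, and it is easy to forget the remote line or the remote-cert-tls setting on one of them. OpenVPN also accepts the CA certificate, client certificate and key inline in the config inside <ca>, <cert> and <key> blocks. The function below is an added example, not code from the original post: run on the VPN server after ./build-key <name>, it takes the client template plus the three files for that client and writes a single <name>.ovpn with the remote set, remote-cert-tls server enabled and the certificates and key inlined. The default paths are assumptions matching the layout used in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: assemble a single-file
# OpenVPN client profile from the files easy-rsa produced for one client.

# pem FILE: print only the BEGIN/END CERTIFICATE block of FILE. easy-rsa
# writes a human-readable dump above the PEM block in .crt files, and an
# inline <cert> block must contain the PEM part only.
pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# make_client_profile NAME SERVER_HOST [KEYS_DIR] [TEMPLATE] [OUT_DIR]
# Writes OUT_DIR/NAME.ovpn and prints its path; returns 1 if an input is missing.
make_client_profile() {
    name="$1"
    server="$2"
    keys="${3:-/etc/openvpn/easy-rsa/keys}"      # assumption: layout used in the post
    template="${4:-$keys/client.ovpn}"
    outdir="${5:-$keys}"
    profile="$outdir/$name.ovpn"

    for f in "$template" "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done

    {
        # Keep the template minus the directives replaced below, whether they
        # are active or commented out with ';'.
        grep -Ev '^[[:space:]]*;?[[:space:]]*(remote|remote-cert-tls|ca|cert|key)[[:space:]]' "$template" || :
        echo "remote $server 1194"
        # Only accept a peer whose certificate carries the server role
        # (build-key-server sets it); a stolen client cert cannot pose as
        # the server.
        echo "remote-cert-tls server"
        echo "<ca>";   pem "$keys/ca.crt";     echo "</ca>"
        echo "<cert>"; pem "$keys/$name.crt";  echo "</cert>"
        echo "<key>";  cat "$keys/$name.key";  echo "</key>"
    } > "$profile"
    chmod 600 "$profile"   # it contains the client's private key
    echo "$profile"
}

# Usage on the server (as root), after ./build-key myclientpc:
#   make_client_profile myclientpc vpn.example.com   # hypothetical hostname
```

Copy the resulting file to the client as /etc/openvpn/client.conf (it is a secret, so use scp), install openvpn there, and start openvpn@client as above; no renaming of individual files is needed because nothing in the profile refers to a file on disk. The server-side copies of the client key can then be deleted once the profile has been delivered.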
