Prerequisites

  • Hardware: Linode virtual machine
  • Operating System: Debian 11 (it will work on others as well, but it’s configured on this system)
  • Access: SSH access

Instructions for deploying the virtual machine in the cloud will not be covered in this guide. It is assumed that the virtual machine is configured and that we have access to it.

Installation

Download the openvpn-install script from its GitHub repository.

On the script’s website, there are specific instructions to follow for a successful installation.

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh


The script must be run with admin privileges. So, if we don’t have sudo installed, we need to run it as the root user.

Leave everything as default unless we know exactly what we need from the script. Upon completion of the installation, a file_name.ovpn will be generated.

Configuration

By default, we will only be able to connect one device to the OpenVPN server and we won’t be able to access devices that are also connected to the VPN server.

To bypass this, we need to add 2 lines to the server.conf file, which can be found at /etc/openvpn/server.conf.

Before making any changes, let’s make a copy of the file.

cp /etc/openvpn/server.conf /etc/openvpn/server.conf.bkp


Then open the server.conf file and add two lines to it.

client-to-client
duplicate-cn


With these two lines, all clients that connect using the same generated file_name.ovpn get their own IP address and can reach each other.

If these two options are not added, all clients connecting will receive the same IP address and kick each other off the VPN server.

Finally, after adding those changes, our configuration will look like this.

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
dh none
duplicate-cn
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_MUoSUCrxku2XgmhR.crt
key server_MUoSUCrxku2XgmhR.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3


With this, we can now connect multiple users using the same username and certificate.

Configuration for multiple users

To be able to accommodate multiple users on the VPN server, we need to generate separate keys and separate file_name.ovpn for each user.

This grants us greater control because we can allocate “static” IP addresses to each individual, which is an extremely valuable option if we aim to connect all of our computers worldwide.

Like everything else, this process can be automated so we don’t have to do it manually each time.

The following script will significantly simplify this task.

#!/bin/bash

# Local account that should own the generated files; set this before running.
RUN_USER=MY_USERS_NAME
USER_TEMPLATE_PATH=/etc/openvpn/client-template.txt
CA_PATH=/etc/openvpn/ca.crt
KEY_PATH=/etc/openvpn/ca.key
TLS_PATH=/etc/openvpn/tls-crypt.key

# Usage: sudo ./create_vpn_user.sh <username>
if [ -n "$1" ]
then
        mkdir -p "client-configs/$1/keys"
        # Client private key and CSR, with the username as the CN
        openssl req -nodes -newkey rsa:2048 -keyout "client-configs/$1/keys/$1.key" -out "client-configs/$1/keys/$1.csr" -subj "/CN=$1"
        # Sign the CSR with the server's CA; the certificate is valid for 365 days
        openssl x509 -req -in "client-configs/$1/keys/$1.csr" -CA "$CA_PATH" -CAkey "$KEY_PATH" -CAcreateserial -out "client-configs/$1/keys/$1.crt" -days 365
        # Build the .ovpn: client template followed by inline <ca>, <cert>, <key> and <tls-crypt> blocks
        cat "$USER_TEMPLATE_PATH" \
                <(echo -e '<ca>') \
                "$CA_PATH" \
                <(echo -e '</ca>\n<cert>') \
                "client-configs/$1/keys/$1.crt" \
                <(echo -e '</cert>\n<key>') \
                "client-configs/$1/keys/$1.key" \
                <(echo -e '</key>\n<tls-crypt>') \
                "$TLS_PATH" \
                <(echo -e '</tls-crypt>') \
                > "client-configs/$1/$1.ovpn"
        # Hand the generated files over to the non-root user
        chown -R "$RUN_USER:$RUN_USER" "client-configs/$1/"
fi


We need to set the $RUN_USER variable to our username so that we have complete control over the files after generation.

Admin rights are required to access certain files. Therefore, we need to use sudo to access them.

The script assumes that we have created a folder client-configs which will be located in the same folder as the script.

All certificates and .ovpn files will be generated in this folder.
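The page mentions allocating a “static” IP address to each user. The server.conf above already contains client-config-dir /etc/openvpn/ccd, the directory where OpenVPN looks for a per-client file named after the certificate's CN. The helper below is an added example, not part of the page's script; it writes such a file with the collision checks a practitioner would want, and the CCD_DIR variable and the assign_static_ip name are assumptions.

```shell
#!/bin/bash
# Added example: give one VPN user a fixed address via client-config-dir.
# Assumes the server.conf shown above (topology subnet, server 10.8.0.0/24,
# client-config-dir /etc/openvpn/ccd). CCD_DIR and assign_static_ip are
# hypothetical names, not taken from the page's create_vpn_user.sh.
set -u

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
VPN_NET="10.8.0"          # matches "server 10.8.0.0 255.255.255.0"
VPN_MASK="255.255.255.0"

# assign_static_ip <username> <last-octet>
# Writes $CCD_DIR/<username> with an ifconfig-push line. Writes nothing and
# returns 1 if the name is not a plain CN, the octet is outside 2..254
# (.1 is the server), or the address is already pushed to another user.
assign_static_ip() {
    local user="$1" octet="$2" ip f
    case "$user" in
        *[!A-Za-z0-9_.-]*|"") echo "bad username: $user" >&2; return 1 ;;
    esac
    case "$octet" in
        *[!0-9]*|"") echo "bad octet: $octet" >&2; return 1 ;;
    esac
    if [ "$octet" -lt 2 ] || [ "$octet" -gt 254 ]; then
        echo "octet must be 2..254 (.1 is the server)" >&2; return 1
    fi
    ip="$VPN_NET.$octet"
    mkdir -p "$CCD_DIR"
    # Refuse to hand the same address to two different CNs.
    for f in "$CCD_DIR"/*; do
        [ -f "$f" ] || continue
        [ "$(basename "$f")" = "$user" ] && continue
        if grep -q "^ifconfig-push $ip " "$f"; then
            echo "$ip already assigned to $(basename "$f")" >&2; return 1
        fi
    done
    # With "topology subnet" the second argument is the subnet mask.
    printf 'ifconfig-push %s %s\n' "$ip" "$VPN_MASK" > "$CCD_DIR/$user"
}

# Usage: sudo ./assign_static_ip.sh user1 10
if [ $# -ge 2 ]; then assign_static_ip "$1" "$2"; fi
```

OpenVPN reads the ccd file when the client connects, so no restart is needed after adding one.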

Using the script

Now that everything is set up, we can run the script and create several users.

Let’s create users user1 and user2.

sudo ./create_vpn_user.sh user1
sudo ./create_vpn_user.sh user2


Upon successful execution of the script, we will get a response like this.

user1

sudo ./create_vpn_user.sh user1
Generating a RSA private key
..................+++++
..........................................................................+++++
writing new private key to 'client-configs/user1/keys/user1.key'
-----
Signature ok
subject=CN = user1
Getting CA Private Key


user2

sudo ./create_vpn_user.sh user2
Generating a RSA private key
.......+++++
..............................................................................................................+++++
writing new private key to 'client-configs/user2/keys/user2.key'
-----
Signature ok
subject=CN = user2
Getting CA Private Key


Now we should have generated the following folders and files.

tree
.
├── client-configs
│   ├── user1
│   │   ├── keys
│   │   │   ├── user1.crt
│   │   │   ├── user1.csr
│   │   │   └── user1.key
│   │   └── user1.ovpn
│   └── user2
│       ├── keys
│       │   ├── user2.crt
│       │   ├── user2.csr
│       │   └── user2.key
│       └── user2.ovpn
└── create_vpn_user.sh


If everything has gone well, we will see user1.ovpn and user2.ovpn files. Send these files to clients to allow them to connect to the VPN server.
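Before sending a profile out, it is worth checking that the concatenation in create_vpn_user.sh really produced all four inline blocks and that nothing other than the client's own key ended up in the file. The checker below is an added example, not code from the page; check_ovpn and sample_ovpn are assumed names, and the sample profile it writes uses placeholder PEM bodies rather than real key material.

```shell
#!/bin/bash
# Added example (not from the page): sanity-check a generated .ovpn before
# handing it to a user. check_ovpn and sample_ovpn are hypothetical helper
# names; the inline block tags are the ones create_vpn_user.sh writes.
set -u

# check_ovpn <file>
# Returns 0 when each of <ca>, <cert>, <key>, <tls-crypt> appears exactly once
# and wraps one complete PEM object; returns 1 (reason on stderr) otherwise.
# A PRIVATE KEY inside <ca> or <cert> is rejected too, since that is what a
# mix-up of the script's path variables would produce.
check_ovpn() {
    local file="$1" tag
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    for tag in ca cert key tls-crypt; do
        awk -v tag="$tag" '
            $0 == ("<" tag ">")  { nopen++;  inside = 1; next }
            $0 == ("</" tag ">") { nclose++; inside = 0; next }
            inside && /^-----BEGIN /              { nbegin++ }
            inside && /^-----END /                { nend++ }
            inside && /^-----BEGIN .*PRIVATE KEY/ { npriv++ }
            END {
                if (nopen != 1 || nclose != 1)
                    { print tag ": block must appear exactly once" > "/dev/stderr"; exit 1 }
                if (nbegin < 1 || nbegin != nend)
                    { print tag ": block is empty or truncated" > "/dev/stderr"; exit 1 }
                if (tag != "key" && npriv > 0)
                    { print tag ": contains a private key" > "/dev/stderr"; exit 1 }
            }' "$file" || return 1
    done
}

# sample_ovpn <file>: write a constructed, minimal well-formed profile
# (placeholder PEM bodies, no real key material) for trying the check.
sample_ovpn() {
    {
        printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n'
        printf '<ca>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n</ca>\n'
        printf '<cert>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n</cert>\n'
        printf '<key>\n-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n</key>\n'
        printf '<tls-crypt>\n-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER\n-----END OpenVPN Static key V1-----\n</tls-crypt>\n'
    } > "$1"
}

# Usage: ./check_ovpn.sh client-configs/user1/user1.ovpn
if [ $# -ge 1 ]; then check_ovpn "$1" && echo "$1: ok"; fi
```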

Now that we have a multi-user scenario, we need to remove one line from the config file /etc/openvpn/server.conf to disable the option that lets two users connect with the same .ovpn file.

The line to remove is:

duplicate-cn


In conclusion, setting up an OpenVPN server for a multi-user scenario provides a secure and efficient way to connect multiple devices to a private network, regardless of their physical location. By following the steps outlined in this guide, users can establish a robust VPN infrastructure on their Debian 11 Linode virtual machine, granting them the flexibility to access resources securely from anywhere in the world.