Here we go again, diving into the Homelab world. I recently got my pfSense router to act as a client for my OpenVPN setup on a VPS instance running Ubuntu 20.04, which has a public static address for both Internet Protocol versions, IPv4 and IPv6.
The idea is to make your home network part of another network. In my case this helps bypass the Carrier Grade NAT (CGN or CGNAT) that restricts me from self-hosting my own services. That is one benefit of a VPN, but many people will want to use one for privacy purposes, especially hiding their own identity.
However, any Homelab enthusiast can use this to benefit from the static IP address provided on a VPS instance and then host their own services through the pfSense firewall from home in case their Internet Service Provider (ISP) doesn't offer a public IP address, which is awesome.
Install OpenVPN Server on Linux
To be precise, I will explain the easiest and most automated method you will ever find to configure and set up an OpenVPN server in less than a minute on the following Linux distributions:
- Ubuntu
- Debian
- CentOS
- Fedora
We will make use of a bash script in the process. I am running Ubuntu 20.04 LTS on my end.
Download Installation Script
This bash script will automatically install and configure OpenVPN and here's how you can pull it.
wget https://git.io/vpn -O openvpn-install.sh
Once downloaded into your home directory you should make it executable.
chmod -v +x openvpn-install.sh
The script is run with sudo in the next step, so do not hesitate to open it and check its content first.
nano openvpn-install.sh
Run Installation Script
Now we can run the script, which will prompt you for some information.
sudo ./openvpn-install.sh
I recommend that you use defaults for all settings by pressing Enter on your keyboard, except for one: when it asks you to enter the first client certificate name, which is preferably pfSense in my case, or any other descriptive name for your use case.
Customize OpenVPN Server Subnet
If you wish to change the default subnet 10.8.0.0/24 used for the IP addresses given to OpenVPN clients by the server, follow the instructions below. Otherwise you can skip this section completely.
Modify OpenVPN Server Configuration
We'll configure the 10.10.10.0/24 subnet instead, which looks fantastic.
sudo nano /etc/openvpn/server/server.conf
Look for 10.8.0.0 and change it to 10.10.10.0 or your own preferred private subnet IP address.
Fix OpenVPN Firewall Rule Configuration
sudo nano /etc/systemd/system/openvpn-iptables.service
You will find four occurrences of 10.8.0.0/24; change all of them to 10.10.10.0/24 or your own preferred private subnet.
Restart OpenVPN Services
sudo service openvpn-iptables restart
sudo service openvpn-server@server restart
This will ensure that all of our changes take effect.
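The two manual edits above can also be scripted so that no occurrence is missed. This is an added example, not part of the original post or of the installation script; the function name change_subnet and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Rewrites every occurrence of
# OLD_NET in FILE with NEW_NET, keeps FILE.bak, and prints how many
# occurrences were replaced so the count can be compared with what you expect.
# Usage: change_subnet FILE OLD_NET NEW_NET   (network address only, no /24)
change_subnet() {
    file=$1; old=$2; new=$3
    # Escape the dots so "10.8.0.0" is matched literally, not as a regex.
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
    found=$(grep -o "$old_re" "$file" | wc -l | tr -d ' ')
    cp -p "$file" "$file.bak" || return 1
    # Redirect into the existing file so its owner and mode are unchanged.
    sed "s/$old_re/$new/g" "$file.bak" > "$file" || return 1
    # Fail if anything still references the old subnet.
    left=$(grep -c "$old_re" "$file" || true)
    [ "$left" -eq 0 ] || return 1
    echo "$found"
}

demo() {
    dir=$(mktemp -d)
    # Constructed stand-ins for server.conf and openvpn-iptables.service.
    printf 'port 1194\nserver 10.8.0.0 255.255.255.0\n' > "$dir/server.conf"
    cat > "$dir/openvpn-iptables.service" <<'EOF'
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
ExecStart=/usr/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
EOF
    for f in server.conf openvpn-iptables.service; do
        echo "$f: $(change_subnet "$dir/$f" 10.8.0.0 10.10.10.0) replaced"
    done
    rm -rf "$dir"
}
demo
```

On the server, the same function would be run as root against /etc/openvpn/server/server.conf and /etc/systemd/system/openvpn-iptables.service before restarting the two services.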
How to Add New OpenVPN Client
If you wish to add another client and produce a new client certificate, then you should run the installation script again on your OpenVPN server.
sudo ./openvpn-install.sh
This time around, since it's already installed you should see the following displayed to you.
OpenVPN is already installed.
Select an option:
1) Add a new client
2) Revoke an existing client
3) Remove OpenVPN
4) Exit
Option:
Input 1 as the option and press Enter, then just follow the instructions.
Configure OpenVPN Client Device
Here's how you can connect any OpenVPN client running on Windows, Linux, Android or iOS with the server using the configuration file provided to you.
The installation wizard should have automatically created an ".ovpn" configuration file at the path /root/[Client Certificate Name].ovpn, which you should save and copy to your client device to connect with the OpenVPN server.
Save OpenVPN Client Configuration
In my case, it's actually /root/pfSense.ovpn on the OpenVPN server since that's the name I set for my first client. Let's copy that configuration file to our current user's home directory.
sudo cp /root/pfSense.ovpn ~/
That file will be used on the client device to connect with the server. Just make sure to change "pfSense" in the command to the client certificate name that you set while running the installation script.
cat ~/pfSense.ovpn
This way you can view the content of that configuration file and then use it on the client device, but I recommend that you copy the entire file instead. As an example, I will copy that file from the OpenVPN server to my Linux desktop.
scp ~/pfSense.ovpn [user]@[Linux Desktop IP]:~/
I should now be able to access that file in the home directory on my Linux desktop.
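Each copy of the client profile made above is a credential for the VPN, so it is worth checking who can read it. The following is an added example, not part of the original post; it assumes the generated profile embeds its certificate and private key as inline blocks such as <cert> and <key>, and the function names and sample profile are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): check a client profile before
# copying it around. Assumes credentials are embedded as inline <key>,
# <cert>, <ca> and <tls-crypt> blocks, one tag per line.

# Print which inline blocks the profile contains, one name per line.
inline_blocks() {
    sed -n 's/^<\([a-z-]*\)>[[:space:]]*$/\1/p' "$1"
}

# Return 0 if the profile can stay as it is, 1 if it holds a private key
# and is readable by group or others.
audit_profile() {
    f=$1
    if ! inline_blocks "$f" | grep -qx 'key'; then
        echo "$f: no inline private key"
        return 0
    fi
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
        echo "$f: private key readable by group/others, run: chmod 600 $f"
        return 1
    fi
    echo "$f: private key present, owner-only access"
}

demo() {
    p=$(mktemp)
    # Constructed profile; the key material is a placeholder, not a real key.
    cat > "$p" <<'EOF'
client
dev tun
remote vpn.example.org 1194
<ca>
PLACEHOLDER
</ca>
<key>
PLACEHOLDER
</key>
EOF
    chmod 644 "$p"; audit_profile "$p" || true
    chmod 600 "$p"; audit_profile "$p"
    rm -f "$p"
}
demo
```

Running audit_profile on ~/pfSense.ovpn on both the server and the desktop shows whether the copies left in the home directories need their mode tightened or can be deleted once the client is configured.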
Enable OpenVPN Client on Linux Desktop
First of all, make sure you have the OpenVPN software package installed on your target Linux desktop client device. For instance, if you are running Ubuntu you can install it as follows.
sudo apt install openvpn
Assuming the client configuration file is in the home directory, we can proceed and overwrite the OpenVPN client configuration file with it.
sudo cp ~/pfSense.ovpn /etc/openvpn/client.conf
Once again, remember to replace the "pfSense" client name with your own name, which you set during script installation.
Test Connectivity
sudo openvpn --client --config /etc/openvpn/client.conf
Once connectivity is confirmed, just start the OpenVPN client service on your Linux desktop.
sudo systemctl start openvpn@client
That's it.
Troubleshoot OpenVPN Issues
I will provide information on how to troubleshoot OpenVPN issues on the server and client.
Check OpenVPN Services
The ideal approach to inspecting issues is to look at the logs of the services running on the OpenVPN server. Let's start with the main process.
sudo service openvpn-server@server status
Then we also have the firewall service, which specifies the rules for iptables.
sudo service openvpn-iptables status
Make sure that they're both active and running well; otherwise, check the logs displayed to identify errors and solve them.
Check OpenVPN Logs
sudo journalctl --identifier openvpn
You can also use this as a general command to find all logs for OpenVPN server. You are welcome to post your issue and ask for help in the comment section below.