OpenVPN: Simplifying Self-Hosting

OpenVPN is an open-source virtual private network (VPN) software that allows users to securely connect to remote networks or the internet by creating encrypted tunnels. It’s highly customizable, making it an excellent choice for self-hosting, as users retain full control over their data and configuration. In this guide, we’ll walk through the installation, configuration, and management processes for OpenVPN, covering everything from deploying it via Docker to enabling advanced features.

Installing OpenVPN

📦 Docker/Docker Compose Setup

To deploy OpenVPN using Docker Compose, create a Docker Compose file with the necessary configurations for persistent storage and network settings. Use the following steps:

Create a directory for OpenVPN:


mkdir -p ~/openvpn && cd ~/openvpn

Generate a docker-compose.yml file:


version: '3.8'

services:

openvpn:

image: kylemanna/openvpn

container_name: openvpn

cap_add:

- NET_ADMIN

ports:

- "1194:1194/udp"

volumes:

- ./openvpn-data:/etc/openvpn

restart: always

Initialize the OpenVPN server and create configuration files:


docker run --rm -v $(pwd)/openvpn-data:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://<YOUR_SERVER_IP>

docker run --rm -v $(pwd)/openvpn-data:/etc/openvpn kylemanna/openvpn ovpn_initpki

Start the OpenVPN container:


docker-compose up -d

Generate client profiles:


docker run --rm -v $(pwd)/openvpn-data:/etc/openvpn kylemanna/openvpn easyrsa build-client-full <CLIENT_NAME> nopass

docker run --rm -v $(pwd)/openvpn-data:/etc/openvpn kylemanna/openvpn ovpn_getclient <CLIENT_NAME> > <CLIENT_NAME>.ovpn

🚀 Manual Installation

To install OpenVPN directly on a Linux server:

Install OpenVPN and Easy-RSA:


sudo apt update

sudo apt install -y openvpn easy-rsa

Set up the Easy-RSA environment:


make-cadir ~/openvpn-ca

cd ~/openvpn-ca

Configure and build the PKI (Public Key Infrastructure):


./easyrsa init-pki

./easyrsa build-ca

./easyrsa gen-req server nopass

./easyrsa sign-req server server

openvpn --genkey --secret ta.key

Set up the OpenVPN server configuration:


cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .

gunzip server.conf.gz

vim server.conf  # Adjust settings as needed

Start the OpenVPN service:


sudo systemctl start openvpn@server

sudo systemctl enable openvpn@server

Configuring Nginx as a Reverse Proxy

🌐 Nginx Configuration

To route traffic through Nginx, create an Nginx server block for OpenVPN:

Install Nginx:


sudo apt install -y nginx

Configure the server block:


sudo vim /etc/nginx/sites-available/openvpn

Add the following content:


server {

listen 443 ssl;

server_name <YOUR_DOMAIN>;

ssl_certificate /etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/<YOUR_DOMAIN>/privkey.pem;

location / {

proxy_pass http://127.0.0.1:1194;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

}

}

Enable the configuration:


sudo ln -s /etc/nginx/sites-available/openvpn /etc/nginx/sites-enabled/

sudo nginx -t

sudo systemctl reload nginx

🔒 SSL/TLS Setup

To secure OpenVPN with SSL/TLS using Let’s Encrypt:

Install Certbot:


sudo apt install -y certbot python3-certbot-nginx

Obtain an SSL certificate:


sudo certbot --nginx -d <YOUR_DOMAIN>

Automate certificate renewal:


echo "0 0 * * * certbot renew --quiet" | sudo tee -a /etc/crontab

Logging and Debugging OpenVPN

🗃️ Enabling Debug Logs

Enable debug-level logging for OpenVPN by editing the server configuration file:

Open the server.conf file:


sudo vim /etc/openvpn/server.conf

Add or modify the following line:


verb 5

Restart OpenVPN:


sudo systemctl restart openvpn@server

📄 Viewing Logs

To view logs, use the following commands:

Docker Logs:


docker logs openvpn

File System Logs:


sudo tail -f /var/log/openvpn.log

🛠️ Troubleshooting Common Issues

Check for common issues such as missing certificates or misconfigured routes by analyzing logs. Example:


grep "error" /var/log/openvpn.log

Backup and Restore

🗂️ File-Based Backups

Back up the OpenVPN configuration directory:


tar -zcvf openvpn-backup.tar.gz ~/openvpn-ca

🔄 Restoring Files

Restore the backup:


tar -zxvf openvpn-backup.tar.gz -C ~

📅 Automated Backup Scripts

Set up a backup script in a cron job:


echo "0 2 * * * tar -zcvf ~/openvpn-backup-$(date +\%F).tar.gz ~/openvpn-ca" | crontab -

Updating and Upgrading OpenVPN

⬆️ Updating Docker Images

Update the OpenVPN Docker image and redeploy:


docker-compose pull

docker-compose up -d

🛠️ Manual Updates

For manual installations, update OpenVPN via apt:


sudo apt update

sudo apt upgrade -y openvpn

Leveraging OpenVPN’s Unique Features

🔧 Enabling APIs

Some OpenVPN versions support API endpoints. Activate and interact with the API:

Enable the management interface in the server config:


management localhost 7505

Use telnet to interact with it:


telnet localhost 7505

🌟 Advanced Configurations

Enable client-specific configurations by creating CCD (Client Config Directory) files:

Add this line to server.conf:


client-config-dir /etc/openvpn/ccd

Create a CCD file for a client:


sudo vim /etc/openvpn/ccd/<CLIENT_NAME>

Example content:


ifconfig-push 10.8.0.2 255.255.255.0

Restart OpenVPN:


sudo systemctl restart openvpn@server

Wrapping Up

OpenVPN offers unparalleled flexibility and security for self-hosted VPN solutions. By following this guide, you now have the tools to deploy, configure, and manage OpenVPN effectively. With its robust customization options, OpenVPN is an invaluable tool for developers, system administrators, and advanced users looking to secure their networks. Start implementing these steps today to harness the full power of OpenVPN!