Aug 30, 2024 3 min read

OpenVPN: Simplifying Self-Hosting


OpenVPN is an open-source virtual private network (VPN) software that allows users to securely connect to remote networks or the internet by creating encrypted tunnels. It’s highly customizable, making it an excellent choice for self-hosting, as users retain full control over their data and configuration. In this guide, we’ll walk through the installation, configuration, and management processes for OpenVPN, covering everything from deploying it via Docker to enabling advanced features.

Installing OpenVPN

📦 Docker/Docker Compose Setup

To deploy OpenVPN using Docker Compose, create a Docker Compose file with the necessary configurations for persistent storage and network settings. Use the following steps:

  1. Create a directory for OpenVPN:

     mkdir -p ~/openvpn && cd ~/openvpn

  2. Generate a docker-compose.yml file:

     version: '3.8'

     services:
       openvpn:
         image: kylemanna/openvpn
         container_name: openvpn
         cap_add:
           - NET_ADMIN
         ports:
           - "1194:1194/udp"
         volumes:
           - ./openvpn-data:/etc/openvpn
         restart: always

  3. Initialize the OpenVPN server and create configuration files (ovpn_initpki prompts for the CA passphrase and common name, so it needs an interactive terminal):

     docker run --rm -v $(pwd)/openvpn-data:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://<YOUR_SERVER_IP>
     docker run --rm -it -v $(pwd)/openvpn-data:/etc/openvpn kylemanna/openvpn ovpn_initpki

  4. Start the OpenVPN container:

     docker-compose up -d

  5. Generate client profiles (signing the client certificate prompts for the CA passphrase):

     docker run --rm -it -v $(pwd)/openvpn-data:/etc/openvpn kylemanna/openvpn easyrsa build-client-full <CLIENT_NAME> nopass
     docker run --rm -v $(pwd)/openvpn-data:/etc/openvpn kylemanna/openvpn ovpn_getclient <CLIENT_NAME> > <CLIENT_NAME>.ovpn
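Before handing a generated .ovpn file to a user it is worth checking that it carries everything the server side will insist on. The script below is an added example, not part of the guide or of the kylemanna/openvpn image; it assumes the inline layout that ovpn_getclient produces (`<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks plus `key-direction 1` and `remote-cert-tls server`) and also catches the most common slip, a profile exported while `<YOUR_SERVER_IP>` was still unreplaced. The two sample profiles it writes are constructed and contain no real key material.

```shell
#!/bin/sh
# Sanity check for an exported OpenVPN client profile (.ovpn).
# Added example; assumes the inline profile layout written by ovpn_getclient.

# check_profile FILE: print what is missing, return 1 if anything is, else 0.
check_profile() {
    f="$1"
    missing=""
    # Each rule is "<extended regex>;<what it guards>".
    for rule in \
        '^client$;client directive' \
        '^remote [^ ]+ [0-9]+ (udp|tcp)$;remote host, port and protocol' \
        '^remote-cert-tls server$;remote-cert-tls server (rejects a peer that presents a client cert as the server)' \
        '^<ca>$;inline CA certificate' \
        '^<cert>$;inline client certificate' \
        '^<key>$;inline client private key' \
        '^<tls-auth>$;inline tls-auth key (HMAC firewall)' \
        '^key-direction 1$;key-direction 1 (client side of the tls-auth key)'
    do
        re="${rule%%;*}"
        what="${rule#*;}"
        grep -Eq "$re" "$f" || missing="$missing
  - $what"
    done
    # A forgotten placeholder means the client tries to reach a host literally named <YOUR_SERVER_IP>.
    if grep -q 'YOUR_SERVER_IP' "$f"; then
        missing="$missing
  - real server address (remote still carries the <YOUR_SERVER_IP> placeholder)"
    fi
    if [ -n "$missing" ]; then
        printf 'profile %s is missing:%s\n' "$f" "$missing"
        return 1
    fi
    printf 'profile %s: ok\n' "$f"
}

# make_samples: write a complete and a broken constructed profile into a temp dir, print the dir.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.ovpn" <<'EOF'
client
nobind
dev tun
remote-cert-tls server
remote 203.0.113.10 1194 udp
<key>
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
</key>
<cert>
CONSTRUCTED-PLACEHOLDER
</cert>
<ca>
CONSTRUCTED-PLACEHOLDER
</ca>
<tls-auth>
CONSTRUCTED-PLACEHOLDER
</tls-auth>
key-direction 1
redirect-gateway def1
EOF
    # Broken profile: placeholder never replaced, exported before tls-auth was enabled.
    cat > "$dir/bad.ovpn" <<'EOF'
client
nobind
dev tun
remote-cert-tls server
remote <YOUR_SERVER_IP> 1194 udp
<key>
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
</key>
<cert>
CONSTRUCTED-PLACEHOLDER
</cert>
<ca>
CONSTRUCTED-PLACEHOLDER
</ca>
EOF
    printf '%s\n' "$dir"
}

# Usage: sh check-profile.sh <CLIENT_NAME>.ovpn
if [ -n "${1:-}" ]; then check_profile "$1"; fi
```

Run it against every profile you export; a non-zero exit with the list of missing items is the signal to regenerate rather than ship the file.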

🚀 Manual Installation

To install OpenVPN directly on a Linux server:

  1. Install OpenVPN and Easy-RSA:

     sudo apt update
     sudo apt install -y openvpn easy-rsa

  2. Set up the Easy-RSA environment:

     make-cadir ~/openvpn-ca
     cd ~/openvpn-ca

  3. Configure and build the PKI (Public Key Infrastructure):

     ./easyrsa init-pki
     ./easyrsa build-ca
     ./easyrsa gen-req server nopass
     ./easyrsa sign-req server server
     openvpn --genkey --secret ta.key

  4. Set up the OpenVPN server configuration:

     cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
     gunzip server.conf.gz
     vim server.conf  # Adjust settings as needed

  5. Start the OpenVPN service:

     sudo systemctl start openvpn@server
     sudo systemctl enable openvpn@server
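"Adjust settings as needed" hides the part that matters: which of the files Easy-RSA just produced go where, and which directives keep the server hardened. The script below is an added example, not the guide's own server.conf; it writes a configuration that references the artifacts built in step 3 (`pki/ca.crt`, `pki/issued/server.crt`, `pki/private/server.key`, `ta.key`) by the relative names they get once copied into /etc/openvpn, and a small lint that flags the directives a practitioner would not want to lose while editing. It assumes OpenVPN 2.5 or newer (for `data-ciphers`), that the copy commands in the header comment have been run, and that `openvpn@server` runs with /etc/openvpn as its working directory, which the Debian/Ubuntu unit does.

```shell
#!/bin/sh
# A worked server.conf for the Easy-RSA PKI built above, plus a small lint.
# Added example, not the guide's own file. Assumed layout (adjust to taste):
#   sudo install -m 644 ~/openvpn-ca/pki/ca.crt ~/openvpn-ca/pki/issued/server.crt /etc/openvpn/
#   sudo install -m 600 ~/openvpn-ca/pki/private/server.key ~/openvpn-ca/ta.key /etc/openvpn/

# write_server_conf PATH: write the configuration to PATH.
write_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
# PKI material from the Easy-RSA steps, relative to this file's directory
ca ca.crt
cert server.crt
key server.key
# ECDH only, so no dh2048.pem (and no `easyrsa gen-dh`) is needed
dh none
# tls-auth: packets without a valid HMAC from ta.key are dropped before any TLS work
tls-auth ta.key 0
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# drop root once the tun device and keys are in place
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
explicit-exit-notify 1
EOF
}

# lint_server_conf PATH: report missing hardening directives; returns their count.
lint_server_conf() {
    f="$1"
    problems=0
    for rule in \
        '^tls-(auth|crypt) ;tls-auth or tls-crypt key' \
        '^user [^ ]+$;user directive (privilege drop)' \
        '^group [^ ]+$;group directive (privilege drop)' \
        '^tls-version-min 1\.[23]$;tls-version-min 1.2 or newer' \
        '^(ca|cert|key) ;ca/cert/key paths'
    do
        re="${rule%%;*}"
        what="${rule#*;}"
        grep -Eq "$re" "$f" || { printf 'missing: %s\n' "$what"; problems=$((problems + 1)); }
    done
    # verb 5 and above log per-packet detail: fine while debugging, noisy in production
    if grep -Eq '^verb ([5-9]|1[01])$' "$f"; then
        printf 'note: verb 5+ is set; lower it once debugging is done\n'
    fi
    return "$problems"
}

# Usage: sh server-conf.sh /etc/openvpn/server.conf
if [ -n "${1:-}" ]; then write_server_conf "$1" && lint_server_conf "$1"; fi
```

The lint is deliberately strict about `tls-auth`/`tls-crypt` and the `user`/`group` pair: the first keeps unauthenticated packets away from the TLS stack, the second limits what a compromise of the daemon can touch after startup.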

Configuring Nginx as a Reverse Proxy

🌐 Nginx Configuration

To route traffic through Nginx, create an Nginx server block for OpenVPN:

  1. Install Nginx:

     sudo apt install -y nginx

  2. Configure the server block:

     sudo vim /etc/nginx/sites-available/openvpn

     Add the following content:

     server {
         listen 443 ssl;
         server_name <YOUR_DOMAIN>;

         ssl_certificate /etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem;
         ssl_certificate_key /etc/letsencrypt/live/<YOUR_DOMAIN>/privkey.pem;

         location / {
             proxy_pass http://127.0.0.1:1194;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
         }
     }

  3. Enable the configuration:

     sudo ln -s /etc/nginx/sites-available/openvpn /etc/nginx/sites-enabled/
     sudo nginx -t
     sudo systemctl reload nginx
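One caveat a practitioner will hit immediately: OpenVPN is not HTTP, so an HTTP `location` with `proxy_pass http://127.0.0.1:1194` never yields a working tunnel, and `listen 443 ssl` would wrap OpenVPN's own TLS handshake (authenticated by the Easy-RSA CA, not by the Let's Encrypt certificate) in a second TLS layer the client does not expect. What nginx can do is forward the raw TCP stream. The script below is an added example, not the guide's configuration: it writes a stream-module passthrough for port 443 and switches an existing server.conf and client profile from UDP to TCP. It assumes nginx includes `/etc/nginx/stream.d/*.conf` from a top-level `stream { }` block (add that include to nginx.conf if it is not there), that OpenVPN listens in TCP mode on 127.0.0.1:1194 (for the Docker deployment, publish `127.0.0.1:1194:1194/tcp` instead of the UDP port), and that the client profile carries a single `remote` line as ovpn_getclient writes it.

```shell
#!/bin/sh
# nginx stream passthrough for OpenVPN over TCP 443 (added example, not from the guide).

# write_stream_conf PATH: write the passthrough server block.
write_stream_conf() {
    cat > "$1" <<'EOF'
# /etc/nginx/stream.d/openvpn.conf  -- raw TCP passthrough, no TLS termination
server {
    listen 443;
    proxy_pass 127.0.0.1:1194;
    proxy_connect_timeout 10s;
    # OpenVPN keepalives run inside the tunnel; keep the idle timeout generous
    proxy_timeout 1h;
}
EOF
}

# retarget_server_conf PATH: switch an existing server.conf from UDP to TCP and
# bind it to loopback so only nginx can reach it (explicit-exit-notify is UDP-only).
retarget_server_conf() {
    f="$1"
    sed -i.bak -E \
        -e 's/^proto udp$/proto tcp/' \
        -e '/^explicit-exit-notify/d' "$f"
    grep -q '^local 127.0.0.1$' "$f" || printf 'local 127.0.0.1\n' >> "$f"
    grep -q '^proto tcp$' "$f"
}

# retarget_profile PATH DOMAIN: point a client profile at nginx on 443/tcp.
retarget_profile() {
    f="$1"
    domain="$2"
    sed -i.bak -E "s/^remote [^ ]+ [0-9]+ udp$/remote $domain 443 tcp/" "$f"
    grep -q "^remote $domain 443 tcp$" "$f"
}

# make_samples: constructed server.conf and client profile fragments to retarget; prints the dir.
make_samples() {
    dir=$(mktemp -d)
    printf 'port 1194\nproto udp\ndev tun\nexplicit-exit-notify 1\n' > "$dir/server.conf"
    printf 'client\nremote 203.0.113.10 1194 udp\nremote-cert-tls server\n' > "$dir/alice.ovpn"
    printf '%s\n' "$dir"
}

# Usage: sh stream-proxy.sh <YOUR_DOMAIN>   (run as root; then: nginx -t && systemctl reload nginx)
if [ -n "${1:-}" ]; then
    write_stream_conf /etc/nginx/stream.d/openvpn.conf
    retarget_server_conf /etc/openvpn/server.conf
    printf 'now run: retarget_profile <CLIENT_NAME>.ovpn %s\n' "$1"
fi
```

Nothing on port 443 is HTTP after this change, so the Let's Encrypt certificate in the next section is only relevant to other sites on the same host; the tunnel itself is protected by the Easy-RSA PKI built earlier.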

🔒 SSL/TLS Setup

To secure OpenVPN with SSL/TLS using Let’s Encrypt:

  1. Install Certbot:

     sudo apt install -y certbot python3-certbot-nginx

  2. Obtain an SSL certificate:

     sudo certbot --nginx -d <YOUR_DOMAIN>

  3. Automate certificate renewal (entries in /etc/crontab need a user field, here root):

     echo "0 0 * * * root certbot renew --quiet" | sudo tee -a /etc/crontab

Logging and Debugging OpenVPN

πŸ—ƒοΈ Enabling Debug Logs

Enable debug-level logging for OpenVPN by editing the server configuration file:

  1. Open the server.conf file:

     sudo vim /etc/openvpn/server.conf

  2. Add or modify the following line:

     verb 5

  3. Restart OpenVPN:

     sudo systemctl restart openvpn@server

📄 Viewing Logs

To view logs, use the following commands:

  • Docker logs:

     docker logs openvpn

  • File system logs:

     sudo tail -f /var/log/openvpn.log

πŸ› οΈ Troubleshooting Common Issues

Check for common issues such as missing certificates or misconfigured routes by analyzing logs. Example:


grep "error" /var/log/openvpn.log
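Grepping for errors answers "is something broken"; the next question on a server exposed to the internet is "who keeps failing". The script below is an added example, not from the guide: it reads an OpenVPN log, attributes every handshake, certificate-verification or tls-auth HMAC failure to the source address, and lists sources that crossed a threshold, which is the input you want for an alert or a firewall rule. The log lines it writes are constructed in OpenVPN's default log format (`Day Mon DD HH:MM:SS YYYY src:port message`); the markers it matches are the ones OpenVPN really emits, but adjust the threshold and the regex to what your own logs show.

```shell
#!/bin/sh
# Attribute TLS/verification/HMAC failures in an OpenVPN log to source addresses.
# Added example; the sample log below is constructed.

# error_lines LOG: case-insensitive equivalent of the grep above, also catching "failed".
error_lines() {
    grep -iE 'error|failed' "$1"
}

# failed_handshakes LOG [MIN]: print "count ip" for sources with at least MIN
# (default 3) failures, busiest first.
failed_handshakes() {
    log="$1"
    min="${2:-3}"
    awk -v min="$min" '
    /TLS Error|VERIFY ERROR|HMAC authentication failed|cannot locate HMAC/ {
        ip = ""
        # lines for an established session are prefixed with src:port ...
        if ($6 ~ /^[0-9.]+:[0-9]+$/) { split($6, a, ":"); ip = a[1] }
        # ... pre-session rejects (e.g. a bad tls-auth HMAC) only name the peer as [AF_INET]addr:port
        if (ip == "" && match($0, /\[AF_INET\][0-9.]+/)) ip = substr($0, RSTART + 9, RLENGTH - 9)
        if (ip != "") fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$log" | sort -rn
}

# make_sample_log: constructed log in OpenVPN's default format; prints its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Fri Aug 30 10:00:01 2024 198.51.100.7:51234 TLS: Initial packet from [AF_INET]198.51.100.7:51234, sid=1a2b3c4d 5e6f7a8b
Fri Aug 30 10:00:02 2024 198.51.100.7:51234 VERIFY ERROR: depth=0, error=certificate has expired: CN=alice
Fri Aug 30 10:00:02 2024 198.51.100.7:51234 TLS Error: TLS handshake failed
Fri Aug 30 10:00:04 2024 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:51240
Fri Aug 30 10:00:05 2024 192.0.2.9:40001 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Aug 30 10:01:00 2024 203.0.113.44:4321 [bob] Peer Connection Initiated with [AF_INET]203.0.113.44:4321
EOF
    printf '%s\n' "$f"
}

# Usage: sh failed-handshakes.sh /var/log/openvpn.log [threshold]
if [ -n "${1:-}" ]; then failed_handshakes "$1" "${2:-3}"; fi
```

A single source with a handful of failures is usually an expired or mis-installed client certificate (the `VERIFY ERROR` line names the CN); many sources failing before a session exists, as in the `cannot locate HMAC` line, is the tls-auth key doing its job against unsolicited traffic.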

Backup and Restore

πŸ—‚οΈ File-Based Backups

Back up the OpenVPN configuration directory:


tar -zcvf openvpn-backup.tar.gz ~/openvpn-ca

πŸ”„ Restoring Files

Restore the backup:


tar -zxvf openvpn-backup.tar.gz -C ~

πŸ“… Automated Backup Scripts

Set up a backup script in a cron job:


echo "0 2 * * * tar -zcvf ~/openvpn-backup-$(date +\%F).tar.gz ~/openvpn-ca" | crontab -
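The archive produced above contains the CA private key (pki/private/ca.key), so two things matter beyond "did tar run": the file must not be readable by anyone else, and a backup that has never been restored is not a backup. The script below is an added example, not the guide's cron line: it writes the archive under `umask 077`, verifies that it lists cleanly, still contains the CA key and has mode 600, and then rehearses a restore into a scratch directory and diffs it against the live tree. The directory it exercises is a constructed stand-in for ~/openvpn-ca; the cron line in the usage comment is the suggested way to schedule it.

```shell
#!/bin/sh
# Backup, verification and restore rehearsal for the Easy-RSA directory.
# Added example; the sample tree below is constructed, not a real PKI.

# backup_openvpn SRC DEST_DIR: archive SRC into DEST_DIR, print the archive path.
backup_openvpn() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    archive="$dest/openvpn-backup-$(date +%F).tar.gz"
    # umask 077 so the archive is never group- or world-readable, even briefly
    ( umask 077 && tar -zcf "$archive" -C "$(dirname "$src")" "$(basename "$src")" )
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE: must list cleanly, contain the CA key, and be mode 600.
verify_backup() {
    archive="$1"
    tar -tzf "$archive" > /dev/null 2>&1 || { printf 'corrupt archive: %s\n' "$archive"; return 1; }
    tar -tzf "$archive" | grep -q 'pki/private/ca.key$' \
        || { printf 'archive lacks pki/private/ca.key\n'; return 1; }
    [ -n "$(find "$archive" -perm 600)" ] || { printf 'archive is not mode 600\n'; return 1; }
}

# restore_rehearsal ARCHIVE SRC: unpack into a scratch dir and diff against the live tree.
restore_rehearsal() {
    archive="$1"
    src="$2"
    scratch=$(mktemp -d)
    tar -zxf "$archive" -C "$scratch"
    diff -r "$src" "$scratch/$(basename "$src")"
}

# make_sample_tree: constructed stand-in for ~/openvpn-ca; prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/openvpn-ca/pki/private" "$root/openvpn-ca/pki/issued"
    printf 'CONSTRUCTED-CA-KEY\n' > "$root/openvpn-ca/pki/private/ca.key"
    printf 'CONSTRUCTED-CA-CERT\n' > "$root/openvpn-ca/pki/ca.crt"
    printf 'CONSTRUCTED-SERVER-CERT\n' > "$root/openvpn-ca/pki/issued/server.crt"
    printf 'CONSTRUCTED-TA-KEY\n' > "$root/openvpn-ca/ta.key"
    printf '%s\n' "$root/openvpn-ca"
}

# Usage (nightly, via crontab -e): 0 2 * * * /usr/local/bin/ovpn-backup.sh ~/openvpn-ca ~/backups
if [ $# -eq 2 ]; then
    a=$(backup_openvpn "$1" "$2") && verify_backup "$a" && restore_rehearsal "$a" "$1" > /dev/null
fi
```

For the Docker deployment the same functions apply to `~/openvpn/openvpn-data`, which holds the container's PKI; pass that directory instead of ~/openvpn-ca.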

Updating and Upgrading OpenVPN

⬆️ Updating Docker Images

Update the OpenVPN Docker image and redeploy:

     docker-compose pull
     docker-compose up -d

🛠️ Manual Updates

For manual installations, update OpenVPN via apt:

     sudo apt update
     sudo apt upgrade -y openvpn

Leveraging OpenVPN’s Unique Features

🔧 Enabling APIs

Some OpenVPN versions support API endpoints. Activate and interact with the API:

  1. Enable the management interface in the server config:

     management localhost 7505

  2. Use telnet to interact with it:

     telnet localhost 7505

🌟 Advanced Configurations

Enable client-specific configurations by creating CCD (Client Config Directory) files:

  1. Add this line to server.conf:

     client-config-dir /etc/openvpn/ccd

  2. Create a CCD file for a client:

     sudo vim /etc/openvpn/ccd/<CLIENT_NAME>

     Example content:

     ifconfig-push 10.8.0.2 255.255.255.0

  3. Restart OpenVPN:

     sudo systemctl restart openvpn@server
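Hand-editing one CCD file per client works until two clients are pushed the same address or someone types an address outside the pool, both of which OpenVPN accepts silently at startup. The script below is an added example, not from the guide: it builds the CCD directory from a "CN address" list and refuses to write anything if the list has duplicate addresses, an address outside the `server 10.8.0.0 255.255.255.0` pool (or the server's own 10.8.0.1), or a CN that could escape the directory when used as a file name. The client list is constructed, the subnet is the one from the server.conf example above, and the directory is a parameter so it can be tried outside /etc/openvpn/ccd. Adding `ccd-exclusive` to server.conf makes OpenVPN reject any client without a CCD file, so the same list then doubles as an allow-list.

```shell
#!/bin/sh
# Build client-config-dir files from a "CN address" list, with checks.
# Added example; the sample list below is constructed.

# check_ccd_list LISTFILE: duplicates, unsafe CNs, addresses off the 10.8.0.0/24 pool.
# Returns the number of problems found (0 = clean).
check_ccd_list() {
    list="$1"
    problems=0
    while read -r cn addr; do
        case "$cn" in ''|'#'*) continue ;; esac
        # a CN becomes a file name, so it must not be able to escape the directory
        case "$cn" in */*|..) printf 'unsafe CN %s\n' "$cn"; problems=$((problems + 1)) ;; esac
        case "$addr" in
            10.8.0.1) printf '%s: 10.8.0.1 is the server address\n' "$cn"; problems=$((problems + 1)) ;;
            10.8.0.*) ;;
            *) printf '%s: %s is outside 10.8.0.0/24\n' "$cn" "$addr"; problems=$((problems + 1)) ;;
        esac
    done < "$list"
    dups=$(grep -v '^#' "$list" | awk 'NF == 2 { print $2 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'address pushed to more than one client: %s\n' "$dups"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# build_ccd DIR LISTFILE: write DIR/<CN> with an ifconfig-push line per entry.
# Writes nothing at all if the list fails the checks.
build_ccd() {
    dir="$1"
    list="$2"
    check_ccd_list "$list" || return 1
    mkdir -p "$dir"
    while read -r cn addr; do
        case "$cn" in ''|'#'*) continue ;; esac
        # subnet topology: the mask is the pool's, same form as the guide's example
        printf 'ifconfig-push %s 255.255.255.0\n' "$addr" > "$dir/$cn"
    done < "$list"
}

# make_sample_list: constructed client list; prints its path.
make_sample_list() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# CN        fixed address
alice       10.8.0.2
bob         10.8.0.3
EOF
    printf '%s\n' "$f"
}

# Usage: sh build-ccd.sh /etc/openvpn/ccd clients.txt && systemctl restart openvpn@server
if [ $# -eq 2 ]; then build_ccd "$1" "$2"; fi
```

Keep the list under version control next to the PKI: it is the single place that says which certificate CN gets which address, which is what you will need when revoking or re-issuing a client later.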

Wrapping Up

OpenVPN offers unparalleled flexibility and security for self-hosted VPN solutions. By following this guide, you now have the tools to deploy, configure, and manage OpenVPN effectively. With its robust customization options, OpenVPN is an invaluable tool for developers, system administrators, and advanced users looking to secure their networks. Start implementing these steps today to harness the full power of OpenVPN!
