How to roll your own OpenVPN server on a VPS using CentOS 6
In addition to using third-party VPN providers, we have shown you how to turn your own PC into an OpenVPN server using free Hamachi and Privoxy software. Another popular VPN option is to rent a VPS, and run that as a VPN server.
A Virtual Private Server (VPS) is more or less exactly what it sounds like – you rent some of the resources on a physical server run by a VPS company, which provides a closed environment that acts as if it were a complete physical remote server. You can install any operating system on a VPS (as long as the provider allows it), and basically treat the VPS as your own personal remote server.
In Part 1 (basics) of this tutorial we will show you how to install OpenVPN Access Server software onto a VPS running CentOS 6 (a popular Linux distribution offered pre-installed by most VPS providers), and how to connect to it using the OpenVPN Connect client.
In Part 2 (advanced) we will show you how to build OpenVPN certificates so that peers can securely authenticate with each other, and you can connect to the server using the regular OpenVPN client. We will also explain how to change the encryption ciphers used.
Advantages of VPN on a VPS
- Acts as a proxy server, so great for accessing georestricted services as long as the VPS is located in the country you wish to access the services from
- The VPS provides its own dedicated IP address, so the IP address will not be blocked by services such as Hulu, or by most firewalls. This makes it a great anti-censorship option (and will work against IP blocks in China, although it will not defend against other censorship measures such as packet sniffing)
- All traffic between your computer and the VPS goes through an encrypted VPN tunnel. As long as the VPS is located outside an adversary’s area of influence (for example if someone in Iran wishes to evade government censorship and so sets up a VPS server located in Europe) it will provide a high degree of privacy
- VPN on VPS also protects against hackers when using public WiFi hotspots
- Can be cheaper than a VPN service.
Disadvantages of VPN on a VPS
- Because the VPS provides a static IP address that belongs to you, a global adversary (such as the NSA or police forces with an international reach) can easily trace internet activity back to you
- Not suitable for copyright piracy – copyright holders will send DMCA notices (and similar) to your VPS provider. Unlike VPN providers who often keep no logs and use shared IPs to shield customers from these, VPS providers almost all take a very dim view of piracy, and will likely shut down your account (and very possibly pass on your details to the copyright holder)
- Not for the technically fainthearted – we hope to make the setup process as painless as possible with these tutorials, but it does require a reasonable degree of technical know-how, and will require getting your hands dirty with a command line.
What you will need
- A VPS server with CentOS 6 (32- or 64-bit) installed, and a minimum of 218MB RAM. We may review suitable VPS services in the future, but for this tutorial we have chosen VPSCheap.net – mainly because it offers VPS plans from $1.99 per month.
- An SSH client – OSX and Linux users have one already, in the form of Terminal. Windows users can download the excellent PuTTY (which we use for this demo).
Installing OpenVPN Access Server on the VPS
1. Open your SSH client and connect to your VPS server using the IP address supplied by your VPS provider.
Terminal users should enter ssh -l user ip.address and enter your details when you get the response:
2. Log in as root and enter the password you were given by your VPS provider. Note that in PuTTY the typed password remains hidden, so just type it and hit <enter>.
3. Before proceeding you should check that tap/tun is enabled. Enter cat /dev/net/tun (in PuTTY you can paste by right-clicking).
If tap/tun is enabled you should receive the response: cat: /dev/net/tun: File descriptor in bad state
Any other response means that tap/tun is not enabled. We had to log in to our VPS account control panel to enable it.
4. Next we need to download the OpenVPN Access Server package. Enter:
wget http://swupdate.openvpn.org/as/openvpn-as-1.8.5-CentOS6.i386.rpm (CentOS 6 32-bit) or
wget http://swupdate.openvpn.org/as/openvpn-as-1.8.5-CentOS6.x86_64.rpm (CentOS 6 64-bit)
You should see the response pictured below.
5. We now need to install the package using the ‘rpm’ command. Check the line that says ‘Saving to’ (see arrow in screenshot above) to verify package name, and enter:
rpm -i <package name>
e.g. rpm -i openvpn-as-1.8.5-CentOS6.x86_64.rpm
The output should look as shown above. Make a note of the Admin UI address and Client UI addresses – you will need them in a minute!
6. Set up a password. Enter passwd openvpn, and whatever password you want at the prompt (and again to confirm it).
Oops – our password is not very strong, but it will do for now!
7. Paste the Admin UI address into your web browser (from step 5 above), and enter Username: ‘openvpn’ and whatever password you selected into the Admin Login (you may need to ‘Agree to end User License Agreement’ the first time you log in).
8. You should now see the OpenVPN Access Server configuration page.
Congratulations, you have installed OpenVPN Access Server on your VPS!
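The download in step 4 travels over plain HTTP and step 5 installs whatever arrived, so it is worth scripting a digest check between the two. The script below is an added example, not part of the original tutorial or of OpenVPN's own tooling: the function names are illustrative, and the expected SHA-256 digest is an assumption that you must obtain from a source you trust (this page does not list one).

```shell
#!/bin/sh
# Pre-install checks for steps 3-5 (added example; names are illustrative).

# Step 3: interpret the message printed by `cat /dev/net/tun`.
# Per the tutorial, any response other than this one means tap/tun is off.
tun_state() {
    case "$1" in
        *"File descriptor in bad state"*) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Step 4: map `uname -m` output to the package file name used on this page.
package_for_arch() {
    case "$1" in
        x86_64)    echo "openvpn-as-1.8.5-CentOS6.x86_64.rpm" ;;
        i386|i686) echo "openvpn-as-1.8.5-CentOS6.i386.rpm" ;;
        *)         return 1 ;;
    esac
}

# Step 5 guard: succeed only if the file's SHA-256 equals the expected digest.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ -f "$file" ] || return 2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Usage: sh preinstall.sh <expected-sha256-from-a-trusted-source>
if [ "$#" -eq 1 ]; then
    msg=$(cat /dev/net/tun 2>&1)
    [ "$(tun_state "$msg")" = enabled ] || { echo "tap/tun not enabled" >&2; exit 1; }
    pkg=$(package_for_arch "$(uname -m)") || { echo "unsupported arch" >&2; exit 1; }
    wget "http://swupdate.openvpn.org/as/$pkg" || exit 1
    if ! verify_sha256 "$pkg" "$1"; then
        echo "digest mismatch, not installing $pkg" >&2
        rm -f "$pkg"
        exit 1
    fi
    rpm -i "$pkg"
fi
```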
Connecting to your VPS using OpenVPN Connect
We now need to set up OpenVPN at your end. OpenVPN Connect is a VPN client that creates a simple OpenVPN connection between your PC and the VPS server, without the need for certificate authentication.
By default, the connection is protected by 128-bit Blowfish Cipher-Block Chaining (BF-CBC) encryption. The Blowfish cipher was created by Bruce Schneier, who has since recommended switching to stronger standards such as AES. However, for most purposes it is fine (and in part two of this tutorial we show you how to change encryption ciphers).
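Blowfish is a 64-bit block cipher, whereas AES uses 128-bit blocks, so it helps to know which one a given configuration actually selects. The script below is an added example, not code from the original tutorial or from OpenVPN: it assumes a configuration file in standard OpenVPN syntax (where the `cipher` directive names the cipher), the function names are illustrative, and the fallback to BF-CBC when no directive is present is taken from this page's description of the default.

```shell
#!/bin/sh
# Added example: report which cipher an OpenVPN config file selects and the
# block size of that cipher. Function names are illustrative.

# Print the argument of the "cipher" directive (the last one if repeated).
# Commented-out lines (# or ;) never have "cipher" as their first field.
cipher_of() {
    awk '$1 == "cipher" { c = $2 } END { print c }' "$1"
}

# Map an OpenSSL-style cipher name to its block size in bits.
block_bits() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        BF-*|DES-*|CAST5-*|IDEA-*|RC2-*) echo 64 ;;
        AES-*|CAMELLIA-*)                 echo 128 ;;
        *)                                echo unknown ;;
    esac
}

# Print "<cipher> <bits>"; return non-zero unless the block size is 128 bits.
cipher_audit() {
    c=$(cipher_of "$1")
    # Assumption taken from this page: no directive means the BF-CBC default.
    [ -n "$c" ] || c="BF-CBC"
    bits=$(block_bits "$c")
    echo "$c $bits"
    [ "$bits" = 128 ]
}

# Usage: sh cipher_audit.sh <path-to-config>
if [ "$#" -eq 1 ]; then cipher_audit "$1"; fi
```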
1. Paste the Client UI address into your web browser (from step 5 above), ensure that ‘Connect’ is selected from the dropdown menu, and enter your Username (‘openvpn’) and password.
2. You will be prompted to download the OpenVPN Connect client…
The correct client for your OS should download automatically. If this does not happen for any reason, reload the page and you will be offered a choice of OpenVPN Connect clients (including for iOS and Android).
3. Install and run OpenVPN Connect as normal, then click the OpenVPN Connect icon in the notification bar and select ‘Connect to <your Client UI address>’
4. Enter your username (openvpn) and password.
5. Click ‘Yes’ at the warning (you need to do this only once).
6. And yay! You are now connected to your VPS via OpenVPN.
The OpenVPN Connect icon turns green so you can see whether you are connected at a glance.
We popped along to ipleak.net to test everything was working properly, and our IP address appears to be that of our VPS. Yay!
For casual users and most situations this simple OpenVPN connection should be more than enough.