Setup your own VPN server using OpenVPN-AS + Ubuntu 14.04 Server

Want to learn how to create your own remote-access VPN server? Jump in and I’ll show you exactly how to do it using free and open-source software called OpenVPN AS, or OpenVPN Access Server.

In this guide you’ll learn how to set up and configure a remote access server for your VPN needs. If you want to set up a secure Internet connection, bypass ISP traffic shaping or capping, or use a country-based IP to get access to country-specific services like Hulu, Netflix or Vevo, then this guide is definitely for you.

First off, I want to give you a brief overview of the difference between the OpenVPN Community Edition and OpenVPN Access Server. You probably thought that setting up your own VPN remote access server is difficult and tedious; I’ll tell you that it’s not. There are two editions of OpenVPN, as I’ve already mentioned. The one used in this guide is the OpenVPN Access Server edition.

This edition is easy to install and very easy to configure too. It has a Web-based GUI for configuration and administration, so creating a new user or new VPN settings is just a point-and-click away. The Community Edition is not restricted in its number of users, while the Access Server Edition is limited to 2 user accounts only (license restricted). If you need more VPN user accounts on your remote access server, you should purchase more licenses for them, and the minimum number of licenses that can be purchased is 10. By the way, you can set a user account to have more than one concurrent connection, which means a single user account could have more than one connection. The Access Server Edition comes as a software package, which means you can just download and install it on various supported platforms (Debian, Fedora, CentOS).

This is unlike the Community Edition, which you need to install manually using the command line, and for which you need to generate the SSL/RSA files manually too. With the OpenVPN Access Server Edition, everything is simplified and polished; you can install your own VPN access server using only two commands (wget and dpkg – more on this below). If you only landed on this page from somewhere else while searching for VPN or OpenVPN, and you don’t actually want to set up your own VPN Access Server but are instead searching for VPN providers that you may subscribe to, then see the list below. With these providers, you don’t have to go through all the steps mentioned in this guide. Instead, you only need to download the configuration file from your client dashboard once you have subscribed and paid. There is also a VPN provider that lets you sign up for a VPN trial account.

Known VPN Service Providers

  1. Hide My 4ss
  2. CyberGhost
  3. PureVPN
  4. SaferVPN
  5. SwitchVPN

Road-warrior Setup With US-based IP

There are various implementations of an OpenVPN access server: a road-warrior setup, a site-to-site connection, a client-to-server VPN setup in pfSense, or just a simple remote VPN access to reach certain IP-based or country-restricted services like HULU or Netflix. For the first part, I will cover the procedures for setting up a single client to a remote access VPN server. This VPN implementation is applicable to a road-warrior setup and, at the same time, to accessing HULU or Netflix using a VPN. If you’re always on the go and an Internet connection is part of your job, this setup would be very beneficial for securing your connection. Also, if you’re looking to subscribe to a HULU or Netflix account but it is not yet offered in your country, then this would be the easier and cheaper way to access the service from your country.

For this setup, you’ll need a VPS (Virtual Private Server) to host your OpenVPN Access Server instance. Don’t be discouraged when I mention VPS; it’s not that hard to set up and not as expensive as you may think. We’ll be using one of Digital Ocean’s Ubuntu droplets. This is going to be easy, and I’ll walk you through the step-by-step guide on how to set things up.

After you complete this setup, you won’t need the service of known VPN providers anymore, because you already have your own and it’s a lot cheaper than Air VPN or Ghost VPN. Using Digital Ocean’s $5 droplet, you get a 1TB monthly bandwidth allowance and 20GB worth of SSD storage, which is not bad for a personal DIY VPN access server. Okay, enough with the talk, let’s move on.

Requirements For This Setup

  • 1 Digital Ocean droplet (VPS worth $5)
  • OpenVPN Access Server Edition, Package for Ubuntu 14.04
  • SSH Client (Putty for windows or plain terminal for Linux)
  • Any computer or mobile device to test your setup

Procedures

  • Step 1: Create your SSH-key pairs to use with your Digital Ocean droplet (VPS). This is very essential before creating your first droplet or server. It’s a good way to secure your connection between your local machine and remote server right from the start. So before you create your server, generate the SSH key pair. This would be a password-less connection using the root account from your Ubuntu server.

    If you’re on Windows, you need to download putty.exe and puttygen.exe. Use puttygen.exe to generate the SSH keys. You can download it from this link. After downloading the file, fire it up.

    Tick SSH-2 RSA in the Parameters field-set and enter 2048 or 4096 in the Number of bits in a generated key field. Then click the Generate button to start creating the SSH keys. Move your mouse randomly within the window to fill up the progress bar. When it’s done, you should see more fields containing the generated public key, Key fingerprint, Key comment and Key passphrase, plus the Save public key and Save private key buttons.

    Save the generated SSH public key by copying the whole block of text found inside the Key text area, pasting it into a new text file (use Notepad) and saving it with a file extension of .pub. In my case, I’ve created a folder named SSH-Keys inside my Documents folder and saved the file as digital-ocean-ssh.pub.

    While still on the PuTTYgen window, click the Save private key button to save the SSH private key to a file with the .ppk extension. In my case, I’ve put it inside the SSH-Keys folder with the filename digital-ocean-ssh.ppk. You may now close the puttygen.exe window to continue with the next step. Reference text for the .pub SSH key file content:

    ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArEJ7LaeS68oGbvdts5aGIZBQjZ5zmdGaorw
    /AhMWD8NYbasqJh0wuJpHQRxWc0g93FNSOW7LGtQme7QuiEM9HyJQWyLtiwi9udqaxgSM2x
    Xilnxe49kFxtypfCgsKAyzC0phXCYb7QUdgLKWEr33d6soNohzqVre2meXZcDmZuAechMJf
    73JSHi76FSdg4YPhwCriqvyL56/pI4h3SjKLfyIVGBPiJy25xbLE8E7frbFrDAeyvfUzEDP
    W3C40vXcLH1XONNI/Jv8E66DXFCm1sCxya9su9tnlshJ+ZXjvLWLkN38i0wc1kPqHGwUXua
    FQS0/hDv/aD6SVJfNLXXaGQ== rsa-key-20140828
    

    If you’re on Linux/Mac, simply fire up a terminal and type:

    ssh-keygen -t rsa -b 2048 -f ~/.ssh/name-it-like-you-wish

    ssh-keygen is the main command, -t rsa selects the key type, -b 2048 sets the key strength in bits (1024, 2048 or 4096), and -f ~/.ssh/name-of-the-file tells it where the SSH keys should be saved in your local folders.

  • Step 2: Sign up for a Digital Ocean account and create your first VPS (Virtual Private Server), or droplet (as Digital Ocean calls it). After signing up, make your initial deposit of $5 to enable your account for droplet creation. But if you sign up now through this link, your account will be credited with $15 in total. So you get an additional $10 credit on top of your $5 initial deposit, and would be able to run a 512Mb VPS for 3 months. Awesome, right?

    Before creating your first VPS, add your public SSH key by copying and pasting it into your control panel. To do this, go to your navigation menu (left side), click SSH Keys to go to the next page, then click the big blue button labeled Add SSH Key. Enter a name, for instance Windows Machine, and paste your public SSH key into the Public SSH Key text area. Then click the big green button labeled CREATE SSH KEY. Now you’re ready to spin up your first droplet. See the next step below.

  • Step 3: Create a droplet for your OpenVPN access server. For this guide, we’ll be using Ubuntu 14.04 LTS 32-bit Server Edition as our host OS, but you may use the 64-bit version. Click the big green button labeled Create, then fill in the Hostname field; for demo purposes, let’s name it openvpn. Select a size by clicking the $5 package, which is the 512MB, 20GB, 1TB/month VPS package.

    Select region and choose San Francisco 1, New York 1, 2 or 3.

    Select image by clicking Ubuntu Logo then Ubuntu 14.04 x32 button.

    Now, under Add optional SSH Keys, add the SSH keys you have added previously from step 1 by clicking on it.

    Make sure Enable VirtIO is checked, and finally click the CREATE DROPLET button. Your VPS will then be created in under 55 seconds. When it’s done, proceed to the next step.

  • Step 4: Login to your server remotely using SSH. Login using SSH by typing ssh root@ip-address-of-your-server. If you’re on Windows, launch putty.exe and do the following:

    • Fill in the Host Name (or IP address) field with your server’s IP address
    • From the left-pane, expand Connection menu and click on SSH to expand it more
    • Click Auth and click Browse button under Authentication parameters field-set.
    • Navigate to your .ppk SSH private key file and open it.
    • Then finally click the Open button again to make the SSH connection.

      If you’re on Linux/Mac, simply open up a terminal (ctrl + alt + t) and type in the ssh command.

      Note: If it’s your first time connecting, you’ll be shown a PuTTY Security Alert; just make sure that you’re connecting to the right IP address and click YES.

  • Step 5: Download and install OpenVPN Access Server. Now that you’re logged in as root, let’s download and install the right OpenVPN-AS package for our version of Ubuntu, which is Ubuntu 14.04 LTS Server x32. Head over to the OpenVPN AS download page and right-click on the green Ubuntu 14 amd/x86 32-bit button, then select Copy Link Address from the context menu.

    Go back to your terminal and type in wget then space. Then paste in what you copied by right-clicking on the terminal window and click paste. Middle mouse click if you’re using PuTTY. This is what should be in your command-line:

    wget http://swupdate.openvpn.org/as/openvpn-as-2.0.10-Ubuntu14.i386.deb
    

    Press ENTER key to start the download. After this, install the .deb package by using the following command:

    dpkg -i openvpn-as-2.0.10-Ubuntu14.i386.deb
    

    That should install the package and will only take a few seconds to complete. After this process, your OpenVPN web GUI should be accessible from:

    Admin  UI: https://your-server-ip-address:943/admin
    Client UI: https://your-server-ip-address:943
    

    During installation, an administrative user account is created, and you should set a new password for it. The administrative user-name is openvpn; this is the user-name that you should use when logging in to the OpenVPN Web-GUI. So let’s create a new password for it. Type the following command, then press the ENTER key:

    `passwd openvpn`
    

    You’ll be asked to enter your new UNIX password.

  • Step 6: Create a local user account for your OpenVPN client. This account will be used for the web-ui login. To create a new user account, type the following and press the Enter key:

    adduser vpnclientone

    Then enter a password for it.

  • Step 7: Log in to the OpenVPN Web-UI and create a client account. Log in as the openvpn user with the password you created in step 5. The admin login URL is https://your-server-ip-address/admin. Make sure to use https when accessing the web page. From the main navigation menu on the left side of the page, click on User Permission under the User Management menu. Create a new VPN user by supplying the user-name you created in step 6. Enter the user-name in the New User text field. You may select Allow Auto Login by ticking the checkbox, to allow users to connect to the VPN server without providing their user-name and password. Click Save Settings to finish the process.

  • Step 8: Connecting from a client machine or device. So how do you connect to the VPN server? First log in as a client to the OpenVPN web-ui and download the applicable user connection profile, then install it like any other software. If you want to connect from a Windows-based machine, log in using your VPN client account, then choose and download OpenVPN Connect for Windows. Depending on the current version of the client software, you should download a file similar to this one: openvpn-connect-2.0.8.106.msi.

    After you install it, launch the OpenVPN Connect client software and find it in your system tray. Right-click on the icon and click Connect to your-server-ip-address, and you should be connected. Now make an IP address check by typing what is my ip in the Google search bar; it should output your server’s IP address. Check your Internet speed over at speedtest.net. It should also detect your current IP address location. Then check if you can access HULU, Netflix or Vevo, even if you’re outside of the US. If you’re granted access, then your VPN access server is working!

  • Step 9: Configure your server to have a dynamic domain name. This step is optional. If you want to give your server a domain name, you can do that for free using a dynamic DNS service like NO-IP. To set this up, sign up for an account and log in. Then navigate to the Hosts/Redirects menu and click on Add Host. Then fill in the fields, like so:

    • Hostname => your-desired-name.ddns.net
    • Host Type => DNS Host (A)
    • IP Address => your-server-ip-address

    Then click the Add Host button to finish the setup. Your OpenVPN Access Server is now accessible using your configured host name. So when you’re on the road and you need a secured Internet connection, access your server using your host name and download the necessary configuration file.

Basic Server Security

Now that you’ve got your server working, you need to set up some basic server security to harden your access server a bit. Though this is not a server for public use, it’s important to secure it just in case someone tries to gain access to your VPN server. To implement basic security, follow the procedures below. For this part of the guide, we need to set up the firewall.

Firewall Setup

To set up a basic firewall in Ubuntu, you first need to enable UFW (Uncomplicated Firewall). It’s an easy-to-use firewall front-end for iptables, and it comes pre-shipped with Ubuntu. To enable UFW, type in sudo ufw enable, or ufw enable if you’re logged in as root. You’ll be prompted with a message like this:

    Command may disrupt existing ssh connections. Proceed with operation (y|n)? y

Just press y to continue. Do not log out while still on the server; you need to open the port for your SSH server. To open the port, type in:

    ufw allow ssh

Note: In Ubuntu 14.04, this will block all incoming ports, except for port 80, 443 and the OpenVPN default port. You have to open port 22 for incoming SSH connections. After this, your firewall should be set.

Harden SSH Server

If you want to add more security to your server, hardening SSH is another good way to prevent automated attacks on your VPN server. To make this happen, follow the steps below.

  • Create a new admin user-account:

    Login as root via SSH and type in:

    adduser your-admin-user-name

    Enter a strong password twice, then press the enter key to continue. You may skip the other details by pressing the enter key. Once done, add the new user to the sudo group. This gives the new user administrative privileges on your server.

    To do this, type the following command:

    usermod -aG sudo your-admin-user-name

    Next, copy your authorized_keys file to the .ssh folder under your new user account’s home folder.

    Do the following steps:

    • Create a new folder under /home/your-user-name/ and name it .ssh. In Linux, a folder or file name that starts with a dot is hidden. To create the folder:

      mkdir /home/your-user-name/.ssh/

    • Copy the current authorized_keys to your new .ssh folder:

      cp .ssh/authorized_keys /home/your-user-name/.ssh/

    • Change the folder owner and assign it to your new user account:

      chown -R your-user-name:your-user-name /home/your-user-name/.ssh/

    • Change the folder and file permissions:

      chmod 700 /home/your-user-name/.ssh/

      chmod 400 /home/your-user-name/.ssh/authorized_keys

    DO NOT log out or exit from your session yet. Do the next step below.

  • Disable Root Login: To do this, log in as the root user using SSH and edit the /etc/ssh/sshd_config file by typing:

    nano -c /etc/ssh/sshd_config

    Look for the line (line 28 or close) containing PermitRootLogin without-password and change it to PermitRootLogin no. Next, find the text #PasswordAuthentication yes (around line 52) and change it to PasswordAuthentication no. Next, look for UsePAM yes (last line of the file) and change it to UsePAM no. Create a new line and enter UseDNS no; this is not really a big security benefit, but it makes logging in pretty quick. Then create a new line under that with AllowUsers your-user-name.

    Reference Text:

    UsePAM no
    UseDNS no
    AllowUsers your-admin-username
    

    Finally, save the file by pressing ctrl + o, then the enter key to confirm saving the file, then press ctrl + x to exit the editor. Make sure that you put the right user-name for AllowUsers, or else you won’t be able to log in anymore. You need to rebuild your droplet if that happens. To apply your settings, type in service ssh restart. After restarting SSH you won’t be able to log in as the root user anymore, so you need to log in with your new user-name:

    ssh your-user-name@server-ip-address
    
    or
    
    ssh your-user-name@hostname
    

    If you got logged in, then you did it! You have configured your SSH server for better security.
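
A pre-flight check for the lockout risk described above, meant to be run against the edited file before `service ssh restart`. This is an added example, not part of the original guide; the function names, the `vpnadmin` user and the sample files are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: check an edited sshd_config before restarting ssh.
# Function names, user name and sample files are illustrative assumptions.

# Print every global value of a keyword, one per line. Keywords are
# case-insensitive; lines after the first "Match" are conditional, so stop there.
# Assumes the usual whitespace-separated "Keyword value" form.
sshd_values() {  # usage: sshd_values <config-file> <keyword>
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/          { next }   # comment or blank line
    tolower($1) == "match"  { exit }   # end of the global section
    tolower($1) == want     { $1 = ""; sub(/^[ \t]+/, ""); print }
  ' "$1"
}

# For single-valued keywords sshd keeps the first value it reads.
sshd_first() { sshd_values "$1" "$2" | head -n 1; }

# Return 0 only if the file carries the guide's settings and the allowed
# user still has a key to log in with; print one FAIL line per problem.
ssh_preflight() {  # usage: ssh_preflight <config-file> <user> <authorized_keys>
  local cfg=$1 user=$2 keys=$3 rc=0 v kw

  for kw in PermitRootLogin PasswordAuthentication; do
    v=$(sshd_first "$cfg" "$kw")
    [ "$v" = "no" ] || { echo "FAIL $kw is '${v:-unset}', expected 'no'"; rc=1; }
  done

  # AllowUsers lines accumulate, so join all of them before looking for the user.
  v=$(sshd_values "$cfg" AllowUsers | tr '\n' ' ')
  case " $v " in
    *" $user "*) ;;
    *) echo "FAIL AllowUsers '${v% }' does not list '$user' (lockout)"; rc=1 ;;
  esac

  # With passwords off, an empty or missing key file also means lockout.
  if ! grep -Eq '^[^#[:space:]]' "$keys" 2>/dev/null; then
    echo "FAIL $keys is missing or holds no key (lockout)"; rc=1
  fi
  return "$rc"
}

# Constructed sample: the guide's edits applied, but with a typo in AllowUsers
# and the distribution's original PermitRootLogin line left above the new one.
demo() {
  local d rc=0
  d=$(mktemp -d) || return 2
  printf '%s\n' 'Port 22' 'PermitRootLogin without-password' \
    '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'PermitRootLogin no' 'UsePAM no' 'UseDNS no' \
    'AllowUsers vpnadmn' > "$d/sshd_config"
  printf '%s\n' 'ssh-rsa AAAAconstructedkey vpnadmin@laptop' > "$d/authorized_keys"
  ssh_preflight "$d/sshd_config" vpnadmin "$d/authorized_keys" || rc=$?
  rm -rf "$d"
  return "$rc"
}

demo || echo "Fix the FAIL lines above before running: service ssh restart"
```

On the server, the equivalent call would be `ssh_preflight /etc/ssh/sshd_config your-user-name /home/your-user-name/.ssh/authorized_keys`, run from the root session that is still open; `sshd -t` additionally checks the file for syntax errors.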

That’s a Wrap

There you have it, you now know how to set up your own VPN server, either for a road-warrior setup or to access HULU or Netflix outside of the US. It’s not that difficult to set up; just read the guide carefully and don’t rush when you follow it. Take your time and double-check what you’re doing at every step of the way. If there is something you want to ask about this guide, or something you want to share, feel free to post your comment below.

Chubbable

Hi, I'm Chubby! That's what my friends call me. I'm a tech savvy dude who is passionate in learning stuffs by himself. I post stuffs that I recently learned and also stuffs that I'm very knowledgeable of. I also post articles here to serve as my own reference and knowledge base archiving.

  • Max Power

    Thanks for the info. Quick question… I am trying to set up my router to connect directly to the VPN. The router is asking for a .ovpn file. Any ideas how to obtain or create this file? Thanks!

    • Hey there! What exactly do you mean by “I am trying to set up my router to connect directly to the VPN”? Are you trying to connect to a OpenVPN Access Server just like this setup? or a third-party VPN service providers. If you wanted to connect using the setup mentioned in this guide, then you need to have a user account already created. Then login as a user at “https://your-server-ip-address:943”. You can now download the configuration file. You won’t get a .ovpn file if you’re downloading a config file for windows. This is actually mentioned in “STEP 8”.

      If you’re using a third-party VPN service, then login to your account and download the file from your dashboard or consult the service’s documentation on how you would do this.

      • Max Power

        Thanks for the reply. I have since obtained the config file. I use an Asus router (RT-N66U) that has an Open VPN client built into it. It just requires the config file to set it all up. I got it all set up and connected but does not seem to be working very well. Probably some settings need to be changed somewhere.

        I wanted to connect directly through the router so my entire network (including my xbox) could be on the VPN. But maybe this is not the way to go.

        Any ways, thanks for the write up!

        • Double check everything. Make sure the hostname or IP address in your .ovpn config file is the right one for your server.

          Also, make sure that the hostname you setup for your OpenVPN server is reachable and is resolving to your server’s IP address, especially if you’re using a DDNS service.

          You also need to provide the certificate files path for your .ovpn config.

          You can also try to connect first by connecting first your Windows, Linux or Mac machine directly to the OpenVPN server, so you’ll know if it’s working or not.

          • Max Power

            Yeah, I can connect directly through Windows and it works no problem.
            When I use the same settings for the router, it will connect (and it
            shows being connected on the access server), but none of the computers
            behind the router are able to connect.

          • Okay, now I got you. You actually got it working. But to connect your client machines to your router, you need to setup another OpenVPN server for your internal network.

            It’s like this, client machines connect to your OpenVPN router, PLUS, your OpenVPN server also acts as a VPN client for the access server. So you need to set your router to act as a OpenVPN server and at the same time a client. Just like what I did in this post: https://chubbable.com/setup-pfsense-as-openvpn-client

  • Kelu Thatsall

    Hey, thanks for your help! Hulu doesn’t allow me to watch free movies still though. They notice I use anonymous proxy. Do you know if I can override that too?

    • Hi Kelu,

      This setup only allows you to access Hulu, Netflix, Vevo outside of U.S. For Hulu/Netflix, you still need to have an active subscription for the service.

  • Cannon Goodnight

    Clubbable, this is an EPIC guide. Thanks on behalf of the silent masses. It has helped me greatly. Just a tiny FYI that a few of your images are now failing.

    • Thanks for the tiny FYI. Will fix it soon.