Wanting to learn how you would create your own remote VPN access server? Well, jumped in and I’ll teach you how you would exactly do this using free and open-source software called OpenVPN AS or OpenVPN Access Server.
In this guide you’ll learn how to setup and configure a remote access server for you
VPN needs. If you’re up on setting; a secure Internet connect, bypass ISP traffic shaping or capping, use a country-based IP to get access to country specific services like Hulu, Netflix or Vevo, then this guide definitely for you.
First off, I want to give you a brief overview about the difference between the OpenVPN Community Edition and OpenVPN Access Server. You probably thought that setting up your own VPN remote access server is that difficult and tedious, well I’ll tell you that it’s not. There are two editions of OpenVPN, as I’ve mentioned it already. The one to be used in this guide is the OpenVPN Access Server edition.
This edition is easy to install and very easy to configure too. It actually has a Web-based GUI where you can easily configure and administer, creating new user and new VPN settings is just a point-and-click away. The Community Edition is not restricted to number of users, while the Access Server Edition is limited to 2 user accounts only (license restricted). If you need more VPN users accounts to your remote access server, you should purchase more license for them, and the minimum number of license that can be purchase is 10. By the way, you can set a user account to have more than one concurrent connection from its end, that means, a single user account could have more than one connection. The Access Server Edition comes in software package, that means you can just download and install it on various supported platforms (Debian, Fedora, Centos).
Unlike the Community Edition, where you need to manually install it using the command-line, and you need to generate the SSL/RSA files manually too. With OpenVPN Access Server Edition, everything is simplified and polished, you can easily install your own VPN access server using only two commands (wget and dpkg – more on this below). If in case you only landed to this page from somewhere else while searching for VPN or OpenVPN, and you’re not actually wanting to setup your own VPN Access Server, instead you’re searching for VPN providers that you may subscribe to, then see the list below. With these providers, you don’t have to go through all the steps mentioned in this guide. Instead, you only need to download the configuration file from your client dashboard, once you subscribe and paid.
There is also a VPN provider that lets you signup for a VPN trial account.
Known VPN Service Providers
Road-warrior Setup With US-based IP
There are various implementation of an OpenVPN access server; one could be a road-warrior setup, site-to-site connection, client-to-server
VPN setup in pfSEnse, or just a simple remote VPN access to access certain IP-based or Country-restricted service like HULU or Netflix. So for the first part, I will cover the procedures on how to setup a single client to remote access VPN server. This VPN implementation is applicable to a road-warrior setup and at the same time, access HULU or Netflix using VPN. If you’re always on the go and Internet connection is part of your job, this setup would be very beneficial to you to secure your connection. Also, if you’re looking to subscribe for a HULU or Netflix account but not yet offered in your country, then this would be the easier and cheaper way to access the service from your country. For this setup, you’ll need a VPS (Virtual Private Server) to host your OpenVPN Access Server instance. Don’t be discouraged when I mention VPS, it’s not that hard to setup and not that expensive as you may thought of. We’ll be using one from Digital Ocean’s Ubuntu droplet, this is gonna be easy and I’ll walk you through the step-by-step guide on how to set things up. After you completed this setup, you won’t be needing the service of known VPN providers anymore, because you already have it and it’s lot cheaper than Air VPN or Ghost VPN. Using Digital Ocean’s $5 droplet, you can setup a 1TB monthly bandwidth allowance and a 20GB worth of SSD storage, not that bad for a personal DIY VPN access server. Okay, enough with the talk, let’s move on.
Requirements For This Setup
- 1 Digital Ocean droplet (VPS worth $5)
- OpenVPN Access Server Edition, Package for Ubuntu 14.04
- SSH Client (Putty for windows or plain terminal for Linux)
- Any computer or mobile device to test your setup
Step 1: Create your SSH-key pairs to use with your Digital Ocean droplet (VPS). This is very essential before creating your first droplet or server. It’s a good way to secure your connection between your local machine and remote server right from the start. So before you create your server, generate the SSH key pair. This would be a password-less connection using the
rootaccount from your Ubuntu server.
If you’re on Windows, you need to download
puttygen.exeto generate the SSH keys. You can download it from this link After downloading the file, fire it up and you should see something like this:
SSH-2 RSAfrom the
Parametersfield-set and enter
Number of bits in a generated keyfield-set. Then click
Generatebutton to start creating the SSH keys. Move your mouse randomly within the window to fill up the progress bar. When it’s done, you should see another field-sets containing; the generated public key, Key finger print, Key comment, Key pass-phrase, Save public key and Save private key button. Reference Image:Save the generated SSH public key by copying the whole block of text found inside the
Keytext area and paste it to a new text file (use notepad) and save it with a file extension of
.pub. In my case, I’ve created a folder named
Documentsfolder and then I saved the file as
digital-ocean-ssh.pub. Reference Image:While still on the PuttyGen window, click
Save private keybutton to save the SSH private key file to a filename with
.ppkfile extension. In my case, I’ve put it inside
SSH-Keysfolder with a filename
digital-ocean-ssh.ppk. You may now close the
puttgen.exewindow to continue with the next step. Reference Text for
.pubssh key file content:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArEJ7LaeS68oGbvdts5aGIZBQjZ5zmdGaorw /AhMWD8NYbasqJh0wuJpHQRxWc0g93FNSOW7LGtQme7QuiEM9HyJQWyLtiwi9udqaxgSM2x Xilnxe49kFxtypfCgsKAyzC0phXCYb7QUdgLKWEr33d6soNohzqVre2meXZcDmZuAechMJf 73JSHi76FSdg4YPhwCriqvyL56/pI4h3SjKLfyIVGBPiJy25xbLE8E7frbFrDAeyvfUzEDP W3C40vXcLH1XONNI/Jv8E66DXFCm1sCxya9su9tnlshJ+ZXjvLWLkN38i0wc1kPqHGwUXua FQS0/hDv/aD6SVJfNLXXaGQ== rsa-key-20140828
If you’re on Linux/Mac, simply fire-up a terminal and type:
ssh-keygen -t rsa -b 2048 -f ~/.ssh/name-it-like-you-wish
ssh-keygenis the main command,
-b 2048tells key strength if it’s 1024, 2048, and 4096 bits.
-f ~/.ssh/name-of-the-filetell it to where the ssh-keys should be saved in your local folders.
Step 2: Sign-up for a Digital Ocean Account and create your first VPS (Virtual Private Server) or droplet (as what Digital Ocean refers to). After signing up, make your initial deposit of $5 to enable your account for droplet creation. But if you signup now through this link, your account will be credited worth $15 in total. So you get additional $10 credit on top of your $5 initial deposit, and would be able to run a 512Mb VPS for 3 months. Awesome right? Reference Image: Before creating your first VPS, add your public SSH keys by copying and pasting it to your control panel. To do this, go to your navigation menu (left side) click
SSH Keysto go to the next page, then click the big blue button labeled
Add SSH Key. Enter a name, let’s say for instance
Windows Machine, and paste-in your public ssh key inside the
Public SSH Keytext area. Then click the big green button labeled
CREATE SSH KEY. Now you’re ready to spin your first droplet. See next step below. Reference Images:
Step 3: Create a droplet for your OpenVPN access server. For this guide, we’ll be using Ubuntu 14.04 LTS 32-bit Server Edition for our Host-OS, but you may use the 64-bit version. Click the big green button labeled
Createthen fill up
Hostnamefield, for demo purposes, let’s name it
openvpn. Select size and click the $5 package, which is a 512, 20GB, 1TB/month VPS package.
Select region and choose San Francisco 1, New York 1, 2 or 3.
Select image by clicking
Ubuntu 14.04 x32button.
Reference Image:Now, under
Add optional SSH Keys, add the SSH keys you have added previously from step 1 by clicking on it.
Reference Image:Make sure
Enable VirtIOis checked, and finally click
CREATE DROPLETbutton. Your VPS will then be created for under 55 seconds. When it’s done, proceed to the next step.
Step 4: Login to your server remotely using SSH. Login using SSH by typing
ssh root@ip-address-of-your-server. If you’re on Windows, launch
putty.exeand do the following:
- Fill up
Host Name(or IP address)` field with your server’s IP address
- From the left-pane, expand
Connectionmenu and click on
SSHto expand it more
- Navigate to your
.ppkSSH private key file and open it.
Then finally click
Openbutton again to make the SSH connection Reference Images:If you’re on Linux/Mac, simply open up a terminal
ctrl + alt + tand type in the ssh command.
Note: If it’s your first time to connect, you’ll be asked about
PuTY Security Alert, just make sure that you’re connecting to the right IP address and click YES.
- Fill up
Step 5: Download and Install OpenVPN Access Server. Now that you’re logged in as root, let’s download and install the right OpenVPN-AS package for our version of Ubuntu, which is
Ubuntu 14.04 LTS Server x32. Head over to the OpenVPN AS download page and right-click on
Ubuntu 14 amd/x86 32-bitgreen button, then select
Copy Link Addressfrom the context-menu. Reference Image:Go back to your terminal and type in
space. Then paste in what you copied by right-clicking on the terminal window and click paste. Middle mouse click if you’re using PuTTY. This is what should be in your command-line:
Press ENTER key to start the download. After this, install the
.debpackage by using the following command:
dpkg -i http://swupdate.openvpn.org/as/openvpn-as-2.0.10-Ubuntu14.i386.deb
That should install the package and will only take a few seconds to complete.After this process, you OpenVPN web-gui should be accessible from:
Admin UI: https://your-server-ip-address:943/admin Client UI: https://your-server-ip-address:943
When installed, an administrative user-account is created and that you should enter a new password for it. The administrative user-name is
openvpn, this is the user-name that you should use when logging in to the OpenVPN Web-GUI. So let’s create a new password for it and type the following command then press ENTER key;
You’ll be asked to enter your new UNIX password.
Step 6: Create a local user account for your OpenVPN client. Create a local user-account for your VPN user account. This account will be used for the web-ui login. To create a new user-account, type the following and press
Then enter a password for it.
Step 7: Login to OpenVPN Web-UI and create a client account. Login as
openvpnuser with the password you previously created from step 5. The admin login URL is
https://your-server-ip-address/admin. Make sure to use
httpswhen accessing the web page. From the main navigation menu on the left side of the page, click on
User Managementmenu. Create a new VPN user by supplying the user-name you previously created from step 6. Enter the user-name in the
New Usertext field. You may select
Allow Auto Loginby ticking the checkbox, to allow users to connect to the VPN server without providing their user-name and user-password. Click
Save Settingsto finish the process.
Step 8: Connecting from a client machine or device. S how to connect to the VPN server, the answer is like this; first login as a client to the OpenVPN web-ui and download the applicable user connection profile, then install it like any other software. If you want to connect from a Windows-based machine, login using your VPN client account, then choose and download
OpenVPN Connect for Windows. Depending on the current version of the client software, you should download a file similar to this one;
openvpn-connect-188.8.131.52.msi. Reference Image:After you install it, launch the
OpenVPN Connectclient software and check it from you system tray. Right-click on the icon and click
Connect to your-server-ip-address, and you should be connected. Now make an IP address check by typing
what is my ipin the google search bar, it should output your server’s IP address. Check your Internet speed and go over at
speedtest.net. It should also detect your current IP address location. Then check if you can already access HULU, Netflix or Vevo, even you’re outside of US. If you’ve granted access, then your VPN access server is working!
Step 9: Configure your server to have a dynamic domain name. This step is optional. If you wanted to give your server a domain name, you could do that for free using a dynamic dns service like NO-IP. To set this up, sign-up for an account and login. Then navigate to
Hosts/Redirectsmenu and then click on
Add Host. Then fillup the fields, like so:
- Hostname =>
- Host Type =>
DNS Host (A)
- IP Address =>
Add Hostbutton to finish the setup. Your OpenVPN Access Server is now accessible using your configured host name. So when you’re on the road and you need a secured Internet connection, access your server using your host name and download the necessary configuration file.
- Hostname =>
Basic Server Security
Now that you got your server working, you need to setup some basic server security to harden your access server a bit. Though this is not a server for public use, it’s important to secure it just in case someone would try to gain access to your VPN server. So to implement basic security, follow the procedures below. For this part of the guide, we need to setup the firewall. Firewall Setup. To setup a basic firewall in Ubuntu, you need first to enable UFW (Uncomplicated Firewall). It’s an easy to use firewall front-end for IP tables, and it comes pre-shipped with Ubuntu. To enable UFW, type in
sudo ufw enable or
ufw enable if you’re logged in as
root. You’ll be prompted with a message like this:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Just press
y to continue. Do not logout yet while still on the server, you need to open the port for your SSH server. To open the port type in;
ufw allow ssh
Note: In Ubuntu 14.04, this will block all incoming port, except for port
openvpndefault port. You have to open port 22 for incoming SSH connection. After this, your firewall should be set. Harden SSH Server If you want to add more security to your server, hardening SSH is another good way to prevent automated attacks to your VPN server. To make this happen follow the steps below.
Create a new admin user-account:
Login as root via SSH and type in:
Enter a strong password twice, then press
enterkey to continue. You may skip other details by pressing enter key. Once done, add the new user to the
sudoerfile. This should give the new user an administrative privileges to your server.
To do this, type the following command:
usermod -aG sudo your-admin-user-name
Next, copy your
.sshfolder, under your new user-account’s home holder.
Do the following steps:
Create a new folder under
/home/your-user-name/and name it
.ssh. In Linux, a folder or file prepended with a
dotmeans it’s hidden. To create the folder:
Copy the current
authorized_keysto your new
cp .ssh/authorized_keys /home/your-user-name/.ssh/
Change the folder owner and assign it to your new-user-account.
chown -R your-user-name:your-user-name /home/your-user-name/.ssh/
Change folder and file permission.
chmod 700 /home/your-user-name/.ssh/
chmod 400 /home/your-user-name/.ssh/authorized_keys
DO NOT log out or exit from your session yet. Do the next step below.
Disable Root Login: Disable
rootlogin. To do this, login as
rootuser using SSH and edit the
/etc/ssh/sshd_configfile by typing:
nano -c /etc/ssh/sshd_config
Look for the line (line 28 or close) containing
PermitRootLogin without-password, change it to
PermitRootLogin no. Next, find the text
#PasswordAuthentication yes(around line 52) and change it to
PasswordAuthentication noNext, look for
UsePAM yes(last line of the page) and change it to
UsePAM no. Create a new line and enter
UseDNS no, this is not really a big security benefit but it makes loging in pretty quick. Then create a new line of text under that with
UsePAM no UseDNS no AllowUsers your-admin-username
Finally, save the file by pressing
ctrl + othen
enterkey to confirm saving the file, then press
ctrl + xto exit the editor. Make sure that you put the right user-name for
AllowUsersor else you won’t be able to log in anymore. You need to rebuild your droplet if that happens. To implement your settings, type in
service ssh restart. After restarting SSH you won’t be able to log in as
rootuser anymore, so you need to login with your new user-name:
ssh your-user-name@server-ip-address or ssh your-user-name@hostname
If you got logged in, then you did! You have configured your SSH server for better security.
That’s a Wrap
There you have it, you now know how to setup your own VPN server, either for a road-warrior setup or to access HULU or Netflix outside of US. It’s not that difficult to setup, just read the guide carefully and don’t be in a haste when you try to follow this guide. Take your time and double check what you’re doing, on every step of the way. If there is something you want to ask about this guide, or something you wanna share, feel free to post your comment below.