How to Install OpenVPN On an Ubuntu OpenVZ VPS
If you are a webmaster outside the US, and you have purchased a US VPS. This tutorial is for you! The big question is why you should install openvpn on vps? Well the biggest reason is that you can change your IP to watch stuff like Hulu which is is only available for US visitors. Another benefit of VPN is the security it offers by encrypting traffic on public networks like public WIFI spots which are not very safe. You could of course use a commercial service like StrongVPN in which case you typically pay ($5-10) per month, but for webmasters who have rent a VPS, they will prefer to run VPN on their VPS hosting.
OpenVZ VPS supports VPN inside a container via kernel TUN/TAP module and device. First thing you need to do is to enable TUN/TAP.
You can enable TUN/TAP in your hosting control panel. TUN/TAP is disable in some VPS hosting, you need to submit a ticket to you hosting provider to enable TUN/TAP.
Steps of Installing OpenVPN Inside an OpenVZ VPS on Ubuntu 10.04:
First, install the openvpn package:
sudo apt-get install openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
sudo gunzip server.conf.gz
This will copy and unpack the example server config. The sample config uses the ip range 10.8.0.0 and subnet 255.255.255.255
Edit the server.conf file with your favorite editor:
nano /etc/openvpn/server.conf
Now you need to uncomment the following (remove the “;” in front of the line):
push “redirect-gateway def1 bypass-dhcp”
push “dhcp-option DNS 208.67.222.222?
push “dhcp-option DNS 208.67.220.220?
Copy the necessary files to to create our certificates:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa
We need to adjust the vars file, which contains the settings for the certificates.
Please keep in mind that the ‘country’ field may only contain 2 letters.
Open the vars file and go to the end.
The default file contains:
# These are the default values for fields
# which will be placed in the certificate.
# Don’t leave any of these fields blank.
export KEY_COUNTRY=”US”
export KEY_PROVINCE=”CA”
export KEY_CITY=”SanFrancisco”
export KEY_ORG=”Fort-Funston”
export KEY_EMAIL=”me@myhost.mydomain”
You can modify these values if you like.
After that create the necessary key and CA’s:
Creating server certificates
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./pkitool –initca
./pkitool –server server
This will build your proper certificates based up the example files slightly editted. I recommend this for non-advanced users and first-timers.
Creating client certificates
cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname
Remember to replace hostname with the name of the client you want to connect. This can be used as an identifier for example “client1”
You’ll need to do 1 thing more to fix the routing. That is to route the traffic from tun0 to the interface that provides internet (venet0:0 by default).
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT -to-source your_vps_ip
iptables-save
Since we can’t use the MASQUERADE command, we need to use SNAT. Also only full interfaces are supported (So venet0:0 isn’t compatible with the -o option). That’s why I cover this on a static IP based configuration. This will route all network traffic on 10.8.0.0 to the internet-supplying interface.
sudo /etc/init.d/openvpn restart
Configure your VPN client on your computer, the client will need the following files:
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/intovps.crt
/etc/openvpn/easy-rsa/keys/intovps.key
Create a config file, for example myvps.ovpn and change the certificate settings to include the files above:
In the line “remote hostname 1194? change “hostname” with your VPS hostname that will match the certificate.
Also change the ssl settings in case you used a different name for the client certificates then myvps.
You can buy a cheap VPS from burst.net or visit lowendbox.com and search for an OpenVZ VPS.