How to setup your own VPN Server for Secure Browsing

Prerequisite

  1. Debian 12 Machine
  2. on a cloud with a Public IP (I am using DidgitalOcean)
  3. interface name of public IP ( my interface name is eth0)


STEP 1: Configure IP Forwarding

vim /etc/sysctl.conf


uncomment the following line

#net.ipv4.ip_forward=1


set proxy ARP for Interface

echo 1 | sudo tee /proc/sys/net/ipv4/conf/eth0/proxy_arp


STEP 2: Configure Firewall Rules

install ufw

apt install ufw


Allow port for SSH (22/TCP) and OpenVPN (1194/udp)

ufw allow ssh
ufw allow 1194/udp


Now add some rules for ufw but first backup and clear old file

cp /etc/ufw/before.rules /tmp/
> /etc/ufw/before.rules


Edit the following file and add the following content in that file

vim /etc/ufw/before.rules


Copy and paste it into the file

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Uncomment the next POSTROUTING line and replace ens224 with the name
# of your Local Network Interface if you have a second network interface
# for accessing machines on your local network
# Allow OpenVPN client to communicate with local home network
#-A POSTROUTING -s 10.8.0.0/24 -d 192.168.0.0/24 -o ens32 -j MASQUERADE

# Allow traffic from OpenVPN client to your WAN and/or LAN via ens224
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES


# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

#Accept all traffic to and from VPN
-A ufw-before-input -i tun+ -j ACCEPT
-A ufw-before-output -i tun+ -j ACCEPT

# Forward traffic to and from the VPN
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT


Edit the ufw default file

vim /etc/default/ufw


SET ACCEPT for DEFAULT_INPUT_POLICY and DEFAULT_FORWARD_POLICY

# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="ACCEPT"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. IPT_MODULES should typically be
# empty for new installations and modules added only as needed. See
# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
# nf_conntrack_sane: sane support
IPT_MODULES=""


now enable firewall rules.

ufw enable


STEP 4: Install OpenVPN

apt install dnsutils aptitude mlocate tcpdump wget curl
apt install openvpn easy-rsa pip python3-click


STEP 5: Install OpenVPN Configuration Generator

wget https://github.com/thesparklabs/openvpn-configuration-generator/releases/download/1.0.9/openvpn-configuration-generator_20.04_1.0.9.deb
dpkg -i openvpn-configuration-generator_20.04_1.0.9.deb


STEP 6: Create OpenVPN Sever Configuration Files

openvpn-generate init --path /etc/openvpn/server/
Please fill in the information below that will be incorporated into your certificate.
Some fields have a default value in square brackets, simply press Enter to use these values without entering anything.
Some fields can be left blank if desired. Enter a '.' only for a field to be left blank.
---
Server address, e.g. myserver.mydomain.com: vpn.yourdomain.com
Server Port [1194]:
Protocol, 1=UDP, 2=TCP [UDP]:
Redirect all traffic through VPN? [Y/n]: y
Please specify DNS servers to push to connecting clients:
        1 - CloudFlare (1.1.1.1 & 1.0.0.1)
        2 - Google (8.8.8.8 & 8.8.4.4)
        3 - OpenDNS (208.67.222.222 & 208.67.220.220)
        4 - Local Server (10.8.0.1). You will need a DNS server running beside your VPN server
        5 - Custom
        6 - None
Please select an option [1]: 2
Would you like to use tls-crypt-v2 with this configuration? [Y/n]: n
Would you like to use anonymous defaults for certificate details? [Y/n]: n
Common Name, e.g. your servers name [vpn.yourdomain.com]:
Country Name, 2 letter ISO code [AU]: PK
State or Province [NSW]: Islamabad
Locality Name, e.g. a City [Sydney]: Islamabad
Organisation Name [My Company]: HBVoice
Organisation Unit, e.g department [Networks]: DevOps
Email Address [me@host.domain]: hamid@hbvoice.dev

Generating new server configuration...
Creating DH Params. This will take a while...
...................+..............................++++...............
Creating Server Identity...
Successfully generated server configuration at /etc/openvpn/server/server.
Successfully initialised config.


STEP 7: Create OpenVPN Client Configuration Files

openvpn-generate client --path /etc/openvpn/server/
https://gist.githubusercontent.com/hamidrhashmi/97205cc0e7363efd63905df8c5133172/raw/8e473c47fecf0938fc75b7c3bcda8112c3e31747/viscosity-to-openvpn.py
chmod +x viscosity-to-openvpn.py 
viscosity-to-openvpn.py ./clients/Hamid.visz ./clients/Hamid.ovpn


STEP 8: Configure Service file

 cat /lib/systemd/system/openvpn.service
# This service is actually a systemd target,
# but we are using a service since targets cannot be reloaded.

[Unit]
Description=OpenVPN service %i
After=network.target

[Service]
Type=forking
RemainAfterExit=yes
ExecStart=openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --config /etc/openvpn/server/server/server.conf
WorkingDirectory=/etc/openvpn/server/server/

[Install]
WantedBy=multi-user.target

Now start openvpn server

systemctl daemon-reload
systemctl enable openvpn
systeemct start openvpn

STEP 9: Download .ovpn file

Download .ovpn file which you have created in STEP 7.


STEP 10: Install OpenVPN GUI (Community Version)

Download the community OpenVPN from thier website as per your OS


STEP 8: Import Client Configuration


RefSetting up an OpenVPN server with Ubuntu and Viscosity


Enjoy 😉

at No comments:
Location: Islamabad, Islamabad Capital Territory, Pakistan
Subscribe to: Posts (Atom)

SIPp UAC Scenario to send RTP

Please install the latest sipp ( >=3.7.3 ) wget https://github.com/SIPp/sipp/releases/download/v3.7.3/sipp chmor +x sipp mv sipp /usr/bin...