From Zero to Secure: Creating and Connecting to Your Own OpenVPN Server on Azure

Robiuddin Robi
8 min read · Jul 29, 2024

Virtual Private Networks (VPNs) carry your traffic through an encrypted tunnel to a server you control, so the network you happen to be on (a café Wi-Fi, a hotel, your ISP) sees only an encrypted stream to your VM. OpenVPN, a widely used open-source VPN solution, builds that tunnel on TLS with certificate authentication and is highly configurable. In this guide, we’ll walk you through setting up your own OpenVPN server on an Azure virtual machine, configuring it for multiple devices including Windows PCs and Android phones, and monitoring network traffic in real time. By the end of this tutorial you’ll have a private network environment that you run yourself; keep in mind that the VM and the certificate authority you create on it are now the things that must stay secure.

Step 1: Setting Up the Azure Virtual Machine

The journey begins with creating an Azure Virtual Machine (VM) where your OpenVPN server will reside. Azure offers a robust and flexible cloud platform that’s perfect for this project.

Creating the Azure VM

1. Log in to Azure Portal: Open your browser and navigate to the Azure Portal. Sign in with your Azure account.

2. Create a Virtual Machine:

- Click on “Create a resource” on the Azure Portal dashboard.

- Select “Virtual Machine” from the list of available resources.

- Fill in the necessary details:

- Name: Give your VM a recognizable name, such as “OpenVPN-Server”.

- Region: Choose a region close to you for better performance.

- Image: Select an Ubuntu Server LTS image for simplicity and reliability.

- Size: Choose a VM size that fits your needs. For most VPN applications, a small instance like `B1s` should suffice.

- Authentication: Choose SSH public key authentication rather than a password. The portal can generate a key pair for you or accept one you already have; a password-only VM facing the internet will be brute-forced.

3. Configure Networking:

- Ensure that the VM has a Network Security Group attached.

- Add inbound security rules for port 1194/UDP (OpenVPN) and port 22/TCP (SSH). Restrict the SSH rule’s source to your own public IP address rather than “Any”; an SSH port open to the whole internet is scanned and brute-forced continuously. There is no need to open 1194/TCP, because the server configuration below uses UDP only.

4. Review and Create: After filling in all necessary details, review your configurations and click “Create”.

Connecting to Your Azure VM

Once your VM is up and running, you’ll need to connect to it to start the setup process:

1. Accessing Your VM:

- Open your terminal (macOS/Linux) or PowerShell (Windows).

- Use the SSH command provided by the Azure Portal to connect to your VM.

ssh -i /path/to/your/private/key.pem azureuser@<your-vm-ip-address>

With the Azure VM set up and ready, we move on to installing and configuring OpenVPN.

Step 2: Installing and Configuring OpenVPN

OpenVPN is a powerful open-source VPN solution that is versatile and highly configurable. This section walks you through the installation and configuration process.

Installing OpenVPN

1. Update Your System:

sudo apt-get update
sudo apt-get upgrade -y

2. Install OpenVPN and Easy-RSA:

sudo apt-get install openvpn easy-rsa -y

Setting Up Easy-RSA for Certificate Management

Using Easy-RSA simplifies generating the certificates and keys required for OpenVPN.

1. Set Up the Easy-RSA Directory:

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

2. Configure Easy-RSA:

Edit the `vars` file (copied from `vars.example` by `make-cadir`) to set up your default certificate authority (CA) settings.

nano vars

Update the fields with your information. Use straight double quotes, and a two-letter ISO code for the country: OpenSSL rejects anything longer in the countryName field.

set_var EASYRSA_REQ_COUNTRY "BD"
set_var EASYRSA_REQ_PROVINCE "Dhaka"
set_var EASYRSA_REQ_CITY "Dhaka"
set_var EASYRSA_REQ_ORG "Software"
set_var EASYRSA_REQ_EMAIL "youremail@example.com"
set_var EASYRSA_REQ_OU "Data"

These fields only appear in certificate subjects when `EASYRSA_DN` is set to `org`; in the default `cn_only` mode the subject is just the common name, which is all a private VPN needs.

3. Build the Certificate Authority:

./easyrsa init-pki
./easyrsa build-ca

You’ll be prompted for a passphrase for the CA private key (choose a strong one; it is needed every time you sign a certificate) and for a Common Name for the CA, for example “OpenVPN-CA”.

4. Generate Server and Client Certificates:

./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

`nopass` leaves the server and client private keys unencrypted so that OpenVPN can start unattended; each `sign-req` asks you to confirm with `yes` and then for the CA passphrase. Issue one certificate per device (client1, client2, and so on) rather than sharing one: if a phone is lost you revoke only that certificate (`./easyrsa revoke client2`, then `./easyrsa gen-crl`, and a `crl-verify` line in the server configuration) and every other device keeps working.

5. Generate Diffie-Hellman Parameters:

./easyrsa gen-dh

6. Transfer Certificates and Keys:

sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem /etc/openvpn/

Configuring OpenVPN

1. Create Server Configuration:

sudo nano /etc/openvpn/server.conf

Add the following configuration:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# VPN subnet; the NAT rules in the firewall step must use the same range
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# AEAD ciphers only; the same list appears in the client configurations below
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
persist-key
persist-tun
status openvpn-status.log
verb 3
# route all client traffic through the tunnel and hand out a resolver
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

Use straight quotes in the `push` lines. OpenVPN 2.5 and later negotiate the data channel cipher from `data-ciphers`; the older `cipher` directive is deprecated. Replace 8.8.8.8 with any resolver you trust, but do push one: with `redirect-gateway` and no DNS option, clients keep using their local resolver and leak every lookup outside the tunnel. This is a minimal configuration: the TLS control channel is not protected with tls-crypt and the daemon keeps running as root. Both are worth fixing before the server faces the internet.

2. Enable IP Forwarding:

- Edit the sysctl configuration:

sudo nano /etc/sysctl.conf

- Uncomment or add the following line:

net.ipv4.ip_forward = 1

- Apply the changes:

sudo sysctl -p

3. Configure Firewall Rules:

- Add iptables rules. The source network must be the one given to the `server` directive (10.8.0.0/24), otherwise client traffic is forwarded but never NATed and the tunnel has no internet access. `eth0` is the public-facing interface on Azure Ubuntu images; `ip route show default` confirms the name.

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

- Save the iptables rules so they survive a reboot:

sudo apt-get install iptables-persistent -y
sudo netfilter-persistent save

4. Start the OpenVPN service:

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Your OpenVPN server is now configured and running. Next, we’ll configure client devices to connect to your VPN server.
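Before moving on, it is worth checking the server side for the mistakes that are easy to make in the steps above: a NAT subnet that does not match the `server` directive, the deprecated `cipher` directive, no `tls-crypt` on the control channel, a daemon that never drops root, and a full tunnel pushed without a DNS server. The following linter is an added example written for this page, not code from the article or the OpenVPN project. The two configuration strings are constructed copies: `TUTORIAL_*` mirrors the minimal configuration from Step 2, `HARDENED_*` is a version that passes. It assumes you generated the tls-crypt key on the server with `openvpn --genkey tls-crypt ta.key` (`openvpn --genkey --secret ta.key` on OpenVPN 2.4) and copied it next to `server.conf`; the finding codes are this example’s own.

```python
"""Static checks for an OpenVPN server.conf and the matching iptables rules.

Added example, not part of the original article.  The configuration strings
below are constructed for illustration; directive names are real OpenVPN
and iptables options, the finding codes are this script's own.
"""
import ipaddress
import re
import shlex

# Minimal config from the tutorial (constructed copy of the relevant lines).
TUTORIAL_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
"""
# NAT rules with a subnet that does not match the server directive.
TUTORIAL_NAT = """\
iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.9.0.0/24 -j ACCEPT
"""

# Hardened config: tls-crypt, AEAD ciphers only, privilege drop after start.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
server 10.8.0.0 255.255.255.0
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
"""
HARDENED_NAT = """\
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
"""


def parse_conf(text):
    """Map each directive to the list of argument lists it appears with.
    shlex mirrors OpenVPN's quoting, so push "a b" yields one argument."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def nat_sources(rules):
    """Source networks (-s ...) referenced by the iptables rules."""
    return {ipaddress.ip_network(s) for s in re.findall(r"-s\s+(\S+)", rules)}


def lint(conf_text, nat_rules):
    """Return (code, detail) findings; an empty list means nothing found."""
    opts = parse_conf(conf_text)
    if "server" not in opts:
        return [("no-server", "server directive missing; not a server config")]
    findings = []

    net_addr, net_mask = opts["server"][0][:2]
    vpn_net = ipaddress.ip_network(f"{net_addr}/{net_mask}")
    for src in sorted(nat_sources(nat_rules)):
        if src != vpn_net:
            findings.append(("nat-subnet-mismatch",
                             f"iptables uses {src} but clients get {vpn_net}"))

    if "cipher" in opts and "data-ciphers" not in opts:
        findings.append(("legacy-cipher",
                         "cipher is deprecated since 2.5; use data-ciphers"))
    for args in opts.get("data-ciphers", []):
        weak = [c for c in args[0].split(":") if "CBC" in c.upper()]
        if weak:
            findings.append(("cbc-cipher", f"non-AEAD ciphers offered: {weak}"))

    if not any(k in opts for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.append(("unprotected-control-channel",
                         "add tls-crypt so unauthenticated packets are dropped early"))
    if "user" not in opts or "group" not in opts:
        findings.append(("runs-as-root", "add user nobody / group nogroup"))

    pushed = " ".join(a[0] for a in opts.get("push", []) if a)
    if "redirect-gateway" in pushed and "dhcp-option DNS" not in pushed:
        findings.append(("dns-leak", "full tunnel pushed without a DNS server"))
    return findings


if __name__ == "__main__":
    for name, conf, nat in (("tutorial", TUTORIAL_CONF, TUTORIAL_NAT),
                            ("hardened", HARDENED_CONF, HARDENED_NAT)):
        print(f"== {name} ==")
        for code, detail in lint(conf, nat) or [("ok", "no findings")]:
            print(f"{code:28} {detail}")
```

Run it on the real files with `lint(open("/etc/openvpn/server.conf").read(), subprocess.check_output(["iptables-save"], text=True))`; `iptables-save` uses the same `-s` syntax as the rules above. Every client then needs the same `ta.key` inline in its profile, which the client section covers.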

Step 3: Setting Permissions on Certificates and Keys

After generating the certificates and keys with Easy-RSA, make sure each file lives only where it is needed, with the right permissions.

1. Check the Server-Side Files:

- SSH into your Azure VM if you’re not already connected:

ssh -i /path/to/your/private/key.pem azureuser@<your-vm-ip-address>

- Step 2 already copied `ca.crt`, `server.crt`, `server.key` and `dh.pem` into `/etc/openvpn/`. Make sure they belong to root and that the private key is readable only by root:

sudo chown root:root /etc/openvpn/ca.crt /etc/openvpn/server.crt /etc/openvpn/server.key /etc/openvpn/dh.pem
sudo chmod 600 /etc/openvpn/server.key

OpenVPN starts as root and reads the key before it does anything else, so the key never needs to be owned by your login user. Do not copy the client certificates and keys (`client1.*`, `client2.*`) into `/etc/openvpn/`: the server does not use them, and every extra copy of a private key is one more thing to protect. They stay in `~/openvpn-ca/pki/`, which your login user already owns, until you export them in the next step.

2. Protect the CA:

- `~/openvpn-ca/pki/private/ca.key` signs every client certificate your server will trust. Easy-RSA created it readable only by your user; leave it that way, and consider moving the whole `~/openvpn-ca` directory to a machine that is not internet-facing once the server is running.

Step 4: Transferring Configuration Files to Clients

You need to copy the client certificate, the client key and the CA certificate to each client device over an authenticated, encrypted channel. The SSH session you already have is exactly that, so use `scp`.

For Windows PC

1. Secure Copy (SCP) Configuration Files to Your Local Machine:

- On your local machine, use `scp` to fetch client1’s certificate and key and the CA certificate straight from the Easy-RSA directory (paths are relative to the azureuser home directory):

scp -i /path/to/your/private/key.pem azureuser@<your-vm-ip-address>:openvpn-ca/pki/issued/client1.crt ./client1.crt
scp -i /path/to/your/private/key.pem azureuser@<your-vm-ip-address>:openvpn-ca/pki/private/client1.key ./client1.key
scp -i /path/to/your/private/key.pem azureuser@<your-vm-ip-address>:openvpn-ca/pki/ca.crt ./ca.crt

On Windows, run these from Git Bash or from PowerShell; Windows 10 and later ship the OpenSSH client, so `scp` is available in both.

Step 5: Configuring Client Devices to Connect to OpenVPN Server

Having set up your OpenVPN server, the next step is to configure your client devices to connect to it. We’ll cover connecting both a Windows PC and an Android device.

1. Install OpenVPN Client:

- Download the OpenVPN GUI (community edition) client from the OpenVPN website.

- Install the client by following the installation wizard.

2. Transfer the Client Configuration:

- Place `client.ovpn`, `ca.crt`, `client1.crt` and `client1.key` together on your Windows PC.

- Alternatively, embed the contents of the three files in `client.ovpn` between `<ca>`, `<cert>` and `<key>` tags, as shown in the Android example below. One self-contained file is easier to move and easier to delete afterwards.

3. Edit the Client Configuration File for Windows (this version keeps the files separate; backslashes inside the quoted paths must be doubled):

client
dev tun
proto udp
remote <your vm-public-ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client1.crt"
key "C:\\Program Files\\OpenVPN\\config\\client1.key"
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
remote-cert-tls server
verb 3
redirect-gateway def1

`remote-cert-tls server` makes the client refuse any peer whose certificate was not signed for server use; Easy-RSA set that attribute when you ran `sign-req server`, so another client’s stolen certificate cannot impersonate your server.

4. Place the Configuration File:

- Copy `client.ovpn` (and, if you did not embed them, the three certificate and key files) to `C:\Program Files\OpenVPN\config\`.

5. Connect to the VPN:

- Open the OpenVPN GUI.

- Right-click the OpenVPN icon in the system tray and select the configuration you placed in the config folder.

- Click “Connect”.

Configuring an Android Device

To connect your Android device to the OpenVPN server, first fetch client2’s certificate and key and the CA certificate to your local machine, exactly as for the Windows PC:

scp -i /path/to/your/private/key.pem azureuser@<your-vm-ip-address>:openvpn-ca/pki/issued/client2.crt ./client2.crt
scp -i /path/to/your/private/key.pem azureuser@<your-vm-ip-address>:openvpn-ca/pki/private/client2.key ./client2.key
scp -i /path/to/your/private/key.pem azureuser@<your-vm-ip-address>:openvpn-ca/pki/ca.crt ./ca.crt

Then follow these steps:

1. Install OpenVPN Connect:

- Open the Google Play Store on your Android device.

- Search for “OpenVPN Connect” and install it.


2. Prepare the Client Configuration File:

- Create a single `client.ovpn` file with the CA certificate, the client2 certificate and the client2 private key embedded inline. Copy only the lines from `-----BEGIN` to `-----END` of each file: Easy-RSA writes a human-readable dump in front of the PEM block in issued certificates (`pki/issued/client2.crt`), and that part is not needed.

Example configuration:

client
dev tun
proto udp
remote <your vm-public-ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
verb 3
redirect-gateway def1
dhcp-option DNS 8.8.8.8

<ca>
-----BEGIN CERTIFICATE-----
[Your CA Certificate Content Here]
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
[Your Client2 Certificate Content Here]
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
[Your Client2 Private Key Content Here]
-----END PRIVATE KEY-----
</key>

3. Transfer the Configuration File to your Android device:

- This file now contains client2’s private key, so move it over a channel you trust: a USB cable to your PC, or a direct transfer between your own devices. If you fall back to email or a file-sharing app (Google Drive, Dropbox, etc.), delete the copy there as soon as the profile is imported.

- Save the file to your device’s internal storage or the preferred location.

4. Import the Profile into OpenVPN Connect:

- Open the OpenVPN Connect app on your Android device.

- Tap the menu icon (three horizontal lines) in the top-left corner.

- Tap “Import Profile” and then “File”.

- Navigate to and select the `client.ovpn` file to import it.

5. Connect to the VPN:

- Once the profile is imported, it will appear in the OpenVPN Connect app.

- Tap on the profile and then tap “Connect”.

- Grant necessary permissions when prompted.

6. Verify the Connection:

- Open a web browser on your Android device and visit whatismyip.com; the public IP address shown should be your VM’s address, not your mobile carrier’s.
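Both the Windows and the Android steps above end with the same chore: pasting three files (four, once you add a tls-crypt key) into one `.ovpn` without dragging along the text dump Easy-RSA puts before each certificate or the comment lines `openvpn --genkey` writes into `ta.key`. The script below does that assembly and is an added example written for this page, not code from the article or from OpenVPN. It assumes the server was given `tls-crypt ta.key` (pass `tls_crypt=False` if not); `SAMPLE_FILES` holds constructed placeholders with the same BEGIN/END markers Easy-RSA and OpenVPN produce, not real key material.

```python
"""Assemble one self-contained client.ovpn with all key material inline.

Added example, not part of the original article.  SAMPLE_FILES are
constructed placeholders that only imitate the file layout Easy-RSA and
`openvpn --genkey` produce; feed the real files to build_profile().
"""
import re

# Label between the BEGIN/END markers, body, then the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Za-z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)

KEY_LABELS = ("PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY")

SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nMIIBcaPLACEHOLDER\n-----END CERTIFICATE-----\n",
    # Easy-RSA issued certs carry a text dump before the PEM block.
    "client.crt": ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
                   "-----BEGIN CERTIFICATE-----\nMIIBclient2PLACEHOLDER\n"
                   "-----END CERTIFICATE-----\n"),
    "client.key": "-----BEGIN PRIVATE KEY-----\nMIIEkeyPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    # openvpn --genkey writes comment lines above the static key.
    "ta.key": ("#\n# 2048 bit OpenVPN static key\n#\n"
               "-----BEGIN OpenVPN Static key V1-----\n0123abcd\n"
               "-----END OpenVPN Static key V1-----\n"),
}


def extract_pem(text, labels):
    """Return only the PEM block whose label is one of `labels`."""
    for m in PEM_BLOCK.finditer(text):
        if m.group(1) in labels:
            return m.group(0)
    if "ENCRYPTED" in text:
        raise ValueError("key is passphrase-protected; regenerate with "
                         "nopass or the client cannot start unattended")
    raise ValueError(f"no {'/'.join(labels)} block found")


def build_profile(server, files, port=1194, tls_crypt=True):
    """Return client.ovpn text for `files`, a dict keyed by
    ca.crt / client.crt / client.key / ta.key holding file contents."""
    lines = [
        "client", "dev tun", "proto udp", f"remote {server} {port}",
        "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
        "remote-cert-tls server",   # only accept a cert signed for server use
        "data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305",
        "verb 3", "redirect-gateway def1",
    ]
    blocks = [
        ("ca", extract_pem(files["ca.crt"], ("CERTIFICATE",))),
        ("cert", extract_pem(files["client.crt"], ("CERTIFICATE",))),
        ("key", extract_pem(files["client.key"], KEY_LABELS)),
    ]
    if tls_crypt:
        blocks.append(("tls-crypt",
                       extract_pem(files["ta.key"], ("OpenVPN Static key V1",))))
    if blocks[0][1] == blocks[1][1]:
        raise ValueError("ca.crt and client.crt hold the same certificate")
    out = "\n".join(lines) + "\n"
    for tag, pem in blocks:
        out += f"<{tag}>\n{pem}\n</{tag}>\n"
    return out


def build_from_disk(server, ca, cert, key, ta=None):
    """Convenience wrapper: read the four files and build the profile."""
    names = {"ca.crt": ca, "client.crt": cert, "client.key": key, "ta.key": ta}
    files = {k: open(v).read() for k, v in names.items() if v}
    return build_profile(server, files, tls_crypt=ta is not None)


if __name__ == "__main__":
    print(build_profile("203.0.113.10", SAMPLE_FILES))
```

Write the result to `client2.ovpn`, move it to the phone, and delete the loose `.crt`/`.key` files on the PC; the profile is the only copy the client needs.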

Using `iftop` to Monitor Traffic

`iftop` is a useful tool for observing the bandwidth usage on a network interface in real time. Here are the steps to install and use `iftop` on your OpenVPN server:

Step 1: Install `iftop`

First, you need to install `iftop` on your server if it is not already installed.

1. Update Your Package List:

sudo apt-get update

2. Install `iftop`:

sudo apt-get install iftop -y

Step 2: Run `iftop`

Once `iftop` is installed, you can start monitoring traffic.

1. Run `iftop` on the OpenVPN Interface:

sudo iftop -i tun0

- `-i tun0`: Specifies the network interface to monitor. For OpenVPN, this is typically `tun0`.

Step 3: Interpreting `iftop` Output

When you run `iftop`, you’ll see a real-time display of bandwidth usage. Here’s a breakdown of the `iftop` interface:

1. Header:

- Across the top, you’ll see network activity over 2 seconds, 10 seconds, and 40 seconds intervals, providing an average of inbound and outbound traffic.

2. Main Window:

- The main part of the screen displays a list of connections. Each connection’s source and destination addresses are shown along with the amount of data being transferred.

- For example (two lines per connection: the first is traffic sent by the left-hand host, the second traffic it receives, each averaged over 2, 10 and 40 seconds; on `tun0` the left-hand address is a client’s VPN address):

10.8.0.2 => 198.51.100.20 300Kb 100Kb 50Kb
         <=               200Kb  90Kb 30Kb

3. Footer:

- Across the bottom, summary statistics include the total bandwidth usage of `tx` (send) and `rx` (receive).

- Various keyboard commands are listed at the bottom to control and adjust the display.

Step 4: Useful Command-Line Options

Here are a few additional command-line options you can use with `iftop`:

- Filter Traffic: Use filters to focus on specific traffic types.

sudo iftop -i tun0 -f "port 443"

This command filters traffic to only show HTTPS traffic (port 443).

- Set Display Limits: Set upper display limits for bandwidth.

sudo iftop -i tun0 -n -L 10

This command limits the display to the top 10 connections and avoids DNS resolution (`-n` flag).

Example Output

Here’s what you might see when you run `iftop` on your OpenVPN interface (`tun0`):

interface: tun0
IP address is: 10.8.0.1
MAC address is: 00:00:00:00:00:00
                                           2s      10s     40s
10.8.0.2            => 198.51.100.20     300Kb   100Kb    50Kb
                    <=                   200Kb    90Kb    30Kb
10.8.0.3            => google.com        150Kb    40Kb    10Kb
                    <=                   130Kb    30Kb     8Kb

TX:    cum:  500KB   peak:  100Kb   rates:   50Kb   30Kb   10Kb
RX:          400KB           90Kb            30Kb   20Kb    5Kb
TOTAL:       900KB          100Kb            50Kb   30Kb   15Kb

- Each line shows a connection from a local endpoint to a remote endpoint.

- The figures next to each connection show the data throughput averaged over 2 seconds, 10 seconds, and 40 seconds.

- The header shows average network activity, while the footer provides an overall summary of data throughput.
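`iftop` shows you VPN addresses such as 10.8.0.2, not which certificate is behind them. The status file that the `status openvpn-status.log` line in `server.conf` makes the daemon rewrite every minute maps each connected common name to its virtual address, its real source address and its byte counters, which is what you need to answer “who is this?” and, more importantly, “is anyone connected with a certificate I never issued?”. The parser below is an added example written for this page, not code from the article or OpenVPN; it reads the default status-version 1 layout. `SAMPLE_STATUS` is a constructed file containing the tutorial’s two clients plus a third common name the tutorial never created, so that the check has something to flag.

```python
"""Summarise an OpenVPN status file by client and flag unexpected peers.

Added example, not part of the original article.  SAMPLE_STATUS is a
constructed status-version 1 file; load_status() reads the real one.
"""

SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,2024-07-29 10:00:00
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51234,123456,654321,2024-07-29 09:50:00
client2,198.51.100.7:40001,2048,4096,2024-07-29 09:58:10
client3,192.0.2.9:33333,10,20,2024-07-29 09:59:00
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,client1,203.0.113.5:51234,2024-07-29 09:59:58
10.8.0.3,client2,198.51.100.7:40001,2024-07-29 09:59:59
10.8.0.4,client3,192.0.2.9:33333,2024-07-29 09:59:30
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Common names of the certificates built with easyrsa in Step 2.
ISSUED = {"client1", "client2"}

SECTION_HEADERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status(text):
    """Return {common_name: record} from a status-version 1 file.

    The client list gives counters and the real (internet) address; the
    routing table adds the virtual address handed out from the VPN pool.
    """
    clients, section = {}, None
    for line in text.splitlines():
        if line in SECTION_HEADERS:
            section = line
            continue
        f = line.split(",")
        if section == "OpenVPN CLIENT LIST" and len(f) == 5 and f[0] != "Common Name":
            clients[f[0]] = {
                "real_address": f[1],
                "bytes_received": int(f[2]),   # bytes the server got from the client
                "bytes_sent": int(f[3]),       # bytes the server sent to the client
                "connected_since": f[4],
                "virtual_address": None,
            }
        elif section == "ROUTING TABLE" and len(f) == 4 and f[0] != "Virtual Address":
            if f[1] in clients:
                clients[f[1]]["virtual_address"] = f[0]
    return clients


def unexpected_clients(clients, issued=ISSUED):
    """Common names connected with a certificate not in your issued set."""
    return sorted(cn for cn in clients if cn not in issued)


def top_talkers(clients, n=5):
    """Clients ordered by total bytes, to pair with what iftop shows."""
    return sorted(clients.items(),
                  key=lambda kv: kv[1]["bytes_received"] + kv[1]["bytes_sent"],
                  reverse=True)[:n]


def load_status(path="/etc/openvpn/openvpn-status.log"):
    """Parse the live status file written by the server configuration above."""
    with open(path) as fh:
        return parse_status(fh.read())


if __name__ == "__main__":
    clients = parse_status(SAMPLE_STATUS)
    for cn, rec in top_talkers(clients):
        print(f"{cn:10} {rec['virtual_address']:10} {rec['real_address']:22} "
              f"rx={rec['bytes_received']} tx={rec['bytes_sent']}")
    for cn in unexpected_clients(clients):
        print(f"WARNING: {cn} connected but was never issued; revoke it")
```

Keep `ISSUED` in step with the names you pass to `./easyrsa gen-req`; a common name you do not recognise means a certificate signed by your CA that you did not create, which is the signal to revoke it and check how `ca.key` was reached.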

Written by Robiuddin Robi, Senior Data Engineer