Create an OpenVPN Server in 5 Minutes

April 28, 2017


Security and privacy are very important and there have been several blog posts out there talking about the importance of a VPN. I thought I would put together something to automate the creation of an OpenVPN server and the first client configuration.

I'm using Python Fabric to do all the work and the install is based on a current version of Ubuntu. So, you could use this internally in order to get into your business or home environment or spin up a cloud instance at a place like Digital Ocean and secure all of your outbound traffic from the soon to be eyes of your ISP.

All of the code and files are up on GitHub here

A quick peek at the Fabric script:

from fabric.api import *
from fabric.contrib.files import sed

def deploy_openvpn():
    sudo('apt-get update')
    sudo('apt-get -y install openvpn easy-rsa')
    run('make-cadir ~/openvpn-ca')
    put('vars', '~/openvpn-ca/vars', mode=0644)
    with cd('~/openvpn-ca'):
        with prefix('source vars'):
            run('./build-key-server server')
            run('openvpn --genkey --secret keys/ta.key')
            run('./build-key client1')
    with cd('~/openvpn-ca/keys'):
        sudo('cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn')
    put('server.conf', '/etc/openvpn/server.conf', mode=0644, use_sudo=True)
    sed('/etc/sysctl.conf', '#net.ipv4.ip_forward=1', 'net.ipv4.ip_forward=1', use_sudo=True)
    sudo('sysctl -p')
    put('before.rules', '/etc/ufw/before.rules', mode=0640, use_sudo=True)
    sed('/etc/default/ufw', 'DEFAULT_FORWARD_POLICY=.*', 'DEFAULT_FORWARD_POLICY="ACCEPT"', use_sudo=True)
    sudo('ufw allow 1194/udp')
    sudo('ufw allow OpenSSH')
    sudo('ufw disable')
    sudo('ufw enable')
    sudo('systemctl enable openvpn@server')
    sudo('systemctl start openvpn@server')
    run('mkdir -p ~/client-configs/files')
    run('chmod 700 ~/client-configs/files')
    put('base.conf', '~/client-configs', mode=0644)
    put('','~/client-configs', mode=0700)
    with cd('~/client-configs'):
        run('./ client1')

You will first have to change a couple of settings. In the vars file, there is a section that sets the settings for the certificate, change these to match your name and email if you want. The other item that is rather important is in the base.conf file you need to change the server IP. This is the file that the OpenVPN config file is generated from and you'll want to connect to the correct IP.

Then just run the Fabric script:

fab -H -u root -i ~/.ssh/id_rsa deploy_openvpn

The -H option is the IP address of the destination server that you are deploying to.

The -u is the username that you are logging in with.

The -i is the ssh key that you are using to login with.

And, the deploy_openvpn is the name of the function within the Fabric script that you are deploying.

Don't go too quickly and read the prompts. There will be a few critical prompts to answer yes to or it will not work.

After it has ran you should end up with a client config file located in your user directory at ~/client-configs/files/client1.ovpn

Download the client config and import it into your favorite VPN client. Connect and surf securely