Setting up an OpenVPN server with VyOS and Viscosity
Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.
Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.
This guide will walk you through the steps involved in setting up an OpenVPN server on a VyOS host that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.
For this guide, we assume:
- You have already installed the latest version of VyOS (1.1 at time of writing)
- Your account has sudo privileges to this installation
- This installation of VyOS is a fresh install
- You already have a copy of Viscosity installed on your client device
If you need to download and install a copy of VyOS, a copy can be found at http://vyos.net/wiki/Main_Page. We won't be covering the details of setting up a VyOS instance, many guides can be found online. If you are running a different version of VyOS, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to setup an OpenVPN server on a different operating system, please check out our other guides.
If you don't have a copy of Viscosity already installed on your client, then please check out this setup guide for installing Viscosity (Mac | Windows).
Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.
For further information or help with VyOS, there are a range of resources and forums available at https://vyos.io/
We will assume that you have already set up your network interfaces as such:
- 'OUTSIDE' - eth0 connected to the internet
- 'INSIDE' - eth1 connected to your local home network
Generating Certificates and Keys
The next step is to generate your configurations for the server and your clients as well as certificates to go with them. You can do this easily by following the Creating Certificates and Keys Guide. Generate everything on your PC or Mac and then take a note of the path to your server folder that is created, we will be using the files here later on.
If you use the default DNS Server (10.8.0.1), you will need to setup a DNS server yourself, instructions are at the end of this article. We recommend instead using an existing DNS server, a publically available DNS server like Google's (184.108.40.206 and 220.127.116.11) is the easiest.
We now need to copy the following files to the
/config/auth/ directory on your VyOS appliance which will be in the server folder that openvpn-generate just created, we recommend using SCP. If you're unfamiliar with SCP, we have some help on how to transfer files with SCP in our Introduction Guide.
If you're using SCP from command line, an example command would be
scp path/to/server/ca.crt [email protected]:/config/auth/
OpenVPN Server Configuration
There are a number of different settings we need to customize in our OpenVPN server configuration. In the terminal, enter configuration mode by typing:
You should see the prompt change from $ to #. If you make a mistake entering the following configuration commands, you can remove a previously entered command by repeating the it, but replacing the word 'set' at the start with the word 'delete'.
Paste the following into the terminal window:
# Configure this OpenVPN instance to run as the VPN server set interfaces openvpn vtun0 mode server # The OpenVPN server needs to know the location of the Diffie Hellman file #NOTE: Depending on how you generated your keys, this file name might be 'dh.pem' instead set interfaces openvpn vtun0 tls dh-file '/config/auth/dh.pem' # Our VPN connection will be transported over UDP set interfaces openvpn vtun0 openvpn-option "--proto udp" # The server needs to keep a record of client virtual IP addresses so that they # can be reassigned if the server goes down set interfaces openvpn vtun0 openvpn-option "--ifconfig-pool-persist ipp.txt" # To ensure that each side of the VPN knows if the connection has been severed, # we want to ping each side every 10 seconds. If either side fails to recieve a # ping within 2 minutes, then it will assume the other side is down set interfaces openvpn vtun0 openvpn-option "--keepalive 10 120" # There can be security issues if you run the OpenVPN server as root, so we will # downgrade the user and group set interfaces openvpn vtun0 openvpn-option "--user nobody --group nogroup" # To avoid attempting to access resources that may no longer be accessible on # restart set interfaces openvpn vtun0 openvpn-option "--persist-key --persist-tun" # To write (and rewrite) a short summary of current VPN connections every minute # to a file set interfaces openvpn vtun0 openvpn-option "--status openvpn-status.log" # The verbosity of this connection logging (displayed in the Viscosity 'Details' # window) can range from 0 (silent) to 9 extremely verbose. We will use the # default of 3 set interfaces openvpn vtun0 openvpn-option "--verb 3" # To prevent more than 10 duplicates of the same log message in a row from # flooding the Viscosity log set interfaces openvpn vtun0 openvpn-option "--mute 10" # The credential files set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ca.crt' set interfaces openvpn vtun0 tls cert-file '/config/auth/server.crt' set interfaces openvpn vtun0 tls key-file '/config/auth/server.key' # The server will use the default OpenVPN port (1194) set interfaces openvpn vtun0 openvpn-option "--port 1194" # We need the VPN to create a tun network interface through which we can # route all our traffic: set interfaces openvpn vtun0 openvpn-option "--dev vtun0" # The VPN requires a private IP subnet. We will use the default OpenVPN IP # subnet set interfaces openvpn vtun0 server subnet '10.8.0.0/24' # We want VPN clients connected to this server to be able to access any hosts # accessible on your home network. We are assuming that your local network # subnet is 192.168.0.x/24. If it is something else, you will need to change the # IP address in the command below. set interfaces openvpn vtun0 server push-route 192.168.0.0/24 # For enhanced security, set a cipher and auth hash set interfaces openvpn vtun0 openvpn-option "--cipher AES-256-CBC" set interfaces openvpn vtun0 openvpn-option "--auth SHA256" # Lastly, we want to allow hosts on the home network to be able to see VPN # clients connected to the OpenVPN server set interfaces openvpn vtun0 openvpn-option "--client-to-client"
Pay special attention to the IP address in the
set interfaces openvpn vtun0 server push-route 192.168.0.0/24. Ensure that this subnet matches your home/office LAN IP subnet. If you are not setting up this VPN server to access your home/office LAN, then you can skip this line altogether.
We will use the firewall installed by default on VyOS. If you are installing OpenVPN on a server that already has its own firewall setup, make sure to add the rules to allow our OpenVPN traffic. However, if this is just a simple standalone VyOS server, the firewall settings below should be enough to get your OpenVPN server up and running.
Still in configuration mode, paste the following into the terminal window:
# First we will set the rules for traffic passing through the server. We want # the firewall to allow traffic for existing connections to the server, and drop # any new ones: set firewall name OUTSIDE-IN default-action 'drop' set firewall name OUTSIDE-IN rule 10 action 'accept' set firewall name OUTSIDE-IN rule 10 state established 'enable' set firewall name OUTSIDE-IN rule 10 state related 'enable' # Next we will set the rules to allow the local network to talk to the outside world set firewall name OUTSIDE-LOCAL default-action 'drop' set firewall name OUTSIDE-LOCAL rule 10 action 'accept' set firewall name OUTSIDE-LOCAL rule 10 state established 'enable' set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'</code> # If you would like the ability to ping your VyOS server externally, add the following set firewall name OUTSIDE-LOCAL rule 20 action 'accept' set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request' set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp' set firewall name OUTSIDE-LOCAL rule 20 state new 'enable' # If you would like the ability to SSH into your server externally (without a VPN connected), add the following # NOTE - This can be a security risk and is not recommended set firewall name OUTSIDE-LOCAL rule 30 action 'drop' set firewall name OUTSIDE-LOCAL rule 30 destination port '22' set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp' set firewall name OUTSIDE-LOCAL rule 30 recent count '4' set firewall name OUTSIDE-LOCAL rule 30 recent time '60' set firewall name OUTSIDE-LOCAL rule 30 state new 'enable' set firewall name OUTSIDE-LOCAL rule 31 action 'accept' set firewall name OUTSIDE-LOCAL rule 31 destination port '22' set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp' set firewall name OUTSIDE-LOCAL rule 31 state new 'enable' # Allow external connections to the OpenVPN port. This will allow you to VPN to your server # from somewhere outside your local network (like a coffee shop) set firewall name OUTSIDE-LOCAL rule 40 action 'accept' set firewall name OUTSIDE-LOCAL rule 40 destination port '1194' set firewall name OUTSIDE-LOCAL rule 40 protocol 'udp' # Apply these firewall policies: set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN' set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL' # Lastly, we need to enable NAT masquerade: set nat source rule 100 outbound-interface 'eth0' set nat source rule 100 source address '10.8.0.0/24' set nat source rule 100 translation address 'masquerade' set nat source rule 200 outbound-interface 'eth1' set nat source rule 200 source address '10.8.0.0/24' set nat source rule 200 translation address 'masquerade'
If you are planning on encrypting all network traffic through your VPN server then it is recommended to enable your own DNS server. VyOS has a DNS forwarder installed by default which we can use to provide our own DNS server for the VPN connection, to prevent DNS related attacks.
Still in configuration mode, paste the following into the terminal window:
# We will set the DNS forwarder to store 100 lookups locally, to speed up # repeated DNS requests: set service dns forwarding cache-size '100' # DNS queries will be resolved coming from the local network: set service dns forwarding listen-on 'eth1' # DNS queries will be resolved coming from our VPN connection: set service dns forwarding listen-on 'vtun0' # We will use the Google DNS servers (you are free to use your DNS resolution # service of choice): set service dns forwarding name-server '18.104.22.168' set service dns forwarding name-server '22.214.171.124'
Now that we're done setting up the configuration, save the changes by entering the following into the terminal:
and exit configuration mode:
If your VyOS server is directly accessible, then you can skip this section. There is no router to configure.
However if your VyOS server is behind a router (such as on your home WiFi), then you will need to configure your router to permit VPN traffic. Due to the many different models of router and network configurations, we cannot provide a step by step guide on how to set up your router to allow VPN traffic. However there are a few settings you are likely to need to change, so we will outline them here.
As the the router will be directing all traffic to and from your OpenVPN server, you will need to set up port forwarding so that the OpenVPN server is externally accessible. Port forwarding may be under the section in your router management interface named 'Virtual Servers'. In general, you will want to forward any traffic incoming to the router on the OpenVPN port (1194). You will need to setup a rule to send any UDP traffic on these ports to the local IP address of your OpenVPN server (which is probably something in the range 192.168.0.x).
If you have set up port forwarding please also make a note of your external WAN IP address. This is the IP address assigned to your router by your Internet Service Provider (ISP). This address will be needed when configuring your connection in Viscosity below.
The other main router setting you will need to consider is static routing. Because you will have a VPN set up, there will be traffic sent to your router with a source or destination IP in the range 10.8.0.x. This traffic will need to have static routing in place to ensure that when a host recieves a request from the VPN client (on the 10.8.0.x subnet) and sends a response to that address, the router knows how to convert the 10.8.0.x IP address into an address it understands (i.e. 192.168.0.x). Thus you will need to setup a static routing rule that has the following properties:
Destination: 10.8.0.0 Subnet mask: 255.255.255.0 Default gateway: your-server-IP
where your-server-IP is the IP address of your OpenVPN server on the local network (something in the range 192.168.0.x).
Setting Up Viscosity
The final step is to setup Viscosity. Thanks to openvpn-generate, this is as easy as importing and connecting.
Copy your *.visz file you created with openvpn-generate to your Mac or Windows machine with Viscosity installed and double click the file. You should see a prompt that the config was imported successfully.
Once imported, edit your connection and go to the Advanced tab. Add the following two commands on new lines:
Connecting and Using Your VPN Connection
You are now ready to connect. Click on the Viscosity icon in the macOS menu bar or Windows system tray to open the Viscosity Menu, select the connection you imported, and Viscosity will connect.
To check that the VPN is up and running, you can open the Details window from the Viscosity Menu. This will allow you to view connection details, traffic and the OpenVPN log.
That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!