Setup OpenVPN

With a global shutdown on normal business operations, access to your office network is no longer optional; it is a necessity. In this article I will show you step by step how to set up a VPN connection to access your office network securely.

To access your office network, you will need:

  • Virtual Private Network software,
  • a PC or server to run it on,
  • and an internet router configured to allow the network traffic.

What Is A VPN

A VPN, or Virtual Private Network, is software that establishes a secure tunnel over an internet connection. If you google for VPN, most of the results will be for an outbound VPN, which allows you to access the internet securely and prevents your ISP (Internet Service Provider) from tracking the sites you access. What we need is the exact opposite: an inbound VPN that allows a secure tunnel INTO your network.

For this we are going to use OpenVPN. OpenVPN is an open-source software solution for setting up a VPN, and consists of two parts: the VPN server software, which accepts client connections and attaches them to the network, and the VPN client software, which connects client PCs to the VPN server.

Now, while OpenVPN has a Windows server available, it is actually easier to configure on Linux, and this is what we will do here.

A note on Linux: this guide is written for all small business owners, and no technical skill is assumed. I will explain every step, and provide additional notes on not just HOW to do it, but WHY we do it as we go along. It might seem daunting, but relax!

Hardware Requirements

You will need a PC to run the VPN server software. You can use any old PC; 4GB of RAM is recommended, although you can get away with as little as 1GB. Note that ALL the data will be deleted from this machine, so choose wisely, and back up diligently.

Install Linux

For this guide we are going to install Ubuntu 20, so head over here and download the ISO image. For beginners or those not too familiar with Linux, I suggest getting the Desktop edition. If you are comfortable working in the command line, feel free to grab the server ISO. (What is an ISO? It is a disk image we will use to install Ubuntu.)

Ubuntu Desktop vs Ubuntu Server

There is zero difference between the Server and Desktop ISOs, apart from the software packages that are installed by default on each, which is why the server image is smaller. The server also does not come with a desktop by default. While the server requires fewer resources than the desktop version, OpenVPN is not that resource intensive to begin with. So for the mere fact that most users feel more comfortable in a desktop, just go with that!

After you have downloaded the ISO, follow their guide to Burn A CD, or if you live in 2020 with the rest of us, just create a bootable USB drive as explained here.

Insert the CD or USB drive into your sacrificial PC and turn it on. You will see an option asking whether you want to boot from CD, USB or hard drive; choose USB or CD here.

Now that you have Ubuntu installed, you might want to open a browser on that machine and continue with this article there to easily copy the commands we are going to use next.

A quick note on command line

In the rest of this article you will see terminal commands illustrated like this:

curl ifconfig.me

To run these, open a terminal window (by pressing the Windows key and typing in terminal), type all the characters and press enter. Remember that in Linux casing is very important, so typing CURL instead of curl will not work.

What Is An IP Address

Your PC will have its own IP address on your local network (this is like your room number), and your office / home will have an external IP address that connects you to the internet (this is like your street address). If someone wants to send you a package, they send it to your street address, and reception will take it to your room. It works exactly the same for internet traffic: people send data to your EXTERNAL IP address, and your ROUTER delivers the package to your PC.

Configure Ubuntu To Use A Static IP

Install OpenVPN

OpenVPN actually supplies a script file that will automate most of the setup required, and also acts as a tool to create and revoke VPN clients. Type the following in your terminal:

cd ~
mkdir openvpn
cd openvpn
wget https://git.io/vpn -O openvpn-install.sh
chmod +x openvpn-install.sh

What did you just do?

  • cd ~ : navigates to your home directory.
  • mkdir openvpn : creates a new directory named openvpn.
  • cd openvpn : navigates to the openvpn directory you just created.
  • wget : fetches the openvpn install script from the web and places it in a file named openvpn-install.sh.
  • chmod +x : makes the file executable. As a side note, this is one of the reasons WHY Linux is considered more secure than Windows: you have to explicitly allow a file to execute on your system.

Next you will actually install OpenVPN server.

Before you continue, however, you will need your public IP.

Head over to ifconfig.me in your browser, or if you did a server install, or just want to test your command line skills, just type

curl ifconfig.me

Note down this address; we will use it next.

Now for the actual install. Since the script is going to make system changes, you need to run it as a Super User. That's where sudo comes in, which means ‘super user do’. Just type:

sudo ./openvpn-install.sh

It will prompt for your sudo password – this is your normal user password. If you entered it successfully, the script will start running and ask for some input.

  • For the IP address, enter your public IP address, or dyndns name.
  • Keep the port at 1194.
  • For DNS choose current system resolvers. This will allow client PCs to access your internal computers and servers by name.
  • Client Name: This will be the first VPN client generated. I suggest you use your name here, and do the same when creating clients for your other staff, so that you can easily identify and revoke VPN connections.

To double check everything is working just type:

sudo systemctl status openvpn-server@server

The output should look like this:

● openvpn-server@server.service - OpenVPN service for server
   Loaded: loaded (/lib/systemd/system/openvpn-server@.service; indirect; vendor preset: enabled)
   Active: active (running) since Fri 2020-05-15 10:29:55 SAST; 1 weeks 2 days ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 1757 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
           └─1757 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --s

And that's it! You just configured a secure OpenVPN server in Linux!

Well done! Take a breath, a sip of coffee, and get ready for the next step: Configuring your incoming network connections.

Configure Your Router

When a VPN client hits your external IP address, you need to tell your ROUTER to send the data to your VPN server. Let's look at our delivery analogy again. When you receive a delivery, your receptionist (the router) accepts it, and sends it to the correct room number (your VPN server). To do this we need to set up port forwarding. You will need your router IP address, and its administrator user name and password. On any of your Windows PCs you can type in

route print

or on linux

route -n

You will see a gateway IP address next to 0.0.0.0; that will be your router IP address. See the example output below, where the gateway we want is 192.168.1.1.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlo1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlo1
192.168.0.0     0.0.0.0         255.255.0.0     U     600    0        0 wlo1

Type this gateway IP into a browser window, and log into your router.

Now, since all routers are different, this is where you will need to do a bit of figuring out.

What you are looking for, is a Virtual Server, or Port Forwarding section. You can head over to PortForward.com. They have a guide for almost every router out there. If you cannot find your exact model, just choose one with the closest model number from the same manufacturer – chances are the software / interface will be the same.

What you need to set:

  • Source IP: leave blank, or set to 0.0.0.0 if a value is required
  • Port: 1194
  • Local IP / Destination IP: Your Ubuntu OpenVPN server IP address
  • Local Port / Destination Port: 1194
  • Protocol: UDP

Ok, now we need to connect your Windows PC to the VPN.

Download VPN File

To get the .ovpn file you just created, you will need an SFTP client. I suggest you get FileZilla from here. It has a graphic interface and works on all platforms.

To connect just create a new profile, with the settings:

  • Protocol: SFTP
  • Address: Your Ubuntu server internal IP

Connect to the server. You should be presented with the home folder on the server, showing all your ovpn files. Just drag and drop them to your computer.

Install OpenVpn Client

Head over to OpenVPN Windows Client and download it.

On your Windows PC, install the client, and double click the ovpn file you created. It will import the client settings. Now all that is left is to toggle the connect button.

All your hard work will be rewarded by a beautiful green button. Well done!

Just note that your client must NOT be on your internal network, but on an external network. So to test, just connect to a mobile hotspot like your phone.
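
One way to check that a downloaded .ovpn profile agrees with the port-forwarding rule set on the router (port 1194, UDP) and was generated with a public address, so that it can work from outside the office. This is an added example, not part of the original article or of the install script; the function names, file names and sample profiles are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a client profile with the router's forwarding rule.

# check_profile FILE [PORT] [PROTO]
# Prints one finding per line and returns non-zero if the profile does not
# match the forwarded port/protocol or points at an office-only address.
check_profile() {
    awk -v want_port="${2:-1194}" -v want_proto="${3:-udp}" '
        $1 == "remote" { host = $2; port = $3 }
        $1 == "proto"  { proto = $2 }
        END {
            bad = 0
            if (port == "")  port = 1194      # OpenVPN default port
            if (proto == "") proto = "udp"    # OpenVPN default protocol
            # RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16
            is_private = (host ~ /^10\./ || host ~ /^192\.168\./ ||
                          host ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
            if (host == "")  { print "no remote line found"; bad = 1 }
            if (is_private)  { print "remote " host " is a private address"; bad = 1 }
            if (port != want_port) {
                print "port " port " is not the forwarded port " want_port; bad = 1
            }
            if (proto != want_proto) {
                print "proto " proto " does not match " want_proto; bad = 1
            }
            exit bad
        }' "$1"
}

# Constructed profiles: one generated with a public address (203.0.113.10 is
# a documentation address), one generated with an internal address.
good_profile() { printf 'client\ndev tun\nproto udp\nremote 203.0.113.10 1194\n'; }
bad_profile()  { printf 'client\ndev tun\nproto udp\nremote 192.168.1.50 1194\n'; }

dir=$(mktemp -d)
good_profile > "$dir/good.ovpn"
bad_profile  > "$dir/bad.ovpn"
check_profile "$dir/good.ovpn" && echo "good.ovpn: ok"
check_profile "$dir/bad.ovpn"  || echo "bad.ovpn: will only work inside the office"
rm -rf "$dir"
```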

Create Additional Client Certificates

To create new clients, just run the openvpn script again.

sudo ./openvpn-install.sh

Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option: 

Just type 1, and press enter

You will be prompted for a new client name

Tell me a name for the client certificate.
Client name: testclient1

Using SSL: openssl OpenSSL 1.1.1  11 Sep 2018
Generating a RSA private key
......+++++
........................................................................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/'
--
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testclient1'
Certificate is to be certified until May 22 16:42:48 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Client testclient1 added, configuration is available at: /home/theuns/testclient1.ovpn

Type a name for your client and press enter. Use a descriptive name, preferably the person's name. VPN certificates are not to be shared or re-used. Rather revoke a certificate, and generate a new one.

Your new client certificate will be created, and you can download via Filezilla as described above.

It is also important to revoke users that no longer need access to the VPN. Also, if any user loses a certificate, or the device it is installed on, rather revoke it and generate a new certificate.
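
One way to audit who still holds a valid certificate, as an added example that is not part of the original article or of the install script. It assumes the easy-rsa directory keeps an OpenSSL-style index.txt certificate database; the path to that file is passed as an argument, and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list VPN certificates and their status.
# Assumption: the file given as $1 is an OpenSSL CA database (index.txt)
# with tab-separated fields:
#   status (V = valid, R = revoked, E = expired), expiry date,
#   revocation date, serial, file name, subject (/CN=<client name>)

# Print "<status><TAB><client name><TAB><expiry as YYYY-MM-DD>" per certificate.
cert_report() {
    awk -F'\t' '
        NF >= 6 {
            name = $6
            sub(/^.*\/CN=/, "", name)     # keep only the common name
            sub(/\/.*$/, "", name)
            expiry = $2
            # UTCTime is YYMMDDHHMMSSZ; assume this century for 2-digit years
            if (length(expiry) == 13) expiry = "20" expiry
            printf "%s\t%s\t%s-%s-%s\n", $1, name,
                   substr(expiry, 1, 4), substr(expiry, 5, 2), substr(expiry, 7, 2)
        }' "$1"
}

# Print only the names whose certificate is still accepted (status V).
valid_clients() {
    cert_report "$1" | awk -F'\t' '$1 == "V" { print $2 }'
}

# Constructed sample database (not taken from a real server).
sample_index() {
    printf 'V\t300522164248Z\t\t01\tunknown\t/CN=server\n'
    printf 'V\t300522164248Z\t\t02\tunknown\t/CN=testclient1\n'
    printf 'R\t300522164248Z\t200601101500Z\t03\tunknown\t/CN=oldlaptop\n'
}

idx=$(mktemp)
sample_index > "$idx"
cert_report "$idx"
rm -f "$idx"
```

Any name reported as valid that belongs to someone who no longer needs access should be revoked with option 2 of the install script.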

Warning

REMEMBER: any client connected via VPN has the same access on your network as if it was connected directly to your network with a physical network cable, so make sure all client PCs you connect have updated antivirus software and all system updates installed.