OpenVPN is a popular open-source VPN software that provides a secure, encrypted connection between devices over the internet. In this tutorial, we will walk you through the process of how to install and configure an OpenVPN server on Arch Linux. By the end of this guide, you’ll have a fully functioning VPN server that you can use to protect your online privacy and securely access your home network from anywhere.
Prerequisites
Before starting, ensure that you have the following:
- An Arch Linux system with root or sudo access
- A basic understanding of Linux commands
- A public IP address or domain name for your server
How to Install & Configure OpenVPN Server on Arch Linux
Update Your System
First, bring your Arch Linux system fully up to date. Arch is a rolling release, so a partial upgrade is not a supported state; run a full one before installing anything:
sudo pacman -Syu
Install OpenVPN and Easy-RSA
Install the OpenVPN and Easy-RSA packages using the following command:
sudo pacman -S openvpn easy-rsa
Configure the Certificate Authority (CA)
Arch installs the easyrsa wrapper as /usr/bin/easyrsa and its configuration (vars, openssl-easyrsa.cnf and the x509-types directory) under /etc/easy-rsa; pacman -Ql easy-rsa lists the exact files if your package differs. Copy that directory into your home so the PKI is created and owned by your unprivileged user, and point EASYRSA at the copy so the script finds its configuration there:
cp -r /etc/easy-rsa ~/easy-rsa
cd ~/easy-rsa
export EASYRSA=$(pwd)
Next, edit the vars file (upstream releases ship it as vars.example; copy it to vars if that is what you have) to customize your certificate details:
vim vars
Find and update the following lines with your information:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "YourOrganization"
set_var EASYRSA_REQ_EMAIL "admin@example.com"
set_var EASYRSA_REQ_OU "YourOrganizationalUnit"
Save and exit the file. Initialize the Public Key Infrastructure (PKI) and create the CA by running the following commands from ~/easy-rsa:
easyrsa init-pki
easyrsa build-ca
Enter a passphrase for your CA when prompted, then a Common Name for it. The passphrase protects pki/private/ca.key, the key that vouches for every server and client in this VPN, and will be required whenever you sign new certificates. Anyone holding that key can mint valid client certificates, so it stays on this machine (or, better, offline) and is never copied to the VPN server's configuration directory.
Generate Server and Client Certificates
Create a server certificate request and key. nopass leaves the server key unencrypted, which is required for the service to start unattended at boot:
easyrsa gen-req server nopass
Sign the server request using the CA (you will be asked for the CA passphrase). The server type embeds the TLS server role in the certificate, which is what clients check with remote-cert-tls server later:
easyrsa sign-req server server
Create a client certificate request and key. Here nopass is a convenience; omit it if you want the client key protected by a passphrase at rest:
easyrsa gen-req client1 nopass
Sign the client request:
easyrsa sign-req client client1
Generate Diffie-Hellman Parameters and the tls-crypt Key
Generate Diffie-Hellman parameters (this takes a while) and a static tls-crypt key. The template server.conf used below enables tls-auth ta.key 0 by default, so without a ta.key the service refuses to start; tls-crypt is the newer form of the same idea and both authenticates and encrypts the control channel, which lets the server drop unauthenticated packets before doing any TLS work and hides the handshake from a passive observer:
easyrsa gen-dh
openvpn --genkey secret ~/easy-rsa/ta.key
(OpenVPN 2.4 spells the second command openvpn --genkey --secret ~/easy-rsa/ta.key.) The resulting file is a shared secret: every client gets a copy, and it is rotated together with the client profiles.
Configure OpenVPN on Arch Linux
The openvpn package already provides /etc/openvpn/server/; its openvpn-server@.service template starts /etc/openvpn/server/<name>.conf with that directory as working directory. Create it only if it is missing:
sudo mkdir -p /etc/openvpn/server
Copy the server configuration template (Arch ships the examples flat under /usr/share/openvpn/examples/):
sudo cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server/
Edit the server configuration file:
sudo vim /etc/openvpn/server/server.conf
Find and update the following lines. Relative file names resolve in /etc/openvpn/server, and the template's tls-auth ta.key 0 line is replaced by tls-crypt:
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
Also uncomment user nobody and group nobody so the daemon drops root once the tunnel is up; persist-key and persist-tun, already set in the template, let it restart the tunnel later without needing to re-read the key as root. Save and exit the file. Copy the certificates and keys to the OpenVPN configuration directory and lock down the private material. Note that pki/private/ca.key is not among them:
sudo cp ~/easy-rsa/pki/ca.crt ~/easy-rsa/pki/issued/server.crt ~/easy-rsa/pki/dh.pem ~/easy-rsa/ta.key /etc/openvpn/server/
sudo cp ~/easy-rsa/pki/private/server.key /etc/openvpn/server/
sudo chmod 600 /etc/openvpn/server/server.key /etc/openvpn/server/ta.key
Enable IP Forwarding on Arch Linux
Arch does not use /etc/sysctl.conf; systemd-sysctl reads drop-in files from /etc/sysctl.d/ at boot. Create one for IP forwarding:
sudo vim /etc/sysctl.d/99-ip-forward.conf
Add the following line:
net.ipv4.ip_forward = 1
Save and exit the file. Apply the changes without rebooting:
sudo sysctl --system
Without forwarding the server still accepts VPN connections, but silently drops everything clients send to hosts other than the server itself.
Configure Firewall Rules
Assuming you are using iptables (Arch's default iptables package is the nftables-backed iptables-nft build, which accepts the same syntax), add a NAT rule so traffic from VPN clients leaves with the server's own address:
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Replace eth0 with your outbound interface if it is different; Arch uses predictable names such as enp3s0, and ip route shows which one carries the default route. On a host whose FORWARD policy is DROP you additionally need rules accepting traffic between tun0 and that interface, and if INPUT is filtered, UDP port 1194 must be allowed in. iptables-persistent is a Debian package that does not exist on Arch; here the iptables package ships iptables.service, which restores /etc/iptables/iptables.rules at boot. Save the rules there (the redirection has to run as root as well, which a plain sudo in front of iptables-save does not achieve) and enable the unit:
sudo sh -c 'iptables-save > /etc/iptables/iptables.rules'
sudo systemctl enable iptables.service
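The complete server-side ruleset this setup needs, as an added example that is not part of the original tutorial: besides the MASQUERADE rule it accepts the OpenVPN port and forwards tunnel traffic in both directions, which matters as soon as your INPUT or FORWARD policy is DROP. The interface name, the 10.8.0.0/24 subnet and the apply/dry-run arguments are assumptions for the example; setting IPT=echo prints the iptables commands instead of running them.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: the server-side ruleset
# for the OpenVPN setup above, as a script you can dry-run. IPT defaults to
# iptables; run with IPT=echo to print the commands instead of applying them.
# Interface and subnet are assumptions; pass your own as arguments.
set -eu

IPT=${IPT:-iptables}

# vpn_firewall WAN_IF VPN_SUBNET PORT PROTO
#   - accept the OpenVPN port on the public interface
#   - forward client traffic out, and only reply traffic back in
#   - source-NAT client traffic so upstream sees the server's address
vpn_firewall() {
    wan=$1; subnet=$2; port=$3; proto=$4
    $IPT -A INPUT -i "$wan" -p "$proto" --dport "$port" -j ACCEPT
    $IPT -A FORWARD -i tun+ -o "$wan" -s "$subnet" -j ACCEPT
    $IPT -A FORWARD -i "$wan" -o tun+ -d "$subnet" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$subnet" -o "$wan" -j MASQUERADE
}

# Save the live ruleset where Arch's iptables.service restores it from.
save_rules() {
    iptables-save > /etc/iptables/iptables.rules
}

# Usage: sudo sh vpn-firewall.sh apply enp3s0        (apply once, then persist)
#        IPT=echo sh vpn-firewall.sh apply enp3s0    (dry run)
# The rules use -A, so run apply only once per boot or restore from the
# saved file; running it twice appends duplicate rules.
if [ "${1:-}" = apply ]; then
    vpn_firewall "${2:-eth0}" 10.8.0.0/24 1194 udp
    if [ "$IPT" = iptables ]; then
        save_rules
    fi
fi
```

The FORWARD rule towards the tunnel is restricted to ESTABLISHED,RELATED, so hosts on the internet cannot initiate connections to VPN clients through the server; drop that match only if you deliberately want clients reachable from outside.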
Start and Enable OpenVPN Service
The unit is an instance of the openvpn-server@.service template named after the configuration file, so server.conf is started as openvpn-server@server. Enable and start it:
sudo systemctl enable --now openvpn-server@server.service
Check the status to ensure the service is running:
sudo systemctl status openvpn-server@server.service
If it fails, journalctl -u openvpn-server@server shows why; a missing ta.key or a server.key the process cannot read are the usual causes.
Configure Client Devices
Transfer the CA certificate, the tls-crypt key and the client's own certificate and key to the client device. client1.key and ta.key are secrets: move them over an authenticated channel such as SCP, or a USB stick handed over in person, never by e-mail. The CA's private key is not transferred anywhere:
scp ~/easy-rsa/pki/ca.crt user@client:/path/to/client/config/
scp ~/easy-rsa/pki/issued/client1.crt user@client:/path/to/client/config/
scp ~/easy-rsa/pki/private/client1.key user@client:/path/to/client/config/
scp ~/easy-rsa/ta.key user@client:/path/to/client/config/
Create an OpenVPN client configuration file on the client device, for example client1.ovpn, and include the following content. The four files are embedded inline, so the separate copies can be deleted once the profile exists:
client
dev tun
proto udp
remote YOUR_PUBLIC_IP_OR_DOMAIN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(Contents of ca.crt)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(Contents of client1.crt)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(Contents of client1.key)
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(Contents of ta.key)
-----END OpenVPN Static key V1-----
</tls-crypt>
Replace YOUR_PUBLIC_IP_OR_DOMAIN with your server's public IP address or domain name, and paste the contents of ca.crt, client1.crt, client1.key and ta.key between the corresponding <ca>, <cert>, <key> and <tls-crypt> tags. For the certificates only the part from -----BEGIN to -----END is needed; easyrsa prefixes issued certificates with a human-readable dump that can be dropped. The <tls-crypt> block is mandatory because the server is configured with tls-crypt: without it the server discards every packet from this client before the handshake begins. remote-cert-tls server makes the client accept only a certificate that the CA signed for the server role, so a stolen client certificate cannot be used to impersonate the server. cipher AES-256-CBC is a compatibility setting: OpenVPN 2.4 and later peers negotiate AES-256-GCM for the data channel regardless, and 2.5+ warns that cipher is deprecated in favour of data-ciphers.
On the client device, install the OpenVPN client software and import the client1.ovpn configuration file. On an Arch client, place it at /etc/openvpn/client/client1.conf instead and start it with openvpn-client@client1.service. Either way the profile contains the private key, so restrict its permissions.
Test Your VPN Connection
Connect to the VPN server from your client device using the OpenVPN client software. On success the client log ends with Initialization Sequence Completed, the client has a tun interface with an address from 10.8.0.0/24, and hosts on the server's network are reachable through it. Internet traffic goes through the tunnel only if server.conf pushes a default route: uncomment push "redirect-gateway def1 bypass-dhcp" in the template for that. Otherwise the client keeps its normal route for everything outside the VPN subnet, which is the right setting when all you want is to reach your home network.
Congratulations! You have now successfully installed and configured an OpenVPN server on Arch Linux. Now that your OpenVPN server is set up and running, you can add more clients or enhance your VPN server’s security and performance by following these optional steps:
Add More Clients
To add more clients, repeat the client certificate steps above (easyrsa gen-req and easyrsa sign-req client) with the desired client name in place of client1. Each device gets its own certificate; that is what lets you revoke one lost device later without touching the others. Then copy the new certificate and key to the device (the CA certificate and ta.key are the same for every client), create a new OpenVPN configuration file (e.g., client2.ovpn), and import it into the OpenVPN client software on the new device.
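Building the single-file profile from the PKI by hand, for client1 above and for every further client, is error-prone (the wrong PEM block, a forgotten tls-crypt section, a world-readable file). The script below is an added example, not part of the original tutorial, that assembles the profile from the Easy-RSA layout used in this guide; the server name vpn.example.com and the argument order are assumptions for the example.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: assemble a single-file
# client profile with the CA certificate, client certificate, client key and
# tls-crypt key inlined, so one file (containing a secret key!) is moved to
# the client instead of four. Paths follow this tutorial's layout; the server
# name is a placeholder. Both are assumptions.
set -eu

# Print only the PEM block of a file. easyrsa's issued/*.crt carry a
# human-readable certificate dump before the PEM; OpenVPN tolerates it but it
# bloats the profile, so strip it.
pem() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# make_ovpn NAME SERVER PKI_DIR TA_KEY
#   writes the profile to stdout; returns 1 if any input file is unreadable
make_ovpn() {
    name=$1; server=$2; pki=$3; ta=$4
    cert=$pki/issued/$name.crt
    key=$pki/private/$name.key
    for f in "$pki/ca.crt" "$cert" "$key" "$ta"; do
        if [ ! -r "$f" ]; then
            echo "make_ovpn: cannot read $f" >&2
            return 1
        fi
    done
    # cipher AES-256-CBC is deliberately omitted: 2.4+ peers negotiate
    # AES-256-GCM; add it only for pre-2.4 peers.
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
verb 3
EOF
    printf '<ca>\n';        pem "$pki/ca.crt"; printf '</ca>\n'
    printf '<cert>\n';      pem "$cert";       printf '</cert>\n'
    printf '<key>\n';       pem "$key";        printf '</key>\n'
    printf '<tls-crypt>\n'; pem "$ta";         printf '</tls-crypt>\n'
}

# Usage: sh make-ovpn.sh client1 vpn.example.com ~/easy-rsa/pki ~/easy-rsa/ta.key
# Writes client1.ovpn readable only by the invoking user, since it embeds
# the private key.
if [ $# -eq 4 ]; then
    umask 077
    make_ovpn "$@" > "$1.ovpn"
    echo "wrote $1.ovpn"
fi
```

Because the profile is the client's complete identity, hand it over the same way you would hand over a password, and delete it from the PKI machine once it is on the device.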
Use DNS Server
To avoid DNS leaks, have the server push a resolver that clients reach through the tunnel, such as a DNS server on your home network or a public one like Cloudflare or Google. This only helps together with a pushed default route: uncomment push "redirect-gateway def1 bypass-dhcp" in server.conf if you want all client traffic, DNS included, to go through the VPN. Edit the OpenVPN server configuration file:
sudo vim /etc/openvpn/server/server.conf
Add the following lines to configure the DNS server:
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
Replace 1.1.1.1 and 1.0.0.1 with the desired DNS server IP addresses. Windows clients apply pushed DNS servers automatically; Linux clients do not, and need an up/down script in their profile, such as update-resolv-conf or update-systemd-resolved, to rewrite the resolver configuration. Save and exit the file. Restart the OpenVPN server to apply the changes:
sudo systemctl restart openvpn-server@server.service
Configure VPN Kill Switch
A kill switch keeps a client from falling back to its plain connection when the tunnel drops, which matters for clients that must never send traffic outside the VPN. block-outside-dns, often recommended for this, is not one: it is a Windows-only option that stops DNS queries from leaving through other interfaces while the tunnel is up, and it does nothing once the tunnel is gone (other platforms ignore it). It is still worth adding to a Windows client's client1.ovpn as leak protection:
block-outside-dns
A real kill switch lives in the client's firewall rather than in OpenVPN: the policy allows packets out only through the tunnel interface and to the VPN server's own address and port, so when the tunnel is down nothing else can leave.
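A kill switch for a Linux client implemented that way, as an added example that is not part of the original tutorial. The server address 203.0.113.10, the interface wlan0 and the on/off arguments are assumptions; IPT=echo prints the rules instead of applying them.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: a client-side kill switch
# for a Linux client, done in the packet filter where it belongs. Outbound
# traffic may leave only through the tunnel interface, to the VPN server's
# own endpoint, or on loopback; everything else is dropped, so when the tunnel
# goes down nothing falls back to the physical interface. Server address and
# interface are assumptions. IPT=echo prints the rules instead of applying.
set -eu

IPT=${IPT:-iptables}

# kill_switch SERVER_IP PORT PROTO WAN_IF
kill_switch() {
    server=$1; port=$2; proto=$3; wan=$4
    $IPT -P OUTPUT DROP
    $IPT -F OUTPUT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # the tunnel itself; tun+ matches tun0, tun1, ...
    $IPT -A OUTPUT -o tun+ -j ACCEPT
    # the only thing allowed on the physical interface: the handshake and the
    # encrypted data to the server. Put an IP address in the profile's remote
    # line, because name resolution over the physical interface is blocked.
    $IPT -A OUTPUT -o "$wan" -p "$proto" -d "$server" --dport "$port" -j ACCEPT
    # keep the DHCP lease renewable so the physical link itself stays up
    $IPT -A OUTPUT -o "$wan" -p udp --dport 67 -j ACCEPT
}

# Lift the policy again, e.g. before disconnecting on purpose.
kill_switch_off() {
    $IPT -P OUTPUT ACCEPT
    $IPT -F OUTPUT
}

# Usage: sudo sh killswitch.sh on 203.0.113.10 1194 udp wlan0
#        sudo sh killswitch.sh off
case "${1:-}" in
    on)  kill_switch "$2" "$3" "$4" "$5" ;;
    off) kill_switch_off ;;
esac
```

This also blocks access to the local network while the switch is on, which is usually what a kill switch should do; add an explicit ACCEPT for your LAN subnet if you need it. The rules are IPv4 only; if the client has IPv6 connectivity, apply the same policy with ip6tables, otherwise traffic leaks over v6.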
Monitor and Troubleshoot
This configuration sets no log directive, so on Arch OpenVPN logs to the systemd journal rather than to /var/log/openvpn/server.log; follow it with journalctl -u openvpn-server@server -f, and raise verb in server.conf if you need more detail (add log-append /var/log/openvpn/server.log only if you want a flat file as well). The status file named by the template's status directive lists the currently connected clients with their certificate names, real addresses and byte counts. Both are what you read when a client cannot connect, and where probes show up as TLS Error and VERIFY ERROR lines from addresses you do not recognise.
Remember to keep your Arch Linux system and OpenVPN software up-to-date to ensure optimal security and performance. Use the pacman
package manager to update your system and software regularly:
sudo pacman -Syu
By following these optional steps, you can further enhance the security and performance of your OpenVPN server on Arch Linux.
Enable Fail2Ban for OpenVPN
Fail2Ban can ban addresses that repeatedly fail the TLS handshake or present a certificate the CA did not issue. Two caveats first: with tls-crypt (set up above) such probes are already dropped before any expensive TLS work, so the gain is modest, and because UDP source addresses are not authenticated, an attacker can send junk with a forged source to get that address, for example your own office, banned. Set ignoreip for the networks you connect from. To install Fail2Ban, run:
sudo pacman -S fail2ban
Create a new Fail2Ban jail specifically for OpenVPN. The server logs to the systemd journal, so the jail uses the systemd backend instead of a log file:
sudo vim /etc/fail2ban/jail.d/openvpn.conf
Add the following content to the configuration file:
[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
backend = systemd
maxretry = 3
bantime = 3600
ignoreip = 127.0.0.1/8 10.8.0.0/24
Save and exit the file. Create a new filter file:
sudo vim /etc/fail2ban/filter.d/openvpn.conf
Add the following content to the filter file. The original regex here matched only the message OpenVPN prints for failed username/password logins, which this certificate-only setup never produces, and it contained no <HOST> group, so Fail2Ban could not have extracted an address to ban; the patterns below cover the handshake failures a certificate-based server actually logs:
[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)sTLS Error: (?:cannot locate HMAC in incoming packet|incoming packet authentication failed|tls-crypt unwrapping failed) from \[AF_INET6?\]<HOST>:\d+$
            ^%(__prefix_line)s<HOST>:\d+ TLS Error: TLS handshake failed$
            ^%(__prefix_line)s<HOST>:\d+ VERIFY ERROR
            ^%(__prefix_line)s<HOST>:\d+ TLS Auth Error
ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=openvpn-server@server.service
Save and exit the file. Test the filter against the journal before enabling the jail, so you see which lines match and which addresses would be banned:
sudo fail2ban-regex systemd-journal /etc/fail2ban/filter.d/openvpn.conf
Enable and start the Fail2Ban service:
sudo systemctl enable --now fail2ban
Fail2Ban will now watch the OpenVPN unit's journal entries and ban addresses with multiple failed handshakes.
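The filter's match logic run over a handful of constructed journal lines, as an added example that is not part of the original tutorial: it shows which lines count as failures and which peers cross maxretry, which is the same decision the jail makes. The log lines are made up but follow OpenVPN's real message formats (journal lines as Fail2Ban sees them), the addresses are from the RFC 5737 documentation ranges, and the check is IPv4 only.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: the Fail2Ban filter's
# match logic as grep patterns, run over constructed journal lines so the
# ban decision can be checked before the jail goes live. Sample lines are
# constructed; addresses are RFC 5737 documentation ranges. IPv4 only.
set -eu

IP='([0-9]{1,3}\.){3}[0-9]{1,3}'

# Print the source address of every failed-handshake line in log file $1.
# Same message families as the failregex above: control-channel packets that
# fail tls-auth/tls-crypt authentication, failed handshakes, certificate
# verification failures and (for user/pass setups) auth failures.
failed_peers() {
    grep -E \
      -e "TLS Error: (cannot locate HMAC in incoming packet|incoming packet authentication failed|tls-crypt unwrapping failed) from \[AF_INET\]$IP:[0-9]+" \
      -e "$IP:[0-9]+ (TLS Error: TLS handshake failed|VERIFY ERROR|TLS Auth Error)" \
      "$1" | grep -oE "$IP:[0-9]+" | cut -d: -f1
}

# Print peers with at least $2 failures in $1: what maxretry=$2 would ban.
offenders() {
    failed_peers "$1" | sort | uniq -c | awk -v max="$2" '$1 >= max { print $2 }'
}

# Constructed sample: one peer failing three times in different ways, one
# single verification failure, and one successful connection that must not
# match.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jan 02 12:00:01 vpn openvpn[1234]: 203.0.113.5:41234 TLS Error: TLS handshake failed
Jan 02 12:00:07 vpn openvpn[1234]: TLS Error: tls-crypt unwrapping failed from [AF_INET]203.0.113.5:41235
Jan 02 12:00:09 vpn openvpn[1234]: 198.51.100.7:51000 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=attacker
Jan 02 12:00:15 vpn openvpn[1234]: 203.0.113.5:41236 VERIFY ERROR: depth=0, error=self-signed certificate: CN=attacker
Jan 02 12:00:20 vpn openvpn[1234]: 192.0.2.10:60000 [client1] Peer Connection Initiated with [AF_INET]192.0.2.10:60000
EOF

echo "peers exceeding maxretry=3:"
offenders "$LOG" 3
```

With maxretry 3 only 203.0.113.5 is reported; 198.51.100.7 failed once and 192.0.2.10 connected successfully. Note that the tls-crypt line carries the peer's source address only, which is exactly why a forged UDP source can get an innocent address banned.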
Harden OpenVPN Server Security
To further secure your OpenVPN server, you can implement additional security measures such as:
- Keep the CA's private key (pki/private/ca.key) off the VPN server, ideally on an offline machine, protected by the passphrase you set in build-ca; whoever reads it can mint valid client certificates.
- Revoke lost or retired client certificates with easyrsa revoke <name> followed by easyrsa gen-crl, and point server.conf at the CRL with crl-verify so revoked certificates are rejected at the handshake.
- Leave duplicate-cn disabled (the default), so one client certificate cannot be in use from two places at once, and cap the total with max-clients.
- Keep tls-crypt enabled; it makes unauthenticated probes cheap to drop and hides the handshake from passive observers.
- Regularly audit the journal (journalctl -u openvpn-server@server) for VERIFY ERROR and TLS Error lines from unexpected addresses.
- Keep your Arch Linux system and software up-to-date.
By following these security best practices, you can significantly reduce the risk of unauthorized access and data breaches.
Conclusion
By now, you have successfully installed and configured an OpenVPN server on your Arch Linux system. You have also learned how to generate client certificates and keys, create OpenVPN configuration files, and connect to the VPN server using OpenVPN clients. Additionally, you have implemented several optional steps to enhance the security and performance of your OpenVPN server.
Remember that maintaining a secure and reliable VPN server requires regular monitoring, updates, and maintenance. Stay informed about security vulnerabilities, software updates, and best practices to ensure your VPN server remains secure and efficient. Enjoy your newfound privacy and security provided by your OpenVPN server on Arch Linux!