Setting up a personal VPN with a Debian Linux server and a Windows (7 or 8) client

I want to set up my own VPN. As I’ve been on the road a lot, I don’t like the fact that web traffic on hotel wifi networks can be viewed by anyone. One can also pay for a VPN service, but since I already have a high-speed Internet connection at home and am running a Debian server, why not just set up my own VPN server?

I am choosing to use OpenVPN to do this. Here we go then (note: this outline assumes you know something about Linux administration, using a command shell, and the vi editor):

Set up the Debian server:

(Substitute your own server and client names for myserver and myclient below):

Become root:
sudo -i

apt-get install openvpn

cp -rp /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn

cd /etc/openvpn/easy-rsa

cp vars{,.orig}

vim ./vars
change the following lines:
export KEY_SIZE=4096 # e.g. 1024, 2048, or 4096 key size
export KEY_COUNTRY="US"
export KEY_PROVINCE="OH"
export KEY_CITY="Cleveland"
export KEY_ORG="My Company/Organization Name"
export KEY_EMAIL="admin@mycompany.com"
#export KEY_EMAIL=mail@host.domain
#export KEY_EMAIL=mail@host.domain
#export KEY_CN=changeme
#export KEY_NAME=changeme
#export KEY_OU=changeme
#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234

source ./vars

./clean-all

./build-ca

./build-key-server myserver

./build-dh # takes *forever* with a 4096-bit key

./build-key myclient1 (repeat for myclient2, myclient3, … as needed)

openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

mkdir -p /etc/openvpn/certs

cp -rp /etc/openvpn/easy-rsa/keys/{ca.{crt,key},ta.key,dh*.pem,myserver.{crt,key}} /etc/openvpn/certs/

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

vim /etc/openvpn/server.conf
change the following lines:
ca certs/ca.crt
cert certs/myserver.crt
key certs/myserver.key
dh certs/dh4096.pem
tls-auth certs/ta.key 0
push "redirect-gateway def1 bypass-dhcp"
client-to-client

(The sample server.conf has tls-auth ta.key 0, but ta.key was copied into certs/ above, so the path needs updating; direction 0 on the server pairs with the client's tls-auth ta.key 1 below.)

service openvpn restart

update-rc.d -f openvpn defaults

vim /etc/sysctl.conf:
change (uncomment) the following line:
net.ipv4.ip_forward=1

sysctl -p

vim /etc/network/if-pre-up.d/openvpn-iptables:
#!/bin/bash -e
# Accept incoming OpenVPN connections on 1194/UDP
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
# Forward traffic from the VPN subnet (OpenVPN's default 10.8.0.0/24) and the replies to it
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT the VPN clients behind the server's LAN interface (eth0) so they can reach the Internet
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

chmod +x /etc/network/if-pre-up.d/openvpn-iptables

On the router for the home network:
set up a port-forward rule for 1194/UDP to the Debian server

On Windows client:

Install OpenVPN client

copy ca.crt, ta.key, myclient1.crt, myclient1.key to C:\Program Files\OpenVPN\config\

copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config\

Edit C:\Program Files\OpenVPN\config\client.ovpn
Change, or make sure you have, the following lines:
client
;dev tap
dev tun
remote myserver.mycompany.com 1194
ca ca.crt
cert myclient1.crt
key myclient1.key
tls-auth ta.key 1
route-metric 512
route 0.0.0.0 0.0.0.0

Note: The final two lines above are needed so that the VPN network will not show up in Windows’ Network and Sharing Center as an “Unidentified Network” (cf. this help post).

Start OpenVPN GUI as Administrator (edit the shortcut’s Advanced properties and check “Run as administrator”).

Possibly needed: Create a Windows Firewall rule to allow C:\Program Files\OpenVPN\bin\openvpn.exe through the firewall.

Hint: Double-click the OpenVPN GUI icon in the system tray and view the log output. Also look at /var/log/syslog on the server in case of any problems.
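As an added example (not part of the original post), here is a small shell script that cross-checks a server.conf and a client.ovpn edited as above for the mistakes that are easiest to make: a key file path that does not resolve from OpenVPN's working directory, tls-auth directions that are not 0 on the server and 1 on the client, a client remote port that differs from the server's, or a server that never pushes the default route. The directories and file names it creates are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check an OpenVPN server.conf against
# a client.ovpn so path and key-direction mismatches show up at home, not in a hotel.

# Print the arguments of directive $2 from config $1 (first uncommented match).
ovpn_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
# True if the file named by directive $3 in config $2 exists under directory $1
# (OpenVPN resolves relative paths against its working dir, /etc/openvpn on Debian).
ovpn_file_ok() {
    f=$(ovpn_get "$2" "$3" | awk '{ print $1 }')
    [ -n "$f" ] && [ -f "$1/$f" ]
}
# The tls-auth key direction must be 0 on the server and 1 on the client.
ovpn_tls_auth_ok() {
    [ "$(ovpn_get "$1" tls-auth | awk '{ print $2 }')" = 0 ] &&
    [ "$(ovpn_get "$2" tls-auth | awk '{ print $2 }')" = 1 ]
}
# The client's remote port must match the server's listening port (default 1194).
ovpn_port_ok() {
    s=$(ovpn_get "$1" port); c=$(ovpn_get "$2" remote | awk '{ print $2 }')
    [ "${s:-1194}" = "${c:-1194}" ]
}
# Run every check on a server dir and a client dir; return the number of failures.
ovpn_check_pair() {
    n=0
    for d in ca cert key dh tls-auth; do
        ovpn_file_ok "$1" "$1/server.conf" "$d" || { echo "server: $d file not found"; n=$((n + 1)); }
    done
    for d in ca cert key tls-auth; do
        ovpn_file_ok "$2" "$2/client.ovpn" "$d" || { echo "client: $d file not found"; n=$((n + 1)); }
    done
    ovpn_tls_auth_ok "$1/server.conf" "$2/client.ovpn" || { echo "tls-auth directions are not 0/1"; n=$((n + 1)); }
    ovpn_port_ok "$1/server.conf" "$2/client.ovpn" || { echo "client port differs from server port"; n=$((n + 1)); }
    grep -q '^[[:space:]]*push[[:space:]].*redirect-gateway' "$1/server.conf" ||
        { echo "server does not push redirect-gateway"; n=$((n + 1)); }
    return $n
}
# Constructed layout: server keys under certs/ as in the post, but tls-auth left at
# the sample server.conf default ("ta.key 0"), which points outside certs/.
DEMO=$(mktemp -d); mkdir -p "$DEMO/server/certs" "$DEMO/client"
for f in ca.crt ta.key myserver.crt myserver.key dh4096.pem; do : > "$DEMO/server/certs/$f"; done
for f in ca.crt ta.key myclient1.crt myclient1.key; do : > "$DEMO/client/$f"; done
printf '%s\n' 'port 1194' 'ca certs/ca.crt' 'cert certs/myserver.crt' 'key certs/myserver.key' \
    'dh certs/dh4096.pem' 'tls-auth ta.key 0' 'push "redirect-gateway def1 bypass-dhcp"' \
    > "$DEMO/server/server.conf"
printf '%s\n' 'client' 'remote myserver.mycompany.com 1194' 'ca ca.crt' 'cert myclient1.crt' \
    'key myclient1.key' 'tls-auth ta.key 1' > "$DEMO/client/client.ovpn"
ovpn_check_pair "$DEMO/server" "$DEMO/client" || echo "$? problem(s) found"   # 1: server tls-auth
```

Point the two directory arguments at /etc/openvpn on the server and at a copy of the client's config folder to check a real pair; fixing the sample's tls-auth path to certs/ta.key brings the failure count to zero.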

Optional:

Install WinMTR on the Windows client and test:

E.g., with VPN connected:

WinMTR with VPN connected

And without the VPN:

WinMTR without VPN

Credits, help, & thanks:

How to install and set-up OpenVPN in Debian 7 (Wheezy) at d.stavrovski.net

Next step:

1. Work on setting up an HTTP proxy for the VPN, since some hotels block ports.

2. Set up other VPN clients such as Android devices.

Latest Update:

On the road and the VPN is working great. Also toggled on Annex M with my Internet provider [login @ members.sonic.net -> Labs -> Fusion Line Profile -> Click to set the Upload profile; login to home Netgear DGND3700 N600 ADSL Modem/Router running special firmware -> System -> xDSL Advanced -> DSL Modulation: ADSL2+ AnnexM] to get better upload bandwidth suitable for a VPN.

It’s nice to be able to access network shares and other machines on my home LAN while on the road! Hint: Try entering an IP address directly into Windows Explorer’s address bar, such as: \\10.8.0.1\

And all my traffic is totally private and secure now. Yes.

Possible todo:

Set up OpenVPN for data-link layer Ethernet bridging. Also see.

But how much overhead is there for layer 2 bridging?

OMG:

davidwesterfield.net: OpenVPN Sharing a TCP Port with SSL on NGINX and Apache? Yeah It’s Possible

Wow. Yes! Since I’m running and using the HTTP and HTTPS ports (for my web server, CalDAV, CardDAV, and OwnCloud servers), I was kind of bummed out that these ports were in use and would prevent me from using them for OpenVPN. Many places block all but these ports, so that would mean not being able to connect to my VPN from certain locations. But now: Yes!

One thing I will love about being able to do this: I can now have my cheapo Android phone use the department store’s restrictive network and access my VPN and be able to use GrooveIP which is important because the phone doesn’t get reception in there. And of course I can now access my VPN from pretty much Any. Network. Anywhere.