In my last post, I discussed the following:
Why OpenVPN instead of PPTP or IPSec over L2TP?
Setting up a static hostname for a dynamic IP address, so we can access it no matter what IP address our ISP gives us
A brief overview of port forwarding over Network Address Translation (NAT) on your home router
Continuing where we left off, the obvious question is “why those ports, and what is NAT anyway?” Simply put, NAT allows your home network to have its own range of IP addresses while appearing as one computer to the rest of the internet. The advantage of this is that computers on the internet (usually) cannot access any computers on your network without some sort of authorization. What we’re telling the router is that when it gets a request on a specific port (port 443, for instance), we want that request passed on to a specified port on a specified machine in our network. As you see in this example, whenever my network gets a request on UDP port 1193 or TCP port 443, it goes to those same ports on the computer with the IP address 10.0.1.2.
OpenVPN in its default configuration will retain the use of both ports for VPN traffic. The TCP port 443 serves two purposes: it gives clients the ability to securely download their configuration files, and it lets you use the commonly open port 443 for VPN traffic in the event you are on a network that blocks port 1194. This is the configuration that we’ll be using.
So now we have ddclient up and running and our ports forwarded, it’s time to download and install OpenVPN Access Server. Head to your friendly terminal and enter the following for a 64-bit Ubuntu (or fork thereof, version 10+):
If you insist on 32-bit, use this instead:
Next, enter this to install it:
That star in there means that this command will work regardless of which one you downloaded. Now that OpenVPN is installed, you should set a password for the default admin account, openvpn, by entering the following:
… and enter a good, strong password. Remember, this is the key to your (home network) castle and will be exposed to the internet. It had better be good.
You can now access the web GUI for administration in your browser at https://hostIPaddress:943/admin, with the server’s IP address in place of “hostIPaddress.” Ignore the certificate warning, since you’re using a self-signed certificate. The default configuration is pretty good, but there are a few things you’ll definitely want to change.
First, make sure that you have already set up any users you want to access the network as local users on this machine. Then, click on the User Permissions menu item and add them (along with any specific permissions for that user). Then, as a good security practice, check the “Deny access to all users not listed above” box on the bottom. This will help ensure that only users who are explicitly allowed on your VPN will have access.
Finally, make sure that you go over to the “Server Network Settings” menu item and enter the hostname from your dynamic DNS provider. Do not use your local IP address. This one got me on two different deployments of OpenVPN. Both times I could access my VPN server from the LAN but not over the internet. This was why.
That’s pretty much it. Point any computer’s browser at that hostname and follow the prompts to download the OpenVPN client software and configuration file. There are free clients available for iOS and Android in their respective app stores. Keep in mind that this version of OpenVPN server is completely free for up to two users at a time. If you want more users, you’ll need to pay for them. It’s not cheap, but good things never are.
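A quick sanity check on the client profile you just downloaded, tying together the port-forwarding rules above and the hostname-versus-local-IP mistake from the Server Network Settings step. This is an added example, not part of the original post or of OpenVPN Access Server: it parses the `remote` lines of an `.ovpn` file and flags any that point at a private address or at a port/protocol the router does not forward. The hostname `myhome.example.dyndns.org` and the sample profiles are constructed; the forwarded ports are the ones from this post (UDP 1193, TCP 443).

```python
"""Check an exported OpenVPN client profile before handing it to a remote user."""
import ipaddress
import re

# Router forwards from this post: (port, protocol). Adjust to your own rules.
FORWARDED_PORTS = {(1193, "udp"), (443, "tcp")}

# OpenVPN syntax: remote <host> [port] [proto]; proto may be udp, tcp, udp4, tcp-client...
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?(?:\s+(udp|tcp)\S*)?", re.IGNORECASE)


def parse_remotes(profile_text):
    """Return (host, port, proto) for every 'remote' directive in the profile.

    OpenVPN defaults to port 1194 and UDP when they are omitted.
    """
    remotes = []
    for line in profile_text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            port = int(m.group(2)) if m.group(2) else 1194
            proto = (m.group(3) or "udp").lower()
            remotes.append((m.group(1), port, proto))
    return remotes


def is_private_address(host):
    """True if host is an IP literal in a private/loopback range (RFC 1918 etc.)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname, not an IP literal


def check_profile(profile_text, expected_host, forwarded=FORWARDED_PORTS):
    """Return a list of human-readable problems; an empty list means the profile looks sane."""
    problems = []
    remotes = parse_remotes(profile_text)
    if not remotes:
        problems.append("no remote directive found")
    for host, port, proto in remotes:
        if is_private_address(host):
            problems.append(f"remote {host} is a private address; clients outside the LAN cannot reach it")
        elif host.lower() != expected_host.lower():
            problems.append(f"remote {host} does not match the dynamic DNS hostname {expected_host}")
        if (port, proto) not in forwarded:
            problems.append(f"{proto}/{port} is not forwarded on the router")
    return problems


# Constructed sample profiles: the first reproduces the local-IP mistake described above.
BAD_PROFILE = "client\ndev tun\nremote 10.0.1.2 1193 udp\nremote 10.0.1.2 443 tcp\n"
GOOD_PROFILE = "client\ndev tun\nremote myhome.example.dyndns.org 1193 udp\nremote myhome.example.dyndns.org 443 tcp\n"
```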