Your own VPN in minutes: easy, safe & cheap

You, when using VPN to bypass the network firewall with port 443.
You, when using VPN to bypass the network firewall with port 443.

Everytime I had to setup a VPN, I used to do manually, with guides like these:

https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7

To make it easier, I was going to create a shell script like any sysadmin. However, before I did any movement, I went to Google to find if there is already an existing script.

For my luck, I found a great one, called “OpenVPN road warrior installer”:

https://github.com/Nyr/openvpn-install

So far so good, right? Just run the follow command, catch the .ovpn file and I am good to go:

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

Actually, no. I tried to connect to the OpenVPN server I created:

Mon Sep 5 14:25:22 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 5 14:25:22 2016 TLS Error: TLS handshake failed

Something wasn’t right. So, I went to my CentOS 6 VPN and tried to find what was wrong:

[root@vpn ~]# service openvpn status
Status written to /var/log/messages

Ok, OpenVPN writes its status into /var/log/messages. So, let’s “tail -f” it:

[root@vpn ~]# tail -f /var/log/messages
Sep 5 13:18:08 vpn openvpn[7996]: ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
Sep 5 13:18:08 vpn openvpn[7996]: Exiting due to fatal error

That’s was the problem. I forgot to ask my host provider to allow TUN/TAP. I am using a 128MB OpenVZ VPS from RamNode ($15/year) and they allow you to modify TUN/TAP setting from their panel. After enabling it and restarting the VM, the OpenVPN client from my notebook connected right away.

That’s it, I had a VPN in a matter of minutes. But wait.. It is a virtual machine. The script does not install a firewall or change the SSH port. I am not safe.

Let’s make it right. First, let’s update:

yum -y update

Ok, let’s install CSF:

wget https://git.io/visi7 -O install-csf.sh && bash install-csf.sh

According to OpenVPN docs, we have to open 443 TCP, 943 TCP and 1194 TCP-UDP on CSF:

vi /etc/csf/csf.conf

I am going to use my VPN just to browse safely on public networks and later I will use port 2222 to SSH, so my “IPv4 Port Settings” configs would look like this:

And of course, I have to put TESTING = “0”.
To finish CSF configurations, we have to create /etc/csf/csfpre.sh file with the follow instructions:

Change 123.0.0.0 with your server IP and save it.

Before I restart CSF, I have to change SSH port to 2222:

sed -i ‘s/#Port 22/Port 2222/g’ /etc/ssh/sshd_config
service sshd restart

Ok, now I can restart CSF with “csf -r”. That’s it, I have a safe VPN for $15/year.

Notes:

  1. My VPN is used to access from public network, so I use 443 port, not 1194 default one.
  2. If you want to improve more your security, change password auth for ssh keys.