Every time I had to set up a VPN, I used to do it manually, with guides like these:
To make it easier, I was going to write a shell script like any sysadmin. However, before making any move, I went to Google to check whether such a script already existed.
Luckily, I found a great one, called “OpenVPN road warrior installer”:
So far so good, right? Just run the following command, grab the .ovpn file and I am good to go:
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
Actually, no. I tried to connect to the OpenVPN server I created:
Mon Sep 5 14:25:22 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 5 14:25:22 2016 TLS Error: TLS handshake failed
Something wasn’t right. So, I went to my CentOS 6 VPN server and tried to find out what was wrong:
[root@vpn ~]# service openvpn status
Status written to /var/log/messages
Ok, OpenVPN writes its status into /var/log/messages. So, let’s “tail -f” it:
[root@vpn ~]# tail -f /var/log/messages
Sep 5 13:18:08 vpn openvpn: ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
Sep 5 13:18:08 vpn openvpn: Exiting due to fatal error
That was the problem. I forgot to ask my hosting provider to allow TUN/TAP. I am using a 128MB OpenVZ VPS from RamNode ($15/year) and they let you change the TUN/TAP setting from their panel. After enabling it and restarting the VM, the OpenVPN client on my notebook connected right away.
That’s it, I had a VPN in a matter of minutes. But wait... It is a virtual machine. The script does not install a firewall or change the SSH port. I am not safe.
Let’s make it right. First, let’s update:
yum -y update
Ok, let’s install CSF:
wget https://git.io/visi7 -O install-csf.sh && bash install-csf.sh
According to the OpenVPN docs, we have to open 443 TCP, 943 TCP and 1194 TCP/UDP in CSF:
I am going to use my VPN only to browse safely on public networks, and later I will move SSH to port 2222, so my “IPv4 Port Settings” section looks like this:
And of course, I have to set TESTING = "0".
To finish the CSF configuration, we have to create the /etc/csf/csfpre.sh file with the following instructions:
Replace 220.127.116.11 with your server IP and save it.
Before I restart CSF, I have to change the SSH port to 2222:
sed -i 's/#Port 22/Port 2222/g' /etc/ssh/sshd_config
service sshd restart
Ok, now I can restart CSF with “csf -r”. That’s it, I have a safe VPN for $15/year.
- My VPN is used from public networks, so I use port 443, not the default 1194.
- If you want to improve your security further, replace password authentication with SSH keys.
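As an added example (not part of the original post), here is a small POSIX shell helper that makes the sshd port change more robust than the sed one-liner above, which only matches a commented-out "#Port 22" line and silently does nothing if the directive is already active or missing, and that checks csf.conf for TESTING being off and for the ports we opened. The function names and the sample configs are my own; the sample files are constructed here, not copied from a real host.

```shell
#!/bin/sh
# Added example: helper checks for the hardening steps in the post. Functions take
# file paths so they can run against constructed copies; on the real host point
# them at /etc/ssh/sshd_config and /etc/csf/csf.conf.

# set_ssh_port FILE PORT: rewrite the Port directive whether it is commented out
# ("#Port 22"), already set to another value, or missing entirely.
set_ssh_port() {
    if grep -Eq '^[#[:space:]]*Port[[:space:]]+[0-9]+' "$1"; then
        sed -E "s/^[#[:space:]]*Port[[:space:]]+[0-9]+.*/Port $2/" "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf 'Port %s\n' "$2" >> "$1"
    fi
}

# ssh_port FILE: print the effective port (first active Port line), default 22.
ssh_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${p:-22}"
}

# csf_testing_off FILE: succeed only if TESTING = "0". While it is "1", CSF
# flushes its rules on a timer, so the firewall is not really protecting the box.
csf_testing_off() {
    grep -Eq '^TESTING[[:space:]]*=[[:space:]]*"0"' "$1"
}

# csf_port_open FILE KEY PORT: succeed if PORT is listed in KEY (TCP_IN or UDP_IN).
csf_port_open() {
    grep -E "^$2[[:space:]]*=" "$1" | head -n 1 \
        | sed -E 's/^[^"]*"([^"]*)".*/\1/' | tr ',' '\n' | grep -qx "$3"
}

# Constructed sample configs (not from a real host) to exercise the checks.
SAMPLE_DIR=$(mktemp -d)
SSHD_CFG="$SAMPLE_DIR/sshd_config"
CSF_CFG="$SAMPLE_DIR/csf.conf"
printf '#Port 22\nPermitRootLogin yes\n' > "$SSHD_CFG"
printf 'TESTING = "0"\nTCP_IN = "443,943,1194,2222"\nUDP_IN = "1194"\n' > "$CSF_CFG"
```

Run the checks after editing: a lockout is far easier to prevent before `csf -r` and `service sshd restart` than to recover from over the provider's console.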