COVID-19
We are here to help!
We are offering free subscriptions and cybersecurity consultancy to support companies affected by COVID-19 outbreak.
Learn more

How to setup an OpenVPN server on DigitalOcean?

In this guide we will setup a “Debian 9(stretch)” virtual machine on our Digital Ocean account and configure a OpenVPN server.

Creating a Debian 9 Instance

Let’s begin by navigating to our Digital Ocean home page.

Select a project if there is one or create a new on if one does not exit. We then navigate to the project page and select the “Create” button on the top right side to access a dropdown menu.

We then select “Droplets” from the dropdown menu in order to start the creation process.

On the next screen we start by selecting the operating system that we want the droplet to use. We shall choose Debian and then select the latest version of Debian 9 that shows up in the dropdown menu.

Next we shall choose a plan. A ‘Standard’ instance would be enough for our initial needs. As the minimum requirements for OpenVPN is 1GiB of RAM we can choose on the first two choices in the pricing list as a start.

Since the machines are scalable we can later grow them if need be.

Next we shall choose a suitable region for the droplet to be created in. The best choice would be a region in close proximity.

After selecting the region we will need to decide on a means of connecting to the droplet once it is operational. Here we shall choose the ‘SSH keys’ option for better security and then either choose from one of the existing ssh keys or click on the ‘New SSH Key’ option in order to add a new key.

Finally before creating the droplet we will provide a meaningful name to the droplet as it’s hostname. Then click on the ‘Create Droplet’ button at the bottom to start the creation process.

Adding Rules to Control Access

We Select the Droplet from the Droplets Menu to bring up the droplet information page and select the ‘Networking’ option in the inner left menu. Here we will select the ‘Manage Firewalls’ option under the ‘Firewalls’ section and navigate to it in order to start adding rules to the droplet.

Once on the networking page we can click on Create Firewall in order to create a new set of rules that we shall associate with the new droplet.

In the upcoming page we will set the name for the new firewall. Then we shall change the default ‘SSH’ rule by adding a list of Public IP addresses that we want to give SSH permission to as the contents of the ‘Sources’ field.

Next we will add a custom rule with TCP as the protocol and select a port that we want to use for the VPN connections(The default port for OpenVPN is 1194). Also we will set the ‘Sources’ field as ‘ALL IPv4’ to allow incoming connections on that port.

Finally we will scroll down to the end of the page and search for the new droplet by name in the input field below ‘Apply to Droplets’. This will bind the rules we added to that droplet.

Finally we will click ‘Create Firewall’ in order to apply the rules.

With the firewall rules now set we can start on configuring the VPN server on the machine.

Configuring OpenVPN

Having set up the machine we can now start installing OpenVPN and configuring it. Start by connecting to the machine over ssh. Once connected:

  • Update the machine.
apt-get update -y && apt-get upgrade 
  • Now we can download a script to help us install and configure the OpenVPN server. Download the script and make it executable.
wget https://git.io/vpn -O openvpn-configuration.sh
chmod +x openvpn-configuration.sh

Upon running the script asks us about the ip address of the machine. We select the number corresponding to the Public IP address of the machine.

Next we choose to use TCP as the base connection type for our VPN.

Now we will set the port that we added an Inbound rule for so that the OpenVPN server can listen for incoming connections on that port.

The DNS option can be set as preferred.

Finally we give a name that will be used to create a certificate for a user to be allowed to connect. The script will create the required files that a user will need to be able to connect to the server.

Welcome to this OpenVPN road warrior installer!

I need to ask you a few questions before starting setup.
You can use the default options and just press enter if you are ok with them.

This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [35.204.34.7]:

Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 2

What port do you want OpenVPN listening to?
Port [1194]:

Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1]:

Finally, tell me a name for the client certificate.
Client name [client]: 1234

Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...

Adding/Removing VPN Clients

With the server up and running we can run the script again in order to create new client certificates or to revoke existing certificates.

We can rerun the script we downloaded to install OpenVPN. The script will now as us if we want to add or remove a user.

Entering the number corresponding to “Add a new user” and then providing a name for the user when prompted for shall create the certificate file required for the user to connect to the VPN server.

Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option: 1

Tell me a name for the client certificate.
Client name: test2

Using SSL: openssl OpenSSL 1.1.0l  10 Sep 2019
Generating a RSA private key
.......................................................................+++++
...........+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/private/test2.key.DVI9'
-----
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'test2'
Certificate is to be certified until Mar 21 16:49:44 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Client test2 added, configuration is available at: /root/test2.ovpn

On the other hand if we enter the number corresponding to “Revoke an existing user”; we will be presented with a list of the available clients. Entering the number corresponding to the user that we intend to remove shall destroy the certificate generated for that user; resulting in them not being able to connect to the VPN.

Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option: 2

Select the existing client certificate you want to revoke:
     1) client
     2) test2
Select one client: 2

Do you really want to revoke access for client test2? [y/N]: y
Using configuration from ./safessl-easyrsa.cnf
Revoking Certificate 12B01D572096F0E4512D3DE9E0480C88.
Data Base Updated

Using SSL: openssl OpenSSL 1.1.0l  10 Sep 2019
Using configuration from ./safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem


Certificate for client test2 revoked!

Since we only allow SSH connection to the machine other than the VPN; we can use any SFTP client to connect to the server and download the user certificate files.

Users can then connect to the VPN server using their ovpn certificate files.