<p>AKLWEB Host offers you private network connectivity for servers running at the same location. But sometimes you want two servers in <strong>different countries or datacenters</strong> to be able to communicate in a private and secure way. This tutorial shows you how to achieve that with the help of OpenVPN. The operating systems used here are Debian and CentOS, just to show you two different configurations; the steps can easily be adapted for Debian -> Debian, Ubuntu -> FreeBSD and so on.</p>

<h3><strong>Machine 1</strong></h3>

<p><strong>Start on machine 1 by installing OpenVPN:</strong></p>
<pre><code>apt-get install openvpn
</code></pre>

<p>Then, copy the example configuration and the key-generation tool, <code>easy-rsa</code>, to <code>/etc/openvpn</code>:</p>
<pre><code>cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
</code></pre>

<p>The default key size is no longer considered safe. To fix this, open <code>/etc/openvpn/easy-rsa/2.0/vars</code> with your favorite text editor and change the following line:</p>
<pre><code>export KEY_SIZE=4096
</code></pre>

<p>Next, load these values into your current session, clean up any existing keys, and generate your certificate authority:</p>
<pre><code>cd /etc/openvpn/easy-rsa/2.0
source ./vars
./clean-all
./build-ca
</code></pre>

<p>You will be prompted for information. Make your life easier by supplying details about your server, for example where it is located and what its FQDN is or will be; this helps when you have to debug problems later:</p>
<pre><code>Country Name (2 letter code) [US]:NL
State or Province Name (full name) [CA]:-
Locality Name (eg, city) [SanFrancisco]:AKLWEB Host Datacenter
Organization Name (eg, company) [Fort-Funston]:-
Organizational Unit Name (eg, section) [changeme]:-
Common Name (eg, your name or your server's hostname) [changeme]:yourserver1.yourdomain.tld
Name [changeme]:-
Email Address [mail@host.domain]:youraddress@yourdomain.tld
</code></pre>

<p>Another necessity is the parameters for the <strong>Diffie-Hellman</strong> key exchange. Those need to be generated too:</p>
<pre><code>./build-dh
</code></pre>

<p><strong>Important:</strong> <code>build-dh</code> is a relatively expensive process that can take up to ten minutes, depending on your server’s resources.</p>

<p>To further improve the security of this connection, generate a static TLS-auth secret that will be distributed to all clients:</p>
<pre><code>mkdir /etc/openvpn/keys
openvpn --genkey --secret /etc/openvpn/keys/ta.key
</code></pre>

<p>Now you can generate the key and certificate request for the server:</p>
<pre><code>./build-key-server server1
</code></pre>

<p>This command will prompt for some information:</p>
<pre><code>Country Name (2 letter code) [US]:NL
State or Province Name (full name) [CA]:-
Locality Name (eg, city) [SanFrancisco]:AKLWEB Host Datacenter
Organization Name (eg, company) [Fort-Funston]:-
Organizational Unit Name (eg, section) [changeme]:-
Common Name (eg, your name or your server's hostname) [server1]:yourserver1.yourdomain.tld
Name [changeme]:-
Email Address [mail@host.domain]:youraddress@yourdomain.tld
</code></pre>

<p>The final step is to sign the certificate request that was just generated with the CA’s key:</p>
<pre><code>1 out of 1 certificate requests certified, commit? [y/n]y
</code></pre>

<p>Copy the necessary keys and certificates into a separate folder and restrict access to them:</p>
<pre><code>cd /etc/openvpn/easy-rsa/2.0/keys
cp dh4096.pem ca.crt server1.crt server1.key /etc/openvpn/keys/
chmod 700 /etc/openvpn/keys
chmod 600 /etc/openvpn/keys/*
</code></pre>

<p>Now for the configuration: unzip the example …</p>
<pre><code>cd /etc/openvpn
gunzip server.conf.gz
</code></pre>

<p>… and open the resulting <code>server.conf</code> with your favorite text editor. The configuration should look similar to this:</p>
<pre><code>port 1194
proto udp
dev tun

ca keys/ca.crt
cert keys/server1.crt
key keys/server1.key
dh keys/dh4096.pem
server 10.8.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Uncomment this if you have multiple clients
# and want them to be able to see each other
;client-to-client

keepalive 10 120
tls-auth keys/ta.key 0

tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
cipher AES-256-CBC
auth SHA384
comp-lzo

user nobody
group nogroup

persist-key
persist-tun
verb 3
mute 20
</code></pre>

<p>After restarting the service, watch your log for a while …</p>
<pre><code>service openvpn restart && tail -f /var/log/syslog
</code></pre>

<p>… to make sure everything is working. If no errors show up, you can generate the keys for your second server:</p>
<pre><code>cd /etc/openvpn/easy-rsa/2.0
source ./vars
./build-key server2
</code></pre>

<p>Again, you will be prompted for information:</p>
<pre><code>Country Name (2 letter code) [US]:FR
State or Province Name (full name) [CA]:-
Locality Name (eg, city) [SanFrancisco]:AKLWEB Host Datacenter
Organization Name (eg, company) [Fort-Funston]:-
Organizational Unit Name (eg, section) [changeme]:-
Common Name (eg, your name or your server's hostname) [server2]:yourserver2.yourdomain.tld
Name [changeme]:-
Email Address [mail@host.domain]:youraddress@yourdomain.tld
</code></pre>

<p>Now you need to transfer the necessary files to your second server over an encrypted channel, for example with <code>scp</code>:</p>
<pre><code>cd /etc/openvpn/easy-rsa/2.0/keys
cp /etc/openvpn/keys/ta.key .
tar -cf vpn.tar ca.crt server2.crt server2.key ta.key
scp vpn.tar yourusername@server2:~/
rm vpn.tar
</code></pre>

<p>Time to switch to the <strong>SSH connection</strong> of your <strong>second server</strong>.</p>

<h3><strong>Machine 2</strong></h3>

<p>The first step is to install OpenVPN …</p>
<pre><code>yum install openvpn
</code></pre>

<p>… and to deactivate <code>firewalld</code>. The replacement will be plain iptables.</p>
<pre><code>systemctl stop firewalld
systemctl disable firewalld
</code></pre>

<p>Unpack the archive that you just moved to the server and set proper permissions on the files:</p>
<pre><code>cd /etc/openvpn
mkdir keys
chmod 700 keys
cd keys
tar -xf ~/vpn.tar -C .
chmod 600 *
</code></pre>

<p>Create <code>/etc/openvpn/client.conf</code> with your favorite text editor. It should look like this (replace <code>yourserver</code> and <code>yourport</code> with the public address and port of machine 1):</p>
<pre><code>client
dev tun
proto udp

remote yourserver yourport
resolv-retry infinite
nobind
user nobody
group openvpn

persist-key
persist-tun

ca keys/ca.crt
cert keys/server2.crt
key keys/server2.key

ns-cert-type server
tls-auth keys/ta.key 1

tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
cipher AES-256-CBC
auth SHA384

remote-cert-tls server

comp-lzo
verb 3
mute 20
</code></pre>

<p>The last step is to start and enable the service:</p>
<pre><code>systemctl start openvpn@client.service
systemctl enable openvpn@client.service
</code></pre>

<p>If everything is working, you should have no problem pinging the first server at its tunnel address:</p>
<pre><code>PING 10.8.100.1 (10.8.100.1) 56(84) bytes of data.
64 bytes from 10.8.100.1: icmp_seq=1 ttl=64 time=17.8 ms
64 bytes from 10.8.100.1: icmp_seq=2 ttl=64 time=17.9 ms
64 bytes from 10.8.100.1: icmp_seq=3 ttl=64 time=17.8 ms
</code></pre>

<p>You now have a private connection over the Internet!</p>

<p>If you need to troubleshoot any errors, try checking the logs with the following command:</p>
<pre><code>journalctl -xn
</code></pre>
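<p>As an added example that is not part of the original tutorial, the following Python script checks that a <code>server.conf</code> and <code>client.conf</code> like the two above agree on everything that has to match for the handshake to succeed (tls-auth key direction, proto, cipher, auth, tls-cipher, compression, port), that the client verifies the server certificate's role, and that every referenced key or certificate path has a real file name. The embedded configs are constructed, trimmed copies of the tutorial's files; the client copy deliberately contains an incomplete <code>key keys/.key</code> line so the check fires, and 203.0.113.10 is a documentation address standing in for <code>yourserver</code>.</p>

```python
import os

# Constructed, trimmed copies of the tutorial's two configs. 203.0.113.10 stands in for
# "yourserver"; the client's 'key keys/.key' line is a deliberately incomplete path.
SERVER_CONF = ("port 1194\nproto udp\ndev tun\nca keys/ca.crt\ncert keys/server1.crt\n"
               "key keys/server1.key\ndh keys/dh4096.pem\nserver 10.8.100.0 255.255.255.0\n"
               "tls-auth keys/ta.key 0\ncipher AES-256-CBC\nauth SHA384\ncomp-lzo\n")
CLIENT_CONF = ("client\ndev tun\nproto udp\nremote 203.0.113.10 1194\nca keys/ca.crt\n"
               "cert keys/server2.crt\nkey keys/.key\ntls-auth keys/ta.key 1\n"
               "cipher AES-256-CBC\nauth SHA384\nremote-cert-tls server\ncomp-lzo\n")

def parse_conf(text):
    """Map each directive to its argument list; '#' comments and ';'-disabled lines are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            opts[name] = args
    return opts

def check_pair(server_text, client_text):
    """Return a list of problems that would stop this client from pairing with this server."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    # tls-auth HMAC key: both sides need it, direction 0 on the server and 1 on the client
    if s.get("tls-auth", [])[1:] != ["0"] or c.get("tls-auth", [])[1:] != ["1"]:
        problems.append("tls-auth must be set with direction 0 on server and 1 on client")
    # control-channel and data-channel parameters must be identical on both sides
    for d in ("proto", "cipher", "auth", "tls-cipher"):
        if s.get(d) != c.get(d):
            problems.append(f"{d} differs: server={s.get(d)} client={c.get(d)}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo is enabled on only one side")
    # the client must target the server's port and verify the peer cert is a server cert
    if c.get("remote", [None, None])[1:2] != s.get("port"):
        problems.append("client 'remote' port does not match server 'port'")
    if "remote-cert-tls" not in c and "ns-cert-type" not in c:
        problems.append("client does not verify the server certificate's role")
    # every referenced PEM file needs a real basename (catches stray 'keys/.key' typos)
    for side, conf in (("server", s), ("client", c)):
        for d in ("ca", "cert", "key", "dh", "tls-auth"):
            if d in conf:
                base = os.path.basename(conf[d][0])
                if base.startswith(".") or "." not in base:
                    problems.append(f"{side} {d} path '{conf[d][0]}' looks incomplete")
    return problems
```

Run <code>check_pair</code> on your own two files before starting the services; an empty list means the pair is consistent, and each string describes one mismatch that would otherwise only surface as a TLS error in the log.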