OpenVPN on Ubuntu VPS
Published: 12/07/2013 UTC
Updated: 12/07/2013 UTC
One way to improve the security of any system is to limit the attack surface, for example by using a whitelist of allowed IPs for specific services such as phpMyAdmin. If you're on an ADSL connection without a fixed IP address, this can be time-consuming, as you would have to unblock the whole IP range of your ISP for every service. It can also be limiting if you want to access something from another ISP, or you switch ISPs. A way around this is to install a dynamic IP service and OpenVPN. Although not a total security solution, it certainly makes things more difficult for any would-be intruders. OpenVPN even has clients for Android, and on the latest versions (e.g. Jelly Bean) you don't even need root.
Note: From what I can tell, my VPS is running on Parallels virtualization; instructions may differ between different virtualization systems.
This is a list of instructions on how I installed OpenVPN. Before I start, I am NOT a system admin by any means, so my knowledge is limited to what I've read. This is simply me sharing what I have read. This is a two-stage setup: (1) install OpenVPN and run it; (2) set up a cron job to make sure there is a connection and, if not, restart it (so it will reconnect).
Also, of note, I had to contact my VPS provider to get them to install the TUN/TAP device.
VPN Server
I use an Untangle firewall as my OpenVPN server. This is running at my home and makes configuration simple (via a web config page). For each VPN client, it builds a zip file of OpenVPN settings, ready to use. I assume you already have an OpenVPN server running, that it has been port forwarded and tested, and that you already have the config on the Ubuntu server.
VPN Client
Installing and setting up OpenVPN
sudo apt-get install openvpn
Move and unzip the config that Untangle made to /etc/openvpn. An "ls" of the folder /etc/openvpn should show two files with the same name, a ".conf" and a ".ovpn" file, and a folder labeled "untangle-vpn". Note: There is a file called "update-resolv-conf" that was already in that folder.
Now try:
# openvpn --config /etc/openvpn/myConfigNameHere.conf
If you get an error like "Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)", you will have to talk to your VPS provider to get that set up on your VPS, like I did.
All going well, you should be able to ping a machine on your home network!
Now we need a script to detect if OpenVPN is down and, if it is, restart it, so it will automatically reconnect.
OpenVPN auto reconnect script
This is a quick script that I built (I cannot remember where I got the ping code from, sorry) that gets run every minute. It basically pings its own private OpenVPN address to see if it's available, and if not it runs "service openvpn restart". I added this script in Webmin to the list of scheduled cron jobs, to run every minute.
Note: I'm using 172.16.0.5 as an example for the Ubuntu machine's IP address assigned by the OpenVPN server.
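<?php
// Run from cron every minute: restart OpenVPN when the VPN address stops answering.
if (!ping("172.16.0.5")) {
    exec("service openvpn restart"); // restart OpenVPN so it reconnects
}

// Send one ICMP echo request (5 second timeout); true if ping exits with status 0.
function ping($host) {
    exec(sprintf('ping -c 1 -W 5 %s', escapeshellarg($host)), $res, $rval);
    return $rval === 0;
}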
Done!
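A variant of the watchdog above, as an added example in shell that is not the author's script: it pings an address on the far side of the tunnel (a ping to the machine's own VPN address is answered locally and does not cross the tunnel) and restarts OpenVPN only after several consecutive failures. The peer address 172.16.0.1, the state file path, the script name and the variable names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script: cron watchdog for an OpenVPN client.
# Assumptions: PEER is an address on the far side of the tunnel (172.16.0.1
# is a constructed value) and the counter file may live in /run.
PEER="${PEER:-172.16.0.1}"
STATE="${STATE:-/run/openvpn-watchdog.fails}"
THRESHOLD="${THRESHOLD:-3}"            # consecutive failures before a restart
PING_CMD="${PING_CMD:-/bin/ping}"      # absolute paths: cron's PATH is minimal
RESTART_CMD="${RESTART_CMD:-/usr/sbin/service openvpn restart}"

# Succeeds if the peer answers one echo request within 5 seconds.
tunnel_up() {
    $PING_CMD -c 1 -W 5 "$PEER" >/dev/null 2>&1
}

# One watchdog pass; prints ok, waiting, restarted or restart-failed.
check_once() {
    if tunnel_up; then
        rm -f "$STATE"                 # healthy: forget earlier failures
        echo ok
        return 0
    fi
    fails=$(cat "$STATE" 2>/dev/null || echo 0)
    case "$fails" in ''|*[!0-9]*) fails=0 ;; esac   # ignore a corrupt counter
    fails=$((fails + 1))
    if [ "$fails" -lt "$THRESHOLD" ]; then
        echo "$fails" > "$STATE"       # tolerate a short outage
        echo waiting
        return 0
    fi
    rm -f "$STATE"
    if $RESTART_CMD >/dev/null 2>&1; then
        echo restarted
    else
        echo restart-failed
    fi
}

# Cron entry point: "openvpn-watchdog.sh --run"; log anything but "ok".
if [ "${1:-}" = "--run" ]; then
    result=$(check_once)
    [ "$result" = ok ] || logger -t openvpn-watchdog "peer $PEER: $result"
fi
```

Run it as root from cron with the `--run` argument; the syslog tag makes restarts easy to find when reviewing how often the tunnel drops.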
The opinions expressed on this website are my own and do not necessarily reflect the views of my employer. The posts on this website are provided "as is" with no warranties and confer no rights
Copyright © 2025 Jeremy Sells