Setting up Personal VPN Server

Security No Comments

This is my second attempt at setting up a VPN service. This this time with lessons learned.
Server provider: RamNode
Price: $3/month
Virtualization: KVM
Specs: 512 GB RAM, 10 GB Storage, 1000 GB Bandwidth
Chosen OS: CentOS 7

After you set up your server, ssh into it.

Optionally, install and enable firewall for better security. Better to do before you run the vpn script. Otherwise, will have to manually update firewall rules.

yum update
# If you want vim:
yum search vim
yum install vim-enhanced.x86_64
yum install firewalld


systemctl enable firewalld
systemctl start firewalld

#Show configuration for the given zone:
firewall-cmd --zone=public --list-all

# add a port for your ssh console. Recommended to change from default 12
firewall-cmd --add-port 1234/tcp
firewall-cmd --add-port 1234/tcp --permanent
vim /etc/ssh/sshd_config
# update Port to 1234 (or whatever you picked above)
# Uncomment Protocol 2 - it provides better security
service sshd restart


# this retrieves the vpn script - see https://github.com/Nyr/openvpn-install
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh


# if you plan to run VPN on port 443
firewall-cmd --zone=public --add-port=443/udp
firewall-cmd --permanent --zone=public --add-port=443/udp
vim /etc/openvpn/server.conf
#add "port 443" or change to 443 if there is already an entry

#in the generated .ovpn file make the same change for the port
# should look something like this: remote your_server_ip 443


# additional security feature (not necessary for VPN)
yum install epel-release
yum install fail2ban
yum install fail2ban-systemd
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
systemctl enable fail2ban
vim /etc/fail2ban/jail.local
#set to somehting like this
------------------------
[DEFAULT]
# ban hosts for 300 seconds:
bantime = 300
maxretry = 2

[sshd]
port = your_ssh_port
enabled = true

#Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport


#if SELinux is enabled (check with sestatus)
[selinux-ssh]
port     = ssh
logpath  = %(auditd_log)s
enabled = true


#Check logs:
/var/log/fail2ban.log
------------------------
systemctl restart fail2ban



# if you need more users, just execute the script again
sh openvpn-install.sh

This generates a single some_name.ovpn file that you can download and use with an OpenVPN client. Hopefully, you now have a personal VPN server for roughly $30 a year.

Disabling ipv6
If you’re not planning on using ipv6, may as well disable it. Unfortunately fail2ban doesn’t support it yet.

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Multiple instances of OpenVPN

If you want to run multiple instances of vpn (say a typical 1194 udp and another one on 443 tcp to avoid blocking)
Add a new config in /etc/openvpn
For simplicity, you can copy existing server.conf and lets name it server2.conf.

Update server2.conf to use a different port and change the server ip (let’s say if original server.conf has ip of 10.8.0.0, let’s give the new config
10.8.2.0:

port 443
proto tcp
server 10.8.2.0 255.255.255.0

Start your new openvpn instance:

systemctl start openvpn@server_443_tcp

If using firewalld, add new rules:

firewall-cmd --zone=trusted --add-source=10.8.2.0/24
firewall-cmd --permanent --zone=trusted --add-source=10.8.2.0/24
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.2.0/24 -j SNAT --to your_server_ip
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.2.0/24 -j SNAT --to your_server_ip

Restart your new openvpn server:

systemctl restart openvpn@server_443_tcp

If you’d like to use the same .ovpn config on the client side to connect to both ports, add this to client config:

server-poll-timeout 4
remote your_ip 1194 udp
remote your_ip 443 tcp
remote your_ip 1194 udp
remote your_ip 1194 udp

This will try to connect to 1194 udp first, then if unsuccessful, it’ll try 443 tcp, then 1194
In order for this to work, both configs on the server must have the same settings (except for IP’s of course)

OpenDNS
If using OpenDNS head to https://dashboard.opendns.com/ and set it up

Auto-update all CentOS packages

yum -y install yum-cron

vim /etc/yum/yum-cron.conf
# set:
# download_updates = yes
# apply_updates = yes
sudo systemctl enable yum-cron.service
systemctl start yum-cron

Harden SSH
vim /etc/ssh/sshd_config

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256,hmac-sha2-512

A nice resource to test the speed: https://speedof.me/.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.