This is my second attempt at setting up a VPN service, this time with lessons learned.
Server provider: RamNode
Price: $3/month
Virtualization: KVM
Specs: 512 GB RAM, 10 GB Storage, 1000 GB Bandwidth
Chosen OS: CentOS 7
After you set up your server, ssh into it.
Optionally, install and enable a firewall for better security. It is better to do this before you run the VPN script; otherwise you will have to update the firewall rules manually.
```
yum update
# If you want vim:
yum search vim
yum install vim-enhanced.x86_64
yum install firewalld
systemctl enable firewalld
systemctl start firewalld
# Show configuration for the given zone:
firewall-cmd --zone=public --list-all
# Add a port for your ssh console. Recommended to change from the default 22
firewall-cmd --add-port 1234/tcp
firewall-cmd --add-port 1234/tcp --permanent
vim /etc/ssh/sshd_config
# update Port to 1234 (or whatever you picked above)
# Uncomment Protocol 2 - it provides better security
service sshd restart
# this retrieves the vpn script - see https://github.com/Nyr/openvpn-install
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
# if you plan to run VPN on port 443
firewall-cmd --zone=public --add-port=443/udp
firewall-cmd --permanent --zone=public --add-port=443/udp
vim /etc/openvpn/server.conf
# add "port 443" or change to 443 if there is already an entry
# in the generated .ovpn file make the same change for the port
# should look something like this: remote your_server_ip 443
# additional security feature (not necessary for VPN)
yum install epel-release
yum install fail2ban
yum install fail2ban-systemd
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
systemctl enable fail2ban
vim /etc/fail2ban/jail.local
# set to something like this
------------------------
[DEFAULT]
# ban hosts for 300 seconds:
bantime = 300
maxretry = 2

[sshd]
port = your_ssh_port
enabled = true
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

# if SELinux is enabled (check with sestatus)
[selinux-ssh]
port = ssh
logpath = %(auditd_log)s
enabled = true

# Check logs: /var/log/fail2ban.log
------------------------
systemctl restart fail2ban
# if you need more users, just execute the script again
bash openvpn-install.sh
```
This generates a single some_name.ovpn file that you can download and use with an OpenVPN client. Hopefully, you now have a personal VPN server for roughly $30 a year.
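Once fail2ban is running, the log it writes is the quickest way to see whether the 300 second bantime above is actually doing anything. The following is an added example, not code from the original post: two small POSIX sh functions that summarise Ban events per jail and IP, and list the hosts that keep coming back. The log line layout it parses (`<date> <time> fail2ban.actions [pid]: NOTICE [jail] Ban <ip>`) is an assumption about fail2ban's default format; the sample lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise Ban events in
# /var/log/fail2ban.log so you can see which hosts keep coming back after
# the 300 second bantime configured in jail.local. Assumed line layout:
# "<date> <time> fail2ban.actions [pid]: NOTICE [jail] Ban <ip>"

# count_bans FILE -> one line per (jail, ip): "[jail] ip count", most bans first
count_bans() {
    grep -E '\] Ban [0-9.]+$' "$1" \
    | awk '{ key = $(NF-2) " " $NF; n[key]++ }
           END { for (k in n) print k, n[k] }' \
    | sort -k3,3nr -k2,2
}

# repeat_offenders FILE MIN -> IPs banned at least MIN times; candidates for a
# longer bantime or a permanent drop rule in firewalld
repeat_offenders() {
    count_bans "$1" | awk -v min="$2" '$3 >= min { print $2 }'
}

# Usage on the server:
#   count_bans /var/log/fail2ban.log
#   repeat_offenders /var/log/fail2ban.log 3
```

With a constructed log containing two bans for 203.0.113.5 and one for 198.51.100.7, `count_bans` prints `[sshd] 203.0.113.5 2` first and `repeat_offenders ... 2` prints only `203.0.113.5`. Unban lines are deliberately ignored, so the count reflects how often a host was caught, not whether it is currently blocked.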
Disabling ipv6
If you're not planning on using IPv6, you may as well disable it. Unfortunately fail2ban doesn't support it yet.
```
# runtime only: these settings do not survive a reboot
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
```
Multiple instances of OpenVPN
If you want to run multiple instances of OpenVPN (say the typical 1194 udp and another one on 443 tcp to avoid blocking), add a new config in /etc/openvpn. For simplicity, copy the existing server.conf and name it server2.conf.
Update server2.conf to use a different port and a different VPN subnet on the server line (if the original server.conf uses 10.8.0.0, give the new config 10.8.2.0):
```
port 443
proto tcp
server 10.8.2.0 255.255.255.0
```
Start your new openvpn instance:
```
# the instance name after "@" must match the config file name, server2.conf
systemctl start openvpn@server2
```
If using firewalld, add new rules:
```
firewall-cmd --zone=trusted --add-source=10.8.2.0/24
firewall-cmd --permanent --zone=trusted --add-source=10.8.2.0/24
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.2.0/24 -j SNAT --to your_server_ip
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.2.0/24 -j SNAT --to your_server_ip
```
Restart your new openvpn server:
```
systemctl restart openvpn@server2
```
If you'd like to use the same .ovpn config on the client side to connect to both ports, add this to the client config:
```
server-poll-timeout 4
remote your_ip 1194 udp
remote your_ip 443 tcp
remote your_ip 1194 udp
remote your_ip 1194 udp
```
This will try 1194 udp first; if that is unsuccessful, it will try 443 tcp, then 1194 udp again.
For this to work, both configs on the server must have the same settings (except for the port, protocol and subnet, of course).
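Keeping the two server configs in sync by hand is where this setup tends to drift. The following is an added example, not code from the original post or from the openvpn-install project: a POSIX sh helper that derives server2.conf from server.conf by rewriting only the port, proto and server lines, plus a check that the two files are otherwise identical. File names follow the post (server.conf and server2.conf under /etc/openvpn); the sample config built in `demo()` is constructed. One detail the post does not mention: OpenVPN only accepts `explicit-exit-notify` with udp, so the helper drops that line when the new instance is tcp.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the second OpenVPN
# server config from the first and check that the two differ only where they
# are allowed to (port, proto, server subnet). The sample config in demo()
# is constructed; on the real server the files live under /etc/openvpn.

# make_second_config SRC DST PORT PROTO SUBNET
# Copies SRC to DST with the port, proto and server lines replaced. For tcp
# the explicit-exit-notify line is dropped, since OpenVPN rejects it with tcp.
make_second_config() {
    src=$1; dst=$2; port=$3; proto=$4; subnet=$5
    script="s/^port .*/port $port/
s/^proto .*/proto $proto/
s/^server .*/server $subnet 255.255.255.0/"
    if [ "$proto" = tcp ]; then
        script="$script
/^explicit-exit-notify/d"
    fi
    sed "$script" "$src" > "$dst"
}

# config_diff_ok A B -> 0 when A and B are identical apart from the lines that
# may legitimately differ between the two instances, 1 otherwise.
config_diff_ok() {
    strip='^(port|proto|server|explicit-exit-notify)'
    a=$(grep -Ev "$strip" "$1" || true)
    b=$(grep -Ev "$strip" "$2" || true)
    if [ "$a" = "$b" ]; then
        return 0
    fi
    echo "configs differ beyond port/proto/server lines: $1 vs $2" >&2
    return 1
}

# demo -> builds a constructed server.conf in a temp dir, derives a 443/tcp
# config on 10.8.2.0 from it, prints the result and verifies the pair.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' \
        'server 10.8.0.0 255.255.255.0' 'keepalive 10 120' \
        'explicit-exit-notify' > "$dir/server.conf"
    make_second_config "$dir/server.conf" "$dir/server2.conf" 443 tcp 10.8.2.0
    cat "$dir/server2.conf"
    if config_diff_ok "$dir/server.conf" "$dir/server2.conf"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}
```

On the server the calls would be `make_second_config /etc/openvpn/server.conf /etc/openvpn/server2.conf 443 tcp 10.8.2.0` followed by `config_diff_ok` on the same two paths before starting the second instance; running `config_diff_ok` again after any later edit to server.conf catches the case where the two have quietly diverged.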
OpenDNS
If you use OpenDNS, head to https://dashboard.opendns.com/ and set it up there.
Auto-update all CentOS packages
```
yum -y install yum-cron
vim /etc/yum/yum-cron.conf
# set:
# download_updates = yes
# apply_updates = yes
systemctl enable yum-cron.service
systemctl start yum-cron
```
Harden SSH
```
vim /etc/ssh/sshd_config
```
```
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256,hmac-sha2-512
```
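A typo in any of those three lines either leaves a weak algorithm enabled or stops sshd from starting, and on a remote box the second case locks you out. The following is an added example, not code from the original post: a POSIX sh checker that reads an sshd_config file and reports any Ciphers, KexAlgorithms or MACs value that is not on the allow-lists given above (a missing keyword is reported too, since sshd then falls back to its built-in defaults). The sample config files in the usage note are constructed. Before `service sshd restart` on the real server, also run `sshd -t` to validate the file and `sshd -T` to print the effective values; both need root.

```shell
#!/bin/sh
# Added example, not part of the original post: check an sshd_config file so
# that Ciphers/KexAlgorithms/MACs contain only algorithms from the allow-lists
# given in the post. Run `sshd -t` (syntax check) and `sshd -T` (effective
# config) as root before restarting sshd on the real server.

# allowed_for KEYWORD -> prints the comma-separated allow-list for that keyword
allowed_for() {
    case $1 in
        Ciphers) echo "aes128-ctr,aes192-ctr,aes256-ctr" ;;
        KexAlgorithms) echo "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" ;;
        MACs) echo "hmac-sha2-256,hmac-sha2-512" ;;
        *) return 1 ;;
    esac
}

# in_list ITEM CSV -> 0 if ITEM is one of the comma-separated values in CSV
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# check_keyword FILE KEYWORD -> 0 if the keyword is set (first uncommented
# occurrence wins, as in sshd) and every value is allowed; prints each
# disallowed value. A missing keyword fails: sshd would use its defaults.
check_keyword() {
    file=$1; kw=$2; rc=0
    line=$(grep -Ei "^[[:space:]]*$kw[[:space:]]" "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "$kw: not set"
        return 1
    fi
    values=$(echo "$line" | awk '{print $2}')
    allowed=$(allowed_for "$kw")
    old_ifs=$IFS; IFS=,
    for v in $values; do
        in_list "$v" "$allowed" || { echo "$kw: $v not allowed"; rc=1; }
    done
    IFS=$old_ifs
    return $rc
}

# check_config FILE -> 0 only if Ciphers, KexAlgorithms and MACs all pass
check_config() {
    rc=0
    for kw in Ciphers KexAlgorithms MACs; do
        check_keyword "$1" "$kw" || rc=1
    done
    return $rc
}

# Usage on the server: check_config /etc/ssh/sshd_config && sshd -t
```

Run against a constructed file with `Ciphers aes128-ctr,aes128-cbc` and `MACs hmac-sha2-256,hmac-sha1` and no KexAlgorithms line, `check_config` prints `Ciphers: aes128-cbc not allowed`, `KexAlgorithms: not set` and `MACs: hmac-sha1 not allowed` and returns 1; against the three lines from the post it returns 0. The allow-lists are the post's own and can be tightened by editing `allowed_for`.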
A nice resource to test the speed: https://speedof.me/.