You’ve decided to set up a VPN within your own VPC (Virtual Private Cloud). Congrats! This is a big decision, and it’s not easy to do everything by yourself. This guide will walk you through the entire process of configuring a VPN server within your VPC so you can connect to the Internet securely from anywhere.
Plan Your VPN Strategy
Before you get started, you need to have a clear strategy in mind. What do you want to achieve? Do you want to secure all your Internet traffic? Or do you just want to encrypt some of it? Are you using this VPN server for a specific purpose (work, school, etc.), or is it just for general use?
Also, decide how you will authenticate yourself within the VPN (username and password, public key, certificate, etc.). Remember: you’re in full control of the VPN server; you can configure anything you want, including the authentication method!
Create Your VPC
The first thing you need to do is create your virtual private cloud (VPC). You can use one of the following services to do this:
- Amazon Web Services
- Google Cloud Platform
- Microsoft Azure
Whichever service you use, make sure you purchase a dedicated IP from the provider (this will be your IP address for the VPN server). You don’t want to use your own IP because you won’t be able to access the server from outside of the network. Once you’ve purchased the dedicated IP, you can create your VPC within a few minutes. You won’t have to provide any payment details to create your VPC.
Install Ubuntu Server
The next step is to install Ubuntu Server within your VPC. You can choose any version from 16.04 LTS (Long Term Support) to 20.04 Focal Fossa. Choose the version that best suits your needs. If you’re new to Linux, go with the LTS version to minimize the number of updates you’ll need to handle.
Now that you have Ubuntu Server installed, you can install the VPN client OpenVPN on it. OpenVPN connects to your VPN server (running on AWS, Microsoft Azure, or Google Cloud Platform) and allows you to securely send and receive data over the Internet with anyone, anywhere. The beauty of OpenVPN is that it’s open source, so you have complete control over it (this also means that it’s completely free).
There are a few different OpenVPN flavors to choose from, all with their own unique features. For a secure and private connection, it’s best to go with the premium packages that provide additional features (more on this later).
Configure Your VPN Server
Once you’ve installed OpenVPN on your VPN server, it’s time to configure it. The first step is to open the VPN connection from your client (the software you use to access the Internet). Then, configure the basic settings (gateway, username, and password) and click Save to apply them. After that, click Test to verify the connection. If everything works as expected, you’re done.
The only limitation of this method is that you must have access to the Internet from the VPN server itself (i.e. you can’t access the server from a remote location using a different Internet connection). If this is the case, then you’ll need to configure the VPN server to allow remote VPN logins (more on this later).
Configure Your DNS
The next step is to configure your DNS. DNS stands for “Domain Name System,” and it’s a way of assigning a friendly name to a domain (such as google.com) instead of an IP address (like 18.104.22.168). Think of it like an online phone book that maps domain names to IP addresses.
When you visit a website, your Internet service provider (ISP) translates the website’s domain name to its IP address. Without going into too much detail, this process (called DNS resolution) can take a while, and during this time, your device will not be able to access the website (because it doesn’t have the correct IP address).
To help solve this, you can use the DNS server within your VPC to speed up the process. This method is pretty straightforward: you simply add the required DNS servers to your VPC and configure the VPC to use them. You don’t need to add any other DNS servers because your VPC will automatically resolve DNS queries to the correct IP addresses.
Configure Your DHCP
The final step before you can connect to the Internet is to configure your Dynamic Host Configuration Protocol (DHCP). DHCP is a protocol that automatically assigns your computer a block of IP addresses when you connect to the Internet. You don’t have to configure anything to use DHCP, it will work straight out of the box. However, if you’d like to assign your device a fixed IP address (i.e. one that doesn’t change), then you’ll need to configure DHCP to assign the same IP address to your device every time it connects to the Internet.
Secure Your Connection
Now that you have your VPN server configured, it’s time to secure your connection to the Internet. This means that you’ll need to verify that you’re connected to the Internet by a secure connection. You could use PGP (Pretty Good Privacy) to encrypt all your Internet traffic, or you could use TLS (Transport Layer Security) to encrypt only the traffic between your device and the VPN server. TLS is considered to be more secure than PGP, so it should be your priority.
To secure your connection to the Internet using PGP, you’ll need to install the GnuPG program (this is free software that allows you to encrypt and decrypt data). Then, from a shell prompt, execute the following command:
$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys EFBC6796
This command will download and import the public key for the Ubuntu archive (currently named “bionic”). Once the key is installed on your device, you can use it to securely send and receive data over the Internet with anyone, anywhere (using OpenVPN).
When using the VPN server with TLS, you’ll need to execute the following command to create the server’s private key (the certificate is issued from this key in the next step):
$ openssl genrsa -out private/mycertificate.key 2048
This creates a 2048-bit RSA private key in private/mycertificate.key (the private/ directory must already exist). The -out option tells the command where to write the key.
Then, you need to upload the certificate and private key to your device. To re-encode the certificate as a separate PEM file, run:
$ openssl x509 -in server.crt -out server.cert
-in server.crt is the certificate to read, and -out server.cert is where the copy is written. After you’ve uploaded the certificate and private key, use the server’s IP address (as seen from the VPN client) as the common name of the certificate.
To use the VPN server with TLS, you’ll need to set up a TLS certificate on the server and create a configuration file that specifies the location of the certificate and private key. To do this, from a shell prompt, enter the following commands:
$ mkdir -p /etc/openvpn/tls
$ touch /etc/openvpn/tls/server.key
$ chmod 600 /etc/openvpn/tls/server.key
$ nano /etc/openvpn/tls/server.key
The first command creates the /etc/openvpn/tls directory if it doesn’t exist, and the second creates an empty file for the private key. The third command makes the private key stored in that directory (server.key) readable and writable only by its owner (i.e. only the root user can read the file). The final command opens server.key in the nano text editor so you can paste in the key you generated earlier; the certificate (server.crt) goes into the same directory and may remain world-readable.
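The following script is an added example (not part of the original guide) that ties the TLS and DNS steps together: it generates the server key and a self-signed certificate whose common name is the server’s public IP, locks down the key, and writes a minimal OpenVPN server configuration that points at those files and pushes the VPC resolver to clients. The directory, server IP (203.0.113.10) and resolver address (10.0.0.2) are assumed placeholders; the self-signed certificate doubles as the CA the clients trust.

```shell
#!/bin/sh
# Added example: create the OpenVPN server key/cert and a minimal server.conf.
# All paths and addresses are placeholders chosen for this example.
set -eu

# make_server_tls DIR SERVER_IP
# Creates DIR/server.key (mode 600) and DIR/server.crt (mode 644).
make_server_tls() {
  dir=$1; ip=$2
  mkdir -p "$dir"
  umask 077                      # new files start owner-only
  # Private key first; it must never be readable by other users.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  # Self-signed certificate with the server IP as the common name, 1 year.
  openssl req -new -x509 -key "$dir/server.key" -out "$dir/server.crt" \
    -days 365 -subj "/CN=$ip" 2>/dev/null
  chmod 600 "$dir/server.key"    # key: owner read/write only
  chmod 644 "$dir/server.crt"    # certificate is public, clients get a copy
}

# write_server_conf DIR DNS_IP
# Prints an OpenVPN server configuration referencing the files above.
write_server_conf() {
  dir=$1; dns=$2
  cat <<EOF
port 1194
proto udp
dev tun
ca $dir/server.crt
cert $dir/server.crt
key $dir/server.key
dh none
server 10.8.0.0 255.255.255.0
# hand clients the VPC resolver instead of the one from their ISP
push "dhcp-option DNS $dns"
# send all client traffic through the tunnel
push "redirect-gateway def1"
persist-key
persist-tun
user nobody
group nogroup
EOF
}

# key_mode FILE -> octal permission bits, e.g. 600 (Linux or BSD stat)
key_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
```

Run `make_server_tls /etc/openvpn/tls 203.0.113.10` as root, then `write_server_conf /etc/openvpn/tls 10.0.0.2 > /etc/openvpn/server.conf`.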