
How to Setup an OpenVPN Server on Digital Ocean - git-sgmoore
https://github.com/git-sgmoore/OpenVPN_Ipsec_L2tp_server_on_Digital_Ocean
======
terrywang
L2TP is quite old and does not itself provide encryption or confidentiality to
the traffic that passes through it. L2TP/IPsec encapsulates data twice at layer 2;
it has pros and cons. See this -> [https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs...](https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/)

IKEv{1,2} + IPsec (tunnel mode) is recommended. strongSwan is probably the
best free, open source IPsec solution out there (much better than
libreswan...), with very good documentation and examples etc, actively developed
and maintained by a bunch of passionate guys who know their stuff.

Our company (pre-IPO startup) has been using strongSwan for 2+ years as a site-
to-site solution from on-premises data centres to AWS VPC, and it has proved to be
rock solid as long as it's properly configured ;-) The only drawback is that
strongSwan currently does not have a mature HA solution, but it's shaping up
(5.4.0 introduced IKEv2 redirect). Hopefully a proper HA solution will be
built on top of that and later productized ;-)

BTW: I myself have been using strongSwan since 5.0.x for remote access, to
protect privacy, fight censorship (yes, originally from China mainland where
GFW is in place, etc...). The native strongSwan client for Android is a killer
;-)

HTH

------
amingilani
Probably a silly question but what will I do with this?

I have a personal DO OpenVPN proxy setup because my country (Pakistan) censors
internet, which I made following the DO guide [1]. I set it up a while ago,
and it was mostly copying commands.

Will this allow me to use Tunnelblick and use my VPN as a proxy? Will it let
me connect my machines to each other over a VPN? What's the motivation for a setup
like this?

[1]: [https://www.digitalocean.com/community/tutorials/how-to-set-...](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04)

~~~
terrywang
Only traffic destined to the subnet in the encryption domain goes through the VPN
connection (you can check the IP routing table and identify that - the interface
should be tun0 or equivalent).

In the OpenVPN remote access use case, you may have to route all traffic
through the VPN connection (Tunnelblick has an option for you to tick, or
you'll have to generate a new client config file); you also need proper NAT
rules in place on the OpenVPN server.

To achieve what you want (blocked sites over the VPN, unblocked ones via your ISP),
extra effort may be needed, e.g. by poking around the routing table and/or using
dnsmasq.

------
AdamGibbins
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo) and
[https://github.com/jlund/streisand](https://github.com/jlund/streisand) are
also great alternatives.

------
antouank
You could also get CoreOS and a container with openvpn in a few lines
[https://github.com/kylemanna/docker-openvpn](https://github.com/kylemanna/docker-openvpn)

~~~
matt_wulfeck
The open VPN container is amazing. Definitely worth a look. If you commands
and you'll get service plus an auto-login profile that is about as easy to use
as possible.

It doesn't need to be CoreOS, it can be any docker host.

~~~
antouank
Sure. Just CoreOS makes it easier with docker-rkt pre-installed.

You can get an openvpn container on dply.co in 1-2 minutes, and you use it for
free...

------
mpitt
> wget ... --no-check-certificate

Why? Oh why?

~~~
jwilk
[https://github.com/git-sgmoore/OpenVPN_Ipsec_L2tp_server_on_...](https://github.com/git-sgmoore/OpenVPN_Ipsec_L2tp_server_on_Digital_Ocean/commit/b1a3602cdafd0021550d68f91147d08092e603ac)

But it's downloading stuff via HTTP, so certificate verification doesn't help
that much.
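
The pattern both comments are pointing at, as an added example that is not code from the linked repository: keep certificate checking on, and pin a SHA-256 of the script you are about to run, obtained out of band (a signed checksum file, the project's release notes). The URL and digest in the comments are placeholders; the only thing the test exercises offline is the digest check.

```shell
#!/bin/sh
# Added example: download an installer over TLS (certificate verification left
# ON, no --no-check-certificate / -k) and only keep it if its SHA-256 matches a
# digest obtained separately. URL and digest below are placeholders.

# sha256_of FILE -> prints the hex digest, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# fetch_verified URL EXPECTED_HEX DEST -> fetch with TLS verification, keep DEST
# only when the digest matches. A plain http:// URL is refused: the pinned digest
# protects the payload, but TLS still keeps the request and any server-side
# metadata away from whoever sits on the network path.
fetch_verified() {
  url=$1; expected=$2; dest=$3
  case $url in
    https://*) ;;
    *) echo "refusing non-HTTPS URL: $url" >&2; return 2 ;;
  esac
  tmp=$(mktemp) || return 1
  if command -v curl >/dev/null 2>&1; then
    # --proto '=https' refuses a redirect to http://; TLS errors abort.
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  else
    wget -q -O "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  fi
  if verify_sha256 "$tmp" "$expected"; then
    mv "$tmp" "$dest"
  else
    echo "digest mismatch for $url, discarding download" >&2
    rm -f "$tmp"
    return 1
  fi
}

# Usage (placeholder values):
# fetch_verified https://example.invalid/setup.sh <sha256-from-release-notes> ./setup.sh \
#   && sh ./setup.sh
```

The digest is what makes the script trustworthy; the TLS check is what keeps a mismatch from being the first sign that something is wrong with the path to the server.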

------
beagle3
My experience with openvpn is abysmal. It is slow, tunnels tcp-over-tcp the
wrong way[0], tunnels udp-over-tcp the wrong way, and the connections were
quite fragile.

Does anyone have alternatives to recommend? SoftEther looks like the bee's
knees from the website, but I haven't found trustworthy reviews from real
users.

[0] [http://sites.inka.de/bigred/devel/tcp-tcp.html](http://sites.inka.de/bigred/devel/tcp-tcp.html)

------
philfreo
[https://github.com/hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)
has one-click options for DigitalOcean
([http://dovpn.carlfriess.com/](http://dovpn.carlfriess.com/)) and others

------
robbintt
I made a project like this as well, but with Ansible. I submitted a separate
post for that but won't link it here out of courtesy.
[https://github.com/robbintt/popup-openvpn](https://github.com/robbintt/popup-openvpn)

------
olavgg
Does anyone know about a good user-friendly OpenVPN client for Windows? The
official one requires a lot of fiddling with administrator permissions to
work, which most non-tech people have no chance to do successfully.

~~~
dc_gregory
I use Viscosity, which has the added benefit of allowing multiple VPNs (e.g.
to multiple VPCs on AWS or w/e).

~~~
olavgg
Thanks! That is exactly what we need at our company!

------
eknkc
Take a look at dockerized alternatives too. Makes it a lot easier.

For example
[https://hub.docker.com/r/siomiz/softethervpn/](https://hub.docker.com/r/siomiz/softethervpn/)
outputs the config file to stdout so you can just run it, get the config with
docker logs and connect.

~~~
aarongolliver
I run a pfsense router for fun at my house and it has a really nice UI/wizard
for OpenVPN. Even got it hooked up with AD login + certificates without much
trouble.

Having a GUI can make playing with it really fun and easy. I spent yesterday
toggling through all the different encryption methods to see how they affected
mobile performance (turns out: it affects it a LOT. Don't encrypt stronger
than necessary!)

------
cmsimike
I've been using pivpn[0] for about a year now (first on a raspi, and now on
ubuntu 16.04 server). Wraps all the basic commands like client cert gen and
revocation. Many sensible defaults.

[0] [https://github.com/pivpn/pivpn](https://github.com/pivpn/pivpn)

------
dannysu
I follow this guide for setting up OpenVPN:
[https://www.tinfoilsecurity.com/blog/dont-get-pwned-on-publi...](https://www.tinfoilsecurity.com/blog/dont-get-pwned-on-public-wifi-use-your-own-vpn-tutorial-guide-how-to)

------
tribby
by only looking at the source (haven't installed it) I'm guessing this leaks
ipv6 addresses and probably shouldn't be used. this is the second openvpn
install script to match that description today.

~~~
jlgaddis
Your comment would have been a lot more useful if you provided a link to info
on how to prevent that.

~~~
tribby
sorry, I had mentioned it in the other thread -- in your openvpn config set
server-ipv6 and use tun-ipv6 [0].

depending on your server environment you'll want to use ip6tables with
essentially the same commands as iptables, substituting for ipv6 addresses.

[0] [https://community.openvpn.net/openvpn/wiki/IPv6](https://community.openvpn.net/openvpn/wiki/IPv6)

~~~
jlgaddis
_(delayed response)_

Thanks.

In the past, I've had a habit of passing "ipv6.disable=1" (a.k.a. the "nuclear
option") to the kernel on hosts I manage. I'm trying to get away from that,
though, and lately, I've simply been dropping "everything IPv6" in my rulesets
to avoid things like this.

------
joshiej
Would this work on Amazon EC2 as well?

~~~
terrywang
Very similar.

However, for EC2 Linux instances you'll need to enable IP forwarding by
disabling Source/Destination Check for the instance in addition to setting
net.ipv4.ip_forward=1 for the VM.

Also EC2 uses layered security, so you may have OS level packet filter, then
NACLs (if used - stateless), finally Security Groups (stateful).

------
manish_gill
I have one. I wish it would still work with Netflix. :(

Sigh.

------
whyileft
[https://github.com/Nyr/openvpn-install](https://github.com/Nyr/openvpn-install)
with a budget $15/year vps and you're good for personal needs.

That said, this is a great write-up and I'm sure very helpful to those that
need to set up a more custom/mission critical development.

~~~
tribby
the OP's script embeds the script you're linking to. neither of these should
be used for anything mission critical.

------
rick_perez
An easier alternative is to tunnel everything through an SSH connection.

I use putty tunneling+proxifier (on windows) and a python script on my ubuntu
box (The name is escaping me at the moment).

It's very simple to set up, doesn't require a ton of configuration, and can be
just as secure as a VPN connection.

I've never been a fan of OpenVPN. Configuration is cumbersome and performance
wasn't that great.

~~~
terrywang
SSH Tunnel - Dynamic (port) Forwarding works, it can even be shared by IPs
within the same network (ssh -g on clients / GatewayPorts yes on sshd) but it
requires per-application configuration (set as SOCKS5 proxy; Firefox requires
extra configuration to use the remote host for DNS lookups, by setting ->
network.proxy.socks_remote_dns yes).

NOTE: some tips written down previously ;-)
[https://sites.google.com/site/imterry/computer/tools/ssh](https://sites.google.com/site/imterry/computer/tools/ssh)

In countries like China (and more) where massive state-sponsored Internet
censorship is in place, the unusual SSH traffic pattern can be easily detected
and the IPs of the SSH server blocked in less than an hour. That's why IPsec
(strongSwan) and OpenVPN have started to become popular among Chinese netizens and
skills have been developed (networking, security etc...) LoL
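
The per-application half of this setup, as an added example that is not taken from terrywang's notes: a helper that writes the Firefox `user.js` prefs for a SOCKS5 proxy with remote DNS, and a check that flags the usual mistake of pointing Firefox at the SOCKS port while leaving DNS resolved locally (every hostname then goes to the ISP's resolver in the clear). Host and port are assumed values; note that `network.proxy.socks_remote_dns` is a boolean pref in Firefox.

```shell
#!/bin/sh
# Added example: Firefox side of SSH dynamic port forwarding. The listener is
# opened with something like the commented command; -N opens no shell and -g
# accepts SOCKS connections from other hosts on the LAN, as the comment above
# describes. Host name and port are placeholders.
#
# ssh -g -N -D 1080 user@ssh.example.invalid

# write_firefox_socks_prefs HOST PORT OUT -> writes a user.js for a profile
# that sends both traffic and DNS lookups through the SOCKS5 port.
write_firefox_socks_prefs() {
  host=$1; port=$2; out=$3
  cat > "$out" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "$host");
user_pref("network.proxy.socks_port", $port);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# pref_value FILE NAME -> prints the value of the last user_pref("NAME", ...) line.
pref_value() {
  sed -n "s/^user_pref(\"$2\", *\(.*\));.*/\1/p" "$1" | tail -n 1
}

# socks_dns_leak_check FILE -> 0 when a manual SOCKS proxy is configured and DNS
# goes through it; 1 with a message when name lookups would bypass the tunnel.
socks_dns_leak_check() {
  f=$1
  [ "$(pref_value "$f" network.proxy.type)" = "1" ] \
    || { echo "no manual proxy configured"; return 1; }
  [ -n "$(pref_value "$f" network.proxy.socks)" ] \
    || { echo "no SOCKS host configured"; return 1; }
  [ "$(pref_value "$f" network.proxy.socks_remote_dns)" = "true" ] \
    || { echo "DNS resolved locally: lookups bypass the SSH tunnel"; return 1; }
  return 0
}

# Usage: write the prefs into a profile directory, then audit it.
# write_firefox_socks_prefs 127.0.0.1 1080 ~/.mozilla/firefox/<profile>/user.js
# socks_dns_leak_check ~/.mozilla/firefox/<profile>/user.js
```

Restart Firefox after writing `user.js`; it overrides `prefs.js` on startup. The same leak check applies to any other app you point at the SOCKS port: if it resolves names itself, the proxy only hides the connection, not the lookup.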

