Hacker News new | past | comments | ask | show | jobs | submit login
How to Setup an OpenVPN Server on Digital Ocean (github.com)
78 points by git-sgmoore on Jan 8, 2017 | hide | past | web | favorite | 34 comments

L2TP is quite old, itself does not provide encryption or confidentiality to traffic passes thru it. L2TP/IPsec encapsulates data twice at layer 2, it has pros and cons. See this -> https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs...

IKEv{1,2} + IPsec (tunnel mode) is recommended. strongSwan is probably the best free, open source IPsec solution out there (much better than libreswan...), very good documentation and examples etc, actively developed and maintained by a bunch of passionate guys that knows the stuff.

Our company (pre-IPO startup) has been using strongSwan for 2+ years as site-to-site solution from on-premises data centres to AWS VPC, proved to be rock solid as long as it's properly configured ;-) The only drawback is that strongSwan currently does not have a mature HA solution but it's shaping up (5.4.0 introduced IKEv2 redirect). Hopefully a proper HA solution will be built on top of that and later productized ;-)

BTW: I myself have been using strongSwan since 5.0.x for remote access, to protect privacy, fight censorship (yes, originally from China mainland where GFW is in place, etc...). The native strongSwan client for Android is a killer ;-)


Probably a silly question but what will I do with this?

I have a personal DO OpenVPN proxy setup because my country (Pakistan) censors internet, which I made following the DO guide [1]. I set it up a while ago, and it was mostly copying commands.

Will this allow me to use Tunnelblink and use my VPN as a proxy? Will it let me connect my machines to each other a VPN? What's the motivation for a setup like this.

[1]: https://www.digitalocean.com/community/tutorials/how-to-set-...

Only traffic destined to the subnet in encryption domain go through the VPN connection (you can check IP routing table and identify that - interface should be tun0 or equivalent).

In case of OpenVPN remote access use case, you may have to route all traffic through the VPN connection (TunnelBlick has an option for you to tick, or you'll have to generate a new client config file), you also need proper NAT rules in place on the OpenVPN server.

To achieve what you want, blocked sites over VPN and unblocked via your ISP, extra effort may be needed, e.g. by poking around routing table and/or using dnsmasq.

You could also get CoreOS and a container with openvpn in a few lines https://github.com/kylemanna/docker-openvpn

The open VPN container is amazing. Definitely worth a look. If you commands and you'll get service plus an auto-login profile that is about as easy to use as possible.

It doesn't need to be CoreOS, it can be any docker host.

Sure. Just CoreOS makes it easier with docker-rkt pre-installed.

You can get an openvpn container on dply.co in 1-2 minutes, and you use it for free...

> wget ... --no-check-certificate

Why? Oh why?


But it's downloading stuff via HTTP, so certificate verification doesn't help that much.

I personally prefer to use curl whenever possible (don't blindly do curl | sh though) ;-)


Fixed, thank you.

My experience with openvpn is abysmal. It is slow, tunnels tcp-over-tcp the wrong way[0], tunnels udp-over-tcp the wrong way, and the connections were quite fargile.

Does anyone have alternatives to recommend? SoftEther looks like the bees knees from the website, but I haven't found trustworthy reviews from real users.

[0] http://sites.inka.de/bigred/devel/tcp-tcp.html

https://github.com/hwdsl2/setup-ipsec-vpn has one-click options for DigitalOcean (http://dovpn.carlfriess.com/) and others

I made a project like this as well, but with Ansible. I submitted a separate post for that but won't link it here out of courtesy. https://github.com/robbintt/popup-openvpn

Do anyone know about a good user friendly OpenVPN client for Windows? The official one requires a lot of fiddling with administrator permissions to work, which most non tech people have no chance to do successfully.

The latest 2.4 client does not require Administrator privileges.

I use viscosity, which has the added benefit of allowing multiple VPN's (e.g. to multiple VPC's on AWS or w/e).

Thanks! That is exactly what we need at our company!

Take a look at dockerized alternatives too. Makes it a lot easier.

For example https://hub.docker.com/r/siomiz/softethervpn/ outputs the config file to stdout so you can just run it, get the config with docker logs and connect.

I run a pfsense router for fun at my house and it has a really nice UI/wizard for OpenVPN. Even got it hooked up with AD login + certificates without much trouble.

Having a GUI can make playing with it really fun and easy. I spent yesterday toggling through all the different encryption methods to see how they effected mobile performance (turns out: it effects it a LOT. Don't encrypt stronger than necessary!)

I've been using pivpn[0] for about a year now (first on a raspi, and now on ubuntu 16.04 server). Wraps all the basic commands like client cert gen and revocation. Many sensible defaults.

[0] https://github.com/pivpn/pivpn

I follow this guide for setting up OpenVPN: https://www.tinfoilsecurity.com/blog/dont-get-pwned-on-publi...

by only looking at the source (haven't installed it) I'm guessing this leaks ipv6 addresses and probably shouldn't be used. this is the second openvpn install script to match that description today.

Your comment would have been a lot more useful if you provided a link to info on how to prevent that.

sorry, I had mentioned it in the other thread -- in your openvpn config set server-ipv6 and use tun-ipv6[0].

depending on your server environment you'll want to use ip6tables with essentially the same commands as iptables, substituting for ipv6 addresses.

0. https://community.openvpn.net/openvpn/wiki/IPv6

(delayed response)


In the past, I've had a habit of passing "ipv6.disable=1" (a.k.a. the "nuclear option") to the kernel on hosts I manage. I'm trying to get away from that, though, and lately, I've simply been dropping "everything IPv6" in my rulesets to avoid things like this.

Would this work on Amazon EC2 as well?

Very similar.

However, for EC2 Linux instances you'll need to enable IP forwarding by disabling Source/Destination Check for the instance in addition to setting net.ipv4.ip_forward=1 for the VM.

Also EC2 uses layered security, so you may have OS level packet filter, then NACLs (if used - stateless), finally Security Groups (stateful).

Yes, or Google or Azure or any VPS provider. These instructions use apt so Ubuntu or Debian

I have one. I wish it would still work with Netflix. :(


https://github.com/Nyr/openvpn-install with a budget $15/year vps and you're good for personal needs.

That said, this is a great write-up and I'm sure very helpful to those that need to set up a more custom/mission critical development.

the OP's script embeds the script you're linking to. neither of these should be used for anything mission critical.

An easier alternative is to tunnel everything through a SSH connection.

I use putty tunneling+proxifier (on windows) and a python script on my ubuntu box (The name is escaping me at the moment).

It's very simple to setup, doesn't require a ton of configuration, and can be just a secure as a VPN connection.

I've never been a fan of OpenVPN. Configuration is cumbersome and performance wasn't that great.

SSH Tunnel - Dynamic (port) Forwarding works, it can even be shared by IPs within the same network (ssh -g on clients / GatewayPorts yes on sshd) but it requires per application configuration (set as SOCKS5 proxy, Firefox requires extra configuration to use remote host to do dns lookups by setting -> network.proxy.socks_remote_dns yes).

NOTE: some tips written down previously ;-) https://sites.google.com/site/imterry/computer/tools/ssh

In countries like China (and more) where massive state-sponsored Internet censorship is in place, the unusual SSH traffic pattern can be easily detected and IPs of the SSH server blocked in less than a hour. That's why IPsec (strongSwan) and OpenVPN start to become popular among Chinese netizens and skills have been developed (networking, security etc...) LoL

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact