Preface
There are many tutorials on the Internet explaining how to install an OpenVPN server on a VPS. In fact, almost all the popular VPN providers have one. In this tutorial we are going to see how to install the server like the others do, and also how to use that server from Android devices. The same procedure and configuration may work on Apple or other devices, but I haven't tested that.
What Will I Learn?
- Installing OpenVPN
- Configuring it for better security
- Making an .ovpn file for use with Android devices
- How to use that file with the OpenVPN Connect app
Difficulty
Intermediate: This tutorial will be easier if you have basic knowledge of the Terminal and Ubuntu servers.
Requirements
- An Ubuntu VPS with root access
- A computer with Terminal
- An Android device
Installing OpenVPN
Log in to your VPS using the Terminal, then update the package lists and upgrade the currently installed software.
sudo apt update && sudo apt upgrade
Now let's install the OpenVPN community edition (and easy-rsa, which we will use to manage certificates) with the following command.
sudo apt install openvpn easy-rsa
OpenVPN encrypts the connection between you and the server using TLS/SSL, so we have to set up our own Certificate Authority (CA) to issue the server and client certificates. To start issuing our own certificates, we copy the easy-rsa template files into a folder and change the working directory to it.
make-cadir ~/CA && cd ~/CA
In the CA directory, the vars file contains the defaults used when generating new certificates. You may wish to change lines 64-69 according to your needs.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
Now source the vars file to load the changed values into the environment, run the clean-all command (which empties the keys directory) and then run the build-ca script.
source ./vars
./clean-all
./build-ca
You will be prompted for some details about the CA; if you edited the vars file you only need to press Enter to accept the defaults. After that, a keys folder will be created containing the CA certificate and key.
Now create the server's certificate and key.
./build-key-server server
We now need to create the Diffie-Hellman (DH) parameters, which are used in OpenVPN sessions to provide Perfect Forward Secrecy. Generating them may take some time depending on the amount of entropy available on your system.
./build-dh
Now we move on to generating the client certificate and key.
./build-key client01
If you want a password-protected client key, replace build-key with build-key-pass.
The last thing we need is a TLS key that OpenVPN on both the client and server will use for Perfect Forward Secrecy.
openvpn --genkey --secret ta.key
Now we will copy the CA and server certificates and keys to the /etc/openvpn folder. It's not mandatory, but it makes them easier to reference in the server config. Note that the build scripts wrote their files into the keys subfolder, while ta.key was generated in the CA directory itself.
sudo cp keys/ca.crt keys/server.crt keys/server.key keys/dh2048.pem ta.key /etc/openvpn
If you wish to start from the sample configuration and modify it to your needs, you can extract it with the command below. I am going to provide you with my configuration instead.
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
My server configuration (note that the ovpn user and group it drops privileges to must exist on the server, so create them before starting the service):
# Port for OpenVPN server
port 1194
# Connection protocol
proto udp
dev tun
persist-key
persist-tun
topology subnet
keepalive 10 120
# Location of certificate authority's cert.
ca ca.crt
# Location of VPN server's TLS cert.
cert server.crt
# Location of server's TLS key
key server.key
# Location of DH parameter file.
dh dh2048.pem
# The VPN's address block starts here.
server 10.8.0.0 255.255.255.0
# This will force all client traffic through the VPN. For it to work the server
# must also have IP forwarding enabled and NAT (masquerading) for 10.8.0.0/24.
push "redirect-gateway def1 bypass-dhcp"
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
explicit-exit-notify 1
# Drop root privileges and switch to the `ovpn` user after startup.
user ovpn
# OpenVPN process is exclusive member of ovpn group.
group ovpn
# The second parameter should be '0' on the server and '1' on the clients.
tls-auth ta.key 0
# Data-channel cipher and HMAC digest
cipher AES-256-CBC
auth SHA512
# State and logging files.
ifconfig-pool-persist ipp.txt
status openvpn-status.log
log /var/log/openvpn.log
verb 3
Start the OpenVPN server and enable autostart on boot:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
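Before exposing the server, it is worth checking that the hardening directives this configuration relies on are actually present. The following shell function is an added example (not an OpenVPN tool); it runs heuristic checks over a server.conf and returns the number of findings. The checks are my own choice and go slightly beyond the tutorial's config, for instance by expecting a crl-verify line so revoked client certificates are rejected.

```shell
#!/bin/sh
# lint_ovpn_conf: sanity-check the hardening directives an OpenVPN server.conf
# should carry. Added example; purely textual heuristics, not a full parser.
# Usage: lint_ovpn_conf /etc/openvpn/server.conf   (exit status = findings)

# has_directive FILE NAME -> true if an uncommented line starts with NAME
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

lint_ovpn_conf() {
    conf="$1"; findings=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 99; }
    # tls-auth/tls-crypt add an HMAC to control-channel packets so the TLS
    # handshake only answers peers that hold the static key.
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "FINDING: no tls-auth/tls-crypt: control channel not HMAC-protected"
        findings=$((findings+1))
    fi
    # The daemon should drop root after initialisation.
    for d in user group; do
        has_directive "$conf" "$d" || {
            echo "FINDING: no '$d' directive: daemon keeps root privileges"
            findings=$((findings+1)); }
    done
    # A CBC cipher needs a separate HMAC ('auth'); an AEAD cipher such as
    # AES-256-GCM authenticates the data channel on its own (OpenVPN 2.4+).
    if grep -Eq '^[[:space:]]*cipher[[:space:]]+[A-Za-z0-9-]*-CBC' "$conf"; then
        has_directive "$conf" auth || {
            echo "FINDING: CBC cipher without 'auth': data channel unauthenticated"
            findings=$((findings+1)); }
        echo "NOTE: CBC cipher in use; AES-256-GCM gives authenticated encryption"
    fi
    # Without a CRL a compromised or retired client certificate stays valid.
    has_directive "$conf" crl-verify || {
        echo "FINDING: no crl-verify: revoked client certificates still accepted"
        findings=$((findings+1)); }
    return $findings
}
```

Run against the configuration above it reports a single finding, the missing crl-verify line, and prints the note about the CBC cipher.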
Android Client Configuration
Make the required changes and save this as an .ovpn file, then transfer it to your Android device. The file contains the client's private key, so move it over a secure channel and delete any leftover copies afterwards.
client
dev tun
persist-key
persist-tun
proto udp
nobind
remote-cert-tls server
# Cryptographic info
auth SHA512
cipher AES-256-CBC
# Key direction for ta.key (the server uses 0, clients use 1)
key-direction 1
remote VPS_IP 1194
# Main CA certificate in text form
<ca>
Contents of ~/CA/keys/ca.crt
</ca>
# Client certificate in text form
<cert>
Contents of your ~/CA/keys/client01.crt
</cert>
# Client's private key in text form
<key>
Contents of your ~/CA/keys/client01.key
</key>
# ta.key in text form
<tls-auth>
Contents of your ~/CA/ta.key
</tls-auth>
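Pasting the four files by hand is error-prone (easy-rsa's client01.crt starts with a human-readable dump that must not go into the profile). The following script is an added example, not part of OpenVPN or easy-rsa, that assembles the profile above from the key directory; it assumes the easy-rsa layout used in this tutorial (KEYDIR/ca.crt, KEYDIR/<client>.crt, KEYDIR/<client>.key) and takes the ta.key path separately.

```shell
#!/bin/sh
# make_ovpn: assemble an inline .ovpn profile for OpenVPN Connect.
# Added example for this tutorial; assumes the easy-rsa layout used above.
# Usage: make_ovpn <client-name> <server-ip-or-host> <keydir> <ta.key> > client01.ovpn

# Print only the BEGIN...END block(s) of a file, dropping any text before them.
pem_body() {
    sed -n '/-----BEGIN/,/-----END/p' "$1"
}

make_ovpn() {
    client="$1"; remote="$2"; keydir="$3"; ta="$4"
    # Refuse to emit a half-built profile if any input is missing.
    for f in "$keydir/ca.crt" "$keydir/$client.crt" "$keydir/$client.key" "$ta"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
persist-key
persist-tun
proto udp
nobind
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
key-direction 1
remote $remote 1194
<ca>
$(pem_body "$keydir/ca.crt")
</ca>
<cert>
$(pem_body "$keydir/$client.crt")
</cert>
<key>
$(pem_body "$keydir/$client.key")
</key>
<tls-auth>
$(pem_body "$ta")
</tls-auth>
EOF
}

# Build the profile when invoked directly with all four arguments.
if [ "$#" -eq 4 ]; then
    make_ovpn "$@"
fi
```

For the setup above the call is make_ovpn client01 VPS_IP ~/CA/keys ~/CA/ta.key > client01.ovpn; the output embeds the client's private key, so treat the file as a secret.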
Download OpenVPN Connect from Google Play. Tap the hamburger menu at the top left, select Import Profile, select OVPN, then locate and select your transferred .ovpn file. Tap Import at the top right, change the name if required and tap Add. Now tap the toggle switch to connect.
Congratulations, you are now connected securely to your own OpenVPN server from your phone.
Posted on Utopian.io - Rewarding Open Source Contributors