Hosting your own VPN server can secure your network by allowing you to set up strict firewalls in place (to block important services like SSH), while still maintaining administrative access when connected to your VPN.
Why would I need a VPN server?
A traditional VPN such as TunnelBear secures your personal computer̵7;s internet connection by routing your data via an intermediate server. But what this really does under the hood is connect to a virtual private network, so you can access everything the intermediary server can access, including devices on the same network.
This is very useful for accessing servers behind firewalls. For best security, do not leave many ports open on your servers. But this leads to a problem when you lock down a lot of gates – you can not access them either. What happens if you have a database administrator panel hosted on one of your servers? Of course, you do not want it to be open to the world, but you want access to it when needed. You can lock access to your IP, but what if you have multiple administrators, and what if you want to access it from a coffee shop, where your IP would be different?
This is the problem that a VPN server solves. Instead of connecting directly, you would instead log in to the VPN server and connect to your private cloud. From there, you can SSH to the database server or another server running in the same VPC with access to the first one. You can now behave as if your traffic is coming from the server you are connected to, which would make the admin panel visible only to you when you are connected via your VPN.
This also has the added benefit of securing your connection to places like cafes, where your browsing is not extremely secure. This is not the primary purpose of this, but it’s nice to have.
Set up an OpenVPN server
While you can install the command-line version of OpenVPN, it is quite complicated and involves creating your own certificate authority and managing keys.
What you want is the OpenVPN Access server, which can be installed as a package and comes with a web interface for managing your VPN settings. It’s free for two simultaneous connections, which should be enough to easily manage servers behind a firewall. If you need more connections, the actual VPN part of OpenVPN is free and open source, you just need to configure everything manually.
One thing to note is that OpenVPN Access Server will use port 443 to redirect traffic to the web interface, hosted on port 943. If you have things running on that port, you must either use port 943 and manually redirect 443 back to your other applications , or just run OpenVPN on a smaller server hosted on the same VPC, as it’s pretty easy with just one user.
Get started by downloading the OpenVPN package for your distro. The supported distros are Ubuntu, Debian, CentOS and RHEL. Grab the link for your package and download it from the command line with
Install the package with
dpkg on Ubuntu / Debian:
dpkg -i openvpn-as-2.1.12-Ubuntu16.amd_64.deb
On CentOS / RHEL you have to use
rpm -Uvh on
During installation, OpenVPN configures itself with default settings, sets its private CA to secure your connection and tells you where the client web service is served from. Usually this is just your server’s IP address via HTTPS, but it can also be served without a redirect from port 943. The administrator interface is served on
The only thing OpenVPN does not configure is a password. You want to enter a password for the user “openvpn”:
You must enter this twice and can change it at any time.
Connects to OpenVPN
Now you can navigate to the administrator interface, host:
You may receive a large red warning from Chrome that the certificate is invalid. This is because your VPN server is not recognized as a valid CA, which is of course true. But since you set it yourself, you obviously trust the certificate so that you can bypass this warning.
You will be asked to enter a username and password. just type “openvpn” and then the password you set:
The default authentication method is PAM, which uses local account-based authentication. Create a new user from the “User Settings” tab:
This is the user you are using to connect to the VPN service. To access it, you can navigate to the client service, host it:
… even if it can be run on port 943. You will be asked to enter your username and password and have two options for connecting: connect directly to VPN or connect a client. Select “Connect client”, as you are not using this as a web browsing VPN.
This provides you with a configuration file (client.ovpn) that you can use on any client that supports the OpenVPN protocol. You can use OpenVPN’s own client or a third-party client such as Pritunl or connect manually with your username and password in Windows and macOS.
When you are connected, all your internet traffic is routed via VPN, including requests to other servers. All SSH connections you create are displayed as if the VPN server were making an SSH connection. You still need to make sure that these servers are configured so that the VPN server can access them and that you still want to secure your other servers with SSH keys.
On a service like AWS, some ports may be closed by default. You must open ports 443 and 943 on the VPN server and lock ports on other servers to access only from the VPN server’s IP address. However, most services have 80 and 443 open without having to configure a firewall, as they are mainly used for web traffic.