https://github.com/robbintt/popup-openvpn


### Popup OpenVPN

Make a self hosted VPN in 15 minutes.

If you can 'kind of run a server', then you can manage this.

Give all your non-technical friends a free VPN!

#### Why?

Companies like Verizon, AT&T, and Comcast have already developed tools to sell police bulk access to your data without a warrant. Isn't this illegal spying? Not if your internet provider does it as a service!

Do you want every corrupt government contractor to have access to your browser history? Right now, they often do.

#### Installation Guide

1. [Make an account and get a $10 free credit at Digital Ocean](https://m.do.co/c/a4d54c9e5004)
    - Skip this step if you have an account already
    - Disclaimer: I get some free credit when you use this link. Thanks!

2. Add your `SSH key` to `Digital Ocean`
    1. Enter the Digital Ocean web interface
    2. Go to `settings->security->SSH keys`
    3. Paste your key, found by default at `$HOME/.ssh/id_rsa.pub`
        - tip: make a key with `ssh-keygen`
        - danger: `ssh-keygen` WILL overwrite your current key without warning
    4. On server creation, the key will be added to the server's `root` user's `authorized_keys`
    5. `ansible` uses the default SSH key: `~/.ssh/id_rsa.pub`
        - you can manually set a key as a command line argument in `manage.sh`

3. Create a new server on Digital Ocean
    1. Choose the `Ubuntu 16.04.1 x64` base image
    2. Use the $5 option
    3. Choose a datacenter near you for low latency.
    4. Check your preferred `ssh key` under `Add your SSH keys`
    5. Choose a hostname like `popup-openvpn`
    6. Do not check `use IPv6`
    7. Notes
        - You will have 1 terabyte of monthly transfer
        - They call a `server` a `droplet`

4. Configure this repo for your users
    1. Clone this repository on your local computer
        - `git clone --recursive https://github.com/robbintt/popup-openvpn.git`
    1. Configuration files:
        - `hosts`
        - `group_vars/all`
    2. Add the IP address of the server to your `hosts` file
        - The `IP address` is available in your Digital Ocean dashboard
        - In the `[vpnservers]` section, replace the default 1.2.3.4 with your server's IP address
    3. Add each of the following to your `group_vars/all`
        - You need at least one user and password
        - `user`
            - any username is fine in user
        - `password`
            - use a strong password
        - `openvpn_client`
            - any name is fine -- the default is `myvpn1` etc.
        - **Replace or delete the example users and passwords entirely**
    4. You can add as many openvpn_client sections and user/passwords as you wish
    5. IMPORTANT: Delete any extra user lines and unnecessary example certificates, e.g. `myvpn3`, `myvpn4`

5. It's time to automatically set things up!!
    1. Install `ansible` locally
        - Follow the [official installation guide](http://docs.ansible.com/ansible/intro_installation.html) for your system
        - Optional: do this using your preferred method
    2. Execute: `manage.sh`
        - The ansible script should run without any errors
        - (The restarter role fails if it doesn't need to restart or something)
    3. **When you run this playbook for the first time, you will need to restart the server before you can connect.**
        - todo - just restart the server every time the playbook is run or something
        - future - troubleshoot this issue in stouts or OpenVPN
    4. To reconfigure or update your server you may run `manage.sh` again

6. Email the .ovpn files to all your users
    - The ansible playbook transferred the .ovpn files to the computer you ran ansible from
    - Each ovpn file is stored in `./openvpn_files/` (inside the `popup-openvpn` project directory)
    - Each user only needs the ovpn file generated for them. They also need their username and password
    - You will open this file in your `OpenVPN Client`

7. Install a client on each of your devices. You will need: `user`, `password`, `.ovpn file`
    1. Client Recommendations
        - macOS: [Tunnelblick](https://tunnelblick.net/)
            - option: use `brew cask` to install
        - iOS (iPhone/iPad) App Store: [`OpenVPN Connect`](https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8) by OpenVPN Technologies
        - Android/Google Play store: [`OpenVPN Connect`](https://play.google.com/store/apps/details?id=net.openvpn.openvpn) by OpenVPN Technologies
    2. You will need to follow the client specific instructions
        - iOS | [`OpenVPN`](https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8)
            - You're going to want to go through [this set-up process](https://vikingvpn.com/connection-guides/ios) for iOS file syncing, which is the most secure way to share your `.ovpn` files. While you can send the file(s) through email, _this is not recommended as email is often unencrypted_, and this guide assumes you don't have a prior end-to-end encryption system set up. The guide for iTunes sync in that VikingVPN link is rather outdated, so please refer to [this official support page for file syncing in iTunes 12.x (most recent version as of writing)](https://support.apple.com/kb/PH19463).
            - Note: to connect you'll want to go through the OpenVPN app, sign in, and connect in-app after importing your `.ovpn` profile(s).
        - TODO: Assemble more links for client instructions
    3. All your users need to do this step for all their devices
    4. Linux
        - Arch has a [good guide](https://wiki.archlinux.org/index.php/OpenVPN#DNS) for this. Find a better way.

8. Maintaining your server
    - TODO

#### Requirements

- Server: Digital Ocean Ubuntu 16.04.1 Release
- Local `~/.ssh/id_rsa.pub` public key deployed to remote root `authorized_keys`
    - This is done through Digital Ocean on droplet deployment

#### Future

1. Use ansible vault to encrypt group_vars/all
1. Make a workflow for adding a new user and client certificate "for a friend"
1. Add an automatic updates tool.
1. Test this guide from very beginning to very end.
    - Beginning: Create a Digital Ocean Account
    - End: Install the ovpn cert and put the password in on all your devices
    - Very End: Maintaining your server
1. Deploy to the world at large (reddit? digital ocean article?)

#### Stouts.openvpn

The [Stouts.openvpn](https://github.com/Stouts/Stouts.openvpn) repo is included as a subrepo in `/roles/Stoutsopenvpn`.

### References

Some useful links and additions.

#### Using Ansible Vault

You might use this to encrypt your `group_vars/all`

- Encrypt a file: `ansible-vault encrypt foo.yml bar.yml baz.yml`
- Decrypt a file: `ansible-vault decrypt foo.yml bar.yml baz.yml`
- View file contents: `ansible-vault view foo.yml`
- Run Playbook w/ Vault password: `ansible-playbook site.yml --ask-vault-pass`
    - This is managed by `manage.sh` in this repo
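
A pre-flight check for the secrets this guide produces, as an added example that is not part of popup-openvpn: it confirms `group_vars/all` starts with the Ansible Vault header and flags `.ovpn` files under `openvpn_files/` that group or other users can read. The function names are illustrative; the paths are the ones named in this README.

```bash
# Added example, not part of popup-openvpn. Function names are illustrative.

# Succeed only if the file begins with the Ansible Vault header line,
# e.g. "$ANSIBLE_VAULT;1.1;AES256".
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    IFS= read -r pv_first < "$1" || [ -n "$pv_first" ] || return 1
    case "$pv_first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# List .ovpn profiles under a directory that group or other users can read.
exposed_profiles() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*.ovpn' \( -perm -040 -o -perm -004 \)
}

# Run both checks, print findings, return the number of failed checks (0-2).
preflight() {
    pv_vars="${1:-group_vars/all}"
    pv_dir="${2:-openvpn_files}"
    pv_problems=0
    if ! is_vault_encrypted "$pv_vars"; then
        echo "PLAINTEXT: $pv_vars (fix: ansible-vault encrypt $pv_vars)"
        pv_problems=$((pv_problems + 1))
    fi
    pv_exposed=$(exposed_profiles "$pv_dir")
    if [ -n "$pv_exposed" ]; then
        echo "READABLE BY OTHER USERS (fix: chmod 600):"
        echo "$pv_exposed"
        pv_problems=$((pv_problems + 1))
    fi
    return "$pv_problems"
}
```

Call `preflight` from the project directory before committing or sharing the repo; a non-zero return is the number of checks that failed.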

##### Links

- [Manually building an ovpn file with certs and keys inside](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04)