How to Setup a Secure VPN Server on Raspberry Pi or DigitalOcean

154 points by spaceboy over 8 years ago

22 comments

lwf over 8 years ago
The recommendation to use a 1024-bit RSA key worries me. In an era of passive, bulk surveillance, that seems too weak if you're not going to be using any additional transport-layer security.

The performance argument is only relevant for the establishment of the VPN connection and any periodic rekeying — it shouldn't have any impact on the tunnel's perf.

It's a shame openvpn's easy-rsa doesn't provide a straightforward mechanism to generate ECDSA certificates, which would've removed any performance concerns.

--

edit: easy-rsa does support ECDSA[1]:

"Support for generating an ECDSA certificate chain is available in EasyRSA (in spite of its name) since EasyRSA 3.0. The parameters you're looking for are '--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA documentation for more details on generating ECDSA certificates."

https://github.com/OpenVPN/openvpn/blob/master/README.ec
fauigerzigerk over 8 years ago
Using a socks 5 tunnel over ssh seems like an interesting ad hoc alternative for web browsing only: https://www.digitalocean.com/community/tutorials/how-to-route-web-traffic-securely-without-a-vpn-using-a-socks-tunnel

But crucially you'd want to make your browser use the tunnel for DNS as well: http://superuser.com/questions/103593/how-to-do-dns-through-a-proxy-in-firefox/260658#260658

Careful if you're using this for something dangerous. I'm not a computer security expert by any stretch and I don't know whether the people who have written these articles are. Chances are that this is completely broken and will reveal your IP address and identity.
Comment #13623636 not loaded
noarchy over 8 years ago
Regarding DigitalOcean VPNs, I think enough people have been doing this that it is starting to show in unpleasant ways. While using my DO VPN I've encountered captchas while using YouTube, of all sites, likely because of abuse they've seen at the hands of DO VPN users. I've also seen my DO IP range outright banned by other sites.
Comment #13623553 not loaded
Comment #13623568 not loaded
freestockoption over 8 years ago
I prefer to use layer2 bridging in OpenVPN with a separate hardware device (openwrt on a wallwart router, rackmount atom board). This way my client machines have no idea they are on a VPN and everything gets tunneled through the VPN (no DNS leaks unless my router is misconfigured).

In OpenWRT, it's basically:

- set up OpenVPN with a TAP device
- create a VLAN, assign some ports on the switch (optionally, a wifi SSID for VPNed wifi)
- bridge VLAN with TAP device
tribby over 8 years ago
this is not secure; it will leak your ipv6 address by default. use openvpn's ipv6 features to route ipv6 traffic as well[0]. using openvpn ipv6 is a PITA on digitalocean because they only provide a /124, when openvpn requires at least a /112. you can get around this using ip6tables to route a /112 address range you don't actually have access to, and the only consequence will be a loopback if you try to access one of the digitalocean IPs you are claiming to have in your available pool while connected to the VPN.

also, 1024 dh prime is unsafe depending on your threat model[1]. use 2048 if nation states bother you, or 4096 if truly paranoid or at high risk / performance isn't an issue. no reason not to bump up the RSA keys too.

0. https://community.openvpn.net/openvpn/wiki/IPv6

1. https://weakdh.org/
maulwuff over 8 years ago
Yet another setup which forgets that there is a world outside IPv4. Any IPv6 traffic will not pass through the VPN but instead bypass it.
Perceptes over 8 years ago
A good alternative is Algo: https://github.com/trailofbits/algo
Comment #13623209 not loaded
nodesocket over 8 years ago
Nice post. I actually just wrote a post myself on setting up a native Cisco IPsec VPN server on a Raspberry Pi 3. Cisco IPsec works natively on macOS and iOS with no 3rd party software, which was a requirement for me.

https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/
akoster over 8 years ago
Another alternative (specific to the pi): http://www.pivpn.io
hedora over 8 years ago
Is there an easy way to enable DNS over OpenVPN? That appears to be the biggest hole in this tutorial. Untrusted networks get to observe/spoof DNS, and the clients can't use the LAN DNS server to find stuff behind the firewall. (Or am I missing something?)
Comment #13624498 not loaded
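The three gaps raised above, IPv6 bypassing the tunnel and a 1024-bit DH prime (tribby) and DNS staying on the untrusted network (hedora), can all be checked mechanically before a server goes live. The following lint is an added example, not code from the thread or the linked tutorial: it inspects a constructed server.conf and measures the prime in a constructed DH parameter file (PKCS#3 DER, the format `openssl dhparam` writes). The directive names `server-ipv6`, `push "redirect-gateway ipv6"`, `push "dhcp-option DNS"` and `dh none` are OpenVPN's own; the sample addresses and the tiny 64-bit prime are made up so the checks trip.

```python
import base64
import shlex

WEAK_CONF = """
dev tun
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
"""  # constructed: IPv4 only, 1024-bit DH file, nothing pushed for DNS

def tiny_dh_pem(p=2**64 - 59, g=2):
    """Constructed PKCS#3 DH parameter file, SEQUENCE { INTEGER p, INTEGER g }, with a
    deliberately tiny 64-bit prime; a real dh2048.pem carries a 2048-bit p."""
    def der_int(n):
        body = n.to_bytes(n.bit_length() // 8 + 1, "big")   # leading 0x00 keeps it positive
        return b"\x02" + bytes([len(body)]) + body
    body = der_int(p) + der_int(g)
    der = b"\x30" + bytes([len(body)]) + body              # short-form lengths only (sample is tiny)
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % base64.b64encode(der).decode()

def _der_length(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of the content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F                                      # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem):
    """Bit length of p in a DH parameter PEM (the number weakdh.org is about)."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    _, i = _der_length(der, 1)                             # step into the outer SEQUENCE
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("expected SEQUENCE { INTEGER p, ... }")
    plen, i = _der_length(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def lint_server_conf(conf, dh_pem=None, min_dh_bits=2048):
    """Findings for the leaks and weak parameters raised in the thread."""
    directives = [d for d in (shlex.split(l, comments=True) for l in conf.splitlines()) if d]
    pushed = [d[1] for d in directives if d[0] == "push" and len(d) > 1]
    findings = []
    if not any(p.startswith("redirect-gateway") for p in pushed):
        findings.append("no 'push redirect-gateway': client traffic is not sent through the tunnel")
    elif not (any(d[0] == "server-ipv6" for d in directives)
              and any(p.startswith("redirect-gateway") and "ipv6" in p for p in pushed)):
        findings.append("IPv6 leak: IPv4 is redirected but there is no server-ipv6 / push redirect-gateway ipv6")
    if not any(p.startswith("dhcp-option DNS") for p in pushed):
        findings.append("no 'push dhcp-option DNS': clients keep the untrusted network's resolver")
    dh = next((d[1] for d in directives if d[0] == "dh" and len(d) > 1), None)
    if dh and dh != "none" and dh_pem and dh_prime_bits(dh_pem) < min_dh_bits:
        findings.append("DH prime in %s is only %d bits; use %d or more" % (dh, dh_prime_bits(dh_pem), min_dh_bits))
    return findings
```

Run `lint_server_conf(WEAK_CONF, tiny_dh_pem())` to see all three findings; a config with `server-ipv6`, `push "redirect-gateway def1 ipv6"`, `push "dhcp-option DNS ..."` and `dh none` (ECDH only) comes back clean.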
suprjami over 8 years ago
This seems a bit pointless to me.

If your aim is to hide your traffic from third-party networks you might be on (free wifi, school, hotels, etc) then a yearly VPN subscription is almost certainly cheaper than the cheapest DigitalOcean droplet. If you get a good provider (I use PIA but am not affiliated with them) then you get unlimited traffic, multiple clients, endpoints all over the world, tech support, all without having to set up and administer the server yourself.

If your aim is to disassociate traffic with yourself, your DigitalOcean IP will be tied back to you anyway.

If your aim is to stop government snooping, DigitalOcean is hosted in the USA so you may as well just send the NSA your browsing history.
Comment #13626483 not loaded
Comment #13625794 not loaded
dboreham over 8 years ago
Interesting. I have set up a few VPN servers of various kinds (and other network trickery) in Virtual Machine hosting services, and ultimately gave up due to issues with TSO (TCP Segmentation Offload, https://en.wikipedia.org/wiki/Large_receive_offload) interacting badly with PMTUD (https://en.wikipedia.org/wiki/Path_MTU_Discovery). The result was that TCP streams (often Downton Abbey, fwiw) inbound from a remote server, tunneled to me via the VPN, would stall and generally suffer from poor QoS.

I spent some time submitting support tickets to all the hosting providers I had tried (many). Every one of them told me that they had no way to disable TSO and the other common TCP offload features on their hosts.

So now I use Packet.net which gives me an honest to goodness actual bare metal machine (over which I have complete control), for much the same price.
no_wizard over 8 years ago
This reminded me of https://www.softether.org which is purported to be a faster and just as secure alternative to openVPN and looks pretty straightforward to set up. I did post another thread in this but I'm not sure if it's inappropriate to post here too... wondering if anyone has had experience with it.

Also shoutout to Dr Duh who gave a nice run down of setting up vpn on a VPS

https://github.com/drduh/Debian-Privacy-Server-Guide/blob/master/README.md#openvpn

Edit: Just realized that others have already noted and commented about SoftEther. Sorry guys!
git-sgmoore over 8 years ago
These are the steps I take: https://github.com/git-sgmoore/OpenVPN_Ipsec_L2tp_server_on_Digital_Ocean
btgeekboy over 8 years ago
If it's just for yourself, install the OpenVPN AS (Access Server), and call it a day. You get 2 free simultaneous users, and it deals with all of the certificates, etc. for you.
leni536 over 8 years ago
I use zerotier instead of openvpn, I really like the p2p aspect of it.
jonatbergn over 8 years ago
I use https://www.softether.org/. Setup of a VPN server never was easier.
Comment #13625770 not loaded
scandox over 8 years ago
I did a reasonably detailed tutorial for setting up your own VPN with Softether

http://www.selectedintelligence.com/post/128701492804/softether
caspereeko over 8 years ago
You can check oh-my-vpn to set up an openvpn server in a one-liner command. https://github.com/alaa/oh-my-vpn
rtnyftxx over 8 years ago
just in case https://bettercrypto.org/
pyed over 8 years ago
... or just use a docker container.
118383 over 8 years ago
Not really that knowledgeable about maintaining servers, but is it really enough to just straight away 'apt-get openvpn'?

Surely for it to be a 'secure VPN server' there has got to be some stuff set up first, like setting up key only login, disabling root ssh login, disabling everything ssh, setting up firewall, disabling ipv6 entirely in the case of openvpn?

I run a vpn on digital ocean and it's amazing looking at the logs and seeing how quickly, and how many attempts there are to break into the server straight after setting it up. As a person who isn't completely sure of what I am doing when it comes to firewalls and setting up 'jails' or whatever, this kinda makes me uneasy. I wouldn't even be sure how to tell if anyone had broken in to my server...

https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server

This has been the most useful guide that I have found on setting up an openvpn server. It has a bunch of steps to go through before you get to actually installing openvpn. But as I said, I am not that knowledgeable myself when it comes to running a server, so this may all just be unnecessary.
Comment #13628329 not loaded