
OpenVPN Server with port forwarding

This guide will show you how to install an OpenVPN server with port forwarding, also known as open ports.

This is great for Perfect Dark, Retroshare, or torrent uploading, where having an open port is required.

Requirements:

First install your desired OS (CentOS, Ubuntu, Debian).

Once installed, make sure the server is fully updated. If you are not doing this as root, add sudo to all commands.

For CentOS

yum update -y

For Ubuntu/Debian

apt-get update && apt-get upgrade

Once that is done, install a few required packages if they are not already installed.

For CentOS

yum install nano wget curl htop -y

For Ubuntu/Debian

apt-get install htop nano wget curl -y

Check that IPv4 forwarding is enabled.
You can check this by opening the file below, looking for “net.ipv4.ip_forward = 0” and changing it to “net.ipv4.ip_forward = 1”.

nano /etc/sysctl.conf

Alternatively, use the command below to append the setting to the end of the file if it is missing or commented out.

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf

Then use this command to make it active.

sysctl -p

Download the OpenVPN installer script and make it executable

wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
chmod +x openvpn-install.sh

Start the OpenVPN installer and create users.
See the source guide for details and an explanation of the options: https://github.com/Angristan/OpenVPN-install

./openvpn-install.sh

Create the OpenVPN ccd folder for storing per-user client profiles

mkdir /etc/openvpn/ccd

Create the persistent IP pool file

nano /etc/openvpn/ipp.txt

The OpenVPN server configuration should look like the below. Note “verb 0”, which silences all log output except fatal errors, and the “push "dhcp-option DNS 176.103.130.130"” lines, which push your chosen DNS servers to clients to prevent DNS leaks. In this case we are using AdGuard DNS to block ads at the DNS level and speed up connections.

port 443
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt 0
push "dhcp-option DNS 176.103.130.130"
push "dhcp-option DNS 176.103.130.131"
push "redirect-gateway def1 bypass-dhcp"
crl-verify crl.pem
ca ca.crt
cert server_LZAWi5RVmWxVAdJa.crt
key server_LZAWi5RVmWxVAdJa.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
cipher AES-256-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
status openvpn.log
verb 0
client-config-dir /etc/openvpn/ccd

To modify these values to your liking, or to match the above, edit the server configuration:

nano /etc/openvpn/server.conf

To create your first client configuration, replace user1 with the exact username created via the script earlier.

nano /etc/openvpn/ccd/user1

Add the line below for user1

ifconfig-push 10.8.0.2 255.255.255.0

Example ccd content for additional users (one line per user file, each with its own internal IP)

ifconfig-push 10.8.0.2 255.255.255.0 (used for user1)
ifconfig-push 10.8.0.3 255.255.255.0
ifconfig-push 10.8.0.4 255.255.255.0
ifconfig-push 10.8.0.5 255.255.255.0
ifconfig-push 10.8.0.6 255.255.255.0
ifconfig-push 10.8.0.7 255.255.255.0

Set up the persistent IP pool file. This ensures each client always gets the same internal IP address, so the port forwards we set up next keep pointing at that client's static internal IP.

nano /etc/openvpn/ipp.txt

Set the values below, matching the usernames generated by the script and used in the ccd files.

user1,10.8.0.2
user2,10.8.0.3
user3,10.8.0.4
user4,10.8.0.5
user5,10.8.0.6
user6,10.8.0.7

Set up port forwarding for user1. Find and replace YourVPSIPHere with your server/VPS IP. This opens port 32400 on the VPS and forwards it to user1's internal VPN IP. The second rule accepts the forwarded traffic in the FORWARD chain: after DNAT the packet is addressed to the client, so it is routed into the tunnel and never passes through INPUT.

iptables -t nat -A PREROUTING -d YourVPSIPHere -p tcp --dport 32400 -j DNAT --to-destination 10.8.0.2:32400
iptables -t filter -A FORWARD -p tcp -d 10.8.0.2 --dport 32400 -j ACCEPT

Set up port forwarding for user2

iptables -t nat -A PREROUTING -d YourVPSIPHere -p tcp --dport 2634 -j DNAT --to-destination 10.8.0.3:2634
iptables -t filter -A FORWARD -p tcp -d 10.8.0.3 --dport 2634 -j ACCEPT

Set up port forwarding for user3

iptables -t nat -A PREROUTING -d YourVPSIPHere -p tcp --dport 4634 -j DNAT --to-destination 10.8.0.4:4634
iptables -t filter -A FORWARD -p tcp -d 10.8.0.4 --dport 4634 -j ACCEPT

Set up port forwarding for user4 (the public port and the forwarded port must match; here both are 4834)

iptables -t nat -A PREROUTING -d YourVPSIPHere -p tcp --dport 4834 -j DNAT --to-destination 10.8.0.5:4834
iptables -t filter -A FORWARD -p tcp -d 10.8.0.5 --dport 4834 -j ACCEPT

Set up port forwarding for user5

iptables -t nat -A PREROUTING -d YourVPSIPHere -p tcp --dport 4934 -j DNAT --to-destination 10.8.0.6:4934
iptables -t filter -A FORWARD -p tcp -d 10.8.0.6 --dport 4934 -j ACCEPT

Set up port forwarding for user6

iptables -t nat -A PREROUTING -d YourVPSIPHere -p tcp --dport 5034 -j DNAT --to-destination 10.8.0.7:5034
iptables -t filter -A FORWARD -p tcp -d 10.8.0.7 --dport 5034 -j ACCEPT

Now, this is important: for the iptables rules to persist across reboots, a package needs to be installed.

apt-get install iptables-persistent

If you add more rules later and need to save them manually, write the current rule set to the file iptables-persistent loads at boot (iptables-save alone only prints the rules to the terminal):

iptables-save > /etc/iptables/rules.v4

To start/stop/restart openvpn

service openvpn start
service openvpn stop
service openvpn restart
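The ccd file, the ipp.txt line and the two iptables rules for each user all have to agree on the same internal IP and port, which is easy to get wrong by hand. The script below is an added example, not part of the original guide or the installer project: it generates all four from one user table, writes the profiles into a directory you pass (use /etc/openvpn on the real server) and refuses duplicate IPs or ports. VPS_IP, the directory argument and the user table are placeholders and constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate each user's ccd
# entry, the ipp.txt line and the matching iptables DNAT/FORWARD pair from
# one table, so the public port and the forwarded port can never drift
# apart the way hand-typed rules do. Assumes the guide's 10.8.0.0/24
# subnet; VPS_IP and the directory argument are placeholders you set.
set -eu

VPS_IP="${VPS_IP:-YourVPSIPHere}"

# Constructed user table: "username internal_ip tcp_port", one per line.
USERS='user1 10.8.0.2 32400
user2 10.8.0.3 2634
user3 10.8.0.4 4634'

# Print the two iptables rules for one user ($1=user $2=internal ip $3=port).
# The accept rule belongs in FORWARD, not INPUT: after DNAT the packet is
# addressed to the client, so it is routed through the tunnel and never
# reaches the INPUT chain.
fw_rules() {
  printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$VPS_IP" "$3" "$2" "$3"
  printf 'iptables -A FORWARD -p tcp -d %s --dport %s -j ACCEPT\n' "$2" "$3"
}

# Write <dir>/ccd/<user> and rebuild <dir>/ipp.txt from the table.
# Fails if an IP is outside 10.8.0.0/24 or an IP/port is assigned twice.
write_profiles() {
  dir="$1"
  mkdir -p "$dir/ccd"
  : > "$dir/ipp.txt"
  echo "$USERS" | while read -r user ip port; do
    case "$ip" in 10.8.0.*) ;; *) echo "bad ip $ip for $user" >&2; exit 1 ;; esac
    echo "ifconfig-push $ip 255.255.255.0" > "$dir/ccd/$user"
    echo "$user,$ip" >> "$dir/ipp.txt"
  done || return 1
  n=$(echo "$USERS" | wc -l | tr -d ' ')
  for col in 2 3; do   # column 2 = internal IP, column 3 = public port
    u=$(echo "$USERS" | awk -v c="$col" '{print $c}' | sort -u | wc -l | tr -d ' ')
    [ "$u" -eq "$n" ] || { echo "duplicate value in column $col" >&2; return 1; }
  done
}

# Emit the complete rule set for every user in the table.
all_rules() {
  echo "$USERS" | while read -r user ip port; do fw_rules "$user" "$ip" "$port"; done
}
```

Run `write_profiles /etc/openvpn` on the server and feed `all_rules` to sh, then save the rules with iptables-persistent as described above.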

We hope you enjoyed the guide and find it useful.