How To Set Up A Secure Remote Access VPN

Introduction

A Virtual Private Network (VPN) allows you to connect to a private network over the internet. By using a VPN, you can securely access your company’s intranet while working remotely. Setting up a secure remote access VPN takes careful planning and configuration, but is worth the effort for the privacy and security it provides. In this guide, I will walk you through the steps I took to set up my own remote access VPN.

VPN Basics

Before setting up a VPN, it’s important to understand the basics of how a VPN works.

A VPN creates an encrypted tunnel between your device and the private network you want to access. All traffic passing through the tunnel is encrypted and secured from prying eyes. Anyone intercepting the traffic will only see garbled data.

To create the encrypted tunnel, a VPN uses protocols like SSL/TLS, IPsec, or OpenVPN. These protocols handle the process of authenticating your device, encrypting data, and encapsulating private network traffic.

A VPN server must be set up on the private network side to handle connections from VPN clients. The server decrypts traffic coming through the tunnel and routes it to devices on the local network.

On the client side, VPN client software initiates the encrypted connection to the VPN server. The client encrypts traffic leaving your device and directs it to the server through the tunnel.

Choosing VPN Software

To set up my VPN, I first had to choose a VPN software solution. There are many options available including:

  • OpenVPN – Open source software that uses OpenSSL encryption. Provides clients for many platforms.

  • IPsec – Encryption protocol that can be used to create site-to-site or remote access VPNs.

  • WireGuard – Newer protocol focused on speed and simplicity. Integrates well with Linux.

  • Cisco AnyConnect – Proprietary client software that connects to Cisco VPN appliances.

  • Microsoft VPN – Built into Windows and connects to Windows Server or RRAS VPN servers.

I opted to use OpenVPN because it is robust, widely supported, and open source.

Setting Up the VPN Server

With the software chosen, I then had to set up my VPN server.

Choose a Server Platform

You can install OpenVPN on many platforms, but I chose Ubuntu Linux for my VPN server. Linux servers are stable, secure, and can be configured as dedicated VPN gateways.

Other options include installing OpenVPN on a NAS device or even a Raspberry Pi for simple setups.

Install OpenVPN

On the Ubuntu server, I followed these steps to install OpenVPN:

  • Update the apt package index and install OpenVPN along with easy-rsa, which provides make-cadir and the certificate scripts

    sudo apt update
    sudo apt install openvpn easy-rsa

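  • Generate the CA and server certificates

    # easy-rsa 2.x scripts; run them as your own user, not through sudo
    make-cadir ~/openvpn-ca
    cd ~/openvpn-ca
    source ./vars && ./clean-all
    ./build-ca
    ./build-key-server server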

  • Generate DH parameters

    sudo openssl dhparam -out /etc/openvpn/dh.pem 2048

Configure the VPN

With OpenVPN installed, I configured the server by modifying /etc/openvpn/server.conf. Key steps included:

  • Specify protocol (UDP recommended)
  • Set port number (I used 1194)
  • Point to DH key and CA certificate
  • Configure network settings like address pool and virtual subnet
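A constructed server.conf covering the four settings listed above, with a small audit function that checks any config for them. This is an added example, not the author's file; the 10.8.0.0/24 subnet, the certificate file names and the hardening directives are assumptions. The audit also flags compression, which exposes a tunnel to the VORACLE attack, and a missing tls-version-min.

```shell
#!/bin/sh
# Added example (not the author's file): a constructed server.conf for the
# settings listed above, and an audit that checks a config for them.

write_sample_conf() {   # $1 = output path; every value below is a constructed sample
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
topology subnet
keepalive 10 120
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# Print one finding per line; prints nothing when the config passes.
audit_server_conf() {
    conf=$1
    for d in port proto ca cert key dh server; do
        grep -Eq "^[[:space:]]*${d}[[:space:]]" "$conf" || echo "missing: $d"
    done
    # Compression on a VPN tunnel is exposed to the VORACLE attack.
    grep -Eq '^[[:space:]]*(comp-lzo|compress)([[:space:]]|$)' "$conf" \
        && echo "weak: compression enabled"
    # Without tls-version-min, an old TLS version may be negotiated.
    grep -Eq '^[[:space:]]*tls-version-min[[:space:]]' "$conf" \
        || echo "weak: tls-version-min not set"
    return 0
}
```

Run audit_server_conf /etc/openvpn/server.conf after each change; empty output means every check passed.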

Forward Ports and Enable IP Forwarding

To allow remote connections:

  • I configured my router to forward UDP port 1194 traffic to the server
  • Enabled IP forwarding on the server with sysctl net.ipv4.ip_forward=1

Generate Client Certificates

To authenticate connecting users, I generated a unique certificate and key for each client.

    cd ~/openvpn-ca && source ./vars
    ./build-key client1

This created client1.crt and client1.key. I copied these to the user’s device.

Installing the VPN Clients

With the server configured, I then installed OpenVPN on each device I wanted to connect with:

  • Windows – Downloaded the OpenVPN GUI and copied my credentials.

  • macOS – Installed Tunnelblick and imported my VPN settings file.

  • iOS and Android – Imported the .ovpn profile in the OpenVPN app.

  • Linux – Installed from apt and copied credentials to /etc/openvpn/client/client.conf.

Once OpenVPN was installed, I was able to securely connect by launching the app and entering my credentials.
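One way to produce the .ovpn profile mentioned above from a client's certificate and key, as an added example that is not the author's script. The directory layout, the host name passed in and the client directives are assumptions; the profile embeds the private key, so it is written owner-only.

```shell
#!/bin/sh
# Added example (not the author's script): bundle one client's credentials
# into a single .ovpn profile with the certificates and key inlined.
# Assumed layout: DIR holds ca.crt, NAME.crt and NAME.key.

make_ovpn_profile() {   # usage: make_ovpn_profile NAME SERVER_HOST DIR
    name=$1 host=$2 dir=$3
    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    out="$dir/$name.ovpn"
    (
        umask 077   # the profile contains the private key: owner-only
        {
            echo "client"
            echo "dev tun"
            echo "proto udp"
            echo "remote $host 1194"
            echo "nobind"
            echo "persist-key"
            echo "persist-tun"
            # Refuse peers that do not present a server certificate.
            echo "remote-cert-tls server"
            echo "cipher AES-256-GCM"
            echo "auth SHA256"
            echo "verb 3"
            echo "<ca>"; cat "$dir/ca.crt"; echo "</ca>"
            # Keep only the PEM block; easy-rsa 2.x .crt files begin with a text dump.
            echo "<cert>"
            sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$dir/$name.crt"
            echo "</cert>"
            echo "<key>"; cat "$dir/$name.key"; echo "</key>"
        } > "$out"
    )
    chmod 600 "$out"   # also tightens a profile that already existed
    echo "$out"
}
```

Transfer the resulting file over a channel you trust and delete any stray copies, since anyone holding it can connect as that client.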

Troubleshooting Issues

When first connecting, I ran into some issues that required troubleshooting:

  • Firewall blocking – I had to open UDP port 1194 inbound on any firewalls between the client and server.

  • Authentication failures – I double-checked that my client certificate and key were properly installed.

  • Connection timeouts – Server time was out of sync, so I used NTP to sync it.

Optimizing Performance

To optimize VPN performance, I enabled compression in OpenVPN and experimented with cipher and auth options to find an optimal balance of speed and security.

I also configured my router to avoid bottlenecking the VPN traffic.

Split tunneling settings on some clients can also be useful to exclude local traffic from going through the VPN.

Setting Up User Access Controls

As a final step, I configured user permissions to limit what VPN users could access:

  • I created a dedicated user account on the private network for each VPN user.

  • Used firewall rules to restrict each account’s network access as needed.

  • Implemented an OpenVPN plugin to map VPN clients to the appropriate user account.

With the proper access controls in place, I could securely provide remote access to only approved parts of the private network for each authorized employee.

Conclusion

Setting up a remote access VPN takes research and careful configuration of both server and clients. But the effort is worth it for both individuals and businesses who need to provide secure remote access to a local network over the public internet.

With its ease of use, strong encryption, and wide support, OpenVPN is an excellent open source option to meet most VPN access needs. And proper access controls can limit exposure of private resources.

My own OpenVPN server has proven fast, reliable, and incredibly useful. With remote work so common, a personal VPN gives me essential privacy and security when using public Wi-Fi or accessing my home network.
