OpenVPN Server Setup For CG-NAT ISPs

Last Tested 05-12-2019

In this setup I need to run OpenVPN over TCP port 80. My ISP throttles every port except TCP 80 and 443, so I will use two external IPs on a VPS: that way ports 80 and 443 stay available for my websites on one IP while the VPN still listens on port 80 on the other.

I am using Vultr.com for my OpenVPN VPS server, with the Debian 9.0 x64 image that they provide as an install template. I will also be using a second static IP from Vultr for the VPS. The extra IP costs $3 per month and the VPS I am using is $5 per month, for a total of $8 per month.


Head over to Vultr.com and sign up for an account!

New Server, step one: launch a VPS in the location closest to you.

Server Location: select the location that is closest to you.

Server Type: select Debian 9 x64.

Server Size: select a size with enough bandwidth for your needs. I would not recommend anything smaller than the $5 / 25GB SSD size.

Server Size: None

Startup Script: None

SSH Keys: None

IP Address: Assign New IP

Firewall Group: None

Server Hostname & Label: This is up to you.


Now deploy the server and wait for it to be launched.

————————–

Adding Second IP - PT1: Click on the 3 dots on the right next to your new server and click on Server Details.

Adding Second IP - PT2: Click on Settings.

Adding Second IP - PT3: Click Add Another IPv4 Address.

Adding Second IP - PT4: Now that the new IP (1.) is assigned to the VPS, click on Networking Configuration (2.).

Setting Up 2nd Static IP - PT1: Log in to your VPS. We will edit the network config file and update it with the new config that Vultr's networking configuration page provides.

nano /etc/network/interfaces

Comment out the old config and paste in the new config from the networking configuration page. Save the file (CTRL + X) and reboot the VPS.

Your new IP is now configured and ready for use!

Installing Prerequisites & OpenVPN

apt-get update && apt-get install -y sudo git
git clone https://github.com/angristan/openvpn-install.git
# The install script writes the client .ovpn into /home/$SUDO_USER when run via sudo.
# As root that is /home/root, so create the directory now; the config will land there.
mkdir -p /home/root
cd openvpn-install
chmod +x openvpn-install.sh

————————–

Configuring OpenVPN Server & First User

sudo ./openvpn-install.sh

The script first shows the IP it detected. Confirm it matches your server's static IP, or enter the static IP of the VPS.

Do you want to enable IPv6 support (NAT)? [y/n]: n

What port do you want OpenVPN to listen to? Select 2 (custom port).

Port Choice: Enter 80

What protocol do you want OpenVPN to use? Select TCP

What DNS resolvers do you want to use with the VPN? Select Cloudflare

Do you want to use compression? Select N (compression on a VPN link leaks information about the plaintext, so leaving it off is also the safer choice)

Customize encryption settings? Select N

Press any key to continue.

Client Name: Enter a client name (remember what you put here)

Do you want to protect the configuration file with a password? Select 1

Your VPN client config will be available in /home/root/ (the directory created in the install step above).
You should now see the new .ovpn file there; copy it to your client :)

Configuring OpenVPN Server for Static Client IPs

nano /etc/openvpn/server.conf

Add the following to the bottom of the file.

client-config-dir /etc/openvpn/ccd

Now create the folder that will hold the per-client static address files.

mkdir /etc/openvpn/ccd

Now we will make a file named after the user we created above (the name must match the client name you entered). I called my first user sesipod:

nano /etc/openvpn/ccd/sesipod

Put the following in the file, then save and close. Change 170 to the host octet you want to assign to this client (anything from 2 to 254; 10.8.0.1 is the server itself).

ifconfig-push 10.8.0.170 255.255.255.0

Set the proper permissions on the folder so that OpenVPN, which drops privileges to nobody:nogroup after start-up, can still read it.

chown -R nobody:nogroup /etc/openvpn/ccd
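The three steps above (create the CCD file, write the ifconfig-push line, fix ownership) can be wrapped so that a typo cannot hand two clients the same address or assign the server's own .1. The following script is an added example and is not part of the original post; it assumes the install's default 10.8.0.0/24 subnet with "topology subnet" (hence the subnet mask after the address) and that client-config-dir /etc/openvpn/ccd is already in server.conf. CCD_DIR, VPN_BASE and CCD_OWNER are names introduced here for the example.

```shell
#!/bin/bash
# Added example (not from the original post): assign a fixed tunnel address to a client by
# writing its client-config-dir (CCD) file. Assumes the install's default 10.8.0.0/24 subnet
# with "topology subnet", so the pushed address is followed by the subnet mask.
set -u

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
VPN_BASE="${VPN_BASE:-10.8.0}"             # first three octets of the VPN subnet
VPN_MASK="${VPN_MASK:-255.255.255.0}"
CCD_OWNER="${CCD_OWNER-nobody:nogroup}"     # set to "" to skip the chown (e.g. when not root)

# valid_octet N : the host octet must be 2..254; .1 is the server, .0 and .255 are not usable hosts.
valid_octet() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 2 ] && [ "$1" -le 254 ]
}

# octet_owner N : print the client name whose CCD file already pushes VPN_BASE.N, if any.
octet_owner() {
    local f
    for f in "$CCD_DIR"/*; do
        [ -f "$f" ] || continue
        if grep -qF -- "ifconfig-push ${VPN_BASE}.$1 " "$f"; then
            basename "$f"
        fi
    done
    return 0
}

# set_static_ip CLIENT OCTET : write CCD_DIR/CLIENT with an ifconfig-push for VPN_BASE.OCTET.
# CLIENT must match the client name given to the install script (the certificate's common name).
set_static_ip() {
    local name=$1 octet=$2 owner
    case "$name" in
        ''|*/*|.*) echo "set_static_ip: invalid client name '$name'" >&2; return 1 ;;
    esac
    if ! valid_octet "$octet"; then
        echo "set_static_ip: host octet must be 2..254, got '$octet'" >&2
        return 1
    fi
    owner=$(octet_owner "$octet")
    if [ -n "$owner" ] && [ "$owner" != "$name" ]; then
        echo "set_static_ip: ${VPN_BASE}.${octet} is already assigned to '$owner'" >&2
        return 1
    fi
    mkdir -p "$CCD_DIR"
    printf 'ifconfig-push %s.%s %s\n' "$VPN_BASE" "$octet" "$VPN_MASK" > "$CCD_DIR/$name"
    # OpenVPN drops to nobody:nogroup after start-up and must still be able to read the CCD files.
    if [ -n "$CCD_OWNER" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$CCD_OWNER" "$CCD_DIR"
    fi
}

# Usage: ./static-ip.sh sesipod 170
if [ "$#" -eq 2 ]; then
    set_static_ip "$1" "$2"
fi
```

Re-running it for the same client with the same octet is harmless; asking for an octet another client already holds is refused, which is the mistake that otherwise only shows up later as two clients fighting over one address.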

————————–

Setting Up Client Machine

apt-get install openvpn screen nano

Let's make a new folder in root's home directory to hold the VPN config file.

mkdir /root/VPN

Now copy the VPN config file that you created on the server in the step above into the new folder.

Run the command below and you should see the VPN config that you copied over.

ls /root/VPN

Let's start the VPN client connection in a detached screen session.

cd /root/VPN && screen -d -m openvpn CLIENTNAMEHERE.ovpn

See the active running screen sessions.

screen -ls

Connect to the running screen session.

screen -r

Detach from the screen session.

CTRL + A + D

End the VPN and the screen session.

While attached to the screen session, press CTRL + C to stop OpenVPN, then CTRL + D to terminate the screen session.

Open ports over VPN tunnel to clients

We will be using the NEW IP that you added to the VPS in this step!

Let's create a script that you can run to open ports over the VPN tunnel.

nano /root/ports.sh

NOTE: I am running a Plex Media Server + a Web Server over this VPN setup; here is my config. Paste in the following and make changes as necessary.

NOTICE FOR PLEX USERS: If you plan to run a Plex Media Server, the WAN IP in the iptables rule must match the IP that is used to make the VPN connection. Plex uses the main IP of the VPS/VPN (h.h.h.h) to route traffic, and this is also what is shown in the Plex UI when setting up Remote Access. If that rule points at your second IP (x.x.x.x) instead, Remote Access will fail to set up, your connection will be classified as "Limited", and direct streaming at full resolution will not be available.

#!/bin/bash

### INTERNET CONNECTION ###
# Let VPN clients (10.8.0.0/24) reach the internet through the VPS WAN interface (ens3 here)
iptables -t nat -I POSTROUTING -o ens3 -s 10.8.0.0/24 -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

########## PLEX ##########
# Traffic arriving on WAN IP 1 (h.h.h.h) port 32400 is sent down the tunnel to the Plex client
iptables -t nat -A PREROUTING -d hhh.hhh.hhh.hhh -p tcp --dport 32400 -j DNAT --to-dest 10.8.0.100:32400
# Rewrite the source to the VPN gateway so the client's replies come back through the tunnel
# (the client therefore sees 10.8.0.1 as the peer address, not the real remote IP)
iptables -t nat -A POSTROUTING -d 10.8.0.100 -p tcp --dport 32400 -j SNAT --to-source 10.8.0.1

########## WWW ##########
# HTTPS arriving on WAN IP 2 (xxx.xxx.xxx.xxx) goes to the web server client at 10.8.0.152
iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp --dport 443 -j DNAT --to-dest 10.8.0.152:443
iptables -t nat -A POSTROUTING -d 10.8.0.152 -p tcp --dport 443 -j SNAT --to-source 10.8.0.1

## SHOW PORTS THAT ARE OPEN
# These rules are not persistent, so rerun the script after a reboot; -A appends, so running it
# twice without a reboot leaves duplicate rules in the nat table (-n skips slow reverse DNS lookups)
iptables -t nat -L -n

Save the file and run the below command to make the file executable.

chmod +x /root/ports.sh

Let's run the script so that the ports are active now.

/root/ports.sh

————————–

Here is a generic form of the lines above, with the placeholders explained.

iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 6000 -j DNAT --to-dest y.y.y.100:6000
iptables -t nat -A POSTROUTING -d y.y.y.100 -p tcp --dport 6000 -j SNAT --to-source z.z.z.1

  • h.h.h.h is WAN IP 1 of the VPS (the IP the VPN itself listens on).
  • x.x.x.x is WAN IP 2 of the VPS (the extra IP added above).
  • z.z.z.1 is the OpenVPN gateway IP (typically 10.8.0.1).
  • y.y.y.y is the VPN client IP (typically 10.8.0.x, the static address set in the CCD file).
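The ports.sh script above appends rules every time it runs, so a second run (after editing it, say) leaves duplicate entries in the nat table. The following script is an added example and is not part of the original post; it does the same DNAT/SNAT forwarding but asks iptables -C whether a rule already exists before appending it, validates the protocol and port, and reads the interface, VPN subnet and gateway from variables. It assumes the same layout as above (ens3, 10.8.0.0/24, gateway 10.8.0.1) and that the FORWARD chain already accepts tun0/ens3 traffic, which the install script's own rules normally provide. The function names, the IPT/WAN_IF/VPN_NET/VPN_GW variables and the 203.0.113.x addresses are constructed for this example.

```shell
#!/bin/bash
# Added example (not from the original post): idempotent port forwarding over the VPN tunnel.
# Assumptions: WAN interface ens3, VPN subnet 10.8.0.0/24 with gateway 10.8.0.1, and a FORWARD
# chain that already accepts tun0<->ens3 traffic.
set -u

IPT="${IPT:-iptables}"           # path to iptables; overridable so the functions can be tested with a stub
WAN_IF="${WAN_IF:-ens3}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_GW="${VPN_GW:-10.8.0.1}"

# add_rule TABLE CHAIN RULE... : append RULE to CHAIN unless an identical rule already exists.
# iptables -C returns 0 when the rule is present, so rerunning the script never duplicates rules.
add_rule() {
    local table=$1 chain=$2
    shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

# forward_port WAN_IP PROTO PORT CLIENT_IP : make CLIENT_IP:PORT reachable on WAN_IP:PORT.
# The DNAT sends inbound traffic down the tunnel; the SNAT to the VPN gateway makes the client's
# replies return through the tunnel (so the client logs 10.8.0.1 as the peer address).
forward_port() {
    local wan_ip=$1 proto=$2 port=$3 client_ip=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_port: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "forward_port: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "forward_port: port out of range: $port" >&2
        return 1
    fi
    add_rule nat PREROUTING -d "$wan_ip" -p "$proto" --dport "$port" -j DNAT --to-destination "${client_ip}:${port}" || return 1
    add_rule nat POSTROUTING -d "$client_ip" -p "$proto" --dport "$port" -j SNAT --to-source "$VPN_GW"
}

# enable_internet : masquerade VPN clients out of the WAN interface and turn on routing.
enable_internet() {
    add_rule nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Only apply rules when invoked as "./forward.sh apply"; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    enable_internet
    forward_port 203.0.113.10 tcp 443   10.8.0.152   # constructed WAN IP 2 -> web server client
    forward_port 203.0.113.9  tcp 32400 10.8.0.100   # constructed WAN IP 1 -> Plex client
    "$IPT" -t nat -L -n
fi
```

Because every rule goes through add_rule, the script can be run from a boot-time unit or by hand as often as needed and the nat table ends up with exactly one copy of each forward. The validation matters more than it looks: a stray character in a port or protocol would otherwise be passed straight to iptables and fail half-way through, leaving the DNAT in place without its matching SNAT.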

OpenVPN Server Speed Tweak

nano /etc/sysctl.conf

Add the following to the bottom of the file to raise the kernel's receive buffer limits.

net.core.rmem_max=26214400
net.core.rmem_default=26214400

Reboot the server.

————————–

Monitor Server

bash <(curl -Ss https://my-netdata.io/kickstart.sh)

Now that it's installed, open http://serveriphere:19999 in a browser. Netdata binds to every interface and has no login by default, so firewall port 19999 or bind it to the VPN address rather than leaving it reachable from the public IPs.