In this blog, I will show you what a VPN is, how it protects your online privacy, and how to build your own VPN server on the RISC-V Linux development board K1. We will start with the basic concepts, then move on to the technical implementation, and finally show how to use the server. This is not only an interesting technical challenge; it can also greatly improve the security and privacy of your network.
Introduction to VPN

A virtual private network (VPN) is a technology that creates an encrypted connection between devices over a public network, such as the Internet. This technology helps users transfer data securely over unsecured networks while protecting their online activities from surveillance. The most common uses of VPNs include protecting data privacy, bypassing geo-restricted content, and securely connecting to remote networks.
Why build a VPN server on the K1 development board?
The K1 development board is based on the powerful RISC-V architecture and runs the Linux operating system, which provides good support for advanced network functions. Using the K1 as a VPN server, you can take advantage of its powerful processing power and the flexibility of the Linux system to create a reliable and secure network connection point, allowing you to securely access network resources at home or in the office no matter where you are.
Install OpenVPN
To install OpenVPN on the K1 development board, first make sure your system is up to date, then execute the following command to install the OpenVPN software:
sudo apt-get update
sudo apt-get install openvpn easy-rsa
Generate Keys and Certificates
Use the Easy-RSA toolkit to generate the keys and certificates required for the VPN. This step is critical to ensuring that your VPN connection is secure:
Create an EasyRSA working directory
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
Initialize PKI (Public Key Infrastructure)
Initialize PKI in the EasyRSA directory:
./easyrsa init-pki
Create a CA (Certificate Authority)
Generate a CA (Certificate Authority) certificate:
./easyrsa build-ca
You will be asked to enter some information, such as organization name, country, etc. After you fill it in, the ca.crt and private/ca.key files are generated in the pki directory.
Generate Server Certificate
Generate server certificate and key:
./easyrsa build-server-full server nopass
Here server is the name of the server, which you can customize as needed. nopass means the server's private key is stored without a passphrase, so the service can start without anyone typing one. If you want to protect the key with a passphrase, remove nopass.
Generate client certificates
Generate certificates for each client:
./easyrsa build-client-full client1 nopass
Here client1 is the name of the client; pick a name that identifies the device or user. nopass means that the client key is not encrypted.
Generate Diffie-Hellman parameters
Generate Diffie-Hellman parameter file to support key exchange:
./easyrsa gen-dh
The generated file dh.pem will be saved in the pki directory.
Generate HMAC signature key
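Generate the HMAC key used by tls-auth. It signs the TLS control-channel packets, so the server drops packets from anyone who does not hold the key before it starts a TLS handshake: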
openvpn --genkey secret ta.key
These commands will initialize your certificate authority and server key, and create the necessary encryption parameters.
Configure the OpenVPN server
Copy the certificate and key to the OpenVPN configuration directory
Copy the generated certificate and key files to the OpenVPN configuration directory (usually /etc/openvpn):
sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn
Configure OpenVPN server
Create and edit the server configuration file server.conf in the /etc/openvpn directory:
sudo nano /etc/openvpn/server.conf
Add the following content:
# OpenVPN server config file
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
Adjust the configuration file to your environment, such as the IP address range, port number and protocol.
Enable IP forwarding
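Enable IP forwarding in the Linux kernel so the server can route traffic from VPN clients to the Internet. Forwarding only passes the packets along: for replies to reach the clients, the server also needs a NAT (masquerade) rule for the 10.8.0.0/24 subnet on its Internet-facing interface, or the upstream router needs a route for that subnet back to the K1.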
sudo nano /etc/sysctl.conf
Make sure the following line is not commented out:
net.ipv4.ip_forward=1
Then apply the changes:
sudo sysctl -p
Start the VPN service
After the configuration is complete, start the OpenVPN service and set it to start at boot:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Client connection settings
Create a client configuration file
Create a .ovpn configuration file on the client device, including the server’s IP address, port, certificate, key, etc.:
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-256-CBC
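# No compression directive: server.conf above does not enable compression, and both ends must agree
# Accept only a peer whose certificate is marked for server use
remote-cert-tls server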
verb 3
Replace YOUR_SERVER_IP with the IP address of your OpenVPN server.
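The client file has to agree with server.conf on a handful of directives: protocol, device type, port, cipher, compression framing, and complementary tls-auth directions. The script below is an added example, not part of the original post; the function names and the constructed sample pair are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are ours.

# directive FILE NAME: print "set ARGS" for the first NAME line (comment
# lines never match because their first field starts with '#'), else "absent".
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print "set " $0; f = 1; exit }
                   END { if (!f) print "absent" }' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF: one line per mismatch, status 1 if any.
check_pair() {
    srv=$1; cli=$2; bad=0
    # Should be identical, or identically absent, on both ends.
    for d in proto dev cipher comp-lzo compress; do
        s=$(directive "$srv" "$d"); c=$(directive "$cli" "$d")
        [ "$s" = "$c" ] || { echo "MISMATCH $d: server=[$s] client=[$c]"; bad=1; }
    done
    # Client "remote HOST PORT" must target the server "port" (default 1194).
    s_port=$(directive "$srv" port | awk '{ print $2 }')
    c_port=$(directive "$cli" remote | awk '{ print $3 }')
    [ "${s_port:-1194}" = "${c_port:-1194}" ] ||
        { echo "MISMATCH port: server=[$s_port] client=[$c_port]"; bad=1; }
    # tls-auth directions must be complementary (0/1), or omitted on both.
    s_dir=$(directive "$srv" tls-auth | awk '{ print $3 }')
    c_dir=$(directive "$cli" tls-auth | awk '{ print $3 }')
    case "$s_dir$c_dir" in
        01|10|"") ;;
        *) echo "MISMATCH tls-auth: server=[$s_dir] client=[$c_dir]"; bad=1 ;;
    esac
    return "$bad"
}

# Constructed sample pair in which only the client enables compression.
demo() {
    t=$(mktemp -d) || return 2
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' \
        'tls-auth /etc/openvpn/ta.key 0' 'cipher AES-256-CBC' > "$t/server.conf"
    printf '%s\n' client 'dev tun' 'proto udp' 'remote YOUR_SERVER_IP 1194' \
        'tls-auth ta.key 1' 'cipher AES-256-CBC' comp-lzo > "$t/client.ovpn"
    rc=0; check_pair "$t/server.conf" "$t/client.ovpn" || rc=$?
    rm -rf "$t"; return "$rc"
}
demo || echo "resolve the mismatches before distributing the profile"
```

To check real files, call check_pair with /etc/openvpn/server.conf and the client's .ovpn file.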
Transfer the client certificate and configuration file
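Transfer the client certificate (client1.crt), client key (client1.key), CA certificate (ca.crt), HMAC key (ta.key), and .ovpn configuration file to your client device over an encrypted channel, because client1.key was generated with nopass and is not protected by a passphrase.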
Use the OpenVPN client on the client to connect to the server. You can run the following command in the terminal (using Ubuntu as an example):
sudo openvpn --config client1.ovpn
The client will try to connect to the OpenVPN server. Once the connection is successful, your client will get an IP address of 10.8.0.x and can access the server network through VPN.
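Instead of moving five separate files to the client, the certificates and keys can be embedded in a single .ovpn profile using OpenVPN's inline blocks, with key-direction 1 taking the place of the direction argument of tls-auth. The script below is an added example, not part of the original post: the function names are assumptions, the input paths follow the Easy-RSA layout used above, and the profile includes remote-cert-tls server and no compression directive because server.conf does not enable compression.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are ours;
# file locations follow the Easy-RSA layout used on this page.

# embed TAG FILE: emit FILE's PEM/static-key block inside <TAG>...</TAG>,
# dropping any human-readable text or comments around the block.
embed() {
    printf '<%s>\n' "$1"
    sed -n '/-----BEGIN/,/-----END/p' "$2"
    printf '</%s>\n' "$1"
}

# make_ovpn NAME SERVER_IP PKI_DIR TA_KEY OUT_FILE
make_ovpn() {
    name=$1; server=$2; pki=$3; ta=$4; out=$5
    # Stop before writing anything if an input is missing.
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" \
             "$pki/private/$name.key" "$ta"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    (
        umask 077        # profile embeds the private key: owner-only (0600)
        rm -f "$out"     # an existing file would keep its old mode
        {
            printf '%s\n' client 'dev tun' 'proto udp' \
                "remote $server 1194" 'resolv-retry infinite' nobind \
                persist-key persist-tun 'cipher AES-256-CBC' \
                'remote-cert-tls server' 'key-direction 1' 'verb 3'
            embed ca "$pki/ca.crt"
            embed cert "$pki/issued/$name.crt"
            embed key "$pki/private/$name.key"
            embed tls-auth "$ta"
        } > "$out"
    )
}

# Run as: sh make_ovpn.sh client1 YOUR_SERVER_IP ~/openvpn-ca/pki ~/openvpn-ca/ta.key client1.ovpn
if [ "$#" -eq 5 ]; then make_ovpn "$@"; fi
```

The resulting client1.ovpn works with the same openvpn --config command shown above and should be treated like the private key it contains.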
Verify the connection
On the client device, you can run the following command to verify that you are successfully connected to the VPN:
curl ifconfig.me
Check your public IP address. It should show the VPN server’s IP address instead of the client’s public IP address.
Conclusion
Building and running your own VPN server is a very educational project that can provide a deep understanding of network security and data encryption. By implementing this function on the K1 development board, you can not only improve the security of your personal network, but also enjoy the fun of learning and applying Linux system knowledge. I hope this blog can help you successfully build and run your own VPN server!