On rebuilding a VPN server

As mentioned in connecting to Pokemon GO with OpenVPN, I’ve been running a personal OpenVPN server in DigitalOcean since late 2015. Recently, due to some bizarre behavior with Chromium and SSL on Google sites, I became a bit more paranoid and realized I hadn’t updated the server in over a year. Oops. TunnelBlick was also complaining about using an unsecure cipher. Double oops.

Time to rebuild with more secure settings. I deleted the droplet in DigitalOcean and started over. My bash history is below. Unfortunately, I rebuild the server a few months before writing this post, so the rationale for some of the choices escapes me. I wish I had taken notes at the time.

docker volume create --name $OVPN_DATA
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://<YOUR_VPN_DOMAIN>  -C 'AES-256-CBC' -a 'SHA384' -T 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full macbook nopass
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient macbook > macbook.ovpn
docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn
curl -L https://raw.githubusercontent.com/kylemanna/docker-openvpn/master/init/docker-openvpn%40.service > docker-openvpn@.service
mv docker-openvpn@.service /etc/systemd/system/
systemctl enable --now docker-openvpn@.service

Comparing the above with the original instructions I used to setup the server in 2015, the primary differences are the encryption functions and using systemd to manage the OpenVPN daemon.


Leave a Comment