Multi-user VPN behind a single static IP
First published on January 25, 2014
I needed to set up a connection whereby multiple users in different locations could simultaneously connect to a VPN with a single static IP. We needed to access a third-party network through a single IP. I looked into many paid and free external VPN services, but they almost all had restrictions on multiple simultaneous connections (from different locations); or they didn’t provide a static IP; or they only provided a simple proxy service (which meant we’d have to configure port forwarding for each HTTP / SSH / other connection). I decided to set up our own VPN on one of our web servers using the free OpenVPN application. It was quite straightforward to set up both the VPN server and the clients. The only requirement is that you must already have a server where you have root access.
I followed this tutorial for installing the VPN server on CentOS. There is also a similar tutorial for installing the VPN server on Ubuntu. I have only a few corrections / modifications based on the CentOS tutorial:
- The “easy-rsa” key management package no longer comes with OpenVPN. You have to install it separately; for example: yum install easy-rsa. Then you’ll find the “easy-rsa” files in /usr/share/easy-rsa.
- There is a useful comment below the tutorial about how to set up TLS authentication for better security.
- If you want to use the same key for multiple clients, use the “duplicate-cn” setting in the server.conf file.
- When you create your client.ovpn configuration file, you might want to reference the certificate files instead of pasting them directly into the configuration.
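As an added illustration (not taken from the tutorial or from the original post), the TLS authentication, “duplicate-cn” and file-reference points above might look like this on both sides. The paths, file names, subnet and the host name vpn.example.com are assumed placeholders.

```conf
# ---- /etc/openvpn/server.conf (fragment; paths are assumptions) ----
port 1194
proto udp
dev tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
# Private key: keep it readable by root only.
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0

# TLS authentication: packets that lack a valid HMAC made with the
# shared ta.key are dropped before any TLS handshake starts.
# Generate the key once on the server:
#   openvpn --genkey --secret /etc/openvpn/keys/ta.key
# The direction argument is 0 on the server and 1 on every client.
tls-auth /etc/openvpn/keys/ta.key 0

# Allow several simultaneous connections that present the same client
# certificate. Without this, a new connection with an already-connected
# common name disconnects the earlier session.
# Trade-off: a shared certificate cannot be revoked for one user only;
# revoking it locks out everyone until new keys are distributed.
duplicate-cn

# ---- client.ovpn (kept in the same directory as the files it names) ----
client
dev tun
proto udp
# Placeholder host name; use the server's static IP or DNS name.
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse peers whose certificate is not marked as a server certificate.
remote-cert-tls server
# Certificates and keys referenced as files instead of pasted inline,
# so the private key can have tighter file permissions than the config.
ca   ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1
```

If individual revocation matters more than convenience, issue one certificate per user with easy-rsa and leave “duplicate-cn” out.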
On the client side, there is an OpenVPN GUI client that works well. If you are using Ubuntu on the client side, you can use the built-in Network Manager; just add OpenVPN support — apt-get install network-manager-openvpn — and then import the .ovpn configuration file as outlined here.
Once you’ve set up the server and the clients, when you connect to the VPN, all of your network requests will run through the server.