
How to Set Up OpenVPN Server on Debian

Edited 5 months ago by ExtremeHow Editorial Team




Setting up an OpenVPN server on Debian may seem complicated, but by carefully following a few steps, you can configure a secure VPN. This guide assumes you have a basic knowledge of using the command line and have Debian installed. We will look at each step in detail, providing all the necessary commands and configuration to get your OpenVPN server up and running. This will include setting up, configuring, and testing your VPN server.

1. Prerequisites

Before you begin, make sure your system's packages are up to date:

sudo apt update && sudo apt upgrade -y

After making sure your system is updated, the next step is to configure the firewall.

2. Set up Simple Firewall (UFW)

Uncomplicated Firewall (UFW) is a simple way to manage firewall settings. If UFW is not already installed, use the following to install it:

sudo apt install ufw

Next, allow SSH connections through the firewall (if not already allowed) using this:

sudo ufw allow OpenSSH

Allow OpenVPN connections:

sudo ufw allow 1194/udp

Enable the firewall:

sudo ufw enable

Check the status of UFW to make sure the rules are set correctly:

sudo ufw status

3. Installing OpenVPN

Install the OpenVPN package on Debian with the following command:

sudo apt install openvpn

After installation, it's time to configure the server. You will need the easy-rsa package to help you create a certificate authority and client/server certificates.

4. Setting up Easy-RSA

Install the easy-rsa package, which contains the scripts for managing the public key infrastructure (PKI):

sudo apt install easy-rsa

Next, create a working copy of the easy-rsa scripts in a new directory that will hold all the keys and certificates:

make-cadir ~/openvpn-ca

Go to the new directory:

cd ~/openvpn-ca

Edit the 'vars' file in this directory to set the identity fields that go into every certificate request. Debian ships Easy-RSA 3, whose vars file uses set_var EASYRSA_REQ_* lines (the export KEY_* form belongs to the old Easy-RSA 2 and is ignored by ./easyrsa):

nano vars

Here are some key variables to edit:

set_var EASYRSA_REQ_COUNTRY  "US"
set_var EASYRSA_REQ_PROVINCE "CA"
set_var EASYRSA_REQ_CITY     "SanFrancisco"
set_var EASYRSA_REQ_ORG      "Example"
set_var EASYRSA_REQ_EMAIL    "email@example.com"
set_var EASYRSA_REQ_OU       "MyOrganizationalUnit"

Save and exit the editor by pressing CTRL + X, then Y, and press Enter.

5. Building Certificate Authority (CA)

Initialize the Public Key Infrastructure (PKI) directory:

./easyrsa init-pki

Create a Certificate Authority (CA) by doing the following:

./easyrsa build-ca

You will be asked for a passphrase for the CA private key and a common name for the CA. Choose them as you prefer; the passphrase is needed again every time you sign a certificate.

6. Generating server certificates and keys

Next, create the server certificate and key. Run:

./easyrsa gen-req server nopass

This command generates the server's private key, pki/private/server.key, and a certificate signing request, pki/reqs/server.req. The nopass option leaves the key unencrypted so that the service can start without a prompt.

Now sign the certificate with the CA:

./easyrsa sign-req server server

You will be asked to confirm the signing request. Type "yes" and press Enter.

7. Generating client certificates and keys

Similarly, prepare certificates for clients:

./easyrsa gen-req client1 nopass

Sign the client certificate:

./easyrsa sign-req client client1

Repeat these steps to create more client certificates as needed.

8. Generate Diffie-Hellman parameters and HMAC signature

Generate the Diffie-Hellman file:

./easyrsa gen-dh

And generate a static pre-shared key for tls-auth. With it, every control-channel packet carries an extra HMAC signature, and packets without a valid one are dropped before the TLS handshake even starts, which blunts port scans and DoS attempts against the TLS stack:

openvpn --genkey secret ta.key

9. Configuring the OpenVPN Server

Create a new configuration file for the OpenVPN server:

sudo nano /etc/openvpn/server.conf

Paste the following configuration into the file:

port 1194
proto udp
dev tun
# file names are relative to /etc/openvpn
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
# HMAC digest for the data channel and for tls-auth; it must match the
# client's "auth" line (the client configuration in step 12 uses SHA256)
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

The file names are relative to /etc/openvpn, so copy them there from the Easy-RSA output (ca.crt and dh.pem from ~/openvpn-ca/pki/, server.crt from pki/issued/, server.key from pki/private/, and ta.key from wherever you generated it), and keep server.key and ta.key readable by root only. Now save the file and exit the editor.
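The steps in sections 5 to 8 and the "make sure the paths are correct" advice above are easy to get wrong by hand. The script below is an added example, not code from the article or from the OpenVPN or Easy-RSA projects: it runs the same Easy-RSA 3 commands unattended, copies the results from the pki/ layout into /etc/openvpn with restrictive modes, and then checks that every file server.conf refers to actually exists before the service is started. The directory layout (pki/issued/, pki/private/) is the Easy-RSA 3 default; ~/openvpn-ca and the choice to place ta.key inside pki/ are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: finish the PKI build from
# sections 5-8 unattended, copy the results into /etc/openvpn, and confirm
# that every file server.conf refers to is present before starting the
# service. Paths follow the Easy-RSA 3 layout shipped by Debian (assumed).
set -euo pipefail

# Run the Easy-RSA 3 steps from the article without prompts. The CA itself is
# created with "nopass" so the script can run unattended; drop that word if
# you want the CA key protected by a passphrase (recommended outside a lab).
build_pki() {
    local ca_dir="${1:-$HOME/openvpn-ca}"
    cd "$ca_dir"
    ./easyrsa --batch init-pki
    ./easyrsa --batch build-ca nopass
    ./easyrsa --batch gen-req server nopass
    ./easyrsa --batch sign-req server server
    ./easyrsa --batch gen-dh
    openvpn --genkey secret pki/ta.key   # tls-auth key, kept with the other outputs
}

# Easy-RSA writes everything under pki/ (issued/, private/), while server.conf
# names bare files relative to /etc/openvpn. Copy them over with sane modes.
install_server_files() {
    local pki="$1" dest="$2"
    local pair src name mode
    mkdir -p "$dest"
    for pair in ca.crt:ca.crt issued/server.crt:server.crt \
                private/server.key:server.key dh.pem:dh.pem ta.key:ta.key; do
        src="$pki/${pair%%:*}"
        name="${pair##*:}"
        if [ ! -f "$src" ]; then
            echo "missing PKI file: $src" >&2
            return 1
        fi
        case "$name" in
            *.key) mode=0600 ;;   # private key and tls-auth secret: owner-only
            *)     mode=0644 ;;
        esac
        install -m "$mode" "$src" "$dest/$name"
    done
}

# Check that every ca/cert/key/dh/tls-auth/tls-crypt entry in a server config
# points at an existing file. Relative paths are resolved against the config's
# own directory, which is how openvpn@server runs /etc/openvpn/server.conf.
# Returns the number of missing files (0 means all present).
check_server_conf() {
    local conf="$1" dir key path missing=0
    dir=$(dirname "$conf")
    while read -r key path _; do
        case "$key" in ca|cert|key|dh|tls-auth|tls-crypt) ;; *) continue ;; esac
        if [ "${path#/}" = "$path" ]; then
            path="$dir/$path"
        fi
        if [ ! -f "$path" ]; then
            echo "$key -> $path: missing" >&2
            missing=$((missing + 1))
        fi
    done < "$conf"
    return "$missing"
}

# Typical use on the server, as root: build, install, then verify.
if [ "${1:-}" = "install" ]; then
    build_pki "$HOME/openvpn-ca"
    install_server_files "$HOME/openvpn-ca/pki" /etc/openvpn
    check_server_conf /etc/openvpn/server.conf
fi
```

Run it as `sudo bash pki-install.sh install` after writing /etc/openvpn/server.conf; a non-zero exit from check_server_conf tells you which directive points at a missing file, which is far easier to read than the error openvpn prints at start-up.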

10. Adjust network settings

You need to make changes to the network to allow traffic forwarding. Open `/etc/sysctl.conf`:

sudo nano /etc/sysctl.conf

Uncomment the line:

net.ipv4.ip_forward=1

Apply changes:

sudo sysctl -p

Add the UFW rule:

sudo nano /etc/ufw/before.rules

Add to the top of the file:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the VPN subnet (10.8.0.0/24, the "server" line in
# server.conf) as it leaves through eth0; change eth0 to the name of the
# interface that carries your default route
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

Allow UFW to forward packets between interfaces, which the masquerade rule depends on:

sudo nano /etc/default/ufw

Change `DEFAULT_FORWARD_POLICY` to:

DEFAULT_FORWARD_POLICY="ACCEPT"

Make sure the OpenVPN port is still allowed (this is the same rule as in step 2, so it is harmless if already present):

sudo ufw allow 1194/udp

Restart UFW:

sudo ufw disable
sudo ufw enable
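The masquerade rule above only works if its source range matches the subnet in server.conf and its -o interface is the one that really carries the default route; a range that is too wide (a /8 instead of a /24) would also NAT unrelated traffic. The following is an added example, not code from the article: it derives the CIDR range from the server directive, looks up the default-route interface, and emits the exact block to paste into /etc/ufw/before.rules. The config path and the "print" command name are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of the original article): generate the NAT block
# for /etc/ufw/before.rules from the "server" line of server.conf, so the
# masqueraded source range matches the VPN subnet instead of being guessed.
set -euo pipefail

# Convert a dotted netmask such as 255.255.255.0 to a prefix length (24).
# Rejects non-contiguous masks like 255.0.255.0.
mask_to_prefix() {
    local mask="$1" octet bits=0 ended=0
    local IFS=.
    for octet in $mask; do
        if [ "$ended" = 1 ] && [ "$octet" != 0 ]; then
            echo "non-contiguous netmask: $mask" >&2
            return 1
        fi
        case "$octet" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); ended=1 ;;
            252) bits=$((bits + 6)); ended=1 ;;
            248) bits=$((bits + 5)); ended=1 ;;
            240) bits=$((bits + 4)); ended=1 ;;
            224) bits=$((bits + 3)); ended=1 ;;
            192) bits=$((bits + 2)); ended=1 ;;
            128) bits=$((bits + 1)); ended=1 ;;
            0)   ended=1 ;;
            *)   echo "bad netmask octet: $octet" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# Read "server <network> <netmask>" from an OpenVPN server config and print
# the subnet in CIDR form, e.g. 10.8.0.0/24.
vpn_subnet_cidr() {
    local conf="$1" key net mask
    while read -r key net mask _; do
        if [ "$key" = "server" ]; then
            echo "$net/$(mask_to_prefix "$mask")"
            return 0
        fi
    done < "$conf"
    echo "no 'server' directive in $conf" >&2
    return 1
}

# Interface that carries the IPv4 default route (what "-o eth0" assumes).
default_iface() {
    ip -4 route show default | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Emit the block the article has you paste at the top of before.rules.
nat_rules() {
    local cidr="$1" iface="$2"
    cat <<EOF
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $cidr -o $iface -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# Usage: bash nat-rules.sh print   (assumed script name)
if [ "${1:-}" = "print" ]; then
    nat_rules "$(vpn_subnet_cidr /etc/openvpn/server.conf)" "$(default_iface)"
fi
```

After pasting the output into before.rules and reloading UFW, `sudo iptables -t nat -S POSTROUTING` should show exactly one MASQUERADE rule for the VPN subnet; if the interface name in it does not match the output of `ip route show default`, clients will connect but get no Internet access.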

11. Starting and enabling OpenVPN

Start and enable the OpenVPN service:

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Check the status to make sure it's running without any errors:

sudo systemctl status openvpn@server

12. Configuring the client

The last step is to configure the client. Install the OpenVPN client by running the installation command specific to your client operating system. Then, create a client configuration file, usually a `.ovpn` file that contains all the server information, the client certificate, and the private key for authentication.

Create a new client configuration file on your machine (client1.ovpn). Because the certificates and keys are pasted inline between <ca>, <cert>, <key> and <tls-auth> tags, the tls-auth key direction is given with key-direction 1 rather than with a file reference:

client
dev tun
proto udp
remote your-server-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
auth-nocache
key-direction 1
verb 3
<ca>
# paste ca.crt content here
</ca>
<cert>
# paste client1.crt content here
</cert>
<key>
# paste client1.key content here
</key>
<tls-auth>
# paste ta.key content here
</tls-auth>

Transfer the finished client1.ovpn to the client machine over a trusted channel (for example scp), since it contains the client's private key, and set up the client configuration there.
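Pasting four files into the .ovpn by hand is where most client setups go wrong: a missing tag, a stray line from the human-readable text that Easy-RSA prepends to issued certificates, or the wrong client's key. The script below is an added example, not code from the article or from the OpenVPN project: it assembles a self-contained client1.ovpn from the Easy-RSA 3 output directory, keeping only the PEM portion of the certificate and refusing to run if any input is unreadable. The server address argument, the pki/issued and pki/private paths and the script name are assumptions; the option lines mirror the client configuration above.

```bash
#!/usr/bin/env bash
# Added example (not part of the original article): build a self-contained
# client .ovpn by inlining the CA certificate, client certificate, client key
# and tls-auth key, so a single file is transferred to the client.
set -euo pipefail

# make_client_ovpn <server-ip-or-name> <pki-dir> <client-name> <ta.key>
# Prints the finished profile on stdout; redirect it into <client-name>.ovpn.
make_client_ovpn() {
    local server="$1" pki="$2" name="$3" ta="$4"
    local ca="$pki/ca.crt" cert="$pki/issued/$name.crt" key="$pki/private/$name.key"
    local f
    for f in "$ca" "$cert" "$key" "$ta"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
auth-nocache
key-direction 1
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cert")
</cert>
<key>
$(cat "$key")
</key>
<tls-auth>
$(cat "$ta")
</tls-auth>
EOF
}

# Usage on the server (assumed paths):
#   bash make-ovpn.sh 203.0.113.10 ~/openvpn-ca/pki client1 ~/openvpn-ca/ta.key > client1.ovpn
if [ "$#" -eq 4 ]; then
    make_client_ovpn "$1" "$2" "$3" "$4"
fi
```

The sed range keeps only the PEM block of the issued certificate, because Easy-RSA writes a plain-text dump of the certificate above it and some clients choke on that text inside <cert>. The resulting file carries a private key, so give it mode 0600 and delete it from the server once the client has it.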

13. VPN testing

Finally, test the connection. Start the OpenVPN client on your machine with the configuration file you created. If everything is configured correctly, the client connects without errors and your network traffic is now routed through the VPN.

Once connected, verify your external IP address to ensure it reflects the server’s IP and not your original client IP.

Conclusion

By following these detailed steps, you have successfully installed an OpenVPN server on a Debian machine. This setup ensures secure communication for your data over a potentially insecure network. Always remember to keep your server and client up-to-date and constantly monitor for security updates.
