OpenVPN is a robust, open-source VPN (Virtual Private Network) solution that enables secure connections to remote networks via the internet. In this guide, we’ll walk you through the process of setting up OpenVPN on a Debian server.
Method 1: Installation Using a Script
Begin by obtaining the installation script and making it executable:
$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x openvpn-install.sh
Next, run the script (ensure you have root privileges and the TUN module enabled):
$ ./openvpn-install.sh
Upon the first execution, you’ll be prompted to answer a few questions to configure your VPN server. Once OpenVPN is installed, you can rerun the script to:
$ ./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It seems like OpenVPN is already installed.
What would you like to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:
This allows you to add new users or revoke existing ones.
Method 2:
Step 1: Update and Upgrade Debian
Before installing any software, it’s essential to update and upgrade your Debian system. Execute the following commands:
$ sudo apt update
$ sudo apt upgrade
Step 2: Install OpenVPN
Install OpenVPN on your Debian server with the following command:
$ sudo apt install openvpn easy-rsa
Step 3: Generate Certificates and Keys
OpenVPN relies on certificates and keys for client and server authentication. To generate these files, use the included easy-rsa script:
$ make-cadir ~/openvpn-ca && cd ~/openvpn-ca
Edit the vars file to configure Certificate Authority (CA) variables:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "My Organizational Unit"
Generate the required certificates and keys:
$ ./easyrsa init-pki
$ ./easyrsa build-ca
$ ./easyrsa gen-req server nopass
$ ./easyrsa sign-req server server
$ ./easyrsa gen-dh
$ openvpn --genkey --secret pki/ta.key
These certificates and keys will be stored in the /root/openvpn-ca/pki directory.
Step 4: Configure OpenVPN
After generating certificates and keys, proceed to configure OpenVPN. Create a new configuration file with the following command:
$ zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/null
Copy the necessary files to the OpenVPN directory:
$ cp /root/openvpn-ca/pki/{ca.crt,dh.pem,ta.key} /etc/openvpn
$ cp /root/openvpn-ca/pki/issued/server.crt /etc/openvpn
$ cp /root/openvpn-ca/pki/private/server.key /etc/openvpn
Edit /etc/openvpn/server.conf to match the following:
ca ca.crt
cert server.crt
key server.key # Keep this file secure
dh dh.pem
;tls-auth ta.key 0
tls-crypt ta.key
Save and close the file.
Step 5: Enable IP Forwarding
Edit the sysctl configuration:
$ sudo nano /etc/sysctl.conf
Uncomment the following line:
net.ipv4.ip_forward=1
Apply the changes:
$ sudo sysctl -p
Step 6: Start and Enable OpenVPN
Start and enable the OpenVPN service:
$ sudo systemctl start openvpn@server
$ sudo systemctl enable openvpn@server
The @server specifies the configuration file you created earlier.
Step 7: Configure Firewall
Allow OpenVPN traffic through the firewall by creating a new rule:
$ sudo ufw allow OpenVPN
Step 8: Connect to OpenVPN Server
With the OpenVPN server operational, you can connect to it from a client computer. Install the OpenVPN client software and download the client configuration file from the server:
$ ./easyrsa gen-req client1 nopass
$ ./easyrsa sign-req client client1
$ cp pki/private/client1.key /etc/openvpn/client/
$ cp pki/issued/client1.crt /etc/openvpn/client/
$ cp pki/{ca.crt,ta.key} /etc/openvpn/client/
Create a client configuration file in the /root/openvpn-ca directory:
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root/openvpn-ca/
Edit the file using nano and configure the variables:
remote my-server-1 1194 # my-server-1 is the server's public IP
user nobody
group nogroup
;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1
key-direction 1
Create a script to compile the base configuration with the necessary certificate, key, and encryption files:
$ nano config_gen.sh
Include the following content:
#!/bin/bash
# First argument: Client identifier
KEY_DIR=/etc/openvpn/client
OUTPUT_DIR=/root
BASE_CONFIG=/root/openvpn-ca/client.conf
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-crypt>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-crypt>') \
    > ${OUTPUT_DIR}/${1}.ovpn
Make the script executable, then run it with the client name as the argument:
$ chmod 700 /root/openvpn-ca/config_gen.sh
$ ./config_gen.sh client1
This command will create a client1.ovpn file in the /root/ directory. Copy this file to your client computer and use it to connect to the OpenVPN server.
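The check below is an added example, not part of the original guide: it validates a profile produced by config_gen.sh before the file is copied to a client. If config_gen.sh is run with a wrong or missing client name, cat still writes an .ovpn file with empty inline blocks, and the output is created with the default umask even though it embeds the client's private key. The function names (has_block, check_ovpn, make_sample) and the placeholder key material are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): check a generated .ovpn profile.

# has_block FILE TAG: succeeds if <TAG>...</TAG> is closed and wraps PEM-style content.
has_block() {
    awk -v t="$2" '
        $0 == ("<" t ">")            { inside = 1; next }
        $0 == ("</" t ">") && inside { closed = 1; inside = 0 }
        inside && /^-----BEGIN /     { pem = 1 }
        END { exit !(closed && pem) }' "$1"
}

# check_ovpn FILE: prints findings; exit status is the number of problems.
check_ovpn() {
    f=$1; problems=0
    for tag in ca cert key tls-crypt; do
        if ! has_block "$f" "$tag"; then
            echo "FAIL: <$tag> block missing, unclosed or empty"
            problems=$((problems + 1))
        fi
    done
    # The guide comments these out with ';' because the material is inlined
    # and tls-crypt replaces tls-auth; an active line means that step was missed.
    if grep -Eq '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$f"; then
        echo "FAIL: file-based ca/cert/key/tls-auth directive still active"
        problems=$((problems + 1))
    fi
    # The profile embeds the client private key: allow owner access only.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "FAIL: group/other permission bits set; run: chmod 600 $f"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# make_sample FILE: writes a constructed profile with placeholder key material.
make_sample() {
    {
        printf 'client\nremote my-server-1 1194\n;ca ca.crt\nkey-direction 1\n'
        for tag in ca cert key tls-crypt; do
            printf '<%s>\n-----BEGIN PLACEHOLDER-----\nAAAA\n-----END PLACEHOLDER-----\n</%s>\n' "$tag" "$tag"
        done
    } > "$1"
    chmod 600 "$1"
}

tmp=$(mktemp -d)
make_sample "$tmp/client1.ovpn"
check_ovpn "$tmp/client1.ovpn" && echo "client1.ovpn: OK"
rm -rf "$tmp"
```

On the server, run check_ovpn /root/client1.ovpn after config_gen.sh; a non-zero exit status is the number of findings.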
Conclusion
In this tutorial, we’ve demonstrated how to install and configure OpenVPN on a Debian server. With OpenVPN, you can securely access remote networks and their resources from anywhere in the world.