OpenVPN is a robust, open-source VPN (Virtual Private Network) solution that enables secure connections to remote networks via the internet. In this guide, we’ll walk you through the process of setting up OpenVPN on a Debian server.
Method 1:
Installation Using a Script
Begin by obtaining the installation script and making it executable:
$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh$ chmod +x openvpn-install.shNext, run the script (ensure you have root privileges and the TUN module enabled):
$ ./openvpn-install.shUpon the first execution, you’ll be prompted to answer a few questions to configure your VPN server. Once OpenVPN is installed, you can rerun the script to:
$ ./openvpn-install.shWelcome to OpenVPN-install!The git repository is available at: https://github.com/angristan/openvpn-installIt seems like OpenVPN is already installed.What would you like to do? 1) Add a new user 2) Revoke an existing user 3) Remove OpenVPN 4) ExitSelect an option [1-4]:This allows you to add new users or revoke existing ones.
Method 2:
Step 1: Update and Upgrade Debian
Before installing any software, it’s essential to update and upgrade your Debian system. Execute the following commands:
$ sudo apt update$ sudo apt upgradeStep 2: Install OpenVPN
Install OpenVPN on your Debian server with the following command:
$ sudo apt install openvpn easy-rsaStep 3: Generate Certificates and Keys
OpenVPN relies on certificates and keys for client and server authentication. To generate these files, use the included easy-rsa script:
$ make-cadir ~/openvpn-ca && cd ~/openvpn-caEdit thevarsfile to configure Certificate Authority (CA) variables:
set_var EASYRSA_REQ_COUNTRY "US"set_var EASYRSA_REQ_PROVINCE "California"set_var EASYRSA_REQ_CITY "San Francisco"set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"set_var EASYRSA_REQ_EMAIL "[emailprotected]"set_var EASYRSA_REQ_OU "My Organizational Unit"Generate the required certificates and keys:
$ ./easyrsa init-pki$ ./easyrsa build-ca$ ./easyrsa gen-req server nopass$ ./easyrsa sign-req server server$ ./easyrsa gen-dh$ openvpn --genkey --secret pki/ta.keyThese certificates and keys will be stored in the/root/openvpn-ca/pkidirectory.
Step 4: Configure OpenVPN
After generating certificates and keys, proceed to configure OpenVPN. Create a new configuration file with the following command:
$ zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/nullCopy the necessary files to the OpenVPN directory:
$ cp /root/openvpn-ca/pki/{ca.crt,dh.pem,ta.key} /etc/openvpn$ cp /root/openvpn-ca/pki/issued/server.crt /etc/openvpn$ cp /root/openvpn-ca/pki/private/server.key /etc/openvpnEdit/etc/openvpn/server.confto match the following:
ca ca.crtcert server.crtkey server.key # Keep this file securedh dh.pem;tls-auth ta.key 0tls-crypt ta.keySave and close the file.
Step 5: Enable IP Forwarding
Edit the sysctl configuration:
$ sudo nano /etc/sysctl.confUncomment the following line:
net.ipv4.ip_forward=1Apply the changes:
$ sudo sysctl -pStep 6: Start and Enable OpenVPN
Start and enable the OpenVPN service:
$ sudo systemctl start openvpn@server$ sudo systemctl enable openvpn@serverThe@serverspecifies the configuration file you created earlier.
Step 7: Configure Firewall
Allow OpenVPN traffic through the firewall by creating a new rule:
$ sudo ufw allow OpenVPNStep 8: Connect to OpenVPN Server
With the OpenVPN server operational, you can connect to it from a client computer. Install the OpenVPN client software and download the client configuration file from the server:
$ ./easyrsa gen-req client1 nopass$ ./easyrsa sign-req client client1$ cp pki/private/client1.key /etc/openvpn/client/$ cp pki/issued/client1.crt /etc/openvpn/client/$ cp pki/{ca.crt,ta.key} /etc/openvpn/client/Create a client configuration file in the/root/openvpn-cadirectory:
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root/openvpn-ca/Edit the file usingnanoand configure the variables:
remote my-server-1 1194 # my-server-1 is the server's public IPuser nobodygroup nogroup;ca ca.crt;cert client.crt;key client.key;tls-auth ta.key 1key-direction 1Create a script to compile the base configuration with the necessary certificate, key, and encryption files:
$ nano config_gen.shInclude the following content:
#!/bin/bash# First argument: Client identifierKEY_DIR=/etc/openvpn/clientOUTPUT_DIR=/rootBASE_CONFIG=/root/openvpn-ca/client.confcat ${BASE_CONFIG} \ <(echo -e '<ca>') \ ${KEY_DIR}/ca.crt \ <(echo -e '</ca>\n<cert>') \ ${KEY_DIR}/${1}.crt \ <(echo -e '</cert>\n<key>') \ ${KEY_DIR}/${1}.key \ <(echo -e '</key>\n<tls-crypt>') \ ${KEY_DIR}/ta.key \ <(echo -e '</tls-crypt>') \ > ${OUTPUT_DIR}/${1}.ovpnMake the script executable:
$ chmod 700 /root/openvpn-ca/config_gen.sh$ ./config_gen.sh client1This command will create aclient1.ovpnfile in the/root/directory. Copy this file to your client computer and use it to connect to the OpenVPN server.
Conclusion
In this tutorial, we’ve demonstrated how to install and configure OpenVPN on a Debian server. With OpenVPN, you can securely access remote networks and their resources from anywhere in the world.
