How to install and configure OpenVPN Server on Debian 10

OpenVPN is open-source software that can be used to access the internet securely when connected to an untrusted network. OpenVPN keeps your online data safe by tunneling it through an encrypted connection to the VPN server. It uses SSL/TLS for key exchange and is capable of traversing network address translators. There is a lot of VPN software on the market, but most of it is costly and/or challenging to set up and manage, while OpenVPN is free and simple to set up, configure, and manage.

In this tutorial, we will explain how to set up an OpenVPN server on Debian 10.

Requirements

  • Two servers running Debian 10.
  • A static IP address 192.168.0.103 is configured on the VPN server and 192.168.0.102 on the VPN client.
  • A root password is configured on both servers.

Install OpenVPN

First, you will need to enable IP forwarding so that the server can forward packets between the VPN clients and the network. You can do this by editing the /etc/sysctl.conf file:

nano /etc/sysctl.conf

Uncomment or change the following line so that it reads:

net.ipv4.ip_forward=1

Save and close the file, when you are finished. Then, apply the new settings by running the following command:

sysctl -p

Next, install the OpenVPN package by running the following command:

apt-get install openvpn -y

Once the installation has been completed, you can proceed to the next step.

Generate Server Certificate and Key

First, you will need to copy the EasyRSA directory (installed by the easy-rsa package) to /etc/openvpn/. You can do it with the following command:

cp -r /usr/share/easy-rsa /etc/openvpn/

Next, change into the easy-rsa directory and rename the vars.example file:

cd /etc/openvpn/easy-rsa
mv vars.example vars

Next, open the vars file:

nano vars

Add the following lines:

export KEY_COUNTRY="INDIA"
export KEY_PROVINCE="CA"
export KEY_CITY="Junagadh"
export KEY_ORG="Howtoforge"
export KEY_EMAIL="[email protected]"
export KEY_OU="OpenVPN"

Save and close the file when you are finished. Then, initialize the PKI with the following command:

./easyrsa init-pki

You should see the following output:

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Next, build the CA without a password as shown below:

./easyrsa build-ca nopass

You should see the following output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
..............+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
140449484268672:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

Next, generate the server key and certificate request with the following command:

./easyrsa gen-req server nopass

You should see the following output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019
Generating a RSA private key
...+++++
................................................................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.uQ7rqU8ryK'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key

Next, sign the server certificate with the following command:

./easyrsa sign-req server server

You should see the following output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Sep  5 15:43:29 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt

Next, generate the Diffie-Hellman parameters with the following command:

./easyrsa gen-dh

You should see the following output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

Next, generate the static key used for the tls-auth HMAC check with the following command:

openvpn --genkey --secret ta.key

Finally, copy all the certificates and keys to the /etc/openvpn directory:

cp ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/

Generate Client Certificate and Key

Next, generate the client key and certificate request with the following command:

./easyrsa gen-req client nopass

You should see the following output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019
Generating a RSA private key
..........................................+++++
...............+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.wU45j6E0Dt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/pki/private/client.key

Next, sign the client certificate with the following command:

./easyrsa sign-req client client

You should see the following output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = client


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Sep  5 12:28:25 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt

Next, copy the client certificate and keys to the /etc/openvpn/client/ directory:

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/

Configure OpenVPN Server

All the required certificates and keys for the server and client are now generated. Next, you will need to create the OpenVPN server configuration file. You can create it with the following command:

nano /etc/openvpn/server.conf

Add the following content:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

Save and close the file. Then, start OpenVPN service with the following command:

systemctl start openvpn@server.service

Next, verify the status of the OpenVPN server using the following command:

systemctl status openvpn@server.service

Output:

● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-09-21 08:46:47 EDT; 6s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 5040 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 1138)
   Memory: 1.7M
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─5040 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.

Sep 21 08:46:47 debian systemd[1]: Starting OpenVPN connection to server...
Sep 21 08:46:47 debian systemd[1]: Started OpenVPN connection to server.

Install and Configure OpenVPN Client

Next, log in to the OpenVPN client system and install the OpenVPN package with the following command:

apt-get install openvpn -y

Once installed, create a new configuration file for the OpenVPN client:

nano /etc/openvpn/client.conf

Define your server IP address and the client certificate files as shown below:

client
dev tun
proto udp
remote 192.168.0.103 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

Save and close the file. Then, copy the client certificate and key files from the OpenVPN server to the OpenVPN client system with the following commands:

scp root@192.168.0.103:/etc/openvpn/client/ca.crt /etc/openvpn/
scp root@192.168.0.103:/etc/openvpn/client/client.crt /etc/openvpn/
scp root@192.168.0.103:/etc/openvpn/client/client.key /etc/openvpn/
scp root@192.168.0.103:/etc/openvpn/ta.key /etc/openvpn/

Next, start the OpenVPN client service with the following command:

systemctl start openvpn@client.service

Now, you can see the new IP address assigned by the OpenVPN server with the following command:

ifconfig

You should see the following output:

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.102  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::a00:27ff:fe99:dc40  prefixlen 64  scopeid 0x20
        ether 08:00:27:99:dc:40  txqueuelen 1000  (Ethernet)
        RX packets 447  bytes 42864 (41.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 334  bytes 47502 (46.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 57  bytes 9754 (9.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 57  bytes 9754 (9.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::52b5:a1d2:fa23:f51e  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 472 (472.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Next, go to the OpenVPN server system and check the OpenVPN log with the following command:

tail -f /var/log/openvpn/openvpn.log

You should get the following output:

Sun Sep 22 19:46:08 2019 192.168.0.103:45700 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 [_] Peer Connection Initiated with [AF_INET]192.168.0.103:45700
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: Learn: 10.8.0.6 -> _/192.168.0.103:45700
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: primary virtual IP for _/192.168.0.103:45700: 10.8.0.6
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 PUSH: Received control message: 'PUSH_REQUEST'
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 SENT CONTROL [_]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Congratulations! You have successfully installed and configured an OpenVPN server and client on Debian 10.

Comments

By: mccharlet

Hi,

You don't need NAT in the configuration?

By: Muhammad Arul

You just enabled NAT without Firewall configuration.

Is that how OpenVPN works?

By: Pavel

AFTER:

apt-get install openvpn -y

YOU SHOULD RUN:

apt-get install easy-rsa

By: bari

Hello, that's good. I have been successful configuring my server based on your guide. This time, how do I access the VPN server from a Windows client based on this tutorial?? I have tried since yesterday, and did not get a clue..

thank you

By: Walter

I created a shell script that creates a client automatically:

vim create_client.sh

#!/bin/bash
# Run from /etc/openvpn/easy-rsa; expects ta.key, ca.crt and client.conf in the current directory.
set -e

# easyrsa refuses to overwrite an existing request, key or certificate, so clear the old ones first
rm -f /etc/openvpn/easy-rsa/pki/private/client.key \
      /etc/openvpn/easy-rsa/pki/reqs/client.req \
      /etc/openvpn/easy-rsa/pki/issued/client.crt

./easyrsa gen-req client nopass
./easyrsa sign-req client client

input="/etc/openvpn/easy-rsa/pki/issued/client.crt"

# Find the "Subject: CN=..." line in the text header that easyrsa writes above the PEM block
linha=""
while IFS= read -r line; do
  if [[ $line == *"Subject: CN"* ]]; then
    linha=$line
  fi
done < "$input"

echo =====================================================

# Keep only the CN value (OpenSSL 1.1 prints it as "CN = client", so strip the spaces as well)
nome_escolhido=${linha#*CN}
nome_escolhido=${nome_escolhido#*=}
nome_escolhido=${nome_escolhido// /}
if [[ -z "$nome_escolhido" ]]; then
  nome_escolhido="novo_cliente"
fi

cp /etc/openvpn/easy-rsa/pki/issued/client.crt .
cp /etc/openvpn/easy-rsa/pki/private/client.key .
/usr/bin/tar -zvcf "$nome_escolhido.tar.gz" client.crt client.key ta.key ca.crt client.conf
rm client.crt client.key

By: Michael

Hi, first error on: sysctl -p

Command not found.

By: till

The sysctl command exists on every Debian 10 server. Maybe you are not logged in as the root user, or it's not a Debian 10 system, or you mistyped the command.

By: Michael

No export lines in var

By: Carlos

Hi, when I'm in the client trying: scp root@192.168.0.103:/etc/openvpn/client/ca.crt /etc/openvpn/

I am asked for the root password of the server, I write it, and I am sure I am doing it right, but it says: permission denied, please try again.

Any idea of why this is happening?

Thank you very much

By: Carlos

Hello,

When I'm doing: scp root@192.168.0.103:/etc/openvpn/client/ca.crt /etc/openvpn/

I am asked to write the password of the root user of the server. I write it correctly, but it says Permission denied, please try again.

Any idea of this problem?

Thank you

By: Brrng

Hello, I am on Debian 10.2.0 and the command sysctl -p does not work. bash: sysctl: command not found.

It's the same thing for openvpn --genkey --secret ta.key

By: habib ahmad purba

How do I configure it with a Windows client? Please..

By: Charlie

Do you have the command to generate a client.ovpn profile to import into the Windows OpenVPN client?

By: Pablo

Changing the extension from .conf to .ovpn will work.

By: Hackmond

Bro, you are the best! Thank you very much! I couldn't do that for several hours. Thanks!

By: Liviu

Hi, for those receiving the error: bash: openvpn: command not found

Most likely you used "su" instead of "su -".

just run: su -

and it should work.

By: caladev

This article is missing the NAT configuration step.

You can clearly see in the CentOS version of this article there is a section on `iptables` config which does not exist here: https://www.howtoforge.com/tutorial/how-to-install-openvpn-on-centos-7/

Since on Debian the new preferred firewall app is not `iptables` but rather `nftables`, the following configuration example should hopefully help someone in the same position as me that followed this from start to finish and it only worked after I configured NAT correctly.

Example with `nftables`: https://github.com/mqus/nft-rules/blob/master/files/VPN.md
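A minimal nftables ruleset for the NAT step the comment above describes, added here as an example; it is not part of the tutorial or of the linked page. It assumes the server's internet-facing interface is named enp0s3 (check with `ip route`) and uses the 10.8.0.0/24 VPN subnet from the tutorial's server.conf.

```nft
#!/usr/sbin/nft -f
# Assumption: egress interface enp0s3; VPN subnet 10.8.0.0/24 from "server 10.8.0.0 255.255.255.0"
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # replies to connections the VPN clients initiated
        ct state established,related accept
        # VPN clients out to the internet through the egress interface only
        iifname "tun0" oifname "enp0s3" accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # rewrite the 10.8.0.0/24 source addresses to the server's own address
        ip saddr 10.8.0.0/24 oifname "enp0s3" masquerade
    }
}
```

Merge this into /etc/nftables.conf and enable the nftables service so it survives a reboot; note that the forward chain's drop policy also blocks any other forwarding the host was doing, so adjust it if the server routes other traffic.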

By: nab

scp root@192.168.0.103:/etc/openvpn/client/ca.crt /etc/openvpn/ : for this problem you have to allow root over ssh: https://cloriou.fr/2016/12/05/debian-autoriser-acces-root-via-ssh/

By: Stefan

Whoever needs to make an .ovpn, do it like this:

- nano /etc/openvpn/client.ovpn

- put in the content made for client.conf

- at the end add <ca> and save

- cat client/ca.crt >> ./client.ovpn

- add </ca> and <cert> and save

- cat client/client.crt >> ./client.ovpn

- delete the newly added lines which are before -----BEGIN CERTIFICATE-----

- add </cert> and <key> and save

- cat client/client.key >> ./client.ovpn

- add </key>

Now it should work with Android, Windows etc.
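The manual steps above, and the tutorial's split client.conf plus ca.crt/client.crt/client.key/ta.key, can be turned into a unified .ovpn with a short script. This is an added example, not code from the tutorial or from the commenter; it assumes the file layout the tutorial produces and builds its own placeholder input so it runs anywhere.

```shell
#!/bin/bash
# Added example (not from the tutorial): build a single-file client.ovpn with the CA,
# client certificate, client key and tls-auth key inlined, which is what the Windows
# and Android OpenVPN clients import. Assumes the split files produced by the tutorial.
set -eu

# Print only the PEM block of a file. easy-rsa's issued certificates carry a
# human-readable text header ("Subject: ..."); it must not end up in the profile.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn CONF CA CERT KEY TA  -> unified profile on stdout
build_ovpn() {
    local conf=$1 ca=$2 cert=$3 key=$4 ta=$5
    # Drop the file-path directives from client.conf; the inline blocks replace them.
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$conf"
    # "tls-auth ta.key 1" becomes an inline <tls-auth> block plus key-direction 1
    # (the server side uses direction 0, as in the tutorial's server.conf).
    echo "key-direction 1"
    local pair tag file
    for pair in "ca:$ca" "cert:$cert" "key:$key" "tls-auth:$ta"; do
        tag=${pair%%:*}
        file=${pair#*:}
        echo "<$tag>"
        pem_block "$file"
        echo "</$tag>"
    done
}

# --- constructed sample input: the tutorial's client.conf and placeholder PEM files
# (the PEM bodies are dummies, not real keys) ---
work=$(mktemp -d)
cat > "$work/client.conf" <<'EOF'
client
dev tun
proto udp
remote 192.168.0.103 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
printf 'Certificate:\n    Data:\n        Subject: CN = client\n-----BEGIN CERTIFICATE-----\nDUMMYCLIENTCERT\n-----END CERTIFICATE-----\n' > "$work/client.crt"
printf -- '-----BEGIN CERTIFICATE-----\nDUMMYCACERT\n-----END CERTIFICATE-----\n' > "$work/ca.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nDUMMYKEY\n-----END PRIVATE KEY-----\n' > "$work/client.key"
printf -- '-----BEGIN OpenVPN Static key V1-----\nDUMMYTA\n-----END OpenVPN Static key V1-----\n' > "$work/ta.key"

build_ovpn "$work/client.conf" "$work/ca.crt" "$work/client.crt" "$work/client.key" "$work/ta.key" \
    > "$work/client.ovpn"
cat "$work/client.ovpn"
```

On the real server, point the five arguments at /etc/openvpn/client.conf, /etc/openvpn/client/ca.crt, /etc/openvpn/client/client.crt, /etc/openvpn/client/client.key and /etc/openvpn/ta.key, and treat the resulting .ovpn as a secret, since it contains the client's private key.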

By: Richard

Can you please update the above to include how to revoke a certificate?

By: Cs

Hi,

The tutorial is great!!

I successfully installed it on server and on client too. When I am starting openvpn client on my laptop, it connects, but my laptop internet goes away.

Could you help me in this?