How to install and configure OpenVPN Server on Debian 10
OpenVPN is open-source software that can be used to access the internet securely when connected to an untrusted network. OpenVPN allows you to keep your online data safe by tunneling them through encrypted servers. OpenVPN uses SSL/TLS for key exchange and capable of traversing network address translators. There are many VPN software available in the market but all are costly, and/or challenging to set up and manage. While OpenVPN is a free, simple to set up, configure, and manage.
In this tutorial, we will explain how to setup OpenVPN server on Debian 10 server.
Requirements
- Two server running Debian 10.
- A static IP address 192.168.0.103 is configured on VPN server and 192.168.0.102 is configured on VPN client.
- A root password is configured on both servers.
Install OpenVPN
First, you will need to enable IP forwarding to forward network packets properly. You can do this by editing /etc/sysctl.conf file:
nano /etc/sysctl.conf
Change the following line:
net.ipv4.ip_forward=1
Save and close the file, when you are finished. Then, apply the new settings by running the following command:
sysctl -p
Next, install OpenVPN package by just running the following command:
apt-get install openvpn -y
Once the installation has been completed, you can proceed to the next step.
Generate Server Certificate and Key
First, you will need to copy the EasyRSA directory to /etc/openvpn/. You can do it with the following command:
cp -r /usr/share/easy-rsa /etc/openvpn/
Next, change the directory to easy-rsa and rename the vars.example file:
cd /etc/openvpn/easy-rsa
mv vars.example vars
Next, open the vars file:
nano vars
Add the following lines:
export KEY_COUNTRY="INDIA" export KEY_PROVINCE="CA" export KEY_CITY="Junagadh" export KEY_ORG="Howtoforge" export KEY_EMAIL="[email protected]" export KEY_OU="OpenVPN"
Save and close the file when you are finished. Then, initialize PKI with the following command:
./easyrsa init-pki
You should see the following output:
Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Next, build the CA without a password as shown below:
./easyrsa build-ca nopass
You should see the following output:
Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1c 28 May 2019 Generating RSA private key, 2048 bit long modulus (2 primes) ...................................+++++ ..............+++++ e is 65537 (0x010001) Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG 140449484268672:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/pki/ca.crt
Next, generate the server key with the following command:
./easyrsa gen-req server nopass
You should see the following output:
Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1c 28 May 2019 Generating a RSA private key ...+++++ ................................................................................................................+++++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.uQ7rqU8ryK' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/server.req key: /etc/openvpn/easy-rsa/pki/private/server.key
Next, sign the server certificate with the following command:
./easyrsa sign-req server server
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Sep 5 15:43:29 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
Next, build a Diffie-Hellman key exchange with the following command:
./easyrsa gen-dh
You should see the following output:
Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1c 28 May 2019 Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ...................+.............................................+..........................................................................................................................................................................................................................................................+.......+................................................................................+................+....................................+..........................+........................................+............................................................................................+.......................................................+............................+......................................................................................................+...................................................................................+.................+............+.+............................+...............................................................................................................................................+............+...............................................+................................................................................................................................................................................+.....................................................................................................................+...................................................................................................................................................................................................+.............................................+..................................................................................................................................+......................................................................................................................................+....................................+..................................................................................................................................................................................+................................................................................................+..............................................................................................+............................................................................................................................................................................................+...........+.................+.....+..........................................................................................................+..........................................................+............+......................................+............................................................................................................................................................................................................................................................................................................+..................................+.................................................................................+.............................+.....................................................................................................................................................................................................................+..........................+.......................................................+......................+.................................+..............................................................+.............................................................................................................................................................+........................................................................+...............................+...............................................................................................................+..............................................+......................................................+.......................+......................................................................................................................................................................................................................+............................................................................................................................+..........................+......................................................................................................................................................................+..........................................................................................+..........................................................++*++*++*++* DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Next, generate a HMAC signature with the following command:
openvpn --genkey --secret ta.key
Finally, copy all the certificate and key to the /etc/openvpn directory:
cp ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/
Generate Client Certificate and Key
Next, generate Client certificate with the following command:
./easyrsa gen-req client nopass
You should see the following output:
Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1c 28 May 2019 Generating a RSA private key ..........................................+++++ ...............+++++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.wU45j6E0Dt' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/client.req key: /etc/openvpn/easy-rsa/pki/private/client.key
Next, sign the Client certificate with the following command:
./easyrsa sign-req client client
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 1080 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Sep 5 12:28:25 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
Next, copy all client certificate and key to /etc/openvpn/client/ directory:
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/
Configure OpenVPN Server
All the required certificate and key for server and client are now generated. Next, you will need to create an OpenVPN configuration file. You can create it with the following command:
nano /etc/openvpn/server.conf
Add the following content:
port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh.pem server 10.8.0.0 255.255.255.0 push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220" keepalive 10 120 tls-auth ta.key 0 # This file is secret cipher AES-256-CBC user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log log /var/log/openvpn/openvpn.log log-append /var/log/openvpn/openvpn.log verb 3 explicit-exit-notify 1
Save and close the file. Then, start OpenVPN service with the following command:
systemctl start openvpn@server
Next, verify the OpenVPN server using the following command:
systemctl status openvpn@server
Output:
? [email protected] - OpenVPN connection to server Loaded: loaded (/lib/systemd/system/[email protected]; disabled; vendor preset: enabled) Active: active (running) since Sat 2019-09-21 08:46:47 EDT; 6s ago Docs: man:openvpn(8) https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage https://community.openvpn.net/openvpn/wiki/HOWTO Main PID: 5040 (openvpn) Status: "Initialization Sequence Completed" Tasks: 1 (limit: 1138) Memory: 1.7M CGroup: /system.slice/system-openvpn.slice/[email protected] ??5040 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server. Sep 21 08:46:47 debian systemd[1]: Starting OpenVPN connection to server... Sep 21 08:46:47 debian systemd[1]: Started OpenVPN connection to server.
Install and Configure OpenVPN Client
Next, log in to OpenVPN client system and install OpenVPN package with the following command:
apt-get install openvpn -y
Once installed, create a new configuration file for OpenVPN Client:
nano /etc/openvpn/client.conf
Define your server IP address and client certificate file as shown below:
client dev tun proto udp remote 192.168.0.103 1194 resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun ca ca.crt cert client.crt key client.key remote-cert-tls server tls-auth ta.key 1 cipher AES-256-CBC verb 3
Save and close the file. Then, copy all the client certificate and key file from OpenVPN server to OpenVPN client system with the following command:
scp [email protected]:/etc/openvpn/client/ca.crt /etc/openvpn/
scp [email protected]:/etc/openvpn/client/client.crt /etc/openvpn/
scp [email protected]:/etc/openvpn/client/client.key /etc/openvpn/
scp [email protected]:/etc/openvpn/ta.key /etc/openvpn/
Next, start OpenVPN client service with the following command:
systemctl start openvpn@client
Now, you can see the new IP address assigned by OpenVPN server with the following command:
ifconfig
You should see the following output:
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.102 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a00:27ff:fe99:dc40 prefixlen 64 scopeid 0x20
ether 08:00:27:99:dc:40 txqueuelen 1000 (Ethernet)
RX packets 447 bytes 42864 (41.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 334 bytes 47502 (46.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 57 bytes 9754 (9.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 57 bytes 9754 (9.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::52b5:a1d2:fa23:f51e prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9 bytes 472 (472.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Next, go to the OpenVPN server system and check the OpenVPN log with the following command:
tail -f /var/log/openvpn/openvpn.log
You should get the following output:
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA Sun Sep 22 19:46:08 2019 192.168.0.103:45700 [_] Peer Connection Initiated with [AF_INET]192.168.0.103:45700 Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled) Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: Learn: 10.8.0.6 -> _/192.168.0.103:45700 Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: primary virtual IP for _/192.168.0.103:45700: 10.8.0.6 Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 PUSH: Received control message: 'PUSH_REQUEST' Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 SENT CONTROL [_]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1) Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Data Channel: using negotiated cipher 'AES-256-GCM' Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Congratulations! you have successfully installed and configured OpenVPN server and Client on Debian 10.
