OpenVPN is an open-source virtual private network (VPN).
This tutorial was written for Debian 10 (buster) in March, 2020.
- Internet Access
- External Links
The official Debian 10 repository contains a package for OpenVPN 2.4.
The following command installs this package:
apt install openvpn
OpenVPN utilizes SSL/TLS security mechanisms.
Therefore, certificates (and keys) need to be generated and signed
by a certificate authority (CA). Easy RSA is helpful in that regard.
Use the following command to initialize a directory
easy-rsa with files
that help creating the required certificates:
cd /etc/openvpn make-cadir easy-rsa
Default values for certificates can be specified by uncommenting corresponding
fields in the following file:
#... # Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.) # These are the default values for fields which will be placed in the # certificate. Don't leave any of these fields blank, although interactively # you may omit any specific field by typing the "." symbol (not valid for # email.) #set_var EASYRSA_REQ_COUNTRY "US" #set_var EASYRSA_REQ_PROVINCE "California" #set_var EASYRSA_REQ_CITY "San Francisco" #set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" #set_var EASYRSA_REQ_EMAIL "email@example.com" #set_var EASYRSA_REQ_OU "My Organizational Unit" #...
The following commands generate the certificate authority (CA),
a certificate/key pair for the server and a certificate/key pair for
a client named
cd /etc/openvpn/easy-rsa ./easyrsa init-pki ./easyrsa build-ca ./easyrsa build-server-full server ./easyrsa gen-dh ./easyrsa build-client-full client1
If the OpenVPN server is started on boot, removing the passphrase
prevents being prompted for a password:
./easyrsa set-rsa-pass server nopass
To change the passphrase:
./easyrsa set-rsa-pass server
Create an archive for the client:
cd /etc/openvpn tar czvf client1_ovpn.tar.gz easy-rsa/pki/ca.crt easy-rsa/pki/issued/client1.crt easy-rsa/pki/private/client1.key
Copy the example config file for the server to the correct location:
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server/server.conf
Edit relevant parts in server config file:
#... # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. # # See the "easy-rsa" directory for a series # of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. # # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt key /etc/openvpn/easy-rsa/pki/private/server.key # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh2048.pem 2048 dh /etc/openvpn/easy-rsa/pki/dh.pem #... # Uncomment this directive to allow different # clients to be able to "see" each other. # By default, clients will only see the server. # To force clients to only see the server, you # will also need to appropriately firewall the # server's TUN/TAP interface. client-to-client #... # For extra security beyond that provided # by SSL/TLS, create an "HMAC firewall" # to help block DoS attacks and UDP port flooding. # # Generate with: # openvpn --genkey --secret ta.key # # The server and each client must have # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. ;tls-auth ta.key 0 # This file is secret #...
Start OpenVPN with the config
systemctl start openvpn-server@server
Start the given config on boot:
systemctl enable openvpn-server@server
OpenVPN needs to be installed on the clients:
apt install openvpn
Copy the certificate/key pair from the server to a client:
cd /etc/openvpn tar xvf client1_ovpn.tar.gz
Each client should have its own certificate/key pair.
Copy the example config file for the client to the correct location:
cat /usr/share/doc/openvpn/examples/sample-config-files/client.conf > /etc/openvpn/client/vpn.example.net.conf
Edit relevant parts in the client config file:
#... # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote vpn.example.net 1194 #... # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/client1.crt key /etc/openvpn/easy-rsa/pki/private/client1.key #... # If a tls-auth key is used on the server # then every client must also have the key. ;tls-auth ta.key 1 #...
Start OpenVPN with the config
systemctl start firstname.lastname@example.org
A system tray icon for systemd services can be used as graphical user interface (GUI)
for an OpenVPN client.
This section describes how to route all client traffic (including web-traffic)
through the VPN.
Enable IPv4 packet forwarding in the kernel:
#... # Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1 #...
Forward traffic from the VPN over the interface
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#... redirect-gateway autolocal