OpenVPN is open-source virtual private network (VPN) software.
This tutorial was written for Debian 10 (buster) in March, 2020.
The official Debian 10 repository contains a package for OpenVPN 2.4.
The following command installs this package:
apt install openvpn
OpenVPN utilizes SSL/TLS security mechanisms.
Therefore, certificates (and keys) need to be generated and signed
by a certificate authority (CA). Easy RSA is helpful in that regard.
Use the following commands to initialize a directory easy-rsa with files that help create the required certificates:
cd /etc/openvpn
make-cadir easy-rsa
Default values for certificates can be specified by uncommenting corresponding
fields in the following file:
/etc/openvpn/easy-rsa/vars
#...
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
#...
The following commands generate the certificate authority (CA), a certificate/key pair for the server and a certificate/key pair for a client named client1:
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca
./easyrsa build-server-full server
./easyrsa gen-dh
./easyrsa build-client-full client1
If the OpenVPN server is started on boot, removing the passphrase from the server key avoids the password prompt at startup:
./easyrsa set-rsa-pass server nopass
To change the passphrase:
./easyrsa set-rsa-pass server
Create an archive for the client:
cd /etc/openvpn
tar czvf client1_ovpn.tar.gz easy-rsa/pki/ca.crt easy-rsa/pki/issued/client1.crt easy-rsa/pki/private/client1.key
Copy the example config file for the server to the correct location:
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server/server.conf
Edit the relevant parts of the server config file:
/etc/openvpn/server/server.conf
#...
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/easy-rsa/pki/dh.pem
#...
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
#...
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
#...
Start OpenVPN with the config /etc/openvpn/server/server.conf:
systemctl start openvpn-server@server
Start the given config on boot:
systemctl enable openvpn-server@server
OpenVPN needs to be installed on the clients:
apt install openvpn
Copy the archive containing the certificate/key pair from the server to a client and extract it:
cd /etc/openvpn
tar xvf client1_ovpn.tar.gz
Each client should have its own certificate/key pair.
Copy the example config file for the client to the correct location:
cat /usr/share/doc/openvpn/examples/sample-config-files/client.conf > /etc/openvpn/client/vpn.example.net.conf
Edit the relevant parts of the client config file:
/etc/openvpn/client/vpn.example.net.conf
#...
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn.example.net 1194
#...
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/client1.crt
key /etc/openvpn/easy-rsa/pki/private/client1.key
#...
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
#...
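As an added check (example code, not part of OpenVPN or this tutorial), the script below parses the server and client config excerpts above and flags what a reviewer would look at: tls-auth left commented out on either side, a mismatched tls-auth key direction, and client-to-client enabled on the server. The config text is constructed from the excerpts.

```python
"""Audit this tutorial's OpenVPN config pair for tls-auth and client-to-client. Added example."""
import re

def parse_ovpn(text):
    """Map each active directive to its argument lists. Lines starting with
    '#' or ';' are comments in OpenVPN syntax, so ';tls-auth ...' is inactive."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = re.split(r"\s[#;]", line, 1)[0]   # drop a trailing comment
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def audit(server_text, client_text):
    """Return a list of findings; an empty list means the checks passed."""
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    s_ta, c_ta = srv.get("tls-auth"), cli.get("tls-auth")
    if not s_ta:
        findings.append("server: tls-auth commented out (no HMAC firewall)")
    if not c_ta:
        findings.append("client: tls-auth commented out")
    # Key direction must be 0 on the server and 1 on the client.
    if s_ta and c_ta and (s_ta[0][1:] != ["0"] or c_ta[0][1:] != ["1"]):
        findings.append("tls-auth direction must be 0 on server, 1 on client")
    if "client-to-client" in srv:
        findings.append("server: client-to-client lets VPN clients reach each other")
    return findings

# Constructed excerpts mirroring the tutorial's config files.
SERVER_CONF = """\
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
client-to-client
;tls-auth ta.key 0 # This file is secret
"""
CLIENT_CONF = """\
remote vpn.example.net 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/client1.crt
key /etc/openvpn/easy-rsa/pki/private/client1.key
;tls-auth ta.key 1
"""

if __name__ == "__main__":
    for finding in audit(SERVER_CONF, CLIENT_CONF):
        print("-", finding)
```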
Start OpenVPN with the config /etc/openvpn/client/vpn.example.net.conf:
systemctl start openvpn-client@vpn.example.net
A system tray icon for systemd services can be used as a graphical user interface (GUI) for an OpenVPN client.
This section describes how to route all client traffic (including web traffic) through the VPN.
Enable IPv4 packet forwarding in the kernel:
/etc/sysctl.conf
#...
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
#...
Forward traffic from the VPN over the interface eth0:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
On the client, route all traffic through the VPN by adding the following to the client config file:
/etc/openvpn/client/vpn.example.net.conf
#...
redirect-gateway autolocal