Previously I explained how to setup a PPTP VPN server on Debian and that's plenty for the average user. In this article I will explain how to setup an OpenVPN server on Debian.
To put it simply, OpenVPN is much more secure and works better. For example, on PPTP you can expect speeds to reach 10mbps. On OpenVPN you can generally expect to reach upwards of 60mbps. Aside from this, OpenVPN offers certificate based authentication, which we will be setting up in this guide.
apt-get install openvpn
By default, the easy-rsa scripts are installed under the "/usr/share/easy-rsa/" directory. So, we need to copy these scripts to a desired location, such as: /etc/easy-rsa.
mkdir /etc/easy-rsa cp -prv /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/easy-rsa
Scroll to the bottom and modify to the following, example:
export KEY_COUNTRY="US" export KEY_PROVINCE="FL" export KEY_CITY="Tampa" export KEY_ORG="Akensai" export KEY_EMAIL="firstname.lastname@example.org" export KEY_CN=vpn.akensai.com export KEY_NAME=vpn.akensai.com export KEY_OU=Admin export PKCS11_MODULE_PATH=changeme export PKCS11_PIN=1234
Export the values
Cleanup any old certificates
Generate CA.crt and CA.key
Generate Server Certificate
Generate Diffie Hellman
Generate Client Certificate. Each user needs their own certificate. For example, the following would be for user 'akensai'.
Copy certificates to readable directory
mkdir /etc/openvpn/certs cp /etc/easy-rsa/2.0/keys/* /etc/openvpn/certs
Create server configuration
Paste the below and save the file.
port 1999 proto udp dev tun ca /etc/openvpn/certs/ca.crt cert /etc/openvpn/certs/server.crt key /etc/openvpn/certs/server.key dh /etc/openvpn/certs/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 18.104.22.168" push "dhcp-option DNS 22.214.171.124" keepalive 10 120 user nobody group nogroup persist-key persist-tun status openvpn-status.log log /etc/openvpn/server.log verb 3 plugin /usr/lib/openvpn/openvpn-auth-pam.so login
Set OpenVPN to run on boot
update-rc.d -f openvpn defaults
Start OpenVPN Service
service openvpn restart
If you are not already running PPTP or any other VPN's you will need to configure some server level networking to insure you can make and keep a good connection to the OpenVPN server. These are also detailed in the tutorial for PPTP on Linux.
Enable IP Forwarding
Find and uncomment:
Echo changes for good measure:
Set iptables rules to allow for forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Set default MTU rules via iptables:
iptables -o eth0 -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu
Create iptables script
Enter the following rules and save the file
#!/bin/sh IPT="/sbin/iptables" # VPN Routing $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE $IPT -o eth0 -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu
Give iptables.sh the proper permissions
chown root /etc/iptables.sh
chmod 700 /etc/iptables.sh
Set the script to run on boot
And the following to the bottom of the file and save it
You should now have a working OpenVPN server. Now we just need to create the configuration files for the client (us) to connect to it.
For Windows, I use this client. There are many to choose from and they all work pretty much the same. So take your pick. Let's move onto actually configuring your new OpenVPN Client.
This example is based on the configuration entered during the server configuration above.
In your OpenVPN client, create a new client configuration, for example
Paste the following in the file, replacing the certificate files as your own scheming goes, for example
client dev tun proto udp remote vpn.akensai.com 1999 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert akensai/akensai.crt key akensai/akensai.key ns-cert-type server verb 3
You will need to copy over your certificate files from the server to a place you can call them in the above configuration, these are for example:-
ca.crt server.crt server.key akensai.crt akensai.key
You can copy these via FTP, SCP, etc - or the good ol' fashion way of opening them in nano/vim and copy/pasting the contents to duplicate files on your desktop.
I suggest rebooting the server if nothing else is running on it. This insures that the everything starts up as normal in the event of a crash, downtime, etc. If you find your server is not working, go back over the steps above and be sure you did everything.
This tutorial assumes you have a good working knowledge of Linux based systems. This was not written for beginners. If you have any questions or feedback feel free to leave a comment or contact me directly.