Setup OpenVPN Server on Debian
Previously I explained how to set up a PPTP VPN server on Debian, and that's plenty for the average user. In this article I will explain how to set up an OpenVPN server on Debian.
Why OpenVPN instead of PPTP?
To put it simply, OpenVPN is much more secure and works better. For example, on PPTP you can expect speeds to reach 10 Mbps. On OpenVPN you can generally expect to reach upwards of 60 Mbps. Aside from this, OpenVPN offers certificate-based authentication, which we will be setting up in this guide.
Let's get started with the server setup
Install OpenVPN
apt-get install openvpn
By default, the easy-rsa 2.0 example scripts are installed under /usr/share/doc/openvpn/examples/easy-rsa/2.0 (the source path used in the copy command below). Since we will be editing them, copy them to a location of your own, such as /etc/easy-rsa.
mkdir /etc/easy-rsa
cp -prv /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/easy-rsa
Generate Certificates
nano /etc/easy-rsa/2.0/vars
Scroll to the bottom and change the values to match your own, for example:
export KEY_COUNTRY="US"
export KEY_PROVINCE="FL"
export KEY_CITY="Tampa"
export KEY_ORG="Akensai"
export KEY_EMAIL="[email protected]"
export KEY_CN=vpn.akensai.com
export KEY_NAME=vpn.akensai.com
export KEY_OU=Admin
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
Change into the easy-rsa directory (the build scripts below are run from there) and export the values
cd /etc/easy-rsa/2.0
source ./vars
Cleanup any old certificates
./clean-all
Generate CA.crt and CA.key
./build-ca
Generate Server Certificate
./build-key-server server
Generate Diffie Hellman
./build-dh
Generate Client Certificate. Each user needs their own certificate. For example, the following would be for user ‘akensai’.
./build-key akensai
Configure OpenVPN
Copy the certificates to the directory OpenVPN will read them from
mkdir /etc/openvpn/certs
cp /etc/easy-rsa/2.0/keys/* /etc/openvpn/certs
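The copy command above moves everything in the easy-rsa keys directory, including every client's private key, into the server directory. As an added example (not part of the original tutorial), the following script copies only the four files server.conf references, gives the private material root-only permissions, and refuses to leave any client key behind. The source and destination paths are the tutorial's; the demo function uses constructed placeholder files in a temporary directory so the script can be exercised without easy-rsa installed.

```shell
#!/bin/sh
# Added example: install only the server-side credentials from the easy-rsa
# keys directory into the directory referenced by server.conf, with tight
# permissions. Not part of the original tutorial.
set -eu

# install_server_credentials SRC DST
#   SRC: easy-rsa keys directory   (tutorial: /etc/easy-rsa/2.0/keys)
#   DST: directory used in server.conf (tutorial: /etc/openvpn/certs)
install_server_credentials() {
    src="$1"; dst="$2"
    # Root-only directory: openvpn reads the key as root before dropping to
    # nobody/nogroup, and persist-key keeps it in memory across restarts.
    install -d -m 0700 "$dst"
    # Public material: CA certificate and server certificate.
    install -m 0644 "$src/ca.crt"     "$dst/ca.crt"
    install -m 0644 "$src/server.crt" "$dst/server.crt"
    # Private material: server key and DH parameters, readable by root only.
    install -m 0600 "$src/server.key" "$dst/server.key"
    install -m 0600 "$src/dh1024.pem" "$dst/dh1024.pem"
    # Sanity check: the only private key in the server directory is server.key.
    for f in "$dst"/*.key; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            server.key) ;;
            *) echo "unexpected private key in $dst: $f" >&2; return 1 ;;
        esac
    done
}

# world_readable FILE -> exit status 0 if the "other" read bit is set
world_readable() {
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Demo with constructed placeholder files (no real keys involved).
demo() {
    tmp=$(mktemp -d)
    keys="$tmp/keys"; certs="$tmp/certs"
    mkdir -p "$keys"
    for f in ca.crt ca.key server.crt server.key dh1024.pem akensai.crt akensai.key; do
        echo "constructed placeholder for $f" > "$keys/$f"
    done
    install_server_credentials "$keys" "$certs"
    ls -l "$certs"
    if world_readable "$certs/server.key"; then
        echo "server.key is world readable"
    else
        echo "server.key is readable by root only"
    fi
    [ -e "$certs/akensai.key" ] || echo "client key was not copied to the server directory"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh install-certs.sh demo` to see the resulting listing; in production call `install_server_credentials /etc/easy-rsa/2.0/keys /etc/openvpn/certs` as root. The client certificates and keys stay in the easy-rsa keys directory, which is the only place they are needed until they are handed to the user.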
Create server configuration
nano /etc/openvpn/server.conf
Paste the below and save the file.
port 1999
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /etc/openvpn/server.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
Set OpenVPN to run on boot
update-rc.d -f openvpn defaults
Start OpenVPN Service
service openvpn restart
Configure the server networking
If you are not already running PPTP or any other VPNs, you will need to configure some server-level networking to ensure you can make and keep a good connection to the OpenVPN server. These steps are also detailed in the tutorial for PPTP on Linux.
Enable IP Forwarding
nano /etc/sysctl.conf
Find and uncomment:
#net.ipv4.ip_forward=1
Apply the change without rebooting:
sysctl -p
Set iptables rules to allow for forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Clamp the TCP MSS to the path MTU via iptables, so TCP sessions through the tunnel do not stall on oversized packets:
iptables -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu
Create iptables script
nano /etc/iptables.sh
Enter the following rules and save the file
#!/bin/sh
IPT="/sbin/iptables"
# VPN Routing: NAT the VPN clients out of eth0 and clamp the TCP MSS
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu
Give iptables.sh the proper permissions
chown root /etc/iptables.sh
chmod 700 /etc/iptables.sh
Set the script to run on boot
nano /etc/network/interfaces
Add the following line under the stanza for eth0 (pre-up lines belong to an iface stanza, so it must come after the iface eth0 line) and save the file
pre-up /etc/iptables.sh
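The MASQUERADE rule in /etc/iptables.sh applies to anything the server forwards out of eth0, and re-running the script (at boot and by hand) appends duplicate rules. As an added example that goes a bit beyond the tutorial's script (it is not the tutorial's own /etc/iptables.sh), the following generates a rule set scoped to the VPN subnet, adds the INPUT rule for the OpenVPN port and explicit FORWARD rules between the tunnel and eth0, and only appends a rule if `iptables -C` reports it is not already present. Interface, subnet and port default to the values used above (eth0, 10.8.0.0/24, udp 1999); the `tun+` wildcard and the `state` match are standard iptables syntax.

```shell
#!/bin/sh
# Added example (not the tutorial's /etc/iptables.sh): VPN firewall rules
# scoped to the VPN subnet, applied idempotently.
set -eu

# vpn_rules [WAN_IF] [VPN_NET] [PORT] -> prints one iptables rule per line
vpn_rules() {
    wan="${1:-eth0}"; net="${2:-10.8.0.0/24}"; port="${3:-1999}"
    cat <<EOF
-A INPUT -i $wan -p udp --dport $port -j ACCEPT
-A FORWARD -i tun+ -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o tun+ -d $net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o $wan -s $net -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu
-t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
EOF
}

# apply_rules IPT [WAN_IF] [VPN_NET] [PORT]
#   IPT is the iptables binary (or a test stub). Each rule is first checked
#   with -C; only missing rules are appended, so re-running adds nothing twice.
apply_rules() {
    ipt="$1"; shift
    while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/^-A /-C /; s/ -A / -C /')
        # shellcheck disable=SC2086  (word splitting on the rule is intended)
        if $ipt $check >/dev/null 2>&1; then
            echo "already present: $rule"
        else
            $ipt $rule || { echo "failed to add: $rule" >&2; return 1; }
            echo "added: $rule"
        fi
    done <<EOF
$(vpn_rules "$@")
EOF
}

# count_scoped PATTERN -> number of generated rules mentioning PATTERN
count_scoped() { vpn_rules | grep -c -- "$1"; }

case "${1:-}" in
    print) vpn_rules ;;
    apply) apply_rules /sbin/iptables ;;
esac
```

Save it as /etc/iptables.sh and run `sh /etc/iptables.sh apply`; `sh /etc/iptables.sh print` shows the rules without touching the firewall. Because the NAT and clamp rules carry `-s 10.8.0.0/24`, traffic from any other source the server happens to forward is left alone.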
Installation and Configuration complete!
You should now have a working OpenVPN server. Now we just need to create the configuration files for the client (us) to connect to it.
OpenVPN Client
For Windows, I use this client. There are many to choose from and they all work pretty much the same. So take your pick. Let’s move onto actually configuring your new OpenVPN Client.
OpenVPN Client Configuration Example
This example is based on the configuration entered during the server configuration above.
In your OpenVPN client, create a new client configuration, for example
vpn-akensai-com.ovpn
Paste the following into the file, replacing the certificate file names with your own, for example
client
dev tun
proto udp
remote vpn.akensai.com 1999
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert akensai/akensai.crt
key akensai/akensai.key
ns-cert-type server
# the server loads openvpn-auth-pam, so the client must also send a username and password
auth-user-pass
verb 3
The client configuration above references three files, which you need to copy from the server to a place the client can read them from:
ca.crt
akensai.crt
akensai.key
server.crt and server.key are the server's own credentials; they stay in /etc/openvpn/certs on the server and are never copied to a client.
You can copy these via FTP, SCP, etc – or the good ol' fashioned way of opening them in nano/vim and copy/pasting the contents into duplicate files on your desktop.
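Rather than shipping three separate files per user, a common alternative is a single .ovpn with the CA certificate and the user's certificate and key embedded inline, which is what the following added example produces (it is not part of the original tutorial). It reads only ca.crt and the named user's .crt/.key from the easy-rsa keys directory, so server.key can never end up in a client bundle by mistake, and it strips the human-readable dump easy-rsa 2.0 prepends to .crt files, keeping only the PEM block. The remote host and port default to the tutorial's values; `auth-user-pass` is included because the server configuration above loads openvpn-auth-pam.

```shell
#!/bin/sh
# Added example (not from the original tutorial): build a one-file .ovpn for
# a user with ca.crt and the user's certificate and key inlined.
set -eu

# pem_only FILE -> only the PEM block(s) of FILE, without easy-rsa's text dump
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_client_bundle USER KEYS_DIR [REMOTE] [PORT] -> prints the .ovpn to stdout
make_client_bundle() {
    user="$1"; keys="$2"; remote="${3:-vpn.akensai.com}"; port="${4:-1999}"
    # Only the three client-side files are touched; server.* is never read.
    for f in ca.crt "$user.crt" "$user.key"; do
        [ -r "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
# the server loads openvpn-auth-pam, so a login prompt is expected
auth-user-pass
verb 3
<ca>
$(pem_only "$keys/ca.crt")
</ca>
<cert>
$(pem_only "$keys/$user.crt")
</cert>
<key>
$(pem_only "$keys/$user.key")
</key>
EOF
}

# write_client_bundle USER KEYS_DIR OUT_DIR -> writes OUT_DIR/USER.ovpn, mode 0600
write_client_bundle() {
    user="$1"; keys="$2"; outdir="$3"
    umask 077                       # the bundle contains a private key
    mkdir -p "$outdir"
    make_client_bundle "$user" "$keys" > "$outdir/$user.ovpn"
    echo "$outdir/$user.ovpn"
}

# Usage on the server: sh make-bundle.sh akensai /etc/easy-rsa/2.0/keys /root/bundles
if [ $# -eq 3 ]; then write_client_bundle "$1" "$2" "$3"; fi
```

The resulting file is the only thing that needs to reach the user's machine, and it is created with mode 0600 so nothing else on the server can read it while it waits to be transferred.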
Almost done!
I suggest rebooting the server if nothing else is running on it. This ensures that everything starts up as normal in the event of a crash, downtime, etc. If you find your server is not working, go back over the steps above and be sure you did everything.
Notice
This tutorial assumes you have a good working knowledge of Linux based systems. This was not written for beginners. If you have any questions or feedback feel free to leave a comment or contact me directly.