Now that the server is ready, let’s switch on the client side !
1. Software installation
Install OpenVPN :
sudo apt-get install openvpn
2. Configuration
Copy the client configuration sample in the working directory :
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
Here is my configuration:
client dev tun proto udp remote XXX.XXX.XXX.XXX 1194 resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun ;mute-replay-warnings ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/MyClient.crt key /etc/openvpn/keys/MyClient.key ns-cert-type server cipher AES-256-CBC verb 3
Replace XXX.XXX.XXX.XXX by the IP of the OpenVPN server.
Create a folder to store the keys and certificates :
sudo mkdir /etc/openvpn/keys/
Download the ca.crt file from the server:
sudo scp user@XXX.XXX.XXX.XXX:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/keys/
Download the client.key file from the server:
sudo scp user@XXX.XXX.XXX.XXX:/etc/openvpn/easy-rsa/keys/MyClient.key /etc/openvpn/keys/MyClient.key
Download the client.crt file from the server:
sudo scp user@XXX.XXX.XXX.XXX:/etc/openvpn/easy-rsa/keys/MyClient.crt /etc/openvpn/keys/MyClient.crt
Then we can try to start the client:
sudo openvpn --config /etc/openvpn/client.conf
Here is the output :
OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08 Socket Buffers: R=[163840->131072] S=[163840->131072] NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay UDPv4 link local: [undef] UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=2fc176a5 4d3fbbfd VERIFY OK: depth=1, C=XX, ST=XXXXXXXX, L=XXXXXXXX, O=XXXXXXXX, OU=XX, CN=XXXXXXXX, name=EasyRSA, emailAddress=XXXXXXXX VERIFY OK: nsCertType=SERVER VERIFY OK: depth=0, C=XX, ST=XXXXXXXX, L=XXXXXXXX, O=XXXXXXXX, OU=XXXXXXXX, CN=XXXXXXXX, name=EasyRSA, emailAddress=XXXXXXXX Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA [server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.1' OPTIONS IMPORT: timers and/or timeouts modified OPTIONS IMPORT: --ifconfig/up options modified OPTIONS IMPORT: route options modified ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=XXXXXXXXXXXXXXXXXX TUN/TAP device tun0 opened TUN/TAP TX queue length set to 100 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 /sbin/ip link set dev tun0 up mtu 1500 /sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.1 Fri Sep 8 09:08:44 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.1 GID set to nogroup UID set to nobody Initialization Sequence Completed
To allow your pi to connect automatically after a reboot, edit the following file as below :
sudo vi /etc/default/openvpn
Then uncomment the line :
AUTOSTART="all"
One thought on “OpenVPN client on Debian”