OpenVPN server on Debian

1. Software installation

Install OpenVPN and Easy-RSA (the commands below use the Easy-RSA 2.x scripts, build-ca and build-key-server, that this package provides):

apt-get install openvpn easy-rsa

2. Configuration

Copy the sample configuration file:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf


And edit it:

vim /etc/openvpn/server.conf

Here is my configuration. Relative paths are resolved from /etc/openvpn, where the Debian service starts the daemon. The key line is required next to ca and cert (OpenVPN refuses to start without a private key) and points to the server key copied in step 5:

local XXX.XXX.XXX.XXX
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;client-config-dir ccd
;client-to-client
;duplicate-cn
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20
explicit-exit-notify 1

With user nobody and group nogroup the daemon drops its privileges once it is up; persist-key and persist-tun let it survive a restart signal without re-reading the key file or reopening the tun device, which it can no longer do as nobody.

3. Diffie-Hellman parameters

Generate the Diffie-Hellman parameters referenced by the dh line of the configuration (this is a parameter file, not a certificate, and it does not need to be kept secret):

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

4. Keys and certificates generation

4.1 Preparation

Copy the Easy-RSA generation scripts into the OpenVPN folder:

cp -r /usr/share/easy-rsa/ /etc/openvpn

Create a folder for the generated keys:

mkdir /etc/openvpn/easy-rsa/keys

Edit the variables file:

/etc/openvpn/easy-rsa/vars

And adjust the following ones (they become the default subject fields of the CA and of every certificate you generate):

export KEY_COUNTRY="US"
export KEY_PROVINCE="TX"
export KEY_CITY="Dallas"
export KEY_ORG="My Company Name"
export KEY_EMAIL="sammy@example.com"
export KEY_OU="MYOrganizationalUnit"

Move to the Easy-RSA folder in order to generate the keys (the scripts, and the symbolic link below, are relative to this directory):

cd /etc/openvpn/easy-rsa

Load the variables. This only exports the KEY_* settings into the current shell, so it has to be repeated in every new shell before running an Easy-RSA script:

. ./vars

The output should look like this:

$ . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

You might have the following issue:

**************************************************************
  No /etc/openvpn/easy-rsa/openssl.cnf file could be found
  Further invocations will fail
**************************************************************

In this case, just create a symbolic link to the OpenSSL configuration shipped with Easy-RSA (the file name depends on the Easy-RSA version; use the one present in the folder), then source ./vars again so that KEY_CONFIG picks it up:

ln -s openssl-1.0.0.cnf openssl.cnf

And then initialize the PKI, which removes anything already present in the keys folder:

./clean-all

4.2 Certificate authority

Build the CA (you are prompted for the certificate fields, prefilled from the vars file; the CA private key is written to keys/ca.key and must never leave this machine):

./build-ca

You might have the following error:

grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x

In this case, just create the symbolic link, source ./vars again so that KEY_CONFIG points to it, and build the CA once more:

ln -s openssl-1.0.0.cnf openssl.cnf

4.3 Server certificate and key

Generate the server key pair and have the CA sign its certificate (build-key-server adds the server extensions that let a client check it is talking to the server and not to another client's certificate):

./build-key-server server

5. Files copy

Create a folder for the generated keys in the OpenVPN folder:

mkdir /etc/openvpn/keys/

And copy the generated files into this folder. The CA private key, keys/ca.key, stays in the Easy-RSA folder: the server only needs the CA certificate to verify clients. server.key must stay readable by root only:

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn/keys/

6. Start OpenVPN

We can now start the service:

service openvpn start

You can check that everything is fine by looking at the logs:

tail -f /var/log/syslog

You should have something close to this (the charon lines come from the strongSwan IKE daemon running on the same host and are unrelated to OpenVPN):

MyServer systemd[1]: Starting OpenVPN service...
MyServer systemd[1]: Started OpenVPN service.
MyServer ovpn-server[10186]: OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
MyServer ovpn-server[10186]: library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
MyServer systemd[1]: Started OpenVPN connection to server.
MyServer ovpn-server[10189]: Diffie-Hellman initialized with 2048 bit key
MyServer ovpn-server[10189]: ROUTE_GATEWAY XX.XX.XX.XX/255.255.255.0 IFACE=eth0 HWADDR=00:22:4d:ad:6f:81
MyServer ovpn-server[10189]: TUN/TAP device tun0 opened
MyServer ovpn-server[10189]: TUN/TAP TX queue length set to 100
MyServer ovpn-server[10189]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
MyServer ovpn-server[10189]: /sbin/ip link set dev tun0 up mtu 1500
MyServer charon: 10[KNL] interface tun0 activated
MyServer ovpn-server[10189]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
MyServer charon: 14[KNL] fe80::6db6:ce8e:78a2:3ed6 appeared on tun0
MyServer charon: 04[KNL] 10.8.0.1 appeared on tun0
MyServer ovpn-server[10189]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
MyServer ovpn-server[10189]: Could not determine IPv4/IPv6 protocol. Using AF_INET
MyServer ovpn-server[10189]: Socket Buffers: R=[212992->212992] S=[212992->212992]
MyServer ovpn-server[10189]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1194
MyServer ovpn-server[10189]: UDPv4 link remote: [AF_UNSPEC]
MyServer ovpn-server[10189]: MULTI: multi_init called, r=256 v=256
MyServer ovpn-server[10189]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
MyServer ovpn-server[10189]: IFCONFIG POOL LIST
MyServer ovpn-server[10189]: Initialization Sequence Completed

7. Add new clients

7.1 Generate a new key

Move to the Easy-RSA folder to generate a key and certificate for the client (source ./vars first if this is a new shell):

cd /etc/openvpn/easy-rsa

And generate them, with a unique name per client: a second connection presenting the same Common Name displaces the first unless duplicate-cn is enabled on the server:

./build-key MyClientName

The client needs three files from the keys folder: ca.crt, MyClientName.crt and MyClientName.key (copy the key over a secure channel such as scp). You're ready to connect your first client!
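To connect, the client needs a configuration that mirrors the server settings above. The script below is an added example, not from the original tutorial: it assembles a single .ovpn file with ca.crt, the client certificate and its key inlined, so only one file has to be handed out. Port 1194, UDP, dev tun and AES-256-CBC are taken from the server configuration shown earlier; the keys directory default, the vpn.example.org name used in the usage line and the remote-cert-tls line are assumptions (remote-cert-tls server relies on the server certificate having been produced by build-key-server, which sets the server extensions).

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build one .ovpn file for
# a client created with "./build-key <name>". Assumes the Easy-RSA 2 layout
# (keys under /etc/openvpn/easy-rsa/keys by default) and a server built with
# build-key-server. Usage: sh make_ovpn.sh MyClientName vpn.example.org

make_client_ovpn() {
    name="$1"; server="$2"; keys="${3:-/etc/openvpn/easy-rsa/keys}"
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    # build-key may write a human-readable dump before the PEM block of the
    # .crt; only the PEM part is inlined.
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse a peer whose certificate lacks the server role, so that a leaked
# client certificate cannot be used to impersonate the server.
remote-cert-tls server
# Must match the server's cipher line.
cipher AES-256-CBC
verb 3
<ca>
$(cat "$keys/ca.crt")
</ca>
<cert>
$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$keys/$name.crt")
</cert>
<key>
$(cat "$keys/$name.key")
</key>
EOF
}

if [ "$#" -ge 2 ]; then
    # The output embeds the private key, so it gets the same 600 mode.
    make_client_ovpn "$@" > "$1.ovpn" && chmod 600 "$1.ovpn"
fi
```

The resulting MyClientName.ovpn contains the client's private key and must be transferred and stored with the same care as the key itself.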
