A virtual private network (VPN) is a secure, encrypted connection between two networks, or between an individual user and a network, that protects your internet connection and privacy online. OpenVPN is a free and open-source VPN protocol that creates secure point-to-point connections in routed configurations. It is cross-platform and compatible with all major operating systems.
In this tutorial, we will show you how to install and set up OpenVPN on a Debian 10 server.
Prerequisites
- Debian 10 VPS (we’ll be using our NVMe 2 VPS plan)
- Access to the root user account (or access to an admin account with root privileges)
Step 1: Log in to the Server & Update the Server OS Packages
First, log in to your Debian 10 server via SSH as the root user:
ssh root@IP_Address -p Port_number
You will need to replace ‘IP_Address’ and ‘Port_number’ with your server’s respective IP address and SSH port number. Additionally, replace ‘root’ with the username of the admin account if necessary.
Before starting, you have to make sure that all Debian OS packages installed on the server are up to date. You can do this by running the following commands:
apt-get update -y
apt-get upgrade -y
Step 2: Install OpenVPN and EasyRSA
OpenVPN is included in the default Debian repository, so you can install it with the following command:
apt-get install openvpn -y
Once the OpenVPN package has been installed, you will need to download EasyRSA to your system.
EasyRSA is a command-line utility to build and manage a PKI CA. It allows you to generate multiple types of certificates.
It is used to create a root certificate authority, and request and sign certificates for OpenVPN.
You can download the latest version of EasyRSA from the Git repository using the following command:
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
Once the download is completed, extract the downloaded file using the following command:
tar -xvzf EasyRSA-3.0.8.tgz
Next, copy the extracted directory to the OpenVPN directory:
cp -r EasyRSA-3.0.8 /etc/openvpn/easy-rsa
At this point, OpenVPN and EasyRSA are installed on your server.
Step 3: Build the Certificate Authority
Next, you will need to build the Certificate Authority (CA) for OpenVPN.
First, change the directory to EasyRSA with the following command:
cd /etc/openvpn/easy-rsa
Next, you will need to create a vars file inside this directory. A vars file is a simple file that Easy-RSA sources for its configuration.
You can create it with the following command:
nano vars
Add the following lines as per your needs:
# Easy-RSA lives in the current directory; the PKI is built under it
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
# cn_only: certificate subjects contain just the Common Name; the REQ_* fields below are only used in the "org" DN mode
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "USA"
set_var EASYRSA_REQ_PROVINCE "Newyork"
set_var EASYRSA_REQ_CITY "Newyork"
set_var EASYRSA_REQ_ORG "ROSE CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "admin@example.com"
set_var EASYRSA_REQ_OU "ROSE EASY CA"
# Key algorithm and size, and lifetimes (in days) of the CA and of issued certificates
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "ROSE CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
# Digest used for signatures
set_var EASYRSA_DIGEST "sha256"
Save and close the file when you are finished.
Next, initiate the public key infrastructure with the following command:
./easyrsa init-pki
You should get the following output:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Next, you will need to run the build-ca command to create the ca.crt and ca.key files. You can run it with the following command:
./easyrsa build-ca nopass
You will be asked several questions, as shown below:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
......................................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:vpnserver

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Step 4: Generate Server Certificate and Key Files
Next, use the gen-req command followed by the common name to generate the server key and certificate request:
./easyrsa gen-req vpnserver nopass
You should see the following output:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Generating a RSA private key
.......................................................+++++
....+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1428.Angtmh/tmp.C9prw4'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [vpnserver]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/vpnserver.req
key: /etc/openvpn/easy-rsa/pki/private/vpnserver.key
Next, you will need to sign the vpnserver key using your CA certificate. You can do it with the following command:
./easyrsa sign-req server vpnserver
You should get the following output:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'vpnserver'
Certificate is to be certified until Feb  6 14:38:52 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/vpnserver.crt
Next, you will need to generate strong Diffie-Hellman parameters to use for the key exchange. You can generate them with the following command:
./easyrsa gen-dh
Step 5: Copy All Certificate and Key Files
Next, you will need to copy the CA certificate, the DH parameters and the server certificate and key to the /etc/openvpn/server/ directory. You can copy them using the following commands:
cp pki/ca.crt /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
cp pki/private/vpnserver.key /etc/openvpn/server/
cp pki/issued/vpnserver.crt /etc/openvpn/server/
Step 6: Create Client Certificate and Key File
Next, you will need to generate a certificate and key file for the client system.
You can create it with the following command:
./easyrsa gen-req vpnclient nopass
You should get the following output:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Generating a RSA private key
....+++++
.................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1563.TeOf5v/tmp.i4YxLz'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [vpnclient]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/vpnclient.req
key: /etc/openvpn/easy-rsa/pki/private/vpnclient.key
Next, sign the client key with the following command:
./easyrsa sign-req client vpnclient
You should get the following output:
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'vpnclient'
Certificate is to be certified until Feb  6 14:43:18 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/vpnclient.crt
Next, copy the CA certificate and the client certificate and key to the /etc/openvpn/client/ directory:
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/vpnclient.crt /etc/openvpn/client/
cp pki/private/vpnclient.key /etc/openvpn/client/
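Before the files from Steps 5 and 6 go into /etc/openvpn, it is worth confirming that each certificate really chains to the CA built in Step 3, is still valid, and carries the extendedKeyUsage that easy-rsa's server and client types add, because that extension is what a client's remote-cert-tls server directive checks. The script below is an added example and not part of this tutorial or of Easy-RSA: it builds a throwaway CA plus one server and one client certificate with plain openssl in a temporary directory so that it runs anywhere, and verify_vpn_cert, new_ca and issue_cert are names chosen here. On the VPN server you would call verify_vpn_cert with the files under /etc/openvpn/easy-rsa/pki instead.

```shell
#!/bin/sh
# Added example, not part of the tutorial: check that a certificate chains to
# the expected CA, is not expired, and carries the extendedKeyUsage its role
# needs. A throwaway CA and two leaf certificates are constructed below with
# plain openssl so the script runs offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# verify_vpn_cert CA_FILE CERT_FILE ROLE   (ROLE is "server" or "client")
# Returns 0 on success; prints the reason and returns 1 otherwise.
verify_vpn_cert() {
    ca=$1; cert=$2; role=$3
    case $role in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) echo "unknown role: $role"; return 1 ;;
    esac
    # 1. Chain check against this CA only (the system trust store is not used)
    if ! openssl verify -no-CApath -no-CAfile -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL $cert: not issued by $ca"
        return 1
    fi
    # 2. Expiry check: -checkend 0 fails once the notAfter date has passed
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL $cert: expired"
        return 1
    fi
    # 3. EKU check: the attribute a client's "remote-cert-tls server" enforces
    eku=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Extended Key Usage')
    case $eku in
        *"$want"*) echo "OK   $cert: valid $role certificate from $ca"; return 0 ;;
        *)         echo "FAIL $cert: extendedKeyUsage does not permit $role use"; return 1 ;;
    esac
}

# --- constructed throwaway PKI, standing in for easy-rsa's pki/ directory ---
# new_ca NAME: self-signed CA certificate and key in $WORK
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert NAME ROLE: key + CSR signed by $WORK/ca.crt, with the EKU that
# easy-rsa's x509-types/server and x509-types/client would add
issue_cert() {
    name=$1
    case $2 in server) eku=serverAuth ;; client) eku=clientAuth ;; esac
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.req" 2>/dev/null
    printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$eku" \
        > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.req" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

new_ca ca            # plays the role of the CA from "easyrsa build-ca"
new_ca other         # an unrelated CA, to show the chain check failing
issue_cert vpnserver server
issue_cert vpnclient client

verify_vpn_cert "$WORK/ca.crt"    "$WORK/vpnserver.crt" server        # OK
verify_vpn_cert "$WORK/ca.crt"    "$WORK/vpnclient.crt" client        # OK
verify_vpn_cert "$WORK/ca.crt"    "$WORK/vpnclient.crt" server || :   # FAIL: client EKU
verify_vpn_cert "$WORK/other.crt" "$WORK/vpnserver.crt" server || :   # FAIL: wrong CA
```

The third and fourth calls are the cases that matter in practice: a client certificate accidentally signed with "sign-req server" would pass the chain check but fail the EKU check, and a certificate from another CA fails before the EKU is even looked at.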
Step 7: Configure OpenVPN Server
At this point, both the server and client certificates and keys are ready. Now you will need to create an OpenVPN server configuration file that references these certificates and keys:
nano /etc/openvpn/server.conf
Add the following lines:
# Listen on UDP port 1194 and use a routed (tun) tunnel
port 1194
proto udp
dev tun
# CA, server certificate, key and DH parameters copied in Step 5
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpnserver.crt
key /etc/openvpn/server/vpnserver.key
dh /etc/openvpn/server/dh.pem
# Address pool for clients; route all client traffic and DNS through the tunnel
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Allow several clients to connect with the same certificate
duplicate-cn
# Data channel cipher and HMAC, and TLS handshake requirements
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
# Keep the key and tun device across restarts (required once privileges are dropped)
persist-key
persist-tun
compress lz4
daemon
# Drop root privileges after initialization
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
Save and close the file then start the OpenVPN service and enable it to start at system reboot:
systemctl start openvpn@server
systemctl enable openvpn@server
If everything is fine, a new tun0 interface will be created. You can check it using the following command:
ip a show tun0
You should get the following output:
4: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::153d:f29:39a2:571a/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
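The server is up at this point, but a few settings in server.conf deserve a second look before the port is reachable from the internet: whether the TLS control channel is protected with tls-auth or tls-crypt, whether duplicate-cn is really wanted, whether revoked client certificates are checked with crl-verify, whether the daemon drops root, and whether tunnel compression is on. The script below is an added example, not part of this tutorial or of OpenVPN; it greps an OpenVPN 2.4 server.conf for those directives and is run against two constructed configs, a trimmed copy of the tutorial's settings and a hardened variant. has_directive, audit_server_conf and count_warnings are names chosen here, and the ta.key and crl.pem paths in the hardened config are hypothetical (the files would come from openvpn --genkey --secret and ./easyrsa gen-crl).

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit an OpenVPN 2.4 server.conf for
# settings a defender should review. Findings are printed; the return value of
# audit_server_conf is the number of warnings.

# has_directive FILE NAME: true if NAME appears as an active (uncommented) directive
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

warnings=0
warn() { echo "WARN $1"; warnings=$((warnings + 1)); }
ok()   { echo "ok   $1"; }

# audit_server_conf FILE: run the checks and return the warning count
audit_server_conf() {
    conf=$1
    warnings=0
    if has_directive "$conf" tls-auth || has_directive "$conf" tls-crypt; then
        ok "control channel is HMAC-protected (tls-auth/tls-crypt)"
    else
        warn "no tls-auth or tls-crypt: TLS handshake packets are accepted from any source"
    fi
    if grep -Eq '^[[:space:]]*tls-version-min[[:space:]]+1\.[23]' "$conf"; then
        ok "TLS 1.2 or newer is required"
    else
        warn "tls-version-min 1.2 is not set"
    fi
    if has_directive "$conf" duplicate-cn; then
        warn "duplicate-cn: several clients may connect with one certificate, so a certificate no longer identifies one client"
    else
        ok "each client certificate is limited to one concurrent session"
    fi
    if has_directive "$conf" crl-verify; then
        ok "revoked client certificates are rejected (crl-verify)"
    else
        warn "no crl-verify: a certificate revoked with 'easyrsa revoke' is still accepted"
    fi
    if has_directive "$conf" user && has_directive "$conf" group; then
        ok "daemon drops root after initialization (user/group)"
    else
        warn "no user/group directives: the daemon keeps running as root"
    fi
    if has_directive "$conf" compress || has_directive "$conf" comp-lzo; then
        warn "tunnel compression is enabled; the OpenVPN manual advises against combining it with encryption"
    else
        ok "tunnel compression is off"
    fi
    return "$warnings"
}

# count_warnings FILE: the warning count on stdout, for use in scripts
count_warnings() {
    n=0
    audit_server_conf "$1" >/dev/null || n=$?
    echo "$n"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the tutorial's server.conf, trimmed to the lines the audit reads
cat > "$WORK/tutorial.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
persist-key
persist-tun
compress lz4
user nobody
group nogroup
EOF

# Hardened variant (hypothetical key and CRL paths): tls-crypt and crl-verify
# added, duplicate-cn and compress removed
cat > "$WORK/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
tls-crypt /etc/openvpn/server/ta.key
crl-verify /etc/openvpn/server/crl.pem
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
persist-key
persist-tun
user nobody
group nogroup
EOF

audit_server_conf "$WORK/tutorial.conf" || :   # four warnings
audit_server_conf "$WORK/hardened.conf"         # no warnings
```

The audit only reads the configuration text, so it can be run on a copy of server.conf from any machine; it does not replace testing the service itself, and the hardened variant still needs the referenced ta.key and crl.pem to exist before OpenVPN will start with it.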
Step 8: Enable IP Forwarding
IP forwarding allows the operating system to accept packets arriving on one interface and forward them to another network, which the VPN server must do for its clients. You can enable it by opening the sysctl configuration file:
nano /etc/sysctl.conf
Uncomment or add the following line:
net.ipv4.ip_forward = 1
Save the file then apply the configuration changes with the following command:
sysctl -p
Step 9: Install and Configure OpenVPN Client
Next, you will need to install the OpenVPN client on another system and connect to the OpenVPN server.
First, install OpenVPN with the following command:
apt-get install openvpn -y
Once installed, copy the client certificate and key from the OpenVPN server to the client machine. You can do it with the following command:
scp -r root@vpn-server-ip:/etc/openvpn/client .
Next, change the directory to client and create a Client configuration file:
cd client
nano client.ovpn
Add the following lines:
# Act as a client and connect to the server over UDP 1194
client
dev tun
proto udp
remote vpn-server-ip 1194
# CA certificate and client certificate/key copied from the server
ca ca.crt
cert vpnclient.crt
key vpnclient.key
# Must match the cipher, HMAC and TLS settings in server.conf
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
# Keep retrying the server name lookup, and do not bind a fixed local port
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
Save and close the file then connect to your OpenVPN server with the following command:
openvpn --config client.ovpn
Once the connection has been established, you should get the following output:
Sat Feb  6 14:53:50 2021 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
Sat Feb  6 14:53:50 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Sat Feb  6 14:53:50 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sat Feb  6 14:53:50 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sat Feb  6 14:53:50 2021 OPTIONS IMPORT: route options modified
You can verify the OpenVPN interface on the client machine with the following command:
ip a show tun0
You should get the following output:
4: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::9206:94d7:8fb2:6b21/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
Of course, you don’t have to install OpenVPN if you use one of our Managed OpenVPN Hosting services, in which case you can simply ask our expert Linux admins to install this for you. They are available 24×7 and will take care of your request immediately.
PS. If you liked this post on how to install OpenVPN on Debian 10, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.
Something I have wrong: the server below works, but I cannot connect to my VPN server.
openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2021-09-16 13:32:06 GMT; 2h 2min ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 4880 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 1147)
   Memory: 1.5M
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─4880 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --

Sep 16 13:32:06 075336.vps-10.com systemd[1]: Starting OpenVPN connection to server...
Sep 16 13:32:06 075336.vps-10.com systemd[1]: Started OpenVPN connection to server.
You need to check whether there is a firewall set up on your side or on the server side, and make sure that the OpenVPN ports are open.
Hi, I checked everything again and my mistake has been fixed. All is now working fine.
Thanks for the instructions.
Matt Notts