Install OpenVPN on Debian Jessie

OpenVPN is an SSL/TLS VPN solution that can traverse NAT and firewalls. In this tutorial I'll show you how to install and configure an OpenVPN server that routes all client traffic through the server. You should purchase a LOW COST VPS (1 vCPU, 128M RAM and 5G disk should be enough; FLAT bandwidth is preferred) with TUN interface support.
Server side
Install the openvpn package:
apt-get update
apt-get install openvpn easy-rsa
Copy easy-rsa examples:
cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
Edit certificate variables:
vim /etc/openvpn/easy-rsa/vars
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="changeme"
export KEY_PROVINCE="changeme"
export KEY_CITY="changeme"
export KEY_ORG="example"
export KEY_EMAIL="changeme@example.com"
export KEY_OU="changeme"
# X509 Subject Field
export KEY_NAME="server"
Generate 2048-bit Diffie-Hellman parameters:
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
Generate server certificates/keys:
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server server
Copy generated keys/certificates:
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
Now we need to set up networking.
Enable IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
and make it permanent
vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Configure firewall (iptables):
iptables -t nat -A POSTROUTING -s 10.90.10.0/24 -o eth0 -j MASQUERADE
iptables-save
In our server configuration we will use the default UDP port 1194.
TIP: If your client is behind a firewall or in a "secure" corporate network with closed ports, you should try to use UDP port 53 or 443 (don't forget to make changes in both server/client configurations).
Create server config file:
vim /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.90.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status logs/status.log
log-append logs/openvpn.log
verb 3
Create the logs destination:
mkdir -p /etc/openvpn/logs
touch /etc/openvpn/logs/{openvpn,status}.log
Restart the openvpn service:
systemctl restart openvpn@server.service
Generating client certificates is kind of "complicated" and involves multiple steps by default. To make it more friendly, I've created a simple bash script.
vim /etc/openvpn/gen-client.sh
#!/bin/bash
username=$1
# Refuse to run without a username; otherwise pkitool and the cp below would fail half-way
[ -n "${username}" ] || { echo "usage: $0 <username>"; exit 1; }
# Generating key
echo "Generating key for user ${username}"
cd /etc/openvpn/easy-rsa/
source vars && ./pkitool ${username}
cp /etc/openvpn/clients/.tmp/.tmp.ovpn /etc/openvpn/clients/.tmp/${username}.ovpn
echo "Done"
# Adding ca certificate to ovpn client configuration file
echo "Adding ca certificate to ovpn client configuration file"
echo "<ca>" >> /etc/openvpn/clients/.tmp/${username}.ovpn
cat /etc/openvpn/easy-rsa/keys/ca.crt | grep -A 100 "BEGIN CERTIFICATE" | grep -B 100 "END CERTIFICATE" >> /etc/openvpn/clients/.tmp/${username}.ovpn
echo "</ca>" >> /etc/openvpn/clients/.tmp/${username}.ovpn
echo "Done"
# Adding user certificate to ovpn client configuration file
echo "Adding user certificate to ovpn client configuration file"
echo "<cert>" >> /etc/openvpn/clients/.tmp/${username}.ovpn
cat /etc/openvpn/easy-rsa/keys/${username}.crt | grep -A 100 "BEGIN CERTIFICATE" | grep -B 100 "END CERTIFICATE" >> /etc/openvpn/clients/.tmp/${username}.ovpn
echo "</cert>" >> /etc/openvpn/clients/.tmp/${username}.ovpn
echo "Done"
# Adding user key to ovpn client configuration file
echo "Adding user key to ovpn client configuration file"
echo "<key>" >> /etc/openvpn/clients/.tmp/${username}.ovpn
cat /etc/openvpn/easy-rsa/keys/${username}.key | grep -A 100 "BEGIN PRIVATE KEY" | grep -B 100 "END PRIVATE KEY" >> /etc/openvpn/clients/.tmp/${username}.ovpn
echo "</key>" >> /etc/openvpn/clients/.tmp/${username}.ovpn
mkdir -p /etc/openvpn/clients/${username}
mv /etc/openvpn/clients/.tmp/${username}.ovpn /etc/openvpn/clients/${username}/${username}.ovpn
cp /etc/openvpn/easy-rsa/keys/${username}.{crt,key} /etc/openvpn/clients/${username}
cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/clients/${username}
# gzip (-z), not bzip2 (-j), so the archive matches its .tar.gz name and the client's tar -xzvf
cd /etc/openvpn/clients; tar -zcf ${username}.tar.gz ${username}/
echo "Done"
echo "
=========================================================================================
Configurations are located in /etc/openvpn/clients/${username}
---------------------------------------------------------------------------------
Download friendly version with: 'scp root@`hostname -f`:/etc/openvpn/clients/${username}.tar.gz .'
=========================================================================================
"
exit 0
Make it executable:
chmod +x /etc/openvpn/gen-client.sh
Now we need to create the client config template that the script uses in the next step.
mkdir -p /etc/openvpn/clients/.tmp/
vim /etc/openvpn/clients/.tmp/.tmp.ovpn
client
verb 1
dev tun
proto udp
port 1194
remote example.com 1194 udp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
cipher AES-128-CBC
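As an added example (not part of the original post or of the gen-client.sh above), here is a hardened version of the script's inlining step: a sed range copies each PEM block whole instead of relying on grep -A 100/-B 100, both the "PRIVATE KEY" (PKCS#8) and "RSA PRIVATE KEY" headers are accepted, a missing block aborts instead of silently writing an empty tag, and the resulting .ovpn is created owner-readable only because it embeds the private key. The template, CA, certificate, key and output paths are caller-supplied arguments, not fixed paths from the post.

```shell
#!/bin/sh
# Added example, not the original gen-client.sh: inline CA cert, client cert and
# key into a client .ovpn. easy-rsa .crt files carry a text dump before the PEM
# block, so only the -----BEGIN/-----END range is copied.

# pem_block FILE LABEL: print the first "-----BEGIN LABEL-----" .. "-----END LABEL-----" block
pem_block() {
    sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

# key_block FILE: the private key, whichever of the two common PEM headers the file uses
key_block() {
    k=$(pem_block "$1" "PRIVATE KEY")
    [ -n "$k" ] || k=$(pem_block "$1" "RSA PRIVATE KEY")
    printf '%s' "$k"
}

# build_ovpn TEMPLATE CA CERT KEY OUT: returns 0 on success, 1 (and writes nothing)
# if any of the three PEM blocks cannot be found
build_ovpn() {
    ca_pem=$(pem_block "$2" CERTIFICATE)
    cert_pem=$(pem_block "$3" CERTIFICATE)
    key_pem=$(key_block "$4")
    for blk in "$ca_pem" "$cert_pem" "$key_pem"; do
        [ -n "$blk" ] || { echo "build_ovpn: PEM block missing, not writing $5" >&2; return 1; }
    done
    # subshell keeps the restrictive umask local; the output embeds a private key
    (
        umask 077
        {
            cat "$1"
            printf '<ca>\n%s\n</ca>\n' "$ca_pem"
            printf '<cert>\n%s\n</cert>\n' "$cert_pem"
            printf '<key>\n%s\n</key>\n' "$key_pem"
        } > "$5"
    )
}
```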
And finally generate client config:
cd /etc/openvpn/
./gen-client.sh username
Client configurations are located in /etc/openvpn/clients/username, with a download-friendly version at /etc/openvpn/clients/username.tar.gz.
tree /etc/openvpn/clients/
/etc/openvpn/clients/
├── username
│   ├── ca.crt
│   ├── username.crt
│   ├── username.key
│   └── username.ovpn
└── username.tar.gz
Client side
Install the openvpn package:
apt-get update
apt-get install openvpn
Copy the client VPN configuration from the VPN server:
scp root@example.com:/etc/openvpn/clients/username.tar.gz .
tar -xzvf username.tar.gz
Connect to the VPN server:
openvpn --config username.ovpn
Try to ping the VPN server:
ping 10.90.10.1
PING 10.90.10.1 (10.90.10.1) 56(84) bytes of data.
64 bytes from 10.90.10.1: icmp_seq=1 ttl=63 time=21.6 ms
64 bytes from 10.90.10.1: icmp_seq=2 ttl=63 time=20.3 ms
64 bytes from 10.90.10.1: icmp_seq=3 ttl=63 time=20.3 ms
64 bytes from 10.90.10.1: icmp_seq=4 ttl=63 time=20.4 ms
64 bytes from 10.90.10.1: icmp_seq=5 ttl=63 time=20.4 ms
^C
--- 10.90.10.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 20.322/20.657/21.685/0.549 ms
Now you're "safe" :)