Install OpenVPN on Debian Jessie

OpenVPN is an SSL/TLS VPN solution that can traverse NAT and firewalls. In this tutorial I'll show you how to install and configure an OpenVPN server that routes all client traffic through the server. A low-cost VPS with TUN interface support is enough (1 vCPU, 128 MB RAM and 5 GB disk will do; flat-rate bandwidth is preferable).

Server side

Install the openvpn package:

apt-get update
apt-get install openvpn easy-rsa

Copy easy-rsa examples:

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys

Edit certificate variables:

vim /etc/openvpn/easy-rsa/vars
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="changeme"
export KEY_PROVINCE="changeme"
export KEY_CITY="changeme"
export KEY_ORG="example"
export KEY_EMAIL="changeme@example.com"
export KEY_OU="changeme"

# X509 Subject Field
export KEY_NAME="server"

Generate 2048-bit Diffie-Hellman parameters:

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Generate server certificates/keys:

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server server

Copy generated keys/certificates:

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

Now we need to set up networking.

Enable IPv4 forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

and make it permanent

vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Configure the firewall (iptables) so that traffic from the VPN subnet is NATed out through the server's public interface (replace eth0 if your interface is named differently):

iptables -t nat -A POSTROUTING -s 10.90.10.0/24 -o eth0 -j MASQUERADE

Note that iptables-save on its own only prints the current ruleset to stdout. To have the rule reloaded at boot, install iptables-persistent and save the rules where it expects them:

apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4

In our server configuration we will use the default UDP port 1194.
TIP: If your client is behind a firewall or on a "secure" corporate network with most ports closed, try UDP port 53 or 443 instead (don't forget to change the port in both the server and the client configuration).

Create server config file:

vim /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.90.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# send all client traffic, DNS included, through the tunnel
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
# let connected clients reach each other over the VPN
client-to-client
# allow several clients to be connected with the same certificate at once
duplicate-cn
keepalive 10 120
cipher AES-128-CBC
comp-lzo
# drop root privileges once the tunnel is up
user nobody
group nogroup
persist-key
persist-tun
status logs/status.log
log-append logs/openvpn.log
verb 3

Create the logs destination:

mkdir -p /etc/openvpn/logs
touch /etc/openvpn/logs/{openvpn,status}.log

Restart the openvpn service:

systemctl restart openvpn@server.service

Generating client certificates is somewhat "complicated" and involves multiple steps by default. To make it friendlier, I've written a simple bash script that builds the client certificate and bundles it, together with its key and the CA certificate, into a single .ovpn file.

vim /etc/openvpn/gen-client.sh
#!/bin/bash
# Build a client certificate/key with easy-rsa and bundle it, together with the
# CA certificate, into one .ovpn file based on /etc/openvpn/clients/.tmp/.tmp.ovpn
set -e
umask 077   # the bundle embeds a private key, so keep all output owner-only

if [ $# -ne 1 ]; then
    echo "Usage: $0 <username>" >&2
    exit 1
fi
username="$1"
keys="/etc/openvpn/easy-rsa/keys"
clients="/etc/openvpn/clients"
ovpn="${clients}/.tmp/${username}.ovpn"

# Print only the PEM block of a file (easy-rsa .crt files also contain a
# human-readable dump of the certificate in front of the PEM data)
pem() { sed -n "/BEGIN $2/,/END $2/p" "$1"; }

# Generating key
echo "Generating key for user ${username}"
cd /etc/openvpn/easy-rsa/
source vars && ./pkitool "${username}"
cp "${clients}/.tmp/.tmp.ovpn" "${ovpn}"
echo "Done"

# Adding ca certificate to ovpn client configuration file
echo "Adding ca certificate to ovpn client configuration file"
{ echo "<ca>"; pem "${keys}/ca.crt" CERTIFICATE; echo "</ca>"; } >> "${ovpn}"
echo "Done"

# Adding user certificate to ovpn client configuration file
echo "Adding user certificate to ovpn client configuration file"
{ echo "<cert>"; pem "${keys}/${username}.crt" CERTIFICATE; echo "</cert>"; } >> "${ovpn}"
echo "Done"

# Adding user key to ovpn client configuration file
# (".*PRIVATE KEY" matches both the PKCS#8 and the older "RSA PRIVATE KEY" header)
echo "Adding user key to ovpn client configuration file"
{ echo "<key>"; pem "${keys}/${username}.key" ".*PRIVATE KEY"; echo "</key>"; } >> "${ovpn}"
echo "Done"

mkdir -p "${clients}/${username}"
mv "${ovpn}" "${clients}/${username}/${username}.ovpn"
cp "${keys}/${username}.crt" "${keys}/${username}.key" "${keys}/ca.crt" "${clients}/${username}"

# gzip (-z) so the archive matches its .tar.gz name and the client's tar -xzvf
cd "${clients}" && tar -zcf "${username}.tar.gz" "${username}/"

echo "Done"

echo "
=========================================================================================

            Configurations are located in ${clients}/${username}

    ---------------------------------------------------------------------------------

                        Download friendly version with:

         'scp root@$(hostname -f):${clients}/${username}.tar.gz .'

=========================================================================================
"

exit 0

Make it executable:

chmod +x /etc/openvpn/gen-client.sh

Now we need to create the client config template that the script copies and completes in the next step. Replace example.com with your server's hostname or IP address.

mkdir -p /etc/openvpn/clients/.tmp/
vim /etc/openvpn/clients/.tmp/.tmp.ovpn
client
verb 1
dev tun
proto udp
port 1194
remote example.com 1194 udp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
cipher AES-128-CBC

And finally generate the client config:

cd /etc/openvpn/
./gen-client.sh username

Client configurations are located in /etc/openvpn/clients/username, with a download-friendly archive at /etc/openvpn/clients/username.tar.gz:

tree /etc/openvpn/clients/
/etc/openvpn/clients/
├── username
│   ├── ca.crt
│   ├── username.crt
│   ├── username.key
│   └── username.ovpn
└── username.tar.gz
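Before handing a bundle out, it is worth checking that the two sides still agree on the settings the TIP above says must match. The following Python checker is an added example, not part of the original guide: it parses an OpenVPN config (plain directives plus inline <ca>/<cert>/<key> blocks) and compares server.conf with a client .ovpn, reporting mismatched port/proto/cipher/comp-lzo and a missing remote-cert-tls server line. The sample configs inside it are constructed, with the client cipher deliberately changed.

```python
import re

# Constructed inputs: the guide's server.conf and a client .ovpn whose cipher drifted.
SERVER_CONF = "port 1194\nproto udp\ncipher AES-128-CBC\ncomp-lzo\n"
CLIENT_OVPN = """client
proto udp
remote example.com 1194 udp
remote-cert-tls server
comp-lzo
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificate
-----END CERTIFICATE-----
</ca>
"""

def parse_ovpn(text):
    """Return {directive: [args]}; inline <tag> blocks are kept as raw text."""
    opts, tag, buf = {}, None, []
    for line in text.splitlines():
        line = line.strip()
        if tag:                                   # inside <ca>/<cert>/<key>
            if line == "</%s>" % tag:
                opts[tag], tag = "\n".join(buf), None
            else:
                buf.append(line)
            continue
        m = re.match(r"<(\w+)>$", line)
        if m:
            tag, buf = m.group(1), []
        elif line and not line.startswith(("#", ";")):
            name, *args = line.split()            # last occurrence wins
            opts[name] = args
    return opts

def check_pair(server_text, client_text):
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    remote = c.get("remote", [])                  # remote <host> [port] [proto]
    c_port = remote[1] if len(remote) > 1 else c.get("port", ["1194"])[0]
    c_proto = remote[2] if len(remote) > 2 else c.get("proto", ["udp"])[0]
    pairs = [("port", s.get("port", ["1194"])[0], c_port),
             ("proto", s.get("proto", ["udp"])[0], c_proto),
             ("cipher", s.get("cipher", ["default"])[0], c.get("cipher", ["default"])[0])]
    problems = ["%s mismatch: server %s, client %s" % p for p in pairs if p[1] != p[2]]
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo set on only one side")
    if c.get("remote-cert-tls") != ["server"]:    # client must pin the server role
        problems.append("client lacks 'remote-cert-tls server'")
    return problems
```

Run check_pair() on the real /etc/openvpn/server.conf and the generated .ovpn; an empty list means the two configurations are consistent.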


Client side

Install the openvpn package:

apt-get update
apt-get install openvpn

Copy the client VPN configuration from the VPN server and unpack it:

scp root@example.com:/etc/openvpn/clients/username.tar.gz .
tar -xzvf username.tar.gz

Connect to the VPN server (the archive unpacks into a username/ directory):

openvpn --config username/username.ovpn

Try to ping the VPN server:

ping 10.90.10.1
PING 10.90.10.1 (10.90.10.1) 56(84) bytes of data.
64 bytes from 10.90.10.1: icmp_seq=1 ttl=63 time=21.6 ms
64 bytes from 10.90.10.1: icmp_seq=2 ttl=63 time=20.3 ms
64 bytes from 10.90.10.1: icmp_seq=3 ttl=63 time=20.3 ms
64 bytes from 10.90.10.1: icmp_seq=4 ttl=63 time=20.4 ms
64 bytes from 10.90.10.1: icmp_seq=5 ttl=63 time=20.4 ms
^C
--- 10.90.10.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 20.322/20.657/21.685/0.549 ms

Now you're "safe" :)
