In this tutorial I will explain how to install, configure and use an OpenVPN server on Debian, quick and painless.
I will be using Debian “wheezy” 7.7.0, but the instructions should also work on newer and earlier releases.
A VPN is used to provide an encrypted “tunnel” between you, the VPN-Server, and possibly other clients who are also connected to the same VPN-Server.
All traffic passing between you and the VPN-Server is encrypted, thus preventing a third party/hacker from eavesdropping on your connection and stealing sensitive information from you.
A VPN can be very useful if you are connected to a potentially unsafe internet connection at a public wifi hotspot (airport, coffee shop, restaurant, hotel), where a malicious user may be trying to steal your personal information.
A VPN can also be used if you want to hide your IP address, or appear to be in a different country in order to bypass a firewall or access region-restricted content (Netflix, YouTube, ...).
1. Install software
Fire up a shell, and type the following.
Make sure you are logged in as root, or use sudo, when running this command.
root@debian:~# apt-get install -y openvpn bind9
If you are wondering why we also install “bind9”: it is a DNS server, and the VPN clients will use it as their resolver so that all of their traffic, DNS lookups included, passes through the VPN.
If you only want certain traffic to go to a service within the VPN network, and normal traffic to go outside the VPN, you don't need bind9 and can skip it.
2. Generate Certificates for OpenVPN
Copy the files needed to generate SSL certificates and keys:
root@debian:~# cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
Start generating the CA (Certificate Authority) files:
root@debian:~# cd /etc/openvpn/easy-rsa/2.0/
root@debian:~# source ./vars
root@debian:~# ./clean-all
root@debian:~# ./build-ca
You will be asked to enter several pieces of information before the files are generated.
It really makes no difference what you type here, so just hit “enter” without typing anything.
Generate a private key and certificate for your server: (change “myserver” to your server name)
root@debian:~# . /etc/openvpn/easy-rsa/2.0/build-key-server myserver
Again, you will be asked for information. Just keep hitting enter until the last two questions, where you must type “y” and hit “enter” on both.
Generate the Diffie-Hellman parameters:
root@debian:~# . /etc/openvpn/easy-rsa/2.0/build-dh
Generate a certificate for each client/computer that is going to connect to your server: (change “client” to a unique name for each client)
root@debian:~# . /etc/openvpn/easy-rsa/2.0/build-key client
Run this command once for each client, and change the “client” name each time, because each client must have a unique name. (The script is sourced with “.”, which is a shell builtin, so do not put “sudo” in front of it; you are already running as root.)
Now it’s time to copy all the files we generated to the OpenVPN config folder:
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/ca* /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/myserver.crt /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/myserver.key /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn
Copy the client certificate(s) to your regular user account: (change “myuser” to your regular user account)
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/client.key /home/myuser
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/client.crt /home/myuser
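Before copying the files around it is worth checking that what easy-rsa produced is consistent. The script below is an added example (not part of the tutorial or of easy-rsa) that verifies a certificate chains to the CA in the keys directory, that the private key belongs to it, and, for the server, that the certificate carries the server extension build-key-server adds; it assumes openssl is installed and the default keys directory /etc/openvpn/easy-rsa/2.0/keys.

```shell
#!/bin/sh
# Added example: sanity-check easy-rsa output before copying it anywhere.
# Usage: sh check-pki.sh KEYS_DIR NAME
#   e.g. sh check-pki.sh /etc/openvpn/easy-rsa/2.0/keys client
# Assumes openssl is installed; NAME is what you passed to build-key / build-key-server.

# Returns 0 when NAME.crt is signed by ca.crt and NAME.key is the matching private key.
check_pki() {
    dir=$1; name=$2
    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # 1. The certificate must chain to *this* CA; one issued elsewhere is useless here.
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 \
        || { echo "$name.crt does not verify against ca.crt" >&2; return 1; }
    # 2. The key must belong to the certificate (same RSA modulus); a mix-up between
    #    clients otherwise only shows up later as a failing TLS handshake.
    cm=$(openssl x509 -noout -modulus -in "$dir/$name.crt" 2>/dev/null)
    km=$(openssl rsa -noout -modulus -in "$dir/$name.key" 2>/dev/null)
    [ -n "$cm" ] && [ "$cm" = "$km" ] \
        || { echo "$name.key does not match $name.crt" >&2; return 1; }
    # 3. Warn about weak keys: this easy-rsa version defaults to KEY_SIZE=1024 in vars
    #    (hence dh1024.pem); raise it to 2048 before build-ca if you can still rebuild.
    bits=$(openssl rsa -noout -text -in "$dir/$name.key" 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || echo "warning: $name.key is only $bits bits" >&2
    # 4. The private key should not be readable by other users (warning only).
    case $(ls -l "$dir/$name.key" | cut -c5-10) in
        ------) ;;
        *) echo "warning: $name.key is readable by group/others, chmod 600 it" >&2 ;;
    esac
    return 0
}

# Returns 0 when the certificate carries the serverAuth extension that build-key-server
# adds. A client configured with "remote-cert-tls server" rejects any server without it,
# so a stolen client certificate cannot be used to impersonate the VPN server.
server_cert_is_marked() {
    openssl x509 -noout -text -in "$1/$2.crt" 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

if [ $# -eq 2 ]; then
    check_pki "$1" "$2" && echo "$2: certificate and key are consistent"
    server_cert_is_marked "$1" "$2" && echo "$2: certificate is marked as a server certificate"
fi
```

Run it once for “myserver” (expect both messages) and once per client name (expect only the first).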
3. Configure OpenVPN Server
We start by decompressing a sample config file for the server:
root@debian:~# gunzip -d /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
Copy the file to the OpenVPN config folder:
root@debian:~# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn
Copy a sample config file which will be used by each client connecting to the VPN: (change “myuser” to your regular user account)
root@debian:~# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/myuser
This file must be downloaded to each VPN-client later.
Open the server configuration file: /etc/openvpn/server.conf
Change the following lines to reflect the server name you chose when you generated the certificates (I used the name “myserver”, so they become “cert myserver.crt” and “key myserver.key”):
cert server.crt
key server.key
Uncomment the following line, by removing the “;” preceding the line:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)
;push "redirect-gateway def1 bypass-dhcp"
Add the following line anywhere in the file:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)
push "dhcp-option DNS 10.8.0.1"
Uncomment the following line, by removing the “;” preceding the line: (enable VPN clients to communicate with each other through the VPN)
;client-to-client
That’s it. Save and close the file.
Edit /etc/sysctl.conf and uncomment the following line:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)
#net.ipv4.ip_forward=1
This allows the kernel to forward IP traffic, so the server can route the clients' traffic onwards instead of only accepting traffic addressed to itself.
Restart the networking service:
root@debian:~# service networking restart
Restart the OpenVPN server:
root@debian:~# service openvpn restart
Create some iptables rules needed to forward the traffic:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)
root@debian:~# iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@debian:~# iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
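The two FORWARD rules above only permit forwarding; they do not rewrite the clients' 10.8.0.x source addresses, so replies from the internet have no route back to the server unless your upstream router already routes 10.8.0.0/24 to it. The script below is an added example (not from the tutorial) that wraps the complete rule set in one function; it assumes the sample server.conf's 10.8.0.0/24 subnet, eth0 as the internet-facing interface and tun0 as the VPN interface.

```shell
#!/bin/sh
# Added example: forwarding + NAT rules for a "redirect-gateway" OpenVPN server.
# Assumptions: VPN subnet 10.8.0.0/24 (the sample server.conf default), tun0 is the
# VPN interface and eth0 faces the internet. Run as root: sh vpn-fw.sh apply
IPTABLES=${IPTABLES:-iptables}   # overridable, so the rule set can be dry-run (IPTABLES=echo)

setup_vpn_forwarding() {
    wan=${1:-eth0}; tun=${2:-tun0}; net=${3:-10.8.0.0/24}
    # Replies for connections that VPN clients opened may come back in.
    $IPTABLES -A FORWARD -i "$wan" -o "$tun" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # VPN clients may go out, but only with a source address from the VPN subnet,
    # so a client cannot push packets with a spoofed source through the server.
    $IPTABLES -A FORWARD -i "$tun" -o "$wan" -s "$net" -j ACCEPT
    # Rewrite the clients' 10.8.0.x source to the server's own address. Without this
    # the upstream network receives packets from a private subnet it cannot reply to.
    $IPTABLES -t nat -A POSTROUTING -s "$net" -o "$wan" -j MASQUERADE
    # Anything not explicitly allowed above is not forwarded.
    $IPTABLES -P FORWARD DROP
}

# The rules do nothing unless the kernel forwards at all (net.ipv4.ip_forward=1).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

if [ "${1-}" = apply ]; then
    shift
    forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0; run: sysctl -w net.ipv4.ip_forward=1" >&2
    setup_vpn_forwarding "$@"
    # Note: iptables rules are lost at reboot. Save them with the iptables-persistent
    # package, or call this script from /etc/network/if-up.d/.
fi
```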
4. Setting up the OpenVPN client
If you are planning to have multiple clients, you must create a unique config file for each client and make the following changes in each of them.
Open the client configuration file that you copied to your regular user account earlier: /home/myuser/client.conf
Change “my-server-1” on the following line to the IP address of your OpenVPN server:
remote my-server-1 1194
Change these lines to reflect the name you chose for your client when you created the certificates:
cert client.crt
key client.key
That’s it. Save and close the file.
Now it’s time to install the VPN client software on your client computer(s).
This should be very straightforward, so I'm not going into detail on this.
You can download the OpenVPN client software here:
http://openvpn.net/index.php/open-source/downloads.html
After you complete installing the OpenVPN client software, copy the following files from the server, to the config path for your VPN client:
/home/myuser/client.key
/home/myuser/client.crt
/home/myuser/client.conf
/etc/openvpn/ca.crt
Note: If you are using the client on Windows, the “client.conf” file must be renamed to “client.ovpn” in order for the file to be loaded automatically.
5. Finished!
You are now finished! All that remains is to start the OpenVPN client, and it will automatically connect to your VPN-Server.