Setting up OpenVPN on Debian

In this tutorial I will explain how to install, configure and use an OpenVPN server on Debian, quick and painless :)

I will be using Debian “wheezy” 7.7.0. The steps are largely the same on other releases, with one caveat: the easy-rsa scripts used below ship inside the openvpn package only up to wheezy. On jessie they are a separate package (apt-get install easy-rsa, files under /usr/share/easy-rsa), and from stretch onwards that package is easy-rsa 3, whose commands differ from the 2.0 ones shown here.

A VPN provides an encrypted “tunnel” between you and the VPN server (and, optionally, between the other clients connected to the same server).
Everything passing between you and the VPN server is encrypted, so a third party on the same network cannot eavesdrop on your connection or tamper with it. Be clear about what it does not cover: once traffic leaves the VPN server towards its real destination it is only as protected as the application protocol itself (HTTPS, SSH, ...), and the operator of the VPN server, in this case you, can see all of it.

A VPN can be very useful if you are connected to a potentially unsafe internet connection on a public wifi hotspot at an airport, coffee shop, restaurant or hotel, where a malicious user may be trying to steal your personal information.

A VPN can also be used to hide your real IP address (websites see the server’s address instead), or to appear to be in a different country in order to bypass a firewall or access region-restricted content (Netflix, YouTube, ...).
 
 

1. Install software

Fire up a shell, and type the following.
Make sure you are logged in as root, or use sudo, when running this command.

root@debian:~# apt-get install -y openvpn bind9

If you are wondering why we also install “bind9”: it is a DNS server. It is not strictly required, but once the server pushes a default route to its clients (step 3) they also need a DNS resolver that is reachable through the tunnel, otherwise either name resolution breaks or the DNS queries keep going, unencrypted, to the hotspot’s resolver. Running bind9 on the VPN address (10.8.0.1) is the simplest way to provide one. Two things to check in /etc/bind/named.conf.options: the VPN subnet (10.8.0.0/24 by default) must be listed in allow-recursion, because BIND’s default only permits recursion from localhost and directly attached networks, and the server should not answer recursive queries on its public interface (restrict listen-on or allow-recursion accordingly), or you have just built an open resolver.

If you only want certain traffic going to a service within the VPN network, with normal traffic going outside the VPN, you don’t need bind9 and can skip it.
 
 

2. Generate Certificates for OpenVPN

Copy the easy-rsa scripts used to generate the TLS certificates and keys (on wheezy the example tree ships with the openvpn package):

root@debian:~# cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Before generating anything, open /etc/openvpn/easy-rsa/2.0/vars in an editor: it sets KEY_SIZE=1024, which is too short for a new deployment, so change it to 2048 (the Diffie-Hellman file generated later is then named dh2048.pem instead of dh1024.pem; use that name wherever dh1024.pem appears below). The KEY_COUNTRY, KEY_ORG, ... values in the same file are the defaults offered at the prompts.

Start generating the CA (Certificate Authority) files:

root@debian:~# cd /etc/openvpn/easy-rsa/2.0/
root@debian:/etc/openvpn/easy-rsa/2.0# source ./vars
root@debian:/etc/openvpn/easy-rsa/2.0# ./clean-all
root@debian:/etc/openvpn/easy-rsa/2.0# ./build-ca

./clean-all deletes the keys directory, so run it only now, on a fresh CA, and never again once certificates have been issued.

You will be asked for several pieces of information before the files are generated.
The defaults come from vars, and nothing except the Common Name matters to OpenVPN; for the CA the default is fine, so just hit “enter” through the prompts. In the following steps the Common Name is pre-filled with the name you pass on the command line.

Generate a private key and certificate for your server: (change “myserver” to your server name; it becomes the certificate’s Common Name)

root@debian:/etc/openvpn/easy-rsa/2.0# ./build-key-server myserver

Again, you will be asked for information. Keep hitting enter until the last two questions (“Sign the certificate?” and “commit?”), where you must type “y” and hit “enter” on both. Use build-key-server here, not build-key: it marks the certificate as a server certificate, which is what lets clients check that they are talking to your server and not to another VPN user presenting their own client certificate.

Generate the Diffie-Hellman parameters (not a key, despite the name; this takes a while at 2048 bits):

root@debian:/etc/openvpn/easy-rsa/2.0# ./build-dh

Generate a key and certificate for each client/computer that is going to connect to your server: (change “client” to a unique name for each client)

root@debian:/etc/openvpn/easy-rsa/2.0# ./build-key client

Run this command once for each client, with a different name each time. The name becomes the certificate’s Common Name, which is how the server tells clients apart: easy-rsa refuses to issue a second certificate with a Common Name already in its database, and OpenVPN by default disconnects the existing session when a second client connects with the same Common Name. Do not share one client certificate between devices either; you could then not revoke a lost device without cutting off the others.

Now it’s time to copy the files the server needs to the OpenVPN config folder. Copy only ca.crt, not ca.key: the server never uses the CA’s private key, and whoever holds it can issue certificates your server will trust. Leave it in the easy-rsa keys directory (readable by root only) or, better, move it off the server entirely.

root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/myserver.crt /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/myserver.key /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn

(Use dh2048.pem if you raised KEY_SIZE in vars.) Check afterwards that /etc/openvpn/myserver.key is owned by root with mode 600; easy-rsa creates it that way and cp keeps the mode.

Copy the client certificate(s) and key(s) to your regular user account: (change “myuser” to your regular user account). A plain cp as root would leave the files owned by root with mode 600, which your user cannot read; install sets owner and mode in one go:

root@debian:~# install -o myuser -g myuser -m 0600 /etc/openvpn/easy-rsa/2.0/keys/client.key /home/myuser/client.key
root@debian:~# install -o myuser -g myuser -m 0644 /etc/openvpn/easy-rsa/2.0/keys/client.crt /home/myuser/client.crt
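The same PKI build, scripted, as an added example (this is not code from the tutorial or from easy-rsa): it raises the key size to 2048 bits, uses easy-rsa 2.0’s pkitool helper in batch mode instead of answering prompts, refuses a duplicate client name before OpenSSL does, and stages only the files the server needs into /etc/openvpn, leaving ca.key behind. Assumed: the easy-rsa 2.0 copy at /etc/openvpn/easy-rsa/2.0 made above (override with EASYRSA_DIR), and the server name plus client names given on the command line as in the usage line at the bottom.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build the whole easy-rsa 2.0
# PKI non-interactively and stage only the files the server needs.
# Assumptions: the easy-rsa 2.0 tree copied above at /etc/openvpn/easy-rsa/2.0
# (override with EASYRSA_DIR), with its pkitool batch helper; run as root.
set -eu

EASYRSA_DIR=${EASYRSA_DIR:-/etc/openvpn/easy-rsa/2.0}
KEY_SIZE=${KEY_SIZE:-2048}   # easy-rsa's vars hard-codes 1024; re-applied after sourcing it

# Source easy-rsa's vars from its own directory (it uses pwd), then re-apply
# our key size, because vars unconditionally exports KEY_SIZE=1024.
load_vars() {
    cd "$EASYRSA_DIR"
    _want=$KEY_SIZE
    . ./vars
    export KEY_SIZE=$_want
}

# True if a certificate with Common Name $1 is already in the CA database
# ($2 = keys/index.txt, one issued certificate per line, subject in the last
# column). easy-rsa itself refuses duplicate subjects with an opaque
# "TXT_DB error number 2"; checking first gives a readable message instead.
cn_issued() {
    [ -f "$2" ] || return 1
    grep -Eq "/CN=$1(/|\$)" "$2"
}

pki_init() {                 # fresh CA: wipes keys/, so run exactly once
    load_vars
    ./clean-all
    ./pkitool --initca
}

issue_server() {             # $1 = server name (becomes the CN); also builds DH params
    load_vars
    ./pkitool --server "$1"  # --server sets the server EKU that clients can check
    ./build-dh               # writes keys/dh$KEY_SIZE.pem; slow at 2048 bits
}

issue_client() {             # $1 = unique client name
    load_vars
    if cn_issued "$1" keys/index.txt; then
        echo "refusing to issue '$1': that Common Name already exists" >&2
        return 1
    fi
    ./pkitool "$1"
}

# Copy only what the running server needs, root-only on the private key.
# ca.key deliberately stays behind: the server never uses it, and anyone holding
# it can mint client certificates your server will trust. Keep it off the box.
stage_server_files() {       # $1 = keys dir, $2 = server name, $3 = destination dir
    install -m 0644 "$1/ca.crt"          "$3/ca.crt"
    install -m 0644 "$1/$2.crt"          "$3/$2.crt"
    install -m 0600 "$1/$2.key"          "$3/$2.key"
    install -m 0644 "$1/dh$KEY_SIZE.pem" "$3/dh$KEY_SIZE.pem"
}

# Usage (as root): sh build-pki.sh build myserver laptop phone
if [ "${1:-}" = build ]; then
    srv=$2; shift 2
    pki_init
    issue_server "$srv"
    for c in "$@"; do issue_client "$c"; done
    stage_server_files "$EASYRSA_DIR/keys" "$srv" /etc/openvpn
fi
```

Because pkitool runs in batch mode, the subject fields come straight from vars, so edit KEY_COUNTRY, KEY_ORG and friends there before the first run; the Common Name is the only field the server actually uses.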

 

3. Configure OpenVPN Server

We start from the sample server config that ships with the package. Decompress it straight into the OpenVPN config folder rather than in place, so the files under /usr/share/doc stay as the package installed them:

root@debian:~# zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Copy the sample config file that each client connecting to the VPN will use: (change “myuser” to your regular user account)

root@debian:~# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/myuser

This file must be copied to each VPN client later.

Open the server configuration file: /etc/openvpn/server.conf

Change the following lines to match the server name you chose when you generated the certificates (I used the name “myserver”), and the dh line if your Diffie-Hellman file is dh2048.pem:

cert server.crt
key server.key
dh dh1024.pem

While you are there, also uncomment these two lines by removing the “;”. OpenVPN then drops root privileges once it has opened its sockets and the tun device, so a bug in the daemon cannot be turned into root on your server (the persist-key and persist-tun lines already active in the sample config are what keep this working across tunnel restarts):

;user nobody
;group nogroup

Uncomment the following line, by removing the “;” preceding the line:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

;push "redirect-gateway def1 bypass-dhcp"

Add the following line anywhere in the file. 10.8.0.1 is the server’s own address inside the tunnel, where the bind9 from step 1 answers:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

push "dhcp-option DNS 10.8.0.1"

Windows clients apply a pushed DNS option by themselves. Linux clients do not: there the client config needs script-security 2 plus up and down lines pointing at /etc/openvpn/update-resolv-conf (shipped with Debian’s openvpn package), otherwise the client keeps using the hotspot’s resolver and its DNS queries leak outside the tunnel.

Uncomment the following line, by removing the “;” preceding it, if VPN clients should be able to reach each other through the VPN. Leave it commented if each client only needs the server and the internet: with it enabled, one compromised laptop on the VPN can talk directly to every other connected client.

;client-to-client

That’s it. Save and close the file.
 
 
Edit /etc/sysctl.conf and uncomment the following line:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

#net.ipv4.ip_forward=1

This lets the kernel forward packets between tun0 and eth0, i.e. route the clients’ traffic onwards. Without it nothing that arrives over the tunnel ever leaves the server.
 
Apply the setting without rebooting. There is no need to restart networking for this; on wheezy “service networking restart” is deprecated and can leave a remote machine without network:

root@debian:~# sysctl -p

Restart the OpenVPN server:

root@debian:~# service openvpn restart

If it does not come up, look in /var/log/syslog (or run openvpn --config /etc/openvpn/server.conf in the foreground): a wrong file name on the cert, key or dh line is the usual cause.

 
Create the iptables rules needed to forward the traffic. The two FORWARD rules only matter if the default policy of your FORWARD chain is DROP; the third, a source NAT (masquerade) rule, is needed in any case, because the internet cannot route replies back to 10.8.0.x addresses, so the server has to rewrite them to its own:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

root@debian:~# iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@debian:~# iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
root@debian:~# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Replace eth0 with your internet-facing interface, and 10.8.0.0/24 with the server subnet if you changed it in server.conf. These rules are lost on reboot: save them with iptables-save and restore them at boot (the iptables-persistent package does exactly that).
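The forwarding, NAT and persistence steps above as one re-runnable script, added here as an example (not from the tutorial). It assumes eth0, tun0 and 10.8.0.0/24 as above, adds the masquerade rule that the FORWARD rules alone do not cover, restricts forwarding to the VPN subnet as source, and checks with iptables -C before adding so it can be run twice without stacking duplicate rules; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: turn the forwarding and
# NAT steps into one idempotent script. Assumptions: eth0 faces the internet,
# tun0 is the VPN interface and 10.8.0.0/24 is OpenVPN's server subnet (the
# defaults in the sample server.conf); run as root. Set DRY_RUN=1 to print
# the iptables commands instead of running them.
set -eu

# Enable IPv4 forwarding persistently via sysctl.d (read at boot) and right
# now via sysctl -w. No networking restart is needed; on wheezy that can drop
# your SSH session.
write_forward_conf() {       # $1 = file to write
    printf 'net.ipv4.ip_forward=1\n' > "$1"
}

apply_forwarding() {
    write_forward_conf /etc/sysctl.d/99-openvpn-forward.conf
    sysctl -w net.ipv4.ip_forward=1
}

# Append one rule unless an identical one is already present (iptables -C),
# so re-running the script does not pile up duplicates. $1 = table, $2 = chain,
# the rest is the rule specification.
rule() {
    _t=$1 _c=$2
    shift 2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -t $_t -A $_c $*"
        return 0
    fi
    iptables -t "$_t" -C "$_c" "$@" 2>/dev/null || iptables -t "$_t" -A "$_c" "$@"
}

# $1 = WAN interface, $2 = tunnel interface, $3 = VPN subnet
vpn_routing_rules() {
    # replies from the internet back to VPN clients (only matters with a
    # DROP policy on FORWARD, but harmless otherwise)
    rule filter FORWARD -i "$1" -o "$2" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # VPN clients out to the internet; -s limits it to the VPN subnet so a
    # client spoofing some other source address over the tunnel is not forwarded
    rule filter FORWARD -i "$2" -o "$1" -s "$3" -j ACCEPT
    # the rule the FORWARD pair does not cover: source-NAT client traffic to the
    # server's own address, otherwise replies to 10.8.0.x are unroutable
    rule nat POSTROUTING -s "$3" -o "$1" -j MASQUERADE
}

# Usage (as root): sh vpn-routing.sh apply
# Afterwards persist the rules, e.g. iptables-save > /etc/iptables.rules, and
# restore them at boot (the iptables-persistent package automates this).
if [ "${1:-}" = apply ]; then
    apply_forwarding
    vpn_routing_rules eth0 tun0 10.8.0.0/24
fi
```

Run it once with DRY_RUN=1 first to see the exact rules it would add; the printed lines are the same three commands as above, with the VPN subnet added as a source match on the outbound FORWARD rule.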

 

4. Setting up the OpenVPN client

If you are planning to have multiple clients, create one config file per client; only the cert and key lines differ between them.

Open the client configuration file that you copied to your regular user account earlier: /home/myuser/client.conf

Change “my-server-1” on the following line to the public IP address or DNS name of your OpenVPN server (this is a config line, not a shell command). Make sure UDP port 1194 actually reaches the server: allowed through its firewall and, if it sits behind a NAT router, forwarded to it.

remote my-server-1 1194

Change these lines to reflect the name you chose for your client when you created the certificates:

cert client.crt
key client.key

Also add the line remote-cert-tls server (the sample file only has the older equivalent, ;ns-cert-type server, commented out). It makes the client reject any peer whose certificate was not created with build-key-server, so another VPN user cannot impersonate your server with their own client certificate.

That’s it. Save and close the file.
 
 
Now it’s time to install the VPN client software on your client computer(s).
This should be very straightforward, so I’m not going into detail on this.

You can download the OpenVPN client software here:
http://openvpn.net/index.php/open-source/downloads.html
 
 
After installing the OpenVPN client software, copy the following files from the server to the config directory of your VPN client. Use a secure channel (scp, or a USB stick), not e-mail: client.key is the secret that identifies this device to your server. ca.crt is public and can be copied freely; ca.key must never leave the CA.

/home/myuser/client.key
/home/myuser/client.crt
/home/myuser/client.conf
/etc/openvpn/ca.crt

Note: on Windows the “client.conf” file must be renamed to “client.ovpn” for the OpenVPN GUI to load it automatically.
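An added example (not part of the tutorial or of OpenVPN’s own tooling) that does the client-side assembly in one step: it writes a single .ovpn per client with the CA certificate, client certificate and key embedded using OpenVPN’s <ca>, <cert> and <key> inline blocks, so one file instead of four travels to the device, and it already carries remote-cert-tls server. It assumes the easy-rsa keys directory used above, a server reachable on UDP 1194, and the sample server.conf with comp-lzo enabled; the server address and client names are given on the command line.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: bundle a client's config,
# CA certificate, certificate and key into one self-contained .ovpn file.
# Assumptions: the easy-rsa keys directory holds <name>.crt, <name>.key and
# ca.crt; the server listens on UDP 1194 with the sample server.conf (which
# has comp-lzo enabled, so the client must match it).
set -eu

# easy-rsa certificates start with a human-readable text dump before the
# PEM block; OpenVPN only needs the BEGIN/END part, so keep just that.
pem() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# $1 = client name, $2 = server IP or hostname, $3 = keys dir, $4 = output file
# remote-cert-tls server: reject a peer whose certificate lacks the server
# extension set by build-key-server, so another client cannot pose as the server.
make_ovpn() {
    {
        printf '%s\n' \
            client \
            'dev tun' \
            'proto udp' \
            "remote $2 1194" \
            'resolv-retry infinite' \
            nobind \
            persist-key \
            persist-tun \
            'remote-cert-tls server' \
            comp-lzo \
            'verb 3'
        printf '<ca>\n';   pem "$3/ca.crt";  printf '</ca>\n'
        printf '<cert>\n'; pem "$3/$1.crt";  printf '</cert>\n'
        printf '<key>\n';  pem "$3/$1.key";  printf '</key>\n'
    } > "$4"
    chmod 600 "$4"       # the file now contains the client's private key
}

# Usage (as root): sh make-ovpn.sh bundle 203.0.113.10 laptop phone
if [ "${1:-}" = bundle ]; then
    server=$2; shift 2
    for c in "$@"; do
        make_ovpn "$c" "$server" /etc/openvpn/easy-rsa/2.0/keys "/root/$c.ovpn"
        echo "wrote /root/$c.ovpn; copy it to the device over scp, not by e-mail"
    done
fi
```

On Linux clients that should also use the pushed DNS server, append script-security 2 and the up/down lines for /etc/openvpn/update-resolv-conf to the generated file; the Windows GUI needs nothing extra, and the .ovpn name means no renaming is needed there.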
 
 

5. Finished!

You are now finished! All that remains is to start the OpenVPN client, and it will connect to your VPN server. With verb 3 the client log ends in “Initialization Sequence Completed” on success; if you redirected all traffic, confirm that a what-is-my-IP page now shows the server’s address rather than the hotspot’s. One last thing to keep in mind: if a client device is lost or stolen, its key keeps working until you revoke it. Run ./revoke-full client in the easy-rsa directory and point the server at the resulting keys/crl.pem with a crl-verify line in server.conf.