Tutorial-9122023

How to install and configure OpenVPN Server on Debian 10

How to install and configure OpenVPN Server on Debian 10

OpenVPN is open-source software that can be used to access the internet securely when connected to an untrusted network. OpenVPN allows you to keep your online data safe by tunneling them through encrypted servers. OpenVPN uses SSL/TLS for key exchange and capable of traversing network address translators. There are many VPN software available in the market but all are costly, and/or challenging to set up and manage. While OpenVPN is a free, simple to set up, configure, and manage.

In this tutorial, we will explain how to setup OpenVPN server on Debian 10 server.

Requirements

  • Two server running Debian 10.
  • A static IP address 192.168.0.103 is configured on VPN server and 192.168.0.102 is configured on VPN client.
  • A root password is configured on both servers.

Install OpenVPN

First, you will need to enable IP forwarding to forward network packets properly. You can do this by editing /etc/sysctl.conf file:
nano /etc/sysctl.conf

Change the following line:
net.ipv4.ip_forward=1

Save and close the file, when you are finished. Then, apply the new settings by running the following command:
sysctl -p

Next, install OpenVPN package by just running the following command:
apt-get install openvpn -y

Once the installation has been completed, you can proceed to the next step.

Generate Server Certificate and Key

First, you will need to copy the EasyRSA directory to /etc/openvpn/. You can do it with the following command:
cp -r /usr/share/easy-rsa /etc/openvpn/

Next, change the directory to easy-rsa and rename the vars.example file:
cd /etc/openvpn/easy-rsa
mv vars.example vars

Next, open the vars file:
nano vars

Add the following lines:
export KEY_COUNTRY="INDIA"
export KEY_PROVINCE="CA"
export KEY_CITY="Junagadh"
export KEY_ORG="Howtoforge"
export KEY_EMAIL="[email protected]"
export KEY_OU="OpenVPN"

Save and close the file when you are finished. Then, initialize PKI with the following command:
./easyrsa init-pki

You should see the following output:
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Next, build the CA without a password as shown below:
./easyrsa build-ca nopass

You should see the following output:
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
..............+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
140449484268672:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

Next, generate the server key with the following command:
./easyrsa gen-req server nopass

You should see the following output:
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating a RSA private key
...+++++
................................................................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.uQ7rqU8ryK'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key

Next, sign the server certificate with the following command:
./easyrsa sign-req server server

You should see the following output:
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c 28 May 2019

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
commonName = server

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Sep 5 15:43:29 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt

Next, build a Diffie-Hellman key exchange with the following command:
./easyrsa gen-dh

You should see the following output:
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................+.............................................+..........................................................................................................................................................................................................................................................+.......+................................................................................+................+....................................+..........................+........................................+............................................................................................+.......................................................+............................+......................................................................................................+...................................................................................+.................+............+.+............................+...............................................................................................................................................+............+...............................................+................................................................................................................................................................................+.....................................................................................................................+...................................................................................................................................................................................................+.............................................+..................................................................................................................................+......................................................................................................................................+....................................+..................................................................................................................................................................................+................................................................................................+..............................................................................................+............................................................................................................................................................................................+...........+.................+.....+..........................................................................................................+..........................................................+............+......................................+............................................................................................................................................................................................................................................................................................................+..................................+.................................................................................+.............................+.....................................................................................................................................................................................................................+..........................+.......................................................+......................+.................................+..............................................................+.............................................................................................................................................................+........................................................................+...............................+...............................................................................................................+..............................................+......................................................+.......................+......................................................................................................................................................................................................................+............................................................................................................................+..........................+......................................................................................................................................................................+..........................................................................................+..........................................................++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

Next, generate a HMAC signature with the following command:
openvpn --genkey --secret ta.key

Finally, copy all the certificate and key to the /etc/openvpn directory:
cp ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/

Generate Client Certificate and Key

Next, generate Client certificate with the following command:
./easyrsa gen-req client nopass

You should see the following output:
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating a RSA private key
..........................................+++++
...............+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.wU45j6E0Dt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/pki/private/client.key

Next, sign the Client certificate with the following command:
./easyrsa sign-req client client

You should see the following output:
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c 28 May 2019

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
commonName = client

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Sep 5 12:28:25 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt

Next, copy all client certificate and key to /etc/openvpn/client/ directory:
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/

Configure OpenVPN Server

All the required certificate and key for server and client are now generated. Next, you will need to create an OpenVPN configuration file. You can create it with the following command:
nano /etc/openvpn/server.conf

Add the following content:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

Save and close the file. Then, start OpenVPN service with the following command:
systemctl start openvpn@server

Next, verify the OpenVPN server using the following command:
systemctl status openvpn@server

Output:
? [email protected] - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/[email protected]; disabled; vendor preset: enabled)
Active: active (running) since Sat 2019-09-21 08:46:47 EDT; 6s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 5040 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 1138)
Memory: 1.7M
CGroup: /system.slice/system-openvpn.slice/[email protected]
??5040 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.

Sep 21 08:46:47 debian systemd[1]: Starting OpenVPN connection to server...
Sep 21 08:46:47 debian systemd[1]: Started OpenVPN connection to server.

Install and Configure OpenVPN Client

Next, log in to OpenVPN client system and install OpenVPN package with the following command:
apt-get install openvpn -y

Once installed, create a new configuration file for OpenVPN Client:
nano /etc/openvpn/client.conf

Define your server IP address and client certificate file as shown below:
client
dev tun
proto udp
remote 192.168.0.103 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

Save and close the file. Then, copy all the client certificate and key file from OpenVPN server to OpenVPN client system with the following command:
scp [email protected]:/etc/openvpn/client/ca.crt /etc/openvpn/
scp [email protected]:/etc/openvpn/client/client.crt /etc/openvpn/
scp [email protected]:/etc/openvpn/client/client.key /etc/openvpn/
scp [email protected]:/etc/openvpn/ta.key /etc/openvpn/

Next, start OpenVPN client service with the following command:
systemctl start openvpn@client

Now, you can see the new IP address assigned by OpenVPN server with the following command:
ifconfig

You should see the following output:
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.102 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a00:27ff:fe99:dc40 prefixlen 64 scopeid 0x20
ether 08:00:27:99:dc:40 txqueuelen 1000 (Ethernet)
RX packets 447 bytes 42864 (41.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 334 bytes 47502 (46.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 57 bytes 9754 (9.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 57 bytes 9754 (9.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::52b5:a1d2:fa23:f51e prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9 bytes 472 (472.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Next, go to the OpenVPN server system and check the OpenVPN log with the following command:
tail -f /var/log/openvpn/openvpn.log

You should get the following output:
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 [_] Peer Connection Initiated with [AF_INET]192.168.0.103:45700
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: Learn: 10.8.0.6 -> _/192.168.0.103:45700
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: primary virtual IP for _/192.168.0.103:45700: 10.8.0.6
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 PUSH: Received control message: 'PUSH_REQUEST'
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 SENT CONTROL [_]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Congratulations! you have successfully installed and configured OpenVPN server and Client on Debian 10.

Đăng ký liền tay Nhận Ngay Bài Mới

Subscribe ngay

Cám ơn bạn đã đăng ký !

Lỗi đăng ký !

Add Comment

Click here to post a comment

Đăng ký liền tay
Nhận Ngay Bài Mới

Subscribe ngay

Cám ơn bạn đã đăng ký !

Lỗi đăng ký !