Setup OpenVPN Server on Debian

Previously I explained how to setup a PPTP VPN server on Debian and that’s plenty for the average user. In this article I will explain how to setup an OpenVPN server on Debian.

Why OpenVPN instead of PPTP?

To put it simply, OpenVPN is much more secure and works better. For example, on PPTP you can expect speeds to reach 10mbps. On OpenVPN you can generally expect to reach upwards of 60mbps. Aside from this, OpenVPN offers certificate based authentication, which we will be setting up in this guide.

Lets get started with the server setup

Install OpenVPN

apt-get install openvpn

By default, the easy-rsa scripts are installed under the “/usr/share/easy-rsa/” directory. So, we need to copy these scripts to a desired location, such as: /etc/easy-rsa.

mkdir /etc/easy-rsa
cp -prv /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/easy-rsa

Generate Certificates

nano /etc/easy-rsa/2.0/vars

Scroll to the bottom and modify to the following, example:

export KEY_COUNTRY="US"
export KEY_PROVINCE="FL"
export KEY_CITY="Tampa"
export KEY_ORG="Akensai"
export KEY_EMAIL="[email protected]"
export KEY_CN=vpn.akensai.com
export KEY_NAME=vpn.akensai.com
export KEY_OU=Admin
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

Export the values

source ./vars

Cleanup any old certificates

./clean-all

Generate CA.crt and CA.key

./build-ca

Generate Server Certificate

./build-key-server server

Generate Diffie Hellman

./build-dh

Generate Client Certificate. Each user needs their own certificate. For example, the following would be for user ‘akensai’.

./build-key akensai

Configure OpenVPN

Copy certificates to readable directory

mkdir /etc/openvpn/certs
cp /etc/easy-rsa/2.0/keys/* /etc/openvpn/certs

Create server configuration

nano /etc/openvpn/server.conf

Paste the below and save the file.

port 1999
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /etc/openvpn/server.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

Set OpenVPN to run on boot

update-rc.d -f openvpn defaults

Start OpenVPN Service

service openvpn restart

Configure the server networking

If you are not already running PPTP or any other VPN’s you will need to configure some server level networking to insure you can make and keep a good connection to the OpenVPN server. These are also detailed in the tutorial for PPTP on Linux.

Enable IP Forwarding

nano /etc/sysctl.conf

Find and uncomment:

#net.ipv4.ip_forward=1

Echo changes for good measure:

sysctl -p

Set iptables rules to allow for forwarding

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Set default MTU rules via iptables:

iptables -o eth0 -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu

Create iptables script

nano /etc/iptables.sh

Enter the following rules and save the file

#!/bin/sh
IPT="/sbin/iptables"

# VPN Routing
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -o eth0 -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu

Give iptables.sh the proper permissions

chown root /etc/iptables.sh

chmod 700 /etc/iptables.sh

Set the script to run on boot

nano /etc/network/interfaces

And the following to the bottom of the file and save it

pre-up /etc/iptables.sh

Installation and Configuration complete!

You should now have a working OpenVPN server. Now we just need to create the configuration files for the client (us) to connect to it.

OpenVPN Client

For Windows, I use this client. There are many to choose from and they all work pretty much the same. So take your pick. Let’s move onto actually configuring your new OpenVPN Client.

OpenVPN Client Configuration Example

This example is based on the configuration entered during the server configuration above.

In your OpenVPN client, create a new client configuration, for example

vpn-akensai-com.ovpn

Paste the following in the file, replacing the certificate files as your own scheming goes, for example

client
dev tun
proto udp
remote vpn.akensai.com 1999
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert akensai/akensai.crt
key akensai/akensai.key
ns-cert-type server
verb 3

You will need to copy over your certificate files from the server to a place you can call them in the above configuration, these are for example:-

ca.crt
server.crt
server.key
akensai.crt
akensai.key

You can copy these via FTP, SCP, etc – or the good ol’ fashion way of opening them in nano/vim and copy/pasting the contents to duplicate files on your desktop.

Almost done!

I suggest rebooting the server if nothing else is running on it. This insures that the everything starts up as normal in the event of a crash, downtime, etc. If you find your server is not working, go back over the steps above and be sure you did everything.

Notice

This tutorial assumes you have a good working knowledge of Linux based systems. This was not written for beginners. If you have any questions or feedback feel free to leave a comment or contact me directly.