Last Modified 9/1/17 by Akensai
Previously I explained how to setup a PPTP VPN server on Debian and that's plenty for the average user. In this article I will explain how to setup an OpenVPN server on Debian.
Why OpenVPN instead of PPTP?
To put it simply, OpenVPN is much more secure and works better. For example, on PPTP you can expect speeds to reach 10mbps. On OpenVPN you can generally expect to reach upwards of 60mbps. Aside from this, OpenVPN offers certificate based authentication, which we will be setting up in this guide.
Lets get started with the server setup
apt-get install openvpn
By default, the easy-rsa scripts are installed under the "/usr/share/easy-rsa/" directory. So, we need to copy these scripts to a desired location, such as: /etc/easy-rsa.
cp -prv /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/easy-rsa
Scroll to the bottom and modify to the following, example:
Export the values
Cleanup any old certificates
Generate CA.crt and CA.key
Generate Server Certificate
Generate Diffie Hellman
Generate Client Certificate. Each user needs their own certificate. For example, the following would be for user 'akensai'.
Copy certificates to readable directory
cp /etc/easy-rsa/2.0/keys/* /etc/openvpn/certs
Create server configuration
Paste the below and save the file.
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 126.96.36.199"
push "dhcp-option DNS 188.8.131.52"
keepalive 10 120
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
Set OpenVPN to run on boot
update-rc.d -f openvpn defaults
Start OpenVPN Service
service openvpn restart
Configure the server networking
If you are not already running PPTP or any other VPN's you will need to configure some server level networking to insure you can make and keep a good connection to the OpenVPN server. These are also detailed in the tutorial for PPTP on Linux.
Enable IP Forwarding
Find and uncomment:
Echo changes for good measure:
Set iptables rules to allow for forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Set default MTU rules via iptables:
iptables -o eth0 -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu
Create iptables script
Enter the following rules and save the file
# VPN Routing
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -o eth0 -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu
Give iptables.sh the proper permissions
chown root /etc/iptables.sh
chmod 700 /etc/iptables.sh
Set the script to run on boot
And the following to the bottom of the file and save it
Installation and Configuration complete!
You should now have a working OpenVPN server. Now we just need to create the configuration files for the client (us) to connect to it.
For Windows, I use this client. There are many to choose from and they all work pretty much the same. So take your pick. Let's move onto actually configuring your new OpenVPN Client.
OpenVPN Client Configuration Example
This example is based on the configuration entered during the server configuration above.
In your OpenVPN client, create a new client configuration, for example
Past the following in the file, replacing the certificate files as your own scheming goes, for example
remote vpn.akensai.com 1999
You will need to copy over your certificate files from the server to a place you can call them in the above configuration, these are for example:-
You can copy these via FTP, SCP, etc - or the good ol' fashion way of opening them in nano/vim and copy/pasting the contents to duplicate files on your desktop.
I suggest rebooting the server if nothing else is running on it. This insures that the everything starts up as normal in the event of a crash, downtime, etc. If you find your server is not working, go back over the steps above and be sure you did everything.
This tutorial assumes you have a good working knowledge of Linux based systems. This was not written for beginners. If you have any questions or feedback feel free to leave a comment or contact me directly.