Last Modified 9/1/17 by Akensai Previously I explained how to setup a PPTP VPN server on Debian and that's plenty for the average user. In this article I will explain how to setup an OpenVPN server on Debian.

Why OpenVPN instead of PPTP?

To put it simply, OpenVPN is much more secure and works better. For example, on PPTP you can expect speeds to reach 10mbps. On OpenVPN you can generally expect to reach upwards of 60mbps. Aside from this, OpenVPN offers certificate based authentication, which we will be setting up in this guide.

Lets get started with the server setup

Install OpenVPN apt-get install openvpn By default, the easy-rsa scripts are installed under the "/usr/share/easy-rsa/" directory. So, we need to copy these scripts to a desired location, such as: /etc/easy-rsa. mkdir /etc/easy-rsa cp -prv /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/easy-rsa Generate Certificates nano /etc/easy-rsa/2.0/vars Scroll to the bottom and modify to the following, example: export KEY_COUNTRY="US" export KEY_PROVINCE="FL" export KEY_CITY="Tampa" export KEY_ORG="Akensai" export KEY_EMAIL="" export export export KEY_OU=Admin export PKCS11_MODULE_PATH=changeme export PKCS11_PIN=1234 Export the values source ./vars Cleanup any old certificates ./clean-all Generate CA.crt and CA.key ./build-ca Generate Server Certificate ./build-key-server server Generate Diffie Hellman ./build-dh Generate Client Certificate. Each user needs their own certificate. For example, the following would be for user 'akensai'. ./build-key akensai

Configure OpenVPN

Copy certificates to readable directory mkdir /etc/openvpn/certs cp /etc/easy-rsa/2.0/keys/* /etc/openvpn/certs Create server configuration nano /etc/openvpn/server.conf Paste the below and save the file. port 1999 proto udp dev tun ca /etc/openvpn/certs/ca.crt cert /etc/openvpn/certs/server.crt key /etc/openvpn/certs/server.key dh /etc/openvpn/certs/dh1024.pem server ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS" push "dhcp-option DNS" keepalive 10 120 user nobody group nogroup persist-key persist-tun status openvpn-status.log log /etc/openvpn/server.log verb 3 plugin /usr/lib/openvpn/ login Set OpenVPN to run on boot update-rc.d -f openvpn defaults Start OpenVPN Service service openvpn restart

Configure the server networking

If you are not already running PPTP or any other VPN's you will need to configure some server level networking to insure you can make and keep a good connection to the OpenVPN server. These are also detailed in the tutorial for PPTP on Linux. Enable IP Forwarding nano /etc/sysctl.conf Find and uncomment: #net.ipv4.ip_forward=1 Echo changes for good measure: sysctl -p Set iptables rules to allow for forwarding iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE Set default MTU rules via iptables: iptables -o eth0 -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu Create iptables script nano /etc/ Enter the following rules and save the file #!/bin/sh IPT="/sbin/iptables" # VPN Routing $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE $IPT -o eth0 -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu Give the proper permissions chown root /etc/ chmod 700 /etc/ Set the script to run on boot nano /etc/network/interfaces And the following to the bottom of the file and save it pre-up /etc/

Installation and Configuration complete!

You should now have a working OpenVPN server. Now we just need to create the configuration files for the client (us) to connect to it.

OpenVPN Client

For Windows, I use this client. There are many to choose from and they all work pretty much the same. So take your pick. Let's move onto actually configuring your new OpenVPN Client.

OpenVPN Client Configuration Example

This example is based on the configuration entered during the server configuration above. In your OpenVPN client, create a new client configuration, for example vpn-akensai-com.ovpn Past the following in the file, replacing the certificate files as your own scheming goes, for example client dev tun proto udp remote 1999 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert akensai/akensai.crt key akensai/akensai.key ns-cert-type server verb 3 You will need to copy over your certificate files from the server to a place you can call them in the above configuration, these are for example:- ca.crt server.crt server.key akensai.crt akensai.key You can copy these via FTP, SCP, etc - or the good ol' fashion way of opening them in nano/vim and copy/pasting the contents to duplicate files on your desktop.

Almost done!

I suggest rebooting the server if nothing else is running on it. This insures that the everything starts up as normal in the event of a crash, downtime, etc. If you find your server is not working, go back over the steps above and be sure you did everything.


This tutorial assumes you have a good working knowledge of Linux based systems. This was not written for beginners. If you have any questions or feedback feel free to leave a comment or contact me directly.

AkensaiCMS v3.24.198