Server Configuration
- Install OpenVPN
sudo apt update && sudo apt install openvpn
- Copy the easy-rsa directory
easy-rsa is used to generate certificates.
sudo cp -pr /usr/share/easy-rsa /etc/openvpn/server/ && cd /etc/openvpn/server/easy-rsa
/etc/openvpn/server/easy-rsa/
- Create the vars file from the template and edit it
cp vars.example vars && nano vars
/etc/openvpn/server/easy-rsa/
├── vars.example
└── vars
- Search for the following block:
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)

#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"

# Choose a size in bits for your keypairs. The recommended value is 2048. Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)
- Uncomment the lines and enter your configuration:
set_var EASYRSA_REQ_COUNTRY "FR"
set_var EASYRSA_REQ_PROVINCE "France"
set_var EASYRSA_REQ_CITY "maville"
set_var EASYRSA_REQ_ORG "xsec"
set_var EASYRSA_REQ_EMAIL "test@gmail.com"
set_var EASYRSA_REQ_OU "it"
- Create the Certificate Authority
- Done here without a password; in production it is recommended to set one.
./easyrsa init-pki
./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/server/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................+++++
..................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/server/easy-rsa/pki/ca.crt
At the prompt Common Name [Easy-RSA CA]: press Enter to keep the default name.
- Generate the server certificate
- Done here without a password; in production it is recommended to set one.
./easyrsa build-server-full server nopass
- Generate the client certificate
- Done here without a password; in production it is recommended to set one.
./easyrsa build-client-full client nopass
- Generate the dh.pem file
- This file (Diffie-Hellman parameters) is used during the initial connection handshake that sets up the symmetric encryption
./easyrsa gen-dh
- This operation may take time, depending on your machine’s power.
- Generate the key file
openvpn --genkey tls-auth ta.key
- Organize the files
- Copy the generated server files and the Certificate Authority certificate to /etc/openvpn/
cp pki/issued/server.crt pki/private/server.key pki/ca.crt pki/dh.pem ta.key /etc/openvpn/
/etc/openvpn/
├── server.crt
├── server.key
├── ca.crt
├── dh.pem
└── ta.key
- Copy the generated client files and the Certificate Authority certificate to /etc/openvpn/client/
cp pki/issued/client.crt pki/private/client.key pki/ca.crt pki/dh.pem ta.key /etc/openvpn/client/
/etc/openvpn/client/
├── client.crt
├── client.key
├── ca.crt
├── dh.pem
└── ta.key
- Create the configuration file from the template
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server.conf && cd /etc/openvpn
/etc/openvpn/
├── server.conf
├── server.crt
├── server.key
├── ca.crt
├── dh.pem
└── ta.key
- Here we copy the configuration file to the default directory /etc/openvpn/ and enter that directory.
- Rename the dh.pem file
mv /etc/openvpn/dh.pem /etc/openvpn/dh2048.pem
NOTE: By renaming it to dh2048.pem, server.conf will find the file directly, since dh2048.pem is the file name specified there by default.
- Test the configuration
openvpn --config /etc/openvpn/server.conf
TIP: If your configuration is correct, the last line of output will be:
Initialization Sequence Completed
Error "Already in use"
CAUTION: If an instance of openvpn is already running, it may conflict with the new installation (error: Already in use).
You need to find the process holding the service's port. You can list the ports in use:
ss -na
You can filter on OpenVPN's default port to see whether an instance is running:
ss -pan | grep 1194
udp UNCONN 0 0 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=8660,fd=7))
- You can see pid=8660 here; you need to stop this process:
sudo kill -9 8660
- Repeat until
ss -pan | grep 1194
no longer returns a result (adapt the pid each time)
- Restart openvpn on the server
systemctl daemon-reload && systemctl restart openvpn
NOTE: You can run
systemctl enable openvpn
to make OpenVPN start automatically with the machine.
Client Configuration
- Install OpenVPN on the client
apt update && apt install openvpn
- Copy the files from the /etc/openvpn/client directory and transfer them to the client machine
On the client machine, move them to /etc/openvpn/
/etc/openvpn/
├── client.crt
├── client.key
├── ca.crt
├── dh.pem
└── ta.key
- Copy and edit the client configuration file
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/ && nano /etc/openvpn/client.conf
/etc/openvpn/
└── client.conf
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194
Replace the line remote my-server-1 1194
with remote OPENVPN_SERVER_IP 1194 (the address of your server)
- Restart OpenVPN on the client
sudo systemctl daemon-reload && sudo systemctl restart openvpn
Make it start automatically at boot: you can run
systemctl enable openvpn
to make OpenVPN start automatically with the machine.
- Connect to the OpenVPN server
openvpn --config /etc/openvpn/client.conf
If your configuration is correct, the last line of output will be: Initialization Sequence Completed
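The following POSIX shell function is an added check, not part of the original guide: run against the server.conf or client.conf set up above, it verifies that every file the config references (ca, cert, key, tls-auth, and dh on the server) exists beside it, that the private key is not group- or world-readable, and that a client config no longer carries the sample's my-server-1 placeholder and keeps remote-cert-tls server. The function names and the directive list are assumptions based on the sample configs the guide copies.

```shell
#!/bin/sh
# Sanity-check an OpenVPN config against the files copied beside it.
# Added example, not part of the original guide; assumes the layout used
# above (config plus ca.crt, cert, key, ta.key and, for the server, the dh
# file in the same directory). Function names are chosen here.

# Print the argument of the first active (uncommented) occurrence of a directive.
ovpn_get() {  # $1=config file, $2=directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Resolve a path from the config relative to the config's directory.
ovpn_path() {  # $1=config dir, $2=path as written in the config
    case $2 in /*) printf '%s\n' "$2" ;; *) printf '%s/%s\n' "$1" "$2" ;; esac
}

# Print one finding per line; return 1 if anything is wrong, 0 otherwise.
check_ovpn_conf() {  # $1=path to server.conf or client.conf
    conf=$1; dir=$(dirname "$conf"); rc=0
    # A file with the bare "client" directive is a client config;
    # a server config additionally needs its Diffie-Hellman parameters.
    if grep -q '^[[:space:]]*client[[:space:]]*$' "$conf"; then
        role=client; want="ca cert key tls-auth"
    else
        role=server; want="ca cert key dh tls-auth"
    fi
    for d in $want; do
        v=$(ovpn_get "$conf" "$d")
        if [ -z "$v" ]; then echo "missing directive: $d"; rc=1; continue; fi
        p=$(ovpn_path "$dir" "${v%% *}")   # "tls-auth ta.key 1": keep only the file part
        [ -f "$p" ] || { echo "$d file not found: $p"; rc=1; }
    done
    # The private key must not be readable by group or others.
    kp=$(ovpn_path "$dir" "$(ovpn_get "$conf" key)")
    if [ -f "$kp" ]; then
        mode=$(stat -c %a "$kp" 2>/dev/null || stat -f %Lp "$kp")
        case $mode in 600|400) ;; *) echo "key mode is $mode, expected 600"; rc=1 ;; esac
    fi
    if [ "$role" = client ]; then
        # The sample's placeholder must have been replaced by the real server
        # address, and the client should keep verifying the server certificate.
        r=$(ovpn_get "$conf" remote)
        case $r in ""|my-server-*) echo "remote still carries the sample placeholder: '$r'"; rc=1 ;; esac
        grep -q '^[[:space:]]*remote-cert-tls[[:space:]]\{1,\}server' "$conf" \
            || { echo "remote-cert-tls server is not set"; rc=1; }
    fi
    return $rc
}
```

Run it as check_ovpn_conf /etc/openvpn/server.conf on the server and check_ovpn_conf /etc/openvpn/client.conf on the client; an unrenamed dh.pem or a forgotten remote edit is reported before you start the service.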