OpenVPN is a robust, open-source VPN (Virtual Private Network) solution that enables secure connections to remote networks via the internet. In this guide, we’ll walk you through the process of setting up OpenVPN on a Debian server.
Method 1: Installation Using a Script
Begin by obtaining the installation script and making it executable:
$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x openvpn-install.sh
Next, run the script (ensure you have root privileges and the TUN module enabled):
$ ./openvpn-install.sh
On the first run you will be prompted to answer a few questions that configure your VPN server. Once OpenVPN is installed, running the script again shows a management menu instead:
$ ./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It seems like OpenVPN is already installed.
What would you like to do?
1) Add a new user
2) Revoke an existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]:
This allows you to add new users or revoke existing ones.
Method 2: Manual Installation
Step 1: Update and Upgrade Debian
Before installing any software, it’s essential to update and upgrade your Debian system. Execute the following commands:
$ sudo apt update
$ sudo apt upgrade
Step 2: Install OpenVPN
Install OpenVPN on your Debian server with the following command:
$ sudo apt install openvpn easy-rsa
Step 3: Generate Certificates and Keys
OpenVPN relies on certificates and keys for client and server authentication. To generate these files, use the included easy-rsa script:
$ make-cadir ~/openvpn-ca && cd ~/openvpn-ca
Edit the vars file to configure the Certificate Authority (CA) variables:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "admin@example.com"   # placeholder: use your own contact address
set_var EASYRSA_REQ_OU "My Organizational Unit"
Generate the required certificates and keys:
$ ./easyrsa init-pki
$ ./easyrsa build-ca
$ ./easyrsa gen-req server nopass
$ ./easyrsa sign-req server server
$ ./easyrsa gen-dh
$ openvpn --genkey --secret pki/ta.key
These certificates and keys are stored in the /root/openvpn-ca/pki directory (the paths below assume you ran the easyrsa commands as root, so that ~/openvpn-ca is /root/openvpn-ca).
Step 4: Configure OpenVPN
After generating the certificates and keys, configure OpenVPN. Create the server configuration file from the sample shipped with the package (on releases where the sample is installed uncompressed as server.conf, use cat instead of zcat):
$ zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/null
Copy the necessary files to the OpenVPN directory:
$ cp /root/openvpn-ca/pki/{ca.crt,dh.pem,ta.key} /etc/openvpn
$ cp /root/openvpn-ca/pki/issued/server.crt /etc/openvpn
$ cp /root/openvpn-ca/pki/private/server.key /etc/openvpn
Edit /etc/openvpn/server.conf so that the certificate and key directives match the following. The sample file enables tls-auth; comment that line out and add the tls-crypt line, which authenticates and encrypts the TLS control channel with the ta.key you generated:
ca ca.crt
cert server.crt
key server.key # Keep this file secure
dh dh.pem
;tls-auth ta.key 0
tls-crypt ta.key
Save and close the file.
Step 5: Enable IP Forwarding
Edit the sysctl configuration:
$ sudo nano /etc/sysctl.conf
Uncomment the following line:
net.ipv4.ip_forward=1
Apply the changes:
$ sudo sysctl -p
Step 6: Start and Enable OpenVPN
Start and enable the OpenVPN service:
$ sudo systemctl start openvpn@server
$ sudo systemctl enable openvpn@server
The @server suffix selects /etc/openvpn/server.conf, the configuration file you created earlier.
Step 7: Configure Firewall
Allow OpenVPN traffic (UDP port 1194 by default) through the firewall using ufw's OpenVPN application profile. This assumes ufw is installed, and it only admits inbound VPN traffic; routing clients' internet traffic through the tunnel would additionally require a NAT rule, which this guide does not cover:
$ sudo ufw allow OpenVPN
Step 8: Connect to OpenVPN Server
With the OpenVPN server operational, you can connect to it from a client computer. Install the OpenVPN client software on that computer, then, on the server and from the ~/openvpn-ca directory, issue a certificate and key for the client and place them where the profile generator below expects them:
$ ./easyrsa gen-req client1 nopass
$ ./easyrsa sign-req client client1
$ cp pki/private/client1.key /etc/openvpn/client/
$ cp pki/issued/client1.crt /etc/openvpn/client/
$ cp pki/{ca.crt,ta.key} /etc/openvpn/client/
Create a client configuration file in the /root/openvpn-ca directory:
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root/openvpn-ca/
Edit the file with nano and set the following directives (the ca, cert, key and tls-auth file references are commented out because the generator below embeds them inline):
remote my-server-1 1194 # my-server-1 is the server's public IP
user nobody
group nogroup
;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1
key-direction 1
Create a script to compile the base configuration with the necessary certificate, key, and encryption files:
$ nano config_gen.sh
Include the following content:
#!/bin/bash
# First argument: Client identifier (the name used with easyrsa gen-req).
# The shebang must be on a line of its own: a comment appended to it is
# passed to bash as a filename and the script fails to start.
KEY_DIR=/etc/openvpn/client
OUTPUT_DIR=/root
BASE_CONFIG=/root/openvpn-ca/client.conf
if [ -z "$1" ]; then
    echo "usage: $0 <client-name>" >&2
    exit 1
fi
# Refuse to run if any input is missing, rather than emit a half-built profile.
for f in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/${1}.crt" "${KEY_DIR}/${1}.key" "${KEY_DIR}/ta.key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; exit 1; }
done
# Concatenate the base config with the CA, client certificate, client key
# and tls-crypt key as inline blocks.
cat "${BASE_CONFIG}" \
    <(echo '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-crypt>') \
    "${KEY_DIR}/ta.key" \
    <(echo '</tls-crypt>') \
    > "${OUTPUT_DIR}/${1}.ovpn"
# The profile embeds the client's private key, so keep it owner-readable only.
chmod 600 "${OUTPUT_DIR}/${1}.ovpn"
Make the script executable and run it for the client you created:
$ chmod 700 /root/openvpn-ca/config_gen.sh
$ ./config_gen.sh client1
This command creates a client1.ovpn file in the /root directory. Copy it to the client computer over a secure channel (it contains the client's private key) and use it to connect to the OpenVPN server.
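As an added example that is not part of the article (and not the config_gen.sh script above), here is a small POSIX shell checker for a generated .ovpn profile. It verifies that each of the four inline blocks (<ca>, <cert>, <key>, <tls-crypt>) appears exactly once and carries PEM data, that an active remote directive exists, that no file-based ca/cert/key/tls-auth/tls-crypt directive was left uncommented alongside the inline blocks (the mix-up behind the tls-crypt and key-direction questions in the comments), and that the file is not readable by group or others, since it embeds the client's private key. It assumes only sh, grep, awk, ls and cut; the sample profiles it can write use placeholder PEM bodies, not real key material.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check a generated .ovpn profile
# before handing it to a client. Assumes only POSIX sh, grep, awk, ls and cut.

# count_block FILE TAG -> prints how many complete <TAG>...</TAG> pairs exist
count_block() {
    awk -v tag="$2" '
        $0 == ("<" tag ">")  { depth++ }
        $0 == ("</" tag ">") { if (depth > 0) { depth--; pairs++ } }
        END { print pairs + 0 }' "$1"
}

# block_has_pem FILE TAG -> succeeds if the block body contains a PEM boundary
block_has_pem() {
    awk -v tag="$2" '
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0 }
        inside && /^-----BEGIN / { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# ovpn_check FILE -> 0 if the profile looks complete and consistent, 1 otherwise;
# every problem found is reported on stderr so the operator knows what to fix.
ovpn_check() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    for tag in ca cert key tls-crypt; do
        n=$(count_block "$f" "$tag")
        if [ "$n" -ne 1 ]; then
            echo "$f: expected exactly one <$tag> block, found $n" >&2; rc=1
        elif ! block_has_pem "$f" "$tag"; then
            echo "$f: <$tag> block contains no PEM data" >&2; rc=1
        fi
    done
    # A remote directive (server address and port) must be present and active.
    grep -Eq '^[[:space:]]*remote[[:space:]]+[^[:space:]]+' "$f" \
        || { echo "$f: no active 'remote' directive" >&2; rc=1; }
    # File-based directives that the inline blocks replace must be commented out
    # (';' or '#'); an active 'tls-auth' next to <tls-crypt> is the classic mistake.
    if grep -Eq '^[[:space:]]*(ca|cert|key|tls-auth|tls-crypt)[[:space:]]+[^[:space:]]' "$f"; then
        echo "$f: file-based ca/cert/key/tls-auth/tls-crypt directive still active" >&2; rc=1
    fi
    return $rc
}

# ovpn_check_perms FILE -> 0 if group and others have no access at all
# (the profile embeds the client's private key), 1 otherwise.
ovpn_check_perms() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$1: group/other can access the profile (chmod 600 it)" >&2; return 1; }
}

# write_sample_profile PATH good|broken -> writes a constructed demo profile so
# the checker can be exercised offline. PEM bodies are placeholders, not keys;
# the 'broken' variant leaves tls-auth active and omits the <tls-crypt> block.
write_sample_profile() {
    out="$1"; kind="$2"
    {
        echo 'client'
        echo 'dev tun'
        echo 'proto udp'
        echo 'remote 192.0.2.10 1194 # constructed: TEST-NET-1 address'
        echo ';ca ca.crt'
        echo ';cert client.crt'
        echo ';key client.key'
        if [ "$kind" = broken ]; then
            echo 'tls-auth ta.key 1'
        else
            echo ';tls-auth ta.key 1'
        fi
        for tag in ca cert key; do
            echo "<$tag>"
            echo '-----BEGIN PLACEHOLDER-----'
            echo 'AAAA (constructed, not real key material)'
            echo '-----END PLACEHOLDER-----'
            echo "</$tag>"
        done
        if [ "$kind" != broken ]; then
            echo '<tls-crypt>'
            echo '-----BEGIN OpenVPN Static key V1-----'
            echo '00 (constructed placeholder)'
            echo '-----END OpenVPN Static key V1-----'
            echo '</tls-crypt>'
        fi
    } > "$out"
    chmod 600 "$out"
}

# Usage: sh ovpn_check.sh /root/client1.ovpn [more profiles...]
for profile in "$@"; do
    ovpn_check "$profile" && ovpn_check_perms "$profile" && echo "$profile: OK"
done
```

Run it against the profile config_gen.sh produced before copying it to the client; a non-zero exit with messages on stderr means the profile should be regenerated rather than shipped. The permission check is deliberately strict (no group or other access) because the .ovpn file is, in effect, the client's credential.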
Conclusion
In this tutorial, we’ve demonstrated how to install and configure OpenVPN on a Debian server. With OpenVPN, you can securely access remote networks and their resources from anywhere in the world.
16 thoughts on "How to Install OpenVPN Server on Debian 11/12"
Updates:
`openvpn --genkey secret pki/ta.key`
`cat /usr/share/doc/openvpn/examples/sample-config-files/server.conf`
instead of zcat.
```
#!/bin/bash
# First argument: Client identifier
KEY_DIR=/etc/openvpn/client
OUTPUT_DIR=/root
BASE_CONFIG=/root/openvpn-ca/client.conf
cat ${BASE_CONFIG} \
```
Thank you, we updated the article.
Ah, brilliant article, btw, the only thing I haven’t figured out is how to use OpenVPN connect as a proxy for browsers on my mac, after the connection is green.
Hi
Also, I can’t find at step “Edit /etc/openvpn/server.conf to match the following:”
tls-crypt ta.key
do we have to add it?
at step “Edit the file using nano and configure the variables:”
I can’t find key-direction 1 – do we have to add it?
then on step “Include the following content:”
There is a space necessary between cat${BASE_CONFIG} so it should be cat ${BASE_CONFIG}
We fixed `cat ${BASE_CONFIG}`.
please add missing settings to config files.
Best regards.
You said you updated the article, but you missed two of the three changes that were needed.
`openvpn --genkey secret pki/ta.key`
`cat /usr/share/doc/openvpn/examples/sample-config-files/server.conf`
instead of zcat.
those changes that were pointed out by someone have still not been updated
Zcat is a different command than cat. Please follow the article step by step to reach the desired result; skipping steps will not work, as every step is dependent on the ones before it.
./config_gen.sh client01
/bin/bash: # First argument: Client identifier: No such file or directory
Hello,
please change parameters on the config_gen.sh file to match your own:
KEY_DIR=/etc/openvpn/client
OUTPUT_DIR=/root
BASE_CONFIG=/root/openvpn-ca/client.conf
Best regards.
-bash: ./config_gen.sh: cannot execute: required file not found
These parameters match to my own:
KEY_DIR=/etc/openvpn/client
OUTPUT_DIR=/root
BASE_CONFIG=/root/openvpn-ca/client.conf
Please run `./config_gen.sh client1` from the same directory you created the script in.
Do you happen to know of any alternative scripts that do not force the usage of iptables but that support nftables (which has been the default in Debian since Buster), or that offers the option to not touch the firewall? Neither the developer of this script, as well as the one from PiVPN, are willing to update their scripts…
Hi, can you please help? `./config_gen.sh client1` shows
bad interpreter: No such file or directory
I did your recommendations above but same result
Make sure your script starts with `#!/bin/bash`. Best regards.
/bin/bash# First argument: Client identifier: No such file or directory
change to:
/bin/bash
# too close to /bin/bash
Thanks for your input, we added a space to the comment.