How to Install OpenVPN Server on Debian 11/12

OpenVPN is a robust, open-source VPN (Virtual Private Network) solution that enables secure connections to remote networks via the internet. In this guide, we’ll walk you through the process of setting up OpenVPN on a Debian server.

Method 1:

Installation Using a Script

Begin by obtaining the installation script and making it executable:

$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x openvpn-install.sh

Next, run the script (ensure you have root privileges and the TUN module enabled):

$ ./openvpn-install.sh

Upon the first execution, you’ll be prompted to answer a few questions to configure your VPN server. Once OpenVPN is installed, you can rerun the script to:

$ ./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It seems like OpenVPN is already installed.
What would you like to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:

This allows you to add new users or revoke existing ones.

Method 2:

Step 1: Update and Upgrade Debian

Before installing any software, it’s essential to update and upgrade your Debian system. Execute the following commands:

$ sudo apt update
$ sudo apt upgrade

Step 2: Install OpenVPN

Install OpenVPN on your Debian server with the following command:

$ sudo apt install openvpn easy-rsa

Step 3: Generate Certificates and Keys

OpenVPN relies on certificates and keys for client and server authentication. To generate these files, use the included easy-rsa script:

$ make-cadir ~/openvpn-ca && cd ~/openvpn-ca

Edit the vars file to configure Certificate Authority (CA) variables:

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "California"
set_var EASYRSA_REQ_CITY       "San Francisco"
set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL      "[email protected]"
set_var EASYRSA_REQ_OU         "My Organizational Unit"

Generate the required certificates and keys:

$ ./easyrsa init-pki
$ ./easyrsa build-ca
$ ./easyrsa gen-req server nopass
$ ./easyrsa sign-req server server
$ ./easyrsa gen-dh
$ openvpn --genkey --secret pki/ta.key

These certificates and keys will be stored in the /root/openvpn-ca/pki directory.

Step 4: Configure OpenVPN

After generating certificates and keys, proceed to configure OpenVPN. Create a new configuration file with the following command:

$ zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/null

Copy the necessary files to the OpenVPN directory:

$ cp /root/openvpn-ca/pki/{ca.crt,dh.pem,ta.key} /etc/openvpn
$ cp /root/openvpn-ca/pki/issued/server.crt /etc/openvpn
$ cp /root/openvpn-ca/pki/private/server.key /etc/openvpn

Edit /etc/openvpn/server.conf to match the following:

ca ca.crt
cert server.crt
key server.key  # Keep this file secure
dh dh.pem
;tls-auth ta.key 0
tls-crypt ta.key

Save and close the file.

Step 5: Enable IP Forwarding

Edit the sysctl configuration:

$ sudo nano /etc/sysctl.conf

Uncomment the following line:

net.ipv4.ip_forward=1

Apply the changes:

$ sudo sysctl -p

Step 6: Start and Enable OpenVPN

Start and enable the OpenVPN service:

$ sudo systemctl start openvpn@server
$ sudo systemctl enable openvpn@server

The @server specifies the configuration file you created earlier.

Step 7: Configure Firewall

Allow OpenVPN traffic through the firewall by creating a new rule:

$ sudo ufw allow OpenVPN

Step 8: Connect to OpenVPN Server

With the OpenVPN server operational, you can connect to it from a client computer. Install the OpenVPN client software and download the client configuration file from the server:

$ ./easyrsa gen-req client1 nopass
$ ./easyrsa sign-req client client1
$ cp pki/private/client1.key /etc/openvpn/client/
$ cp pki/issued/client1.crt /etc/openvpn/client/
$ cp pki/{ca.crt,ta.key} /etc/openvpn/client/

Create a client configuration file in the /root/openvpn-ca directory:

$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root/openvpn-ca/

Edit the file using nano and configure the variables:

remote my-server-1 1194 # my-server-1 is the server's public IP
user nobody
group nogroup
;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1
key-direction 1

Create a script to compile the base configuration with the necessary certificate, key, and encryption files:

$ nano config_gen.sh

Include the following content:

#!/bin/bash# First argument: Client identifier
KEY_DIR=/etc/openvpn/client
OUTPUT_DIR=/root
BASE_CONFIG=/root/openvpn-ca/client.conf
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-crypt>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-crypt>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Make the script executable:

$ chmod 700 /root/openvpn-ca/config_gen.sh
$ ./config_gen.sh client1

This command will create a client1.ovpn file in the /root/ directory. Copy this file to your client computer and use it to connect to the OpenVPN server.

Conclusion

In this tutorial, we’ve demonstrated how to install and configure OpenVPN on a Debian server. With OpenVPN, you can securely access remote networks and their resources from anywhere in the world.