{"id":379,"date":"2024-01-20T13:52:33","date_gmt":"2024-01-20T05:52:33","guid":{"rendered":"https:\/\/www.stusc.com\/?p=379"},"modified":"2024-01-20T13:52:33","modified_gmt":"2024-01-20T05:52:33","slug":"how-to-install-openvpn-server-on-debian-11-12","status":"publish","type":"post","link":"https:\/\/www.stusc.com\/?p=379","title":{"rendered":"How to Install OpenVPN Server on Debian 11\/12"},"content":{"rendered":"\n

Method 1:<\/h2>\n\n\n\n

Installation Using a Script<\/strong><\/p>\n\n\n\n

Begin by obtaining the installation script and making it executable:<\/p>\n\n\n\n

$ curl -O https:\/\/raw.githubusercontent.com\/angristan\/openvpn-install\/master\/openvpn-install.sh\n$ chmod +x openvpn-install.sh<\/code><\/pre>\n\n\n\n
Next, run the script (ensure you have root privileges and the TUN module enabled):<\/p>\n\n\n\n
$ .\/openvpn-install.sh<\/code><\/pre>\n\n\n\n
Upon the first execution, you\u2019ll be prompted to answer a few questions to configure your VPN server. Once OpenVPN is installed, you can rerun the script to:<\/p>\n\n\n\n
$ .\/openvpn-install.sh\nWelcome to OpenVPN-install!\nThe git repository is available at: https:\/\/github.com\/angristan\/openvpn-install\nIt seems like OpenVPN is already installed.\nWhat would you like to do?\n   1) Add a new user\n   2) Revoke an existing user\n   3) Remove OpenVPN\n   4) Exit\nSelect an option [1-4]:<\/code><\/pre>\n\n\n\n
This allows you to add new users or revoke existing ones.<\/p>\n\n\n\n
Method 2:<\/h2>\n\n\n\n
Step 1: Update and Upgrade Debian<\/strong><\/p>\n\n\n\n
Before installing any software, it\u2019s essential to update and upgrade your Debian system. Execute the following commands:<\/p>\n\n\n\n
$ sudo apt update\n$ sudo apt upgrade<\/code><\/pre>\n\n\n\n
Step 2: Install OpenVPN<\/strong><\/p>\n\n\n\n
Install OpenVPN on your Debian server with the following command:<\/p>\n\n\n\n
$ sudo apt install openvpn easy-rsa<\/code><\/pre>\n\n\n\n
Step 3: Generate Certificates and Keys<\/strong><\/p>\n\n\n\n
OpenVPN relies on certificates and keys for client and server authentication. To generate these files, use the included easy-rsa script:<\/p>\n\n\n\n
$ make-cadir ~\/openvpn-ca && cd ~\/openvpn-ca<\/code><\/pre>\n\n\n\n
Edit the vars<\/code> file to configure Certificate Authority (CA) variables:<\/p>\n\n\n\n
set_var EASYRSA_REQ_COUNTRY    \"US\"\nset_var EASYRSA_REQ_PROVINCE   \"California\"\nset_var EASYRSA_REQ_CITY       \"San Francisco\"\nset_var EASYRSA_REQ_ORG        \"Copyleft Certificate Co\"\nset_var EASYRSA_REQ_EMAIL      \"me@example.net\"\nset_var EASYRSA_REQ_OU         \"My Organizational Unit\"<\/code><\/pre>\n\n\n\n
Generate the required certificates and keys:<\/p>\n\n\n\n
$ .\/easyrsa init-pki\n$ .\/easyrsa build-ca\n$ .\/easyrsa gen-req server nopass\n$ .\/easyrsa sign-req server server\n$ .\/easyrsa gen-dh\n$ openvpn --genkey --secret pki\/ta.key<\/code><\/pre>\n\n\n\n
These certificates and keys will be stored in the \/root\/openvpn-ca\/pki<\/code> directory.<\/p>\n\n\n\n
Step 4: Configure OpenVPN<\/strong><\/p>\n\n\n\n
After generating certificates and keys, proceed to configure OpenVPN. Create a new configuration file with the following command:<\/p>\n\n\n\n
$ zcat \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz | sudo tee \/etc\/openvpn\/server.conf > \/dev\/null<\/code><\/pre>\n\n\n\n
Copy the necessary files to the OpenVPN directory:<\/p>\n\n\n\n
$ cp \/root\/openvpn-ca\/pki\/{ca.crt,dh.pem,ta.key} \/etc\/openvpn\n$ cp \/root\/openvpn-ca\/pki\/issued\/server.crt \/etc\/openvpn\n$ cp \/root\/openvpn-ca\/pki\/private\/server.key \/etc\/openvpn<\/code><\/pre>\n\n\n\n
Edit \/etc\/openvpn\/server.conf<\/code> to match the following:<\/p>\n\n\n\n
ca ca.crt\ncert server.crt\nkey server.key  # Keep this file secure\ndh dh.pem\n;tls-auth ta.key 0\ntls-crypt ta.key<\/code><\/pre>\n\n\n\n
Save and close the file.<\/p>\n\n\n\n
Step 5: Enable IP Forwarding<\/strong><\/p>\n\n\n\n
Edit the sysctl configuration:<\/p>\n\n\n\n
$ sudo nano \/etc\/sysctl.conf<\/code><\/pre>\n\n\n\n
Uncomment the following line:<\/p>\n\n\n\n
net.ipv4.ip_forward=1<\/code><\/pre>\n\n\n\n
Apply the changes:<\/p>\n\n\n\n
$ sudo sysctl -p<\/code><\/pre>\n\n\n\n
Step 6: Start and Enable OpenVPN<\/strong><\/p>\n\n\n\n
Start and enable the OpenVPN service:<\/p>\n\n\n\n
$ sudo systemctl start openvpn@server\n$ sudo systemctl enable openvpn@server<\/code><\/pre>\n\n\n\n
The @server<\/code> specifies the configuration file you created earlier.<\/p>\n\n\n\n
Step 7: Configure Firewall<\/strong><\/p>\n\n\n\n
Allow OpenVPN traffic through the firewall by creating a new rule:<\/p>\n\n\n\n
$ sudo ufw allow OpenVPN<\/code><\/pre>\n\n\n\n
Step 8: Connect to OpenVPN Server<\/strong><\/p>\n\n\n\n
With the OpenVPN server operational, you can connect to it from a client computer. Install the OpenVPN client software and download the client configuration file from the server:<\/p>\n\n\n\n
$ .\/easyrsa gen-req client1 nopass\n$ .\/easyrsa sign-req client client1\n$ cp pki\/private\/client1.key \/etc\/openvpn\/client\/\n$ cp pki\/issued\/client1.crt \/etc\/openvpn\/client\/\n$ cp pki\/{ca.crt,ta.key} \/etc\/openvpn\/client\/<\/code><\/pre>\n\n\n\n
Create a client configuration file in the \/root\/openvpn-ca<\/code> directory:<\/p>\n\n\n\n
$ cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/client.conf \/root\/openvpn-ca\/<\/code><\/pre>\n\n\n\n
Edit the file using nano<\/code> and configure the variables:<\/p>\n\n\n\n
remote my-server-1 1194 # my-server-1 is the server's public IP\nuser nobody\ngroup nogroup\n;ca ca.crt\n;cert client.crt\n;key client.key\n;tls-auth ta.key 1\nkey-direction 1<\/code><\/pre>\n\n\n\n
Create a script to compile the base configuration with the necessary certificate, key, and encryption files:<\/p>\n\n\n\n
$ nano config_gen.sh<\/code><\/pre>\n\n\n\n
Include the following content:<\/p>\n\n\n\n
#!\/bin\/bash# First argument: Client identifier<\/strong>\nKEY_DIR=\/etc\/openvpn\/client\nOUTPUT_DIR=\/root\nBASE_CONFIG=\/root\/openvpn-ca\/client.conf\ncat${BASE_CONFIG} \\\n    <(echo -e '<ca>') \\\n    ${KEY_DIR}\/ca.crt \\\n    <(echo -e '<\/ca>\\n<cert>') \\\n    ${KEY_DIR}\/${1}.crt \\\n    <(echo -e '<\/cert>\\n<key>') \\\n    ${KEY_DIR}\/${1}.key \\\n    <(echo -e '<\/key>\\n<tls-crypt>') \\\n    ${KEY_DIR}\/ta.key \\\n    <(echo -e '<\/tls-crypt>') \\\n    > ${OUTPUT_DIR}\/${1}.ovpn<\/code><\/pre>\n\n\n\n
Make the script executable:<\/p>\n\n\n\n
$ chmod 700 \/root\/openvpn-ca\/config_gen.sh\n$ .\/config_gen.sh client1<\/code><\/pre>\n\n\n\n
This command will create a client1.ovpn<\/code> file in the \/root\/<\/code> directory. Copy this file to your client computer and use it to connect to the OpenVPN server.<\/p>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
In this tutorial, we\u2019ve demonstrated how to install and configure OpenVPN on a Debian server. With OpenVPN, you can securely access remote networks and their resources from anywhere in the world.<\/p>\n","protected":false},"excerpt":{"rendered":"
OpenVPN is a robust, open-source VPN (Virtual Private Network) solution that enables secure connections to remote networks via the internet. In this guide, we\u2019ll walk you through the process of setting up OpenVPN on a Debian server.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[121,91,120,122],"class_list":{"0":"post-379","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"hentry","6":"category-tech","7":"tag-debian","8":"tag-linux","9":"tag-openvpn","10":"tag-server","11":"h-entry","13":"h-as-article"},"_links":{"self":[{"href":"https:\/\/www.stusc.com\/index.php?rest_route=\/wp\/v2\/posts\/379","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.stusc.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.stusc.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.stusc.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.stusc.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=379"}],"version-history":[{"count":1,"href":"https:\/\/www.stusc.com\/index.php?rest_route=\/wp\/v2\/posts\/379\/revisions"}],"predecessor-version":[{"id":380,"href":"https:\/\/www.stusc.com\/index.php?rest_route=\/wp\/v2\/posts\/379\/revisions\/380"}],"wp:attachment":[{"href":"https:\/\/www.stusc.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.stusc.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=379"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.stusc.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}