Debian GNU/Linux
OpenVPN (2023)
Source: https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-12/
Server
On the server.
Install dependencies (with root access):
apt install openvpn easy-rsa rsync
Generate reqs/server.req and private/server.key in /etc/openvpn/server/easy-rsa/pki (with root access):
mkdir /etc/openvpn/server/easy-rsa && cd /etc/openvpn/server/easy-rsa
cp -r /usr/share/easy-rsa/* ./
chmod 700 .
./easyrsa init-pki
./easyrsa gen-req server nopass
cp /etc/openvpn/server/easy-rsa/pki/reqs/server.req /etc/openvpn/server/
cp /etc/openvpn/server/easy-rsa/pki/private/server.key /etc/openvpn/server/
Generate extra shared secret key for server and clients (with root access):
./easyrsa gen-dh
openvpn --genkey secret ta.key
cp ta.key /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
(cd /etc/openvpn/server/ && ln -s dh.pem dh2048.pem)
Generate CA Certificate
Use a secure computer, ideally not the server and not a client.
Install dependencies (with root access):
apt install openvpn easy-rsa rsync
Generate CA Certificate (in ./easy-rsa_ca/pki/ca.crt)
mkdir easy-rsa_ca && cd easy-rsa_ca
cp -r /usr/share/easy-rsa/* ./
chmod 700 .
./easyrsa init-pki
# You can edit `pki/vars` to change configuration
./easyrsa build-ca # nopass
Get server.req from the server and sign it:
rsync -rlPthvc root@SERVER:/etc/openvpn/server/easy-rsa/pki/reqs/server.req ./
./easyrsa import-req server.req SERVER_NAME
./easyrsa sign-req server SERVER_NAME
Send pki/issued/SERVER_NAME.crt and pki/ca.crt to the server:
rsync -rlPthvc pki/issued/SERVER_NAME.crt root@SERVER:/etc/openvpn/server/server.crt
rsync -rlPthvc pki/ca.crt root@SERVER:/etc/openvpn/server/
Configure & Run Server
Configure (with root access):
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/
You can edit the /etc/openvpn/server/server.conf file.
To redirect all clients' network traffic, you can add these lines:
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
Edit /etc/sysctl.conf and uncomment this line so packet forwarding is enabled:
net.ipv4.ip_forward=1
You can run the server with these commands (with root access; replace ens3 / eth0 below with the server's outbound interface, which ip route show default prints, and keep the -s filter so NAT applies only to the VPN subnet):
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s fd42:feed:feed:feed::/64 -o eth0 -j MASQUERADE
(cd /etc/openvpn/server && openvpn server.conf)
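Before starting the server it is worth checking that every file the sample server.conf refers to is in place and that the private material is not readable by other users. This is an added pre-flight check, not from the page or from the OpenVPN/easy-rsa projects; it assumes the file layout the steps above produce under /etc/openvpn/server (the directory is a parameter so it can be run against a copy).

```shell
# check_server_dir DIR: returns 0 when every file the sample server.conf needs is
# present and the private key / TLS-auth secret are owner-only; prints each problem.
check_server_dir() {
  dir=$1
  rc=0
  # Files referenced by the sample server.conf (dh2048.pem is the symlink to dh.pem).
  for f in ca.crt server.crt server.key dh2048.pem ta.key server.conf; do
    if [ ! -e "$dir/$f" ]; then
      echo "missing: $dir/$f"
      rc=1
    fi
  done
  # server.key and ta.key must have no group/other permission bits at all.
  for f in server.key ta.key; do
    [ -e "$dir/$f" ] || continue
    bits=$(ls -ld "$dir/$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
      echo "too permissive ($bits): $dir/$f (fix: chmod 600 $dir/$f)"
      rc=1
    fi
  done
  return $rc
}

# forwarding_enabled: returns 0 when the kernel currently routes between interfaces
# (the sysctl step above must have been applied).
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage (as root, on the server):
#   check_server_dir /etc/openvpn/server && forwarding_enabled && echo "ready to start"
```

The permission check parses ls -ld rather than stat so it works in a plain POSIX sh; a symlinked dh2048.pem is only tested for existence, since it holds public parameters.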
Client
Generate reqs/CLIENT_NAME.req and private/CLIENT_NAME.key files (in ./easy-rsa_client-CLIENT_NAME/pki directory)
mkdir easy-rsa_client-CLIENT_NAME && cd easy-rsa_client-CLIENT_NAME
cp -r /usr/share/easy-rsa/* ./
chmod 700 .
./easyrsa init-pki
./easyrsa gen-req CLIENT_NAME nopass
cp pki/private/CLIENT_NAME.key ./client.key
On the CA computer, get CLIENT_NAME.req, copy it into ./easy-rsa_ca/pki/reqs and sign it:
./easyrsa sign-req client CLIENT_NAME
Send pki/issued/CLIENT_NAME.crt and pki/ca.crt to the client.
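After signing the server request (above, under Generate CA Certificate) and each client request, confirm on the CA computer that the issued certificate chains to pki/ca.crt and carries the role it was signed for: easy-rsa gives a "server" certificate the TLS Web Server Authentication extended key usage and a "client" certificate the TLS Web Client Authentication one, and a client that keeps remote-cert-tls server in its configuration uses exactly that extension to refuse a peer presenting a client certificate as the server. This is an added check, not from the page or from easy-rsa; it uses only the openssl command line, and the file paths in the usage lines are the ones from the steps above.

```shell
# cert_role FILE: prints "server", "client" or "none" from the certificate's
# X509v3 Extended Key Usage extension.
cert_role() {
  eku=$(openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
  case $eku in
    *"TLS Web Server Authentication"*) echo server ;;
    *"TLS Web Client Authentication"*) echo client ;;
    *) echo none ;;
  esac
}

# check_issued CA_CRT CERT EXPECTED_ROLE: returns 0 when CERT verifies against CA_CRT
# and its EKU matches EXPECTED_ROLE ("server" or "client"); prints the mismatch otherwise.
check_issued() {
  ca=$1; crt=$2; want=$3
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "$crt does not chain to $ca"
    return 1
  fi
  got=$(cert_role "$crt")
  if [ "$got" != "$want" ]; then
    echo "$crt has EKU role '$got', expected '$want'"
    return 1
  fi
}

# Usage, in ./easy-rsa_ca after signing:
#   check_issued pki/ca.crt pki/issued/SERVER_NAME.crt server
#   check_issued pki/ca.crt pki/issued/CLIENT_NAME.crt client
```

A certificate that comes back as "none" or with the wrong role was signed with the wrong type argument to sign-req; reissue it rather than shipping it, because a client certificate that also passes as a server certificate defeats the remote-cert-tls check.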
Configure the client:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ./
You can edit the client.conf file.
Change the server hostname or IP.
Add these lines:
# https://serverfault.com/questions/670440/in-openvpn-whats-the-risk-of-omitting-the-key-direction-when-using-tls-auth
key-direction 1
Client needs:
- client.key
- CLIENT_NAME.crt (rename it client.crt) and ca.crt from the CA
- ta.key from the server
Run the client (with root access):
openvpn ./client.conf
It is possible to combine all files into one profile (client.ovpn) by commenting out the file directives and appending the file contents inline:
sed -e 's/ca ca.crt/;ca ca.crt/g' -e 's/cert client.crt/;cert client.crt/g' -e 's/key client.key/;key client.key/g' -e 's/tls-auth ta.key 1/;tls-auth ta.key 1/g' client.conf > client.ovpn
echo -e "\n<ca>\n`cat ca.crt`\n</ca>\n\n<cert>\n`cat client.crt`\n</cert>\n\n<key>\n`cat client.key`\n</key>\n\n<tls-auth>\n`cat ta.key`\n</tls-auth>" >> client.ovpn
Run the client (with root access):
openvpn ./client.ovpn
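A combined profile fails at connect time if a file directive was left active or a block was appended twice, and silently falls back to an unauthenticated-control-channel error if key-direction 1 is missing (the inline <tls-auth> block carries no direction argument, which is the point of the serverfault link above). This added check, not from the page or from OpenVPN, validates a client.ovpn built as described; it assumes the four inline blocks and the key-direction / remote-cert-tls lines are each on their own line.

```shell
# check_ovpn FILE: returns 0 when the profile is self-contained and consistent;
# prints every problem it finds.
check_ovpn() {
  f=$1
  rc=0
  # Each inline block must open and close exactly once.
  for tag in ca cert key tls-auth; do
    opens=$(grep -c "^<$tag>\$" "$f" || true)
    closes=$(grep -c "^</$tag>\$" "$f" || true)
    if [ "$opens" != 1 ] || [ "$closes" != 1 ]; then
      echo "inline <$tag> block malformed (open=$opens close=$closes)"
      rc=1
    fi
  done
  # A file directive still active next to an inline block makes openvpn look for a
  # file that is not shipped with the profile.
  if grep -Eq '^(ca|cert|key|tls-auth) ' "$f"; then
    echo "file-based directive still active: $(grep -E '^(ca|cert|key|tls-auth) ' "$f" | head -n 1)"
    rc=1
  fi
  # The inline <tls-auth> block has no direction argument, so key-direction is required.
  if ! grep -q '^key-direction 1$' "$f"; then
    echo "missing: key-direction 1"
    rc=1
  fi
  # Keeps the client from accepting a peer that presents a client certificate
  # (present in the sample client.conf; do not remove it when editing).
  if ! grep -q '^remote-cert-tls server$' "$f"; then
    echo "missing: remote-cert-tls server"
    rc=1
  fi
  return $rc
}

# Usage: check_ovpn client.ovpn && openvpn ./client.ovpn
```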