Create an OpenVPN server on debian

Server Configuration

Install OpenVPN

sudo apt update && apt install openvpn

Copy the easy-rsa directory

easy-rsa is used to generate certificates.

sudo cp -pr /usr/share/easy-rsa /etc/openvpn/server/ && cd /etc/openvpn/server/easy-rsa

1
/
2
└── 📁etc
3
    └── 📁openvpn
4
        └── 📁server
5
            └── 📁easy-rsa

Rename and edit the vars file from template

cp vars.example vars && nano vars

1
/
2
└── 📁etc
3
    └── 📁openvpn
4
        └── 📁server
5
            └── 📁easy-rsa
6
                ├── 📄vars.example
7
                └── 📄vars

Search for the following block:

# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate.  Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)

#set_var EASYRSA_REQ_COUNTRY    "US"
#set_var EASYRSA_REQ_PROVINCE   "California"
#set_var EASYRSA_REQ_CITY       "San Francisco"
#set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL      "me@example.net"
#set_var EASYRSA_REQ_OU         "My Organizational Unit"

# Choose a size in bits for your keypairs. The recommended value is 2048.  Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)

Uncomment the lines and enter your configuration:

set_var EASYRSA_REQ_COUNTRY     "FR"
set_var EASYRSA_REQ_PROVINCE    "France"
set_var EASYRSA_REQ_CITY        "maville"
set_var EASYRSA_REQ_ORG "xsec"
set_var EASYRSA_REQ_EMAIL       "test@gmail.com"
set_var EASYRSA_REQ_OU          "it"

Create the Certificate Authority

Here without password, in production it’s recommended to set one.

./easyrsa init-pki

./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: /etc/openvpn/server/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................+++++
..................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/server/easy-rsa/pki/ca.crt

Common Name [Easy-RSA CA]: Press Enter to keep the default name.

Generate the server certificate

Here without password, in production it’s recommended to set one.

./easyrsa build-server-full server nopass

Generate the client certificate

Here without password, in production it’s recommended to set one.

./easyrsa build-client-full client nopass

Generate the dh.pem file

This file will be used for the first connection with symmetric encryption

./easyrsa gen-dh

This operation may take time, depending on your machine’s power.

Generate the key file

openvpn --genkey tls-auth ta.key

Reorder the files

Copy the entire directory of generated files from the server and the Certificate Authority to /etc/openvpn/

cp pki/issued/server.crt pki/private/server.key pki/ca.crt pki/dh.pem ta.key /etc/openvpn/

1
/
2
└── 📁etc
3
    └── 📁openvpn
4
        ├── 📄server.crt
5
        ├── 📄server.key
6
        ├── 📄ca.crt
7
        ├── 📄dh.pem
8
        └── 📄ta.key

Copy the entire directory of generated files from the client to /etc/openvpn/client/

cp pki/issued/client.crt pki/private/client.key pki/ca.crt pki/dh.pem ta.key /etc/openvpn/client/

1
/
2
└── 📁etc
3
    └── 📁openvpn
4
        └── 📁client
5
            ├── 📄client.crt
6
            ├── 📄client.key
7
            ├── 📄ca.crt
8
            ├── 📄dh.pem
9
            └── 📄ta.key

Create the configuration file from the template

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server.conf && cd /etc/openvpn

1
/
2
└── 📁etc
3
    └── 📁openvpn
4
        ├── 📄server.conf
5
    ├── 📄server.crt
6
        ├── 📄server.key
7
        ├── 📄ca.crt
8
        ├─��� 📄dh.pem
9
        └── 📄ta.key

Here we copy the configuration file to the default directory /etc/openvpn/ and enter the directory.

Rename the dh.pem file

mv /etc/openvpn/dh.pem /etc/openvpn/dh2048.pem

Note

By renaming it to dh2048.pem, the file server.conf will recognize it directly, since the file name dh2048.pem is specified by default.

Test the configuration

openvpn --config /etc/openvpn/server.conf

Tip

If your configuration is correct, you will see in the last line:

1
Initialization Sequence Completed

Erreur “Already in use”

Danger

If you already have an instance of openvpn running, there may be a conflict with the installation (error: Alredy in use).
You need to find the process that blocks the port of the service.

You can list the list of used ports:

ss -na

You can filter the default port of OpenVPN to see if an instance is running:

ss -pan | grep 1194
udp   UNCONN 0      0                                         0.0.0.0:1194             0.0.0.0:*      users:(("openvpn",pid=8660,fd=7))

You can see the pid=8660 here, you need to stop this process:

sudo kill -9 8660

Continue the operation until ss -pan | grep 1194 no longer returns a result (adapt the pid each time)

Restart openvpn on the server

systemctl daemon-reload && systemctl restart openvpn

Note

You can add systemctl enable openvpn to make OpenVPN start automatically with the machine.

Client Configuration

Install OpenVPN on the client

apt update && apt install openvpn

Copy files from /etc/openvpn/client directory to transfer them to the client machine

On the client machine, move them to /etc/openvpn/

1
/
2
└── 📁etc
3
    └── 📁openvpn
4
        ├── 📄client.crt
5
        ├── 📄client.key
6
        ├── 📄ca.crt
7
        ├── 📄dh.pem
8
        └── 📄ta.key

Copy and edit the client configuration file

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/ && nano /etc/openvpn/client.conf

1
/
2
└── 📁etc
3
    └── 📁openvpn
4
        └── 📄client.conf

1
##############################################
2
# Sample client-side OpenVPN 2.0 config file #
3
# for connecting to multi-client server.     #
4
#                                            #
5
# This configuration can be used by multiple #
6
# clients, however each client should have   #
7
# its own cert and key files.                #
8
#                                            #
9
# On Windows, you might want to rename this  #
10
# file so it has a .ovpn extension           #
11
##############################################
12

13
# Specify that we are a client and that we
14
# will be pulling certain config file directives
15
# from the server.
16
client
17

18
# Use the same setting as you are using on
19
# the server.
20
# On most systems, the VPN will not function
21
# unless you partially or fully disable
22
# the firewall for the TUN/TAP interface.
23
;dev tap
24
dev tun
25

26
# Windows needs the TAP-Win32 adapter name
27
# from the Network Connections panel
28
# if you have more than one.  On XP SP2,
29
# you may need to disable the firewall
30
# for the TAP adapter.
31
;dev-node MyTap
32

33
# Are we connecting to a TCP or
34
# UDP server?  Use the same setting as
35
# on the server.
36
;proto tcp
37
proto udp
38

39
# The hostname/IP and port of the server.
40
# You can have multiple remote entries
41
# to load balance between the servers.
42
remote my-server-1 1194
43
;remote my-server-2 1194

Replace remote my-server-1 1194 by remote OPENVPN_SERVER_IP 1194

Restart OpenVPN on the client

sudo systemctl daemon-reload && systemctl restart openvpn

Note (Make it autostart at session)

You can add systemctl enable openvpn to make OpenVPN start automatically with the machine.

Connect to the OpenVPN server

openvpn --config /etc/openvpn/client.conf

If your configuration is correct, you will see in the last line: Initialization Sequence Completed