How To Configure OpenVPN on Debian & Ubuntu

Install the OpenVPN and easy-rsa packages

user@localhost:~$ sudo apt update
user@localhost:~$ sudo apt install openvpn easy-rsa

Basic configuration

  • Configuration file

Copy the example from the documentation folder (on Debian and Ubuntu it is shipped gzipped)

user@localhost:~$ zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/null

Go to the program settings folder

user@localhost:~$ cd /etc/openvpn

Open the main configuration file in a text editor

user@localhost:~$ sudo nano server.conf

Set the dh parameter to point at the file ‘/etc/openvpn/dh.pem’

dh /etc/openvpn/dh.pem

Next, find the line (the quotes are part of the directive, since push takes its argument as one quoted string):

;push "redirect-gateway def1 bypass-dhcp"

Then uncomment it

push "redirect-gateway def1 bypass-dhcp"

Find the user parameter and set its value to nobody:

user nobody

Do the same with the group; on Debian and Ubuntu the unprivileged group is called nogroup (there is no group named nobody):

group nogroup

The paths to keys and certificates:

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0

  • Generation of keys and certificates

user@localhost:~$ mkdir -p ~/easy-rsa
user@localhost:~$ cp -rf /usr/share/easy-rsa/* ~/easy-rsa
user@localhost:~$ cd ~/easy-rsa

user@localhost:~$ ./easyrsa init-pki

This creates a pki folder with the subdirectories the utility needs

user@localhost:~$ ./easyrsa gen-dh

This takes some time; the file is generated as ~/easy-rsa/pki/dh.pem

user@localhost:~$ ./easyrsa build-ca

You will be asked for a new password for the private key of your root certificate.

Enter the password and write it down in a safe place: it will be requested every time this CA signs a certificate.

user@localhost:~$ ./easyrsa build-server-full server nopass
user@localhost:~$ ./easyrsa build-client-full client nopass

Copy the generated files into /etc/openvpn and create the static TLS auth key referenced by the tls-auth line (easy-rsa does not generate it):

user@localhost:~$ sudo cp pki/ca.crt pki/dh.pem pki/private/server.key pki/issued/server.crt /etc/openvpn/
user@localhost:~$ sudo openvpn --genkey --secret /etc/openvpn/ta.key
user@localhost:~$ sudo chown root /etc/openvpn/*

Check that the configuration works

user@localhost:~$ sudo openvpn /etc/openvpn/server.conf

You should get output like this

Tue Aug 13 09:31:11 2019 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Tue Aug 13 09:31:11 2019 Diffie-Hellman initialized with 2048 bit key
Tue Aug 13 09:31:11 2019 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Tue Aug 13 09:31:11 2019 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Tue Aug 13 09:31:11 2019 ROUTE_GATEWAY 172.16.2.1/255.255.255.0 IFACE=eth0 HWADDR=52:54:00:10:3b:15
Tue Aug 13 09:31:11 2019 TUN/TAP device tun0 opened
Tue Aug 13 09:31:11 2019 TUN/TAP TX queue length set to 100
Tue Aug 13 09:31:11 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Aug 13 09:31:11 2019 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Aug 13 09:31:11 2019 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue Aug 13 09:31:11 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Aug 13 09:31:11 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Aug 13 09:31:11 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Aug 13 09:31:11 2019 UDPv4 link remote: [AF_UNSPEC]
Tue Aug 13 09:31:11 2019 MULTI: multi_init called, r=256 v=256
Tue Aug 13 09:31:11 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Aug 13 09:31:11 2019 IFCONFIG POOL LIST
Tue Aug 13 09:31:11 2019 Initialization Sequence Completed

Press Ctrl+C to interrupt the process

Tue Aug 13 09:31:12 2019 event_wait : Interrupted system call (code=4)
Tue Aug 13 09:31:14 2019 /sbin/ip route del 10.8.0.0/24
Tue Aug 13 09:31:14 2019 Closing TUN/TAP interface
Tue Aug 13 09:31:14 2019 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Aug 13 09:31:14 2019 SIGINT[hard,] received, process exiting

Start OpenVPN as a service; systemd lets you run an individual configuration by appending its name after ‘@’ (openvpn@server uses /etc/openvpn/server.conf)

user@localhost:~$ sudo systemctl start openvpn@server
user@localhost:~$ systemctl status openvpn@server

Open port 1194 in the firewall

If firewalld is active, run

user@localhost:~$ sudo firewall-cmd --zone public --add-service=openvpn
user@localhost:~$ sudo firewall-cmd --runtime-to-permanent

For those who prefer iptables with netfilter-persistent, insert a rule like this before the rules that drop traffic. The default server.conf uses proto udp (see the UDPv4 lines in the output above), so the rule must open UDP, not TCP

(This depends heavily on your current rule set; before adding it, check the existing rules with sudo iptables -nvL --line-numbers so that the position, 4 here, is right)

user@localhost:~$ sudo iptables -I INPUT 4 -p udp --dport 1194 -j ACCEPT
user@localhost:~$ sudo service netfilter-persistent save

For those who chose nftables, add this line to the input chain in /etc/nftables.conf, before the drop rules

udp dport 1194 accept

Reload the rules

With this, the basic setup on the server side is complete
