How to Install OpenVPN Server on Debian 11/12
Method 1:
Installation Using a Script
Begin by obtaining the installation script and making it executable:
$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x openvpn-install.shNext, run the script (ensure you have root privileges and the TUN module enabled):
$ ./openvpn-install.shUpon the first execution, you’ll be prompted to answer a few questions to configure your VPN server. Once OpenVPN is installed, you can rerun the script to:
$ ./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It seems like OpenVPN is already installed.
What would you like to do?
1) Add a new user
2) Revoke an existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]:This allows you to add new users or revoke existing ones.
Method 2:
Step 1: Update and Upgrade Debian
Before installing any software, it’s essential to update and upgrade your Debian system. Execute the following commands:
$ sudo apt update
$ sudo apt upgradeStep 2: Install OpenVPN
Install OpenVPN on your Debian server with the following command:
$ sudo apt install openvpn easy-rsaStep 3: Generate Certificates and Keys
OpenVPN relies on certificates and keys for client and server authentication. To generate these files, use the included easy-rsa script:
$ make-cadir ~/openvpn-ca && cd ~/openvpn-caEdit the vars file to configure Certificate Authority (CA) variables:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"Generate the required certificates and keys:
$ ./easyrsa init-pki
$ ./easyrsa build-ca
$ ./easyrsa gen-req server nopass
$ ./easyrsa sign-req server server
$ ./easyrsa gen-dh
$ openvpn --genkey --secret pki/ta.keyThese certificates and keys will be stored in the /root/openvpn-ca/pki directory.
Step 4: Configure OpenVPN
After generating certificates and keys, proceed to configure OpenVPN. Create a new configuration file with the following command:
$ zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/nullCopy the necessary files to the OpenVPN directory:
$ cp /root/openvpn-ca/pki/{ca.crt,dh.pem,ta.key} /etc/openvpn
$ cp /root/openvpn-ca/pki/issued/server.crt /etc/openvpn
$ cp /root/openvpn-ca/pki/private/server.key /etc/openvpnEdit /etc/openvpn/server.conf to match the following:
ca ca.crt
cert server.crt
key server.key # Keep this file secure
dh dh.pem
;tls-auth ta.key 0
tls-crypt ta.keySave and close the file.
Step 5: Enable IP Forwarding
Edit the sysctl configuration:
$ sudo nano /etc/sysctl.confUncomment the following line:
net.ipv4.ip_forward=1Apply the changes:
$ sudo sysctl -pStep 6: Start and Enable OpenVPN
Start and enable the OpenVPN service:
$ sudo systemctl start openvpn@server
$ sudo systemctl enable openvpn@serverThe @server specifies the configuration file you created earlier.
Step 7: Configure Firewall
Allow OpenVPN traffic through the firewall by creating a new rule:
$ sudo ufw allow OpenVPNStep 8: Connect to OpenVPN Server
With the OpenVPN server operational, you can connect to it from a client computer. Install the OpenVPN client software and download the client configuration file from the server:
$ ./easyrsa gen-req client1 nopass
$ ./easyrsa sign-req client client1
$ cp pki/private/client1.key /etc/openvpn/client/
$ cp pki/issued/client1.crt /etc/openvpn/client/
$ cp pki/{ca.crt,ta.key} /etc/openvpn/client/Create a client configuration file in the /root/openvpn-ca directory:
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root/openvpn-ca/Edit the file using nano and configure the variables:
remote my-server-1 1194 # my-server-1 is the server's public IP
user nobody
group nogroup
;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1
key-direction 1Create a script to compile the base configuration with the necessary certificate, key, and encryption files:
$ nano config_gen.shInclude the following content:
#!/bin/bash# First argument: Client identifier
KEY_DIR=/etc/openvpn/client
OUTPUT_DIR=/root
BASE_CONFIG=/root/openvpn-ca/client.conf
cat${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-crypt>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-crypt>') \
> ${OUTPUT_DIR}/${1}.ovpnMake the script executable:
$ chmod 700 /root/openvpn-ca/config_gen.sh
$ ./config_gen.sh client1This command will create a client1.ovpn file in the /root/ directory. Copy this file to your client computer and use it to connect to the OpenVPN server.
Conclusion
In this tutorial, we’ve demonstrated how to install and configure OpenVPN on a Debian server. With OpenVPN, you can securely access remote networks and their resources from anywhere in the world.
