Openvpn Server Debian 11
Install OpenVPN server on Linux Debian 9
This post was last revised 1 year ago. Links may no longer be valid, interfaces may have changed, or functions may no longer work as explained here. If you notice such a case, it would be great if you could report it via the report bugs function. Thanks a lot!
With OpenVPN you can set up your own VPN server. The software is free and open source. In this post I show how to install your own server under Debian 9 and let your clients connect to it.
Log in as root on the vServer and make sure all packages are up to date:
apt-get update && apt-get upgrade -y
Now use the following command to download and run the installation script:
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
First you will be asked to enter the IP address of the server. Enter it and press Enter.
Now you have to select the protocol that will be used for the connections. UDP is recommended here. UDP is faster, but with TCP the destination server sends confirmation packets for sent packets, which is more reliable but also slower. I therefore tend to use TCP, so I enter 2.
Next the port is requested. OpenVPN defaults to port 1194, but it makes more sense to change it, so that it is not directly obvious that OpenVPN is running on this server. It also has the advantage that the VPN will work even on networks that block the VPN ports. I therefore use port 443, which is used by default for HTTPS. Depending on the server provider, the port may still need to be unblocked later in the firewall.
Now specify which DNS server you want to use. This doesn’t really matter, so I simply use 1.1.1.1 and enter the number 2 in the field.
Last but not least, a client certificate is created. It will then be installed on the client that should use this OpenVPN server. It is best to name it after the device, so that you keep an overview of the certificates later. If you want to build a VPN network, it is recommended to name the client after the location. I call mine PC-Janis.
OpenVPN is now ready for installation. Press any key to start. After a few seconds the installation is finished.
The client certificate just created must now be installed on the client. Connect to the server via FTP, download the file and copy it to the device. Note that the file should not fall into the wrong hands: anyone with this certificate can easily connect via VPN. For Windows you can find the OpenVPN client here. For smartphones, there is an app in the respective store.
Create additional client certificate
Surely more than one client should be able to access the VPN, so further client certificates are needed. To create them, simply run the script downloaded at the beginning again. First make it executable:
chmod +x openvpn-install.sh
Then execute it:
./openvpn-install.sh
Since OpenVPN is already installed, you now get different choices than during the installation. To create a certificate, enter 1. Again enter a name and press Enter. The certificate will be generated within a few seconds.
Import client certificate under Windows
If OpenVPN is installed on the Windows client, you will find another icon in the taskbar. Right-click it and select Import file in the context menu. Navigate to the file and select it. To connect to the VPN, right-click the icon again and click Connect at the top. A new window with a log appears. As soon as the connection is established, it says succeeded and a sound with a message from Windows appears.
If the connection cannot be established, the port has probably not yet been released in the firewall. To disconnect, click Disconnect in the context menu of OpenVPN. All imported client certificates can be found under:
C:\USER\OpenVPN\config.
Import client certificate on Android
For Android, you need the OpenVPN for Android app from the Google Play Store, plus the client certificate created for the device. Launch the app and select OVPN Profile from the menu. Navigate to the path where the client certificate is located and select it. Then click IMPORT in the upper right corner. Next you can give the VPN connection a name. Then click ADD. In the OVPN Profiles overview you can now simply click the connection to establish it. If the connection cannot be established, the port has probably not yet been released in the firewall.
Windows Autostart: Establish connection at system startup
If you want OpenVPN to automatically establish a connection directly after the Windows login, you have to create a shortcut in the Autostart folder. Specify the following path as the location of the item; the connect parameter takes the name of the profile including its file extension:
"C:\Program Files\OpenVPN\openvpn-gui.exe" --connect "PROFIL_NAME.ovpn"
How does this VPN connection work?
Once the VPN connection is established, all traffic from the client goes through the VPN server. Your IP address on the Internet is now that of the server; no one will know your actual IP address. The data from the client is encrypted and transferred to the VPN server, so the internet provider or the owner of the Wi-Fi network cannot see what the client is doing on the Internet. The VPN server transmits the requests from the client to the Internet and forwards the responses back to the client.
Source: hide-my-ass-anonym.blogspot.com
Introduction
This guide describes how to install an OpenVPN server and has been verified with Ubuntu as well as Debian.
Installation of the OpenVPN server
Installation of the available updates as well as the needed packages
1. First of all, it is important to bring the Debian system up to date by installing all available updates from the repository using the following commands:
# apt-get update
# apt-get upgrade
2. In the next step you can install OpenVPN from the repository:
# apt-get install openvpn
Adopt and adjust the sample configuration
1. For an OpenVPN server, it is recommended that you use the OpenVPN sample configuration as the basis for your configuration. You can copy it using the following commands:
# cd /usr/share/doc/openvpn/examples/sample-config-files/
# cp server.conf.gz /etc/openvpn/.
2. Since the sample configuration file is shipped as a gzip archive, it is necessary to unpack it:
# cd /etc/openvpn/
# gunzip server.conf.gz
Copy Easy-RSA certificate scripts
1. To easily create and manage the certificates, copy the key management scripts to the directory /etc/openvpn/easy-rsa:
# mkdir /etc/openvpn/easy-rsa/ && cp -R /usr/share/easy-rsa/ /etc/openvpn/
2. In the next steps the created certificates and keys will be stored in the folder “keys”, but this folder does not exist yet. Create it with the following commands:
# cd /etc/openvpn/easy-rsa
# mkdir keys
3. The OpenSSL configuration file openssl.cnf must also exist. You can copy the already existing file openssl-1.0.0.cnf for this:
# cp openssl-1.0.0.cnf openssl.cnf
Adjusting Easy-RSA parameters
1. The parameters for Easy-RSA are in the file /etc/openvpn/easy-rsa/vars, from which they are later loaded into your current environment variables. To edit this file, you can use any text editor such as vim or nano.
# vim vars
2. Now adapt the following lines in the file vars to your purposes:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
For example, it would be possible to store the following settings:
export KEY_COUNTRY="DE"
export KEY_PROVINCE="BY"
export KEY_CITY="Ismaning"
export KEY_ORG="JiffyBox VPN"
export KEY_EMAIL="[email protected]"
3. You can use the following command to include the variables stored in the “vars” file in your current environment variables. Among other things, this is necessary so that these settings can be used as defaults when you create the certificates.
# source ./vars
Create certificates
Create CA
Now, before you can create the certificates for the OpenVPN server as well as the clients, it is necessary to create the CA certificate to sign the server and client certificates. You can do this with the following commands. Here you can simply accept the parameters configured in the square brackets in the previous step by pressing the Enter key.
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
.........................++++++
.....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BY]:
Locality Name (eg, city) [Ismaning]:
Organization Name (eg, company) [JiffyBox VPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [[email protected]]:
Create Server Certificate
You can easily create the certificate for the OpenVPN server with the following command. Here, however, it is important that the “Common Name” corresponds to the host name of the OpenVPN server. Please confirm twice at the end with y that you want to sign the newly created server certificate.
# ./build-key-server j12345.servers.jiffybox.net
Generating a 1024 bit RSA private key
...++++++
........++++++
writing new private key to 'j58613.servers.jiffybox.net.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BY]:
Locality Name (eg, city) [Ismaning]:
Organization Name (eg, company) [JiffyBox VPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [j12345.servers.jiffybox.net]:
Name [changeme]:JiffyBox VPN Server
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'BY'
localityName          :PRINTABLE:'Ismaning'
organizationName      :PRINTABLE:'JiffyBox VPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'j12345.servers.jiffybox.net.'
name                  :PRINTABLE:'JiffyBox VPN-Server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 14 10:41:34 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create client certificate
Creating the client certificates is much like creating the server certificate, but please use the script “build-key” here. Again, it is important that the “Common Name” corresponds to the host name of the OpenVPN client. At the end, please also confirm twice with y that the newly created client certificate should be signed. You can repeat this step for each client that should log in with a certificate.
# ./build-key client1.domain.tld
Generating a 1024 bit RSA private key
......++++++
.......++++++
writing new private key to 'client1.domain.tld.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BY]:
Locality Name (eg, city) [Ismaning]:
Organization Name (eg, company) [JiffyBox VPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1.domain.tld]:
Name [changeme]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'BY'
localityName          :PRINTABLE:'Ismaning'
organizationName      :PRINTABLE:'JiffyBox VPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client1.domain.tld'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 14 12:52:31 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create client certificate (with password)
The creation of the client certificate is similar to the creation of the server certificate, but please use the script build-key-pass. Creating a certificate with password protection is recommended especially for mobile computers, so that if the device is lost, the password is still needed to get into the VPN network. Again, the “Common Name” should correspond to the host name of the OpenVPN client. At the end, please also confirm twice with y that the newly created client certificate should be signed. You can repeat this step for each client that should log in with a certificate and additionally with a password.
# ./build-key-pass windows-client.local
Generating a 1024 bit RSA private key
..++++++
.......++++++
writing new private key to 'windows-client.local.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BY]:
Locality Name (eg, city) [Ismaning]:
Organization Name (eg, company) [JiffyBox VPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [windows-client.local]:
Name [changeme]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'BY'
localityName          :PRINTABLE:'Ismaning'
organizationName      :PRINTABLE:'JiffyBox VPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'windows-client.local'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 18 09:55:41 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
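
To check which issued keys are passphrase-protected (build-key-pass) and which are not (build-key), the PEM header lines are enough. The following shell code is an added example, not part of the original guide; the key files it writes are constructed placeholders and old-laptop.local is a hypothetical client name.

```shell
#!/bin/sh
# Added example, not from the original guide. The PEM bodies below are
# constructed placeholders, not real key material.

# Classify a PEM private key by its header lines only.
key_protection() {            # usage: key_protection FILE
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted        # PKCS#8 container protected by a passphrase
    elif grep -q -e '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        # Traditional PEM keys flag encryption in a Proc-Type header.
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted
        else
            echo plaintext
        fi
    else
        echo unknown          # not a PEM private key at all
    fi
}

# Print "<status> <file name>" for every *.key file in DIR.
keys_report() {               # usage: keys_report DIR
    for f in "$1"/*.key; do
        [ -f "$f" ] || continue
        echo "$(key_protection "$f") ${f##*/}"
    done
}

# Constructed sample keys directory (old-laptop.local is a hypothetical name).
make_sample_keys() {          # usage: make_sample_keys DIR
    body='Q09OU1RSVUNURUQ='
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$body" \
        '-----END PRIVATE KEY-----' > "$1/client1.domain.tld.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$body" \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/windows-client.local.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' "$body" \
        '-----END RSA PRIVATE KEY-----' > "$1/old-laptop.local.key"
    printf '%s\n' 'not a key' > "$1/notes.key"
}

tmp=$(mktemp -d)
make_sample_keys "$tmp"
keys_report "$tmp"
rm -rf "$tmp"
```

Run against /etc/openvpn/easy-rsa/keys, keys_report shows which client keys would let a finder of the device straight into the VPN.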
Create Diffie-Hellman parameters on the server
In order to transfer the keys securely over a potentially insecure connection (through the Internet) when establishing the connection, the Diffie-Hellman parameters are required. You can create them with the following command:
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
........................+..........+...........................+.................................+..........++*++*++*
Adjust OpenVPN config file
1. Finally, adjust the OpenVPN sample configuration file copied in one of the previous steps. You can do this with vim or another text editor, for example:
# vim /etc/openvpn/server.conf
2. Next, adjust the following entries to suit your deployment:
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;user nobody
;group nogroup
After editing, these entries could look like the following, for example. To avoid problems with the certificates, the absolute paths to the certificates were used in this example:
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/j12345.servers.jiffybox.net.crt
key /etc/openvpn/easy-rsa/keys/j12345.servers.jiffybox.net.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 172.16.0.0 255.255.255.0
user nobody
group nogroup
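
The following shell code is an added example, not part of the original guide. It audits a server.conf for the entries discussed above: active ca, cert, key and dh directives with absolute paths that exist, a private key that group and others cannot read, and uncommented user and group lines. The sample files are constructed; it assumes GNU stat as found on Debian, and that the 1024-bit build-dh run shown earlier left a file named dh1024.pem.

```shell
#!/bin/sh
# Added example, not from the original guide. All files are constructed samples.

# Print the first argument of an active directive; lines starting with
# '#' or ';' are comments in OpenVPN config files and are skipped.
ovpn_directive() {            # usage: ovpn_directive CONF NAME
    awk -v name="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == name    { print $2; exit }
    ' "$1"
}

# Print one finding per line; return 0 if the config passes, 1 otherwise.
audit_openvpn_conf() {        # usage: audit_openvpn_conf CONF
    conf=$1
    rc=0
    for d in ca cert key dh; do
        path=$(ovpn_directive "$conf" "$d")
        if [ -z "$path" ]; then
            echo "MISSING $d"; rc=1; continue
        fi
        case $path in
            /*) ;;
            *)  echo "RELATIVE $d $path"; rc=1; continue ;;
        esac
        if [ ! -f "$path" ]; then
            echo "NOFILE $d $path"; rc=1; continue
        fi
        if [ "$d" = key ]; then
            # Octal mode from GNU stat; the last two digits are group/other.
            case $(stat -c %a "$path") in
                0|*00) ;;
                *) echo "PERMS key $path"; rc=1 ;;
            esac
        fi
    done
    for d in user group; do
        # Without these the daemon keeps root after initialisation.
        if [ -z "$(ovpn_directive "$conf" "$d")" ]; then
            echo "ROOT $d"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the stock entries, the edited entries, and a keys
# directory holding dh1024.pem (assumed result of a 1024-bit build-dh).
make_sample() {               # usage: make_sample DIR
    k=$1/keys
    mkdir -p "$k"
    : > "$k/ca.crt"; : > "$k/server.crt"; : > "$k/dh1024.pem"
    : > "$k/server.key"; chmod 644 "$k/server.key"
    printf '%s\n' 'ca ca.crt' 'cert server.crt' \
        'key server.key  # This file should be kept secret' \
        'dh dh2048.pem' ';user nobody' ';group nogroup' > "$1/sample.conf"
    printf '%s\n' "ca $k/ca.crt" "cert $k/server.crt" "key $k/server.key" \
        "dh $k/dh2048.pem" 'user nobody' 'group nogroup' > "$1/edited.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_openvpn_conf "$tmp/edited.conf" || true   # reports PERMS and NOFILE
rm -rf "$tmp"
```
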
Starting the OpenVPN service
1. Since the OpenVPN server setup is now complete, you can start your OpenVPN server with the following command:
# service openvpn start
2. A line like the following should now appear in the syslog (/var/log/syslog), telling you that the OpenVPN server has been started successfully and is now active:
Aug 16 15:48:22 localhost ovpn-server[5839]: Initialization Sequence Completed
3. Furthermore, you can check with the command ifconfig whether an additional interface tun0, provided by the OpenVPN service, has been created:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00
     inet addr:172.16.0.1 P-t-P:172.16.0.2 Mask:255.255.255.255
     UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
     RX packets:0 errors:0 dropped:0 overruns:0 frame:0
     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100
     RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Installation and setup of the OpenVPN client on a Windows system
Below is a description of how to connect to an OpenVPN server using the Windows OpenVPN client.
Download of the OpenVPN client
First of all, please download and install the latest version of the OpenVPN client from the OpenVPN project website: https://openvpn.net/index.php/open-source/downloads.html. If you are using a 64-bit Windows operating system, it is necessary to download and install the 64-bit version of the OpenVPN client.
Transferring the certificates from the server
For the operation of the OpenVPN client it is necessary that the CA certificate, the client certificate and the client key are transferred from the OpenVPN server.
Transferring the certificate files
The required files are located on the OpenVPN server in the following path:
/etc/openvpn/easy-rsa/keys
The following files have to be transferred from this directory to the Windows OpenVPN client in the directory C:\Program Files\OpenVPN\config:
- ca.crt
Transferring the client configuration
1. You can transfer the sample configuration file from the OpenVPN server to your Windows client and adjust it there accordingly. You can find this file under the following path on the OpenVPN server: /usr/share/doc/openvpn/examples/sample-config-files/client.conf. Please also save this file in the directory C:\Program Files\OpenVPN\config. However, please note that the file extension must be “.ovpn”, otherwise the OpenVPN client will not recognize it (sample file name: client.ovpn).
2. The following lines have to be adapted if necessary, so that the OpenVPN connection works:
remote my-server-1 1194
cert client.crt
key client.key
These could then look like this after editing, for example:
remote ip.ip.ip 94
cert windows-client.local.crt
key windows-client.local.key
3. Now the folder C:\Program Files\OpenVPN\config should contain the following files:
- ca.crt
- the client certificate (.crt)
- the client key (.key)
- client.ovpn
Starting the client
1. Open the OpenVPN GUI from the Windows start menu so that the OpenVPN logo appears in the notification area of the taskbar.
2. Right-click this logo and select “Connect”.
3. If you are using a certificate with a password, a prompt will now ask you for it. Enter the password you have chosen in this input field.
4. After the password is entered, the connection is established and your Windows system is part of your OpenVPN network.
Setting up an OpenVPN client on a Debian or Ubuntu system
Installation of the available updates as well as the required packages
On the client system, it is also important to install the latest updates as well as the OpenVPN package from the repository. You can easily do this with the following commands:
# apt-get update
# apt-get upgrade
# apt-get install openvpn
Adopt and adjust the sample configuration
For the client system, it is recommended that you use the sample client configuration file, as you can adopt it as your configuration file with only a few changes.
1. Use the following commands to copy this file to the directory /etc/openvpn:
# cd /etc/openvpn
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .
2. Now open this file with a text editor, like vim:
# vim client.conf
3. Now please replace the hostname in the following line in the file client.conf with the IP or hostname of your JiffyBox:
remote j54321.servers.jiffybox.net 1194
Transferring the certificates from the server
Since the Linux client also needs the CA certificate as well as the client certificate, you can copy them from your OpenVPN server using scp with the following commands. Again, it is necessary to adjust the hostname or IP of your JiffyBox accordingly:
# scp [email protected]:/etc/openvpn/easy-rsa/keys/ca.crt .
# scp [email protected]:/etc/openvpn/easy-rsa/keys/client1.domain.tld.crt client.crt
# scp [email protected]:/etc/openvpn/easy-rsa/keys/client1.domain.tld.key client.key
Start OpenVPN service
Finally you can start the OpenVPN client with the following command, so that the Linux client is also in your OpenVPN network:
# service openvpn start