How to Install OpenVPN Server on Debian 11/12

OpenVPN is a powerful, open-source VPN (Virtual Private Network) solution that provides secure connections to remote networks over the internet. This guide will walk you through setting up OpenVPN on a Debian server, ensuring your data remains protected. Setting up your own OpenVPN server is a great way to improve your online security.

Method 1: Installation Using a Script

This method utilizes a readily available script to automate the installation process.

First, download the installation script and grant it execute permissions:

$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x openvpn-install.sh

Next, execute the script. Make sure you have root privileges and the TUN module is enabled in your kernel.

$ ./openvpn-install.sh

The script will guide you through a series of prompts to configure your VPN server. After the initial installation, you can rerun the script to manage users:

$ ./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It seems like OpenVPN is already installed.
What would you like to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:

This provides options to add new users or revoke access for existing ones, streamlining user management.

Method 2: Manual Installation

This method provides a manual, step-by-step installation of OpenVPN.

Step 1: Update and Upgrade Debian

Before proceeding, it’s crucial to update and upgrade your Debian system to ensure you have the latest packages.

$ sudo apt update
$ sudo apt upgrade

Step 2: Install OpenVPN

Install OpenVPN and the easy-rsa package, which is used for generating certificates.

$ sudo apt install openvpn easy-rsa

Step 3: Generate Certificates and Keys

OpenVPN uses certificates and keys for secure authentication. easy-rsa simplifies the creation of these essential files.

$ make-cadir ~/openvpn-ca && cd ~/openvpn-ca

Edit the vars file to set Certificate Authority (CA) variables. Adjust these values to match your organization.

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "California"
set_var EASYRSA_REQ_CITY       "San Francisco"
set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL      "<your-email-address>"
set_var EASYRSA_REQ_OU         "My Organizational Unit"

Generate the necessary certificates and keys:

$ ./easyrsa init-pki
$ ./easyrsa build-ca
$ ./easyrsa gen-req server nopass
$ ./easyrsa sign-req server server
$ ./easyrsa gen-dh
$ openvpn --genkey --secret pki/ta.key

These commands will create the required CA, server certificate, server key, Diffie-Hellman parameters, and TLS authentication key, all stored in the /root/openvpn-ca/pki directory.

Step 4: Configure OpenVPN

Configure the OpenVPN server by creating a configuration file based on the sample provided.

$ zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/null

Copy the generated certificates and keys to the OpenVPN configuration directory.

$ cp /root/openvpn-ca/pki/{ca.crt,dh.pem,ta.key} /etc/openvpn
$ cp /root/openvpn-ca/pki/issued/server.crt /etc/openvpn
$ cp /root/openvpn-ca/pki/private/server.key /etc/openvpn

Edit /etc/openvpn/server.conf to reflect the correct paths to your certificates and keys. Ensure the file contains the following:

ca ca.crt
cert server.crt
key server.key  # Keep this file secure
dh dh.pem
;tls-auth ta.key 0
tls-crypt ta.key

Save and close the file.

Step 5: Enable IP Forwarding

Enable IP forwarding in the kernel to allow OpenVPN to route traffic.

$ sudo nano /etc/sysctl.conf

Uncomment the following line:

net.ipv4.ip_forward=1

Apply the changes:

$ sudo sysctl -p

Step 6: Start and Enable OpenVPN

Start and enable the OpenVPN service to ensure it starts automatically on boot.

$ sudo systemctl start openvpn@server
$ sudo systemctl enable openvpn@server

The @server specifies the configuration file (server.conf) you created earlier.

Step 7: Configure Firewall

Allow OpenVPN traffic through the firewall. This example uses UFW (Uncomplicated Firewall). Note that this only opens the listening port; if clients are to reach other networks through the server, the forwarding policy and NAT (masquerading) rules must also permit that traffic.

$ sudo ufw allow OpenVPN

Step 8: Connect to OpenVPN Server

To connect to the OpenVPN server from a client, you need to create a client configuration file and distribute it to the client machine.

First, generate the client certificate and key from the CA directory created in Step 3:

$ cd ~/openvpn-ca
$ ./easyrsa gen-req client1 nopass
$ ./easyrsa sign-req client client1
$ cp pki/private/client1.key /etc/openvpn/client/
$ cp pki/issued/client1.crt /etc/openvpn/client/
$ cp pki/{ca.crt,ta.key} /etc/openvpn/client/

Create a client configuration file in the /root/openvpn-ca directory:

$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root/openvpn-ca/

Edit the file using nano and configure the variables:

remote my-server-1 1194 # replace my-server-1 with the server's public IP address or hostname
user nobody
group nogroup
;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1
key-direction 1

Create a script to compile the base configuration with the necessary certificate, key, and encryption files:

$ nano /root/openvpn-ca/config_gen.sh

Include the following content:

#!/bin/bash
# Build a single-file .ovpn bundle for one client by inlining the CA certificate,
# the client's certificate and key, and the tls-crypt key into the base config.
# First argument: client identifier (the name used with "easyrsa gen-req")
set -euo pipefail
KEY_DIR=/etc/openvpn/client
OUTPUT_DIR=/root
BASE_CONFIG=/root/openvpn-ca/client.conf

if [ -z "${1:-}" ]; then
    echo "usage: $0 <client-name>" >&2
    exit 1
fi

# The bundle contains the client's private key, so create it readable by root only.
umask 077

cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-crypt>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-crypt>') \
    > "${OUTPUT_DIR}/${1}.ovpn"

Make the script executable:

$ chmod 700 /root/openvpn-ca/config_gen.sh
$ ./config_gen.sh client1

This command will create a client1.ovpn file in the /root/ directory. Copy this file to your client computer and use it to connect to the OpenVPN server.
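A check worth running on each generated bundle before handing it out, as an added example that is not part of the original tutorial: a small Python lint that parses the .ovpn into plain directives and inline blocks and flags the mismatches this setup makes easy (the server above uses tls-crypt, so the client must carry a <tls-crypt> block, while key-direction only matters for tls-auth). The sample bundle and its block contents are constructed, not real key material.

```python
import re

# Constructed sample in the shape of the client1.ovpn that config_gen.sh emits;
# the inline material is placeholder text, not real key material.
SAMPLE_OVPN = """client
dev tun
remote my-server-1 1194
remote-cert-tls server
key-direction 1
<ca>
...constructed CA certificate...
</ca>
<cert>
...constructed client certificate...
</cert>
<key>
...constructed client private key...
</key>
<tls-crypt>
...constructed tls-crypt key...
</tls-crypt>
"""
BLOCK_RE = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.S)

def parse_ovpn(text):
    """Split an .ovpn into plain directives and inline <tag>...</tag> blocks."""
    blocks = {m.group(1): m.group(2) for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.split("#", 1)[0].strip()  # '#' and ';' both start comments
        if not line or line.startswith(";"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives, blocks

def lint_ovpn(text):
    """Return a list of findings; an empty list means the bundle passes these checks."""
    d, b = parse_ovpn(text)
    findings = []
    for req in ("ca", "cert", "key"):
        if req not in b:
            findings.append(f"missing inline <{req}> block")
    if "tls-crypt" not in b and "tls-auth" not in b:
        findings.append("no <tls-crypt> or <tls-auth> block: control channel is unprotected")
    if "tls-auth" in b and "key-direction" not in d:
        findings.append("inline <tls-auth> needs 'key-direction 1' on the client")
    if "tls-crypt" in b and "key-direction" in d:
        findings.append("key-direction has no effect with tls-crypt; remove it")
    if "remote-cert-tls" not in d:
        findings.append("add 'remote-cert-tls server' so a client cert cannot pose as the server")
    if any(r.split()[0] == "my-server-1" for r in d.get("remote", [])):
        findings.append("'remote' still points at the placeholder my-server-1")
    return findings
```

Run lint_ovpn on the real client1.ovpn and fix every finding before copying the file to the client.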

Alternative Solutions for Setting up a VPN on Debian

While OpenVPN is a solid choice, other options exist for establishing a VPN server on Debian, each with its own advantages and disadvantages. Here are two alternative methods:

1. WireGuard

WireGuard is a modern VPN protocol known for its speed and simplicity. It uses state-of-the-art cryptography and is designed to be easier to configure and maintain than OpenVPN.

Explanation:

WireGuard operates at Layer 3 of the OSI model, directly encapsulating IP packets within UDP. This streamlined approach contributes to its high performance and low overhead. Its simplified configuration, based on cryptographic key pairs, reduces complexity compared to OpenVPN’s certificate-based system.

Installation and Configuration (Simplified Example):

First, install WireGuard:

sudo apt update
sudo apt install wireguard

Generate a key pair on the server and another on the client (a umask of 077 keeps the private key readable only by its owner):

(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)

On the server, create a configuration file /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = <server_private_key>
Address = 10.6.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.6.0.2/32

On the client, create a configuration file (e.g., wg0.conf):

[Interface]
PrivateKey = <client_private_key>
Address = 10.6.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = <server_public_key>
Endpoint = <server_ip_address>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Enable and start the WireGuard interface on the server:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

This example provides a basic configuration. More advanced setups might involve routing, firewall rules, and DNS configurations.

2. Algo VPN

Algo VPN is a set of scripts designed to quickly deploy a personal IPsec VPN in the cloud. It prioritizes security and ease of use.

Explanation:

Algo VPN automates the process of setting up a secure VPN server using strong encryption protocols like IKEv2/IPsec. It’s designed to minimize the attack surface by disabling unnecessary services and hardening the server configuration. Unlike OpenVPN which often uses a single, long-lived connection, IPsec creates a secure tunnel and negotiates new keys frequently for enhanced security.

Installation and Configuration (Simplified Overview):

  1. Install Dependencies: Algo requires Python and other dependencies. Install them using apt.

  2. Download Algo: Download the Algo repository from GitHub.

  3. Configure config.cfg: Customize the config.cfg file to specify the server’s hostname and other settings.

  4. Run the Installation Script: Execute the algo script. This script automates the creation of the server, configures the VPN, and generates client configuration files.

The Algo VPN script handles much of the complexity, making it easier to deploy a secure VPN compared to manual OpenVPN configuration. However, it often requires a cloud provider account (like AWS, DigitalOcean, or Vultr) for deployment.

Conclusion

This tutorial covered two methods for installing and configuring OpenVPN on a Debian server, providing you with a solid foundation for secure remote access. Furthermore, we explored alternative VPN solutions like WireGuard and Algo VPN, offering different approaches to securing your network traffic. The best choice depends on your specific needs, technical expertise, and security requirements.