Install openvpn server on Debian 9 “Stretch” Linux systems
In this article we will discuss the installation of an OpenVPN server on Linux systems of the Debian family (Debian 9 "Stretch", Ubuntu 16.04, and higher).
A VPN, or virtual private network, is a secure method of connecting remote internet resources together as if they were on the same LAN. OpenVPN is a tool for creating private network tunnels between remote computers/servers that are not on the same local network. This is useful if you want to remotely access services on a network or computer without making those services publicly accessible.
Requirements:
- A Linux server (any member of the Debian Linux family)
- root access to the server.
Step 1: Installing OpenVPN Server
We will install two packages. Run the following commands as root to install easy-rsa and the OpenVPN server:
# apt-get -y update
# apt-get -y install openvpn easy-rsa
Now we need to extract the sample server configuration file (server.conf.gz) into /etc/openvpn, so run the following command:
# gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Also, we need to create a directory to hold our generated keys and certificates:
# mkdir /etc/openvpn/rsa
Finally, copy the key and certificate generation scripts into that directory:
# cp -rf /usr/share/easy-rsa/* /etc/openvpn/rsa
At this point we are ready to generate our keys and certificates.
Step 2: Generating Keys and Certificates
Now we need to generate our keys and certificates. Let's go step by step through the keys and certificates that are needed.
In the vars file you can specify the identification information for your OpenVPN server's certificate authority, which is then passed on to the client certificates. Changing these fields is optional, and you can always enter them manually during certificate creation, but setting them here means less work during client certificate creation. We use the vim text editor to edit the vars file:
# vim /etc/openvpn/rsa/vars
Update the following entries with your OpenVPN server's data:
. . .
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="EG"
export KEY_PROVINCE="BH"
export KEY_CITY="Kafr El Dawar"
export KEY_ORG="MimasTech.com"
export KEY_EMAIL="contact@mydomain.com"
export KEY_OU="Systems Engineering"
# X509 Subject Field
export KEY_NAME="Mohammed Semari"
As I said before, the above modifications are optional, but before we leave this file there are two other important entries whose values you may need to change:
The first is the root CA key expiry; the default was 10 years and I made it one year.
# In how many days should the root CA key expire?
export CA_EXPIRE=365
Then comes the client certificate expiration; one year is good for keeping more control over your clients.
# In how many days should certificates expire?
export KEY_EXPIRE=365
Save and exit the vars file.
The following steps will generate the server root CA, the server certificate (optional), and the client certificate, so run all the commands below:
# cd /etc/openvpn/rsa/
# source ./vars
# ./clean-all
# ./build-ca
# ./build-key-server server
# ./build-dh
# ./build-key <client_name>
In the above commands we sourced the changes we made in the vars file, then cleaned any previously existing keys and certificates that may exist in the keys directory, then created the root CA, then the server certificate (optional, adding a further security layer to the connection), then generated the Diffie-Hellman key exchange file (this will take some time to complete), and finally created the client key and certificate.
Hints:
1. Press ENTER for each blank field we are asked to fill, and answer y to the questions.
2. <client_name> is your client's name; each client must have a unique, descriptive name for better control over them and for security reasons.
Copy the generated files into our OpenVPN directory with the following commands:
# cd keys
# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
Next, for a client to connect to the OpenVPN server it needs the three files we generated previously (ca.crt, client.crt, client.key), plus a configuration file for the client software it will use to connect to the OpenVPN server. We will create this file under the name client.ovpn. It contains the following entries:
client
dev tun
proto udp
remote <openvpn server IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert <client_name>.crt
key <client_name>.key
Replace the entries between < > with your server's IP address and the client's certificate and key file names, then send the four files to your client.
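One way to hand the client a single file instead of four is OpenVPN's inline <ca>/<cert>/<key> blocks. The script below is an added example, not code from the original article; it assumes the certificates are in /etc/openvpn/rsa/keys and the helper name make_client_ovpn is invented here.

```shell
#!/bin/sh
# make_client_ovpn: build a single-file client profile from the three files
# Easy-RSA produced (ca.crt, <client>.crt, <client>.key) plus the article's
# client.ovpn directives. Added example, not from the original article.
# Assumption: the key directory defaults to /etc/openvpn/rsa/keys.
set -eu

make_client_ovpn() {
  server_ip=$1 client=$2 dir=${3:-/etc/openvpn/rsa/keys}
  out="$dir/$client.ovpn"
  # Refuse to build a profile when any input is missing or empty.
  for f in ca.crt "$client.crt" "$client.key"; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
  done
  {
    # Same directives as the article's client.ovpn ...
    printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$server_ip"
    printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
    printf 'comp-lzo\nverb 3\n'
    # ... but with the PEM files embedded inline instead of referenced by
    # file name, so the client receives one file rather than four.
    for pair in "ca ca.crt" "cert $client.crt" "key $client.key"; do
      tag=${pair%% *} file=${pair#* }
      printf '<%s>\n' "$tag"
      cat "$dir/$file"
      printf '</%s>\n' "$tag"
    done
  } > "$out"
  chmod 600 "$out"   # the profile now contains the client's private key
  printf '%s\n' "$out"
}
```

Usage: make_client_ovpn <openvpn server IP> <client_name> prints the path of the generated profile; the file is mode 0600 because it embeds the private key.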
At this point we are ready to configure the openVPN server.
Step 3: Configuring OpenVPN
Now it's time to configure the OpenVPN server. The configuration file is self-explanatory; each field has an explanation above it. I'll make only the minimal changes needed for the OpenVPN server to start.
Let’s edit the configuration file:
# vim /etc/openvpn/server.conf
We need to change the dh file name to dh2048.pem, because the Diffie-Hellman parameters we generated earlier with Easy-RSA use its default size of 2048, so the file is named dh2048.pem. Find the line "dh dh1024.pem" and change it to "dh dh2048.pem". This step is mandatory for OpenVPN to work:
dh dh2048.pem
Next come the optional steps. We need to uncomment the push "redirect-gateway def1 bypass-dhcp" line, which tells the client to route all of its traffic through our OpenVPN server:
push "redirect-gateway def1 bypass-dhcp"
Hints:
1. This step and the four steps below are optional.
2. Uncommenting redirect-gateway forces all client traffic through the OpenVPN server, so your clients are subject to your firewall rules and your internet usage policy. They may not be able to browse the internet while connected to your OpenVPN server.
3. For me, I received many complaints from clients about not being able to use the internet while connected to my OpenVPN, so I commented this entry out again. Now they can connect to my OpenVPN and enjoy their normal use of the internet.
Next we need to push DNS servers to the clients. This step is needed if you enabled push "redirect-gateway def1 bypass-dhcp"; otherwise leave it commented out:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Finally, change the user and group to nobody/nogroup, as mentioned in the configuration file; this is important on non-Windows systems:
user nobody
group nogroup
Save and exit the OpenVPN server configuration file.
Hints:
1. I only changed the mandatory field "dh dh2048.pem"; the other five changes I made are optional.
2. The configuration file has many important fields: you can use the TCP protocol instead of the default UDP, change the listening port, change the listening IP, etc.
3. Other advanced configuration parameters depend on your needs; in this article I used the minimal configuration changes.
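The Step 3 edits can be applied and then checked from a script rather than by hand. This is an added example, not from the original article; the helper names (set_directive, ensure_directive, configure_server_conf, verify_server_conf) are invented here, and it assumes the stock sample layout in which disabled lines start with ";".

```shell
#!/bin/sh
# Apply the Step 3 edits to an OpenVPN server.conf and verify the result.
# Added example, not from the original article; helper names are invented.
# Assumes the stock sample layout in which disabled lines start with ';'.
set -eu

# Replace every active "<keyword> ..." line with "<keyword> <value>".
set_directive() {
  conf=$1 key=$2 val=$3
  { awk -v k="$key" '$1 != k' "$conf"; printf '%s %s\n' "$key" "$val"; } > "$conf.tmp"
  mv "$conf.tmp" "$conf"
}

# Make an exact line active: uncomment the sample's ";line" if present,
# otherwise append it. Used for push lines, which may legitimately repeat.
ensure_directive() {
  conf=$1 line=$2
  grep -qxF "$line" "$conf" && return 0
  if grep -qxF ";$line" "$conf"; then
    awk -v l="$line" '$0 == ";" l { print l; next } { print }' "$conf" > "$conf.tmp"
  else
    { cat "$conf"; printf '%s\n' "$line"; } > "$conf.tmp"
  fi
  mv "$conf.tmp" "$conf"
}

configure_server_conf() {
  conf=$1
  set_directive "$conf" dh dh2048.pem                                  # mandatory
  ensure_directive "$conf" 'push "redirect-gateway def1 bypass-dhcp"'  # optional
  ensure_directive "$conf" 'push "dhcp-option DNS 8.8.8.8"'
  ensure_directive "$conf" 'push "dhcp-option DNS 8.8.4.4"'
  ensure_directive "$conf" 'user nobody'      # drop root privileges after startup
  ensure_directive "$conf" 'group nogroup'
}

# Return 0 only when the config matches what the article requires.
verify_server_conf() {
  conf=$1
  grep -qx 'dh dh2048.pem' "$conf" || { echo 'dh is not dh2048.pem' >&2; return 1; }
  # redirect-gateway with no pushed DNS may leave clients without a resolver.
  if grep -qx 'push "redirect-gateway def1 bypass-dhcp"' "$conf" &&
     ! grep -q '^push "dhcp-option DNS ' "$conf"; then
    echo 'redirect-gateway is pushed but no DNS server is' >&2; return 1
  fi
  grep -qx 'user nobody' "$conf" && grep -qx 'group nogroup' "$conf" ||
    { echo 'daemon would keep running as root' >&2; return 1; }
}
```

Run configure_server_conf /etc/openvpn/server.conf followed by verify_server_conf /etc/openvpn/server.conf; both are safe to repeat, since lines already active are left untouched.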
At this point we are ready to enable traffic routing to our OpenVPN server.
Hi Mohammed. Thanks for the article. However I’m getting stuck on:
root@raspberrypi:/etc/openvpn/rsa# ./build-ca
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x
When I open the file /etc/openvpn/rsa/openssl.cnf, at the top there is the comment: # For use with Easy-RSA 3.0 and OpenSSL 1.0.*
Do you have a clean solution for me?
Hi Anton,
This issue occurs because easy-rsa didn't find openssl.cnf in the path /etc/openvpn/rsa.
When we list the files in this path, we find:
# ls /etc/openvpn/rsa
total 116
-rwxr-xr-x 1 root root 119 Sep 7 11:09 build-ca
-rwxr-xr-x 1 root root 352 Sep 7 11:09 build-dh
-rwxr-xr-x 1 root root 188 Sep 7 11:09 build-inter
-rwxr-xr-x 1 root root 163 Sep 7 11:09 build-key
-rwxr-xr-x 1 root root 157 Sep 7 11:09 build-key-pass
-rwxr-xr-x 1 root root 249 Sep 7 11:09 build-key-pkcs12
-rwxr-xr-x 1 root root 268 Sep 7 11:09 build-key-server
-rwxr-xr-x 1 root root 213 Sep 7 11:09 build-req
-rwxr-xr-x 1 root root 158 Sep 7 11:09 build-req-pass
-rwxr-xr-x 1 root root 449 Sep 7 11:09 clean-all
-rwxr-xr-x 1 root root 1471 Sep 7 11:09 inherit-inter
drwx------ 2 root root 4096 Dec 18 15:13 keys
-rwxr-xr-x 1 root root 302 Sep 7 11:09 list-crl
-rw-r--r-- 1 root root 7859 Sep 7 11:09 openssl-0.9.6.cnf
-rw-r--r-- 1 root root 8416 Sep 7 11:09 openssl-0.9.8.cnf
-rw-r--r-- 1 root root 8313 Sep 7 11:09 openssl-1.0.0.cnf
-rwxr-xr-x 1 root root 13246 Sep 7 11:09 pkitool
-rwxr-xr-x 1 root root 1035 Sep 7 11:09 revoke-full
-rwxr-xr-x 1 root root 178 Sep 7 11:09 sign-req
-rw-r--r-- 1 root root 2077 Sep 7 11:16 vars
-rwxr-xr-x 1 root root 740 Sep 7 11:09 whichopensslcnf
As you see, no openssl.cnf file exists.
The solution is very simple: we make a symbolic link to the latest openssl.cnf file we find; here the latest one is openssl-1.0.0.cnf.
Run these commands:
# cd /etc/openvpn/rsa/
# ln -s openssl-1.0.0.cnf openssl.cnf
Now the issue is solved; re-run your commands.
Finally, I list the files again to check:
# ls -l /etc/openvpn/rsa
total 116
-rwxr-xr-x 1 root root 119 Sep 7 11:09 build-ca
-rwxr-xr-x 1 root root 352 Sep 7 11:09 build-dh
-rwxr-xr-x 1 root root 188 Sep 7 11:09 build-inter
-rwxr-xr-x 1 root root 163 Sep 7 11:09 build-key
-rwxr-xr-x 1 root root 157 Sep 7 11:09 build-key-pass
-rwxr-xr-x 1 root root 249 Sep 7 11:09 build-key-pkcs12
-rwxr-xr-x 1 root root 268 Sep 7 11:09 build-key-server
-rwxr-xr-x 1 root root 213 Sep 7 11:09 build-req
-rwxr-xr-x 1 root root 158 Sep 7 11:09 build-req-pass
-rwxr-xr-x 1 root root 449 Sep 7 11:09 clean-all
-rwxr-xr-x 1 root root 1471 Sep 7 11:09 inherit-inter
drwx------ 2 root root 4096 Dec 18 15:13 keys
-rwxr-xr-x 1 root root 302 Sep 7 11:09 list-crl
-rw-r--r-- 1 root root 7859 Sep 7 11:09 openssl-0.9.6.cnf
-rw-r--r-- 1 root root 8416 Sep 7 11:09 openssl-0.9.8.cnf
-rw-r--r-- 1 root root 8313 Sep 7 11:09 openssl-1.0.0.cnf
lrwxrwxrwx 1 root root 17 Dec 18 15:01 openssl.cnf -> openssl-1.0.0.cnf
-rwxr-xr-x 1 root root 13246 Sep 7 11:09 pkitool
-rwxr-xr-x 1 root root 1035 Sep 7 11:09 revoke-full
-rwxr-xr-x 1 root root 178 Sep 7 11:09 sign-req
-rw-r--r-- 1 root root 2077 Sep 7 11:16 vars
-rwxr-xr-x 1 root root 740 Sep 7 11:09 whichopensslcnf
Regards
Hello and thank you for this tutorial.
But when I start the OpenVPN server, I have a problem with the ta.key.
Shouldn't it also be generated with the following command?
# openvpn --genkey --secret keys/ta.key
Because without this ta.key, it is impossible to start the OpenVPN server.
Sorry for my English, I’m a French speaker 🙂