OpenVPN on Debian
Setting up OpenVPN on Debian is as straightforward as on CentOS, though some of the file locations differ slightly.
This documentation details how to install and configure OpenVPN on a Debian server.
The first thing we need to do is get OpenVPN installed
apt-get install openvpn
Next we want to create a configuration file; we'll use and adapt the sample config file
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn/
gunzip server.conf.gz
By default, the OpenVPN server will hand out IPs in the 10.8.0.0/24 subnet. If you want to change this, edit the config as follows (I'll change it to 10.14.0.0/24)
nano server.conf
# Find server 10.8.0.0 255.255.255.0 and change to
server 10.14.0.0 255.255.255.0
Save and exit (Ctrl + X, Y)
Next we want to create our keys and certificates, assuming we're still cd'd into /etc/openvpn
mkdir easy-rsa/keys -p
cd easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* ./
At the bottom of the file vars are some variables that we'll probably want to change - they set the defaults used when generating keys and certificates
nano vars
# Set these to suit
export KEY_COUNTRY="UK"
export KEY_PROVINCE="SUFF"
export KEY_CITY="Ipswich"
export KEY_ORG="myserver"
export KEY_EMAIL="me@adomain.com"
Save and exit
Key Generation
Now we're going to load the config variables, clean out any existing keys and generate some new ones
# Load the vars and clear out existing keys
. vars && ./clean-all
# Create the Certificate Authority
./build-ca
# Create the server certificate - we're calling our server 'server' - original huh?
./build-key-server server
# Build the key exchange files
./build-dh
# Now we're going to generate a key for a client called laptop
./build-key laptop
# Finally, put the server keys in the openvpn directory
# (the sample server.conf expects ca.crt there as well as server.crt, server.key and dh1024.pem)
cd keys
cp ca.crt server.crt server.key dh1024.pem /etc/openvpn
Note: If you decided that you wanted to call your server something more interesting than server, you'll need to adjust the config, as below
nano /etc/openvpn/server.conf
# Find any instance of server.crt or server.key and replace with your server name (e.g. bigiron.crt)
Enabling NAT
We (presumably) want VPN clients to be able to reach more than just the VPN server, so we'll add a quick firewall rule to handle NAT (venet0 here is the OpenVZ network interface; substitute your server's public interface if it differs)
iptables -t nat -A POSTROUTING -s 10.14.0.0/24 -o venet0 -j MASQUERADE
Enable the Service
Now we're going to start OpenVPN
service openvpn start
If OpenVPN Fails to start
There might be any number of reasons why the service fails to start, but the place to find out is /var/log/syslog. If you see something like the following
Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Then you don't have TUN/TAP support. You probably either need to load the module (modprobe tun) or need to recompile the kernel to include support. One big exception is if your server is a VPS: if it's using OpenVZ there's likely a Solus control panel for it, and you'll need to enable TUN/TAP there (assuming your host has given you the option)
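An added example (not part of the original article) that checks for the TUN/TAP failure just described before you go hunting through the log by hand. The syslog excerpt below is constructed so the script can be exercised offline; on a real server read /var/log/syslog instead.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight check for the
# "Cannot open TUN/TAP dev /dev/net/tun" failure. The syslog excerpt is
# constructed so the functions can be tried offline.

SAMPLE_SYSLOG='Mar  3 10:01:12 vpn ovpn-server[1234]: OpenVPN 2.1.3 i486-pc-linux-gnu
Mar  3 10:01:12 vpn ovpn-server[1234]: Diffie-Hellman initialized with 1024 bit key
Mar  3 10:01:12 vpn ovpn-server[1234]: Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Mar  3 10:01:12 vpn ovpn-server[1234]: Exiting'

# Count how many times the TUN/TAP error appears in a syslog excerpt ($1).
tun_error_count() {
    printf '%s\n' "$1" | grep -c 'Cannot open TUN/TAP dev /dev/net/tun'
}

# Print just the OpenVPN messages from a syslog excerpt ($1), with the
# timestamp, host and process prefix stripped, so the failure reason stands out.
openvpn_messages() {
    printf '%s\n' "$1" | sed -n 's/^.*ovpn-server\[[0-9]*\]: //p'
}

# Work out what to do about a missing /dev/net/tun on this host:
#   ok        - the device exists, so look elsewhere in the log for the cause
#   modprobe  - an ordinary kernel, try "modprobe tun"
#   container - an OpenVZ guest (/proc/vz present, /proc/bc absent); TUN/TAP
#               has to be enabled from the host side, e.g. the Solus panel
tun_remedy() {
    if [ -c /dev/net/tun ]; then
        echo ok
    elif [ -d /proc/vz ] && [ ! -d /proc/bc ]; then
        echo container
    else
        echo modprobe
    fi
}

# Usage on the server: check the log, then act on the verdict.
if [ "$(tun_error_count "$SAMPLE_SYSLOG")" -gt 0 ]; then
    echo "OpenVPN could not open /dev/net/tun; suggested fix: $(tun_remedy)"
    openvpn_messages "$SAMPLE_SYSLOG"
fi
```

On a live server replace SAMPLE_SYSLOG with `"$(grep ovpn-server /var/log/syslog | tail -n 20)"` to check the most recent start attempt.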
Starting at Boot
We've now successfully started OpenVPN, so let's get it to start at boot
update-rc.d openvpn defaults
Configuring a client
We now have a functioning OpenVPN server but nothing to connect to it. During the key generation stage we created a key for a client we simply called laptop. We'll now configure it.
First, we need to securely copy the key files to laptop - these things give entry to your VPN, so don't do something stupid like emailing them or using plain FTP!
The files we need are:
- laptop.crt
- laptop.key
- ca.crt
The simplest way is with scp:
ben@laptop:~$ mkdir VPNs
ben@laptop:~$ cd VPNs
ben@laptop:~/VPNs$ scp root@myvpnserver:/etc/openvpn/easy-rsa/keys/laptop.* ./
ben@laptop:~/VPNs$ scp root@myvpnserver:/etc/openvpn/easy-rsa/keys/ca.crt ./
Now that we've got the keys (however you did it), we need to create an OpenVPN config file. It's a simple text file and there's a multitude of entries you can include (the OpenVPN documentation is your friend), but we're going to keep it simple for now.
Create the file vpnserver.conf with the following entries (don't forget to insert your VPN server's IP or FQDN)
client
dev tun
port 1194
proto udp
remote [SERVER IP OR FQDN] 1194
nobind
ca ca.crt
cert laptop.crt
key laptop.key
comp-lzo
persist-key
persist-tun
Save and exit
For reference, the options we specified are as follows
- dev The TUN/TAP virtual network device to use. We didn't specify a number, so OpenVPN will pick the next free dynamic device
- port The port on the server to connect to - actually a little redundant as we also specify the port in remote, but it does no harm
- proto The protocol to use (we said UDP)
- remote The remote server to connect to, optionally followed by a port number
- nobind Don't bind to local address and port
- ca The certificate authority (CA) certificate used to verify the server
- cert Our authentication certificate
- key The private key for our certificate
- comp-lzo Use fast LZO compression
- persist-key Don't re-read the key files on restart, useful if you're planning on dropping OpenVPN's privileges down from root after start (though we haven't)
- persist-tun Don't close and re-open the TUN/TAP device if the tunnel is being restarted
Connecting the Client
Connecting should now be as simple as
openvpn vpnserver.conf
Once the connection is established, you should be able to ping the VPN server on its VPN IP (if you changed the subnet from 10.8.0.0/24, adjust the following command to suit)
ping -c 3 10.8.0.1
With the config we used, most of our traffic won't go over the VPN. If you want to change this, then on the server you just need to edit the configuration to uncomment
push "redirect-gateway def1 bypass-dhcp"
and then restart OpenVPN
Adding Clients
Whilst we've got one client connected, it's almost certain we're going to want to add another at a later date. At that point, we connect to the VPN server and do the following
cd /etc/openvpn/easy-rsa
. vars
./build-key laptop2
and then go through the steps above for configuring and connecting that client
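Since every additional client needs the same vpnserver.conf written out with its own cert and key names, here is an added example (not from the original article) that generates the client config from the "Configuring a client" section for any name passed to ./build-key, and checks the three credential files are where the config says they are. It assumes ca.crt, <name>.crt and <name>.key have already been scp'd into the target directory; the server name vpn.example.org in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: write a client config matching
# the vpnserver.conf above for any client built with ./build-key <name>.

# $1 = client name (as given to ./build-key), $2 = server IP or FQDN,
# $3 = directory holding ca.crt, $1.crt and $1.key
# Writes $3/$1.conf; returns 1 without writing anything if a file is missing.
write_client_conf() {
    name=$1; server=$2; dir=$3
    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    # The private key is what admits this client to the VPN: owner-only access.
    chmod 600 "$dir/$name.key"
    cat > "$dir/$name.conf" <<EOF
client
dev tun
port 1194
proto udp
remote $server 1194
nobind
ca ca.crt
cert $name.crt
key $name.key
comp-lzo
persist-key
persist-tun
EOF
}

# Sanity check on a generated config ($1): the ca, cert and key lines must
# point at files that exist next to it. Returns 0 when all three are present.
check_client_conf() {
    conf=$1; dir=$(dirname "$conf")
    for opt in ca cert key; do
        file=$(awk -v o="$opt" '$1 == o { print $2 }' "$conf")
        [ -n "$file" ] && [ -f "$dir/$file" ] || { echo "$opt: $file missing" >&2; return 1; }
    done
}

# Usage (placeholder server name): after "./build-key laptop2" on the server
# and copying the three files into ~/VPNs, run on the client:
#   write_client_conf laptop2 vpn.example.org ~/VPNs && check_client_conf ~/VPNs/laptop2.conf
```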