OpenVPN on Debian

Setting up OpenVPN on Debian is as straightforward as on CentOS, though some of the file locations differ slightly.

This documentation details how to install and configure OpenVPN on a Debian server.

The first thing we need to do is to get OpenVPN installed:

apt-get install openvpn

Next we want to create a configuration file; we'll use and adapt the sample config file:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn/
gunzip server.conf.gz

By default, the OpenVPN server will hand out IPs in the 10.8.0.0/24 subnet. If you want to change this, edit the config as follows (I'll change it to 10.14.0.0/24):

nano server.conf

# Find the line 'server 10.8.0.0 255.255.255.0' and change it to
server 10.14.0.0 255.255.255.0

Save and exit (Ctrl + X, Y)

Next we want to create our keys and certificates, assuming we're still cd'd into /etc/openvpn:

mkdir -p easy-rsa/keys
cd easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* ./

At the bottom of the file vars are some variables that we probably want to change - they set the defaults used in certificate generation

nano vars

# Set these to suit
export KEY_COUNTRY="UK"
export KEY_PROVINCE="SUFF"
export KEY_CITY="Ipswich"
export KEY_ORG="myserver"
export KEY_EMAIL="me@adomain.com"

Save and exit

Key Generation

Now we're going to load the config variables, clean out any existing keys and generate some new ones

# Load the vars and clear out existing keys
. vars && ./clean-all

# Create the Certificate Authority
./build-ca

# Create the server certificate - we're calling our server 'server' - original huh?
./build-key-server server

# Build the Diffie-Hellman parameters used for the key exchange
./build-dh

# Now we're going to generate a key for a client called laptop
./build-key laptop

# Finally, put the server keys in the openvpn directory
cd keys
# server.conf also expects ca.crt next to the server cert and key, so copy it too
cp ca.crt server.crt server.key dh1024.pem /etc/openvpn

Note: If you decided that you wanted to call your server something more interesting than server, you'll need to adjust the config, as below

nano /etc/openvpn/server.conf
# Find any instance of server.crt or server.key and replace with your servername (e.g. bigiron.crt)

Enabling NAT

We (presumably) want VPN clients to be able to access more than the VPN server, so we'll add a quick firewall rule to sort out NAT:

# venet0 is the OpenVZ interface; on other systems use your outbound interface (e.g. eth0)
# The kernel must also have net.ipv4.ip_forward set to 1, or nothing will pass this rule
iptables -t nat -A POSTROUTING -s 10.14.0.0/24 -o venet0 -j MASQUERADE

Enable the Service

Now we're going to start OpenVPN

service openvpn start

If OpenVPN Fails to start

There might be any number of reasons why the service fails to start, but the place to find out is /var/log/syslog. If you see something like the following:

Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)

Then you don't have TUN/TAP support. You probably either need to load the module (modprobe tun) or recompile the kernel to include support. One big exception is if your server is a VPS: if it's using OpenVZ, there's likely a Solus control panel for it, and you'll need to enable TUN/TAP there (assuming your host has given you the option)

Starting at Boot

We've now successfully started OpenVPN, so let's get it to start at boot:

update-rc.d openvpn defaults

Configuring a client

We now have a functioning OpenVPN server but nothing to connect to it. During the key generation stage we created a key for a client we simply called laptop. We'll now configure it.

First, we need to securely copy the key files to laptop - these things give entry to your VPN, so don't do something stupid like emailing them or using plain FTP!

The files we need are:

  • laptop.crt
  • laptop.key
  • ca.crt

The simplest way is with scp:

ben@laptop:~$ mkdir VPNs
ben@laptop:~$ cd VPNs
ben@laptop:~/VPNs$ scp root@myvpnserver:/etc/openvpn/easy-rsa/keys/laptop.* ./
ben@laptop:~/VPNs$ scp root@myvpnserver:/etc/openvpn/easy-rsa/keys/ca.crt ./

Now that we've got the keys (however you did it), we need to create an OpenVPN config file. It's a simple text file and there's a multitude of entries you can include (the OpenVPN documentation is your friend), but we're going to keep it simple for now.

Create the file vpnserver.conf with the following entries (don't forget to insert your VPN server's IP or FQDN):

client
dev tun
port 1194
proto udp
remote [SERVER IP OR FQDN] 1194
nobind

ca ca.crt
cert laptop.crt
key laptop.key

comp-lzo
persist-key
persist-tun

Save and exit

For reference, the options we specified are as follows:

  • dev The TUN/TAP virtual network device to use. We didn't specify a number, so it'll use the dynamic device
  • port The port on the server to connect to - actually a little redundant as we specify the port in remote but it doesn't harm
  • proto The protocol to use (we said UDP)
  • remote The remote server to connect to, optionally followed by a port number
  • nobind Don't bind to local address and port
  • ca The certificate authority's certificate, used to verify the server's certificate
  • cert Our authentication certificate
  • key The private key for our certificate
  • comp-lzo Use fast LZO compression
  • persist-key Don't re-read the key files, useful if you're planning on dropping OpenVPN's privileges down from root after start (though we haven't)
  • persist-tun Don't close and re-open the TUN/TAP device if the tunnel is being restarted

Connecting the Client

Connecting should now be as simple as

openvpn vpnserver.conf

Once the connection is established, you should be able to ping the VPN server on its VPN IP (if you changed the subnet from 10.8.0.0/24, adjust the following command to suit)

ping -c 3 10.8.0.1

With the config we used, most of our traffic won't go over the VPN. If you want to change this, then on the server you just need to edit the configuration to uncomment

push "redirect-gateway def1 bypass-dhcp"

and then restart OpenVPN

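The subnet change, the renamed-certificate note, the NAT rule, the ping target and the redirect-gateway push above all have to agree with what server.conf actually says. This added Python example (my own code, not from the original guide or from OpenVPN) parses a server.conf and derives those values from it; the sample config, the 'bigiron' certificate name and the interface name eth0 are constructed for illustration.

```python
import ipaddress
import shlex

def parse_conf(text):
    """[(directive, [args])] per non-comment line; '#'/';' comment, args may be quoted."""
    entries = []
    for line in text.splitlines():
        lexer = shlex.shlex(line, posix=True)
        lexer.commenters = "#;"
        lexer.whitespace_split = True
        parts = list(lexer)
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries

def vpn_subnet(entries):
    """The 'server <network> <netmask>' directive is the subnet handed to clients."""
    for directive, args in entries:
        if directive == "server" and len(args) == 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=True)
    raise ValueError("no 'server' directive found")

def server_tunnel_ip(net):
    """OpenVPN gives the server the first host address, so this is the ping target."""
    return str(next(net.hosts()))

def nat_rule(net, iface):
    """MASQUERADE rule whose source matches the subnet actually configured."""
    return f"iptables -t nat -A POSTROUTING -s {net} -o {iface} -j MASQUERADE"

def missing_files(entries, present):
    """ca/cert/key/dh files the config names that are not in 'present' (names in /etc/openvpn)."""
    wanted = [a[0] for d, a in entries if d in ("ca", "cert", "key", "dh") and a]
    return sorted(f for f in wanted if f not in present)

def redirect_gateway_pushed(entries):
    """True when the server pushes a default route, i.e. all client traffic uses the VPN."""
    return any(d == "push" and a and a[0].startswith("redirect-gateway") for d, a in entries)

# Constructed sample, not the page's file: server.conf after the subnet change,
# with the server certificate renamed to 'bigiron' but the CA name left alone.
SAMPLE_CONF = """\
ca ca.crt
cert bigiron.crt
key bigiron.key  # This file should be kept secret
dh dh1024.pem
server 10.14.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
"""
```

Running missing_files against the names actually present in /etc/openvpn shows exactly which renamed files the config still cannot find, which is the usual cause of the "fails to start" case above.
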
Adding Clients

Whilst we've got one client connected, it's almost certain we're going to want to add another at a later date. At that point, we connect to the VPN server and do the following:

cd /etc/openvpn/easy-rsa
. vars
./build-key laptop2

and then go through the steps on configuring and connecting that client