Friday, December 13 2019

How to set up an OpenVPN server and client on Debian 10 Buster in 5 min

This is a fast method for setting up an OpenVPN server, with an example client configuration.

For more information about OpenVPN, please check the official documentation.

 

1. Installation of packages on server

apt-get install openvpn easy-rsa

2. Now create the PKI repository:

make-cadir /etc/openvpn/easy-rsa

Now change the variables that the easyrsa tool uses to generate certificates:

nano /etc/openvpn/easy-rsa/vars

Change the default values (uncomment each line to activate it):

set_var EASYRSA_REQ_COUNTRY     "US"
set_var EASYRSA_REQ_PROVINCE    "California"
set_var EASYRSA_REQ_CITY        "San Francisco"
set_var EASYRSA_REQ_ORG         "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL       "me@example.net"
set_var EASYRSA_REQ_OU          "My Organizational Unit"

Now everything is ready to initialize the PKI repository:

cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass

Generate DH file:

./easyrsa gen-dh

Create the certificate and key for the server:

./easyrsa gen-req server nopass
./easyrsa sign-req server server

Create the certificate and key for client1:

./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

3. Create server configuration file:

nano /etc/openvpn/server.conf

port 1194
proto udp
dev tun

ca      /etc/openvpn/easy-rsa/pki/ca.crt
cert    /etc/openvpn/easy-rsa/pki/issued/server.crt
key     /etc/openvpn/easy-rsa/pki/private/server.key
dh      /etc/openvpn/easy-rsa/pki/dh.pem

server 10.9.8.0 255.255.255.0
duplicate-cn  # lets several clients connect with the same certificate; remove it once each client has its own

keepalive 10 120

cipher AES-256-CBC
auth SHA256

comp-lzo  # must match the client; deprecated since OpenVPN 2.4 in favour of the compress option
persist-key
persist-tun

status /var/log/openvpn/status.log
verb 3  # verbose mode
client-to-client

4. Now enable and start the OpenVPN service:

systemctl enable openvpn
systemctl start openvpn

 

5. Installation of packages on client

apt-get install openvpn

6. Copy ca.crt, client1.crt and client1.key to /etc/openvpn

scp Your_Server_IP:/etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn
scp Your_Server_IP:/etc/openvpn/easy-rsa/pki/issued/client1.crt /etc/openvpn
scp Your_Server_IP:/etc/openvpn/easy-rsa/pki/private/client1.key /etc/openvpn

Restrict client1.key to read/write for the owner only:

cd /etc/openvpn
chmod 600 client1.key

7. Create client configuration file:

nano /etc/openvpn/tun0.conf

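Replace Your_Server_IP with the IP address of your server:

client
dev tun
port 1194
proto udp

remote Your_Server_IP 1194
nobind
remote-cert-tls server  # accept only a certificate that was issued as a server certificate

ca      /etc/openvpn/ca.crt
cert    /etc/openvpn/client1.crt
key     /etc/openvpn/client1.key

# must match the server configuration
cipher AES-256-CBC
auth SHA256

comp-lzo
persist-key
persist-tun

verb 3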

 

8. Now enable and start the OpenVPN service:

systemctl enable openvpn
systemctl start openvpn
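
A check for the two configuration files from steps 3 and 7, as an added example that is not part of the original post: it flags directives that differ between server and client, a client without remote-cert-tls, and duplicate-cn on the server. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an OpenVPN server config with a client config.

# Print the value of directive NAME in FILE ("yes" for a bare flag, nothing if absent).
directive() {  # usage: directive FILE NAME
    awk -v name="$2" '
        { sub(/[#;].*/, "") }
        $1 == name { print ($2 == "" ? "yes" : $2); exit }' "$1"
}

# Print one finding per line; exit status is 1 if anything was found, else 0.
audit_pair() {  # usage: audit_pair SERVER_CONF CLIENT_CONF
    srv=$1; cli=$2; found=0
    # These directives have to agree on both ends of the tunnel.
    for name in proto cipher auth comp-lzo; do
        s=$(directive "$srv" "$name"); c=$(directive "$cli" "$name")
        if [ "$s" != "$c" ]; then
            echo "MISMATCH $name: server=${s:-unset} client=${c:-unset}"; found=1
        fi
    done
    # Without this the client does not check the certificate type of its peer.
    if [ -z "$(directive "$cli" remote-cert-tls)" ]; then
        echo "MISSING remote-cert-tls: client does not require a server certificate"; found=1
    fi
    if [ -n "$(directive "$srv" duplicate-cn)" ]; then
        echo "NOTE duplicate-cn: several clients may share one certificate"; found=1
    fi
    return "$found"
}

# Constructed sample pair (hypothetical files, modelled on the configs in this post).
write_samples() {  # usage: write_samples DIR
    printf '%s\n' 'proto udp' 'cipher AES-256-CBC' 'auth SHA256' \
        'comp-lzo' 'duplicate-cn' 'verb 3  # verbose mode' > "$1/server.conf"
    printf '%s\n' 'client' 'proto udp' 'remote Your_Server_IP 1194' \
        'comp-lzo' > "$1/client.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_pair "$demo_dir/server.conf" "$demo_dir/client.conf" || true
rm -rf "$demo_dir"
```

audit_pair takes the paths of the two files, so copy one of the configs to the other host before running it on real files.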

 

 

 

 

 
