Install and Configure an OpenVPN on Debian 9 In 5 Minutes

Set up OpenVPN on Debian 9 In 5 Minutes

I am a new Debian Linux version 9 server user. How do I set up an OpenVPN server on Debian Linux version 9.x or 8.x to shield my browsing activity from bad guys on public Wi-Fi, and more? How can I set up a VPN with OpenVPN on a Debian 9 Stretch Linux server hosted at AWS cloud?

OpenVPN is a free and open source VPN (virtual private network) software for Debian Linux 9. It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. A VPN allows you to connect securely over an insecure public network such as the Wi-Fi network at an airport or hotel. A VPN is also required to access your corporate, enterprise or home server resources. You can bypass geo-blocked sites and increase your privacy or safety online.

This tutorialconfiguration.

The steps are as follows:

1. Find and note down your public IP address
2. Download openvpn-install.sh script
3. Run openvpn-install.sh to install OpenVPN server
4. Connect an OpenVPN server using IOS/Android/Linux/Windows client
5. Verify your connectivity

Step 1 – Find your public IP address

Use any one of the following commands to find out your public IPv4 address. If your interface name is eth0 or eth1, type the following ip command:

$ ip addr show eth0

OR

$ ip addr show eth1

Or use the host command or dig command as follows:

$ host myip.opendns.com resolver1.opendns.com

OR

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com



Note down the public IP address (104.237.156.154 in this example), i.e. the public IP address of your OpenVPN server.

Step 2 – Update your system and install ufw

Type the apt-get command/apt command to update your system:

$ sudo apt-get update

$ sudo apt-get upgrade

Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  libc-bin libc-l10n libc6 libexpat1 linux-image-4.9.0-3-amd64 locales multiarch-support
7 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 46.6 MB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://security.debian.org/debian-security stretch/updates/main amd64 libc6 amd64 2.24-11+deb9u1 [2,695 kB]
Get:2 http://security.debian.org/debian-security stretch/updates/main amd64 libc-bin amd64 2.24-11+deb9u1 [778 kB]
Get:3 http://security.debian.org/debian-security stretch/updates/main amd64 multiarch-support amd64 2.24-11+deb9u1 [200 kB]
Get:4 http://security.debian.org/debian-security stretch/updates/main amd64 libc-l10n all 2.24-11+deb9u1 [820 kB]
Get:5 http://security.debian.org/debian-security stretch/updates/main amd64 locales all 2.24-11+deb9u1 [3,290 kB]
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 libexpat1 amd64 2.2.0-2+deb9u1 [83.4 kB]
Get:7 http://security-cdn.debian.org stretch/updates/main amd64 linux-image-4.9.0-3-amd64 amd64 4.9.30-2+deb9u2 [38.7 MB]
Fetched 46.6 MB in 2s (15.5 MB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../libc6_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6:amd64 (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc6:amd64 (2.24-11+deb9u1) ...
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.24-11+deb9u1_amd64.deb ...
Unpacking libc-bin (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc-bin (2.24-11+deb9u1) ...
Updating /etc/nsswitch.conf to current default.
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../multiarch-support_2.24-11+deb9u1_amd64.deb ...
Unpacking multiarch-support (2.24-11+deb9u1) over (2.24-11) ...
Setting up multiarch-support (2.24-11+deb9u1) ...
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../libc-l10n_2.24-11+deb9u1_all.deb ...
Unpacking libc-l10n (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../locales_2.24-11+deb9u1_all.deb ...
Unpacking locales (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../libexpat1_2.2.0-2+deb9u1_amd64.deb ...
Unpacking libexpat1:amd64 (2.2.0-2+deb9u1) over (2.2.0-2) ...
Preparing to unpack .../linux-image-4.9.0-3-amd64_4.9.30-2+deb9u2_amd64.deb ...
Unpacking linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u2) over (4.9.30-2) ...
Setting up libexpat1:amd64 (2.2.0-2+deb9u1) ...
Processing triggers for libc-bin (2.24-11+deb9u1) ...
Setting up libc-l10n (2.24-11+deb9u1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u2) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.9.0-3-amd64
Found initrd image: /boot/initrd.img-4.9.0-3-amd64
done
Setting up locales (2.24-11+deb9u1) ...
Generating locales (this might take a while)...
  en_US.UTF-8... done
Generation complete.

I need to reboot the box because a new Linux kernel was installed. Type the following reboot command:

$ sudo reboot

Install ufw (Uncomplicated Firewall)

You must set up a firewall along with the OpenVPN server on Debian 9 to secure and harden it. To install ufw on Debian 9/8, type the following apt-get command/apt command:

$ sudo apt-get install ufw

Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ufw
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 164 kB of archives.
After this operation, 848 kB of additional disk space will be used.
Get:1 http://mirrors.linode.com/debian stretch/main amd64 ufw all 0.35-4 [164 kB]
Fetched 164 kB in 0s (13.1 MB/s)
Preconfiguring packages ...
Selecting previously unselected package ufw.
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../archives/ufw_0.35-4_all.deb ...
Unpacking ufw (0.35-4) ...
Setting up ufw (0.35-4) ...
Creating config file /etc/ufw/before.rules with new version
Creating config file /etc/ufw/before6.rules with new version
Creating config file /etc/ufw/after.rules with new version
Creating config file /etc/ufw/after6.rules with new version
Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service → /lib/systemd/system/ufw.service.
Processing triggers for systemd (232-25) ...
Processing triggers for man-db (2.7.6.1-2) ...
Processing triggers for rsyslog (8.24.0-1) ...

You must open the required ports, such as SSH port 22, 80, 443 and so on, before enabling the firewall:

$ sudo ufw allow 22

$ sudo ufw allow 80

$ sudo ufw allow 443

Enable the firewall, run:

$ sudo ufw enable

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Verify the firewall rules:

$ sudo ufw status

Sample outputs:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

How To Set Up an OpenVPN Server on Debian 9

We are going to set up an OpenVPN server using the easy-to-use openvpn-install.sh script.

Step 3 – Download openvpn-install.sh script

Type the following wget command:

$ wget https://git.io/vpn -O openvpn-install.sh

Sample outputs:

--2019-03-08 16:39:32--  https://git.io/vpn
Resolving git.io (git.io)... 52.73.9.93, 52.73.94.166, 52.7.169.168, ...
Connecting to git.io (git.io)|52.73.9.93|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2019-03-08 16:39:33--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.8.133
Connecting to raw.github.com (raw.github.com)|151.101.8.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2019-03-08 16:39:34--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.8.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.8.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14712 (14K) [text/plain]
Saving to: ‘openvpn-install.sh’

openvpn-install.sh 100%[=====================================>]  14.37K  --.-KB/s    in 0.04s

2019-03-08 16:39:34 (338 KB/s) - ‘openvpn-install.sh’ saved [14712/14712]
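The wget output shows the short URL resolving to the master branch of the installer, so the file can change between the time you read it and the time you run it as root. The following is an added example, not part of the original tutorial or the installer project: it refuses to proceed unless the downloaded file matches a SHA-256 digest you recorded after reviewing it. The function names and the PINNED_SHA256 variable are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: run a downloaded installer only if it matches a pinned digest.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS / BSD fallback
    fi
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on bad input (missing file, malformed digest).
verify_pinned() {
    local file expected actual
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "pinned value is not a hex digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pinned digest must be 64 hex characters" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the pinned digest"
    else
        echo "MISMATCH: $file is $actual, expected $expected" >&2
        return 1
    fi
}

# Typical use (PINNED_SHA256 is a placeholder you fill in after reading the script):
#   wget https://git.io/vpn -O openvpn-install.sh
#   less openvpn-install.sh            # review what will run as root
#   sha256_of openvpn-install.sh       # record this value as PINNED_SHA256
#   verify_pinned openvpn-install.sh "$PINNED_SHA256" && sudo bash openvpn-install.sh
```

Keep the reviewed copy and its digest together so that later servers are built from the same file rather than from a fresh download.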

Run the openvpn-install.sh script to install and configure the OpenVPN server automatically:

$ sudo bash openvpn-install.sh

When prompted set IP address to 104.237.156.154 (replace 104.237.156.154 with your actual IP address) and Port to 1194 (or 443 if you are not using a web server). Use Google or OpenDNS DNS servers with the vpn. Next, type client name (such as iPhone, Nexus6, LinuxRouter, BackupServer etc). Finally, press [Enter] key to install and setup OpenVPN on your system:



That is all. Your OpenVPN server has been configured and is ready to use. You can see the firewall rules the script added to the /etc/rc.local file using the cat command:

$ cat /etc/rc.local

Sample outputs:

#!/bin/sh -e
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 104.237.156.154
exit 0

You can view your openvpn server config file generated by the script as follows (do not edit this file by hand):

$ sudo more /etc/openvpn/server.conf

$ sudo vi -M /etc/openvpn/server.conf

Sample outputs:

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 173.230.155.5"
push "dhcp-option DNS 173.255.212.5"
push "dhcp-option DNS 173.255.219.5"
push "dhcp-option DNS 173.255.241.5"
push "dhcp-option DNS 173.255.243.5"
push "dhcp-option DNS 173.255.244.5"
push "dhcp-option DNS 173.230.145.5"
push "dhcp-option DNS 173.230.147.5"
push "dhcp-option DNS 74.207.241.5"
push "dhcp-option DNS 74.207.242.5"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
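To review the generated server.conf without editing it, the following added example (not part of the original tutorial or the installer) reads the file and reports on the security-relevant directives that appear in the sample above: compression, data cipher, control-channel key, TLS floor, CRL checking and privilege drop. The function names and the embedded sample file are constructed for illustration, and the notes reflect OpenVPN 2.4 option names.

```bash
#!/usr/bin/env bash
# Added example: review security-relevant directives in an OpenVPN server.conf.

# conf_value FILE DIRECTIVE: print the first matching directive's arguments;
# the exit status is 0 only if the directive is present.
conf_value() {
    awk -v d="$2" '
        /^[ \t]*[#;]/ || NF == 0 { next }   # skip comments and blank lines
        $1 == d { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# audit_openvpn_conf FILE: print one "LEVEL directive: note" line per check.
audit_openvpn_conf() {
    local f v d
    f=$1
    [ -r "$f" ] || { echo "ERROR cannot read $f"; return 2; }
    if v=$(conf_value "$f" comp-lzo) && [ "$v" != "no" ]; then
        echo "WARN comp-lzo: compression before encryption can leak plaintext via packet length"
    fi
    v=$(conf_value "$f" cipher) || v="(not set)"
    case $v in
        *-GCM) echo "OK cipher: $v is an AEAD cipher" ;;
        *)     echo "INFO cipher: $v; AES-256-GCM (AEAD) is available from OpenVPN 2.4" ;;
    esac
    if conf_value "$f" tls-crypt >/dev/null; then
        echo "OK tls-crypt: control channel authenticated and encrypted"
    elif conf_value "$f" tls-auth >/dev/null; then
        echo "INFO tls-auth: control channel authenticated only; tls-crypt (2.4+) also encrypts it"
    else
        echo "WARN tls-auth: no control-channel pre-shared key configured"
    fi
    conf_value "$f" tls-version-min >/dev/null ||
        echo "WARN tls-version-min: no minimum TLS version pinned"
    for d in crl-verify user group; do
        if v=$(conf_value "$f" "$d"); then
            echo "OK $d: $v"
        elif [ "$d" = crl-verify ]; then
            echo "WARN crl-verify: revoked client certificates would still be accepted"
        else
            echo "WARN $d: daemon does not drop root privileges"
        fi
    done
}

# Constructed sample input: security-relevant lines of the server.conf shown above.
write_sample_conf() {
    cat > "$1" <<'EOF'
auth SHA512
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
crl-verify crl.pem
EOF
}
```

On the real server, run it as `sudo bash -c '. ./audit.sh; audit_openvpn_conf /etc/openvpn/server.conf'`, where audit.sh is whatever file name you saved the block under.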

How do I start/stop/restart OpenVPN server on a Debian Linux 9.x/8.x LTS?

Type the following command to stop the OpenVPN service:

$ sudo systemctl stop openvpn@server

Type the following command to start the OpenVPN service:

$ sudo systemctl start openvpn@server

Type the following command to restart the OpenVPN service:

$ sudo systemctl restart openvpn@server

Step 4 – Client configuration

On the server you will find a client configuration file called ~/macos-vpn-client.ovpn. All you have to do is copy this file to your local desktop using scp and provide it to your OpenVPN client to connect:

$ scp vivek@104.237.156.154:~/macos-vpn-client.ovpn .

Next, you need to download OpenVPN client as per your operating system:

MacOS/OS X OpenVPN client configuration

First, install the OpenVPN macOS client. Next, double click on the macos-vpn-client.ovpn file and it will open in your Tunnelblick client. Click on “Only me” to install it.



Once installed, click on the Connect button and you will be online. Use the following command to verify that your public IP changed to the VPN server IP (type on your Linux/Unix/MacOS desktop):

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

Sample outputs:

"104.237.156.154"

You can ping the OpenVPN server's private IP:

$ ping 10.8.0.1

Sample outputs:

PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=287.760 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=283.046 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=278.271 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=283.679 ms
^C
--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 278.271/283.189/287.760/3.367 ms

Linux OpenVPN client configuration

Install the openvpn client on RHEL/CentOS Linux using the yum command:

$ sudo yum install openvpn

OR, install the openvpn client on Debian/Ubuntu Linux using the apt command:

$ sudo apt install openvpn

Next, copy macos-vpn-client.ovpn as follows:

$ sudo cp macos-vpn-client.ovpn /etc/openvpn/client.conf

Test connectivity from the CLI:

$ sudo openvpn --client --config /etc/openvpn/client.conf

Your Linux system will automatically connect when the computer restarts, using the /etc/init.d/openvpn script:

$ sudo /etc/init.d/openvpn start

For a systemd-based system, use the following command:

$ sudo systemctl start openvpn@client

Test the connectivity:

$ ping 10.8.0.1 # Ping to OpenVPN server gateway

$ ip route # Make sure routing setup

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com # Make sure your public IP set to OpenVPN server

FreeBSD OpenVPN client configuration

First, install the openvpn client, enter:

$ sudo pkg install openvpn

Next, copy macos-vpn-client.ovpn as follows:

$ sudo mkdir -p /usr/local/etc/openvpn/

$ sudo cp macos-vpn-client.ovpn /usr/local/etc/openvpn/client.conf

Edit /etc/rc.conf and add the following:

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/client.conf"

Start the OpenVPN service:

$ sudo /usr/local/etc/rc.d/openvpn start

Verify it:

$ ping 10.8.0.1 # Ping to OpenVPN server gateway

$ netstat -nr # Make sure routing setup

$ drill myip.opendns.com @resolver1.opendns.com # Make sure your public IP set to OpenVPN server

And there you have it, OpenVPN server installed in five minutes to increase your privacy on your very own Debian 9.x/8.x server hosted in the cloud.

