Debian 10 Set Up OpenVPN Server In 5 Minutes

ADVERTISEMENTS



Procedure: Debian 10 Set Up OpenVPN Server In 5 Minutes

I am a new Debian Linux 10 server user. How do I set up an OpenVPN Server on Debian Linux version 10 server to shield my browsing activity from bad guys on public Wi-Fi, and more?OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is an open source software and distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as wifi network at the airport or hotel. VPN is also required to access your corporate or enterprise or home server resources. You can bypass the geo-blocked site and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN server on Debian Linux 10 server.

The steps are as follows:

Step 1 – Update your system

Run the apt command :

{vivek@deb10:~ }$ sudo apt update

{vivek@deb10:~ }$ sudo apt upgrade

Step 2 – Find and note down your IP address

Use the ip command as follows:

{vivek@deb10:~ }$ ip a

{vivek@deb10:~ }$ ip a show eth0



Another option is to run the following dig command/host command to find out your public IP address from Linux command line:

{vivek@deb10:~ }$ dig +short myip.opendns.com @resolver1.opendns.com

OR

{vivek@deb10:~ }$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}'

A note about IP address

Most cloud servers have two types of IP address:

Public static IP address directly assigned to your box and routed from the Internet. For example, Linode, Digital Ocean, and others gives you direct public IP address. Private static IP address directly attached to your server and your server is behind NAT with public IP address. For example, AWS EC2/Lightsail give you this kind of NAT public IP address.

The script will automatically detect your networking setup. All you have to do is provide correct IP address when asked for it.

Step 3 – Download and run debian10-vpn.sh script

I am going to use the wget command:

{vivek@deb10:~ }$ wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O debian10-vpn.sh



Setup permissions using the chmod command {vivek@deb10:~ }$ chmod +x debian10-vpn.sh

One can view the script using a text editor such as vim/vi :

{vivek@deb10:~ }$ vi debian10-vpn.sh

Run debian10-vpn.sh to install OpenVPN server

Now all you have to do is:

{vivek@deb10:~ }$ sudo ./debian10-vpn.sh

Sample session from AWS EC2/Lightsail where my cloud server is behind NAT:



Sample session from Linode/DO server where cloud server has direct public IPv4 address:



To avoid problem always choose DNS as 1.1.1.1 or Google DNS. Those are fast DNS server and reached from anywhere on the Internet. Okay, that was all script needed. We are ready to setup your OpenVPN server now. You will be able to generate a client at the end of the installation as follows:



How do I start/stop/restart OpenVPN server on Debian 10 ?

{vivek@deb10:~ }$ sudo systemctl stop openvpn@server # <--- stop server

{vivek@deb10:~ }$ sudo systemctl start openvpn@server # <--- start server

{vivek@deb10:~ }$ sudo systemctl restart openvpn@server # <--- restart server

{vivek@deb10:~ }$ sudo systemctl status openvpn@server # <--- get server status



Step 4 – Connect an OpenVPN server using IOS/Android/Linux/Windows client

On server your will find a client configuration file called ~/linuxDesktop.ovpn. All you have to do is copy this file to your local desktop using the scp command:

{vivek@deb10:~ }$ scp vivek@:~/linuxDesktop.ovpn .

OR

{vivek@deb10:~ }$ scp root@:~/linuxDesktop.ovpn .

Next, provide this file to your OpenVPN client to connect:

Linux Desktop: OpenVPN client configuration

First, install the openvpn client for your desktop, enter:

{vivek@deb10:~ }$ sudo yum install openvpn

OR

{vivek@deb10:~ }$ sudo apt install openvpn

Next, copy linuxDesktop.ovpn as follows:

{vivek@deb10:~ }$ sudo cp linuxDesktop.ovpn /etc/openvpn/client/

'linuxDesktop.ovpn' -> '/etc/openvpn/client/linuxDesktop.ovpn'

Test connectivity from the CLI:

{vivek@deb10:~ }$ sudo openvpn --client --config /etc/openvpn/client/linuxDesktop.ovpn

Sample outputs:

Sat Jul 13 21 : 56 :07 2019 Unrecognized option or missing or extra parameter ( s ) in /etc/openvpn/client/linuxDesktop.ovpn: 17 : block-outside-dns ( 2.4.7 ) Sat Jul 13 21 : 56 :07 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [ SSL ( OpenSSL ) ] [ LZO ] [ LZ4 ] [ EPOLL ] [ PKCS11 ] [ MH/PKTINFO ] [ AEAD ] built on Feb 20 2019 Sat Jul 13 21 : 56 :07 2019 library versions: OpenSSL 1.1.1c FIPS 28 May 2019 , LZO 2.08 Sat Jul 13 21 : 56 :07 2019 Outgoing Control Channel Encryption: Cipher 'AES- 256 -CTR' initialized with 256 bit key Sat Jul 13 21 : 56 :07 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Sat Jul 13 21 : 56 :07 2019 Incoming Control Channel Encryption: Cipher 'AES- 256 -CTR' initialized with 256 bit key Sat Jul 13 21 : 56 :07 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Sat Jul 13 21 : 56 :07 2019 TCP/UDP: Preserving recently used remote address: [ AF_INET ] 172.105.51.63: 1194 Sat Jul 13 21 : 56 :07 2019 Socket Buffers: R = [ 212992->212992 ] S = [ 212992->212992 ] Sat Jul 13 21 : 56 :07 2019 UDP link local: ( not bound ) Sat Jul 13 21 : 56 :07 2019 UDP link remote: [ AF_INET ] 172.105.51.63: 1194 Sat Jul 13 21 : 56 :07 2019 TLS: Initial packet from [ AF_INET ] 172.105.51.63: 1194 , sid = 0efbc848 675b12c1 Sat Jul 13 21 : 56 :07 2019 VERIFY OK: depth = 1, CN=cn_46pSC1RkaXtUzj8E Sat Jul 13 21 : 56 :07 2019 VERIFY KU OK Sat Jul 13 21 : 56 :07 2019 Validating certificate extended key usage Sat Jul 13 21 : 56 :07 2019 ++ Certificate has EKU ( str ) TLS Web Server Authentication, expects TLS Web Server Authentication Sat Jul 13 21 : 56 :07 2019 VERIFY EKU OK Sat Jul 13 21 : 56 :07 2019 VERIFY X509NAME OK: CN = server_CfvC2CLjZBl46fYN Sat Jul 13 21 : 56 :07 2019 VERIFY OK: depth = 0, CN=server_CfvC2CLjZBl46fYN Sat Jul 13 21 : 56 :07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1 Sat Jul 13 21 : 56 :07 2019 [ server_CfvC2CLjZBl46fYN ] Peer Connection Initiated with [ AF_INET ] 172.105.51.63: 1194 Sat Jul 13 21 : 56 :08 2019 SENT CONTROL [ server_CfvC2CLjZBl46fYN ] : 'PUSH_REQUEST' ( status = 1 ) Sat Jul 13 21 : 56 :08 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 1.0.0.1,dhcp-option DNS 1.1.1.1,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10 ,ping-restart 120 ,ifconfig 10.8.0.2 255.255.255.0,peer-id 0 ,cipher AES- 128 -GCM' Sat Jul 13 21 : 56 :08 2019 OPTIONS IMPORT: timers and/or timeouts modified Sat Jul 13 21 : 56 :08 2019 OPTIONS IMPORT: --ifconfig/up options modified Sat Jul 13 21 : 56 :08 2019 OPTIONS IMPORT: route options modified Sat Jul 13 21 : 56 :08 2019 OPTIONS IMPORT: route-related options modified Sat Jul 13 21 : 56 :08 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Sat Jul 13 21 : 56 :08 2019 OPTIONS IMPORT: peer-id set Sat Jul 13 21 : 56 :08 2019 OPTIONS IMPORT: adjusting link_mtu to 1624 Sat Jul 13 21 : 56 :08 2019 OPTIONS IMPORT: data channel crypto options modified Sat Jul 13 21 : 56 :08 2019 Outgoing Data Channel: Cipher 'AES- 128 -GCM' initialized with 128 bit key Sat Jul 13 21 : 56 :08 2019 Incoming Data Channel: Cipher 'AES- 128 -GCM' initialized with 128 bit key Sat Jul 13 21 : 56 :08 2019 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE = wlp1s0 HWADDR=b4:6b:fc:32:7a:12 Sat Jul 13 21 : 56 :08 2019 TUN/TAP device tun0 opened Sat Jul 13 21 : 56 :08 2019 TUN/TAP TX queue length set to 100 Sat Jul 13 21 : 56 :08 2019 /sbin/ip link set dev tun0 up mtu 1500 Sat Jul 13 21 : 56 :08 2019 /sbin/ip addr add dev tun0 10.8.0.2/ 24 broadcast 10.8.0.255 Sat Jul 13 21 : 56 :08 2019 /sbin/ip route add 172.105.51.63/ 32 via 192.168.1.1 Sat Jul 13 21 : 56 :08 2019 /sbin/ip route add 0.0.0.0/ 1 via 10.8.0.1 Sat Jul 13 21 : 56 :08 2019 /sbin/ip route add 128.0.0.0/ 1 via 10.8.0.1 Sat Jul 13 21 : 56 :08 2019 Initialization Sequence Completed Sat Jul 13 21:56:07 2019 Unrecognized option or missing or extra parameter(s) in /etc/openvpn/client/linuxDesktop.ovpn:17: block-outside-dns (2.4.7) Sat Jul 13 21:56:07 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019 Sat Jul 13 21:56:07 2019 library versions: OpenSSL 1.1.1c FIPS 28 May 2019, LZO 2.08 Sat Jul 13 21:56:07 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Sat Jul 13 21:56:07 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Sat Jul 13 21:56:07 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Sat Jul 13 21:56:07 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Sat Jul 13 21:56:07 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]172.105.51.63:1194 Sat Jul 13 21:56:07 2019 Socket Buffers: R=[212992->212992] S=[212992->212992] Sat Jul 13 21:56:07 2019 UDP link local: (not bound) Sat Jul 13 21:56:07 2019 UDP link remote: [AF_INET]172.105.51.63:1194 Sat Jul 13 21:56:07 2019 TLS: Initial packet from [AF_INET]172.105.51.63:1194, sid=0efbc848 675b12c1 Sat Jul 13 21:56:07 2019 VERIFY OK: depth=1, CN=cn_46pSC1RkaXtUzj8E Sat Jul 13 21:56:07 2019 VERIFY KU OK Sat Jul 13 21:56:07 2019 Validating certificate extended key usage Sat Jul 13 21:56:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Sat Jul 13 21:56:07 2019 VERIFY EKU OK Sat Jul 13 21:56:07 2019 VERIFY X509NAME OK: CN=server_CfvC2CLjZBl46fYN Sat Jul 13 21:56:07 2019 VERIFY OK: depth=0, CN=server_CfvC2CLjZBl46fYN Sat Jul 13 21:56:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1 Sat Jul 13 21:56:07 2019 [server_CfvC2CLjZBl46fYN] Peer Connection Initiated with [AF_INET]172.105.51.63:1194 Sat Jul 13 21:56:08 2019 SENT CONTROL [server_CfvC2CLjZBl46fYN]: 'PUSH_REQUEST' (status=1) Sat Jul 13 21:56:08 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 1.0.0.1,dhcp-option DNS 1.1.1.1,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' Sat Jul 13 21:56:08 2019 OPTIONS IMPORT: timers and/or timeouts modified Sat Jul 13 21:56:08 2019 OPTIONS IMPORT: --ifconfig/up options modified Sat Jul 13 21:56:08 2019 OPTIONS IMPORT: route options modified Sat Jul 13 21:56:08 2019 OPTIONS IMPORT: route-related options modified Sat Jul 13 21:56:08 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Sat Jul 13 21:56:08 2019 OPTIONS IMPORT: peer-id set Sat Jul 13 21:56:08 2019 OPTIONS IMPORT: adjusting link_mtu to 1624 Sat Jul 13 21:56:08 2019 OPTIONS IMPORT: data channel crypto options modified Sat Jul 13 21:56:08 2019 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key Sat Jul 13 21:56:08 2019 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key Sat Jul 13 21:56:08 2019 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp1s0 HWADDR=b4:6b:fc:32:7a:12 Sat Jul 13 21:56:08 2019 TUN/TAP device tun0 opened Sat Jul 13 21:56:08 2019 TUN/TAP TX queue length set to 100 Sat Jul 13 21:56:08 2019 /sbin/ip link set dev tun0 up mtu 1500 Sat Jul 13 21:56:08 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255 Sat Jul 13 21:56:08 2019 /sbin/ip route add 172.105.51.63/32 via 192.168.1.1 Sat Jul 13 21:56:08 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1 Sat Jul 13 21:56:08 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1 Sat Jul 13 21:56:08 2019 Initialization Sequence Completed

Your Linux system will automatically connect when computer restart using openvpn script/service:

{vivek@deb10:~ }$ sudo systemctl start openvpn@client #

Step 5 - Verify/test the connectivity

Execute the following commands after connecting to OpenVPN server from your Linux desktop:

{vivek@deb10:~ }$ ping 10.8.0.1 #Ping to the OpenVPN server gateway

{vivek@deb10:~ }$ ip route #Make sure routing setup working

{vivek@deb10:~ }$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Must return public IP address of OpenVPN server

172.105.51.63

Step 6 - Add/delete/revoke VPN users

Now that OpenVPN is already installed and running, it is time to add a new user or delete existing VPN users. We can do this smoothly by running the debian10-vpn.sh script again. Type the following command on youe OpenVPN Debian Linux v10 server:

ssh vivek@my-debian-10-server

sudo ./debian10-vpn.sh



A note about trouble shooting OpenVPN server and client issues

Check OpenVPN server for errors:

{vivek@deb10:~ }$ journalctl --identifier ovpn-server



{vivek@deb10:~ }$ sudo iptables -t nat -L -n -v

{vivek@deb10:~ }$ sysctl net.ipv4.ip_forward

{vivek@deb10:~ }$ sudo sh /etc/rc.local

{vivek@deb10:~ }$ sudo sysctl -w net.ipv4.ip_forward=1

{vivek@deb10:~ }$ netstat -tulpn | grep :1194 ## 1194 is the openvpn server port ##

{vivek@deb10:~ }$ ss -tulpn | grep :1194 ## 1194 is the openvpn server port ##

{vivek@deb10:~ }$ ps aux | grep openvpn ## is the openvpn server running? ##

{vivek@deb10:~ }$ ps -C openvpn ## is the openvpn server running? ##

{vivek@deb10:~ }$ pidof openvpn ## find the openvpn server PID ##

{vivek@deb10:~ }$ sudo systemctl restart openvpn@server

{vivek@deb10:~ }$ sudo systemctl status openvpn@server

{vivek@deb10:~ }$ nc -vu 1194

Connection to 1194 port [udp/openvpn] succeeded!

Conclusion

Is firewall rule setup correctly on your server? Use the iptables command and sysctl command commands to verify NAT rule setup on your server:Insert the rules if not inserted from /etc/rc.localIs OpenVPN server running and port is open? Use the ss command or netstat command and pidof command /ps command:If not running, restart the OpenVPN server:Look out for errors:Can the Linux desktop client connect to the OpenVPN server machine? First you need to run a simple test to see if the OpenVPN server port (UDP 1194) accepts connections:If not connected it means either a Linux desktop firewall or your router is blocking access to server. Make sure both client and server using same protocol and port, e.g. UDP port 1194.

Congratulations. You successfully set up an OpenVPN server on Debian Linux 10 server running in the cloud. See the OpenVPN website here and script page here for additional information.

