How to install and configure OpenVPN on Debian 10

OpenVPN is a free and open source VPN solution. A VPN secures your data communications by carrying them through an encrypted tunnel over an untrusted network. OpenVPN implements an OSI layer 2 or layer 3 secure network extension using the SSL/TLS protocol. A VPN allows you to connect securely over an insecure public network such as the WiFi network at an airport or hotel. Many companies also use a VPN to reach corporate, enterprise or home server resources. You can also bypass geo-blocked sites and increase your privacy or safety online.

Step 1: Find your public IP address

First find out the name of your network interface. Type the following ip command:

ip -br addr show

where:

-br    Print only basic information in a tabular format for better readability

addr   Select the address object (the addresses assigned to each interface)

show   Print information about the address object

Output:

lo               UNKNOWN        127.0.0.1/8 ::1/128 
ens3             UP             XXX.XXX.XXX.XXX/32 XXX.XXX.XXX.XXX/8 XXXX:XXXX:XXXX:XXXX::1/128 XXXX::XXX:XXXX:XXXX:XXXX/64 

Next, find the IPv4 public address assigned to that interface. If your interface name is ens3, type the following ip command:

ip addr show ens3

Note down the public IP address XXX.XXX.XXX.XXX; it is the public IP address of your OpenVPN server, and the installer asks for it in Step 3.
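Picking the address out of the brief output by hand is error-prone when an interface carries several addresses. The following added example (not part of the original article) reads the output of ip -br addr show on stdin, takes the first IPv4 address of a non-loopback interface that is UP, and refuses private, loopback and link-local ranges, which are never the public address the installer needs. If the interface only carries a private address (a server behind NAT), that is not the public IP the article asks you to note down.

```shell
#!/bin/sh
# Added example, not part of the original article: pick the IPv4 address that
# "ip -br addr show" reports on the first non-loopback interface that is UP, and
# refuse RFC 1918, loopback and link-local ranges, which are never public.
is_private_ipv4() {
    case "$1" in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Usage: ip -br addr show | public_ipv4_from_brief
# Prints the address without its prefix length; returns 1 if none qualifies.
public_ipv4_from_brief() {
    while read -r ifname state rest; do
        [ "$ifname" = "lo" ] && continue
        [ "$state" = "UP" ] || continue
        for cidr in $rest; do
            case "$cidr" in *:*) continue ;; esac   # IPv6 entry, skip
            addr=${cidr%/*}
            if ! is_private_ipv4 "$addr"; then
                printf '%s\n' "$addr"
                return 0
            fi
        done
    done
    return 1
}

# Constructed sample in the same layout as the article's output
# (203.0.113.0/24 is a documentation range standing in for a real public IP).
SAMPLE='lo               UNKNOWN        127.0.0.1/8 ::1/128
ens3             UP             203.0.113.10/32 10.0.0.5/8 2001:db8::1/128'

printf '%s\n' "$SAMPLE" | public_ipv4_from_brief
```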

Step 2: Update your system and install ufw

Type the apt-get command / apt command to update your system:

apt-get update && apt-get upgrade

Install ufw (Uncomplicated Firewall)
Set up the OpenVPN server on Debian 10 together with a firewall to secure and harden it. To install ufw on Debian 10, 9 or 8, type the following apt-get command / apt command:

apt-get install ufw

Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  ufw
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 164 kB of archives.
After this operation, 852 kB of additional disk space will be used.
Get:1 http://debian.mirror.serveriai.lt/debian buster/main amd64 ufw all 0.36-1 [164 kB]
Fetched 164 kB in 0s (3237 kB/s)
apt-listchanges: Can't set locale; make sure $LC_* and $LANG are correct!
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "lt_LT.UTF-8",
	LC_MONETARY = "lt_LT.UTF-8",
	LC_ADDRESS = "lt_LT.UTF-8",
	LC_TELEPHONE = "lt_LT.UTF-8",
	LC_NAME = "lt_LT.UTF-8",
	LC_MEASUREMENT = "lt_LT.UTF-8",
	LC_IDENTIFICATION = "lt_LT.UTF-8",
	LC_NUMERIC = "lt_LT.UTF-8",
	LC_PAPER = "lt_LT.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
locale: Cannot set LC_ALL to default locale: No such file or directory
Preconfiguring packages ...
Selecting previously unselected package ufw.
(Reading database ... 96901 files and directories currently installed.)
Preparing to unpack .../archives/ufw_0.36-1_all.deb ...
Unpacking ufw (0.36-1) ...
Setting up ufw (0.36-1) ...
locale: Cannot set LC_ALL to default locale: No such file or directory

Creating config file /etc/ufw/before.rules with new version

Creating config file /etc/ufw/before6.rules with new version

Creating config file /etc/ufw/after.rules with new version

Creating config file /etc/ufw/after6.rules with new version
Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service → /lib/systemd/system/ufw.service.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for rsyslog (8.1901.0-1) ...
Processing triggers for systemd (241-7~deb10u1) ...

You must open the ports you need, such as the SSH port 22, 80, 443 and so on, before enabling the firewall, otherwise you lock yourself out of the server. Allow the SSH port that sshd actually listens on (the sample ufw status output below shows 9922 in place of 22):

ufw allow 22
ufw allow 80
ufw allow 443

Enable the firewall, run:

ufw enable

Sample outputs:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Verify the firewall rules:

ufw status

Sample outputs:

Status: active

To                         Action      From
--                         ------      ----
9922                       ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
9922 (v6)                  ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)   
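The ordering above (allow first, enable last) only protects your session if the allowed port is the one sshd really uses. The following added example (not from the original article) reads the Port directive from sshd_config and prints the ufw commands in the article's order, so the plan can be reviewed before it is run as root. The sample sshd_config is constructed and mirrors the 9922 port seen in the status output.

```shell
#!/bin/sh
# Added example, not part of the original article: derive the ufw rules from the
# port sshd really listens on before running "ufw enable", so the firewall cannot
# drop the SSH session you are working from. The article's sample "ufw status"
# shows 9922 in place of 22, which is exactly the case this guards against.

# Print the Port value(s) from a sshd_config file (default 22 when none is set).
# Only uncommented "Port N" lines are read; ListenAddress host:port is ignored.
sshd_ports() {
    conf=${1:-/etc/ssh/sshd_config}
    ports=$(sed -n 's/^[[:space:]]*[Pp]ort[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$conf")
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# Print the ufw commands in the order the article uses: allow first, enable last.
# $1 = sshd_config path, $2 = OpenVPN listener (default 1194/udp, the article's).
# Review the output, then run the lines as root.
ufw_plan() {
    for p in $(sshd_ports "$1"); do
        echo "ufw allow $p/tcp"      # SSH port(s) actually in use
    done
    echo "ufw allow 80/tcp"          # web ports, as in the article
    echo "ufw allow 443/tcp"
    echo "ufw allow ${2:-1194/udp}"  # OpenVPN listener chosen in Step 3
    echo "ufw enable"
}

# Constructed sshd_config with a non-default port, mirroring the 9922 seen above.
SAMPLE_SSHD_CONF=$(mktemp)
printf '#Port 22\nPort 9922\nPermitRootLogin no\n' > "$SAMPLE_SSHD_CONF"

ufw_plan "$SAMPLE_SSHD_CONF"
```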

Step 3: Download openvpn-install.sh script

Type the following wget command:

wget https://git.io/vpn -O openvpn-install.sh

Sample outputs:

--2019-09-25 21:08:20--  https://git.io/vpn
Resolving git.io (git.io)... 52.206.196.238, 52.20.12.96, 3.214.169.236, ...
Connecting to git.io (git.io)|52.206.196.238|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2019-09-25 21:08:21--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.112.133
Connecting to raw.github.com (raw.github.com)|151.101.112.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2019-09-25 21:08:21--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.112.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.112.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14955 (15K) [text/plain]
Saving to: ‘openvpn-install.sh’

openvpn-install.sh                                 100%[================================================================================================================>]  14.60K  --.-KB/s    in 0.02s   

2019-09-25 21:08:21 (660 KB/s) - ‘openvpn-install.sh’ saved [14955/14955]

Run the openvpn-install.sh script; it installs and configures the OpenVPN server for you:

chmod +x openvpn-install.sh && ./openvpn-install.sh

When prompted, set the IP address to XXX.XXX.XXX.XXX (replace XXX.XXX.XXX.XXX with the actual public IP address you noted in Step 1) and the port to 1194 (or 443 if you are not running a web server). Use Google or OpenDNS DNS servers with the VPN. Next, type a client name. Finally, press the [Enter] key to install and set up OpenVPN on your system.

Sample outputs:

Welcome to this OpenVPN "road warrior" installer!

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

First, provide the IPv4 address of the network interface you want OpenVPN
listening to.
IP address: XXX.XXX.XXX.XXX

Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1-2]: 1

What port do you want OpenVPN listening to?
Port: 1194

Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1-5]: 1

Finally, tell me your name for the client certificate.
Please, use one word only, no special characters.
Client name: PRADO

Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...

That is all. Your OpenVPN server has been configured and is ready to use. The script also adds its own iptables rules, including the one that opens UDP port 1194, to the /etc/rc.local file; view them with the cat command:

cat /etc/rc.local

Sample outputs:

#!/bin/bash

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to XXX.XXX.XXX.XXX

exit 0

You can view your openvpn server config file generated by the script as follows (do not edit this file by hand):

more /etc/openvpn/server/server.conf
vi -M /etc/openvpn/server/server.conf

Sample outputs:

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 194.135.89.143"
push "dhcp-option DNS 194.135.85.143"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
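Since the file is generated and not meant to be edited by hand, it is worth checking after any reinstall or upgrade that the hardening directives shown above are still in place. The following added example (not from the article or the installer script) audits a server.conf against that baseline and flags a few values that must never appear; the sample config is constructed and modelled on the article's output.

```shell
#!/bin/sh
# Added example, not from the article or the installer script: audit a generated
# server.conf against the hardening baseline the article's sample shows (SHA512
# HMAC, tls-auth, cipher, privilege drop to nobody/nogroup, CRL checking) and
# flag values that must not appear. Prints one line per finding; the return
# value is the number of problems, so 0 means the file matches the baseline.
audit_openvpn_conf() {
    conf=$1
    problems=0
    required='^auth SHA512$
^tls-auth ta\.key 0$
^cipher AES-256-CBC$
^user nobody$
^group nogroup$
^crl-verify crl\.pem$
^persist-key$
^persist-tun$'
    forbidden='^auth (none|MD5|SHA1)$
^cipher (none|BF-CBC|DES-CBC)$
^user root$
^duplicate-cn$'
    old_ifs=$IFS
    IFS='
'
    for rx in $required; do                       # every baseline line present?
        grep -Eq "$rx" "$conf" || { echo "missing: $rx"; problems=$((problems + 1)); }
    done
    for rx in $forbidden; do                      # no weak or dangerous values?
        if grep -Eq "$rx" "$conf"; then
            echo "forbidden: $(grep -E "$rx" "$conf")"; problems=$((problems + 1))
        fi
    done
    IFS=$old_ifs
    return "$problems"
}

# Constructed config modelled on the article's sample (keys, DNS, IPs omitted).
GOOD_CONF=$(mktemp)
printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'auth SHA512' 'tls-auth ta.key 0' \
    'server 10.8.0.0 255.255.255.0' 'cipher AES-256-CBC' 'user nobody' \
    'group nogroup' 'persist-key' 'persist-tun' 'crl-verify crl.pem' > "$GOOD_CONF"

audit_openvpn_conf "$GOOD_CONF" && echo "server.conf matches the baseline"
```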

How do I start / stop / restart OpenVPN server on a Debian Linux 10.x / 9.x / 8.x LTS?
Type the following command to stop the OpenVPN service:

systemctl stop openvpn@server

Type the following command to start the OpenVPN service:

systemctl start openvpn@server

Type the following command to restart the OpenVPN service:

systemctl restart openvpn@server

Linux OpenVPN client configuration
Install the openvpn client on CentOS Linux using the yum command:

yum install openvpn

Or, install the openvpn client on Debian / Ubuntu Linux using the apt command:

apt-get install openvpn

Next, copy PRADO.ovpn (the client profile the installer generated on the server; it contains the client's private key, so transfer it to the client over a secure channel such as scp) as follows:

cp PRADO.ovpn /etc/openvpn/client.conf

Test connectivity from the CLI:

openvpn --client --config /etc/openvpn/client.conf

Your Linux system will connect automatically when the computer restarts. On a SysV init system, use the /etc/init.d/openvpn script:

/etc/init.d/openvpn start

On a systemd based system, use the following command:

systemctl start openvpn@client

Test the connectivity:

ping 10.8.0.1 # Ping the OpenVPN server gateway
ip route # Make sure the routing is set up
dig TXT +short o-o.myaddr.l.google.com @ns1.google.com # Make sure your public IP is now that of the OpenVPN server
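"Make sure the routing is set up" means checking for the routes that redirect-gateway def1 (pushed by the server config above) installs: two half-default routes, 0.0.0.0/1 and 128.0.0.0/1, via the tunnel gateway, which are more specific than the original default route and therefore win without deleting it. The following added example (not from the original article) verifies this on ip route output; the gateway 10.8.0.1 is the article's, the tun0 device name and the sample routing table are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: check that a connected
# client's routing table really sends all traffic through the tunnel. The server
# pushes "redirect-gateway def1", which OpenVPN implements by adding two routes,
# 0.0.0.0/1 and 128.0.0.0/1, via the tunnel gateway; being more specific, they
# beat the original default route without deleting it. Reads "ip route" on stdin.

rx_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }   # literal dots in a regex

# Usage: ip route | vpn_routes_ok 10.8.0.1   (10.8.0.1 is the article's gateway)
vpn_routes_ok() {
    gw_rx=$(rx_escape "$1")
    routes=$(cat)
    for half in 0.0.0.0/1 128.0.0.0/1; do
        half_rx=$(rx_escape "$half")
        if ! printf '%s\n' "$routes" | grep -Eq "^$half_rx via $gw_rx dev tun[0-9]+"; then
            echo "missing tunnel route: $half via $1"
            return 1
        fi
    done
    # The original default route must survive (def1 never deletes it).
    if ! printf '%s\n' "$routes" | grep -Eq '^default via '; then
        echo "no default route left"
        return 1
    fi
    echo "all traffic is routed via $1"
}

# Constructed "ip route" output from a client connected to the article's server
# (203.0.113.10 stands in for the server's public IP).
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0'

printf '%s\n' "$SAMPLE_ROUTES" | vpn_routes_ok 10.8.0.1
```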
