OpenVPN is a free and open source VPN solution. A VPN secures your data communications: OpenVPN implements an OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. A VPN lets you connect securely over an untrusted network such as the WiFi at an airport or hotel. Many companies also use a VPN to reach corporate, enterprise or home server resources, and you can use one to bypass geo-blocked sites and increase your privacy online.
Step 1: Find your public IP address
To list your network interfaces and their addresses, type the following ip command:
ip -br addr show
where:
-br  Print only basic information in a tabular format for better readability
addr  Operate on the address objects of this device
show  Print information about those address objects
Output:
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens3             UP             XXX.XXX.XXX.XXX/32 XXX.XXX.XXX.XXX/8 XXXX:XXXX:XXXX:XXXX::1/128 XXXX::XXX:XXXX:XXXX:XXXX/64
To see the IPv4 address of a single interface, ens3 here, type the following ip command:
ip addr show ens3
Note down the public IP address XXX.XXX.XXX.XXX; it is the address your OpenVPN server listens on and the one clients connect to. If the server sits behind NAT (for example a cloud instance whose ens3 carries a private address), the interface shows the private address, and clients must instead use the public address your provider assigns.
Step 2: Update your system and install ufw
Type the apt-get command / apt command to update your system:
apt-get update && apt-get upgrade
Install ufw (Uncomplicated Firewall)
Set up the OpenVPN server on Debian 10 together with a host firewall to harden it. To install ufw on Debian 10, 9 or 8, type the following apt-get command / apt command:
apt-get install ufw
Sample outputs:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ufw
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 164 kB of archives.
After this operation, 852 kB of additional disk space will be used.
Get:1 http://debian.mirror.serveriai.lt/debian buster/main amd64 ufw all 0.36-1 [164 kB]
Fetched 164 kB in 0s (3237 kB/s)
apt-listchanges: Can't set locale; make sure $LC_* and $LANG are correct!
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "lt_LT.UTF-8",
	LC_MONETARY = "lt_LT.UTF-8",
	LC_ADDRESS = "lt_LT.UTF-8",
	LC_TELEPHONE = "lt_LT.UTF-8",
	LC_NAME = "lt_LT.UTF-8",
	LC_MEASUREMENT = "lt_LT.UTF-8",
	LC_IDENTIFICATION = "lt_LT.UTF-8",
	LC_NUMERIC = "lt_LT.UTF-8",
	LC_PAPER = "lt_LT.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
locale: Cannot set LC_ALL to default locale: No such file or directory
Preconfiguring packages ...
Selecting previously unselected package ufw.
(Reading database ... 96901 files and directories currently installed.)
Preparing to unpack .../archives/ufw_0.36-1_all.deb ...
Unpacking ufw (0.36-1) ...
Setting up ufw (0.36-1) ...
locale: Cannot set LC_ALL to default locale: No such file or directory
Creating config file /etc/ufw/before.rules with new version
Creating config file /etc/ufw/before6.rules with new version
Creating config file /etc/ufw/after.rules with new version
Creating config file /etc/ufw/after6.rules with new version
Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service → /lib/systemd/system/ufw.service.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for rsyslog (8.1901.0-1) ...
Processing triggers for systemd (241-7~deb10u1) ...
Open the ports you need, such as SSH (22) and, if the host also serves web traffic, 80 and 443. Match the SSH rule to the port your sshd actually listens on: the sample output further below was captured on a host with SSH on 9922, and enabling ufw with the wrong port locks you out of the server. The installer in Step 3 adds its own iptables rule for the OpenVPN port, but allowing that port in ufw as well (ufw allow 1194/udp for the default) keeps the whole policy visible in ufw status:
ufw allow 22
ufw allow 80
ufw allow 443
Enable the firewall, run:
ufw enable
Sample outputs:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Verify firewall rules
ufw status
Sample outputs:
Status: active

To                         Action      From
--                         ------      ----
9922                       ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
9922 (v6)                  ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
Step 3: Download openvpn-install.sh script
Type the following wget command. git.io is a URL shortener; the output below shows it redirecting to https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh, which you can fetch directly if the short link stops working. Read the script before running it as root: it installs packages, generates the CA and keys, and writes firewall rules.
wget https://git.io/vpn -O openvpn-install.sh
Sample outputs:
--2019-09-25 21:08:20--  https://git.io/vpn
Resolving git.io (git.io)... 52.206.196.238, 52.20.12.96, 3.214.169.236, ...
Connecting to git.io (git.io)|52.206.196.238|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2019-09-25 21:08:21--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.112.133
Connecting to raw.github.com (raw.github.com)|151.101.112.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2019-09-25 21:08:21--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.112.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.112.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14955 (15K) [text/plain]
Saving to: ‘openvpn-install.sh’

openvpn-install.sh  100%[================================================================================================================>]  14.60K  --.-KB/s    in 0.02s

2019-09-25 21:08:21 (660 KB/s) - ‘openvpn-install.sh’ saved [14955/14955]
Run openvpn-install.sh script to install and configure OpenVPN server automatically for you:
chmod +x openvpn-install.sh && ./openvpn-install.sh
When prompted, enter the IP address XXX.XXX.XXX.XXX (replace it with your actual public IP address), keep UDP, and set the port to 1194 (or 443 if no web server is using it; the ufw rule for 443 added above covers both TCP and UDP). Choose which DNS resolvers clients should use (the current system resolvers, 1.1.1.1, Google or OpenDNS). Next, type a client name. Finally, press the [Enter] key to install and set up OpenVPN on your system.
Sample outputs:
Welcome to this OpenVPN "road warrior" installer!

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

First, provide the IPv4 address of the network interface you want OpenVPN
listening to.
IP address: XXX.XXX.XXX.XXX

Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1-2]: 1

What port do you want OpenVPN listening to?
Port: 1194

Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1-5]: 1

Finally, tell me your name for the client certificate.
Please, use one word only, no special characters.
Client name: PRADO

Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...
That is all. Your OpenVPN server is configured and ready to use. The script writes its firewall rules to /etc/rc.local, which runs at boot independently of ufw; view them with the cat command:
cat /etc/rc.local
Sample outputs:
#!/bin/bash
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to XXX.XXX.XXX.XXX
exit 0
The two FORWARD rules let VPN clients on 10.8.0.0/24 reach other networks and receive the replies, the INPUT rule opens UDP 1194, and the nat POSTROUTING rule rewrites traffic leaving the VPN subnet so that it carries the server's public address. Because these rules live outside ufw, check with iptables -S after any ufw reload or disable/enable that they are still present, and re-run /etc/rc.local if they are not.
You can view the OpenVPN server config file generated by the script as follows (do not edit this file by hand). The pushed DNS servers come from the resolver choice made in the installer (option 1 used the system's current resolvers), clients are authenticated with certificates checked against crl.pem, the control channel is protected with tls-auth, and the daemon drops to user nobody / group nogroup once it has started:
more /etc/openvpn/server/server.conf
vi -M /etc/openvpn/server/server.conf
Sample outputs:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 194.135.89.143"
push "dhcp-option DNS 194.135.85.143"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
How do I start / stop / restart OpenVPN server on a Debian Linux 10.x / 9.x / 8.x LTS?
Because the script places its config in /etc/openvpn/server/server.conf, the systemd unit is openvpn-server@server (the older openvpn@server template looks for /etc/openvpn/server.conf instead); confirm it is running with systemctl status openvpn-server@server. Type the following command to stop the OpenVPN service:
systemctl stop openvpn-server@server
Type the following command to start the OpenVPN service:
systemctl start openvpn-server@server
Type the following command to restart the OpenVPN service:
systemctl restart openvpn-server@server
Linux OpenVPN client configuration
Install the openvpn client on CentOS Linux using yum command:
yum install openvpn
OR, Install the openvpn client on a Debian / Ubuntu Linux using apt command:
apt-get install openvpn
Next, copy the client profile PRADO.ovpn that the installer generated on the server to the client over a secure channel such as scp (it embeds the client's certificate and private key), install it as the client config, and keep it readable by root only (chmod 600):
cp PRADO.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
openvpn --client --config /etc/openvpn/client.conf
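The server.conf shown above and the client profile just installed are the two files that decide how strong the tunnel actually is. As an added example (not code from the page or from the openvpn-install script), the following Python script parses OpenVPN configuration syntax, including the inline <ca>/<key>/<tls-auth> blocks of a unified .ovpn, and flags what a reviewer would check: CBC versus AEAD cipher, the HMAC, tls-auth versus tls-crypt, tls-version-min, the privilege drop and CRL on the server, and remote-cert-tls and the expected remote on the client. The function names, the trimmed SERVER_CONF, the CLIENT_OVPN profile and its 203.0.113.10 address are all this example's own constructions, not the installer's output.

```python
"""Audit an OpenVPN config (server.conf or client .ovpn) for security-relevant
directives. Added example: not code from the page or the openvpn-install
script; the sample configs at the bottom are constructed inputs."""
import re
import shlex

def parse_openvpn_config(text):
    """Return (directives, blocks): (name, [args]) in file order, <tag>...</tag> as {tag: body}."""
    directives, blocks, block_tag, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block_tag:                           # inside <tag> ... </tag>
            if line == f"</{block_tag}>":
                blocks[block_tag] = "\n".join(body)
                block_tag, body = None, []
            else:
                body.append(raw)
            continue
        if not line or line[0] in "#;":         # blank or comment line
            continue
        tag_open = re.fullmatch(r"<([\w-]+)>", line)
        if tag_open:
            block_tag = tag_open.group(1)
            continue
        parts = shlex.split(line)               # push "a b c" stays one argument
        directives.append((parts[0], parts[1:]))
    if block_tag:
        raise ValueError(f"unterminated <{block_tag}> block")
    return directives, blocks

def audit_config(text, expect_remote=None):
    """Return (key, message) findings, [] if clean; expect_remote is the "host port" a client must use."""
    directives, blocks = parse_openvpn_config(text)
    seen = {}
    for name, args in directives:
        seen.setdefault(name, []).append(args)
    def first_arg(name):
        args = seen.get(name)
        return args[0][0] if args and args[0] else None
    f = []
    cipher = first_arg("cipher")
    if cipher is None:
        f.append(("cipher", "no cipher directive; the version default applies (BF-CBC on 2.4)"))
    elif any(w in cipher.upper() for w in ("BF", "DES", "RC2", "RC4", "NONE")):
        f.append(("cipher", f"cipher {cipher} is weak or deprecated"))
    elif cipher.upper().endswith("-CBC"):
        f.append(("cipher", f"{cipher} is a CBC fallback; 2.4+ peers normally negotiate AES-256-GCM"))
    auth = (first_arg("auth") or "SHA1").upper()            # OpenVPN's default HMAC is SHA1
    if auth in ("MD5", "SHA1", "NONE"):
        f.append(("auth", f"auth {auth}: use SHA256 or SHA512"))
    if "tls-crypt" not in seen and "tls-crypt" not in blocks:
        if "tls-auth" in seen or "tls-auth" in blocks:
            f.append(("tls-auth", "control channel only authenticated; tls-crypt (2.4+) also encrypts it"))
        else:
            f.append(("tls-auth", "no tls-auth/tls-crypt: unauthenticated packets reach the TLS stack"))
    tls_min = first_arg("tls-version-min") or "1.0"         # OpenVPN 2.4 default
    if float(tls_min) < 1.2:
        f.append(("tls-version-min", f"tls-version-min {tls_min}: require 1.2 or higher"))
    if "client" in seen:                                    # client-side checks
        if first_arg("remote-cert-tls") != "server":
            f.append(("remote-cert-tls", "missing remote-cert-tls server: a client cert could pose as the server"))
        remotes = [" ".join(a) for a in seen.get("remote", [])]
        if expect_remote and not any(r.startswith(expect_remote) for r in remotes):
            f.append(("remote", f"remote {remotes} != expected {expect_remote!r}"))
        if "key" in blocks:
            f.append(("key", "profile embeds the private key: mode 0600, copy over a secure channel"))
    else:                                                   # server-side checks
        if "user" not in seen or "group" not in seen:
            f.append(("user", "no user/group: the daemon keeps root after initialisation"))
        if "crl-verify" not in seen:
            f.append(("crl-verify", "no crl-verify: revoked client certificates stay valid"))
    return f

# Trimmed copy of the server.conf shown above (constructed sample input).
SERVER_CONF = """\
auth SHA512
tls-auth ta.key 0
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-CBC
user nobody
group nogroup
crl-verify crl.pem
"""

# Constructed client profile in the unified .ovpn layout; 203.0.113.10 is a
# documentation address and the inline bodies are dummies, not key material.
CLIENT_OVPN = """\
client
remote 203.0.113.10 1194
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
<key>
DUMMY
</key>
<tls-auth>
DUMMY
</tls-auth>
"""
```

Run it against the real files with audit_config(open("/etc/openvpn/server/server.conf").read()) and audit_config(open("/etc/openvpn/client.conf").read(), "XXX.XXX.XXX.XXX 1194"). On the server config from this page it reports three judgement calls rather than faults: the CBC cipher (a fallback that OpenVPN 2.4 peers normally upgrade to AES-256-GCM), tls-auth instead of tls-crypt (switching requires regenerating every client profile), and no tls-version-min, which can be raised to 1.2 on the server side alone.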
On a SysV init system, the /etc/init.d/openvpn script starts the profiles in /etc/openvpn at boot; start it now with:
/etc/init.d/openvpn start
On a systemd based system, use the following command (and systemctl enable openvpn@client to start it at boot):
systemctl start openvpn@client
Test the connectivity:
ping 10.8.0.1  # Ping the OpenVPN server's VPN gateway address
ip route  # Make sure 0.0.0.0/1 and 128.0.0.0/1 go via the tun interface; that is how redirect-gateway def1 overrides the default route
dig TXT +short o-o.myaddr.l.google.com @ns1.google.com  # The address returned must be your OpenVPN server's public IP, not your own