It provides encryption and anonymity, and protects your online activities, online shopping, sending emails, and also helps to keep your Web browsing anonymous. In this tutorial, we will show you how to install and configure the OpenVPN server and Client on Debian 10 server.
Getting Started
Before starting, it is a good idea to update your system’s packages to the latest version. Run the following command to update and upgrade your system’s packages: Once your system is up-to-date, you can proceed to the next step.
Step 1 – Enable IP Forwarding
Next, you will need to enable IP forwarding in your system. IP forwarding allows your operating system to accept the incoming network packets and forward it to the other network if the destination is on another network. To enable the IP forwarding, edit the file /etc/sysctl.conf: Add the following line: Save the file when you are finished. Then, run the following command to apply the changes:
Step 2 – Install OpenVPN Server
By default, the OpenVPN package is available in the Debian 10 default repository. You can install it with the following command: Once the installation has been completed, you will also need to copy the easy-rsa directory for managing SSL certificates. Run the following command to copy easy-rsa directory from /usr/share directory to /etc/openvpn directory.
Step 3 – Setup Certificate Authority
Easy RSA uses a set of scripts to generate keys and certificates. First, you will need to configure the Certificate Authority on your system. To do so, change the directory to /etc/openvpn/easy-rsa and create a new Easy RSA’s configuration file: Add the following lines including your country, city, and preferred email address: Save the file when you are finished. Next, run the following command to initiate the PKI directory. Output: Next, build the CA certificates with the following command: You should get the following output: The above command will generate two files named ca.key and ca.crt. These certificates will be used to sign your server and clients’ certificates.
Step 4 – Generate Server Certificate Files
Next, you will need to generate a keypair and certificate request for your server. Run the following command to generate the server key named tecadmin-server: You should get the following output:
Step 5 – Sign the Server Key Using CA
Next, you will need to sign the tecadmin-server key using your CA certificate: Run the following command to sign the server key: You should get the following output: Next, verify the generated certificate file with the following command: If everything is fine, you should get the following output: Next, run the following command to generate a strong Diffie-Hellman key to use for the key exchange: You should get the following output: After creating all certificate files, copy them to the /etc/openvpn/server/ directory:
Step 6 – Generate Client Certificate and Key File
Next, you will need to generate the key and certificate file for the client. First, run the following command to build the client key file: You should see the following output: Next, sign the client key using your CA certificate: You should get the following output: Next, copy all client certificate and key file to the /etc/openvpn/client/ directory:
Step 7 – Configure OpenVPN Server
Next, create a new OpenVPN configuration file inside /etc/openvpn/ directory: Add the following lines: Save the file when you are finished.
Step 8 – Start OpenVPN Service
OpenVPN is now installed and configured. You can now start the OpenVPN service and enable it to start after the system reboot using the following command: Run the following command to verify the status of OpenVPN service: You should get the following output: Once the OpenVPN service started successfully, it will create a new network interface named tun0. You can check it with the following command: You should get the new interface tun0 in the following output:
Step 9 – Generate Client Configuration
Next, create a new OpenVPN client configuration file named client.ovpn. You will require this file to connect your OpenVPN server from the client system. Add the following lines: Save the file when you are finished.
Step 10 – Configure Routing using UFW
By default, the UFW firewall is not installed in Debian 10. You can install it with the following command: After installing the UFW firewall, you will need to add firewall rules to enable masquerading so that your VPN clients access to the Internet. First, you will need to configure UFW to accept the forwarded packets. You can do it by editing the file /etc/default/ufw: Change the following line: Save and close the file. Then, open the /etc/ufw/before.rules file: Add the following lines at the end of the file: Save the file when you are finished. Note: Replace ens3 with the name of your public network interface. Next, allow the default OpenVPN port 1194 and OpenSSH with the following command: Next, reload the UFW firewall using the following command:
Step 11 – Connect OpenVPN from Client
First, log in to the client machine and install the OpenVPN package with the following command: Next, you will need to download the OpenVPN client configuration files from the OpenVPN server to the client machine. On the client machine, run the following command to download all the client configuration file: Once downloaded, change the directory to the client and run the following command to connect to the OpenVPN server: You should see the following output: After a successfull connection, OpenVPN will assign an IP address to your system. You can check it with the following command: Output: You can also check the OpenVPN server log to verify the connection status: You should see the following output:
Conclusion
Congratulations! you have successfully installed and configured the OpenVPN server and Client on Debian 10 server. You can now access the internet securely and protect your identity.