Here's a quick how-to for setting up an OpenVPN server on Debian 9 Stretch.
# Install OpenVPN from the Debian repositories. The next step copies
# /usr/share/easy-rsa, which presumably arrives as a recommended package --
# verify it exists before continuing.
root@host:~# apt-get install openvpn
# Copy the easy-rsa scripts to /etc/openvpn/easy-rsa and use the OpenSSL 1.0.0
# template as openssl.cnf. The steps are chained with ';', so a failed cd or cp
# does not stop the commands after it.
root@host:~# cd /etc/openvpn/ ; cp -R /usr/share/easy-rsa easy-rsa/; cd easy-rsa/ ; cp openssl-1.0.0.cnf openssl.cnf
# Edit the defaults that the build scripts pick up when vars is sourced below.
# NOTE(review): the page does not say what to change. The server config later
# references dh2048.pem, so the key size set here presumably has to be 2048 --
# confirm.
root@host:~# vim vars
# Create the key directory with an empty certificate index and a starting
# serial number. NOTE(review): ./clean-all runs in the next step and, in
# easy-rsa 2, recreates this directory itself, so this looks redundant -- confirm.
root@host:~# mkdir keys; touch keys/index.txt; echo 01 > keys/serial
# Load vars into the current shell, reset the key directory, then create the
# CA, the server certificate/key and the Diffie-Hellman parameters.
# The CA private key created here sits on the VPN server itself. Whoever can
# read it can issue certificates this server will accept, so keep the keys
# directory readable by root only, or run the CA on a separate machine.
root@host:~# . ./vars; ./clean-all; ./build-ca; ./build-key-server server; ./build-dh
# Generate the static key used by the tls-auth directive in both configs.
# It is shared by the server and every client, so distribute it only over a
# secure channel.
root@host:~# openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
# Issue ten client certificates named 01 .. 10 (seq -w zero-pads the numbers).
# NOTE(review): the client config on this page references client01.crt and
# client01.key, which this loop does not produce -- align the names.
# The client private keys are generated on the server, presumably without a
# passphrase (verify against the build-key script); move each one to its
# client over a secure channel and do not leave spare keys lying around.
root@host:~# for i in $(seq -w 1 10);do ./build-key "$i"; done
# Uncomment AUTOSTART="all" in /etc/default/openvpn.
# NOTE(review): the page does not say under which file name the server config
# below is saved; presumably /etc/openvpn/<name>.conf -- confirm.
root@host:~# sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/' /etc/default/openvpn
# OpenVPN server configuration: routed (tun) VPN over UDP port 1194.
# The page does not name the file this is saved to.
port 1194
proto udp
dev tun

# PKI material created by the easy-rsa steps.
ca /etc/openvpn/easy-rsa/keys/ca.crt # generated keys
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # keep secret
# File name assumes a 2048-bit key size was set in vars -- TODO confirm.
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# Static key for control-channel authentication; direction 0 here pairs with
# direction 1 in the client config.
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
#key-direction 0

# NOTE(review): no cipher or auth directive is set, so OpenVPN's built-in
# defaults apply. Check the log for the cipher actually negotiated and
# consider pinning a modern AEAD cipher on both ends.
# NOTE(review): no crl-verify directive, so a lost or stolen client
# certificate cannot be revoked until a CRL is configured.

server 10.50.8.0 255.255.255.0 # internal tun0 connection IP
ifconfig-pool-persist ipp.txt
keepalive 10 120
# NOTE(review): compressing before encryption can leak information about the
# plaintext (the VORACLE class of attack), and newer OpenVPN releases
# deprecate this option. Removing it has to be done on both ends at once.
comp-lzo # Compression - must be turned on at both ends
persist-key
persist-tun
# NOTE(review): no user/group directive, so the daemon keeps root privileges
# after start-up. persist-key and persist-tun are already present, which is
# what a privilege drop needs (e.g. user nobody / group nogroup) -- test first.

# Settings pushed to clients.
# NOTE(review): the DNS server 192.168.0.200 lies outside the only pushed
# route, 192.168.1.0/24, so clients would reach it outside the tunnel (or not
# at all) -- confirm the addresses.
push "dhcp-option DNS 192.168.0.200"
push "dhcp-option DOMAIN domain.local"
push "route 192.168.1.0 255.255.255.0"
# Disabled: would send all client traffic through the VPN.
#push "redirect-gateway def1"

status /var/log/openvpn-status.log
verb 3 # verbose mode
# Disabled: would let VPN clients see each other through the server.
#client-to-client
A simple netfilter rule that lets VPN clients reach the entire network:
# Source-NAT everything from the VPN pool 10.50.8.0/24 that leaves via eth0.
# This only rewrites source addresses; it does not limit which hosts or ports
# VPN clients can reach. NOTE(review): if access should be narrower than the
# whole network, add FORWARD-chain rules for the tunnel traffic.
root@host:~# iptables -t nat -A POSTROUTING -s 10.50.8.0/24 -o eth0 -j MASQUERADE
# Enable IPv4 forwarding so the host can route packets for VPN clients.
# The page does not say where this line goes; on Debian it is normally set in
# /etc/sysctl.conf and applied at boot or with `sysctl -p`.
net.ipv4.ip_forward = 1
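Then reboot. Note that a rule added with `iptables -A` exists only in the running kernel, so it must be saved and restored at boot (for example with the iptables-persistent package) or it will be gone after the reboot.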
# OpenVPN client configuration matching the server above (tun, UDP, port 1194).
client
dev tun
proto udp
# Replace X.X.X.X with the server's public address.
remote X.X.X.X 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# CA certificate plus this client's certificate and private key.
# NOTE(review): the key-generation loop on this page names the client keys
# 01 .. 10, not client01 -- align the file names.
ca ca.crt
cert client01.crt
key client01.key
# Same static key as the server; direction 1 pairs with the server's 0.
tls-auth ta.key 1
# Rejects a peer whose certificate is not marked as a server certificate, so
# another client's certificate cannot be used to impersonate the server.
# NOTE(review): ns-cert-type is deprecated in favour of `remote-cert-tls
# server`; verify the server certificate carries the TLS-server extended key
# usage before switching.
ns-cert-type server
# Must match the server; see the compression caveat there before keeping it.
comp-lzo
verb 4