Update and Install OpenVPN

$ sudo apt-get update -y
$ sudo apt-get upgrade -y
$ sudo apt-get install openvpn -y

Download the latest version of EasyRSA from the Git repository using the following command:

$ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

Extract the downloaded file using the following command:

$ tar -xvzf EasyRSA-3.0.8.tgz

Next, copy the extracted directory to the OpenVPN directory:

$ sudo cp -r EasyRSA-3.0.8 /etc/openvpn/easy-rsa

Next, you will need to build the Certificate Authority (CA) for OpenVPN.

First, change the directory to EasyRSA with the following command:

$ cd /etc/openvpn/easy-rsa

Next, you will need to create a vars file inside this directory. A vars file is a simple file that Easy-RSA sources for its configuration.

You can create it with the following command:

$ sudo nano vars

Add the following lines as per your needs:

set_var EASYRSA_REQ_COUNTRY     "USA"
set_var EASYRSA_REQ_PROVINCE    "Texas"
set_var EASYRSA_REQ_CITY        "Buda"
set_var EASYRSA_REQ_ORG         "GEEKDECODER"
set_var EASYRSA_REQ_EMAIL       "admin@domain.com"
set_var EASYRSA_REQ_OU          "IT"

Save and close the file when you are finished.

Next, initiate the public key infrastructure with the following command:

$ sudo ./easyrsa init-pki

You should get the following output:

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Next, you will need to run the build-ca command to create the ca.crt and ca.key files. You can run it with the following command:

$ sudo ./easyrsa build-ca nopass

You will be asked several questions, as shown below:

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
......................................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:vpnserver

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

Next, you will need to use the gen-req command followed by the common name to generate the server key and certificate request:

$ sudo ./easyrsa gen-req vpnserver nopass

You should see the following output:

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
.......................................................+++++
....+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1428.Angtmh/tmp.C9prw4'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [vpnserver]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/vpnserver.req
key: /etc/openvpn/easy-rsa/pki/private/vpnserver.key

Next, you will need to sign the vpnserver request with your CA to issue the server certificate. You can do it with the following command:

$ sudo ./easyrsa sign-req server vpnserver

You should get the following output:

Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'vpnserver'
Certificate is to be certified until Feb  6 14:38:52 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/vpnserver.crt

Next, you will need to generate strong Diffie-Hellman parameters (dh.pem) for the key exchange. You can generate them with the following command:

$ sudo ./easyrsa gen-dh

Next, you will need to copy all certificate and key files to the /etc/openvpn/server/ directory. You can copy them using the following commands:

$ sudo cp pki/ca.crt /etc/openvpn/server/
$ sudo cp pki/dh.pem /etc/openvpn/server/
$ sudo cp pki/private/vpnserver.key /etc/openvpn/server/
$ sudo cp pki/issued/vpnserver.crt /etc/openvpn/server/

Next, you will need to generate a certificate and key for the client system.

You can create it with the following command:

$ sudo ./easyrsa gen-req vpnclient nopass

You should get the following output:

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
....+++++
.................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1563.TeOf5v/tmp.i4YxLz'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [vpnclient]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/vpnclient.req
key: /etc/openvpn/easy-rsa/pki/private/vpnclient.key

Next, sign the client request with the following command:

$ sudo ./easyrsa sign-req client vpnclient

You should get the following output:

Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'vpnclient'
Certificate is to be certified until Feb  6 14:43:18 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/vpnclient.crt

Next, copy the CA certificate and the client certificate and key to the /etc/openvpn/client/ directory.

$ sudo cp pki/ca.crt /etc/openvpn/client/
$ sudo cp pki/issued/vpnclient.crt /etc/openvpn/client/
$ sudo cp pki/private/vpnclient.key /etc/openvpn/client/
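Before the files produced by build-ca, gen-req and sign-req are copied to the server and client directories, it is worth checking that each certificate chains to ca.crt with the purpose Easy-RSA gave it (serverAuth for `sign-req server`, clientAuth for `sign-req client`), that each key belongs to its certificate, and that nothing is about to expire. The script below is an added example, not part of the original tutorial: so that it runs on its own it builds a throwaway CA, server certificate and client certificate with plain openssl instead of Easy-RSA (constructed test data in a temporary directory), then runs those checks with `openssl verify`. The `verify_vpn_cert` function can be pointed at the real files under /etc/openvpn/easy-rsa/pki/ in the same way.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the checks worth running on
# the files that build-ca / gen-req / sign-req produced before they are copied
# into /etc/openvpn/server/ and /etc/openvpn/client/. So that it runs on its own,
# make_demo_pki() builds a throwaway CA, server cert and client cert with plain
# openssl, using the extensions that Easy-RSA's "sign-req server" (serverAuth)
# and "sign-req client" (clientAuth) apply. Everything it writes is test data.

make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Easy-RSA CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client_ext]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Stand-in for "./easyrsa build-ca": self-signed CA, 365-day validity.
    openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    for name in vpnserver vpnclient; do
        case "$name" in vpnserver) ext=server_ext ;; *) ext=client_ext ;; esac
        # "gen-req": private key plus request; "sign-req": CA-signed certificate
        # carrying the extensions of the requested role.
        openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.req" -subj "/CN=$name" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 365 -extfile "$dir/pki.cnf" -extensions "$ext" \
            -out "$dir/$name.crt" >/dev/null 2>&1
    done
}

# verify_vpn_cert CERT KEY CA PURPOSE: PURPOSE is sslserver for the server
# certificate and sslclient for a client certificate. Returns 0 only if CERT
# chains to CA with that purpose, KEY is its private key, and more than 30 days
# of validity remain.
verify_vpn_cert() {
    cert="$1"; key="$2"; ca="$3"; purpose="$4"
    openssl verify -CAfile "$ca" -purpose "$purpose" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not verify against $ca for purpose $purpose"; return 1; }
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
    key_pub=$(openssl pkey -pubout -in "$key")
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key is not the private key of $cert"; return 1; }
    openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null || {
        echo "FAIL: $cert expires within 30 days"; return 1; }
    echo "OK: $cert ($purpose)"
}

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"
verify_vpn_cert "$DEMO_DIR/vpnserver.crt" "$DEMO_DIR/vpnserver.key" "$DEMO_DIR/ca.crt" sslserver
verify_vpn_cert "$DEMO_DIR/vpnclient.crt" "$DEMO_DIR/vpnclient.key" "$DEMO_DIR/ca.crt" sslclient
# Expected to fail: a client certificate offered where a server certificate is required.
verify_vpn_cert "$DEMO_DIR/vpnclient.crt" "$DEMO_DIR/vpnclient.key" "$DEMO_DIR/ca.crt" sslserver \
    || echo "      (expected: sign-req client does not produce a server certificate)"
rm -rf "$DEMO_DIR"
```

The third call is deliberately the negative case: the client certificate does not pass the sslserver check because its extended key usage is clientAuth only. That distinction is what makes `sign-req server` versus `sign-req client` matter, and it is what a client relies on when it is configured to require a server-type certificate from the peer.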

At this point, both the server and client certificates and keys are ready. Now, create the OpenVPN server configuration file and point it at those certificates and keys.

$ sudo nano /etc/openvpn/server.conf

Add the following lines:

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpnserver.crt
key /etc/openvpn/server/vpnserver.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3

Save and close the file, then start the OpenVPN service and enable it to start at boot:

$ sudo systemctl start openvpn@server
$ sudo systemctl enable openvpn@server

If everything is fine, a new interface will be created. You can check it using the following command:

$ ip a show tun0

You should get the following output:

4: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::153d:f29:39a2:571a/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

IP forwarding allows the operating system to accept incoming network packets and forward them to another network, which the VPN server needs in order to route client traffic. You can enable it by editing the following file:

$ sudo nano /etc/sysctl.conf

Uncomment or add the following line:

net.ipv4.ip_forward = 1

Save the file then apply the configuration changes with the following command:

$ sudo sysctl -p

Next, you will need to install the OpenVPN client on another system and connect to the OpenVPN server.

First, install the OpenVPN with the following command:

$ sudo apt-get install openvpn -y

Once installed, copy the client certificate, key and CA certificate from the OpenVPN server to the client machine. You can do it with the following command:

$ scp -r root@vpn-server-ip:/etc/openvpn/client .

Next, change the directory to client and create a Client configuration file:

$ cd client
$ nano client.ovpn

Add the following lines (replace vpn-server-ip with the public IP address or hostname of your OpenVPN server):

client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert vpnclient.crt
key vpnclient.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
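The server.conf and client.ovpn above work, but a few of their settings deserve a second look before the server faces the Internet: `duplicate-cn` lets every client share one certificate, so a leaked client key cannot be revoked for that client alone; `compress lz4` compresses tunnelled data, which exposes it to compression-oracle attacks (VORACLE); neither side carries a tls-auth/tls-crypt key, so any host can start a TLS handshake with the daemon; and the client never insists that the peer present a server-type certificate. The script below is an added example, not from the original tutorial: it audits both files for those four points and writes a hardened copy of each. The configs are embedded as constructed input abridged from the page. Assumed, and not on the page, is a shared key created on the server with `openvpn --genkey --secret ta.key`, kept at /etc/openvpn/server/ta.key and copied to each client next to its certificate.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audits an OpenVPN server or
# client config for settings a defender would revisit and writes a hardened
# copy. The embedded configs are constructed input abridged from the page.
# Assumed, not on the page: a shared key made with "openvpn --genkey --secret
# ta.key", kept at /etc/openvpn/server/ta.key and copied to each client.

# has_directive FILE REGEX: true if an active (non-comment) line of FILE starts
# with a directive matching REGEX.
has_directive() {
    grep -Eq "^[[:space:]]*($2)"'([[:space:]]|$)' "$1"
}

# Prints each finding to stderr and the number of findings to stdout.
audit_openvpn_conf() {
    conf="$1"; n=0
    if has_directive "$conf" 'duplicate-cn'; then
        echo "$conf: duplicate-cn lets many clients share one certificate, so a leaked key cannot be revoked for one client only" >&2
        n=$((n + 1))
    fi
    if has_directive "$conf" 'compress[[:space:]]+(lzo|lz4|lz4-v2)' \
        || { has_directive "$conf" 'comp-lzo' && ! has_directive "$conf" 'comp-lzo[[:space:]]+no'; }; then
        echo "$conf: compressing tunnelled data exposes it to compression-oracle attacks (VORACLE); remove compression" >&2
        n=$((n + 1))
    fi
    if ! has_directive "$conf" 'tls-auth|tls-crypt|tls-crypt-v2'; then
        echo "$conf: no tls-auth/tls-crypt key, so any host can open a TLS handshake with the daemon; an HMAC key lets it drop such packets early" >&2
        n=$((n + 1))
    fi
    if has_directive "$conf" 'client' && ! has_directive "$conf" 'remote-cert-tls'; then
        echo "$conf: client does not insist on a server-type certificate (remote-cert-tls server), so any client certificate from the same CA would be accepted as the server" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# harden_conf SRC DST: copy of SRC without the flagged directives, plus the
# missing ones for its role (server if there is no "client" directive).
harden_conf() {
    src="$1"; dst="$2"
    sed -e '/^[[:space:]]*duplicate-cn/d' -e '/^[[:space:]]*compress/d' \
        -e '/^[[:space:]]*comp-lzo/d' "$src" > "$dst"
    if has_directive "$dst" 'client'; then
        printf 'remote-cert-tls server\ntls-crypt ta.key\n' >> "$dst"
    else
        printf 'tls-crypt /etc/openvpn/server/ta.key\n' >> "$dst"
    fi
}

WORK=$(mktemp -d)
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpnserver.crt
key /etc/openvpn/server/vpnserver.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
compress lz4
user nobody
group nogroup
verb 3
EOF
cat > "$WORK/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert vpnclient.crt
key vpnclient.key
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
compress lz4
nobind
verb 3
EOF
for f in server.conf client.ovpn; do
    echo "== $f: $(audit_openvpn_conf "$WORK/$f") finding(s)"
    harden_conf "$WORK/$f" "$WORK/hardened-$f"
    echo "== hardened-$f: $(audit_openvpn_conf "$WORK/hardened-$f") finding(s)"
done
rm -rf "$WORK"
```

The `cipher AES-256-CBC` line is left alone on purpose: the client output further down shows `cipher AES-256-GCM` in the PUSH_REPLY, so with cipher negotiation the data channel already ends up on GCM regardless of that line. Because `tls-crypt` must be present on both ends with the same key, harden the server and every client configuration together.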

Save and close the file then connect to your OpenVPN server with the following command:

$ sudo openvpn --config client.ovpn

Once the connection has been established, you should get the following output:

Sat Feb  6 14:53:50 2021 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
Sat Feb  6 14:53:50 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Sat Feb  6 14:53:50 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sat Feb  6 14:53:50 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sat Feb  6 14:53:50 2021 OPTIONS IMPORT: route options modified

You can verify the OpenVPN interface on the client machine with the following command:

$ ip a show tun0

You should get the following output:

4: tun0:  mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::9206:94d7:8fb2:6b21/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever