The Debian Project

Howto configure OpenVPN

This HOWTO document is very small but contains everything you need for setting up a VPN server with clients under Debian GNU/Linux etch.

VPN stands for Virtual Private Network: a private network that uses the Internet or an Ethernet as its transport layer. It is configured as an encrypted point-to-point network connection between two hosts, the client and the server. The connection uses the untrusted Internet as its transport medium and provides a secured network on top of it.

One of the easiest ways to configure a private network is to use OpenVPN, with OpenSSL providing the encryption. Clients exist not only for GNU/Linux and Unix but also for Windows and MacOS. This document covers Debian GNU/Linux, so you first need to install the openvpn package on both the server and the client.

Setting up the VPN Server

  1. Copy /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf to /etc/openvpn.
  2. Copy /usr/share/doc/openvpn/examples/easy-rsa/2.0/vars to /etc/openvpn.
  3. In /etc/openvpn/vars, change the EASY_RSA setting at the beginning to
    export EASY_RSA="/etc/openvpn"
    
    and add to the end
    export EASY_RSA="/usr/share/doc/openvpn/examples/easy-rsa/2.0"
    
    (KEY_DIR is derived from EASY_RSA while vars is read, so the first setting places the keys under /etc/openvpn/keys, and the second is the value the build scripts use to locate pkitool in the examples directory.) Also adjust the line
    export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
    
    so that it points directly to the OpenVPN config directory:
    export KEY_CONFIG="/etc/openvpn/openssl.cnf"
    
  4. mkdir /etc/openvpn/keys
  5. touch /etc/openvpn/keys/index.txt
  6. echo 00 > /etc/openvpn/keys/serial
  7. Adjust the remaining defaults in vars (the KEY_* settings such as country and organisation) to your needs if they require modification
  8. Change directory to /usr/share/doc/openvpn/examples/easy-rsa/2.0
  9. Source the vars file with . /etc/openvpn/vars
  10. Build Diffie-Hellman parameters with ./build-dh
  11. Build CA with ./build-ca
  12. Build server key with ./build-key-server server
  13. Configure server in /etc/openvpn/server.conf
    port 1194
    proto udp
    dev tun
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key  # This file should be kept secret
    dh keys/dh1024.pem
    server 10.8.0.0 255.255.255.0
    
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    push "route 192.168.200.0 255.255.255.0"
    persist-key
    persist-tun
    status openvpn-status.log
    verb 0
    
  14. This makes OpenVPN listen on UDP port 1194, use the given keys and certificates, and use 10.8.0.0/24 as the base network of this VPN (each new client is assigned a block of 4 IP addresses, starting with 0, the first block belonging to the server). A route for the network 192.168.200.0 is pushed to the clients, so that this network is routed via the VPN connection.
  15. Restart the server with /etc/init.d/openvpn restart

Setting up the VPN Client

  1. Build the client key on the server with ./build-key finlandia (here the client is named finlandia; build one key per client)
  2. Copy the ca.crt, finlandia.crt and finlandia.key files from /etc/openvpn/keys to the client (finlandia.key is the client's private key, so transfer it over a secure channel such as scp)
  3. Configure OpenVPN on the client in /etc/openvpn/vpn.ovpn
    client
    dev tun
    proto udp
    remote PUBLIC-INTERFACE-OF-VPN-SERVER.TLD 1194
    resolv-retry infinite
    ns-cert-type server
    nobind
    tun-mtu 1500
    
    persist-key
    persist-tun
    ca ca.crt
    cert finlandia.crt
    key finlandia.key
    verb 0
    keepalive 10 120
    
  4. Start the client with openvpn /etc/openvpn/vpn.ovpn (if you name the file vpn.conf instead, the Debian init script starts it automatically via /etc/init.d/openvpn start)
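
As an added check that is not part of this HOWTO, the following Python script pairs the server.conf and client configuration above and reports mismatches that would otherwise only show up at connection time: a proto or dev that differs between the two ends, a remote port that does not match the server port, the unchanged PUBLIC-INTERFACE placeholder, a missing ns-cert-type server (the directive that stops another client's certificate from posing as the server), and a pushed route that overlaps the VPN subnet. The configuration texts embedded in it are constructed excerpts of the two files shown above.

```python
import ipaddress, shlex

# Constructed excerpts of server.conf and the client vpn.ovpn from this HOWTO,
# reduced to the directives that the pairing checks below examine.
SERVER_CONF = """\
port 1194
proto udp
dev tun
key keys/server.key  # This file should be kept secret
server 10.8.0.0 255.255.255.0
push "route 192.168.200.0 255.255.255.0"
"""
CLIENT_CONF = """\
client
dev tun
proto udp
remote PUBLIC-INTERFACE-OF-VPN-SERVER.TLD 1194
ns-cert-type server
"""

def parse(text):
    conf = {}                                      # directive -> list of argument lists
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # OpenVPN allows inline '#' comments
        if line and not line.startswith(";"):
            args = shlex.split(line)               # keeps push "route ..." as one argument
            conf.setdefault(args[0], []).append(args[1:])
    return conf

def first(conf, key, default=None):
    return conf[key][0] if key in conf else default

def check(server_text, client_text):
    s, c, problems = parse(server_text), parse(client_text), []
    for d in ("proto", "dev"):                     # both ends must agree on these
        if first(s, d) != first(c, d):
            problems.append(f"'{d}' differs: server {first(s, d)} vs client {first(c, d)}")
    remote = first(c, "remote", [])
    if not remote or remote[0].startswith("PUBLIC-INTERFACE"):
        problems.append("client: 'remote' still holds the placeholder host name")
    elif (remote[1:] or ["1194"])[0] != first(s, "port", ["1194"])[0]:
        problems.append("client: 'remote' port does not match the server 'port'")
    if first(c, "ns-cert-type") != ["server"]:     # without it any valid client cert could pose as the server
        problems.append("client: 'ns-cert-type server' is missing")
    if "server" in s:                              # pushed routes must not swallow the VPN subnet itself
        vpn = ipaddress.ip_network("{}/{}".format(*first(s, "server")))
        for args in s.get("push", []):             # push takes one quoted argument
            words = args[0].split()
            if words[0] == "route" and vpn.overlaps(ipaddress.ip_network(f"{words[1]}/{words[2]}")):
                problems.append(f"pushed route {words[1]} overlaps the VPN subnet {vpn}")
    return problems
```

Running check(SERVER_CONF, CLIENT_CONF) on the HOWTO's own excerpts reports only the unfilled placeholder host name.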

Bridge configuration