How to Deploy and Configure OpenVPN on Debian

OpenVPN is a powerful and flexible VPN solution that allows you to secure your internet connection and access remote networks. This guide will walk you through the steps to deploy and configure OpenVPN on a Debian server.

Prerequisites

  • A Debian server with root access
  • An SSH client to connect to your server
  • Basic knowledge of Linux command line

Step 1: Update Your System

Before installing any new software, it’s a good practice to update your package list and upgrade the existing packages. Run the following commands:

sudo apt update
sudo apt upgrade -y

Step 2: Install OpenVPN

Install OpenVPN and the Easy-RSA package, which will help you set up your own Certificate Authority (CA) and generate SSL/TLS certificates and keys:

sudo apt install openvpn easy-rsa -y

Step 3: Set Up the CA Directory

Make a directory for the CA and navigate to it:

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

Step 4: Configure the CA Variables

Edit the vars file to customize the CA configuration:

nano vars

Find and modify the following lines to suit your organization:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="MyOrg"
export KEY_EMAIL="admin@example.com"
export KEY_OU="MyOrgUnit"

Save and close the file (Ctrl+X, Y, Enter).

Step 5: Build the CA

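Initialize the PKI and build the CA. These are the Easy-RSA 2.x scripts; Easy-RSA 3 replaces them with subcommands of a single ./easyrsa script, so check which version your release installed: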

source vars
./clean-all
./build-ca

Step 6: Create the Server Certificate, Key, and Encryption Files

Build the server certificate and key:

./build-key-server server

Generate Diffie-Hellman parameters:

./build-dh

Generate a shared-secret HMAC key (ta.key), used by the tls-auth directive to strengthen the server’s TLS integrity verification capabilities:

openvpn --genkey --secret keys/ta.key

Step 7: Configure the OpenVPN Server

Copy the sample OpenVPN configuration file to the /etc/openvpn directory and edit it:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
sudo gzip -d server.conf.gz
sudo nano server.conf

Make the following changes in the server.conf file:

  • Uncomment the line "tls-auth ta.key 0 # This file is secret" and add key-direction 0 on the line below it.
  • Uncomment user nobody and group nogroup.

Step 8: Start and Enable the OpenVPN Service

Start the OpenVPN service and enable it to start on boot:

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Check the status to ensure it is running correctly:

sudo systemctl status openvpn@server

Step 9: Configure the Client

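On the client machine, install OpenVPN and configure it to connect to the server. The client.crt and client.key files must already have been issued by the CA; the steps above create only the server's pair. Copy the necessary files from the CA's keys directory on the server (~/openvpn-ca/keys, from Step 3) to the client and edit the client configuration file:

sudo apt install openvpn
sudo scp -r your_user@your_server_ip:~/openvpn-ca/keys/{ca.crt,client.crt,client.key,ta.key} /etc/openvpn/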
sudo nano /etc/openvpn/client.conf

In the client.conf file, add the following:

client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
key-direction 1
cipher AES-256-CBC
verb 3
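
As an added example (not part of the original guide or of OpenVPN itself), this script checks a config for the settings from Steps 7 and 9: an active user nobody / group nogroup privilege drop, tls-auth with direction 0 on the server and 1 on the client, and a private key file that group and others cannot access. The function names directive and audit_conf and the sample configs are made up for the illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: audit an OpenVPN config for the
# hardening directives set in Steps 7 and 9 (function names are made up here).

# Print the arguments of the first active (uncommented) use of a directive.
directive() {  # usage: directive <file> <name>
  awk -v d="$2" '$1 == d { $1 = ""; sub(/[ \t]*[#;].*$/, "")
                          sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_conf() {  # usage: audit_conf <file> <server|client>
  local conf="$1" want=1 n=0 ta dir key
  [ "$2" = server ] && want=0        # server side uses direction 0, client 1
  [ "$(directive "$conf" user)" = nobody ] ||
    { echo "FAIL: 'user nobody' not active"; n=$((n+1)); }
  [ "$(directive "$conf" group)" = nogroup ] ||
    { echo "FAIL: 'group nogroup' not active"; n=$((n+1)); }
  ta=$(directive "$conf" tls-auth)
  if [ -z "$ta" ]; then
    echo "FAIL: tls-auth not active"; n=$((n+1))
  else
    set -- $ta                       # $1 = key file, $2 = optional direction
    dir=${2:-$(directive "$conf" key-direction)}
    [ "$dir" = "$want" ] ||
      { echo "FAIL: tls-auth direction '${dir:-unset}', expected $want"; n=$((n+1)); }
  fi
  # The private key must not be accessible to group or others.
  key=$(directive "$conf" key)
  case $key in /*) ;; *) key=$(dirname "$conf")/$key ;; esac
  if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $key is accessible to group/others"; n=$((n+1))
  fi
  return "$n"
}

# Demo on constructed sample configs (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' ';user nobody' 'group nogroup' 'key server.key' \
  'tls-auth ta.key 0 # This file is secret' > "$demo/server.conf"
printf '%s\n' 'user nobody' 'group nogroup' 'tls-auth ta.key 1' \
  'key-direction 1' 'key client.key' > "$demo/client.conf"
: > "$demo/client.key"; chmod 644 "$demo/client.key"
audit_conf "$demo/server.conf" server || echo "server.conf: $? finding(s)"
audit_conf "$demo/client.conf" client || echo "client.conf: $? finding(s)"
```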

Conclusion

You have now successfully deployed and configured OpenVPN on a Debian server. This setup ensures secure connections between your client and server, safeguarding your data from potential threats. For additional security, consider setting up further configurations and access controls based on your specific needs.
