BLOG
Install and configure OpenVPN server on Debian
OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. Wikipedia.
Encryption: OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an "HMAC Firewall" by the creator). It can also use hardware acceleration to get better encryption performance. Support for mbed TLS is available starting from version 2.3.
Authentication: OpenVPN has several ways to authenticate peers with each other. OpenVPN offers pre-shared keys, certificate-based, and username/password-based authentication. Preshared secret key is the easiest, and certificate-based is the most robust and feature-rich. In version 2.0 username/password authentications can be enabled, both with or without certificates. However, to make use of username/password authentications, OpenVPN depends on third-party modules.
Networking: OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing created SSL tunnels on a single TCP/UDP port (RFC 3948 for UDP).
1. Enabling IP forwarding to forward network packets properly
IP forwarding is the ability for an operating system to accept incoming network packets on one interface, recognize that it is not meant for the system itself, but that it should be passed on to another network, and then forwards it accordingly. This is what you need when you have for example a system setup that is sitting between two different networks and needs to pass traffic between them. OpenVPN documentation.
Open /etc/sysctl.conf file and add following line for enable packet forwarding:
Close file with CTRL+X and press Y button on keyboard, then press ENTER. Now we are need apply settings without reboot:
IP forwarding is the ability for an operating system to accept incoming network packets on one interface, recognize that it is not meant for the system itself, but that it should be passed on to another network, and then forwards it accordingly. This is what you need when you have for example a system setup that is sitting between two different networks and needs to pass traffic between them. OpenVPN documentation.
Open /etc/sysctl.conf file and add following line for enable packet forwarding:
net.ipv4.ip_forward=1
Close file with CTRL+X and press Y button on keyboard, then press ENTER. Now we are need apply settings without reboot:
sudo sysctl -p
2. Upgrade packages database and install OpenVPN
Download package information from all configured sources and install OpenVPN via this command:
Download package information from all configured sources and install OpenVPN via this command:
sudo apt update && sudo apt install openvpn -y
3. Generate server side certificate and key file
Easy-RSA is a CLI utility to build and manage a PKI CA. In laymen's terms, this means to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL).
Copy samples from /usr/share/easy-rsa:
Navigate in /etc/openvpn/easy-rsa path:
Rename vars.example file:
Open vars script:
Add and modify following code lines:
Easy-RSA is a CLI utility to build and manage a PKI CA. In laymen's terms, this means to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL).
Copy samples from /usr/share/easy-rsa:
sudo cp -r /usr/share/easy-rsa /etc/openvpn/
Navigate in /etc/openvpn/easy-rsa path:
cd /etc/openvpn/easy-rsa
Rename vars.example file:
sudo mv vars.example vars
Open vars script:
sudo nano vars
Add and modify following code lines:
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_CRL_DAYS 3650
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.
Now initialize PKI:
Output:
Now initialize PKI:
sudo ./easyrsa init-pki
Output:
* Notice:
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /etc/openvpn/easy-rsa/pki
In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.
One particularly common use for certificate authorities is to sign certificates used in HTTPS, the secure browsing protocol for the World Wide Web. Another common use is in issuing identity cards by national governments for use in electronically signing documents.
Build CA certificate without password:
sudo ./easyrsa build-ca nopass
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................+++++
.....................................................................+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
139837318657152:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Generate server side key:
sudo ./easyrsa gen-req server nopass
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
Generating a RSA private key
..........................................................................+++++
..........+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.f0sP1mT7RR'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
Sign server certificate:
sudo ./easyrsa sign-req server server
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Oct 4 13:08:07 2023 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
Diffie–Hellman key exchange is a mathematical method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.
Build Diffie-Hellman key:
Output:
Build Diffie-Hellman key:
sudo ./easyrsa gen-dh
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................+.................................................................................................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message. An HMAC is a type of keyed hash function that can also be used in a key derivation scheme or a key stretching scheme.
HMAC can provide authentication using a shared secret instead of using digital signatures with asymmetric cryptography. It trades off the need for a complex public key infrastructure by delegating the key exchange to the communicating parties, who are responsible for establishing and using a trusted channel to agree on the key prior to communication.
Generate a HMAC signature:
Copy all certificates and keys to /etc/openvpn directory:
HMAC can provide authentication using a shared secret instead of using digital signatures with asymmetric cryptography. It trades off the need for a complex public key infrastructure by delegating the key exchange to the communicating parties, who are responsible for establishing and using a trusted channel to agree on the key prior to communication.
Generate a HMAC signature:
sudo openvpn --genkey secret ta.key
Copy all certificates and keys to /etc/openvpn directory:
sudo cp ta.key pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem /etc/openvpn/
4. Configure OpenVPN server
Create server.conf file:
Add following configurations:
Create server.conf file:
sudo nano /etc/openvpn/server.conf
Add following configurations:
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
topology subnet
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn.log
verb 3
# Enable this setting if you already generated crl.pem file
# crl-verify /etc/openvpn/crl.pem
# Enable this setting if you want set static IP address for clients
# client-config-dir /etc/openvpn/ccd
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
This step needs if you want set static IP for client. Put configuration below in file /etc/openvpn/ccd/client_name:
ifconfig-push 10.8.0.100 255.255.255.0
Start OpenVPN service:
sudo systemctl start openvpn@server
Enable autorun:
sudo systemctl enable openvpn@server
Check status:
sudo systemctl status openvpn@server
Output:
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-10-19 10:01:03 EDT; 18min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 484 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 2356)
Memory: 2.8M
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─484 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
Oct 19 10:01:03 public systemd[1]: Starting OpenVPN connection to server...
Oct 19 10:01:03 public systemd[1]: Started OpenVPN connection to server.
5. Configure UFW firewall:
Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use. It uses a command-line interface consisting of a small number of simple commands, and uses iptables for configuration. UFW is available by default in all Ubuntu installations since 8.04 LTS. UFW has been available by default in all Debian installations since 10.
Enable UFW and add a rule to accept OpenVPN traffic:
Open UFW configuration file:
Change "DEFAULT_FORWARD_POLICY" from "DROP" to "ACCEPT":
Add additional UFW rules for NAT and IP Masquerading of connected clients:
Configure area between "START OPENVPN RULES" and "END OPENVPN RULES" in file like below:
Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use. It uses a command-line interface consisting of a small number of simple commands, and uses iptables for configuration. UFW is available by default in all Ubuntu installations since 8.04 LTS. UFW has been available by default in all Debian installations since 10.
Enable UFW and add a rule to accept OpenVPN traffic:
sudo ufw enable
sudo ufw allow 1194
Open UFW configuration file:
sudo nano /etc/default/ufw
Change "DEFAULT_FORWARD_POLICY" from "DROP" to "ACCEPT":
DEFAULT_FORWARD_POLICY="ACCEPT"Save file and exit
Add additional UFW rules for NAT and IP Masquerading of connected clients:
sudo nano /etc/ufw/before.rules
Configure area between "START OPENVPN RULES" and "END OPENVPN RULES" in file like below:
#Replace subnet value and your ethernet interface name.
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
6. Generate client certificate and key
Generate client side certificate and key:
Output:
Sign client certificate:
Output:
Generate client side certificate and key:
sudo ./easyrsa gen-req client_name nopass
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating a RSA private key
..........................................+++++
...............+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.wU45j6E0Dt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/pki/private/client.key
Sign client certificate:
sudo ./easyrsa sign-req client client_name
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 1080 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Sep 5 12:28:25 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
Windows and Linux clients:
client
dev tun
proto udp
remote X.X.X.X 1194
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 60
cipher AES-256-CBC
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
Android clients:
key-direction 1
client
dev tun
proto udp
remote X.X.X.X 1194
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
8. Revoke client certificate
For revoke some client use this commands:
cd /etc/openvpn/easy-rsaThis command generate CRL file /etc/openvpn/easy-rsa/pki/crl.pem.
sudo ./easyrsa revoke client_name
sudo ./easyrsa gen-crl
Copy crl.pem in /etc/openvpn:
sudo cp pki/crl.prm /etc/openvpn
Open server.conf file:
sudo nano /etc/openvpn/server.conf
Add this line:
crl-verify /etc/openvpn/crl.pem
Source materials:
OpenVPN documentation
Wikipedia
Support me on Patreon
