Installing OpenVPN on Debian GNU/Linux

Some time ago in a previous handbook I’ve posted about how to install and configure OpenVPN on FreeBSD.

In this post we are going to see how to install a routed OpenVPN server on a GNU/Linux system. The target system we install OpenVPN will be Debian GNU/Linux.

Here’s a very simple illustration of our setup:

[ Internet ] <---> [ Gateway ] <---> [ OpenVPN server]

And some information about our hosts and networks:

10.1.16.0/20 - internal network
10.1.16.1 - Gateway and DNS server in the internal network
10.1.16.2 - OpenVPN server in the internal network
10.1.32.0/20 - Subnet for our OpenVPN clients

Now that we have all the needed information lets go ahead and install OpenVPN.

To better distinguish our firewall and OpenVPN servers I use a prefix openvpn# and firewall# for all commands used in this post for the firewall and OpenVPN servers respectively.

At the end of this post we will see what iptables(8) rules we need to apply on our firewall and OpenVPN server for passing traffic through.

Installing OpenVPN

Now, lets install OpenVPN:

openvpn# apt-get install openvpn

Configuring OpenVPN

Installation is done, now we need to configure our OpenVPN. Below you will find a fully working configuration file for a routed OpenVPN server.

# MS Fix for Apps like Remote Desktop
mssfix 1400 
 
# Local ip to listen on
local 10.1.16.2

# Listen on UDP port 1194
port 1194
proto udp
 
# Use routed VPN
dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpn.example.org.crt
key /etc/openvpn/easy-rsa/keys/vpn.example.org.key # This file should be kept secret

# Diffie hellman parameters.
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
 
# OpenVPN IP Pool for clients
# Server will use 10.1.32.1 address
# Clients will be assigned addresses from the
# 10.1.32.0/20 subnet
server 10.1.32.0 255.255.240.0
 
# Maintain a record of client <-> virtual IP address
ifconfig-pool-persist ipp.txt
 
# Push routes to the clients
push "route 10.1.16.0 255.255.240.0"
push "route 10.1.32.0 255.255.240.0"

# Configure all clients to redirect their
# default network gateway through the VPN 
#push "redirect-gateway def1 bypass-dhcp"
 
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
push "dhcp-option DNS 10.1.16.1"
push "dhcp-option DOMAIN example.org"

keepalive 10 120
 
# Blowfish encryption (default)
cipher BF-CBC 
 
# Enable compression on the VPN link.
comp-lzo
 
# The maximum number of concurrently connected clients
max-clients 100
 
# User and group the OpenVPN daemon runs as
user nobody
group nogroup
	
persist-key
persist-tun
 
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn-status.log
 
# Append log file to /var/log/openvpn.log
log-append /var/log/openvpn.log

# Verbosity level 
verb 3
mute 20

You can copy-paste the above configuration file, adjust your network settings and save it under /etc/openvpn/server.conf.

Certificate creation for server and clients

Next we will create the server’s and client’s certificates using the easy-rsa scripts that come with the OpenVPN package. First lets get the easy-rsa scripts.

openvpn# cd /etc/openvpn
openvpn# mkdir easy-rsa
openvpn# cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/*  easy-rsa/

The /etc/openvpn/easy-rsa/vars file contains some default values that will be used by the easy-rsa scripts during certificate creation, so you might want to do some changes there first. Once ready source the file and lets create the root certificate.

openvpn# cd /etc/openvpn/easy-rsa
openvpn# source vars

Create the root certificate (CA) by executing the command below:

openvpn# ./build-ca

Generate the server’s key:

openvpn# ./build-key-server vpn.example.org

Create the Diffie-Hellman parameters:

openvpn# ./build-dh

That was for the server part. Now lets add a client’s certificate as well:

openvpn# ./build-key client.example.org

The above command will create the clients certificate files. Once that is done you should securely send these files to the client in order to connect to the OpenVPN server:

ca.crt
client.example.crt
client.example.key

Configuring routes

We also need to configure a route between our OpenVPN clients and the firewall we have. The below command adds a route on the firewall server (10.1.16.1) to the OpenVPN client’s subnet (10.1.32.0/20) to go through the OpenVPN server (10.1.16.2).

firewall# route add -net 10.1.32.0/20 gw 10.1.16.2

It would be good to have this route added automatically after a reboot, and a good place for it would be to add a post-up clause in your interfaces file, similar to this one:

auto eth0
iface eth0 inet static
  address 10.1.16.1
  network 10.1.16.0
  netmask 255.255.240.0
  gateway <my-external-gw>
  post-up route add -net 10.1.32.0/20 gw 10.1.16.2
  pre-down route del -net 10.1.32.0 gw 10.1.16.2

Starting up the OpenVPN server

Now that we are ready, we can start up our OpenVPN server, by executing the command below:

openvpn# service openvpn start

If you have any issues starting up OpenVPN, please check the log file at /var/log/openvpn.log.

Configuring your OpenVPN client

You can find a working client configuration file at the link below, which you can use for your clients

OpenVPN client configuration

Firewall rules with iptables(8) for OpenVPN

Please check the post below for more information on setting up firewall rules with iptables(8) for your OpenVPN server.

Firewall rules with iptables for OpenVPN

Written on November 28, 2012