Installing OpenVPN on Debian GNU/Linux
Some time ago in a previous handbook I’ve posted about how to install and configure OpenVPN on FreeBSD.
In this post we are going to see how to install a routed OpenVPN server on a GNU/Linux system. The target system we install OpenVPN will be Debian GNU/Linux.
Here’s a very simple illustration of our setup:
[ Internet ] <---> [ Gateway ] <---> [ OpenVPN server]
And some information about our hosts and networks:
- 10.1.16.0/20 - internal network
- 10.1.16.1 - Gateway and DNS server in the internal network
- 10.1.16.2 - OpenVPN server in the internal network
- 10.1.32.0/20 - Subnet for our OpenVPN clients
Now that we have all the needed information lets go ahead and install OpenVPN.
To better distinguish our firewall and OpenVPN servers I use a prefix openvpn# and firewall# for all commands used in this post for the firewall and OpenVPN servers respectively.
At the end of this post we will see what
iptables(8) rules we need
to apply on our firewall and OpenVPN server for passing traffic
Now, lets install OpenVPN:
openvpn# apt-get install openvpn
Installation is done, now we need to configure our OpenVPN. Below you will find a fully working configuration file for a routed OpenVPN server.
# MS Fix for Apps like Remote Desktop mssfix 1400 # Local ip to listen on local 10.1.16.2 # Listen on UDP port 1194 port 1194 proto udp # Use routed VPN dev tun # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/vpn.example.org.crt key /etc/openvpn/easy-rsa/keys/vpn.example.org.key # This file should be kept secret # Diffie hellman parameters. dh /etc/openvpn/easy-rsa/keys/dh1024.pem # OpenVPN IP Pool for clients # Server will use 10.1.32.1 address # Clients will be assigned addresses from the # 10.1.32.0/20 subnet server 10.1.32.0 255.255.240.0 # Maintain a record of client <-> virtual IP address ifconfig-pool-persist ipp.txt # Push routes to the clients push "route 10.1.16.0 255.255.240.0" push "route 10.1.32.0 255.255.240.0" # Configure all clients to redirect their # default network gateway through the VPN #push "redirect-gateway def1 bypass-dhcp" # Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. CAVEAT: # http://openvpn.net/faq.html#dhcpcaveats push "dhcp-option DNS 10.1.16.1" push "dhcp-option DOMAIN example.org" keepalive 10 120 # Blowfish encryption (default) cipher BF-CBC # Enable compression on the VPN link. comp-lzo # The maximum number of concurrently connected clients max-clients 100 # User and group the OpenVPN daemon runs as user nobody group nogroup persist-key persist-tun # Output a short status file showing # current connections, truncated # and rewritten every minute. status /var/log/openvpn-status.log # Append log file to /var/log/openvpn.log log-append /var/log/openvpn.log # Verbosity level verb 3 mute 20
You can copy-paste the above configuration file, adjust your network
settings and save it under
Certificate creation for server and clients
Next we will create the server’s and client’s certificates using the easy-rsa scripts that come with the OpenVPN package. First lets get the easy-rsa scripts.
openvpn# cd /etc/openvpn openvpn# mkdir easy-rsa openvpn# cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/* easy-rsa/
/etc/openvpn/easy-rsa/vars file contains some default values
that will be used by the
easy-rsa scripts during certificate
creation, so you might want to do some changes there first. Once ready
source the file and lets create the root certificate.
openvpn# cd /etc/openvpn/easy-rsa openvpn# source vars
Create the root certificate (CA) by executing the command below:
Generate the server’s key:
openvpn# ./build-key-server vpn.example.org
Create the Diffie-Hellman parameters:
That was for the server part. Now lets add a client’s certificate as well:
openvpn# ./build-key client.example.org
The above command will create the clients certificate files. Once that is done you should securely send these files to the client in order to connect to the OpenVPN server:
We also need to configure a route between our OpenVPN clients and the firewall we have. The below command adds a route on the firewall server (10.1.16.1) to the OpenVPN client’s subnet (10.1.32.0/20) to go through the OpenVPN server (10.1.16.2).
firewall# route add -net 10.1.32.0/20 gw 10.1.16.2
It would be good to have this route added automatically after a reboot, and a good place for it would be to add a post-up clause in your interfaces file, similar to this one:
auto eth0 iface eth0 inet static address 10.1.16.1 network 10.1.16.0 netmask 255.255.240.0 gateway <my-external-gw> post-up route add -net 10.1.32.0/20 gw 10.1.16.2 pre-down route del -net 10.1.32.0 gw 10.1.16.2
Starting up the OpenVPN server
Now that we are ready, we can start up our OpenVPN server, by executing the command below:
openvpn# service openvpn start
If you have any issues starting up OpenVPN, please check the log file
Configuring your OpenVPN client
You can find a working client configuration file at the link below, which you can use for your clients
Firewall rules with iptables(8) for OpenVPN
Please check the post below for more information on setting up
firewall rules with
iptables(8) for your OpenVPN server.