=====Quick setup=====
https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
===== Long Setup =====
==== This was my starting point: ====
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-10
====Here are my steps====
===Step 1 — Installing OpenVPN and EasyRSA===
sudo apt install openvpn
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
aunpack ./EasyRSA-3.0.8.tgz
===Step 2 — Configuring the EasyRSA Variables and Building the CA===
cd ./EasyRSA-3.0.8/
cp vars.example vars
vim ./vars
Uncomment these lines and update the highlighted values to whatever you’d prefer, but do not leave them blank:
. . .
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "NewYork"
set_var EASYRSA_REQ_CITY "New York City"
set_var EASYRSA_REQ_ORG "DigitalOcean"
set_var EASYRSA_REQ_EMAIL "admin@example.com"
set_var EASYRSA_REQ_OU "Community"
===Step 3 — Creating the Server Certificate, Key, and Encryption Files===
./easyrsa init-pki
"... Your newly created PKI dir is: /home/vissie/EasyRSA-3.0.8/pki"
./easyrsa build-ca
"Pick a password"
"name the server"
"... Your new CA certificate file for publishing is at: /home/vissie/EasyRSA-3.0.8/pki/ca.crt"
sudo cp ./pki/ca.crt /etc/openvpn/
./easyrsa gen-req server nopass
sudo cp ./pki/private/server.key /etc/openvpn/
./easyrsa sign-req server server
sudo cp ./pki/issued/server.crt /etc/openvpn/
sudo cp ./pki/ca.crt /etc/openvpn/
./easyrsa gen-dh
sudo openvpn --genkey --secret ta.key
sudo cp ./ta.key /etc/openvpn/
sudo cp ./pki/dh.pem /etc/openvpn/
===Step 4 — Generating a Client Certificate and Key Pair===
cd ~
mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs
cd ~/EasyRSA-3.0.8/
./easyrsa gen-req vissie nopass
cp ./pki/private/vissie.key ~/client-configs/keys/
./easyrsa sign-req client vissie
'Yes'
'Password'
cp ./pki/issued/vissie.crt ~/client-configs/keys/
sudo cp ~/EasyRSA-3.0.8/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
===Step 5 — Configuring the OpenVPN Service===
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
sudo vim /etc/openvpn/server.conf
...
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
# Below this, add an auth directive
auth SHA256
#If necessary, change the file name by removing the 2048 so it aligns with the key you generated in the previous step:
dh dh.pem
user nobody
group nogroup
#Find the redirect-gateway
push "redirect-gateway def1 bypass-dhcp"
#Just below this, find the dhcp-option section. Again, remove the “;” from in front of both of the lines to uncomment them:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Optional!
port 11
# Optional!
proto tcp
#If you do switch the protocol to TCP, you will need to change the explicit-exit-notify directive’s value from 1 to 0
explicit-exit-notify 0
...
===Step 6 — Adjusting the Server Networking Configuration===
sudo vim /etc/sysctl.conf
...
net.ipv4.ip_forward=1
...
sudo sysctl -p
ip route | grep default
#Your public interface is the string found within this command’s output that follows the word “dev”. For example, this result shows the interface named eth0:
#Output
#default via 203.0.113.1 dev eth0 proto static
sudo apt install ufw
sudo vim /etc/ufw/before.rules
# UFW rules are typically added using the ufw command. Rules listed in the before.rules file, though, are read and put into place before the conventional UFW rules are loaded.
# Towards the top of the file, add the highlighted lines below. This will set the default policy for the POSTROUTING chain in the nat table and masquerade any traffic coming
# from the VPN. Remember to replace eth0 in the -A POSTROUTING line below with the interface you found in the above command:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
. . .
sudo vim /etc/default/ufw
...
DEFAULT_FORWARD_POLICY="ACCEPT"
...
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
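The optional port/proto changes in Step 5 and the ufw and NAT rules in Step 6 must agree, and this page itself ends up with proto tcp on port 11 in server.conf but a 1194/udp rule in ufw. The following is an added check of my own, not part of the DigitalOcean tutorial or of OpenVPN: it reads the effective port/proto from a server.conf, prints the matching ufw line and the MASQUERADE line for before.rules using the interface found on the default route, and flags explicit-exit-notify under TCP. All inputs below are constructed samples.

```shell
# Added example, not from the original guide: derive the port/proto that
# server.conf will really use (Step 5 may change them) and print the Step 6
# rules that have to agree with them and with the real default-route interface.

# Value of the last uncommented occurrence of a directive, or empty.
ovpn_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p" "$1" | tail -n 1
}

# "<port>/<proto>" as OpenVPN will listen; built-in defaults are 1194/udp.
ovpn_listen_spec() {
    port=$(ovpn_directive "$1" port)
    case "$(ovpn_directive "$1" proto)" in
        tcp*) proto=tcp ;;   # tcp, tcp4, tcp6, tcp-server all listen on TCP
        *)    proto=udp ;;
    esac
    printf '%s/%s\n' "${port:-1194}" "$proto"
}
ovpn_ufw_rule() {
    printf 'sudo ufw allow %s\n' "$(ovpn_listen_spec "$1")"
}

# explicit-exit-notify is UDP-only: under TCP it must be 0 or absent.
ovpn_exit_notify_ok() {
    n=$(ovpn_directive "$1" explicit-exit-notify)
    # A bare "explicit-exit-notify" with no value means 1.
    if [ -z "$n" ] && grep -q '^[[:space:]]*explicit-exit-notify' "$1"; then n=1; fi
    case "$(ovpn_listen_spec "$1")" in
        */tcp) [ -z "$n" ] || [ "$n" = 0 ] ;;
        *)     true ;;
    esac
}

# Interface after "dev" on the default route line of `ip route` output.
default_iface() {
    printf '%s\n' "$1" | sed -n 's/^default .*dev \([^ ]*\).*/\1/p' | head -n 1
}
# MASQUERADE line for before.rules, with the VPN subnet used on this page.
ovpn_nat_rule() {
    printf '%s -s 10.8.0.0/8 -o %s -j MASQUERADE\n' '-A POSTROUTING' "$1"
}

# Constructed inputs mirroring the optional Step 5 changes made on this page.
demo=$(mktemp)
printf 'port 11\nproto tcp\n;explicit-exit-notify 1\nexplicit-exit-notify 0\n' > "$demo"
ovpn_ufw_rule "$demo"                                 # sudo ufw allow 11/tcp
ovpn_exit_notify_ok "$demo" && echo "explicit-exit-notify is consistent with proto"
ovpn_nat_rule "$(default_iface 'default via 203.0.113.1 dev ens3 proto static')"
rm -f "$demo"
```

Run it against the real /etc/openvpn/server.conf and the output of ip route | grep default to get the two rules that belong in Step 6 for the settings actually in use.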
===Step 7 — Starting and Enabling the OpenVPN Service===
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
sudo systemctl enable openvpn@server
===Step 8 — Creating the Client Configuration Infrastructure===
mkdir -p ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
vim ~/client-configs/base.conf
...
remote my.server.com 1194
proto udp
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
#ca ca.crt
#cert client.crt
#key client.key
#tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
# Finally, add a few commented out lines. Although you can include these directives in every client configuration file, you only need to enable them for Linux clients
# that ship with an /etc/openvpn/update-resolv-conf file. This script uses the resolvconf utility to update DNS information for Linux clients.
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
...
vim ~/client-configs/make_config.sh
#!/bin/bash
# First argument: Client identifier
# Paths use the home directory shown elsewhere on this page (/home/vissie).
KEY_DIR=/home/vissie/client-configs/keys
OUTPUT_DIR=/home/vissie/client-configs/files
BASE_CONFIG=/home/vissie/client-configs/base.conf
# Concatenate the base config with the CA cert, client cert, client key and
# tls-auth key as inline blocks. The <ca>/<cert>/<key>/<tls-auth> tags are
# required; without them the client cannot parse the profile.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
chmod 700 ~/client-configs/make_config.sh
===Step 9 — Generating Client Configurations===
cd ~/client-configs
sudo ./make_config.sh vissie
ls ~/client-configs/files
===Step 10 — Installing the Client Configuration===
sudo apt install openvpn
# Check to see if your distribution includes an /etc/openvpn/update-resolv-conf script:
ls /etc/openvpn
update-resolv-conf
#Next, edit the OpenVPN client configuration file you transferred:
vim client1.ovpn
...
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
...
==== Here are my notes: ====
Use dig command for determining my public IP address:
sudo apt-get install dnsutils
dig +short myip.opendns.com @resolver1.opendns.com
On step 3, I got a permission denied error on:
echo 1 > /proc/sys/net/ipv4/ip_forward
So rather I did:
In a nutshell, to enable IP forwarding, you can just put the following in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
sudo sysctl -p
Plus I did both ipv4 and ipv6. Not knowing if that was correct. But it made sense to me that it would be.
For step 4 I had to use my actual network interface in the before.rules, not eth0.
For Step 5, sudo did NOT work. I had to BE root.
You might have the following issue:
**************************************************************
No /etc/openvpn/easy-rsa/openssl.cnf file could be found
Further invocations will fail
**************************************************************
In this case, just create a symbolic link:
ln -s openssl-1.0.0.cnf openssl.cnf
And then clean everything:
I just did an install on Debian Jessie. I had the same issues. Seemingly the service started, no visual errors, but openvpn was not running. A
sudo netstat -uapn | grep openvpn
came up blank. After hours of troubleshooting I eventually came upon this way of starting the service:
systemctl start openvpn@server.service
This failed! Now I had an error.
journalctl -xn
showed me an error on TUN/TAP.
I had an issue with a ta-key. I just disabled that:
If you do not have a ta.key, of course tls-auth will fail. You may:
drop the tls-auth instruction altogether. This is not a major dent in your security: the Manual in fact states:
This feature by itself does not improve the TLS auth in any way, although it offers a 2nd line of defense if a future flaw is discovered in a particular TLS cipher-suite or
implementation (such as CVE-2014-0160, Heartbleed, where the tls-auth key provided protection against attackers who did not have a copy). However, it offers no protection at
all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic.
or you may now generate the ta-key:
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
it is not too late for this.
Some more hours later I realised, that due to the fact that I was on a VPS, I had no TUN/TAP access from my provider as a default! I had to enable it via a console option.
I did that, the server rebooted. And now I have my openVPN.
So, 10 points to the author on a great setup guide! Thx dude.
I hope this little bit of info helps someone.
===== Tips =====
==== View connected users ====
sudo cat /etc/openvpn/openvpn-status.log
==== Logs ====
If you are customizing rules for your own installation and deliberately breaking things on the server and clients to provoke errors, change the logging directive in /etc/openvpn/server.conf from log /var/log/openvpn.log to log-append /var/log/openvpn.log and restart OpenVPN, so the log is not truncated each time you stop and start. Switch it back to log once you are done.
==== Connection issues ====
Please remember, if your VPN is up but no traffic is reaching the internet, make sure that UFW is running and that the rules are set up correctly.
===== New notes for Debian 9 (Stretch) =====
apt-get install openvpn easy-rsa