Step 1 — Installing OpenVPN and EasyRSA
sudo apt install openvpn
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
aunpack ./EasyRSA-3.0.8.tgz
Step 2 — Configuring the EasyRSA Variables and Building the CA
cd ./EasyRSA-3.0.8/
cp vars.example vars
vim ./vars
Uncomment these lines and update the highlighted values to whatever you'd prefer, but do not leave them blank:
. . .
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "NewYork"
set_var EASYRSA_REQ_CITY "New York City"
set_var EASYRSA_REQ_ORG "DigitalOcean"
set_var EASYRSA_REQ_EMAIL "admin@example.com"
set_var EASYRSA_REQ_OU "Community"
Step 3 — Creating the Server Certificate, Key, and Encryption Files
./easyrsa init-pki
"... Your newly created PKI dir is: /home/vissie/EasyRSA-3.0.8/pki"
./easyrsa build-ca
"Pick a password" "name the server"
"... Your new CA certificate file for publishing is at: /home/vissie/EasyRSA-3.0.8/pki/ca.crt"
./easyrsa gen-req server nopass
sudo cp ./pki/private/server.key /etc/openvpn/
./easyrsa sign-req server server
./easyrsa gen-dh
sudo openvpn --genkey --secret ta.key
sudo cp ./ta.key /etc/openvpn/
sudo cp ./pki/dh.pem /etc/openvpn/
Step 4 — Generating a Client Certificate and Key Pair
cd ~
mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs
cd ~/EasyRSA-3.0.8/
./easyrsa gen-req vissie nopass
cp ./pki/private/vissie.key ~/client-configs/keys/
./easyrsa sign-req client vissie
'Yes' 'Password'
cp ./pki/issued/vissie.crt ~/client-configs/keys/
sudo cp ~/EasyRSA-3.0.8/ta.key ~/client-configs/keys/
Use the dig command to determine my public IP address:
sudo apt-get install dnsutils
dig +short myip.opendns.com @resolver1.opendns.com
On step 3, I got a permission denied error on:
echo 1 > /proc/sys/net/ipv4/ip_forward
So instead I did:
In a nutshell, to enable IP forwarding, you can just put the following in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
sudo sysctl -p
Plus I did both IPv4 and IPv6, not knowing if that was correct, but it made sense to me that it would be.
For step 4 I had to use my actual network interface in the before.rules file, not eth0.
For Step 5, sudo did NOT work. I had to BE root.
You might have the following issue:
No /etc/openvpn/easy-rsa/openssl.cnf file could be found
Further invocations will fail
In this case, just create a symbolic link:
ln -s openssl-1.0.0.cnf openssl.cnf
And then clean everything:
I just did an install on Debian Jessie. I had the same issues. Seemingly the service started, no visual errors, but openvpn was not running. A
sudo netstat -uapn | grep openvpn
came up blank. After hours of troubleshooting I eventually came upon this way of starting the service:
systemctl start openvpn@server.service
This failed! Now I had an error.
journalctl -xn
showed me an error on TUN/TAP.
I had an issue with a ta-key. I just disabled that: If you do not have a ta.key, of course tls-auth will fail. You may:
drop the tls-auth instruction altogether. This is not a major dent in your security: the Manual in fact states:
"This feature by itself does not improve the TLS auth in any way, although it offers a 2nd line of defense if a future flaw is discovered in a particular TLS cipher-suite or implementation (such as CVE-2014-0160, Heartbleed, where the tls-auth key provided protection against attackers who did not have a copy). However, it offers no protection at all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic."
or you may now generate the ta-key:
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
it is not too late for this.
Some more hours later I realised that, because I was on a VPS, I had no TUN/TAP access from my provider by default! I had to enable it via a console option.
I did that, the server rebooted, and now I have my OpenVPN.
So, 10 points to the author on a great setup guide! Thx dude.
I hope this little bit of info helps someone.
sudo cat /etc/openvpn/openvpn-status.log
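To do more with that status file than eyeball it, here is an added example (not part of the guide) that parses the status-version-1 layout, which is what OpenVPN writes unless you set status-version, joins the CLIENT LIST and ROUTING TABLE sections per common name, and flags connected common names that you never issued a certificate for. The sample file content is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample in the layout OpenVPN writes by default (status-version 1).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vissie,203.0.113.5:51234,12345,67890,Thu Jun 18 07:55:03 2015
laptop,198.51.100.7:40001,400,900,Thu Jun 18 08:01:30 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,vissie,203.0.113.5:51234,Thu Jun 18 08:12:10 2015
10.8.0.10,laptop,198.51.100.7:40001,Thu Jun 18 08:11:59 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

@dataclass
class Client:
    common_name: str        # CN of the client certificate signed in Step 4
    real_address: str       # public ip:port the tunnel comes from
    bytes_received: int
    bytes_sent: int
    connected_since: str
    virtual_addresses: List[str] = field(default_factory=list)  # from ROUTING TABLE

def parse_status(text: str) -> Dict[str, Client]:
    """Join the CLIENT LIST and ROUTING TABLE sections, keyed by common name."""
    clients: Dict[str, Client] = {}
    section = None
    for line in text.splitlines():
        if line.startswith("OpenVPN CLIENT LIST"):
            section = "clients"
        elif line.startswith("ROUTING TABLE"):
            section = "routes"
        elif line.startswith(("GLOBAL STATS", "END")):
            section = None
        elif section == "clients" and line.count(",") == 4 and not line.startswith("Common Name"):
            cn, real, rx, tx, since = line.split(",")
            clients[cn] = Client(cn, real, int(rx), int(tx), since)
        elif section == "routes" and line.count(",") == 3 and not line.startswith("Virtual Address"):
            vaddr, cn, real, _last_ref = line.split(",")
            clients.setdefault(cn, Client(cn, real, 0, 0, "")).virtual_addresses.append(vaddr)
    return clients

def unexpected_clients(clients: Dict[str, Client], issued: Set[str]) -> Set[str]:
    """Connected common names that you never issued a certificate for (e.g. pki/issued/)."""
    return set(clients) - issued
```

Feed it the real file with parse_status(open("/etc/openvpn/openvpn-status.log").read()) and the set of names under pki/issued/ as the issued set.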
If you’re customizing rules for your own installation and breaking things on your server and clients to catch errors to match, you probably want to change your logging method in /etc/openvpn/server.conf from log /var/log/openvpn.log to log-append /var/log/openvpn.log and restart OpenVPN to keep your logs from being blown away when you stop and start. Then switch it back to log after you’re done.
Please remember, if your VPN is up but there is no traffic going to the internet, make sure that UFW is running and that the rules are set up correctly.
apt-get install openvpn easy-rsa