The World According To Vissie

https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-10

Step 1 — Installing OpenVPN and EasyRSA

sudo apt install openvpn
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
aunpack ./EasyRSA-3.0.8.tgz

Step 2 — Configuring the EasyRSA Variables and Building the CA

cd ./EasyRSA-3.0.8/
cp vars.example vars
vim ./vars

Uncomment these lines and update the highlighted values to whatever you’d prefer, but do not leave them blank:
. . .

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "NewYork"
set_var EASYRSA_REQ_CITY       "New York City"
set_var EASYRSA_REQ_ORG        "DigitalOcean"
set_var EASYRSA_REQ_EMAIL      "admin@example.com"
set_var EASYRSA_REQ_OU         "Community"

Step 3 — Creating the Server Certificate, Key, and Encryption Files

./easyrsa init-pki
"... Your newly created PKI dir is: /home/vissie/EasyRSA-3.0.8/pki"
./easyrsa build-ca
"Pick a password"
"name the server"
"... Your new CA certificate file for publishing is at:
/home/vissie/EasyRSA-3.0.8/pki/ca.crt
cp ./pki/ca.crt /etc/openvpn/
./easyrsa gen-req server nopass
sudo cp ./pki/private/server.key /etc/openvpn/
./easyrsa sign-req server server
./easyrsa gen-dh
sudo openvpn --genkey --secret ta.key
sudo cp ./ta.key /etc/openvpn/
sudo cp ./pki/dh.pem /etc/openvpn/

Step 4 — Generating a Client Certificate and Key Pair

cd ~
mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs
cd ~/EasyRSA-3.0.8/
./easyrsa gen-req vissie nopass
cp ./pki/private/vissie.key ~/client-configs/keys/
./easyrsa sign-req client vissie
'Yes'
'Password'
cp ./pki/issued/vissie.crt ~/client-configs/keys/
sudo cp ~/EasyRSA-3.0.8/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/

Step 5 — Configuring the OpenVPN Service

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
sudo vim /etc/openvpn/server.conf
...
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
# Below this, add an auth directive
auth SHA256
#If necessary, change the file name by removing the 2048 so it aligns with the key you generated in the previous step:
dh dh.pem
user nobody
group nogroup
#Find the redirect-gateway
push "redirect-gateway def1 bypass-dhcp"
#Just below this, find the dhcp-option section. Again, remove the “;” from in front of both of the lines to uncomment them:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Optional!
port 443
# Optional!
proto tcp
#If you do switch the protocol to TCP, you will need to change the explicit-exit-notify directive’s value from 1 to 0
explicit-exit-notify 0
...

Step 6 — Adjusting the Server Networking Configuration

sudo vim /etc/sysctl.conf
...
net.ipv4.ip_forward=1
...
sudo sysctl -p
ip route | grep default
#Your public interface is the string found within this command’s output that follows the word “dev”. For example, this result shows the interface named eth0:
#Output
#default via 203.0.113.1 dev eth0 proto static

sudo apt install ufw
sudo vim /etc/ufw/before.rules

# UFW rules are typically added using the ufw command. Rules listed in the before.rules file, though, are read and put into place before the conventional UFW rules are loaded. 
# Towards the top of the file, add the highlighted lines below. This will set the default policy for the POSTROUTING chain in the nat table and masquerade any traffic coming 
# from the VPN. Remember to replace eth0 in the -A POSTROUTING line below with the interface you found in the above command:

/etc/ufw/before.rules # # rules.before # # Rules that should be run before the ufw command line added rules. Custom # rules should be added to one of these chains: # ufw-before-input # ufw-before-output # ufw-before-forward #

# START OPENVPN RULES # NAT table rules *nat :POSTROUTING ACCEPT [0:0] # Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!) -A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE COMMIT # END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors *filter . . .

Use dig command for determining my public IP address:

sudo apt-get install dnsutils
dig +short myip.opendns.com @resolver1.opendns.com

On step 3, I got an permision denied error onL

echo 1 > /proc/sys/net/ipv4/ip_forward

So rather I did:

In a nutshell, to enable IP forwarding, you can just put the following in /etc/sysctl.conf:

net.ipv4.ip_forward = 1
sudo sysctl -p

Plus I did both ipv4 and ipv6. Not knowing if that was correct. But it made sense to me that it would be.

For step 4 I had to use my actual network interface in the before,rule, not eth0.

For Step 5, sudo did NOT work. I had to BE root.

You might have the following issue : No /etc/openvpn/easy-rsa/openssl.cnf file could be found Further invocations will fail In this case, just create a symbolic link :

ln -s openssl-1.0.0.cnf openssl.cnf

And then clean everything :

I just did a install on Debian Jessie. I had the same issues. Seemingly the service started, no visual errors, but openvpn was not running. a

sudo netstat -uapn | grep openvpn

came up blank. After hours of trouble shooting I eventually came upon this way of starting the service

systemctl start openvpn@server.service.

This failed! Now I had a error.

journalctl -xn

showed me a error on TUN/TAP.

I had a issue with a ta-key. I just disabled that: If you do not have a ta.key, of course tls-auth will fail. You may:

drop the tls-auth instruction altogether. This is not a major dent in your security: the Manual in fact states: This feature by itself does not improve the TLS auth in any way, although it offers a 2nd line of defense if a future flaw is discovered in a particular TLS cipher-suite or implementation (such as CVE-2014-0160, Heartbleed, where the tls-auth key provided protection against attackers who did not have a copy). However, it offers no protection at all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic. or you may now generate the ta-key:

openvpn –genkey –secret /etc/openvpn/easy-rsa/keys/ta.key it is not too late for this.

Some more hours later I realised, that due to the fact that I was on a VPS, I had no TUN/TAP access from my provider as a default! I had to enable it via a console option.

I did that, the server rebooted. And now I have my openVPN.

So, 10 points to the author on a great setup guide! Thx dude.

I hope this little bit of info helps someone.

sudo cat /etc/openvpn/openvpn-status.log

If you’re customizing rules for your own installation and breaking things on your server and clients to catch errors to match, you probably want to change your logging method in /etc/openvpn/server.conf from log /var/log/openvpn.log to log-append /var/log/openvpn.log and restart OpenVPN to keep your logs from being blown away when you stop and start. Then switch it back to log after you’re done.

Please remember, if your VPN is up, but there is no traffic going to the internet, make sure that UFW is running and that the rules is setup correctly.

apt-get install openvpn easy-rsa