Install and Configure an OpenVPN Server on Debian 9 in 5 Minutes
OpenVPN is free and open source VPN (virtual private network) software that runs on Debian Linux 9. It implements an OSI layer 2 or layer 3 secure network extension using the SSL/TLS protocol. A VPN lets you connect securely across an untrusted public network, such as the Wi-Fi at an airport or hotel. A VPN is also often required to reach corporate, enterprise or home server resources, and it lets you bypass geo-blocked sites and improve your privacy and safety online.
This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Debian Linux v8.x/9.x, including ufw/iptables firewall configuration.
Set up OpenVPN on Debian 9 In 5 Minutes
The steps are as follows:
- Find and note down your public IP address
- Download the openvpn-install.sh script
- Run openvpn-install.sh to install the OpenVPN server
- Connect to the OpenVPN server using an iOS/Android/Linux/Windows client
- Verify your connectivity
Step 1 – Find your public IP address
Use any one of the following commands to find your public IPv4 address. If the public address is assigned directly to an interface named eth0 or eth1, type the following ip command:
$ ip addr show eth0
OR
$ ip addr show eth1
Or ask a DNS resolver which address it sees you coming from, using the host command or the dig command as follows:
$ host myip.opendns.com resolver1.opendns.com
OR
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
Note down the public IP address, 104.237.156.154 in this tutorial, i.e. the public IP address of your OpenVPN server.
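The interface commands only show your public address when the provider assigns it directly to eth0/eth1. On a host behind NAT they show a private address, and the address you give the installer must then be the NAT's public side (with UDP 1194 forwarded to the host). The following shell functions are an added example, not part of the original tutorial: they classify an IPv4 address as private or public and pick the first public address out of `ip -4 -o addr show` output. The interface lines in SAMPLE are constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# is_private_ipv4 A.B.C.D -> prints "private" for RFC 1918, loopback,
# link-local and carrier-grade NAT (100.64/10) ranges, else "public".
is_private_ipv4() {
    ip=$1
    o1=${ip%%.*}
    rest=${ip#*.}
    o2=${rest%%.*}
    case "$o1" in
        10|127) echo private; return 0 ;;                    # 10/8, 127/8
        172) if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then   # 172.16/12
                 echo private; return 0; fi ;;
        192) if [ "$o2" -eq 168 ]; then                      # 192.168/16
                 echo private; return 0; fi ;;
        169) if [ "$o2" -eq 254 ]; then                      # 169.254/16 link-local
                 echo private; return 0; fi ;;
        100) if [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then  # 100.64/10 CGNAT
                 echo private; return 0; fi ;;
    esac
    echo public
    return 0
}

# first_public_ipv4 < output-of-"ip -4 -o addr show"
# Prints the first globally routable address, or "none" (exit status 1)
# when every address is private, i.e. the host sits behind NAT.
first_public_ipv4() {
    addrs=$(awk '{ for (i = 1; i <= NF; i++) if ($i == "inet") print $(i + 1) }')
    for cidr in $addrs; do
        addr=${cidr%/*}          # drop the /prefix length
        if [ "$(is_private_ipv4 "$addr")" = public ]; then
            echo "$addr"
            return 0
        fi
    done
    echo none
    return 1
}

# Constructed sample of "ip -4 -o addr show" on a host with one private and
# one public interface. On a real server pipe the command itself:
#   ip -4 -o addr show | first_public_ipv4
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
3: eth1    inet 104.237.156.154/24 brd 104.237.156.255 scope global eth1'
printf '%s\n' "$SAMPLE" | first_public_ipv4
```

If the function prints "none", every address on the box is private, so give the installer the public address of the NAT device in front of it rather than anything `ip addr` shows.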
Step 2 – Update your system and install ufw
Type the apt-get command/apt command to update your system:
$ sudo apt-get update
$ sudo apt-get upgrade
Sample outputs:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  libc-bin libc-l10n libc6 libexpat1 linux-image-4.9.0-3-amd64 locales multiarch-support
7 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 46.6 MB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://security.debian.org/debian-security stretch/updates/main amd64 libc6 amd64 2.24-11+deb9u1 [2,695 kB]
Get:2 http://security.debian.org/debian-security stretch/updates/main amd64 libc-bin amd64 2.24-11+deb9u1 [778 kB]
Get:3 http://security.debian.org/debian-security stretch/updates/main amd64 multiarch-support amd64 2.24-11+deb9u1 [200 kB]
Get:4 http://security.debian.org/debian-security stretch/updates/main amd64 libc-l10n all 2.24-11+deb9u1 [820 kB]
Get:5 http://security.debian.org/debian-security stretch/updates/main amd64 locales all 2.24-11+deb9u1 [3,290 kB]
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 libexpat1 amd64 2.2.0-2+deb9u1 [83.4 kB]
Get:7 http://security-cdn.debian.org stretch/updates/main amd64 linux-image-4.9.0-3-amd64 amd64 4.9.30-2+deb9u2 [38.7 MB]
Fetched 46.6 MB in 2s (15.5 MB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../libc6_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6:amd64 (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc6:amd64 (2.24-11+deb9u1) ...
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.24-11+deb9u1_amd64.deb ...
Unpacking libc-bin (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc-bin (2.24-11+deb9u1) ...
Updating /etc/nsswitch.conf to current default.
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../multiarch-support_2.24-11+deb9u1_amd64.deb ...
Unpacking multiarch-support (2.24-11+deb9u1) over (2.24-11) ...
Setting up multiarch-support (2.24-11+deb9u1) ...
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../libc-l10n_2.24-11+deb9u1_all.deb ...
Unpacking libc-l10n (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../locales_2.24-11+deb9u1_all.deb ...
Unpacking locales (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../libexpat1_2.2.0-2+deb9u1_amd64.deb ...
Unpacking libexpat1:amd64 (2.2.0-2+deb9u1) over (2.2.0-2) ...
Preparing to unpack .../linux-image-4.9.0-3-amd64_4.9.30-2+deb9u2_amd64.deb ...
Unpacking linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u2) over (4.9.30-2) ...
Setting up libexpat1:amd64 (2.2.0-2+deb9u1) ...
Processing triggers for libc-bin (2.24-11+deb9u1) ...
Setting up libc-l10n (2.24-11+deb9u1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u2) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.9.0-3-amd64
Found initrd image: /boot/initrd.img-4.9.0-3-amd64
done
Setting up locales (2.24-11+deb9u1) ...
Generating locales (this might take a while)...
  en_US.UTF-8... done
Generation complete.
I need to reboot the box because a new Linux kernel was installed. Type the following reboot command:
$ sudo reboot
Install ufw ( Uncomplicated Firewall )
You should run the OpenVPN server on Debian 9 behind a host firewall to secure and harden it. To install ufw on Debian 9/8, type the following apt-get command/apt command:
$ sudo apt-get install ufw
Sample outputs:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ufw
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 164 kB of archives.
After this operation, 848 kB of additional disk space will be used.
Get:1 http://mirrors.linode.com/debian stretch/main amd64 ufw all 0.35-4 [164 kB]
Fetched 164 kB in 0s (13.1 MB/s)
Preconfiguring packages ...
Selecting previously unselected package ufw.
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../archives/ufw_0.35-4_all.deb ...
Unpacking ufw (0.35-4) ...
Setting up ufw (0.35-4) ...

Creating config file /etc/ufw/before.rules with new version

Creating config file /etc/ufw/before6.rules with new version

Creating config file /etc/ufw/after.rules with new version

Creating config file /etc/ufw/after6.rules with new version
Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service → /lib/systemd/system/ufw.service.
Processing triggers for systemd (232-25) ...
Processing triggers for man-db (2.7.6.1-2) ...
Processing triggers for rsyslog (8.24.0-1) ...
You must open the required ports, such as SSH port 22 and web ports 80 and 443:
$ sudo ufw allow 22
$ sudo ufw allow 80
$ sudo ufw allow 443
Enable the firewall, run:
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Verify the firewall rules:
$ sudo ufw status
Sample outputs:
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
How To Set Up an OpenVPN Server on Debian 9
We are going to set up an OpenVPN server using the easy-to-use openvpn-install.sh script.
Step 3 – Download openvpn-install.sh script
Type the following wget command:
$ wget https://git.io/vpn -O openvpn-install.sh
Sample outputs:
--2019-03-08 16:39:32--  https://git.io/vpn
Resolving git.io (git.io)... 52.73.9.93, 52.73.94.166, 52.7.169.168, ...
Connecting to git.io (git.io)|52.73.9.93|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2019-03-08 16:39:33--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.8.133
Connecting to raw.github.com (raw.github.com)|151.101.8.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2019-03-08 16:39:34--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.8.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.8.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14712 (14K) [text/plain]
Saving to: ‘openvpn-install.sh’

openvpn-install.sh  100%[=====================================>]  14.37K  --.-KB/s    in 0.04s

2019-03-08 16:39:34 (338 KB/s) - ‘openvpn-install.sh’ saved [14712/14712]
The script runs as root, so read through it before you run it. Then run openvpn-install.sh to install and configure the OpenVPN server automatically:
$ sudo bash openvpn-install.sh
When prompted, set the IP address to 104.237.156.154 (replace 104.237.156.154 with your actual public IP address) and the port to 1194 (or 443 if you are not running a web server). Use Google or OpenDNS DNS servers with the VPN. Next, type a client name (such as iPhone, Nexus6, LinuxRouter, BackupServer). Finally, press the [Enter] key to install and set up OpenVPN on your system. The script also writes the iptables forwarding and NAT rules for the VPN subnet to /etc/rc.local; view them with:
$ cat /etc/rc.local
Sample outputs:
#!/bin/sh -e
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 104.237.156.154
exit 0
You can view the OpenVPN server config file generated by the script as follows (do not edit this file by hand):
$ sudo more /etc/openvpn/server.conf
$ sudo vi -M /etc/openvpn/server.conf
Sample outputs:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 173.230.155.5"
push "dhcp-option DNS 173.255.212.5"
push "dhcp-option DNS 173.255.219.5"
push "dhcp-option DNS 173.255.241.5"
push "dhcp-option DNS 173.255.243.5"
push "dhcp-option DNS 173.255.244.5"
push "dhcp-option DNS 173.230.145.5"
push "dhcp-option DNS 173.230.147.5"
push "dhcp-option DNS 74.207.241.5"
push "dhcp-option DNS 74.207.242.5"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
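The tutorial says not to edit the generated server.conf by hand, but it is still worth reading, and the lines a reviewer checks are the same on every install. The shell function below is an added example, not code from the tutorial or from openvpn-install.sh: it reads a server.conf from stdin and reports settings to question, namely compression enabled (the comp-lzo line above), a CBC data-channel cipher, and missing tls-auth/tls-crypt, user/group or crl-verify directives. It assumes one directive per line, as the installer writes the file; SAMPLE_CONF is a shortened copy of the config shown above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of openvpn-install.sh.
# Read-only review of an OpenVPN server.conf: it reports, never modifies.
# Usage: audit_server_conf < /etc/openvpn/server.conf
# Prints one line per finding plus a "findings: N" summary and returns N.
audit_server_conf() {
    conf=$(cat)
    findings=0
    has()  { printf '%s\n' "$conf" | grep -Eq "$1"; }
    note() { echo "$1"; findings=$((findings + 1)); }

    # Compression inside an encrypted tunnel leaks information through
    # ciphertext length; OpenVPN recommends leaving it off. "comp-lzo no"
    # and a bare "compress" (framing only, no algorithm) are not flagged.
    if has '^comp-lzo( +(yes|adaptive))? *$' || has '^compress +(lzo|lz4|lz4-v2) *$'; then
        note "WARN compression enabled; disable it in the server and client configs"
    fi
    # A CBC cipher relies on the separate "auth" HMAC; AEAD ciphers such as
    # AES-256-GCM authenticate the data channel themselves.
    if has '^cipher +[A-Za-z0-9-]*-CBC *$'; then
        note "INFO CBC data-channel cipher; prefer an AEAD cipher (AES-256-GCM)"
    fi
    # With tls-auth/tls-crypt, packets lacking a valid HMAC are dropped before
    # any TLS handshake work is done.
    if ! has '^(tls-auth|tls-crypt) '; then
        note "WARN no tls-auth/tls-crypt: control channel is not HMAC-protected"
    fi
    if ! has '^user ' || ! has '^group '; then
        note "WARN daemon keeps root after startup; add user/group directives"
    fi
    if ! has '^crl-verify '; then
        note "WARN no crl-verify: revoked client certificates are still accepted"
    fi
    echo "findings: $findings"
    return "$findings"
}

# Constructed sample: a shortened copy of the config the installer produced.
SAMPLE_CONF='port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 173.230.155.5"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem'

# On a real server: sudo cat /etc/openvpn/server.conf | audit_server_conf
printf '%s\n' "$SAMPLE_CONF" | audit_server_conf || echo "server.conf needs attention"
```

On the config above this reports two findings (compression on, CBC cipher); everything else the installer already does right. Because the return value is the finding count, the function drops straight into a cron job or CI check that fails when a later edit loosens the config.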
How do I start/stop/restart OpenVPN server on a Debian Linux 9.x/8.x LTS?
Type the following command to stop the OpenVPN service:
$ sudo systemctl stop openvpn@server
Type the following command to start the OpenVPN service:
$ sudo systemctl start openvpn@server
Type the following command to restart the OpenVPN service:
$ sudo systemctl restart openvpn@server
Step 4 – Client configuration
On the server you will find a client configuration file named after the client you entered, here ~/macos-vpn-client.ovpn. Copy this file to your local desktop using scp and load it into your OpenVPN client to connect:
$ scp vivek@104.237.156.154:~/macos-vpn-client.ovpn .
Next, you need to download OpenVPN client as per your operating system:
- Apple iOS OpenVPN app
- Google Android mobile OpenVPN app
- Apple MacOS (OS X) OpenVPN client
- MS-Windows 7/8/10 OpenVPN client
MacOS/OS X OpenVPN client configuration
First install the OpenVPN macOS client (Tunnelblick). Next, double-click the macos-vpn-client.ovpn file and it will open in your Tunnelblick client; click “Only me” to install it.
Once installed, click the Connect button and you will be online. Use the following command on the macOS client to verify that your public IP changed to the VPN server's IP (type it on your Linux/Unix/macOS desktop):
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
Sample outputs:
"104.237.156.154"
You can ping the OpenVPN server's private IP:
$ ping 10.8.0.1
Sample outputs:
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=287.760 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=283.046 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=278.271 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=283.679 ms
^C
--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 278.271/283.189/287.760/3.367 ms
Linux OpenVPN client configuration
Install the openvpn client on RHEL/CentOS Linux using the yum command:
$ sudo yum install openvpn
OR install the openvpn client on Debian/Ubuntu Linux using the apt command:
$ sudo apt install openvpn
Next, copy macos-vpn-client.ovpn into place as follows:
$ sudo cp macos-vpn-client.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
$ sudo openvpn --client --config /etc/openvpn/client.conf
Your Linux system will connect automatically when the computer restarts, using the /etc/init.d/openvpn script:
$ sudo /etc/init.d/openvpn start
On a systemd based system, use the following command instead:
$ sudo systemctl start openvpn@client
Test the connectivity:
$ ping 10.8.0.1 # Ping the OpenVPN server gateway
$ ip route # Make sure routing is set up
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com # Make sure your public IP is now the OpenVPN server's
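What "make sure routing is set up" means in practice, as an added example that is not part of the tutorial: the server pushes `redirect-gateway def1 bypass-dhcp` (see server.conf above), and def1 means OpenVPN does not delete the client's existing default route. It adds 0.0.0.0/1 and 128.0.0.0/1 through the tun device, which win over 0.0.0.0/0 by longest-prefix match, plus a host route to the VPN server through the original gateway so the encrypted packets themselves are not pulled into the tunnel. The function below checks `ip route` output on a Linux client for exactly those routes; ROUTES_BEFORE and ROUTES_AFTER are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# tunnel_routes_ok [server_ip] < output-of-"ip route"
# Prints "ok" when both /1 halves of the address space go via a tun device
# and, if server_ip is given, a host route to the server exists via a
# non-tun device (so the tunnel does not try to carry its own packets).
tunnel_routes_ok() {
    awk -v server="${1:-}" '
        {
            via_tun = 0
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) ~ /^tun/) via_tun = 1
            if ($1 == "0.0.0.0/1"   && via_tun) low = 1
            if ($1 == "128.0.0.0/1" && via_tun) high = 1
            if (server != "" && $1 == server && !via_tun) host_route = 1
        }
        END {
            if (low && high && (server == "" || host_route)) print "ok"
            else print "missing"
        }'
}

# Constructed "ip route" output of a laptop on a home LAN before the VPN is up.
ROUTES_BEFORE='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

# The same laptop after "openvpn --client": the default route is untouched,
# the two /1 routes cover everything via tun0, and 104.237.156.154 (the VPN
# server from the tutorial) is still reached through the LAN gateway.
ROUTES_AFTER="$ROUTES_BEFORE
0.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
104.237.156.154 via 192.168.1.1 dev eth0
128.0.0.0/1 via 10.8.0.1 dev tun0"

# On a real client: ip route | tunnel_routes_ok 104.237.156.154
printf '%s\n' "$ROUTES_BEFORE" | tunnel_routes_ok 104.237.156.154
printf '%s\n' "$ROUTES_AFTER"  | tunnel_routes_ok 104.237.156.154
```

If the /1 routes are present but `dig` still reports your home address, the problem is DNS rather than routing: the resolver configured on the client is being reached outside the tunnel, which is why the tutorial's `dig` check queries a specific server by address.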
FreeBSD OpenVPN client configuration
First, install the openvpn client, enter:
$ sudo pkg install openvpn
Next, copy macos-vpn-client.ovpn as follows:
$ mkdir -p /usr/local/etc/openvpn/
$ sudo cp macos-vpn-client.ovpn /usr/local/etc/openvpn/client.conf
Edit /etc/rc.conf and add the following:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/client.conf"
Start the OpenVPN service:
$ sudo /usr/local/etc/rc.d/openvpn start
Verify it:
$ ping 10.8.0.1 # Ping the OpenVPN server gateway
$ netstat -nr # Make sure routing is set up
$ drill myip.opendns.com @resolver1.opendns.com # Make sure your public IP is now the OpenVPN server's
https://www.cyberciti.biz/faq/install-configure-openvpn-server-on-debian-9-linux/