How To set up OpenVPN on Debian 10 Buster

Intro

Here's a how-to on setting up an OpenVPN server under Debian 10.

Network diagram

Server configuration

Installation

# Install OpenVPN; the commands below call the easyrsa script under /usr/share/easy-rsa.
root@host:~# apt install openvpn
# easyrsa is run from /etc/openvpn; server.conf later refers to the results under /etc/openvpn/pki/.
root@host:~# cd /etc/openvpn/
# (Re)initialise the PKI directory.
# NOTE(review): presumably this discards any keys already in pki/ - run it only on a fresh setup.
root@host:~# /usr/share/easy-rsa/easyrsa clean-all
root@host:~# /usr/share/easy-rsa/easyrsa init-pki

# Create the CA. "nopass" leaves the CA private key unencrypted on this host.
# NOTE(review): whoever can read that key can issue certificates this VPN will trust.
# For anything beyond a lab, give the CA key a passphrase and consider keeping the CA
# on a machine other than the internet-facing VPN server.
root@host:~# /usr/share/easy-rsa/easyrsa build-ca nopass
# Server certificate and key, named "server"; the key is also stored without a passphrase.
root@host:~# /usr/share/easy-rsa/easyrsa build-server-full server nopass
# Diffie-Hellman parameters (server.conf refers to pki/dh.pem).
root@host:~# /usr/share/easy-rsa/easyrsa gen-dh
# Password file read by the "askpass auth" line in server.conf.
# NOTE(review): the literal password ends up in the shell history, ">>" appends a new
# line on every re-run, and the file has default permissions until chmod runs. Prefer
# setting "umask 077" first and entering the secret without putting it on the command line.
# NOTE(review): the server key above was built with "nopass" - confirm this file is needed at all.
root@host:~# echo "MyPass" >> /etc/openvpn/auth; chmod 400 /etc/openvpn/auth
# First client certificate and key (client01), key unencrypted because of "nopass".
root@host:~# /usr/share/easy-rsa/easyrsa build-client-full client01 nopass

Create 10 client certificates at once

# seq -w zero-pads the counter, so this requests client01 ... client10.
# NOTE(review): client01 was already issued by the single-client command above; presumably
# easyrsa refuses to issue that name a second time - start the range at 2 if so.
# NOTE(review): "nopass" leaves all ten private keys unencrypted in the server's pki/ directory.
# Hand each key only to its owner, over a secure channel.
root@host:~# for i in $(seq -w 1 10);do /usr/share/easy-rsa/easyrsa build-client-full client"$i" nopass; done

Make OpenVPN start at boot

# Uncomment AUTOSTART="all" in /etc/default/openvpn.
# The substitution only applies if the line is present exactly as '#AUTOSTART="all"';
# check the result with: grep AUTOSTART /etc/default/openvpn
root@host:~# sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/' /etc/default/openvpn

/etc/openvpn/server.conf

# OpenVPN server: UDP/1194, routed (tun) mode, certificate authentication from the easy-rsa PKI.
port 1194
proto udp
dev tun

ca /etc/openvpn/pki/ca.crt # generated keys
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key # keep secret
dh /etc/openvpn/pki/dh.pem

server 10.50.8.0 255.255.255.0 # internal tun0 connection IP
ifconfig-pool-persist ipp.txt

keepalive 10 120

# NOTE(review): compression inside an encrypted tunnel can leak information about the
# plaintext (VORACLE-style compression oracle), and comp-lzo is deprecated in OpenVPN.
# If it is removed, remove it from the client configuration at the same time.
comp-lzo # Compression - must be turned on at both ends
persist-key
persist-tun

# Settings pushed to clients: DNS server, DNS domain, and a route to 192.168.1.0/24.
push "dhcp-option DNS 192.168.0.200"
push "dhcp-option DOMAIN domain.local"
push "route 192.168.1.0 255.255.255.0"

status /var/log/openvpn-status.log
# Reads the private-key password from the file "auth" (created in the installation step).
askpass auth #avoid "Please enter password with the systemd-tty-ask-password-agent" error

verb 3 # verbose mode

# NOTE(review): hardening directives that this configuration does not set:
#   - "user nobody" / "group nogroup": without them the daemon keeps root after start-up.
#   - "tls-crypt <keyfile>" (or "tls-auth"): without it the port answers TLS handshakes
#     from any source; the same key file must then be given to every client.
#   - "crl-verify <crl.pem>": without it a lost or stolen client key cannot be rejected
#     by the server after revocation.
#   - "cipher": the data-channel cipher is left to the version defaults - TODO confirm.

iptables

A simple netfilter rule to allow VPN clients to access the entire network:

# List the interfaces to find the name of the LAN-facing one (ens192 in this example).
root@host:~# ip addr sh
# Source-NAT traffic from the VPN pool 10.50.8.0/24 leaving through ens192.
# NOTE(review): this rule only rewrites addresses; it does not limit what clients can
# reach. To restrict VPN clients to specific hosts or ports, add filtering rules in the
# FORWARD chain.
# NOTE(review): a rule added with "iptables -A" is lost at reboot unless it is saved and
# restored by some persistence mechanism (none is shown on this page).
root@host:~# iptables -t nat -A POSTROUTING -s 10.50.8.0/24 -o ens192 -j MASQUERADE

Gateway mode

# Line to set in /etc/sysctl.conf (the file loaded by the command below): enables IPv4
# forwarding, so the host routes packets between the tunnel and the LAN.
net.ipv4.ip_forward = 1
# Apply the settings from /etc/sysctl.conf without rebooting.
root@host:~# sysctl -p /etc/sysctl.conf

Windows client configuration

# OpenVPN client profile; settings must match the server (UDP, tun, comp-lzo).
client

dev tun

proto udp

# Replace OPENVPN_IP with the server's public address or host name.
remote OPENVPN_IP 1194

resolv-retry infinite
nobind
persist-key
persist-tun

# Files expected next to this profile. client01.key was generated with "nopass", so it
# is unencrypted: copy it to the client over a secure channel and protect it on disk.
ca ca.crt
cert client01.crt
key client01.key
# NOTE(review): there is no "remote-cert-tls server" line, so the client accepts any
# certificate signed by this CA as the server, including another client's certificate.
# Adding "remote-cert-tls server" makes the client require a server-type certificate.

# Must stay in step with the server: drop it here only when the server drops it too.
comp-lzo

verb 3
Licence Creative Commons
This website http://shebangthedolphins.net is licensed to the public under a licence Creative Commons Attribution licence.