How To set up OpenVPN on Debian 11 Bullseye


Here's a how to about setting up a OpenVPN server under Debian 11 Bullseye.

Network diagram

OpenVPN windows client/debian server architecture
  • OpenVPN Server :
    • OS : Debian GNU/Linux 11 (Bullseye)
    • Role : OpenVPN Server + Gateway
    • IP :

Server (Debian)


  • Install openvpn package :
root@host:~# apt install openvpn
  • Go to /etc/openvpn/ directory :
root@host:~# cd /etc/openvpn/
  • Make OpenVPN start at boot
root@host:~# sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/' /etc/default/openvpn ; systemctl daemon-reload


  • Initialize the pki
root@host:~# /usr/share/easy-rsa/easyrsa clean-all
root@host:~# /usr/share/easy-rsa/easyrsa init-pki
  • Type yes to initialize :

You are about to remove the EASYRSA_PKI at: /etc/openvpn/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes
  • Build the certificate authority in /etc/openvpn/pki/ca.crt :
root@host:~# /usr/share/easy-rsa/easyrsa build-ca nopass
  • Don't mind about random number generator error :
Using SSL: openssl OpenSSL 1.1.1i  8 Dec 2020
Generating RSA private key, 2048 bit long modulus (2 primes)
e is 65537 (0x010001)
Can't load /etc/openvpn/pki/.rnd into RNG
140321173181760:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:openvpn-host

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:

Server certificates

  • Generate certificate and key for server :
root@host:~# /usr/share/easy-rsa/easyrsa build-server-full server nopass
  • Generate Diffie Hellman parameters in /etc/openvpn/pki/dh.pem
root@host:~# /usr/share/easy-rsa/easyrsa gen-dh

Client certificates

  • Create client01 certificate :

Client certificates are inside /etc/openvpn/pki/private/ and /etc/openvpn/pki/issued/ directories.

root@host:~# /usr/share/easy-rsa/easyrsa build-client-full client01 nopass
  • Create 10 clients certificates with one command :
root@host:~# for i in $(seq -w 1 10);do /usr/share/easy-rsa/easyrsa build-client-full client"$i" nopass; done


port 1194
proto udp
dev tun

ca /etc/openvpn/pki/ca.crt # generated keys
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key # keep secret
dh /etc/openvpn/pki/dh.pem

server # internal tun0 connection IP
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo # Compression - must be turned on at both end

push "dhcp-option DNS"
push "dhcp-option DOMAIN std.local"
push "route"

status /var/log/openvpn-status.log

verb 3 # verbose mode


  • Enable OpenVPN Server service :
root@host:~# systemctl enable openvpn-server@.service
  • Start OpenVPN Server service :
root@host:~# systemctl start openvpn@server.service

Router mode

Router mode will allow us to make the network reachable from the client side.


A simple netfilter rule to allow vpn clients to access to the entire network :

  • List network interfaces
root@host:~# ip addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 01:02:a0:21:fd:54 brd ff:ff:ff:ff:ff:ff
    inet OPENVPN_IP brd X.X.X.X scope global wan
       valid_lft forever preferred_lft forever
    inet6 fe80::ff:fe5d:f333/64 scope link 
       valid_lft forever preferred_lft forever
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 11:a2:a9:21:fd:54 brd ff:ff:ff:ff:ff:ff
    inet brd X.X.X.X scope global wan
       valid_lft forever preferred_lft forever
    inet6 fe80::6a05:caff:fe39:c153/64 scope link 
       valid_lft forever preferred_lft forever
  • Set iptables with correct network interface
root@host:~# iptables -t nat -A POSTROUTING -s -o enp2s0 -j MASQUERADE

Gateway mode

  • Edit /etc/sysctl.conf file and add :
  • And Run this command to take this into account :
root@host:~# sysctl -p /etc/sysctl.conf

Windows client configuration

  • Files to get :
    • ca.crt : /etc/openvpn/pki/ca.crt
    • client01.crt : /etc/openvpn/pki/issued/client01.crt
    • client01.key : /etc/openvpn/pki/private/client01.key
  • Client files :
openvpn files on a windows host
  • C:\Program Files\OpenVPN\config\TEST.ovpn

dev tun

proto udp

remote OPENVPN_IP 1194

resolv-retry infinite

ca ca.crt
cert client01.crt
key client01.key


verb 3
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :