Here's a how-to on setting up an OpenVPN server under Debian 10 Buster.
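# Install OpenVPN. The easyrsa commands below are called from /usr/share/easy-rsa;
# NOTE(review): confirm the easy-rsa package was installed alongside openvpn.
root@host:~# apt install openvpn
# Work from /etc/openvpn so that easyrsa creates its PKI in /etc/openvpn/pki,
# which is where the server configuration expects ca.crt, server.crt, server.key and dh.pem.
root@host:~# cd /etc/openvpn/
# Start from an empty PKI.
# NOTE(review): clean-all looks like an alias of init-pki in easy-rsa 3, and both
# discard an existing ./pki - do not re-run these on a server that has already
# issued certificates. Confirm against the installed easyrsa.
root@host:~# /usr/share/easy-rsa/easyrsa clean-all
root@host:~# /usr/share/easy-rsa/easyrsa init-pki
# Create the certificate authority. "nopass" leaves the CA private key unencrypted
# on this host: whoever can read it can issue certificates this VPN will accept.
# Drop "nopass" here, or keep the CA on a separate machine, where practical.
root@host:~# /usr/share/easy-rsa/easyrsa build-ca nopass
# Server certificate and key, named "server". The key is unencrypted ("nopass").
root@host:~# /usr/share/easy-rsa/easyrsa build-server-full server nopass
# Diffie-Hellman parameters (referenced as pki/dh.pem by the server configuration).
root@host:~# /usr/share/easy-rsa/easyrsa gen-dh
# Passphrase file read by the "askpass auth" directive of the server configuration.
# The file is created with mode 600 before the secret is written, so it is never
# world-readable, then made read-only. "MyPass" is a placeholder: use your own
# value, and remember that this command line ends up in root's shell history.
root@host:~# install -m 600 /dev/null /etc/openvpn/auth; echo "MyPass" >> /etc/openvpn/auth; chmod 400 /etc/openvpn/auth
# One client certificate/key pair. With "nopass" the client key is unencrypted,
# and this setup has no other authentication factor: possession of the key file
# is enough to connect. Omit "nopass" for keys that leave this host, hand them
# over through a secure channel, and revoke lost ones (easyrsa revoke / gen-crl,
# plus crl-verify on the server).
root@host:~# /usr/share/easy-rsa/easyrsa build-client-full client01 nopass
# Batch variant: seq -w 1 10 yields 01..10, i.e. client01 to client10.
# client01 is requested again here if the previous command was run;
# NOTE(review): easyrsa is expected to refuse to overwrite it - confirm.
root@host:~# for i in $(seq -w 1 10);do /usr/share/easy-rsa/easyrsa build-client-full client"$i" nopass; done
# Uncomment AUTOSTART="all" in /etc/default/openvpn.
root@host:~# sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/' /etc/default/openvpn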
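# OpenVPN server configuration, one directive per line.
# (Written on a single line, everything after the first "#" would be a comment.)
port 1194
proto udp
dev tun
# generated keys
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
# keep secret
key /etc/openvpn/pki/private/server.key
dh /etc/openvpn/pki/dh.pem
# internal tun0 connection IP
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# Compression - must be turned on at both ends.
# NOTE(review): comp-lzo is deprecated since OpenVPN 2.4, and compressing
# tunnel traffic can leak information about the plaintext through packet sizes
# (VORACLE). If it is removed, remove it from the server and every client
# configuration together, otherwise the two ends no longer agree.
comp-lzo
persist-key
persist-tun
# Settings pushed to clients: DNS server, DNS domain, and a route to the LAN.
push "dhcp-option DNS 192.168.0.200"
push "dhcp-option DOMAIN domain.local"
push "route 192.168.1.0 255.255.255.0"
status /var/log/openvpn-status.log
# avoid "Please enter password with the systemd-tty-ask-password-agent" error
# ("auth" is a relative path; presumably the /etc/openvpn/auth file created earlier - confirm)
askpass auth
# verbose mode
verb 3
# NOTE(review): hardening directives this configuration does not set:
#   tls-crypt (or tls-auth) with a shared static key, so unauthenticated packets
#     are dropped before the TLS handshake;
#   user / group, so the daemon drops root privileges after start-up;
#   crl-verify, so revoked client certificates are refused.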
A simple netfilter rule to allow VPN clients to access the entire network:
# List the interfaces and their addresses; presumably used to find the name of
# the outbound interface (ens192 in the rule below).
root@host:~# ip addr sh
# Source-NAT everything coming from the VPN pool 10.50.8.0/24 that leaves via ens192.
# This rule only translates addresses: it does not limit which hosts or ports
# VPN clients can reach. If clients should not see the whole network, restrict
# them with rules in the FORWARD chain.
# A rule added with "iptables -A" is lost at reboot unless it is saved
# (for example with the iptables-persistent package).
root@host:~# iptables -t nat -A POSTROUTING -s 10.50.8.0/24 -o ens192 -j MASQUERADE
# Setting that enables IPv4 forwarding; presumably to be placed in
# /etc/sysctl.conf, the file reloaded by the next command.
net.ipv4.ip_forward = 1
root@host:~# sysctl -p /etc/sysctl.conf
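# OpenVPN client profile for client01.
client
dev tun
proto udp
# OPENVPN_IP is a placeholder for the server's public address or host name.
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# ca.crt, client01.crt and client01.key are copies of the files generated on the
# server with easyrsa, placed next to this profile. The .key file is the client's
# only credential in this setup: transfer it over a secure channel and keep it
# readable by its owner only.
ca ca.crt
cert client01.crt
key client01.key
# Accept the peer only if its certificate is marked for TLS server use.
# Without this check, any holder of a client certificate issued by the same CA
# could pose as the VPN server.
remote-cert-tls server
# Must match the server: compression has to be enabled (or disabled) at both ends.
comp-lzo
verb 3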