How To set up OpenVPN on Debian 10 Buster


Here's a how-to on setting up an OpenVPN server on Debian 10 Buster.

Network diagram

Server configuration


# Install OpenVPN; the easyrsa script used below is called from /usr/share/easy-rsa.
root@host:~# apt install openvpn
root@host:~# cd /etc/openvpn/
# easyrsa works on ./pki in the current directory, i.e. /etc/openvpn/pki,
# which is where the server configuration expects the CA, certificate and key.
root@host:~# /usr/share/easy-rsa/easyrsa clean-all
root@host:~# /usr/share/easy-rsa/easyrsa init-pki

# "nopass" writes the CA private key (pki/private/ca.key) unencrypted on the
# VPN server itself. Whoever can read that file can issue certificates this
# server accepts; omit "nopass" here, or keep the CA on a separate host, to
# limit that exposure.
root@host:~# /usr/share/easy-rsa/easyrsa build-ca nopass
# The server key is left unencrypted so the daemon can start unattended; it is
# then protected only by file permissions on pki/private/.
root@host:~# /usr/share/easy-rsa/easyrsa build-server-full server nopass
root@host:~# /usr/share/easy-rsa/easyrsa gen-dh
# File read by the "askpass auth" directive in the server configuration.
# As written, the file exists with the shell's default umask until chmod runs,
# ">>" appends if the file already exists, and the literal passphrase is kept
# in the shell history. Running "umask 077" first and reading the value with
# "read -rs" instead of typing it inline avoids all three.
# NOTE(review): server.key was built with "nopass" above, so there may be no
# passphrase for this file to supply - confirm it is needed at all.
root@host:~# echo "MyPass" >> /etc/openvpn/auth; chmod 400 /etc/openvpn/auth
# Client key is also unencrypted: possession of client01.key and client01.crt
# is the only credential the configurations on this page ask for, so transfer
# them over a secure channel.
root@host:~# /usr/share/easy-rsa/easyrsa build-client-full client01 nopass

Create 10 client certificates with one command

# "seq -w 1 10" yields zero-padded 01..10, so the loop builds client01..client10,
# each with an unencrypted ("nopass") private key.
# NOTE(review): client01 is already created by the single build-client-full
# step earlier on the page, so the first iteration is expected to be refused by
# easyrsa (it does not overwrite an existing request/key) - run only one of the
# two, or start the sequence at 2.
root@host:~# for i in $(seq -w 1 10);do /usr/share/easy-rsa/easyrsa build-client-full client"$i" nopass; done

Make OpenVPN start at boot

# Uncomment AUTOSTART="all" in /etc/default/openvpn, in place. The substitution
# only matches the exact commented line; if the file differs, nothing changes
# and sed still exits 0, so check the result with: grep AUTOSTART /etc/default/openvpn
# On systemd hosts a "systemctl daemon-reload" is needed before the change is picked up.
root@host:~# sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/' /etc/default/openvpn


# OpenVPN server configuration.
# NOTE(review): the file name is not shown on the page; presumably a *.conf
# file under /etc/openvpn/ (e.g. server.conf) - confirm.
# Not set anywhere in this file, and worth adding before exposing the port:
#   - user / group        : drop root privileges after start-up
#   - tls-crypt (or tls-auth) : shared key that lets the server discard
#                           unauthenticated control packets early
#   - crl-verify          : without it, a revoked client certificate is
#                           still accepted
port 1194
proto udp
dev tun

ca /etc/openvpn/pki/ca.crt # generated keys
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key # keep secret
dh /etc/openvpn/pki/dh.pem

# NOTE(review): "server" takes a network and a netmask
# (server <VPN_NETWORK> <NETMASK>); both values are missing from this page.
server # internal tun0 connection IP
ifconfig-pool-persist ipp.txt

keepalive 10 120

# comp-lzo is deprecated in OpenVPN 2.4 and later. Compressing traffic before
# encryption can leak information about the plaintext through packet sizes
# (VORACLE); leave compression off on both ends unless a legacy peer needs it.
comp-lzo # Compression - must be turned on at both end

# NOTE(review): the DNS server address and the route network/netmask are
# missing from the two push lines below (push "dhcp-option DNS <DNS_IP>",
# push "route <LAN_NETWORK> <NETMASK>").
push "dhcp-option DNS"
push "dhcp-option DOMAIN domain.local"
push "route"

status /var/log/openvpn-status.log
# "auth" is a relative path to the passphrase file created during the PKI
# steps; it is resolved against the daemon's working directory.
askpass auth #avoid "Please enter password with the systemd-tty-ask-password-agent" error

verb 3 # verbose mode


A simple netfilter rule to allow VPN clients to access the entire network:

# List the interfaces to find the outgoing one; ens192 below is this host's
# interface name (presumably the LAN side) and will differ on other machines.
root@host:~# ip addr sh
# NOTE(review): the value after -s is missing from this page; it should be the
# VPN client network (-s <VPN_NETWORK>/<PREFIX>) so that only VPN traffic is
# masqueraded. The rule is not persistent across reboots on its own, and the
# page adds no FORWARD-chain filtering: every VPN client can reach every host
# the server can route to. Add FORWARD rules if clients need only some services.
root@host:~# iptables -t nat -A POSTROUTING -s -o ens192 -j MASQUERADE

Gateway mode

# Line to set in /etc/sysctl.conf: enables IPv4 forwarding between interfaces
# (needed for the VPN host to route client traffic).
net.ipv4.ip_forward = 1
# Re-read /etc/sysctl.conf so the setting applies without a reboot.
root@host:~# sysctl -p /etc/sysctl.conf

Windows client configuration


# OpenVPN client configuration (Windows), using the client01 certificate pair.
# NOTE(review): no "client" directive appears here (it may have been lost from
# the page); without it the profile does not pull the routes and DNS options
# the server pushes.
# NOTE(review): add "remote-cert-tls server" so the client only accepts a
# certificate issued for server use; otherwise any certificate signed by this
# CA, including another client's, passes the server check.
dev tun

proto udp

# OPENVPN_IP is a placeholder for the server's public address or host name.
remote OPENVPN_IP 1194

resolv-retry infinite

# ca.crt, client01.crt and client01.key must be copied from the server's pki/
# directory; client01.key is unencrypted, so move it over a secure channel.
ca ca.crt
cert client01.crt
key client01.key

# NOTE(review): the server configuration enables comp-lzo and states it must be
# on at both ends, but it is absent here - keep the two sides consistent
# (preferably with compression off on both).

verb 3
