How To set up OpenVPN on Debian 10 Buster

Intro

Here's a how to about setting up a OpenVPN server under Debian 10 Buster.

Network diagram

• OpenVPN Server :
  • OS : Debian GNU/Linux 10 (Buster)
  • Role : OpenVPN Server + Gateway
  • IP : 192.168.0.254

Server configuration

Installation

root@host:~# apt install openvpn

root@host:~# cd /etc/openvpn/

• Initialize the pki

root@host:~# /usr/share/easy-rsa/easyrsa clean-all

root@host:~# /usr/share/easy-rsa/easyrsa init-pki

• Build the certificate authority in /etc/openvpn/pki/ca.crt

root@host:~# /usr/share/easy-rsa/easyrsa build-ca nopass

• Generate certificate and key for server

root@host:~# /usr/share/easy-rsa/easyrsa build-server-full server nopass

• Generate Diffie Hellman parameters in /etc/openvpn/pki/dh.pem

root@host:~# /usr/share/easy-rsa/easyrsa gen-dh

• To avoid "Please enter password with the systemd-tty-ask-password-agent" message, add password certificate previously set into /etc/openvpn/auth

root@host:~# echo "MyPass" >> /etc/openvpn/auth; chmod 400 /etc/openvpn/auth

• create client01 certificates

root@host:~# /usr/share/easy-rsa/easyrsa build-client-full client01 nopass

Create 10 clients certificates with one command

root@host:~# for i in $(seq -w 1 10);do /usr/share/easy-rsa/easyrsa build-client-full client"$i" nopass; done

Make OpenVPN start at boot

root@host:~# sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/' /etc/default/openvpn

/etc/openvpn/server.conf

port 1194
proto udp
dev tun

ca /etc/openvpn/pki/ca.crt # generated keys
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key # keep secret
dh /etc/openvpn/pki/dh.pem

server 10.50.8.0 255.255.255.0 # internal tun0 connection IP
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo # Compression - must be turned on at both end
persist-key
persist-tun

push "dhcp-option DNS 192.168.0.200"
push "dhcp-option DOMAIN domain.local"
push "route 192.168.1.0 255.255.255.0"

status /var/log/openvpn-status.log
askpass auth #avoid "Please enter password with the systemd-tty-ask-password-agent" error

verb 3 # verbose mode

iptables

A simple netfilter rule to allow vpn clients to access to the entire network :

• List network interfaces

root@host:~# ip addr sh

• Set iptables with correct network interface

root@host:~# iptables -t nat -A POSTROUTING -s 10.50.8.0/24 -o ens192 -j MASQUERADE

Gateway mode

• /etc/sysctl.conf

net.ipv4.ip_forward = 1

• Run

root@host:~# sysctl -p /etc/sysctl.conf

Windows client configuration

• Client files

• C:\Program Files\OpenVPN\config\TEST.ovpn

client

dev tun

proto udp

remote OPENVPN_IP 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client01.crt
key client01.key

comp-lzo

verb 3

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :