Install and setup OpenVPN on Debian
OpenVPN allows you to create Virtual Private Networks protected by OpenSSL-based TLS encryption. It is a good alternative to PPTP (Microsoft) or IPsec. Available on many operating systems (Microsoft Windows, GNU/Linux, Apple Mac OS X, ...), it is a simple way to create a VPN between heterogeneous computers.
This howto is tested on:
- Debian 6.0 Squeeze
- Debian 7.0 Wheezy
Prerequisites
This how-to recommends:
- the Bind DNS server, as described in Setup a Bind DNS server on Debian.
- the backport of the openvpn package in version 2.3.2 (and of iproute and iproute2) from Debian Testing, as described in Backport a Debian package from testing to stable (it fixes the problems between a 2.3.2 client and a 2.2 server).
Installation
Install the software:
command apt-get install openvpn openssl module-init-tools zip dos2unix git
Load the tun kernel module:
command modprobe tun
Load the module at system startup:
if [ -z "$(command grep '^tun$' '/etc/modules')" ]; then
command echo '# Needed by OpenVPN
tun' >> '/etc/modules'
fi
If needed, create the associated device file:
if [ ! -e '/dev/net/tun' ]; then
command mkdir --parent '/dev/net'
command mknod '/dev/net/tun' c 10 200
fi
Install Easy-RSA v3:
command git clone 'https://github.com/OpenVPN/easy-rsa' '/etc/openvpn/easy-rsa'
Install openvpn-tools (note that '--no-check-certificate' disables TLS certificate verification, so this download is not protected against tampering in transit; drop the option if your wget trusts the GitHub certificate chain, and review the script before running it):
command wget 'https://raw.github.com/biapy/howto.biapy.com/master/openvpn/openvpn-tools' \
--quiet --no-check-certificate --output-document='/usr/local/bin/openvpn-tools'
command chmod +x '/usr/local/bin/openvpn-tools'
If needed, install the 'update-resolv-conf' script (again downloaded with certificate verification disabled by '--no-check-certificate', so review the file before using it):
if [ ! -e '/etc/openvpn/update-resolv-conf' ]; then
command wget 'https://raw.github.com/biapy/howto.biapy.com/master/openvpn/update-resolv-conf' \
--quiet --no-check-certificate --output-document='/etc/openvpn/update-resolv-conf'
command chmod +x '/etc/openvpn/update-resolv-conf'
fi
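Both downloads above run wget with '--no-check-certificate', so nothing guards against a tampered copy of the scripts. The following helper is an added example, not part of this howto or of openvpn-tools: it keeps wget's certificate check on and installs a file only when its SHA-256 digest equals a value you recorded after reviewing that file. The digest and the destination path are operator-supplied assumptions (the page gives none); demo_verify() works on constructed data.

```shell
#!/bin/sh
# Added example, not part of the howto or of openvpn-tools: fetch a helper
# script with TLS verification left on, and install it only when its
# SHA-256 digest equals the value recorded after reviewing the file.
# The digest is operator-supplied (the page gives none); demo_verify()
# uses constructed data.

# sha256_of FILE: print the hex digest with whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 FILE EXPECTED: exit 0 only when the digests are equal.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_verified URL DEST EXPECTED_SHA256 [MODE]
# Download to a temporary file next to DEST, so a failed or tampered copy
# never replaces the installed one; no --no-check-certificate, so wget
# rejects an untrusted certificate chain.
fetch_verified() {
    url="$1"; dest="$2"; expected="$3"; mode="${4:-0755}"
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if ! wget --quiet --output-document="$tmp" "$url"; then
        rm -f "$tmp"; echo "download failed: $url" >&2; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"; echo "checksum mismatch, not installing $dest" >&2; return 1
    fi
    chmod "$mode" "$tmp" && mv "$tmp" "$dest"
}

# demo_verify: the gate on a constructed file ("hello" plus newline), whose
# SHA-256 is known; prints "match" or "mismatch".
demo_verify() {
    f=$(mktemp)
    printf 'hello\n' > "$f"
    if verify_sha256 "$f" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
        echo "match"
    else
        echo "mismatch"
    fi
    rm -f "$f"
}
demo_verify
```

On the server, the two wget lines become calls such as fetch_verified 'https://raw.github.com/biapy/howto.biapy.com/master/openvpn/openvpn-tools' '/usr/local/bin/openvpn-tools' '<digest you recorded>'; the digest has to come from a copy you inspected yourself, since neither the page nor the repository publishes one.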
Initialize the SSL certificate defaults:
command openvpn-tools initialize
Set up log rotation (the 'postrotate' script below restarts OpenVPN, which drops every client tunnel once a day; if that is not acceptable, replace the postrotate/endscript stanza with the 'copytruncate' directive, which rotates the file in place and leaves the daemon running):
echo "/var/log/openvpn/*.log {
daily
missingok
rotate 10
compress
delaycompress
notifempty
create 600 root root
postrotate
/etc/init.d/openvpn restart > /dev/null
endscript
}" > "/etc/logrotate.d/openvpn"
Administration
VPN network creation
Create a VPN instance:
command openvpn-tools --create="domain.vpn"
where:
- domain.vpn is the VPN instance name / local network domain name.
By default, the server listens on UDP port 1194. If this port is not available, another port is chosen randomly.
VPN network removal
Remove a VPN server:
command openvpn-tools --destroy="domain.vpn"
Client addition
Add a client to the VPN network:
command openvpn-tools --domain="domain.vpn" --add="client-alias"
Clients are created with a fixed IP address.
The tool creates archives containing client configurations for Unix (Ubuntu, Mac OS X, etc.), iPhone and Microsoft Windows. To set up the client, simply copy the archive to the client operating system and decompress it to a suitable location.
The archive also contains a hosts.txt file whose content can be appended as-is to the client system's hosts file.
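Appending hosts.txt as-is a second time (after a client has been removed and re-created, for instance) leaves duplicate and stale entries in the hosts file. The following script is an added example, not part of this howto or of openvpn-tools: it merges hosts.txt idempotently, dropping the block written by a previous run and any other line that already defines one of the VPN names. It assumes the standard "IP name [alias ...]" hosts layout; the data in demo() is constructed.

```shell
#!/bin/sh
# Added example, not part of the original howto or of openvpn-tools: merge
# the hosts.txt shipped in a client archive into the client's hosts file so
# that re-importing a regenerated archive never leaves duplicate or stale
# entries.  Assumption: hosts.txt uses the usual "IP name [alias ...]"
# layout.  The sample data in demo() is constructed.

# merge_hosts HOSTS_TXT TARGET
# 1. drop the block written by a previous run (between the marker lines),
# 2. drop any other TARGET line that already defines one of the VPN names,
# 3. append the VPN entries inside a fresh marker block.
merge_hosts() {
    src="$1"; dst="$2"; tmp="$dst.tmp.$$"
    names=$(awk '!/^[ \t]*#/ && NF >= 2 { for (i = 2; i <= NF; i++) print $i }' "$src")
    awk -v list="$names" '
        BEGIN { n = split(list, a, /[ \t\n]+/); for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1 }
        /^# BEGIN vpn hosts/ { skip = 1; next }
        /^# END vpn hosts/   { skip = 0; next }
        skip                 { next }
        /^[ \t]*#/ || NF < 2 { print; next }
        { for (i = 2; i <= NF; i++) if ($i in seen) next; print }
    ' "$dst" > "$tmp"
    {
        echo "# BEGIN vpn hosts"
        awk '!/^[ \t]*#/ && NF >= 2' "$src"
        echo "# END vpn hosts"
    } >> "$tmp"
    mv "$tmp" "$dst"
}

# demo: constructed hosts.txt and hosts file; the second merge must be a
# no-op, and the stale "laptop.domain.vpn" line must be replaced, not kept.
demo() {
    d=$(mktemp -d)
    printf '10.8.0.1 server.domain.vpn\n10.8.0.6 laptop.domain.vpn laptop\n' > "$d/hosts.txt"
    printf '127.0.0.1 localhost\n10.8.0.6 laptop.domain.vpn\n192.168.1.10 nas\n' > "$d/hosts"
    merge_hosts "$d/hosts.txt" "$d/hosts"
    merge_hosts "$d/hosts.txt" "$d/hosts"
    cat "$d/hosts"
    rm -r "$d"
}
demo
```

On a real client, call merge_hosts with the extracted hosts.txt and /etc/hosts (or the Windows hosts file) as root; the marker lines make the VPN block easy to find and remove later.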
Client removal
Remove access to the VPN network for a client:
command openvpn-tools --domain="domain.vpn" --remove="client-alias"
Other options
Communication between clients
Enable the direct communication between VPN network clients:
command openvpn-tools --domain="domain.vpn" --c2c='y'
Access to VPN server local network
Enable client access to the server's local network:
command openvpn-tools --domain="domain.vpn" --nat='y'
Internet access through VPN network
Force all of the clients' Internet traffic through the VPN (the VPN server becomes their default gateway):
command openvpn-tools --domain="domain.vpn" --gateway='y'
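To check what these options actually changed rather than trusting the tool, the following script (an added example, not part of this howto or of openvpn-tools) reads an OpenVPN server configuration and reports the listening endpoint, the VPN subnet, and whether client-to-client, a pushed redirect-gateway, a client-config-dir (fixed client addresses) and tls-auth are set, plus the kernel's IPv4 forwarding flag that --nat relies on. The path /etc/openvpn/<domain>.conf and the mapping of --c2c and --gateway to those directives are assumptions; the configuration written by demo_conf() is constructed.

```shell
#!/bin/sh
# Added example (not part of the howto or of openvpn-tools): report what an
# OpenVPN server configuration really enables.  Assumptions not stated by
# the page: the instance config lives at /etc/openvpn/<domain>.conf,
# --c2c maps to "client-to-client", --gateway to 'push "redirect-gateway"'
# and --nat additionally needs net.ipv4.ip_forward=1.  demo_conf() writes a
# constructed sample configuration.

# directives CONF: the config without comment lines, trailing comments
# and blank lines, one directive per line.
directives() {
    sed -e '/^[[:space:]]*[#;]/d' -e 's/[[:space:]]*#.*$//' \
        -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# has_directive CONF REGEX: exit 0 when a directive matching REGEX exists.
has_directive() {
    directives "$1" | grep -Eq "$2"
}

# flag CONF NAME REGEX: print NAME=yes or NAME=no.
flag() {
    if has_directive "$1" "$3"; then echo "$2=yes"; else echo "$2=no"; fi
}

# listen_endpoint CONF: print "proto port".  OpenVPN defaults to udp and
# 1194 when the directives are absent; the port matters because the tool
# picks a random one when 1194 is already taken.
listen_endpoint() {
    proto=$(directives "$1" | awk '$1 == "proto" { print $2 }' | tail -n 1)
    port=$(directives "$1" | awk '$1 == "port" { print $2 }' | tail -n 1)
    echo "${proto:-udp} ${port:-1194}"
}

# audit CONF: one "key=value" line per check.
audit() {
    conf="$1"
    set -- $(listen_endpoint "$conf")
    echo "listen=$1/$2"
    echo "subnet=$(directives "$conf" | awk '$1 == "server" { print $2 "/" $3 }')"
    flag "$conf" c2c      '^client-to-client$'
    flag "$conf" gateway  '^push[[:space:]]+"?redirect-gateway'
    flag "$conf" fixed-ip '^client-config-dir[[:space:]]'
    flag "$conf" tls-auth '^tls-auth[[:space:]]'
    # --nat only works when the kernel forwards packets between interfaces.
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
    fi
}

# demo_conf: write a constructed sample configuration and print its path.
demo_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a file generated by openvpn-tools
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/domain.vpn/ccd   # fixed client addresses
client-to-client
push "redirect-gateway def1 bypass-dhcp"
tls-auth /etc/openvpn/domain.vpn/ta.key 0
EOF
    echo "$f"
}

# demo_audit: audit the sample configuration, then remove it.
demo_audit() {
    f=$(demo_conf)
    audit "$f"
    rm -f "$f"
}
demo_audit
```

On the server, run audit '/etc/openvpn/domain.vpn.conf' after each openvpn-tools call; a "gateway=yes" line with "ip_forward=0" means clients will lose Internet access because the server is not forwarding their traffic.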
Setup a DNS server for the VPN network
This setup is experimental. It can cause trouble on Unix clients.
Enable the DNS resolution of the VPN network clients' host names with the Bind DNS server:
command openvpn-tools --domain="domain.vpn" --bind='y'
Disable the DNS resolution for the VPN network:
command openvpn-tools --domain="domain.vpn" --bind='n'
If you encounter Internet domain name resolution problems on VPN clients, follow the "Redirections" section of the howto Setup a Bind DNS server on Debian.
Clients setup
Windows
The Microsoft Windows client software is available in OpenVPN official homepage downloads.
To install OpenVPN on Windows for a user without administration rights, you may need to run the installer with the command "runas /user:admin_account". The "/savecred" option of this command lets the user run it as admin_account without being given the password. Be aware that /savecred stores the credentials on the machine: any later "runas /savecred /user:admin_account" by that user starts an arbitrary program as admin_account with no password prompt, so only use it on a computer you control and delete the saved credential from the Windows Credential Manager afterwards.
Mac OS X
OpenVPN needs the Tun Tap software (virtual network interfaces for Mac OS X) to work.
If the command line is a problem for you, try the Tunnelblick OpenVPN graphical user interface.
iPhone
The "OpenVPN Connect" client is available on the App Store. Copy the configuration files (extracted from the corresponding archive) to the iPhone with iTunes.
Thanks
- Thanks to OpenVPN developers.
- Thanks to Charles Duffy for the script client.up.
- Thanks to Felix Knecht for his help.
- Thanks to Alex Nogard (en / fr) for Install OpenVPN on Raspberry PI (Debian Wheezy) (en).
- Thanks to Cabusar (fr) for Openvpn, route et nat (fr).