Installing OpenVPN v2.3+ on Debian

Version 3

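# Base name of the server certificate/key files generated further down.
KEYSERVERNAME=mykeyserver

apt-get update
# --force-yes is left out on purpose: it lets apt install packages that fail
# signature verification. Plain -y still answers the prompts non-interactively.
apt-get -y install openvpn udev
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0

vim vars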
*change export KEY_SIZE=1024 to export KEY_SIZE=2048*

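# Make every easy-rsa script that is run below executable (build-ca is kept
# from the original list even though pkitool --initca is used here instead).
chmod u+x vars clean-all build-ca build-dh pkitool

# vars must be sourced so its exports (KEY_SIZE and friends) reach the scripts.
source ./vars
./clean-all                           # start from an empty keys/ directory
./build-dh                            # DH parameters -> keys/dh2048.pem with KEY_SIZE=2048
./pkitool --initca                    # CA pair -> keys/ca.crt and keys/ca.key
./pkitool --server "$KEYSERVERNAME"   # server pair -> keys/$KEYSERVERNAME.{crt,key}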

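# Install only what the OpenVPN server reads: the CA certificate, the DH
# parameters and the server's own certificate and private key.
# ca.key is deliberately NOT copied: it is only needed to sign certificates,
# so it stays out of the server's config directory (ideally it is kept off
# the VPN host altogether).
cp keys/ca.crt /etc/openvpn
cp keys/dh2048.pem /etc/openvpn
cp "keys/$KEYSERVERNAME.crt" /etc/openvpn
cp "keys/$KEYSERVERNAME.key" /etc/openvpn
# Do not rely on the source file's mode for the server's private key.
chmod 600 "/etc/openvpn/$KEYSERVERNAME.key"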

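# Decompress straight into /etc/openvpn: the packaged sample stays untouched
# and the step can be repeated (gunzip -d in place removes the .gz).
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
vim /etc/openvpn/server.conf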
*update the filenames for crt and key*
*change dh dh1024.pem to dh dh2048.pem*

# Restart OpenVPN so it picks up the edited /etc/openvpn/server.conf.
/etc/init.d/openvpn restart

*for every client you want to add, create a key/cert*

# Run from the easy-rsa directory that holds keys/ (including keys/ca.key,
# which signs the new client certificate).
source ./vars
# NOTE(review): this assignment only reaches pkitool if vars already exported
# KEY_CN; pkitool is also given the name as its argument below — confirm which
# of the two it actually uses.
KEY_CN=client1
# Creates the key and certificate for the client named client1.
./pkitool client1

Version 1

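# Base name of the server certificate/key files generated further down.
KEYSERVERNAME=mykeyserver

apt-get update
# --force-yes is left out on purpose: it lets apt install packages that fail
# signature verification. Plain -y still answers the prompts non-interactively.
apt-get -y install openvpn udev easy-rsa
mkdir -p /etc/openvpn/easy-rsa/2.0
# Copy the directory's contents (the trailing /. includes dotfiles) directly
# into place instead of copying the directory and moving its files up a level.
cp -r /usr/share/easy-rsa/. /etc/openvpn/easy-rsa/2.0
cd /etc/openvpn/easy-rsa/2.0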
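chmod u+x vars clean-all build-ca

# vars has to be sourced, not executed: run as ./vars it sets its variables in
# a child process only, and the ./clean-all that followed it had no
# environment to work with. That un-sourced pair is dropped.
source ./vars
./clean-all                               # start from an empty keys/ directory
./build-ca                                # CA pair -> keys/ca.crt and keys/ca.key

./build-key-server "$KEYSERVERNAME"       # server certificate and private key

./build-dh                                # DH parameters
./build-key client                        # client certificate and private key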

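# Install only what the OpenVPN server reads: the CA certificate, the DH
# parameters and the server's own certificate and private key.
# ca.key is deliberately NOT copied: it is only needed to sign certificates,
# so it is not duplicated into the server's config directory (ideally it is
# kept off the VPN host altogether).
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn
cp /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem /etc/openvpn
cp "/etc/openvpn/easy-rsa/2.0/keys/$KEYSERVERNAME.crt" /etc/openvpn
cp "/etc/openvpn/easy-rsa/2.0/keys/$KEYSERVERNAME.key" /etc/openvpn
# Do not rely on the source file's mode for the server's private key.
chmod 600 "/etc/openvpn/$KEYSERVERNAME.key"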

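# Decompress straight into /etc/openvpn: the packaged sample stays untouched
# and the step can be repeated (gunzip -d in place removes the .gz).
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
vim /etc/openvpn/server.conf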
*update the filenames for crt and key*

# Restart OpenVPN so it picks up the edited /etc/openvpn/server.conf.
/etc/init.d/openvpn restart

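# Client bundle: config, CA certificate, client certificate and private key.
mkdir -p ~/vpnclient
chmod 700 ~/vpnclient                      # the directory holds a private key
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/vpnclient/client.ovpn
# ca.crt was missing from this bundle: the client needs the CA certificate to
# verify the server it connects to.
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt ~/vpnclient
cp /etc/openvpn/easy-rsa/2.0/keys/client.crt ~/vpnclient
cp /etc/openvpn/easy-rsa/2.0/keys/client.key ~/vpnclient
chmod 600 ~/vpnclient/client.key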

Version 2

Uses a different directory, for when easy-rsa comes bundled with OpenVPN, and doesn’t try to install it separately. Also sets a 2048-bit pem, because the default seems to be 1024.

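# Base name of the server certificate/key files generated further down.
KEYSERVERNAME=mykeyserver

apt-get update
# --force-yes is left out on purpose: it lets apt install packages that fail
# signature verification. Plain -y still answers the prompts non-interactively.
apt-get -y install openvpn udev
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0

vim vars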
*change export KEY_SIZE=1024 to export KEY_SIZE=2048*

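chmod u+x vars clean-all build-ca

# vars has to be sourced, not executed: run as ./vars it sets its variables in
# a child process only, and the ./clean-all that followed it had no
# environment to work with. That un-sourced pair is dropped.
source ./vars
./clean-all                               # start from an empty keys/ directory
./build-ca                                # CA pair -> keys/ca.crt and keys/ca.key

./build-key-server "$KEYSERVERNAME"       # server certificate and private key

./build-dh                                # DH parameters -> keys/dh2048.pem with KEY_SIZE=2048
./build-key client                        # client certificate and private key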

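# Install only what the OpenVPN server reads: the CA certificate, the DH
# parameters and the server's own certificate and private key.
# ca.key is deliberately NOT copied: it is only needed to sign certificates,
# so it stays out of the server's config directory (ideally it is kept off
# the VPN host altogether).
cp keys/ca.crt /etc/openvpn
cp keys/dh2048.pem /etc/openvpn
cp "keys/$KEYSERVERNAME.crt" /etc/openvpn
cp "keys/$KEYSERVERNAME.key" /etc/openvpn
# Do not rely on the source file's mode for the server's private key.
chmod 600 "/etc/openvpn/$KEYSERVERNAME.key"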

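# Decompress straight into /etc/openvpn: the packaged sample stays untouched
# and the step can be repeated (gunzip -d in place removes the .gz).
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
vim /etc/openvpn/server.conf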
*update the filenames for crt and key*
*change dh dh1024.pem to dh dh2048.pem*

# Restart OpenVPN so it picks up the edited /etc/openvpn/server.conf.
/etc/init.d/openvpn restart

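# Client bundle: config, CA certificate, client certificate and private key.
mkdir -p ~/vpnclient
chmod 700 ~/vpnclient                      # the directory holds a private key
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/vpnclient/client.ovpn
cp keys/ca.crt ~/vpnclient
cp keys/client.crt ~/vpnclient
cp keys/client.key ~/vpnclient
# Set the key's mode explicitly instead of relying on the source file's mode.
chmod 600 ~/vpnclient/client.key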

If you want to use the internet through the VPN, make the following adjustments:


vim /etc/openvpn/server.conf
*uncomment push "redirect-gateway def1 bypass-dhcp"*
*add push "dhcp-option DNS 8.8.8.8"*

vim /etc/sysctl.conf
*uncomment net.ipv4.ip_forward=1*
# Reload /etc/sysctl.conf so the ip_forward change applies without a reboot.
sysctl -p

*run this, and also run it on server boot*
# Source-NAT traffic coming from the VPN address range to the server's public
# address; replace PUBLIC_SERVER_IP_HERE with that address.
# A rule added with -A lives only in the running kernel, which is why it has
# to be re-applied on boot.
# NOTE(review): -s 10.8.0.0/16 looks wider than the VPN pool the sample
# server.conf usually defines (10.8.0.0/24), and no outgoing interface (-o) is
# given — confirm against the `server` line and narrow the match if possible.
iptables -t nat -A POSTROUTING -j SNAT -s 10.8.0.0/16 --to-source PUBLIC_SERVER_IP_HERE
