How To Install and Configure an OpenVPN Server on Debian 9 In 5 Minutes
I
am a new Debian Linux version 9 server user. How do I setup an OpenVPN Server on Debian Linux version 9.x or 8.x server to shield my browsing activity from bad guys on public Wi-Fi, and more?
OpenVPN is a free and open source VPN (virtual private network) software for Linux and Unix-like systems. It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. A VPN allows you to connect securely to an insecure public network such as wifi network at the airport or hotel. VPN is also required to access your corporate or enterprise or home server resources. You can bypass geo-blocked site and increase your privacy or safety online.
This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Debian Linux v8.x/9.x including ufw/iptables firewall configuration.
The steps are as follows:
Find and note down your public IP address
Download openvpn-install.sh script
Run openvpn-install.sh to install OpenVPN server
Connect an OpenVPN server using IOS/Android/Linux/Windows client
Verify your connectivity
Step 1 – Find your public IP address
Use any one of the following command to find out your IPv4 public address. If your internface name is eth0 or eth1, enter:
$ ip addr show eth0
OR
$ ip addr show eth1
Or use the host command or dig command as follows:
$ host myip.opendns.com resolver1.opendns.com
OR
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
Sample outputs:
Note down the public IP address 104.237.156.154 i.e. public ip address of your OpenVPN server.
Step 2 – Update your system and install ufw
Type the apt-get command/apt command to update your system:
$ sudo apt-get update
$ sudo apt-get upgrade
Sample outputs:
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
The following packages will be upgraded:
libc-bin libc-l10n libc6 libexpat1 linux-image-4.9.0-3-amd64 locales
multiarch-support
7 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 46.6 MB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://security.debian.org/debian-security stretch/updates/main amd64 libc6 amd64 2.24-11+deb9u1 [2,695 kB]
Get:2 http://security.debian.org/debian-security stretch/updates/main amd64 libc-bin amd64 2.24-11+deb9u1 [778 kB]
Get:3 http://security.debian.org/debian-security stretch/updates/main amd64 multiarch-support amd64 2.24-11+deb9u1 [200 kB]
Get:4 http://security.debian.org/debian-security stretch/updates/main amd64 libc-l10n all 2.24-11+deb9u1 [820 kB]
Get:5 http://security.debian.org/debian-security stretch/updates/main amd64 locales all 2.24-11+deb9u1 [3,290 kB]
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 libexpat1 amd64 2.2.0-2+deb9u1 [83.4 kB]
Get:7 http://security-cdn.debian.org stretch/updates/main amd64 linux-image-4.9.0-3-amd64 amd64 4.9.30-2+deb9u2 [38.7 MB]
Fetched 46.6 MB in 2s (15.5 MB/s)
Reading changelogs… Done
Preconfiguring packages …
(Reading database … 28439 files and directories currently installed.)
Preparing to unpack …/libc6_2.24-11+deb9u1_amd64.deb …
Unpacking libc6:amd64 (2.24-11+deb9u1) over (2.24-11) …
Setting up libc6:amd64 (2.24-11+deb9u1) …
(Reading database … 28439 files and directories currently installed.)
Preparing to unpack …/libc-bin_2.24-11+deb9u1_amd64.deb …
Unpacking libc-bin (2.24-11+deb9u1) over (2.24-11) …
Setting up libc-bin (2.24-11+deb9u1) …
Updating /etc/nsswitch.conf to current default.
(Reading database … 28439 files and directories currently installed.)
Preparing to unpack …/multiarch-support_2.24-11+deb9u1_amd64.deb …
Unpacking multiarch-support (2.24-11+deb9u1) over (2.24-11) …
Setting up multiarch-support (2.24-11+deb9u1) …
(Reading database … 28439 files and directories currently installed.)
Preparing to unpack …/libc-l10n_2.24-11+deb9u1_all.deb …
Unpacking libc-l10n (2.24-11+deb9u1) over (2.24-11) …
Preparing to unpack …/locales_2.24-11+deb9u1_all.deb …
Unpacking locales (2.24-11+deb9u1) over (2.24-11) …
Preparing to unpack …/libexpat1_2.2.0-2+deb9u1_amd64.deb …
Unpacking libexpat1:amd64 (2.2.0-2+deb9u1) over (2.2.0-2) …
Preparing to unpack …/linux-image-4.9.0-3-amd64_4.9.30-2+deb9u2_amd64.deb …
Unpacking linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u2) over (4.9.30-2) …
Setting up libexpat1:amd64 (2.2.0-2+deb9u1) …
Processing triggers for libc-bin (2.24-11+deb9u1) …
Setting up libc-l10n (2.24-11+deb9u1) …
Processing triggers for man-db (2.7.6.1-2) …
Setting up linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u2) …
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file …
Found linux image: /boot/vmlinuz-4.9.0-3-amd64
Found initrd image: /boot/initrd.img-4.9.0-3-amd64
done
Setting up locales (2.24-11+deb9u1) …
Generating locales (this might take a while)…
en_US.UTF-8… done
Generation complete.
I need to reboot the box as Linux kernel was installed. Type the following reboot command:
$ sudo reboot
Install ufw ( Uncomplicated Firewall )
To install ufw on a Debian 9/8, type the following apt-get command
$ sudo apt-get install ufw
Sample outputs:
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
ufw
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 164 kB of archives.
After this operation, 848 kB of additional disk space will be used.
Get:1 http://mirrors.linode.com/debian stretch/main amd64 ufw all 0.35-4 [164 kB]
Fetched 164 kB in 0s (13.1 MB/s)
Preconfiguring packages …
Selecting previously unselected package ufw.
(Reading database … 28439 files and directories currently installed.)
Preparing to unpack …/archives/ufw_0.35-4_all.deb …
Unpacking ufw (0.35-4) …
Setting up ufw (0.35-4) …
Creating config file /etc/ufw/before.rules with new version
Creating config file /etc/ufw/before6.rules with new version
Creating config file /etc/ufw/after.rules with new version
Creating config file /etc/ufw/after6.rules with new version
Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service ? /lib/systemd/system/ufw.service.
Processing triggers for systemd (232-25) …
Processing triggers for man-db (2.7.6.1-2) …
Processing triggers for rsyslog (8.24.0-1) …
You must open required ports such as SSH port 22, 80, 443 and so on:
$ sudo ufw allow 22
$ sudo ufw allow 80
$ sudo ufw allow 443
Enable the firewall, run:
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Verify firewall rules
$ sudo ufw status
Sample outputs:
Status: active
To Action From
— —— —-
22 ALLOW Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
Step 3 – Download openvpn-install.sh script
Type the following wget command:
$ wget https://git.io/vpn -O openvpn-install.sh
Sample outputs:
–2017-06-29 20:19:41– https://git.io/vpn
Resolving git.io (git.io)… 23.23.159.159, 50.16.231.196, 23.23.154.116, …
Connecting to git.io (git.io)|23.23.159.159|:443… connected.
HTTP request sent, awaiting response… 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
–2017-06-29 20:19:41– https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)… 151.101.40.133
Connecting to raw.github.com (raw.github.com)|151.101.40.133|:443… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
–2017-06-29 20:19:41– https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)… 151.101.40.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.40.133|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 14938 (15K) [text/plain]
Saving to: ‘openvpn-install.sh’
openvpn-install.sh 100%[===================>] 14.59K –.-KB/s in 0s
2017-06-29 20:19:41 (134 MB/s) – ‘openvpn-install.sh’ saved [14938/14938]
Run openvpn-install.sh script to install and configure OpenVPN server automatically for you:
$ sudo bash openvpn-install.sh
When prompted set IP address to 104.237.156.154 (replace 104.237.156.154 with your actual IP address) and Port to 1194 (or 443 if you are not using a web server). Use Google or OpenDNS DNS servers with the vpn. Next, type client name (such as iPhone, Nexus6, LinuxRouter, BackupServer etc). Finally, press [Enter] key to install and setup OpenVPN on your system:
Fig.02: Setting up OpenVPN on my Debian 9 box
That is all. Your OpenVPN server has been configured and ready to use. You can see added firewall rules /etc/rc.local file using cat command:
$ cat /etc/rc.local
Sample outputs:
#!/bin/sh -e
iptables -I FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp –dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT –to 104.237.156.154
exit 0
You can view your openvpn server config file generated by the script as follows (do not edit this file by hand):
$ sudo more /etc/openvpn/server.conf
$ sudo vi -M /etc/openvpn/server.conf
Sample outputs:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push redirect-gateway def1 bypass-dhcp
push dhcp-option DNS 173.230.155.5
push dhcp-option DNS 173.255.212.5
push dhcp-option DNS 173.255.219.5
push dhcp-option DNS 173.255.241.5
push dhcp-option DNS 173.255.243.5
push dhcp-option DNS 173.255.244.5
push dhcp-option DNS 173.230.145.5
push dhcp-option DNS 173.230.147.5
push dhcp-option DNS 74.207.241.5
push dhcp-option DNS 74.207.242.5
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
How do I start/stop/restart OpenVPN server on a Debian Linux 9.x/8.x LTS?
Type the following command stop the OpenVPN service:
$ sudo systemctl stop openvpn@server
Type the following command start the OpenVPN service:
$ sudo systemctl start openvpn@server
Type the following command restart the OpenVPN service:
$ sudo systemctl restart openvpn@server
Step 4 – Client configuration
On server your will find a client configuration file called ~/macos-vpn-client.ovpn. All you have to do is copy this file to your local desktop using the scp and provide this file to your OpenVPN client to connect:
$ scp vivek@104.237.156.154:~/macos-vpn-client.ovpn .
Next, you need to download OpenVPN client as per your operating system:
Download OpenVPN client for Apple IOS version 6.x or above and install it.
Download OpenVPN client for Android and install it.
Download OpenVPN client for Apple MacOS (OS X) and install it.
Download OpenVPN client for Windows 7/8/10 and install it.
MacOS/OS X OpenVPN client configuration
First install OpenVPN macos client. Next, double click on macos-vpn-client.ovpn file and it will open in your tunnelblick client > Click on the “Only me” to install it.
Fig.03: MacOS / OS X openvpn client configuration
Once installed click on Connect button and you will be online. Use the following command on MacOS client to verify that your public IP changed to the VPN server IP (type on your Linux/Unix/MacOS desktop):
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
Sample outputs:
104.237.156.154
You can ping to OpenVPN server private IP:
$ ping 10.8.0.1
Sample outputs:
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=287.760 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=283.046 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=278.271 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=283.679 ms
^C
— 10.8.0.1 ping statistics —
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 278.271/283.189/287.760/3.367 ms
Linux OpenVPN client configuration
Install the openvpn client on RHEL/CentOS Linux using yum command:
$ sudo yum install openvpn
OR, Install the openvpn client on a Debian/Ubuntu Linux Linux using apt command:
$ sudo apt install openvpn
Next, copy macos-vpn-client.ovpn as follows:
$ sudo cp macos-vpn-client.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
$ sudo openvpn –client –config /etc/openvpn/client.conf
Your Linux system will automatically connect when computer restart using /etc/init.d/openvpn script:
$ sudo /etc/init.d/openvpn start
For systemd based system, use the following command:
$ sudo systemctl start openvpn@client
Test the connectivity:
$ ping 10.8.0.1 # Ping to OpenVPN server gateway
$ ip route # Make sure routing setup
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com # Make sure your public IP set to OpenVPN server
FreeBSD OpenVPN client configuration
First, install the openvpn client, enter:
$ sudo pkg install openvpn
Next, copy macos-vpn-client.ovpn as follows:
$ mkdir -p /usr/local/etc/openvpn/
$ sudo cp macos-vpn-client.ovpn /usr/local/etc/openvpn/client.conf
Edit /etc/rc.conf and add the following:
openvpn_enable= YES
openvpn_configfile= /usr/local/etc/openvpn/client.conf
Start the OpenVPN service:
$ sudo /usr/local/etc/rc.d/openvpn start
Verify it:
$ ping 10.8.0.1 #Ping to OpenVPN server gateway
$
$ netstat -nr #Make sure routing setup
$
$ drill myip.opendns.com @resolver1.opendns.com #Make sure your public IP set to OpenVPN server
References
OpenVPN project.
OpenVPN road warrior installer Linux.
And there you have it, OpenVPN server installed in five minutes to increase your privacy on your very own Debian 9.x/8.x server hosted in the cloud.
This entry is 4 of 5 in the OpenVPN Tutorial series. Keep reading the rest of the series:
How To Setup OpenVPN Server In 5 Minutes on Ubuntu Server
Install Pi-hole with an OpenVPN to block ads
How to update/upgrade Pi-hole with an OpenVPN
How to install an OpenVPN server on Debian 9/8
How to import a OpenVPN .ovpn file with Network Manager
