In this tutorial, we will show you how to install OpenVPN Server on Debian 11. For those of you who didn’t know, OpenVPN is a service used to create Virtual Private Networks. That is, it allows you to link two nodes that are connected over the Internet but not in the same place. All the devices connected to a virtual private network act as if they’re linked to your local area network. The packets sent through the VPN tunnel are encrypted with 256-bit AES encryption, making data theft impossible.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account; if not, you may need to add ‘sudo‘ to the commands to get root privileges. I will walk you through the step-by-step installation of the OpenVPN Server on Debian 11 (Bullseye).
- A server running one of the following operating systems: Debian 11 (Bullseye).
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as root.
Install OpenVPN Server on Debian 11 Bullseye
Step 1. Before we install any software, it’s important to make sure your system is up to date by running the following apt commands in the terminal:
sudo apt update
sudo apt upgrade
Step 2. Installing OpenVPN Server on Debian 11.
Now we download the OpenVPN server installer script from GitHub using curl:
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
Once downloaded, give the script execute permissions and then run it:
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh
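The download step above pulls the installer from the moving master branch and runs it as root, so what executes can change between runs. The following is an added example, not code from this tutorial or from the openvpn-install project: it fetches a pinned commit and refuses to make the script executable unless its SHA-256 matches a value recorded after review. The function names and the `<COMMIT_SHA>` and `<EXPECTED_SHA256>` placeholders are assumptions.

```shell
#!/bin/sh
# Added example, not from the openvpn-install project: pin the installer to a
# reviewed commit and refuse to run it unless its SHA-256 matches the pin.
# The commit and hash passed in are placeholders you record after your review.

REPO_RAW="https://raw.githubusercontent.com/angristan/openvpn-install"

# Build the raw URL for one specific commit instead of the master branch.
pinned_url() {
    printf '%s/%s/openvpn-install.sh\n' "$REPO_RAW" "$1"
}

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
    sha256sum "$1" | awk '{ print tolower($1) }'
}

# Return 0 only if FILE exists and hashes to EXPECTED (64 hex characters).
verify_pinned() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    case $expected in
        *[!0-9a-f]*|'') echo "expected hash is not hex" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash is not 64 chars" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch: got $actual" >&2
        return 1
    fi
}

# Download the pinned revision, verify it, and only then make it executable.
fetch_verified() {
    commit=$1 expected=$2 out=${3:-openvpn-install.sh}
    curl --fail --silent --show-error --location --proto '=https' \
        --output "$out" "$(pinned_url "$commit")" || return 1
    if verify_pinned "$out" "$expected"; then
        chmod 0700 "$out"
    else
        rm -f "$out"
        return 1
    fi
}

# Usage: fetch_verified "<COMMIT_SHA>" "<EXPECTED_SHA256>" && sudo ./openvpn-install.sh
```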
You will be prompted to enter some information:
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.
I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address:
We will be asked if we want to enable IPv6 which is disabled by default:
Checking for IPv6 connectivity...
Your host appears to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: y
By default, OpenVPN uses port 1194. If you want to use a specific port, press 2 and then press:
What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 1
Next, set the protocol that OpenVPN will use:
What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
1) UDP
2) TCP
Protocol [1-2]: 2
Now you have to select a DNS provider:
What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Anycast: worldwide)
12) NextDNS (Anycast: worldwide)
13) Custom
DNS [1-12]: 9
Now you will be asked if you want to use Compression. You will be informed there that it is not recommended but it is your choice:
Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n
If you really know how to manipulate OpenVPN you can customize the encryption options. If you don’t, don’t do it:
Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
Customize encryption settings? [y/n]: n
Then the whole installation process will start. After that, to add a new client, you will see the following output screen, where you will have to define the client name:
Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: idroot
Next, you will be asked if you want to protect the configuration file with a password:
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1
Finally, you will be informed that the process has been successful:
Client idroot added.
The configuration file has been written to /home/user/idroot.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
Once the setup is complete, all you have to do is download the idroot.ovpn file and copy it to the client so that it can connect from the GUI of your connection manager or via the terminal using the command below:
Step 3. Configure Firewall.
By default, OpenVPN uses port 1194, so you must open port 1194 in the firewall:
sudo ufw allow 1194
sudo ufw enable
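`ufw allow 1194` with no protocol opens the port for both TCP and UDP, and `ufw enable` on a remote VPS applies a default-deny inbound policy to everything not explicitly allowed. As an added example (not part of the original tutorial or the installer), the script below reads the port and protocol from the server configuration and prints a narrower rule set. It assumes the config is at /etc/openvpn/server.conf and that the server is administered over SSH on port 22; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: derive the ufw rule from the OpenVPN server config so the
# firewall opens only the port/protocol the daemon listens on.
# Assumptions: config at /etc/openvpn/server.conf, admin access via SSH on 22.

# Print "PORT/PROTO" for a server config; proto is reduced to tcp or udp.
openvpn_listener() {
    awk '
        $1 == "port"  { port = $2 }
        $1 == "proto" { proto = $2 }
        END {
            if (port == "") port = 1194      # OpenVPN default port
            if (proto == "") proto = "udp"   # OpenVPN default protocol
            sub(/-server$/, "", proto)       # tcp-server -> tcp
            sub(/[46]$/, "", proto)          # tcp6, udp4 -> tcp, udp
            if (proto != "udp" && proto != "tcp") exit 1
            if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) exit 1
            print port "/" proto
        }' "$1"
}

# Print (not run) the ufw commands, SSH first so enabling ufw keeps the session.
ufw_plan() {
    conf=${1:-/etc/openvpn/server.conf} ssh_port=${2:-22}
    listener=$(openvpn_listener "$conf") || { echo "cannot parse $conf" >&2; return 1; }
    printf 'ufw allow %s/tcp\n' "$ssh_port"
    printf 'ufw allow %s\n' "$listener"
    printf 'ufw enable\n'
}

# Demo on a constructed config matching the port 1194, TCP and IPv6 answers above.
sample=$(mktemp)
printf 'port 1194\nproto tcp6\ndev tun\n' > "$sample"
ufw_plan "$sample"
rm -f "$sample"
```

Review the printed commands, then run them with sudo in the order shown.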
Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing the latest version of the OpenVPN server on Debian 11 Bullseye. For additional help or useful information, we recommend you check the official OpenVPN website.