
How To Install OpenVPN Server on Debian 13


Setting up your own VPN server gives you complete control over your online privacy and security. OpenVPN stands as one of the most trusted open-source VPN solutions available today, offering robust SSL/TLS encryption that protects your data from prying eyes. Whether you need secure remote access to your home network, want to protect your browsing on public Wi-Fi, or require encrypted communication for your small business, hosting an OpenVPN server on Debian 13 (Trixie) provides a reliable, cost-effective solution. This comprehensive guide walks you through every step of installing and configuring OpenVPN on Debian 13, from initial setup to creating client connections.

Prerequisites and Requirements

Before diving into the installation process, ensure your system meets the necessary requirements. You’ll need a Debian 13 server with root or sudo privileges. A minimum of 1GB RAM and at least 10GB of available storage works for most small to medium deployments.

Your server should have a static IP address or a properly configured domain name pointing to it. Basic familiarity with Linux command-line operations will help you navigate this tutorial smoothly. You’ll also need to ensure that UDP port 1194 (OpenVPN’s default) can accept incoming connections through your firewall.

Having a non-root user account with sudo privileges is essential for security best practices. Finally, make sure your system packages are current before beginning the installation.

Updating System and Installing OpenVPN

Start by refreshing your package repositories to ensure you’re installing the latest versions of all software.

sudo apt update
sudo apt upgrade -y

These commands update the package lists and upgrade any outdated packages on your system. The -y flag automatically confirms any prompts during the upgrade process.

Now install OpenVPN and Easy-RSA, which manages your Public Key Infrastructure:

sudo apt install openvpn easy-rsa -y

The installation completes in just a few moments. OpenVPN provides the VPN functionality, while Easy-RSA simplifies the creation and management of certificates and keys that secure your VPN connections.

Verify the installation succeeded by checking the OpenVPN version:

openvpn --version

This command displays the installed version information, confirming OpenVPN is ready to configure.

Setting Up Public Key Infrastructure (PKI)

The PKI forms the security backbone of your OpenVPN server, handling all encryption certificates and keys.

Initialize PKI Directory

Create a dedicated directory for Easy-RSA and initialize the PKI structure:

sudo make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
sudo ./easyrsa init-pki

This creates a fresh PKI environment in the /etc/openvpn/easy-rsa/pki/ directory. The initialization establishes the folder structure needed for certificate management.

Build Certificate Authority (CA)

Your Certificate Authority acts as the trusted root for all certificates. Generate it with:

sudo ./easyrsa build-ca nopass

When prompted, enter a Common Name for your CA, such as “OpenVPN-CA”. The nopass option creates a CA without a passphrase, which simplifies automation but means that anyone who can read pki/private/ca.key can issue certificates your server will trust. Make sure pki/private is readable by root only, keep the CA key out of any backup that other people can read, and consider the more conservative layout: run the CA on a separate, offline machine (without nopass), and copy only ca.crt and the signed certificates to the VPN server.

Generate Server Certificate and Key

Create the server’s certificate and private key:

sudo ./easyrsa build-server-full server nopass

This command generates both the certificate and key for your OpenVPN server. The server certificate identifies your VPN server to connecting clients, while the private key must remain confidential.

Create Diffie-Hellman Parameters

Diffie-Hellman parameters enable secure key exchange between server and clients:

sudo ./easyrsa gen-dh

Generating 2048-bit DH parameters typically takes a few minutes; 4096-bit parameters take much longer. Forward secrecy (session keys staying secure even if the server’s private key is later compromised) comes from the ephemeral key exchange in the TLS handshake, and this file only supplies the group for the finite-field DHE variant. OpenVPN 2.4 and later negotiates ECDHE by default, so you may instead set dh none in the server configuration and skip this step; keeping the file does no harm.

Generate TLS Authentication Key

Add an extra security layer with a TLS authentication key:

sudo openvpn --genkey secret /etc/openvpn/easy-rsa/pki/ta.key

Every control-channel packet must carry a valid HMAC computed with this key, so packets from anyone who does not hold it are dropped before they reach the TLS code. That blunts denial-of-service attempts and makes the port look closed to scanners. It is one shared secret handed to every client, however, so treat it as a gate in front of the TLS handshake rather than a per-client credential. On OpenVPN 2.4 and later, tls-crypt (a key generated with openvpn --genkey tls-crypt) is the stronger option: it encrypts the control channel as well as authenticating it, and needs no 0/1 key-direction settings.

Configuring OpenVPN Server

Now create the main server configuration file that defines how your VPN operates.

Create Server Configuration File

Generate the server configuration:

sudo nano /etc/openvpn/server.conf

Add the following configuration, adjusting paths and settings to match your environment:

# Listener: UDP 1194 on all addresses, routed (tun) mode
port 1194
proto udp
dev tun
# PKI material generated with Easy-RSA above
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
# Client address pool; 10.8.0.1 becomes the server's tunnel address
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Full tunnel: send all client traffic, including DNS, through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# Data-channel ciphers negotiated with each client (OpenVPN 2.5+), AEAD only;
# data-ciphers-fallback replaces the deprecated "cipher" directive
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
# HMAC used for the tls-auth control-channel check
auth SHA256
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
tls-version-min 1.2
# Drop root privileges once keys are loaded and the tun device exists
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

This configuration establishes several critical settings. The server listens on UDP port 1194 and creates a TUN device for routing traffic. It assigns VPN clients IP addresses from the 10.8.0.0/24 subnet. The push directives configure client routing and DNS settings. AES-256-GCM cipher provides strong encryption with good performance.

Create the log directory:

sudo mkdir -p /var/log/openvpn

Security and Performance Options

The configuration includes several security enhancements. Running as user nobody and group nogroup limits what an attacker gains if the OpenVPN process is compromised. Because privileges are dropped after startup, the process could not re-read its key files or recreate the TUN device on an internal restart (for example after a keepalive timeout); persist-key and persist-tun keep both across such restarts so the unprivileged process keeps working.

AES-256-GCM is an AEAD mode: every data packet is authenticated as well as encrypted, so tampering is detected and rejected. auth SHA256 selects the HMAC for the tls-auth control-channel check; with a GCM data channel it plays no role in data packets, whose integrity comes from GCM itself. These settings balance security and performance well for most deployments.

Network Configuration Settings

The redirect-gateway push sends all client traffic, not only traffic for the server’s network, through the tunnel. The DNS push hands clients Google’s public resolvers; substitute your own or an internal resolver if you would rather that provider did not see every lookup. The push only takes effect where the client applies it: Windows and the OpenVPN Connect apps do, while a Linux client needs an up/down script (Debian ships /etc/openvpn/update-resolv-conf, or install openvpn-systemd-resolved) to rewrite its resolver configuration. For Windows clients, also pushing block-outside-dns stops queries from leaking to the local resolver beside the tunnel.

OpenVPN 2.4 and later leave the socket buffers at the operating-system default (sndbuf 0 and rcvbuf 0), which is usually the right choice on a current kernel. The explicit sizes below are an older tuning for 2.3-era servers; apply them only if a measurement on your own link shows a gain:

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

Measure throughput before and after with the same client and path; on many hosts these values change nothing or make things worse.

Configuring Firewall and IP Forwarding

Your server needs to forward traffic between the VPN and your network.

Enable IP Forwarding

Create a sysctl configuration file:

sudo nano /etc/sysctl.d/99-ipforward.conf

Add this line:

net.ipv4.ip_forward=1

Apply the change immediately:

sudo sysctl -p /etc/sysctl.d/99-ipforward.conf

IP forwarding allows your server to route packets between interfaces, essential for VPN functionality.

Configure NFTables for NAT

Debian 13 uses nftables for firewall management. Set up masquerading so VPN clients can reach external networks through the server’s address:

sudo nft add table ip NAT
sudo nft add chain ip NAT my_masquerade '{ type nat hook postrouting priority 100; }'
sudo nft add rule ip NAT my_masquerade ip saddr 10.8.0.0/24 oifname "eth0" masquerade

Replace eth0 with the interface that carries your default route; ip route show default prints it (on Debian it is usually a name like ens3 or enp1s0). If your filter table has a forward chain with a drop policy, also add rules accepting traffic between tun0 and that interface, or nothing will be forwarded.

Make the rules persistent by saving them. The redirection has to run as root, and the saved file should begin with flush ruleset so that reloading it never stacks duplicate rules; check that the file parses before enabling the service:

sudo sh -c '{ echo "#!/usr/sbin/nft -f"; echo "flush ruleset"; nft list ruleset; } > /etc/nftables.conf'
sudo nft -c -f /etc/nftables.conf
sudo systemctl enable nftables
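The commands above add only the NAT rule and leave whatever input and forward policy the host already has. The script below is an added example, not part of the original page, that generates a complete /etc/nftables.conf for the VPN gateway: default-deny input and forward chains that admit only SSH, the OpenVPN listener and the tunnel, plus the masquerade rule. The WAN interface name (ens3 in the demo), the tunnel device tun0 and the 10.8.0.0/24 pool are assumptions matching the configuration above; do not load this on a host where UFW or another tool manages the ruleset, because flush ruleset discards their rules.

```shell
#!/bin/sh
# Added example (not from the original page): emit a complete nftables ruleset
# for an OpenVPN gateway, not just the NAT rule. Assumed names: the WAN
# interface, VPN subnet and port are arguments; the tunnel device is tun0.

# Reject anything that is not a dotted-quad CIDR so a typo cannot turn into
# "masquerade every source address".
valid_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Usage: gen_ovpn_ruleset WAN_IF VPN_SUBNET [VPN_PORT]   (prints to stdout)
gen_ovpn_ruleset() {
  wan="$1"; subnet="$2"; port="${3:-1194}"
  valid_cidr "$subnet" || { echo "gen_ovpn_ruleset: bad subnet '$subnet'" >&2; return 1; }
  cat <<EOF
#!/usr/sbin/nft -f
# Start from an empty ruleset so re-applying this file never duplicates rules.
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # Only SSH and the OpenVPN listener are reachable from the WAN side.
    iifname "$wan" tcp dport 22 accept
    iifname "$wan" udp dport $port accept
    # VPN clients may reach services on the server itself (e.g. a resolver on 10.8.0.1).
    iifname "tun0" accept
    icmp type echo-request accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Forward only VPN clients out to the Internet, never the reverse direction.
    iifname "tun0" oifname "$wan" ip saddr $subnet accept
  }
}

table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    ip saddr $subnet oifname "$wan" masquerade
  }
}
EOF
}

# Demo with constructed values. On a real host:
#   gen_ovpn_ruleset ens3 10.8.0.0/24 | sudo tee /etc/nftables.conf >/dev/null
#   sudo nft -c -f /etc/nftables.conf && sudo nft -f /etc/nftables.conf
gen_ovpn_ruleset ens3 10.8.0.0/24 1194
```

The forward chain is the part most NAT-only recipes miss: with a drop policy there, only packets that entered on tun0 from the VPN pool and leave on the WAN interface are forwarded, so a host on the Internet cannot use the gateway to reach tunnel clients, and a client that somehow spoofs a source outside 10.8.0.0/24 is dropped rather than masqueraded.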

UFW Firewall Configuration

If you’re using UFW instead, configure it appropriately:

sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw enable

Edit UFW’s before rules to add masquerading:

sudo nano /etc/ufw/before.rules

Add this block before the *filter line, again replacing eth0 with your interface name:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

UFW’s forward policy defaults to DROP, which would discard the very traffic you just enabled routing for, so set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw (or add explicit ufw route allow rules for tun0). Apply both changes with sudo ufw reload.

Starting and Managing OpenVPN Service

Enable and start your OpenVPN server:

sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server

Check the service status:

sudo systemctl status openvpn@server

A successful start shows “active (running)” in green. Verify the TUN interface was created:

ip addr show tun0

You should see the TUN interface with the 10.8.0.1 IP address. Monitor the log file for any issues:

sudo tail -f /var/log/openvpn/openvpn.log

The logs provide real-time information about connection attempts and server operations.

Creating Client Certificates and Configuration

Each VPN client needs its own certificate for authentication.

Generate Client Certificates

Create a certificate for your first client:

cd /etc/openvpn/easy-rsa
sudo ./easyrsa build-client-full client1 nopass

Replace client1 with a meaningful name for each user or device. Generate a separate certificate for each client and never share one between devices: a shared certificate cannot be revoked for one holder without cutting off the others, and the server cannot tell the holders apart. When a device is lost or a user leaves, revoke its certificate with ./easyrsa revoke client1 followed by ./easyrsa gen-crl, then point the server at the resulting pki/crl.pem with a crl-verify directive and regenerate the CRL whenever you revoke again.

Prepare Client Configuration Files

Create a client configuration template:

nano ~/client1.ovpn

Add this configuration:

client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# Key direction 1 on the client, 0 on the server
tls-auth ta.key 1
# Refuse any peer whose certificate lacks the serverAuth extended key usage
remote-cert-tls server
# Must overlap the server's data-ciphers list
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
verb 3

Replace YOUR_SERVER_IP with your server’s public IP address or domain name. The client must agree with the server on protocol, device type, cipher, auth and the tls-auth key direction (0 on the server, 1 on the client). Without a remote-cert-tls server line, any holder of a valid client certificate could pose as the server to other clients; Easy-RSA issues server certificates with the serverAuth extended key usage precisely so that clients can check for it.

Transfer Files to Client

Clients need four files:

  • ca.crt
  • client1.crt
  • client1.key
  • ta.key

Copy these securely using SCP:

scp /etc/openvpn/easy-rsa/pki/ca.crt user@client-ip:~/
scp /etc/openvpn/easy-rsa/pki/issued/client1.crt user@client-ip:~/
scp /etc/openvpn/easy-rsa/pki/private/client1.key user@client-ip:~/
scp /etc/openvpn/easy-rsa/pki/ta.key user@client-ip:~/

The pki/private directory is readable only by root, so either run the scp commands with sudo or first copy the four files into a directory your own user owns. Never transfer these files over unencrypted channels, and delete the staging copies afterwards. A single .ovpn file that embeds all four, with key-direction 1 replacing the tls-auth direction argument, is easier to hand to users and to import into the GUI and mobile clients.
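As an added example that is not part of the original page, the script below builds that single inline profile from the Easy-RSA layout used above. It strips the human-readable certificate dump that Easy-RSA writes in front of the PEM block in pki/issued/*.crt, adds remote-cert-tls server and key-direction 1, and refuses to run if any of the four files is missing. The host name vpn.example.com and the placeholder PEM bodies in the demo are constructed; on the server you would pass /etc/openvpn/easy-rsa/pki as the PKI directory.

```shell
#!/bin/sh
# Added example (not from the original page): bundle a client's four PKI files
# into a single .ovpn profile with inline <ca>/<cert>/<key>/<tls-auth> blocks.
# Assumed: the Easy-RSA layout under PKI_DIR (ca.crt, issued/NAME.crt,
# private/NAME.key, ta.key); the server host name is an argument.

# Print only the PEM block of type $2 from file $1. Easy-RSA's pki/issued/*.crt
# files start with a human-readable dump of the certificate; strip it so the
# profile carries just the base64 block.
pem_block() {
  sed -n "/^-----BEGIN $2-----\$/,/^-----END $2-----\$/p" "$1"
}

# Usage: build_ovpn CLIENT_NAME SERVER_HOST PKI_DIR > CLIENT_NAME.ovpn
build_ovpn() {
  name="$1"; host="$2"; pki="$3"
  for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$pki/ta.key"; do
    [ -r "$f" ] || { echo "build_ovpn: missing or unreadable: $f" >&2; return 1; }
  done
  cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a peer whose certificate carries the serverAuth EKU; otherwise
# anyone holding a valid client certificate could pose as the server.
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
# Inline tls-auth keys take the direction as a separate directive.
key-direction 1
verb 3
<ca>
$(pem_block "$pki/ca.crt" CERTIFICATE)
</ca>
<cert>
$(pem_block "$pki/issued/$name.crt" CERTIFICATE)
</cert>
<key>
$(cat "$pki/private/$name.key")
</key>
<tls-auth>
$(pem_block "$pki/ta.key" "OpenVPN Static key V1")
</tls-auth>
EOF
}

# Constructed stand-in PKI with placeholder PEM bodies (not real keys) so the
# bundling runs anywhere; on the server, PKI_DIR is /etc/openvpn/easy-rsa/pki.
demo_pki=$(mktemp -d)
mkdir -p "$demo_pki/issued" "$demo_pki/private"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDCA' '-----END CERTIFICATE-----' > "$demo_pki/ca.crt"
printf '%s\n' 'Certificate:' '    Data:' '        Subject: CN=client1' \
  '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDCLIENT' '-----END CERTIFICATE-----' > "$demo_pki/issued/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTEDKEY' '-----END PRIVATE KEY-----' > "$demo_pki/private/client1.key"
printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
  '-----BEGIN OpenVPN Static key V1-----' 'CONSTRUCTEDTA' '-----END OpenVPN Static key V1-----' > "$demo_pki/ta.key"
chmod 600 "$demo_pki/private/client1.key"

build_ovpn client1 vpn.example.com "$demo_pki" > "$demo_pki/client1.ovpn"
chmod 600 "$demo_pki/client1.ovpn"   # the profile now contains a private key
```

The resulting file carries the client’s private key, so it deserves the same handling as client1.key: mode 600, an encrypted channel to the user, and removal from the server once delivered.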

Client Connection Testing

On Linux clients, install OpenVPN:

sudo apt install openvpn

Put the configuration and the four certificate and key files in one directory and connect from there:

cd ~ && sudo openvpn --config client1.ovpn

To run the connection as a service instead, place the files in /etc/openvpn/client/, name the profile client1.conf, and start it with sudo systemctl start openvpn-client@client1.

Successful connection displays “Initialization Sequence Completed”. Test connectivity by pinging the server’s VPN IP:

ping 10.8.0.1

For Windows clients, install OpenVPN GUI and import the .ovpn file. Mobile platforms use the OpenVPN Connect app available in their respective app stores.

Common Issues and Troubleshooting

Connection timeouts usually indicate firewall problems. Verify your router forwards port 1194 to your server. Check that firewall rules permit OpenVPN traffic on both server and client.

Certificate verification failures stem from mismatched or expired certificates. Ensure clients use certificates signed by the correct CA. Time synchronization matters – significant clock differences between client and server cause verification failures.

TLS handshake errors typically result from configuration mismatches. Client and server must agree on protocol (UDP/TCP), cipher, and authentication settings. Device mode mismatches (TUN vs TAP) prevent connections.

“Address already in use” errors indicate port conflicts. Check whether another process owns port 1194 with sudo ss -ulnp | grep 1194 (the older netstat is not installed by default on Debian). Protocol mismatches occur when the client uses TCP but the server expects UDP.

Compression setting inconsistencies prevent connections. OpenVPN 2.5 and later disable compression by default because compressing plaintext before encryption enables VORACLE-style oracle attacks; leave it off on both sides rather than matching comp-lzo settings. DNS resolution problems occur when pushed DNS servers are unreachable. Test DNS with nslookup google.com from the client.

Enable verbose logging (verb 5) temporarily for detailed troubleshooting information. Examine both server and client logs simultaneously when diagnosing connection issues. Test basic connectivity with ping and traceroute commands.

Testing and Verification

Confirm your VPN works correctly through systematic testing. Check your IP address from the client perspective by visiting a site like whatismyipaddress.com – it should show your VPN server’s IP, not your client’s real IP.

Test DNS resolution through the VPN tunnel:

nslookup google.com

The response should come from your pushed DNS servers. Access resources on your internal network from VPN clients to verify routing works properly. Run speed tests to ensure acceptable performance for your use case.

Monitor connection stability over several hours. Check the status log periodically:

sudo cat /var/log/openvpn/openvpn-status.log

This file shows connected clients, connection times, and data transfer statistics. To confirm what was actually negotiated, look in openvpn.log for the Control Channel: line (TLS version and cipher suite) and the Outgoing Data Channel: Cipher line (the data-channel cipher, AES-256-GCM with the configuration above); both appear at verb 3.
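The status file is also the quickest place to spot sessions you did not expect. The script below is an added example, not from the original page: it parses the default status format (status-version 1) into one line per session, counts sessions, reports common names that are not on an operator-maintained list of issued clients, and reports common names with more than one simultaneous session. The status file contents, the client names and the expected-client list are constructed for the demo; on the server you would pass /var/log/openvpn/openvpn-status.log.

```shell
#!/bin/sh
# Added example (not from the original page): read the server's status file
# (status-version 1, the default for the "status" directive) and turn it into
# a per-session list plus two checks an operator would want.
# Assumed: the status file and expected-client list below are constructed.

# Print "CN real_address bytes_received bytes_sent connected_since" per session.
# The client list sits between the "Common Name,..." header and "ROUTING TABLE".
ovpn_sessions() {
  awk -F, '
    /^ROUTING TABLE/            { in_clients = 0 }
    in_clients && NF >= 5       { print $1, $2, $3, $4, $5 }
    /^Common Name,Real Address/ { in_clients = 1 }
  ' "$1"
}

# Number of connected sessions.
ovpn_session_count() { ovpn_sessions "$1" | wc -l | tr -d ' '; }

# Common names connected that are not in the expected list ($2, one CN per
# line): a certificate you forgot about, or one you believed was revoked.
ovpn_unexpected() {
  ovpn_sessions "$1" | awk 'NR == FNR { ok[$1] = 1; next } !($1 in ok) { print $1 }' "$2" -
}

# Common names with more than one simultaneous session. Only visible when the
# server runs with duplicate-cn; without it a shared certificate shows up in
# openvpn.log as the same CN reconnecting from changing addresses instead.
ovpn_shared_cn() {
  ovpn_sessions "$1" | awk '{ n[$1]++ } END { for (c in n) if (n[c] > 1) print c }'
}

# Constructed sample status file and expected-client list.
demo_status=$(mktemp)
demo_expected=$(mktemp)
cat > "$demo_status" <<'EOF'
OpenVPN CLIENT LIST
Updated,2025-01-15 10:00:00
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:51234,10240,204800,2025-01-15 09:12:03
laptop-bob,198.51.100.7:40001,512,1024,2025-01-15 09:58:41
client1,192.0.2.55:61000,2048,4096,2025-01-15 09:59:59
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,client1,203.0.113.10:51234,2025-01-15 09:59:58
10.8.0.3,laptop-bob,198.51.100.7:40001,2025-01-15 09:59:50
10.8.0.4,client1,192.0.2.55:61000,2025-01-15 09:59:59
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
printf '%s\n' client1 > "$demo_expected"

echo "sessions:   $(ovpn_session_count "$demo_status")"
echo "unexpected: $(ovpn_unexpected "$demo_status" "$demo_expected")"
echo "shared CN:  $(ovpn_shared_cn "$demo_status")"
```

Run from cron with the real status file and a list of the certificates you have issued and not revoked, a non-empty result from either check is worth a look: an unexpected name means the CA signed something you are not tracking, and a shared name means a key has been copied between devices and should be revoked and reissued.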

Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing the latest version of the OpenVPN server on Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the official OpenVPN website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing his knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.