How To Install OpenVPN Server on Debian 12

OpenVPN is a powerful and versatile open-source Virtual Private Network (VPN) solution that provides secure, encrypted connections between remote computers and networks. It’s widely used by businesses, organizations, and individuals to protect their online activities and access resources securely over the internet. Debian 12, also known as “Bookworm,” is a stable and reliable Linux distribution that serves as an excellent platform for hosting an OpenVPN server.

In this comprehensive guide, we’ll walk you through the process of installing and configuring an OpenVPN server on Debian 12. Whether you’re looking to secure your remote workforce, bypass geo-restrictions, or simply enhance your online privacy, this tutorial will help you set up a robust VPN solution on one of the most trusted Linux distributions available.

Prerequisites

Before we begin the installation process, ensure that you have the following prerequisites in place:

  • A Debian 12 server with root access or sudo privileges
  • At least 1GB of RAM and 10GB of disk space
  • A static IP address for your server
  • Basic knowledge of Linux command-line operations
  • Access to the server via SSH

It’s also recommended to have a domain name pointed to your server’s IP address, although this is not strictly necessary. Having a domain name can simplify the process of setting up SSL/TLS certificates for enhanced security.

Updating and Upgrading Debian 12

Before installing OpenVPN, it’s crucial to ensure that your Debian 12 system is up to date. This step helps prevent potential conflicts and ensures you have the latest security patches. Open a terminal and run the following commands:

sudo apt update
sudo apt upgrade -y

These commands will update the package lists and upgrade all installed packages to their latest versions. The -y flag automatically answers “yes” to any prompts during the upgrade process.

Installing OpenVPN

Now that your system is up to date, let’s proceed with installing OpenVPN and its dependencies. Debian 12 includes OpenVPN in its default repositories, making the installation process straightforward.

To install OpenVPN and the required packages, run the following command:

sudo apt install openvpn easy-rsa -y

This command installs OpenVPN along with Easy-RSA, a key management tool that we’ll use to generate certificates and keys for our VPN server and clients.

After the installation is complete, verify that OpenVPN was installed correctly by checking its version:

openvpn --version

This should display the installed version of OpenVPN, confirming a successful installation.

Configuring OpenVPN Server

With OpenVPN installed, we can now proceed to configure the server. This process involves several steps, including setting up configuration files, generating encryption keys and certificates, and configuring network settings.

Setting up server configuration files

First, let’s create a directory for our OpenVPN configuration files:

sudo mkdir -p /etc/openvpn/server

Next, copy the sample server configuration file to our new directory:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/server.conf

Now, open the server configuration file in a text editor:

sudo nano /etc/openvpn/server/server.conf

Make the following changes to the configuration file:

  • Uncomment the line push "redirect-gateway def1 bypass-dhcp" to route all client traffic through the VPN
  • Uncomment the lines for DNS servers, e.g., push "dhcp-option DNS 208.67.222.222" and push "dhcp-option DNS 208.67.220.220"
  • Change dh dh2048.pem to dh dh.pem
  • Uncomment the user nobody and group nogroup lines for better security

Save the file and exit the text editor.

Generating encryption keys and certificates

Now we’ll use Easy-RSA to generate the necessary encryption keys and certificates. First, copy the Easy-RSA template files to a new directory:

sudo mkdir /etc/openvpn/easy-rsa
sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

Navigate to the new directory and initialize the PKI (Public Key Infrastructure):

cd /etc/openvpn/easy-rsa
sudo ./easyrsa init-pki

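Next, generate the Certificate Authority (CA) certificate. The nopass option stores the CA private key unencrypted, so anyone who can read pki/private/ca.key can sign certificates that this server will accept: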

sudo ./easyrsa build-ca nopass

Generate the server certificate and key:

sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server

Generate Diffie-Hellman parameters:

sudo ./easyrsa gen-dh

Finally, generate a TLS-Auth key:

sudo openvpn --genkey tls-auth /etc/openvpn/server/ta.key
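
OpenVPN resolves relative file names in server.conf against its working directory, while the CA, server certificate, server key and DH parameters generated above sit under /etc/openvpn/easy-rsa/pki. The following pre-flight check is an added example, not part of the original tutorial; its function names are hypothetical and the demo directory is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): pre-flight check of the files that
# an OpenVPN server config references. Function names are hypothetical.

# Print "directive path" for each active ca/cert/key/dh/tls-auth/tls-crypt line.
# Lines commented out with ';' or '#' are skipped, as is "dh none".
referenced_files() {
    awk '$1 ~ /^(ca|cert|key|dh|tls-auth|tls-crypt)$/ && $2 != "none" { print $1, $2 }' "$1"
}

# Print one finding per problem; no output means every file is in place.
# Relative paths are resolved against the config file's own directory
# (assumption: the service runs with that directory as working directory).
check_server_files() {
    dir=$(dirname "$1")
    referenced_files "$1" | while read -r directive path; do
        case $path in /*) file=$path ;; *) file=$dir/$path ;; esac
        case $directive in key|tls-auth|tls-crypt) secret=yes ;; *) secret=no ;; esac
        if [ ! -f "$file" ]; then
            echo "MISSING  $directive $file"
        elif [ "$secret" = yes ] &&
             [ -n "$(find "$file" \( -perm -040 -o -perm -004 \))" ]; then
            echo "EXPOSED  $directive $file is readable by group or others"
        fi
    done
}

# Constructed sample: dh.pem was never copied and server.key is mode 644.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ca ca.crt' 'cert server.crt' 'key server.key  # keep secret' \
        'dh dh.pem' ';tls-auth old.key 0' 'tls-auth ta.key 0' > "$d/server.conf"
    touch "$d/ca.crt" "$d/server.crt" "$d/server.key" "$d/ta.key"
    chmod 644 "$d/server.key"
    chmod 600 "$d/ta.key"
    check_server_files "$d/server.conf"
    rm -rf "$d"
}

# With an argument, check that config; without one, run the constructed demo.
if [ $# -gt 0 ]; then check_server_files "$1"; else demo; fi
```

Run it as root against /etc/openvpn/server/server.conf before starting the service. Each MISSING file has to be copied from the Easy-RSA pki directory into the server directory, or referenced by absolute path in server.conf.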

Configuring network settings

To enable IP forwarding, which allows the server to route traffic between clients and the internet, edit the sysctl.conf file:

sudo nano /etc/sysctl.conf

Add or uncomment the following line:

net.ipv4.ip_forward=1

Save the file and apply the changes:

sudo sysctl -p

Setting Up Firewall Rules

Proper firewall configuration is crucial for securing your OpenVPN server. We’ll use UFW (Uncomplicated Firewall) to set up the necessary rules.

First, install UFW if it’s not already installed:

sudo apt install ufw -y

Allow SSH connections to ensure you don’t lock yourself out of the server:

sudo ufw allow ssh

Allow OpenVPN traffic:

sudo ufw allow 1194/udp

Enable IP masquerading to allow clients to access the internet through the VPN:

sudo nano /etc/ufw/before.rules

Add the following lines at the top of the file, before the *filter line:

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change eth0 if your primary interface has a different name)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Save the file and exit. Now, enable the firewall:

sudo ufw enable
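
Client traffic only reaches the internet when three settings agree: the MASQUERADE rule names the interface that actually carries the default route, ufw permits forwarded packets, and the kernel forwards. The cross-check below is an added example, not part of the original tutorial; its function names are hypothetical and the demo input is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): cross-check the NAT rule, the ufw
# forward policy and the kernel forwarding flag. Function names are hypothetical.

# Outbound interface named by the MASQUERADE rule in a ufw before.rules file.
masq_iface() {
    awk '$1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
             for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1) }' "$1"
}

# Interface of the default route, from `ip -4 route show default` output.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
             for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Value of DEFAULT_FORWARD_POLICY in an /etc/default/ufw style file.
forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\{0,1\}\([A-Z]*\).*/\1/p' "$1"
}

# Args: before.rules, ufw defaults file, route text, ip_forward value.
# Prints one line per problem; no output means the pieces agree.
check_nat() {
    m=$(masq_iface "$1")
    d=$(default_iface "$3")
    [ -n "$m" ] || echo "no MASQUERADE rule in $1"
    [ -z "$m" ] || [ "$m" = "$d" ] || echo "MASQUERADE leaves via $m, default route via $d"
    [ "$(forward_policy "$2")" = ACCEPT ] ||
        echo "ufw forward policy is not ACCEPT: forwarded packets need a 'ufw route allow' rule"
    [ "$4" = 1 ] || echo "net.ipv4.ip_forward is '$4', expected 1"
}

# Constructed sample: rule copied with eth0 on a host whose uplink is ens3.
demo() {
    t=$(mktemp -d)
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE' 'COMMIT' > "$t/before.rules"
    printf '%s\n' 'DEFAULT_INPUT_POLICY="DROP"' 'DEFAULT_FORWARD_POLICY="DROP"' > "$t/ufw"
    check_nat "$t/before.rules" "$t/ufw" \
        'default via 203.0.113.1 dev ens3 proto dhcp src 203.0.113.10 metric 100' 1
    rm -rf "$t"
}

# Live use:
# check_nat /etc/ufw/before.rules /etc/default/ufw \
#     "$(ip -4 route show default)" "$(sysctl -n net.ipv4.ip_forward)"
demo
```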

Starting and Enabling OpenVPN Service

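With the configuration and firewall rules in place, we can now start the OpenVPN service and enable it to start automatically on boot. Because the configuration file is /etc/openvpn/server/server.conf, use the openvpn-server@ unit, which reads its configuration from /etc/openvpn/server (the openvpn@ unit looks for /etc/openvpn/server.conf instead):

sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server

Verify that the service is running:

sudo systemctl status openvpn-server@server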

You should see output indicating that the service is active and running.

Creating Client Configuration Files

To allow clients to connect to your OpenVPN server, you need to create client configuration files. First, generate a client certificate and key:

cd /etc/openvpn/easy-rsa
sudo ./easyrsa gen-req client1 nopass
sudo ./easyrsa sign-req client client1

Next, create a base client configuration file:

sudo nano /etc/openvpn/client-template.txt

Add the following content, adjusting the server IP address or domain name as necessary:

client
dev tun
proto udp
remote your_server_ip_or_domain 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3

Save the file and exit. Now, create a script to generate client configuration files:

sudo nano /etc/openvpn/make_client_config.sh

Add the following content:

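#!/bin/bash

# First argument: Client identifier
if [ -z "${1}" ]; then
    echo "Usage: $0 <client-name>" >&2
    exit 1
fi

KEY_DIR=/etc/openvpn/easy-rsa/pki
OUTPUT_DIR=/etc/openvpn/clients
BASE_CONFIG=/etc/openvpn/client-template.txt

# The generated profile embeds the client's private key: create it root-only
umask 077

# Wrap each credential in the inline tag OpenVPN expects
cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/issued/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/private/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    /etc/openvpn/server/ta.key \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"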

Save the file, make it executable, and create the output directory:

sudo chmod 700 /etc/openvpn/make_client_config.sh
sudo mkdir -p /etc/openvpn/clients

To generate a client configuration file, run:

sudo /etc/openvpn/make_client_config.sh client1

This will create a file named client1.ovpn in the /etc/openvpn/clients directory.
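
OpenVPN reads credentials embedded in a profile only from inline blocks such as <ca> ... </ca>, so a profile assembled by concatenation is worth a structural check before it is handed to a user. This checker is an added example, not part of the original tutorial; its function names are hypothetical and the sample PEM bodies are placeholders.

```shell
#!/bin/sh
# Added example (not from the tutorial): structural check of a generated
# .ovpn profile. Function names and sample contents are hypothetical.

# Prints one line per problem; no output means all four inline blocks
# (<ca>, <cert>, <key>, <tls-auth>) are present once, closed, and hold PEM data.
check_profile() {
    awk '
    /^<\/(ca|cert|key|tls-auth)>$/ {
        tag = substr($0, 3, length($0) - 3)
        if (tag != open)  print "stray closing tag " $0
        else if (!pem)    print "<" tag "> holds no key or certificate data"
        open = ""; next
    }
    /^<(ca|cert|key|tls-auth)>$/ {
        if (open != "") print "<" open "> is not closed before " $0
        open = substr($0, 2, length($0) - 2); pem = 0; seen[open]++; next
    }
    /^-----BEGIN / {
        if (open == "") print "credential outside an inline block: " $0
        else pem = 1
    }
    END {
        if (open != "") print "<" open "> is never closed"
        n = split("ca cert key tls-auth", want, " ")
        for (i = 1; i <= n; i++)
            if (seen[want[i]] != 1)
                print "expected one <" want[i] "> block, found " (seen[want[i]] + 0)
    }' "$1"
}

# Constructed samples: PEM bodies are placeholders, not real keys.
sample() {   # $1 = "tagged" (well formed) or "bare" (files concatenated without tags)
    for t in ca cert key tls-auth; do
        if [ "$1" = tagged ]; then echo "<$t>"; fi
        printf '%s\n' "-----BEGIN PLACEHOLDER $t-----" 'AAAA' "-----END PLACEHOLDER $t-----"
        if [ "$1" = tagged ]; then echo "</$t>"; fi
    done
}

# Build a constructed profile of the requested kind and check it.
demo() {
    f=$(mktemp)
    { printf 'client\nremote vpn.example.test 1194\nkey-direction 1\n'; sample "$1"; } > "$f"
    check_profile "$f"
    rm -f "$f"
}

demo bare
```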

Connecting Clients to the OpenVPN Server

To connect clients to your OpenVPN server, follow these steps:

  1. Install an OpenVPN client on the device you want to connect from. Popular options include:
    • OpenVPN Connect (official client for Windows, macOS, iOS, and Android)
    • OpenVPN for Linux (available in most distribution repositories)
  2. Transfer the client configuration file (e.g., client1.ovpn) to the client device securely, using SCP or SFTP.
  3. Import the configuration file into your OpenVPN client software.
  4. Connect to the VPN server using the imported profile.

Once connected, your client device should have a new IP address assigned by the VPN server, and all internet traffic should be routed through the VPN connection.

Troubleshooting Common Issues

If you encounter issues while setting up or using your OpenVPN server, consider the following troubleshooting steps:

Connection problems

  • Verify that the OpenVPN service is running on the server.
  • Check firewall rules to ensure that port 1194 (UDP) is open.
  • Confirm that the client configuration file contains the correct server IP address or domain name.
  • Try connecting using the server’s IP address instead of its domain name to rule out DNS issues.

Authentication errors

  • Double-check that the client certificate and key were generated correctly.
  • Verify that the server and client clocks are synchronized.
  • Ensure that the client configuration file includes the correct inline certificate and key sections.

Performance issues

  • Consider changing the VPN protocol from UDP to TCP if you experience packet loss.
  • Adjust the MTU (Maximum Transmission Unit) settings if you encounter fragmentation issues.
  • Monitor server resources to ensure you have sufficient CPU and memory available.

Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing the latest version of the OpenVPN server on Debian 12 “Bookworm”. For additional help or useful information, we recommend you check the official OpenVPN website.


r00t
