Setting up an OpenVPN server on Debian 11 can be done in just a few minutes by following these steps:
- Install OpenVPN:
sudo apt update
sudo apt install openvpn
- Generate the necessary encryption keys and certificates:
sudo easyrsa init-pki
sudo easyrsa build-ca
sudo easyrsa build-server-full server nopass
This will create the necessary keys and certificates in the /etc/openvpn/easy-rsa/pki directory.
- Create the server configuration file:
sudo nano /etc/openvpn/server.conf
- Add the following contents to the file, replacing the IP address with the IP of your server:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
- Enable IP forwarding:
sudo nano /etc/sysctl.conf
and add or uncomment the following line:
net.ipv4.ip_forward=1
- Enable the OpenVPN service:
sudo systemctl start openvpn@server
- Enable the OpenVPN service to start automatically at boot time:
sudo systemctl enable openvpn
- Configure the firewall to allow OpenVPN traffic, you can use
ufwfor that. - Create a client configuration file, you can use a
.ovpnextension for it.
sudo nano /etc/openvpn/client.ovpn
- Add the following contents to the file, replacing the IP address with the IP of your server:
client
dev tun
proto udp
remote <your server IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
You can copy the ca, cert and key from the server’s /etc/openvpn/easy-rsa/pki directory.
You should now have a working OpenVPN server