This tutorial shows you how to set up and configure an OpenVPN server on Debian 6.
- You need a user with sudo access to open an SSH connection on your cloud server.
- A terminal program if you are on a Mac
- PuTTY if you are on Windows
This tutorial assumes a Mac.
Open your terminal and log in using the ssh command:
Enter your password and make the connection.
Before installing OpenVPN, we need to update the packages on our system. That can be done using the command:
sudo apt-get update
I assume that Debian’s package manager apt is already present. Now download all updates for any packages that require it.
sudo apt-get upgrade
Once you are done with this step, we can start installing OpenVPN.
sudo apt-get install openvpn udev
After it is installed, proceed with the configuration. Copy the easy-rsa files used for encryption from their default directory to /etc/openvpn, where the cloud server reads them:
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
Now you can start generating the RSA files for the VPN. You will need to enter certain values while generating the keys. Make sure you note them down, as they have to be included in the certificates too.
Go to the following directory to start generating the RSA files. The vars file has to be sourced in the same shell that runs the other scripts, so the three steps run together in one root shell:
cd /etc/openvpn/easy-rsa/2.0/
sudo sh -c '. ./vars && ./clean-all && ./build-ca'
Once the certificate is generated, you can create the private key for the server. Type in the following command:
sudo sh -c 'cd /etc/openvpn/easy-rsa/2.0 && . ./vars && ./build-key-server server'
In this command, you should replace server with the name of your OpenVPN server.
Now, generate the Diffie-Hellman key exchange parameters using the command:
sudo sh -c 'cd /etc/openvpn/easy-rsa/2.0 && . ./vars && ./build-dh'
You need to generate keys for each client that this installation of OpenVPN hosts. Here, I will be sharing the command for a single client. However, you should repeat the step for each client this installation will host. Also make sure the key identifier for each client is unique.
sudo sh -c 'cd /etc/openvpn/easy-rsa/2.0 && . ./vars && ./build-key client'
Copy the server certificate and key files to the /etc/openvpn directory. Here, I have used server.crt and server.key for the certificates and keys. Make sure you replace them with the file names that you have used.
sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.key /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn
If you want to remove a client’s access to the VPN, you can do that using the following command:
sudo sh -c 'cd /etc/openvpn/easy-rsa/2.0 && . ./vars && ./revoke-full client1'
Here, I have used client1 for simplicity. You should replace it with the name of the client to be removed.
Let’s go ahead and configure the OpenVPN server and client.
Retrieve the sample configuration files using the following commands:
sudo gunzip -d /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/
cd
You will have to modify or replace the client configuration file and other values to match your requirements.
First of all, change the ‘remote’ option to point to your cloud server’s IP address and the port on which you have configured OpenVPN.
Now, change the ‘cert’ and ‘key’ values to reflect the names of the actual certificates and keys. Once you are done with the changes, save and exit the file.
Copy the client configuration files from /etc/openvpn/easy-rsa/2.0/keys to each client’s local machine. The client configuration files will already have the client keys and certificates in them.
Now, you will need to make a few more changes to the server configuration file. Change the ‘cert’ and ‘key’ options to match the certificate and key that the server is using.
sudo nano /etc/openvpn/server.conf
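A check worth running before the restart, written here as an added example and not part of the original tutorial: it reads the ‘ca’, ‘cert’, ‘key’ and ‘dh’ options from server.conf, confirms each file exists, and flags a private key that group or other users can read. The function names and the script name check.sh are hypothetical, and relative paths are assumed to resolve against the directory holding server.conf.

```shell
#!/bin/sh
# Added example: consistency check for an OpenVPN server.conf before restart.
# Assumption: relative paths resolve against the config file's directory.
# Limitation: paths containing spaces (quoted in the config) are not handled.

# Print the first argument of a directive; '#' and ';' comment lines never
# match because their first field is not the bare directive name.
conf_value() {  # conf_value FILE DIRECTIVE
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Succeed only if the file has no group/other permission bits set.
is_private() {
    case "$(ls -ldL "$1")" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every problem found; return 0 only when nothing is wrong.
check_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    problems=0
    for directive in ca cert key dh; do
        value=$(conf_value "$conf" "$directive")
        if [ -z "$value" ]; then
            echo "MISSING $directive: directive not set in $conf"
            problems=$((problems + 1))
            continue
        fi
        case "$value" in
            /*) file=$value ;;
            *)  file=$dir/$value ;;
        esac
        if [ ! -f "$file" ]; then
            echo "NOFILE $directive: $file does not exist"
            problems=$((problems + 1))
        elif [ "$directive" = key ] && ! is_private "$file"; then
            echo "PERMS $directive: $file is accessible to group/others (chmod 600)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage: sh check.sh /etc/openvpn/server.conf
[ $# -eq 0 ] || check_openvpn_conf "$1"
```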
Restart OpenVPN.
sudo /etc/init.d/openvpn restart
Now you are done. You have a working OpenVPN installation on Debian 6.