How To Install and Set Up OpenVPN on Debian 6.0 Squeeze with Certificate Authentication

In this how-to, I am going to share how to install and set up OpenVPN on Debian 6.0 Squeeze, using certificates as the authentication mechanism. This how-to has been tested with Windows 7 as the OpenVPN client.

First, make sure everything is up to date by running the following commands: -

apt-get update
apt-get upgrade --show-upgraded

Next, install OpenVPN and its udev dependency by running the following command: -

apt-get install openvpn udev

Now, copy the ‘easy-rsa’ certificate tools by running the following command: -

cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Let's configure the public key infrastructure for OpenVPN. You need to configure a few variables near the end of the /etc/openvpn/easy-rsa/2.0/vars file to reflect your own organisation, like below: -

export KEY_COUNTRY="MY"
export KEY_PROVINCE="WP"
export KEY_CITY="Kuala Lumpur"
export KEY_ORG="My Organization"
export KEY_EMAIL="vpnadmin@myorg.com"

Run the following commands in sequence to initialize the certificate authority and the public key infrastructure: -

cd /etc/openvpn/easy-rsa/2.0
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca

Next, generate the server's certificate and private key by running the following command: -

. /etc/openvpn/easy-rsa/2.0/build-key-server server

You can change ‘server’ to your OpenVPN server's hostname. The script prompts for the certificate details; the Common Name for this key will be ‘server’. The challenge password can be left blank. Lastly, you must answer ‘yes’ to sign the certificate.

Next, generate a certificate and private key for an OpenVPN client by running the following command: -

. /etc/openvpn/easy-rsa/2.0/build-key client1

Note: ‘client1’ above is the name of the OpenVPN client. Repeat the step above with a different name in place of ‘client1’ for each of your clients to create additional certificates and private keys.

Next, generate the ‘Diffie Hellman Parameters’, which govern the key exchange and authentication method used by the OpenVPN server, by running the following command: -

. /etc/openvpn/easy-rsa/2.0/build-dh

Next, copy the certificate, key and ‘Diffie Hellman Parameters’ files to the /etc/openvpn directory by running the following commands: -

cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn

Now, copy the following certificate and key files from the /etc/openvpn/easy-rsa/2.0/keys directory to the Windows client system using WinSCP: -

ca.crt
client1.crt
client1.key

Below is my OpenVPN server configuration, located in the file /etc/openvpn/server.conf: -

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

Next, download the OpenVPN client installer for Windows. After the download completes, install the OpenVPN client. Then create a client1.ovpn file and copy it, together with ca.crt, client1.crt and client1.key, into the C:\Program Files\OpenVPN\config directory. Below is my OpenVPN client configuration in client1.ovpn for Windows 7: -

client
dev tun
proto udp
remote your.openvpn.server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
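As an added example (not part of the original post), the shell script below cross-checks a server.conf and a client .ovpn like the two above before the .ovpn is handed to a Windows client: the directives that must agree on both sides, the ‘ns-cert-type server’ line that stops another certificate issued by the same CA from being accepted as the server, and the hostname placeholder. Both sample files are constructed inline, and the client one deliberately carries three of those problems.

```shell
# Added example, not from the original post: check a server.conf and a client
# .ovpn against each other before shipping the .ovpn to a Windows client.
# Both sample files are constructed inline; the client one deliberately has
# the three problems the checker reports.
SERVER_CONF=$(mktemp); CLIENT_OVPN=$(mktemp)
cat > "$SERVER_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
EOF
cat > "$CLIENT_OVPN" <<'EOF'
client
dev tun
proto udp
remote your.openvpn.server 1194
ca ca.crt
cert client1.crt
key client1.key
cipher AES-128-CBC
EOF

# directive FILE NAME -> arguments of the first "NAME ..." line, empty if absent
directive() {
    awk -v k="$2" '$1 == k { sub(/^[^ \t]+[ \t]*/, ""); print; exit }' "$1"
}

# check_pair SERVER CLIENT -> one problem per line, returns 1 if any were found
check_pair() {
    rc=0
    # these must agree or the tunnel never comes up / traffic is silently dropped
    for k in proto dev cipher; do
        s=$(directive "$1" "$k"); c=$(directive "$2" "$k")
        [ "$s" = "$c" ] || { echo "mismatch on $k: server='$s' client='$c'"; rc=1; }
    done
    # without this, any certificate the CA issued (another client's, say) is accepted as the server
    [ "$(directive "$2" ns-cert-type)" = server ] || { echo "client lacks 'ns-cert-type server'"; rc=1; }
    # the hostname placeholder from this guide was never replaced
    case "$(directive "$2" remote)" in your.openvpn.server*) echo "remote is still the placeholder"; rc=1 ;; esac
    return $rc
}
```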

With ‘push "redirect-gateway def1"’ in the /etc/openvpn/server.conf file, all of the client's traffic is tunnelled, encrypted, through OpenVPN. You need to uncomment the following line in the /etc/sysctl.conf file to enable IPv4 forwarding: -

net.ipv4.ip_forward=1

That setting takes effect on the next reboot, but you can apply it immediately by running the following command: -

sysctl -p

You also need to configure iptables to forward and NAT the clients' traffic. Run the following commands: -

touch /usr/local/bin/firewall.sh
chmod +x /usr/local/bin/firewall.sh

Now, add the following to the /usr/local/bin/firewall.sh file: -

#!/bin/bash

# Address pool handed out to VPN clients (matches "server 10.8.0.0 255.255.255.0")
oclient="10.8.0.0/24"

# Start from empty filter and NAT tables
iptables -t filter -F
iptables -t nat -F

# Allow replies to established flows, allow VPN clients out, reject everything else
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "$oclient" -j ACCEPT
iptables -A FORWARD -j REJECT

# Rewrite the source address of client traffic leaving eth0 to the server's public IP
iptables -t nat -A POSTROUTING -s "$oclient" -o eth0 -j SNAT --to your.openvpn.server.ip

Note: if the POSTROUTING rule above does not work, you are probably running on OpenVZ; change ‘eth0’ to ‘venet0’, or use the rule below instead: -

iptables -t nat -A POSTROUTING -s $oclient -j MASQUERADE

Next, add the line /usr/local/bin/firewall.sh to /etc/rc.local before ‘exit 0’ so that the iptables rules are recreated on every reboot or power-up.

To revoke an OpenVPN client's access, run the following commands: -

. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full client1

Note: replace ‘client1’ with the name of the client you want to revoke.
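Revoking a certificate only affects future TLS handshakes, and only once server.conf carries a ‘crl-verify crl.pem’ line pointing at the CRL that revoke-full writes into the keys directory; a session that is already up keeps running. As an added example (not from the original post), the following shell functions read the file written by the ‘status openvpn-status.log’ directive above and report revoked clients that still hold a session. The status file content is a constructed sample in the default status layout.

```shell
# Added example, not from the original post: find sessions that survived a
# "revoke-full". Revocation only bites at the next TLS handshake (and only with
# "crl-verify crl.pem" in server.conf); a constructed status file follows.
STATUS_FILE=$(mktemp)
cat > "$STATUS_FILE" <<'EOF'
OpenVPN CLIENT LIST
Updated,Sat Jan  1 10:05:00 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,198.51.100.7:49152,3268,3749,Sat Jan  1 10:00:00 2011
client2,203.0.113.9:51234,11020,86211,Sat Jan  1 09:42:10 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,198.51.100.7:49152,Sat Jan  1 10:04:58 2011
10.8.0.10,client2,203.0.113.9:51234,Sat Jan  1 10:04:59 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

# connected_clients FILE -> "commonname realaddress" per line (CLIENT LIST section)
connected_clients() {
    awk -F, '/^OpenVPN CLIENT LIST/ { s = 1; next }
             /^ROUTING TABLE/       { s = 0 }
             s && $1 != "Updated" && $1 != "Common Name" { print $1, $2 }' "$1"
}

# tunnel_ip FILE NAME -> virtual address assigned to NAME (ROUTING TABLE section)
tunnel_ip() {
    awk -F, -v n="$2" '/^ROUTING TABLE/ { s = 1; next }
                       /^GLOBAL STATS/  { s = 0 }
                       s && $2 == n { print $1; exit }' "$1"
}

# still_connected FILE NAME -> exit 0 if NAME has a live session, 1 otherwise
still_connected() {
    connected_clients "$1" | awk -v n="$2" '$1 == n { f = 1 } END { exit !f }'
}

# revoked_still_connected FILE NAME... -> prints each revoked NAME that still has
# a session, with its tunnel address so the operator can drop it; returns 1 if any
revoked_still_connected() {
    f=$1; shift; rc=0
    for n in "$@"; do
        still_connected "$f" "$n" || continue
        echo "$n still connected, tunnel address $(tunnel_ip "$f" "$n")"
        rc=1
    done
    return $rc
}
```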

Finally, with all the configuration above I hope you are able to use and enjoy your encrypted traffic over OpenVPN. Thank you.

About wingloon

I am a Linux engineer attempting to decode my knowledge through blogging on the World Wide Web. I will share my knowledge as much as possible about Linux (what I know best) and technology in general with all my readers.