How To Install and Set Up OpenVPN on Debian 6.0 Squeeze with Certificate Authentication

In this how-to, I am going to share how to install and set up OpenVPN on Debian 6.0 Squeeze, using certificates as the authentication mechanism. This how-to has been tested with Windows 7 as the OpenVPN client.

First, make sure everything is up to date by running the following commands: -

apt-get update
apt-get upgrade --show-upgraded

Next, install OpenVPN and its udev dependency by running the following command: -

apt-get install openvpn udev

Now, copy the ‘easy-rsa’ tools, which generate the certificates and keys, by running the following command: -

cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Let's configure the public key infrastructure for OpenVPN. You need to set some variables near the end of the /etc/openvpn/easy-rsa/2.0/vars file to reflect your own organisation, like below: -

export KEY_CITY="Kuala Lumpur"
export KEY_ORG="My Organization"
export KEY_EMAIL=""

Run the following commands in sequence to initialize the certificate authority and the public key infrastructure: -

cd /etc/openvpn/easy-rsa/2.0
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca

Next, generate the certificate and private key for the server by running the following command: -

. /etc/openvpn/easy-rsa/2.0/build-key-server server

You can change server to your OpenVPN server hostname. The script will prompt for information, and the Common Name for this key will be server. You can leave the challenge password blank. Lastly, you must answer yes to sign the certificate.

Next, generate the certificate and private key for an OpenVPN client by running the following command: -

. /etc/openvpn/easy-rsa/2.0/build-key client1

Note that client1 above is the name of the OpenVPN client. Replace client1 to match each of your clients, repeating the step above to create an additional certificate and private key for each one.

Next, generate the Diffie-Hellman parameters, which govern the key exchange and authentication method used by the OpenVPN server, by running the following command: -

. /etc/openvpn/easy-rsa/2.0/build-dh

Next, copy the certificate, key and Diffie-Hellman parameter files to the /etc/openvpn directory by running the following commands (note that the server configuration below only references ca.crt; ca.key is the CA signing key and is not needed by the running server): -

cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn

Now, copy the following certificate and key files from the /etc/openvpn/easy-rsa/2.0/keys directory to the Windows client system using WinSCP: -


Below is my OpenVPN server configuration, located at /etc/openvpn/server.conf: -

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
cipher AES-256-CBC
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
push "redirect-gateway def1"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 5 30

Next, download the OpenVPN client Windows installer. After the download completes, install the OpenVPN client. Then create a client1.ovpn file and copy ca.crt, client1.crt and client1.key into the C:\Program Files\OpenVPN\config directory. Below is my OpenVPN client configuration in client1.ovpn for Windows 7: -

dev tun
proto udp
remote your.openvpn.server 1194
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher AES-256-CBC
verb 3

Having push "redirect-gateway def1" in /etc/openvpn/server.conf routes all client traffic through the encrypted OpenVPN tunnel. For that to work, you need to uncomment the following line in /etc/sysctl.conf to enable IPv4 forwarding: -


The setting takes effect on the next reboot, but you can apply it immediately by running the following command: -

sysctl -p

You also need to configure iptables to forward traffic through OpenVPN. Run the following commands to create an executable script: -

touch /usr/local/bin/
chmod +x /usr/local/bin/

Now, add the lines below to the /usr/local/bin/ file: -



iptables -t filter -F
iptables -t nat -F

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $oclient -j ACCEPT
iptables -A FORWARD -j REJECT

iptables -t nat -A POSTROUTING -s $oclient -o eth0 -j SNAT --to your.openvpn.server.ip

Note: if the above POSTROUTING rule doesn’t work, you are probably using OpenVZ and need to change eth0 to venet0, or change the rule to the one below: -

iptables -t nat -A POSTROUTING -s $oclient -j MASQUERADE

Next, add the line /usr/local/bin/ to /etc/rc.local before exit 0 so that the iptables rules are created on every reboot or power-up.

Later, you can revoke an OpenVPN client's access by running the following commands: -

. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full client1

Note: replace client1 with the name of the client whose access you want to revoke.
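The server.conf shown earlier and the revoke-full step above can be checked together with the following script. It is an added example, not part of the original post: it audits a server.conf for the settings a certificate-based setup relies on, including crl-verify, which OpenVPN needs before a certificate revoked with revoke-full is actually rejected. The function names audit_server_conf and write_sample_conf are my own, and the sample config is constructed from the one in this post.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN server.conf
# like the one above. Prints one finding per line and always returns 0 so
# the caller can count findings; the config path is the only argument.
audit_server_conf() {
    conf="$1"
    # Certificate authentication is only enforceable if all three are set.
    grep -Eq '^[[:space:]]*ca[[:space:]]+' "$conf"   || echo "missing: ca"
    grep -Eq '^[[:space:]]*cert[[:space:]]+' "$conf" || echo "missing: cert"
    grep -Eq '^[[:space:]]*key[[:space:]]+' "$conf"  || echo "missing: key"
    # revoke-full writes keys/crl.pem, but OpenVPN only checks it with crl-verify.
    grep -Eq '^[[:space:]]*crl-verify[[:space:]]+' "$conf" \
        || echo "missing: crl-verify (revoked client certificates still connect)"
    # dh1024.pem is the easy-rsa 2.0 default (KEY_SIZE=1024 in vars).
    grep -Eq '^[[:space:]]*dh[[:space:]]+dh1024\.pem' "$conf" \
        && echo "weak: dh1024.pem (set KEY_SIZE=2048 in vars, rerun build-dh)"
    # tls-auth HMACs the control channel before any TLS handshake work.
    grep -Eq '^[[:space:]]*tls-auth[[:space:]]+' "$conf" \
        || echo "missing: tls-auth (control channel not HMAC-protected)"
    # The daemon should drop root after it has opened the tun device.
    grep -Eq '^[[:space:]]*user[[:space:]]+' "$conf"  || echo "missing: user nobody"
    grep -Eq '^[[:space:]]*group[[:space:]]+' "$conf" || echo "missing: group nogroup"
    # A pushed DNS option with no address is incomplete.
    grep -E '^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS"[[:space:]]*$' "$conf" \
        | while read -r line; do echo "incomplete: $line (no DNS address)"; done
    return 0
}
# Constructed sample: the server.conf from this post, trimmed to the lines
# the audit looks at, written to the path given as argument.
write_sample_conf() {
    cat > "$1" <<'EOF'
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
cipher AES-256-CBC
push "redirect-gateway def1"
push "dhcp-option DNS"
push "dhcp-option DNS"
EOF
}
tmp=$(mktemp)
write_sample_conf "$tmp"
audit_server_conf "$tmp"
rm -f "$tmp"
```

Run it against your real /etc/openvpn/server.conf instead of the sample by calling audit_server_conf with that path.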

Finally, with all the configuration above, I hope you are able to use and enjoy your encrypted traffic over OpenVPN. Thank you.

About wingloon

I am a Linux engineer attempting to decode my knowledge through blogging on the World Wide Web. I will share my knowledge as much as possible about Linux (what I know best) and technology in general with all my readers.