This is an old revision of the document!
- vpnserver-debian
- Jonathan Haack
- Haack's Networking
- netcmnd@jonathanhaack.com
vpnserver-debian
This tutorial is for installing a simple openvpn server on a public facing VPS and/or self-hosted virtualization stack. In my case, I am using a slim Debian boot OS, with two zfs pools in RAID10 or two-way mirror setups. I use virsh primarily and/or virt-manager with qemu/kvm to manage the stack. The full setup can be found here vmserver. The point of setting up this openvpn server instance was to only expose port 1194 to the public, and turn off 80/443 (which I used for munin monitoring tool), and turn off 22 (which I used for shell access). I'm not really paranoid about key-based ssh access per se, but/and I figured there was also no need. As for the monitoring tools, I really did not want that information public, so there was a need there. Okay first update and install the package:
sudo apt update sudo apt upgrade sudo apt install openvpn
To keep easyrsa from writing over your configurations, most people copy the directory you intend to use away from it's default location:
cp -r /usr/share/easy-rsa /etc/
Navigate inside of the easy-rsa directory (the one you just made by copying) and start building the server by initializing the pki tool, building your certificate authority, generating diffyhelmen for strong key exchange, and then building the openvpn server itself which will leverage these:
cd /etc/easy-rsa/ ./easyrsa init-pki ./easyrsa build-ca nopass ./easyrsa gen-dh ./easyrsa build-server-full server nopass
To help thwart DDOS and/or UDP flooding, build a HMAC key as follows. Also, make sure to generate a revocation certificate so you can properly revoke previously signed certificates.
openvpn --genkey secret /etc/easy-rsa/pki/ta.key ./easyrsa gen-crl
Copy all the files and directories for keys/certs that you just generated into the openvpn server directory:
cp -p /etc/easy-rsa/pki/ca.crt /etc/openvpn/server/ cp -p /etc/easy-rsa/pki/dh.pem /etc/openvpn/server/ cp -p /etc/easy-rsa/pki/ta.key /etc/openvpn/server/ cp -p /etc/easy-rsa/pki/crl.pem /etc/openvpn/server/ cp -rp /etc/easy-rsa/pki/issued /etc/openvpn/server/ cp -rp /etc/easy-rsa/pki/private /etc/openvpn/server/
The server has everything it needs to operate, but you need to build a configuration file for it. The project provides a default template you can use as a starting point:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/
Here's what my config looks like for comparison:
[[http://example.com|External Link]]
