Install OpenVPN Server on Debian 8

Requirements to install OpenVPN on Debian 8

  • Update and upgrade Debian 8 #apt-get update -y && apt-get upgrade -y
  • TUN/TAP must ENABLE at VPS control panel/client area
  • Do not reboot until OpenVPN clients added and successfully started, otherwise have to start from beginning
  • Install and Configure iptables Firewall below
  • Check if Universal TUN/TAP device driver exist on Kernel
#grep tun /var/log/kern.log
May  1 03:42:53 ubuntu16 kernel: [    1.147941] tun: Universal TUN/TAP device driver, 1.6
May  1 03:42:53 ubuntu16 kernel: [    1.149404] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>

First find the public network interface (eth0, venet0, wlp11s0, etc)

#ifconfig
eth0      Link encap:Ethernet  HWaddr 05:54:51:9f:cd:5a
          inet addr:120.x.x.x  Bcast:120.x.x.x  Mask:255.255.255.0

Public interface is “eth0”. Then runfollowing iptables v4 rules below

/sbin/iptables -F && /sbin/iptables -X \
&& /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP \
&& /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP \
&& /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP \
&& /sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT \
&& /sbin/iptables -A INPUT -i lo -j ACCEPT && /sbin/iptables -A OUTPUT -o lo -j ACCEPT \
&& /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT \
&& /sbin/iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT \
&& /sbin/iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT \
&& /sbin/iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT \
&& /sbin/iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT \
&& /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT \
&& /sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT \
&& /sbin/iptables -A INPUT -i tun0 -j ACCEPT \
&& /sbin/iptables -A FORWARD -i tun0 -j ACCEPT \
&& /sbin/iptables -A OUTPUT -o tun0 -j ACCEPT \
&& /sbin/iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT \
&& /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT \
&& /sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE \
&& /sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT \
&& /sbin/iptables -P OUTPUT ACCEPT \
&& /sbin/iptables -P INPUT DROP
apt-get install iptables-persistent

Add NAT rules at iptables, set permanenty by add iptables rules to rc.local

#nano /etc/rc.local

Inser iptables rules below (above exit 0)

/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Enable Packet Forwarding

Tell the server to forward traffic from client services out to internet, edit /etc/sysctl.conf, uncomment net.ipv4.ip_forward, then restart server

#vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
#/etc/init.d/networking restart

Install OpenVPN server  and easy-RSA for encryption

#apt-get install openvpn easy-rsa

Configure OpenVPN server configuration

Extracted conf file to /etc/openvpn/server.conf  (Keep name server.conf)

#gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
#vim /etc/openvpn/server.conf

Secure server with higher-level encryption to dh2048.pem

# dh dh1024.pem
dh dh2048.pem

Adjust the Port and Protocol
By default port 1194 UDP protocol, change to TCP and change the explicit-exit-notify directive’s value from 1 to 0. Otherwise TCP will cause errors

#vim /etc/openvpn/server.conf
port 1194
proto tcp
explicit-exit-notify 0

Redirect all traffic to the proper location. Uncomment push “redirect-gateway def1 bypass-dhcp” so the VPN server passes on clients’ web traffic

push "redirect-gateway def1 bypass-dhcp"

Set the server to use OpenDNS for DNS resolution to prevent DNS requests from leaking outside the VPN connection. Uncomment push “dhcp-option DNS 208.67.222.222” and push “dhcp-option DNS 208.67.220.220”.

# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Define permissions in server.conf to user nobody and group nogroup:

# non-Windows systems.
user nobody
group nogroup

Configure and Build the Certificate Authority

OpenVPN uses certificates to encrypt traffic. Setup and generate our own Certificate Authority (CA). OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established. We will use Easy RSA’s scripts to do this.

First copy over the Easy-RSA generation scripts.

#cp -r /usr/share/easy-rsa/ /etc/openvpn

Then, create a directory to house the key.

#mkdir /etc/openvpn/easy-rsa/keys

Next, we will set parameters for our certificate.

#vim /etc/openvpn/easy-rsa/vars

The variables can changed according to our preference.

export KEY_COUNTRY="US"
export KEY_PROVINCE="TX"
export KEY_CITY="Dallas"
export KEY_ORG="My Company Name"
export KEY_EMAIL="[email protected]"
export KEY_OU="MYOrganizationalUnit"

In the same vars file, also edit this one line shown below.

For simplicity, we will use server as the key name. If you want to use a different name, you would also need to update the OpenVPN configuration files that reference server.key and server.crt.

Below, in the same file, we will specify the correct certificate. Look for the line, right after the previously modified block that reads.
Change “export KEY_NAME” default value of EasyRSA to your desired server name. This tutorial will use the name “server”

# X509 Subject Field
export KEY_NAME="server"

Next, we will generate the Diffie-Helman parameters using a built-in OpenSSL tool called dhparam. The -out flag specifies where to save the new parameters.

#openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Our certificate is now generated, and it’s time to generate a key.

First, we will switch into the easy-rsa directory.

#cd /etc/openvpn/easy-rsa

Now, we can begin setting up the CA itself. First, initialize the Public Key Infrastructure (PKI). Pay attention to the dot (.) and space in front of ./vars command. That signifies the current working directory (source).

#. ./vars

The following warning will be printed. Do not worry, as the directory specified in the warning is empty. NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys.
Next, we’ll clear all other keys that may interfere with our installation.

#./clean-all

Finally, we will build the CA using an OpenSSL command. This command will prompt you for a confirmation of “Distinguished Name” variables that were entered earlier. Press ENTER to accept existing values.

#./build-ca

Press ENTER to pass each prompt (all values has been set in vars file)

The Certificate Authority is now setup.

ERROR ON DEBIAN 9 ./build-ca

grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x

SOLUTIONS –>  #ln -s openssl-1.0.0.cnf openssl.cnf

Generate a Certificate and Key for the Server

Still working from /etc/openvpn/easy-rsa, build your key with the server name specified earlier as KEY_NAME in your configuration file.

#cd /etc/openvpn/easy-rsa
#./build-key-server server

Again, output will ask for confirmation of the Distinguished Name. Hit ENTER to accept defined, default values. This time, there will be two additional prompts.

A challenge password []:
An optional company name []:

Both should be left blank, so just press ENTER to pass through.
Two additional queries at the end require a positive (y) response:

Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]
You will then be prompted with the following, indicating success.
Output
Write out database with 1 new entries
Data Base Updated

Move the Server Certificates and Keys
We will now copy the certificate and key to /etc/openvpn, as OpenVPN will search in that directory for the server’s CA, certificate, and key.

#cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

You can verify the copy was successful with:

#ls -la /etc/openvpn

You should see the certificate and key files (server.crt,server.key,ca.crt)
At this point, the OpenVPN server is ready to go. Start it and check the status.

#service openvpn start

Check if openvpn successfully with ifconfig and tun0 interface exist

#ifconfig
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ERROR DEBIAN 9 WARNING: cannot stat file ‘ta.key’: No such file or directory (errno=2)

systemctl status openvpn@server
Jun 30 19:43:38 debian-s-1vcpu-1gb-sgp1-01 systemd[1]: Starting OpenVPN connection to server...
Jun 30 19:43:38 debian-s-1vcpu-1gb-sgp1-01 ovpn-server[2595]: WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)

SOLUTIONS edit /etc/openvpn/server.conf, comment “tls-auth ta.key 0”

#vim /etc/openvpn/server.conf
# The second parameter should be '0'
# on the server and '1' on the clients.
#tls-auth ta.key 0 # This file is secret
#systemctl restart openvpn@server
systemctl status openvpn@server

Generate Certificates and Keys for Clients

In this step, we use the server’s CA to generate certificates and keys for each client device which will be connecting to the VPN.

Client Key and Certificate Building

It’s ideal for each client connecting to the VPN to have its own unique certificate and key. Note: By default, OpenVPN does not allow simultaneous connections to the server from clients using the same certificate and key. (See duplicate-cn in /etc/openvpn/server.conf.).

To create separate authentication credentials for each device, you should complete this step for each device, change the name client1 to client2, etc

#cd /etc/openvpn/easy-rsa
#./build-key client1

You’ll be asked to change or confirm the Distinguished Name variables, which should be left blank, just press ENTER to accept the defaults.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

As before, these two confirmations at the end of the build process require a (y) response:

Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]

You will then receive the following output, confirming successful key build.

Write out database with 1 new entries.
Data Base Updated

Then, we’ll copy the generated key to the Easy-RSA keys directory that we created earlier. Note that we change the extension from .conf to .ovpn. This is to match convention.

#cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client1.ovpn

You can repeat this section again for each client, replacing client1 with the appropriate client name throughout.

Note: The name of your duplicated client1.ovpn doesn’t need to be related to the client device. The client-side OpenVPN application will use the filename as an identifier for the VPN connection itself. Instead, you should duplicate client1.ovpn to whatever you want the VPN’s name tag to be in your operating system. For example: work.ovpn will be identified as work, school.ovpn as school, etc.

We need to modify each client file to include the IP address of the OpenVPN server so it knows what to connect to. Open client1.ovpn, and edit “remote your_server_ip 1194” to “remote  192.168.0.1 1194”

#vim /etc/openvpn/easy-rsa/keys/client1.ovpn
# to load balance between the servers.
remote 192.168.0.1 1194

Next, uncomment “user nobody and group nogroup” by deleting #. Note: This doesn’t apply to Windows so you can skip it.

# Downgrade privileges after initialization (non-Windows only)
user nobody
group no group

Protocol

port 1194
proto tcp
explicit-exit-notify 0

Comment tls-auth ta.key 1

# If a tls-auth key is used on the server
# then every client must also have the key.
# tls-auth ta.key 1

Creating a Unified OpenVPN Profile for Client Devices

There are several methods for managing the client files but the easiest uses a unified profile. This is created by modifying the client1.ovpn template file to include the server’s Certificate Authority, and the client’s certificate and its key. Once merged, only the single client1.ovpn profile needs to be imported into the client’s OpenVPN application.

The area given below needs the three lines shown to be commented out so we can instead include the certificate and key directly in the client1.ovpn file. It should look like this when done:

#vim /etc/openvpn/easy-rsa/keys/client1.ovpn
# SSL/TLS parms.
# . . .
;ca ca.crt
;cert client.crt
;key client.key

Save the changes and exit. We will add the certificates by code.

First, add the Certificate Authority.

#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn

Second, add the certificate.

#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#cat /etc/openvpn/easy-rsa/keys/client1.crt >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn

Third and finally, add the key.

#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#cat /etc/openvpn/easy-rsa/keys/client1.key >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn

We now have a unified client profile. Using scp, you can then copy the client1.ovpn file to your second system.

Open and edit client1.ovpn with notepad

add <ca></ca><cert></cert><key></key> on each ca, crt and key (bottom)

Download client1.ovpn, on use OpenVPN app to connect by import the client1.ovpn

Add new open vpn client

#cd /etc/openvpn/easy-rsa
#./build-key newclient
#cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/newclient.ovpn

and follow the instructions until  open and edit newclient.ovpn

add <ca></ca><cert></cert><key></key> on each ca, crt and key (bottom)

Another way to Transferring Certificates and Keys to Client Devices

Recall from the steps above that we created the client certificates and keys, and that they are stored on the OpenVPN server in the /etc/openvpn/easy-rsa/keys directory.

For each client we need to transfer the client certificate, key, and profile template files to a folder on our local computer or another client device.

In this example, our client1 device requires its certificate and key, located on the server in:

  • /etc/openvpn/easy-rsa/keys/client1.crt
  • /etc/openvpn/easy-rsa/keys/client1.key

The ca.crt and client1.ovpn files are the same for all clients. Download these two files as well; note that the ca.crt file is in a different directory than the others.

  • /etc/openvpn/easy-rsa/keys/client1.ovpn
  • /etc/openvpn/ca.crt

While the exact applications used to accomplish this transfer will depend on your choice and device’s operating system, you want the application to use SFTP (SSH file transfer protocol) or SCP (Secure Copy) on the backend. This will transport your client’s VPN authentication files over an encrypted connection.

Here is an example SCP command using our client1 example. It places the file client1.key into the Downloads directory on the local computer.

scp root@your-server-ip:/etc/openvpn/easy-rsa/keys/client1.key Downloads/

At the end of this section, make sure you have these four files on your client device:

  • client1.crt
  • client1.key
  • client1.ovpn
  • ca.crt

ERROR

After installation test client to connect at first time, connect success but can’t browsing Internet, try restart server then connect client again

bisa ping ip address tapi tidak bisa ping name ie google.com <– Cek NAT apakah sudah benear2

ERROR AGEMENT: >STATE:1540202737,WAIT,,,,,,

Check firewall apakah port 1194 udah di open

Port (1194) di openvpn server.conf  HARUS SAMA dengan di client1.ovpn

Pilihan TCP atau UDP yang di pakai openvpn server.conf  HARUS SAMA di client1.ovpn