In Linux, we can do many things and one of them is to create our own VPN. To do this, we will use well-known tools like OpenVPN and our beloved Debian 11. So, in this post, you will learn how to install OpenVPN Server on Debian 11.
What is OpenVPN
In a nutshell, OpenVPN is a service used to create Virtual Private Networks. That is, it allows you to link two nodes that are connected over the Internet but not in the same place, as if it were a LAN.
OpenVPN has established itself as a de-facto standard in the open-source network space, with more than 3 million downloads since its creation. The service combines security with ease of use: OpenVPN’s lightweight design sheds many of the complexities that characterize other VPN implementations.
One thing I haven’t mentioned is that OpenVPN is completely open-source, which allows us to audit its security and know how reliable it is.
A common use of OpenVPN is to allow access to a company’s resources regardless of the location of the device. On the other hand, it is also used as a vital tool in telecommunications or academic situations.
While setting up a VPN is never an easy task, it’s actually not that complex thanks to OpenVPN’s architecture and community tools.
So, let’s get started.
Install OpenVPN Server on Debian 11
Thanks to the fantastic work done by the community we have a fully working and easy-to-use installation script.
The script offers the following features:
- Installs and configures a ready-to-use OpenVPN server
- Iptables rules and forwarding managed in a seamless way
- If needed, the script can cleanly remove OpenVPN, including configuration and iptables rules
- Customisable encryption settings, enhanced default settings
- OpenVPN 2.4 features, mainly encryption improvements
- Variety of DNS resolvers to be pushed to the clients
- Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
- Choice between TCP and UDP
And a few other things. All really easy to use. Let’s go for it.
So, download the script by running
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
If you don’t have the curl package installed, you can install it with
sudo apt install curl
Assign execute permissions to the script and then run it
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh
You will see the following output. It will show the IP address of the server or we will have to define it. You will also be prompted to enter some information.
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.
I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address:
We will then be asked if we want to enable IPv6 which is disabled by default.
Checking for IPv6 connectivity...
Your host appears to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: y
By default, OpenVPN uses port 1194, which we can change on the next screen.
What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 1
Also, we need to set the protocol that OpenVPN will use.
What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
1) UDP
2) TCP
Protocol [1-2]: 1
The VPN clients need a DNS resolver, so on this screen you have to choose one from the list.
What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Anycast: worldwide)
12) NextDNS (Anycast: worldwide)
13) Custom
DNS [1-12]: 11
Now you will be asked if you want to use compression. The script warns that it is not recommended because of the VORACLE attack, but the choice is yours.
Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n
If you really know how to manipulate OpenVPN you can customize the encryption options. If you don’t, don’t do it.
Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
Customize encryption settings? [y/n]: n
Then the whole installation process will start. When it’s time to add a new client you will see the following output screen where you will have to define the Client Name.
Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: imaginelinux
After this, you will be asked if you want to protect the configuration file with a password.
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1
Then you will be informed that the process has been successful.
Client imaginelinux added.
The configuration file has been written to /home/user/imaginelinux.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
Now all you have to do is download the imaginelinux.ovpn file and copy it to the client so that it can connect from the GUI of your connection manager or via the terminal using the command
openvpn [openvpnfile]
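Before copying the profile around, it is worth checking it against the answers given above (compression declined, passwordless or password-protected key). The following is an added example, not part of the installer or the original post: the function names audit_ovpn and write_sample_profile are hypothetical, and the sample profile is constructed with a dummy key body.

```shell
#!/bin/sh
# Added example, not part of the installer. The sample profile is constructed
# and its key body is dummy text, not a real key.

# audit_ovpn FILE: print one finding per line; print nothing for a clean profile.
audit_ovpn() {
    ao_file=$1
    [ -r "$ao_file" ] || { echo "unreadable: $ao_file"; return 2; }

    # The profile embeds the client's private key: group/other access leaks it.
    ao_perms=$(ls -ld "$ao_file" | cut -c5-10)
    [ "$ao_perms" = "------" ] || echo "permissions: open beyond owner ($ao_perms)"

    # Installer option 1 (passwordless client) leaves the inline key unencrypted.
    ao_key=$(sed -n '/^<key>/,/^<\/key>/p' "$ao_file")
    if [ -z "$ao_key" ]; then
        echo "key: no inline <key> block found"
    elif ! printf '%s\n' "$ao_key" | grep -q 'ENCRYPTED'; then
        echo "key: private key is not passphrase-protected"
    fi

    # Compression was declined because of VORACLE; flag any directive for it.
    if grep -Eq '^[[:space:]]*(compress|comp-lzo)([[:space:]]|$)' "$ao_file"; then
        echo "compression: compress/comp-lzo directive present"
    fi
    return 0
}

# write_sample_profile FILE: constructed profile with a passwordless key.
write_sample_profile() {
    cat > "$1" <<'EOF'
client
proto udp
remote 203.0.113.10 1194
dev tun
<key>
-----BEGIN PRIVATE KEY-----
ZHVtbXkga2V5IGJvZHksIG5vdCBhIHJlYWwga2V5
-----END PRIVATE KEY-----
</key>
EOF
}

# Usage: sh audit_ovpn.sh /home/user/imaginelinux.ovpn
if [ "$#" -ge 1 ]; then
    audit_ovpn "$1"
fi
```

A passwordless profile is a complete credential on its own, so a "key:" finding means the file should be kept at mode 600 and moved to the client only over an encrypted channel.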
Conclusion
In this post, you learned how to install OpenVPN on Debian 11 and configure it thanks to a script that makes everything easier. In this respect, OpenVPN is very flexible and its usefulness is well proven.