OpenVPN Server build on Debian 11

Quote from : https://www.server-world.info/en/note?os=Debian_11&p=openvpn&f=1

[1]Install OpenVPN.
root@dlp:~# apt -y install openvpn easy-rsa iptables
[2]Create CA and Certificates.
root@dlp:~# cd /usr/share/easy-rsa
# initialize
root@dlp:/usr/share/easy-rsa# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/share/easy-rsa/pki
# create CA
root@dlp:/usr/share/easy-rsa# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021
# set any pass-phrase
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
......................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# set any name
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Server-CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/share/easy-rsa/pki/ca.crt
# create server certificates
# any name is OK for [server1] name
# (it is set for file name of certs or commonName)
root@dlp:/usr/share/easy-rsa# ./easyrsa build-server-full server1 nopass
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021
Generating a RSA private key
......+++++
...................+++++
writing new private key to '/usr/share/easy-rsa/pki/easy-rsa-1222.5qztus/tmp.OXJSCa'
-----
Using configuration from /usr/share/easy-rsa/pki/easy-rsa-1222.5qztus/tmp.B2bZfO
# answer with the pass-phrase set on the CA
Enter pass phrase for /usr/share/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server1'
Certificate is to be certified until Dec 26 05:16:27 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated
# create client certificates
# any name is OK for [client1] name
# (it is set for file name of certs or commonName)
root@dlp:/usr/share/easy-rsa# ./easyrsa build-client-full client1 nopass
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021
Generating a RSA private key
..............+++++
................+++++
writing new private key to '/usr/share/easy-rsa/pki/easy-rsa-1302.I8x7Jq/tmp.fQMVRq'
-----
Using configuration from /usr/share/easy-rsa/pki/easy-rsa-1302.I8x7Jq/tmp.XD1zES
# answer with the pass-phrase set on the CA
Enter pass phrase for /usr/share/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client1'
Certificate is to be certified until Dec 26 05:18:02 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated
# generate Diffie Hellman ( DH ) parameter
root@dlp:/usr/share/easy-rsa# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............++*++*++*++*

DH parameters of size 2048 created at /usr/share/easy-rsa/pki/dh.pem
# create TLS-Auth key
root@dlp:/usr/share/easy-rsa# openvpn --genkey secret ./pki/ta.key
# copy generated certs
root@dlp:/usr/share/easy-rsa# cp -pR /usr/share/easy-rsa/pki/{issued,private,ca.crt,dh.pem,ta.key} /etc/openvpn/server/
# note : this also copies private/ca.key and private/client1.key to the server directory.
# The server only needs private/server1.key; ca.key should stay with the CA (ideally on a
# separate, offline host) and client1.key goes to the client together with client1.crt,
# ca.crt and ta.key
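A check worth running before the copy above: each certificate must chain to ca.crt, each private key must belong to its certificate, the extended key usage must be the one Easy-RSA's build-server-full / build-client-full set (that is what a peer's remote-cert-tls option verifies), and ta.key must really be an OpenVPN static key. The script below is an added example, not part of the quoted page or of Easy-RSA; the pki/ layout and the names server1 and client1 follow the steps above, the function names and messages are the example's own, and it assumes keys created with nopass (an encrypted key would make openssl prompt for its passphrase).

```shell
#!/bin/sh
# Added example (not from the quoted page or from Easy-RSA): sanity-check the Easy-RSA
# output before it is copied into /etc/openvpn/server. It assumes the pki/ layout created
# above (ca.crt, issued/NAME.crt, private/NAME.key, ta.key) and keys made with "nopass";
# an encrypted key would make "openssl pkey" prompt for its passphrase.

# pubkey_digest FILE KIND: SHA-256 of the SubjectPublicKeyInfo carried in a certificate
# (KIND=x509) or in a private key (KIND=pkey); equal digests mean the key belongs to the cert.
pubkey_digest() {
    if [ "$2" = x509 ]; then
        openssl x509 -in "$1" -noout -pubkey | openssl sha256
    else
        openssl pkey -in "$1" -pubout | openssl sha256
    fi
}

# check_cert PKI NAME EKU: the certificate chains to ca.crt, the key matches it, and it
# carries the extended key usage Easy-RSA sets ("TLS Web Server Authentication" for
# build-server-full, "TLS Web Client Authentication" for build-client-full). The peer's
# remote-cert-tls option rejects certificates without the matching EKU.
check_cert() {
    pki="$1"; name="$2"; eku="$3"
    crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    openssl verify -CAfile "$pki/ca.crt" "$crt" >/dev/null 2>&1 \
        || { echo "$name: certificate does not chain to ca.crt"; return 1; }
    [ "$(pubkey_digest "$crt" x509)" = "$(pubkey_digest "$key" pkey)" ] \
        || { echo "$name: private key does not match the certificate"; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q "$eku" \
        || { echo "$name: certificate lacks EKU '$eku'"; return 1; }
    echo "$name: ok"
}

# check_ta_key PKI: ta.key must be an OpenVPN static key (what "openvpn --genkey secret"
# writes), not a certificate or key copied into the wrong place.
check_ta_key() {
    grep -q 'BEGIN OpenVPN Static key V1' "$1/ta.key" \
        || { echo "ta.key: not an OpenVPN static key"; return 1; }
    echo "ta.key: ok"
}

# check_pki PKI: run every check, return 1 if any of them failed
check_pki() {
    rc=0
    check_cert "$1" server1 "TLS Web Server Authentication" || rc=1
    check_cert "$1" client1 "TLS Web Client Authentication" || rc=1
    check_ta_key "$1" || rc=1
    return $rc
}

# usage: sh check-pki.sh /usr/share/easy-rsa/pki
if [ $# -gt 0 ]; then check_pki "$1"; fi
```

Run it as `sh check-pki.sh /usr/share/easy-rsa/pki` before the cp; a non-zero exit means one of the files is not what the server or a client will accept.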
[3]Configure OpenVPN.
This example applies the routing and NAT rules with iptables (installed in [1]) from the add/remove scripts below; adjust them if another firewall manages the host.
# copy sample configuration
root@dlp:~# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/
root@dlp:~# vi /etc/openvpn/server/server.conf
# line 32 : change if needed (listening port of OpenVPN)
port 1194
# line 35 : change if needed (udp in this example)
;proto tcp
proto udp
# line 53 : change if needed (tun in this example)
;dev tap
dev tun
# line 78 : specify certificates
ca ca.crt
cert issued/server1.crt
key private/server1.key
# line 85 : specify DH file
dh dh.pem
# line 101 : specify the network used inside the VPN
# any network is OK except your local network
server 192.168.100.0 255.255.255.0
# line 142 : uncomment and change to your local network
push "route 10.0.0.0 255.255.255.0"
# line 231 : keepalive settings
keepalive 10 120
# line 244 : specify TLS-Auth key
# (with OpenVPN 2.4 or later, "tls-crypt ta.key" also encrypts the control channel and is
# the stronger choice; the clients must then use tls-crypt as well)
tls-auth ta.key 0
# line 263 : uncomment (enable compression)
# security note : compression is deprecated in OpenVPN 2.5 and lets an attacker who can
# inject plaintext into the tunnel recover secrets from it (VORACLE); leave this commented
# unless old clients require it, and then configure it on the clients too
comp-lzo
# line 281 : enable persist options
persist-key
persist-tun
# line 306 : specify log level (0 - 9, 9 means debug level)
verb 3
root@dlp:~# vi /etc/openvpn/server/add-bridge.sh
# create new
#!/bin/bash
# network interface which can connect to the local network
IF=enp1s0
# interface the VPN tunnel uses
# with [dev tun] in the config this is normally [tun0]
VPNIF=tun0

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i ${VPNIF} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${IF} -j MASQUERADE
# note : the return traffic from ${IF} to ${VPNIF} relies on the FORWARD chain's default
# policy (ACCEPT on a fresh Debian install); add a matching rule if that policy is DROP
root@dlp:~# vi /etc/openvpn/server/remove-bridge.sh
# create new
#!/bin/bash
# network interface which can connect to the local network
IF=enp1s0
# interface the VPN tunnel uses
# with [dev tun] in the config this is normally [tun0]
VPNIF=tun0

# note : this turns off IP forwarding for the whole host; drop the line if other
# services on this machine route traffic
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -D FORWARD -i ${VPNIF} -j ACCEPT
iptables -t nat -D POSTROUTING -o ${IF} -j MASQUERADE
root@dlp:~# chmod 700 /etc/openvpn/server/{add-bridge.sh,remove-bridge.sh}
root@dlp:~# vi /lib/systemd/system/openvpn-server@.service
# add into [Service] section
# (an edit to the packaged unit is lost on the next package upgrade; "systemctl edit
# openvpn-server@.service" puts the same two lines in a drop-in under
# /etc/systemd/system/openvpn-server@.service.d/ that survives upgrades)
[Service]
.....
.....
ExecStartPost=/etc/openvpn/server/add-bridge.sh
ExecStopPost=/etc/openvpn/server/remove-bridge.sh
root@dlp:~# systemctl daemon-reload
root@dlp:~# systemctl enable --now openvpn-server@server
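Once the service is up, the server.conf written in [3] can be reviewed against the settings a reviewer checks before exposing the port: no compression, a protected control channel, remote-cert-tls client, a TLS floor, and a privilege drop after start. The script below is an added example, not part of the quoted page or of OpenVPN; the directive names are OpenVPN's own, while the function names, the messages and the path it is run against are the example's assumptions.

```shell
#!/bin/sh
# Added example (not from the quoted page): lint an OpenVPN server.conf for the settings
# a reviewer checks before exposing the port. Directive names are OpenVPN's own; the
# function names, messages and the path passed on the command line are assumptions.

# active REGEX FILE: true if an uncommented line of FILE starts with REGEX.
# OpenVPN treats lines beginning with '#' or ';' as comments, so ";comp-lzo" is inactive.
active() {
    grep -Eq "^[[:space:]]*$1" "$2"
}

# lint_server_conf FILE: print one finding per line; return 1 if there was any finding.
lint_server_conf() {
    f="$1"; n=0
    if active '(comp-lzo|compress)' "$f"; then
        echo "compression enabled: remove comp-lzo/compress (deprecated; VORACLE-style plaintext recovery)"
        n=$((n + 1))
    fi
    if ! active '(tls-auth|tls-crypt)' "$f"; then
        echo "control channel unprotected: add 'tls-crypt ta.key' (or 'tls-auth ta.key 0')"
        n=$((n + 1))
    fi
    if ! active 'remote-cert-tls[[:space:]]+client' "$f"; then
        echo "missing 'remote-cert-tls client': a certificate without the client EKU (e.g. a server cert) could connect as a client"
        n=$((n + 1))
    fi
    if ! active 'tls-version-min[[:space:]]+1\.[23]' "$f"; then
        echo "missing 'tls-version-min 1.2': older TLS versions remain negotiable"
        n=$((n + 1))
    fi
    if ! active 'user[[:space:]]+nobody' "$f" || ! active 'group[[:space:]]+nogroup' "$f"; then
        echo "daemon keeps root after start: uncomment 'user nobody' and 'group nogroup' (both are in the sample config)"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# usage: sh lint-server-conf.sh /etc/openvpn/server/server.conf
if [ $# -gt 0 ]; then lint_server_conf "$1"; fi
```

Run as `sh lint-server-conf.sh /etc/openvpn/server/server.conf`; every line printed is a directive to change, and the exit status is 0 only when nothing was found. The checks match the directives at the start of an uncommented line only, so a commented-out `;user nobody` from the sample file is correctly reported as missing.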
