- OpenVPN
OpenVPN is an SSL/TLS VPN solution. It is able to traverse NAT connections and firewalls. This page explains briefly how to configure a VPN with OpenVPN, on both the server side and the client side, for several setups: from a simple raw connection for testing purposes up to a TLS-enabled connection.
Install the openvpn package on both client and server.
To enable OpenVPN in the Gnome NetworkManager applet for the taskbar notification area, the additional package network-manager-openvpn-gnome has to be installed on the client:
Prerequisites
On the server’s firewall, open up UDP 1194 (default port).
Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related.
Configuration
OpenVPN can authenticate users via user/pass, pre-shared key, certificates, etc.
Raw (unsecured) VPN connection for test
Server part
From a server shell, run
if your client has a static IP#; otherwise, run
You should see console output resembling
While openvpn is running, check your network configuration with ip a. Output should include
Note that, if you kill openvpn (e.g., with Control-c in its console), you will not see the above network interface.
Client part
You may also ping the server to test it can be reached: ping 10.9.8.1.
Static-Key VPN connection
Static-Key VPN server configuration
In the server’s /etc/openvpn directory, run the following command to generate a static key:
Copy this static key to the client's /etc/openvpn directory using a secure channel such as scp or sftp.
On the server, create a new /etc/openvpn/tun0.conf file and add the following:
where 10.9.8.x is your VPN subnet, 10.9.8.1 is the IP of the server and 10.9.8.2 the IP of the client.
Static-Key VPN client configuration
On the client, copy /etc/openvpn/static.key from the server, then create a new /etc/openvpn/tun0.conf file and add the following:
Start OpenVPN by hand on both sides with the following command (verbose output at 6):
To verify that the VPN is running, you should be able to ping 10.9.8.2 from the server and 10.9.8.1 from the client.
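As an added example (not from the wiki), here is the tun0.conf pair for this static-key setup, generated by a small shell helper, together with the permission check a practitioner should run on static.key. 203.0.113.10 and SERVER_ADDRESS are placeholders for the server's reachable address, and the key file used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: writes the static-key tun0.conf for
# either end of the tunnel above and checks the key file's permissions.
# 10.9.8.1/10.9.8.2 and static.key are the page's values; the key itself is
# produced by "openvpn --genkey secret static.key" (2.5+; older: --genkey --secret).
set -eu

# Usage: static_key_conf server|client [server_address]  -> config on stdout
static_key_conf() {
    role=$1
    server_addr=${2:-SERVER_ADDRESS}   # placeholder for the server's public address
    case $role in
        server) local_ip=10.9.8.1; peer_ip=10.9.8.2 ;;
        client) local_ip=10.9.8.2; peer_ip=10.9.8.1 ;;
        *) echo "role must be server or client" >&2; return 2 ;;
    esac
    # Only the client names a peer; the server just listens on UDP 1194.
    [ "$role" = client ] && echo "remote $server_addr"
    cat <<EOF
dev tun
ifconfig $local_ip $peer_ip
secret static.key
# Static-key mode negotiates nothing: pin cipher and HMAC explicitly so both
# ends agree (AEAD ciphers such as AES-256-GCM are not usable in this mode).
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
EOF
}

# Usage: check_key_perms path  -> 0 only if no other local user can read the key
check_key_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Stand-alone demo on a constructed (not real) key file.
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d)
    printf 'constructed key material, not a real key\n' > "$dir/static.key"
    chmod 600 "$dir/static.key"
    check_key_perms "$dir/static.key" && echo "key permissions OK"
    static_key_conf client 203.0.113.10
fi
```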
TLS-enabled VPN connection
Starting with Jessie, easy-rsa is a separate package that should be pulled in when openvpn is installed.
Init easy-rsa
To initialize the environment, just use the following command:
All the following commands are run from the easy-rsa directory. Refer to ./easyrsa help for a detailed description of the available commands.
Remember:
- only .key files should be kept confidential.
- .crt and .csr files can be sent over insecure channels such as plaintext email.
- there is no need to copy a .key file between computers.
- each computer will have its own certificate/key pair.
Generate CA CERTIFICATE/KEY
Generate CERTIFICATE/KEY of the CERTIFICATE AUTHORITY (CA):
It will generate ca.crt and ca.key in /etc/openvpn/easy-rsa/
Generate CERTIFICATE/KEY of the server:
It will generate server.crt and server.key in /etc/openvpn/easy-rsa/pki/
Generate DIFFIE-HELLMAN PARAMETERS
Build the DIFFIE-HELLMAN PARAMETERS (necessary for the server end of an SSL/TLS connection):
Generate Static Key for TLS authentication
If you already generated a static key, you may rename it to ta.key and move it to the /etc/openvpn/server folder. Otherwise, run the following:
Generate CERTIFICATE/KEYs of the client(s)
Generate a key for each client, using one of the following two commands.
- You’ll be asked to «Enter PEM pass phrase»; this is the passphrase you’ll need to log in from the client.
Generate a password-protected key (this protects the key and prompts for the password every time you connect to the server) for each client:
Install Client CERTIFICATE/KEYs
Copy ca.crt, clientname.crt and clientname.key from the server to the client’s /etc/openvpn/easy-rsa/pki/
Check OpenVPN RSA Key for details.
VPN connection from command line
VPN Server configuration file
If the previous connection is successful, create the server configuration file /etc/openvpn/server.conf as follows:
Create log status file:
Note that the /etc/init.d/openvpn script launched by ‘service openvpn restart’ will start an openvpn server for every .conf file in /etc/openvpn/, so if you still have the tun0.conf file from above, rename it so that it no longer ends in .conf. This is because systemd wants only one openvpn server by default.
VPN Client configuration file
On the client, create /etc/openvpn/client.conf as follows:
(Note: you may instead use the graphical NetworkManager UI, supplying the key and certificates there.)
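An added example, not the wiki’s own server.conf/client.conf: a shell helper that emits a matching pair for the TLS setup above, plus a check that the two ta.key directions are opposite. The PKI file locations follow the page; the 10.8.0.0/24 pool, UDP 1194, the status-log path, the clientname default and SERVER_ADDRESS are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's own configs: a matching server.conf / client.conf
# pair for the TLS setup above. PKI paths follow the page; the 10.8.0.0/24 pool,
# port 1194/UDP, the status log path, clientname and SERVER_ADDRESS are assumptions.
set -eu; PKI=/etc/openvpn/easy-rsa/pki
# Usage: tls_conf server|client [server_address] [client_name]  -> config on stdout
tls_conf() {
    role=$1; server_addr=${2:-SERVER_ADDRESS}; name=${3:-clientname}
    case $role in
    server) cat <<EOF
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca $PKI/ca.crt
cert $PKI/server.crt
key $PKI/server.key
dh $PKI/dh.pem
# direction 0 here and 1 on the client; the HMAC rejects unauthenticated control packets
tls-auth /etc/openvpn/server/ta.key 0
status /var/log/openvpn/openvpn-status.log
EOF
    ;;
    client) cat <<EOF
client
dev tun
proto udp
remote $server_addr 1194
ca $PKI/ca.crt
cert $PKI/$name.crt
key $PKI/$name.key
# ta.key has to be copied to the client too, next to ca/cert/key
tls-auth $PKI/ta.key 1
# trust only a peer cert issued for server use: no client cert can pose as the server
remote-cert-tls server
EOF
    ;;
    *) echo "role must be server or client" >&2; return 2 ;;
    esac
    cat <<EOF
tls-version-min 1.2
auth SHA256
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
EOF
}
# Usage: check_directions server.conf client.conf  -> 0 iff ta.key directions are 0 and 1
check_directions() {
    [ "$(awk '$1=="tls-auth"{print $3}' "$1")" = 0 ] && [ "$(awk '$1=="tls-auth"{print $3}' "$2")" = 1 ]
}
```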
VPN connection started as a Systemd service
At the root of /etc/openvpn/
By default, all configured VPNs in /etc/openvpn/ are started during system boot. Edit /etc/default/openvpn to start specific VPNs or to disable this behavior. You need to run systemctl daemon-reload once to enable new VPNs.
in subfolders server and client
On Debian the systemd service expects the server and client configuration files to be, respectively, in /etc/openvpn/server and /etc/openvpn/client. Once you have created the config file in the correct folder, you need to enable it. For example, suppose you created the configuration in /etc/openvpn/server/myserver.conf:
VPN connection started via interfaces file
openvpn ifupdown hooks are also available for starting/stopping tunnels using /etc/network/interfaces, e.g.:
See /usr/share/doc/openvpn/README.Debian.gz for more information.
Android / iOS devices certificate generation
An OpenVPN server on Debian can be configured for use with Android / iOS devices.
on the Server
On the Debian server, create the required certificates (this assumes you installed openvpn via apt and created the easy-rsa folder as described above):
Modify the following lines in /etc/openvpn/server.conf:
8.8.8.8 is Google DNS server. You may change to your preferred DNS server.
Test that the configuration works:
If it does, Ctrl-C out of this and restart OpenVPN server to use the new configuration:
Create client profile file /etc/openvpn/client.ovpn and attach certificates to it:
Modify the following lines in the client profile file /etc/openvpn/client.ovpn:
where YourServerIp and YourServerPort should be replaced with your server’s address and port. The three lines #ca, #cert and #key are commented out because the required certificates were embedded in the ovpn file instead of being shipped as separate files.
E-mail the client configuration file /etc/openvpn/$YOUR_CLIENT_NAME.ovpn or upload it to Google Drive so that it can be downloaded to the iPhone.
You’ll also want to run the server parts of the «Forward traffic to provide access to the Internet» steps below.
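As an added example (not the page’s own script), this turns a file-based client.conf into a single .ovpn with ca/cert/key/ta.key embedded, the way the profile above is built for phones. Paths are arguments; the demo at the bottom uses constructed PEM files, not a real PKI.

```shell
#!/bin/sh
# Added example, not from the wiki: turns a file-based client.conf into one
# .ovpn profile with ca/cert/key/ta.key embedded, as the page describes for
# phones. Arguments are paths; the demo at the bottom uses constructed PEM
# files, not real keys.
set -eu

# Usage: inline_profile client.conf pki_dir client_name > client_name.ovpn
inline_profile() {
    conf=$1; pki=$2; name=$3
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$pki/$f" ] || { echo "missing $pki/$f" >&2; return 1; }
    done
    # Comment out the directives that referred to separate files; the page
    # keeps them as #ca, #cert, #key so the profile still documents its origin.
    sed -E 's/^(ca|cert|key|tls-auth)[[:space:]]/#&/' "$conf"
    # An inlined tls-auth block cannot carry the trailing direction flag, so
    # it is given separately: 1 is the client side (the server uses 0).
    echo "key-direction 1"
    for pair in "ca:ca.crt" "cert:$name.crt" "key:$name.key" "tls-auth:ta.key"; do
        tag=${pair%%:*}; file=${pair#*:}
        echo "<$tag>"
        # easy-rsa .crt files carry a text dump before the PEM; keep only the
        # BEGIN..END block so the profile contains nothing but the PEM bodies.
        sed -n '/^-----BEGIN/,/^-----END/p' "$pki/$file"
        echo "</$tag>"
    done
    # The result now holds the client's private key: handle the .ovpn exactly
    # as you would the .key file when transferring it to the device.
}

# Stand-alone demo with constructed input (not a real PKI).
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'client\ndev tun\nremote SERVER_ADDRESS 1194\nca ca.crt\ncert alice.crt\nkey alice.key\ntls-auth ta.key 1\nremote-cert-tls server\n' > "$d/client.conf"
    for f in ca.crt alice.crt alice.key ta.key; do
        printf 'constructed header\n-----BEGIN CONSTRUCTED-----\nZm9v\n-----END CONSTRUCTED-----\n' > "$d/$f"
    done
    inline_profile "$d/client.conf" "$d" alice
fi
```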
on the Client
For iOS devices, install the OpenVPN Connect client. Then transfer the client configuration file /etc/openvpn/$YOUR_CLIENT_NAME.ovpn to the device by e-mail or via Google Drive, and open the configuration file from the Mail or Google Drive app.
For Android devices, install the OpenVPN Connect client. Then copy the client configuration file /etc/openvpn/$YOUR_CLIENT_NAME.ovpn to the device’s storage and open the configuration file from the OpenVPN app.
Your phone OpenVPN client should take care of the client parts automatically.
Forward traffic to provide access to the Internet
on the Server
On the server, enable IP forwarding at runtime:
Edit /etc/sysctl.conf and uncomment the following line to make it permanent:
Run the following command on the server for testing (old way):
Run the following command on the server for testing (starting with Bullseye):
You may also use the rc.firewall-iptables script from TLDP Masquerade as an alternative.
If everything works, make the rules persistent; see the Debian wiki iptables and nftables pages for details.
Manage the Public Key Infrastructure
easy-rsa helps to manage the keys of your PKI:
Generation of client & server certificates
More info here: /usr/share/doc/easy-rsa/doc
For security reasons, it is advisable to set up the PKI on a different server from the OpenVPN server.
Application to a VPN passing through a http proxy
This part describes how to configure a VPN to pass through an HTTP proxy that only allows traffic on port 443 (and 80). It uses the http-proxy option of OpenVPN.
- First of all, check that port 443 isn’t already used by another service on your server.
Configure OpenVPN on the server side by adding port 443 and proto tcp-server to the configuration file. This option works only with TCP as the tunnel carrier protocol.
Configure OpenVPN on the client side by adding port 443, proto tcp-client and http-proxy 1.1.1.1 8080 to the configuration file.
Where 1.1.1.1 and 8080 are the IP and port of your proxy.
- Now start OpenVPN on the server first, then on the client.
Enable and use the Management Interface
Enable the option in server conf file by adding:
Connect to this interface:
This is useful for authentication (http-proxy) or for killing an open session.
Source
openvpn for server and client
These notes cover the installation of OpenVPN on a Debian server and client. Once setup, all internet traffic, including browser traffic, from the client will travel via the VPN to the server. We do a quick «client baseline,» then the server config, then the client config, then testing.
These notes presume you are not ethernet bridging: i.e., these instructions are for dev tun not dev tap.
Client baseline
First, let’s be sure that you know the real IP#s of both your client and your server, and that your underlying networking is sound. Switch to your client and run the following diagnostics:
1. Your client’s ifconfig should not have an entry for tun0. E.g., from a workstation with both wired and wireless ethernet interfaces, you should see something like
2. From your ifconfig, note the IP# (or inet addr) of the ethernet interface you are using. This is your client’s IP#.
3. ping your server from your client using the server’s IP#. If this fails, you probably don’t actually know its IP#, and you must know it, so stop now and learn it.
4. ping your server from your client using IP#=10.8.0.1. This should fail, since you have not yet setup your VPN.
5. Check that DNS works from your client. Use www.whatismyip.com (or the IP-echo website you prefer), since you will access this website later. You should see something like
6. ping www.whatismyip.com (or the IP-echo website you prefer): this will later be used to establish validity of routing beyond your VPN. You should see something like
7. Trace the route to www.whatismyip.com (or the IP-echo website you prefer). You should see something like
The first IP# is your IP gateway (e.g., the modem/router on your client’s physical LAN). The last IP# must be that of your target IP-echo website (as noted by nslookup and ping). The number of lines of traceroute output (aka the number of «hops») is probably not relevant.
8. Open a web browser and access http://www.whatismyip.com (or the IP-echo website you prefer). It should return the client IP# as listed in your ifconfig.
Note that, in section=Client configuration (below), you’ll be installing some network-related packages. If you’re cautious (and that’s a good thing!), repeat these baseline diagnostics after installing those packages, to be extra-sure your client is still networking properly.
Server configuration
Switch to your server. First, install OpenVPN on it, with (e.g.)
Next, create the keys needed by both server and client.
In the vars file, edit the KEY_* entries at the bottom of the file, such as KEY_COUNTRY, KEY_ORG, KEY_EMAIL, etc. Next, source the vars file and then clean the directory.
Next build the certificates. For the ‘Common Name’ field, you can use anything to your liking. I used ‘OpenVPN-CA-rustybear’. For the Certificate Authority (build-ca), use ‘server’. For the client keys (build-key), use ‘client1’ or ‘client2’ or whatever you like, I used ‘client_kevin’.
Generate the Diffie Hellman parameters for the server.
When this is done, you will have a number of files in the keys/ subdirectory. Copy the keys listed below to the server’s /etc/openvpn directory.
And copy the keys needed for the client either directly to the client via scp or to a USB disk. The files needed by the client are ca.crt, client_kevin.crt, and client_kevin.key (or whatever you named the files when you generated them with the build-key script).
Switching to the client machine for just a moment, copy the client keys to the /etc/openvpn directory.
Next, back on the server, create the openvpn server config file. Start with the example in the docs.
Gunzip it if necessary then edit it. Here’s a simple but workable example:
Note the entries of the form push «dhcp-option DNS». The DNS servers you list must be accessible from your server and client. They will be pushed out to the client and can cause networking problems on the client if incorrect.
Now start the openvpn server with either of the following commands.
You will need to enable IP forwarding.
You can make this a permanent change by uncommenting the line:
in the file /etc/sysctl.conf.
You’ll also have to allow NAT forwarding through your firewall. This will most likely be accomplished with something like the following rule in iptables:
This assumes you have set up your openvpn server with the IP 10.8.0.0 in the server.conf file as described above.
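As an added example that is not part of either set of notes, here are the forwarding rules for this step and for the «Forward traffic to provide access to the Internet» section above, in nftables (Bullseye onward) and iptables form, scoped to the 10.8.0.0/24 pool so that only VPN clients are masqueraded and only towards the Internet-facing interface; eth0 and tun0 are assumed interface names.

```shell
#!/bin/sh
# Added example, not from either set of notes: the forwarding rules for the
# "Forward traffic" section above and this one, scoped so that only the VPN
# pool is masqueraded and only towards the Internet-facing interface. The
# 10.8.0.0/24 pool comes from "server 10.8.0.0 255.255.255.0"; eth0 and tun0
# are assumed names. Forwarding itself is switched on with net.ipv4.ip_forward=1.
set -eu

# Usage: valid_cidr 10.8.0.0/24  -> 0 if the argument is an IPv4 network in CIDR form
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Usage: vpn_nat_nft vpn_cidr wan_if [tun_if]  -> nftables ruleset on stdout
# (Bullseye and later; load it with nft -f and persist it in /etc/nftables.conf)
vpn_nat_nft() {
    valid_cidr "$1" || { echo "bad network: $1" >&2; return 2; }
    net=$1; wan=$2; tun=${3:-tun0}
    cat <<EOF
table inet vpn_nat {
    chain forward {
        # policy drop assumes this host forwards nothing but VPN traffic
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$tun" oifname "$wan" ip saddr $net accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # masquerade the VPN pool only, never every packet leaving the host
        oifname "$wan" ip saddr $net masquerade
    }
}
EOF
}

# Usage: vpn_nat_iptables vpn_cidr wan_if [tun_if]  -> equivalent iptables commands
# (the "old way" on the page; save them as the iptables wiki page describes to survive a reboot)
vpn_nat_iptables() {
    valid_cidr "$1" || { echo "bad network: $1" >&2; return 2; }
    net=$1; wan=$2; tun=${3:-tun0}
    cat <<EOF
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $tun -o $wan -s $net -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
EOF
}
```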
Client configuration
Switch to your client. You’ll need to install two packages on it:
openvpn for OpenVPN (you guessed !-)
resolvconf. This is more problematic ( resolvconf can potentially conflict with other DNS-writing programs on your client) but we need it to make DNS work correctly on the client. If you’re cautious (and that’s a good thing!), read README.Debian in the OpenVPN docs and the README for resolvconf.
Install the packages with (e.g.)
In the server config above, you created keys for the client, which you should have already copied from the server to the client’s directory at /etc/openvpn. This includes the ca.crt file.
Next you need a client.conf file, a sample of which is found in the docs.
or feel free to use this simple but workable example, after you substitute:
your server’s IP number for your.server.IP.number
your client name for client_kevin (unless you used that name when generating certificates and keys)
Some obvious things: You’ll want to use your server’s IP for the remote entry. List your client keys and the server CA. Uncomment the user and group entries.
Not so obvious are the last two lines. They call the script update-resolv-conf, which should be in your /etc/openvpn directory. The script will use resolvconf (which you installed above) and the DNS settings of your openvpn server, to rewrite your client’s resolv.conf file.
To start openvpn on the client, issue the command:
You’ll need the --script-security setting to get the update-resolv-conf script to execute. You can place this setting in the client.conf file if you like.
On both the server and the client, you can control whether your vpn is automatically started on machine startup by editing the AUTOSTART lines in the file /etc/default/openvpn.
Testing
Check your installation as follows:
1. Start your server (as instructed above) if you have not already done so.
2. Start your client (as instructed above) if you have not already done so.
3. Run ifconfig on your client. You should see a new entry for tun0: i.e., in addition to the ifconfig entries you noted in your client baseline (above), you should now also see an entry like the following (possibly with slightly different inet addr)
4. ping your server from your client using the server’s real IP#: i.e., the one you listed in your client.conf in the line beginning with remote. This is just a sanity test: if this does not work, something is very wrong with your networking.
5. ping your server from your client using IP#=10.8.0.1. You should see something like
6. Check that DNS works from your client, using www.whatismyip.com (or the IP-echo website you prefer). You should see something like
7. ping www.whatismyip.com (or the IP-echo website you prefer) to establish validity of routing beyond your VPN. You should see output similar to those you got when you did this for your client baseline, though the response times will probably be longer. If instead you see something like
you have a routing problem at your server, which you need to fix.
8. Trace the new route to www.whatismyip.com, or the IP-echo website you prefer, or some other IP address beyond your VPN. You should see output not too different to those you got when you did this for your client baseline, though you will probably see more lines/hops. If instead you see something like
you have a routing problem at your server, which you need to fix.
Source