A Virtual Private Network (VPN) server installed on a remote server creates an encrypted tunnel between your local machine/device and the remote server. In this way, you can surf the Internet with the IP of the remote server, as if you were physically present in your server’s physical location. VPNs can also be used to create encrypted data channels between two business locations, etc. However in general, you will want to use a VPN in the following three common situations:
- You want to access the Internet from an unsecure public network, such as from the Wi-Fi connection of a cafe, restaurant, hotel lobby, airport, railway station, etc. To make sure that nobody can intercept your traffic and credentials when logging in to HTTP websites, you’ll want to connect to a VPN. This way all the data traffic between you and the remote server will be encrypted.
- You have access to an Internet banking account offered by your bank. You decide to leave your country and spend some time abroad. When you try to access your online banking account from outside your country, you find that your bank’s software blocks all IPs geolocated outside your country. Instead of calling the bank, complaining and listening to your bank’s excuses, etc., you can just access your bank’s site through a VPN. This way the bank will see that your IP is located in your home country and will let you log in. This is legal, because you have all the rights to log in to your Internet banking account and it’s not your fault that the bank’s software is not capable and flexible enough to deal with this kind of situations. This implies that your VPN server is installed on a server physically located in a datacenter inside your home country.
- You want to access a website/service which requires you to be located in your home country, while you are abroad. Using a VPN you can sign up or log in to that website/service as if you were physically located in your home country. This implies that your VPN server is installed on a server physically located in a datacenter inside your home country.
Install OpenVPN from the Debian repository:
apt-get install openvpnWe’ll configure OpenVPN for IPv4 only because IPv6 connectivity can create problems such as DNS leaks in certain situations, at least with the current version of OpenVPN.
An OpenVPN connection consists of two channels between the server and the clients: the Control Channel and the Data Channel. A client connects to the server by initiating a TLS session over the control channel, in which credentials are exchanged between server and clients to establish the data channel. The data channel is the encrypted pipeline in which all traffic between server and clients is then transmitted.
Create a new user for the OpenVPN daemon to run as, after startup. Forcing OpenVPN to run under its own account is a good way to isolate it from the rest of the system. Here we’ll call the new user openvpn_server:
adduser --system --shell /bin/false --no-create-home openvpn_serverNext, you need to create the /etc/openvpn/server.conf configuration file. OpenVPN already has many sample configuration files. Copy the sample server.conf file into the /etc/openvpn directory:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpnRun the make-cadir command to create a certificates directory and to copy all the necessary files from /usr/share/easy-rsa to the new directory, /etc/openvpn/easy-rsa:
make-cadir /etc/openvpn/easy-rsaSwitch to the new directory:
cd /etc/openvpn/easy-rsaEdit the /etc/openvpn/easy-rsa/vars file:
nano /etc/openvpn/easy-rsa/varsUncomment the following lines and change the default parameters between the quotation marks, to make them look like this:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE ""
set_var EASYRSA_REQ_CITY ""
set_var EASYRSA_REQ_ORG ""
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU ""Also, uncomment the following lines and change the values as follows:
set_var EASYRSA_CA_EXPIRE 54750
set_var EASYRSA_CERT_EXPIRE 54750Next, edit the /etc/openvpn/server.conf file:
nano /etc/openvpn/server.confModify the lines for the location of the certificate and key files and of the Diffie Hellman parameter file, to make them look like the lines in blue from below. mail.example.com is the hostname of your server:
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/mail.example.com.crt
key /etc/openvpn/easy-rsa/pki/private/mail.example.com.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/dh2048.pemSet OpenVPN to push a gateway configuration so that all the clients will send Internet traffic through it:
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"Push DNS resolvers to client devices. Client-side DNS settings are ideal for preventing DNS leaks. OpenDNS DNS IPs are provided by default but you can change this to other DNS IPs:
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
Require a matching HMAC signature for all packets involved in the TLS handshake between the server and connecting clients. Packets without this signature will be dropped. Change this line:
tls-auth ta.key 0 # This file is secretto make it look like this:
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secretAlso, change the data channel’s authentication digest to SHA-512 (a SHA-2 hash function). Search for the block starting with # Select a cryptographic cipher. Below this block you should have the following lines:
data-ciphers AES-256-CBC
auth SHA512Also restrict the VPN’s control channel to strong cipher suites. It is recommended to be as restrictive as possible here, but not all cipher suites can be used with all versions of OpenVPN. Add the following tls-cipher line right below the auth SHA512 line mentioned above, like this:
data-ciphers AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHAThe default cipher suite used for the control channel is one agreed on by both server and client during the TLS handshake. The agreement is based on what is supported by their respective OpenSSL versions.
Also enable compression like this:
# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
comp-lzoUncomment the user and group lines and make them look like below. This tells the OpenVPN daemon to drop root privileges and switch to the openvpn_server user after startup.
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user openvpn_server
group nogroupChange logging verbosity to 0:
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 030.1. Generate the Diffie-Hellman PEM file
The Diffie-Hellman parameter is a piece of randomly generated data used when establishing forward secrecy during the creation of a client’s session key. Create the file by running:
openssl dhparam 2048 > /etc/openvpn/dh2048.pemThe output will look like this:
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................................................+........................Generating the Diffie-Hellman parameter will take about 1 minute or less to complete. The resulting file will be /etc/openvpn/dh2048.pem, where 2048 indicates the bit length of the Diffie-Hellman parameter.
The Diffie-Hellman PEM file can be arbitrarily deleted and regenerated without needing to change server or client settings.
30.2. Generate the HMAC key file
First create the keys directory:
cd /etc/openvpn/easy-rsa
mkdir keysGenerate the HMAC key file:
openvpn --genkey secret /etc/openvpn/easy-rsa/keys/ta.key30.3. Server Credentials
It’s necessary to run the next commands while in the /etc/openvpn/easy-rsa directory, therefore navigate there:
cd /etc/openvpn/easy-rsa30.3.1. Create the root certificate or Certificate Authority file
A root certificate, sometimes caled a Certificate Authority, is the certificate that will be used to generate the client key pairs. First create the pki directory by running:
./easyrsa init-pkiCreate the Certificate Authority file by running:
./easyrsa build-caYou will be prompted to enter a CA Key Passphrase, two times. Enter a passphrase and write it down in a secure place. Enter the same passphrase when asked for the ‘PEM pass phrase’. When you will be prompted to enter the ‘Common Name’, enter the hostname of your server (the content of the /etc/hostname file): mail.example.com, and press Enter. The Certificate Authority file /etc/openvpn/easy-rsa/pki/ca.crt will be created.
Generate the server certificate and key by running:
./easyrsa build-server-full mail.example.com nopassThe nopass option disables password for the key file.You will be prompted to enter the CA Key Passphrase that you saved earlier. The command will generate two important files: the server’s key:
/etc/openvpn/easy-rsa/pki/private/mail.example.com.key
and the server’s certificate:
/etc/openvpn/easy-rsa/pki/issued/mail.example.com.crt
30.4. Client credentials
You have to generate a unique set of credentials for each client that will connect to the VPN server. You can repeat this step for any client that you need to create credentials for.
All clients should have a unique name. Change client1 in the following lines to a descriptive name of your choice that you will be able to associate with the client:
./easyrsa build-client-full client1 nopassAfter you enter the CA Key Passphrase created earlier, the command will generate the client’s key:
/etc/openvpn/easy-rsa/pki/private/client1.key
and the client’s certificate:
/etc/openvpn/easy-rsa/pki/issued/client1.crt
30.4.1. Client configuration file
Each client needs a configuration file defining the OpenVPN server’s settings for it. You can’t save this configuration file in /etc/openvpn, because the server.conf file is located there. You will have to store it in the /etc/openvpn/easy-rsa/keys/client1 folder along with the other client files, even if this file doesn’t need to be kept secret. First create a directory for the credentials of client1:
makedir /etc/openvpn/easy-rsa/keys/client1Copy the client.conf template from the /usr/share/doc/openvpn/examples/sample-config-files directory to the /etc/openvpn/easy-rsa/keys/client1 directory. Clients usually require an .ovpn file instead of a .conf file, therefore, change the file extension when copying the file:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client1/client.ovpnOpen the /etc/openvpn/easy-rsa/keys/client1/client.ovpn file for editing:
nano /etc/openvpn/easy-rsa/keys/client1/client.ovpnUpdate the remote line with the IP address of the server:
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 123.123.123.123 1194Replace 123.123.123.123 with the public IP of your server. A hostname would work too but for security reasons it’s recommended to connect by IP and bypass the DNS lookup.
Tell the client-side OpenVPN service to drop root priviledges by specifying a user and a group. This is for non-Windows client machines only. If you use Windows, here you should comment out the user and group parameters by placing a semicolon in front of them.
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroupFurther down in the file, edit the ca, cert and key lines to reflect the names and locations on the client device. If you use Linux, the paths will be as shown below:
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.keyIf you use Windows, the paths will be completely different, namely:
ca ca.crt
cert client1.crt
key client1.keyTell the client to use the HMAC key generated earlier:
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth /etc/openvpn/keys/ta.key 1If you use Windows, instead of the line from above you will enter:
tls-auth ta.key 1Also enable compression like this:
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzoSince the VPN server was told to force certain cryptographic settings in its config file, the clients must have the same settings. Below the block starting with # Select a cryptographic cipher. you should have the following lines:
data-ciphers AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHAIf you use Windows, add this parameter at the end of the file, to prevent password caching:
auth-nocacheCopy all the files necessary for client1 in the /etc/openvpn/easy-rsa/keys/client1 directory:
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/keys/client1
cp /etc/openvpn/easy-rsa/pki/issued/client1.crt /etc/openvpn/easy-rsa/keys/client1
cp /etc/openvpn/easy-rsa/pki/private/client1.key /etc/openvpn/easy-rsa/keys/client1
cp /etc/openvpn/easy-rsa/keys/ta.key /etc/openvpn/easy-rsa/keys/client130.4.2. Pack all the necessary client files into a tarball to transfer them
The specific files are:
/etc/openvpn/easy-rsa/keys/client1/ca.crt
/etc/openvpn/easy-rsa/keys/client1/client1.crt
/etc/openvpn/easy-rsa/keys/client1/client1.key
/etc/openvpn/easy-rsa/keys/client1/client.ovpn
/etc/openvpn/easy-rsa/keys/client1/ta.key
To create the archive necessary to transfer the required files to the client machine, run the following command:
cd /etc/openvpn/easy-rsa/keys
tar czf /etc/openvpn/client1.tar.gz client130.5. Open the port in the firewall
Open the necessary port in the firewall using ufw:
ufw allow 1194/udpSince you don’t need IPv6 for OpenVPN, you can delete the allow rule for port 1194/udp for IPv6. Run:
ufw status numberedThe output of this command will look like this:
...
[15] 1194/udp (v6) ALLOW IN Anywhere (v6)
...In this case, the number of the rule that has to be deleted is 15. To remove the rule run:
ufw delete 15Replace 15 with your number.
It’s assumed that you already have the HTTP and HTTPS ports (80 and 443) opened in the firewall.
The kernel must be told that it can forward incoming IPv4 traffic. Edit the /etc/sysctl.d/99-sysctl.conf file:
nano /etc/sysctl.d/99-sysctl.confAdd the following line at the end of the file:
net.ipv4.ip_forward=1Activate the sysctl change:
sysctl -pThe ufw forwarding policy needs to be set as well. You’ll do this in the /etc/default/ufw file:
nano /etc/default/ufwLook for the following line:
DEFAULT_FORWARD_POLICY="DROP"This must be changed from DROP to ACCEPT. It should look like this:
DEFAULT_FORWARD_POLICY="ACCEPT"Next, you will add additional ufw rules for network address translation and IP masquerading of connected clients:
nano /etc/ufw/before.rulesAdd the lines between # START OPENVPN RULES and # END OPENVPN RULES , like this:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULESReplace eth0 with the actual name of your server’s network interface, given by the ifconfig command.
Restart ufw in order to apply the new changes:
systemctl restart ufwEnable and restart the openvpn service:
systemctl enable openvpn
systemctl restart openvpnIf you run ifconfig, the output should show a new network interface called tun0, created by OpenVPN:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
...30.6. Transfer client credentials to the client machine
If you use a Linux client machine follow the instructions from below.
You can transfer the /etc/openvpn/client1.tar.gz archive containing all the needed client credentials to the client machine using a FTP client like FileZilla. You can also transfer it by using the Secure Copy Protocol (SCP): on the client Linux computer open a terminal and run:
scp -P 6283 username@123.123.123.123:/etc/openvpn/client1.tar.gz /tmpWhere 6283 is the custom SSH port of the remote Debian server, 123.123.123.123 is its public IP address and username is the username of the SSH user. This command will download the archive in the /tmp directory.
We won’t describe how to transfer the client credentials to a Windows or macOS client machine or how to configure such a machine to connect to OpenVPN. The whole point of this guide is to help users preserve their digital freedom. Who uses Windows or macOS instead of Linux on his computers, willingly gives up a substantial portion of his digital freedom.
30.7.Configure a Linux client machine to use OpenVPN
The following settings are intended for a Debian 12 client (with the Mate desktop environment), but they can be adapted to other distributions. Configure VPN connections using the same method you would use to configure ethernet or wireless connections. These steps assume you are using Network Manager for your network management.
Install the network-manager-openvpn and network-manager-openvpn-gnome packages. This will also install the necessary dependencies, including the openvpn package:
apt-get update
apt-get install network-manager-openvpn network-manager-openvpn-gnomeEnable the openvpn service, so that it starts at system startup, then start it:
systemctl enable openvpn
systemctl start openvpnCreate a keys directory in /etc/openvpn:
mkdir /etc/openvpn/keysThen extract the client1.tar.gz archive (that has been downloaded earlier to /tmp), in the newly created directory and place the files directly in the ‘keys’ directory:
tar xf /tmp/client1.tar.gz -C /etc/openvpn/keys
mv /etc/openvpn/keys/client1/* /etc/openvpn/keys
rm -r /etc/openvpn/keys/client1The client.ovpn file has to be placed in the /etc/openvpn directory, so, move it there:
mv /etc/openvpn/keys/client.ovpn /etc/openvpnGo to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, select Ethernet, then click on the + sign at the bottom of the window to add a new connection. In the ‘Choose a Connection Type’ window, select OpenVPN from the drop-down list:
Click ‘Create…’ .
In the new window, on the ‘VPN’ tab, in the ‘Gateway’ field, enter the public IPv4 address of your remote Debian server, in the ‘Type’ drop-down list choose ‘Certificates (TLS)’, then in the ‘CA certificate’ field, click on the folder icon and choose from your computer the /etc/openvpn/keys/ca.crt file, in the ‘User certificate’ field choose /etc/openvpn/keys/client1.crt, in the ‘User private key’ choose /etc/openvpn/keys/client1.key, then, on the same tab click the ‘Advanced’ button.
On the general tab enable LZO compression by checking the ‘Data compression’ checkbox and selecting ‘LZO’ in the corresponding drop-down list. Next, click on the ‘Security’ tab.
On the ‘Security’ tab, in the ‘Cipher’ field choose AES-256-CBC and in the ‘HMAC Authentication’ field choose SHA-512, as shown above. Then click on the ‘TLS Authentication’ tab.
On the TLS Authentication tab, in the ‘Server Certificate Check’ field, choose ‘Verify whole subject exactly’, in the ‘Subject Match’ field enter CN=mail.example.com, where mail.example.com is the content of the remote server’s /etc/hostname file. Check the ‘Verify peer (server) certificate usage signature’ checkbox and select ‘Server’ next to ‘Remote peer certificate TLS type:’. Also, under ‘Additional TLS authentication or encryption’, in the ‘Mode’ field choose ‘TLS-Auth’, in the ‘Key File’ click on the folder icon and choose from your computer the /etc/openvpn/keys/ta.key file and in the ‘Key Direction’ field choose 1, click OK, then click on the ‘IPv4 Settings’ tab.
On the ‘IPv4 Settings’ tab, in the ‘Method’ field choose ‘Automatic (VPN) addresses only’ and in the ‘DNS servers’ field enter the IP addresses of the DNS servers that you configured in the /etc/openvpn/server.conf file, on the push dhcp-option line, separated by comma. Here we use the OpenDNS servers: 208.67.222.222 and 208.67.220.220. Then click on the ‘IPv6 Settings’ tab.
On the ‘IPv6 Settings’ tab, in the ‘Method’ field choose ‘Ignore’, since you won’t use IPv6, then click ‘Save’.
Next, disable IPv6 for the main wired/wireless connection of the client Linux machine: go to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, under Ethernet select ‘Wired connection 1’, then click on the small ‘Edit the selected connection’ button at the bottom of the window. Then click on the ‘IPv6 Settings’ tab.
On the ‘IPv6 Settings’ tab, next to ‘Method’ choose ‘Ignore’.
Restart the networking service:
systemctl restart networkingRemember also to disable the WebRTC (Web Real-Time Communication) service in the browser that you are going to use to connect to your OpenVPN server, because if enabled, WebRTC can send some information about LAN IPs over the Internet betraying the real IP of the client machine. Since WebRTC is enabled by default in all major browsers, and since it is needed in order to use other components of the RED SCARF Suite, such as SIP Trip Phone or Roundpin, it’s recommended to have a separate browser with WebRTC disabled, that you’ll use for browsing through VPN, while all the other browsers can have WebRTC enabled.
30.7.1. Disable the WebRTC service in Firefox
To disable the WebRTC service in Firefox, type about:config in the address bar of your browser, click ‘I accept the risk’, then search for media.peerconnection.enabled . Double click on it to set it to false.
30.7.2. Disable the WebRTC service in Opera
Install the ‘WebRTC Leak Prevent’ extension and in its Options, select: ‘Disable non-proxied UDP (force Proxy)’.
30.7.3. Connect the client machine to the OpenVPN server
Click on the ‘Ethernet network connection’ icon in the taskbar, then hover over ‘VPN Connections’ and click on ‘VPN Connection 1’. A system notification will announce you that the VPN connection has been established successfully. From this point, when you open a browser, you will automatically connect through the VPN. If you access sites like https://www.whatsmyip.org/ you will see that your IP address is seen on the Internet as that of your server and not that of your client machine.
You can check if you have DNS leaks by running the test on https://www.dnsleaktest.com/ . When the test finishes, if you don’t find the name of the ISP of your client machine in the list of results, it means that there are no DNS leaks. You can still have ‘WebRTC leaks’. To check for this, you can access https://ipleak.net/ . In the “Your IP addresses – WebRTC detection” section, it should say: “No leak, RTCPeerConnection not available”. When you have WebRTC leaks, your client machine’s IPv6 may be detected and listed. That is why it’s so important to disable WebRTC in the browser and to disable IPv6 connectivity on the client machine.
30.7.4. Reenable IPv6 on the client machine when needed
When you don’t use your VPN connection, if you want to have IPv6 connectivity on your client machine again, you can reenable it as follows: go to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, under Ethernet select ‘Wired connection 1’, then click on the small ‘Edit the selected connection’ button at the bottom of the window. Then click on the ‘IPv6 Settings’ tab. On the ‘IPv6 Settings’ tab, next to ‘Method’ choose ‘Automatic’, then click ‘Save’.
Restart the networking service:
systemctl restart networking30.8. Revoke a VPN Client Certificate
To remove a client device’s access to the VPN you have to revoke its certificate. First navigate to /etc/openvpn/easy-rsa:
cd /etc/openvpn/easy-rsaThen run:
./easyrsa revoke client1where client1 is the name of the client whose certificate you want to revoke. You will be asked to confirm and then you’ll have to enter the CA Key Passphrase. The command will revoke the certificate and will delete the /etc/openvpn/easy-rsa/pki/private/client1.key file and the /etc/openvpn/easy-rsa/pki/issued/client1.crt file.
Next, generate a new Certificate Revocation List (CRL) by running:
./easyrsa gen-crlEnter again the CA Key Passphrase and press Enter.
30.9. Upgrading OpenVPN
Since OpenVPN has been installed from the official Debian repository, to upgrade it, all you need to do is to run apt-get update && apt-get dist-upgrade with a specific frequency, as described in the Maintenance steps chapter. This command will upgrade OpenVPN if there is a new version available. Also, during these upgrades, the configuration changes implemented as described above, will be preserved.
