30. Install OpenVPN

by Double Bastion - Updated February 23, 2022

A Virtual Private Network (VPN) server installed on a remote server creates an encrypted tunnel between your local machine/device and the remote server. In this way, you can surf the Internet with the IP of the remote server, as if you were physically present in your server’s physical location. VPNs can also be used to create encrypted data channels between two business locations, etc. However, in general, you will want to use a VPN in the following three common situations:

  • You want to access the Internet from an unsecure public network, such as from the Wi-Fi connection of a cafe, restaurant, hotel lobby, airport, railway station, etc. To make sure that nobody can intercept your traffic and credentials when logging in to HTTP websites, you’ll want to connect to a VPN. This way all the data traffic between you and the remote server will be encrypted.
  • You have access to an Internet banking account offered by your bank. You decide to leave your country and spend some time abroad. When you try to access your online banking account from outside your country, you find that your bank’s software blocks all IPs geolocated outside your country. Instead of calling the bank, complaining and listening to your bank’s excuses, etc., you can just access your bank’s site through a VPN. This way the bank will see that your IP is located in your home country and will let you log in. This is legal, because you have every right to log in to your Internet banking account and it’s not your fault that the bank’s software is not capable and flexible enough to deal with this kind of situation. This implies that your VPN server is installed on a server physically located in a datacenter inside your home country.
  • You want to access a website/service which requires you to be located in your home country, while you are abroad. Using a VPN you can sign up or log in to that website/service as if you were physically located in your home country. This implies that your VPN server is installed on a server physically located in a datacenter inside your home country.

Install OpenVPN from the Debian repository:

apt-get install openvpn

We’ll configure OpenVPN for IPv4 only because IPv6 connectivity can create problems such as DNS leaks in certain situations, at least with the current version of OpenVPN.

An OpenVPN connection consists of two channels between the server and the clients: the Control Channel and the Data Channel. A client connects to the server by initiating a TLS session over the control channel, in which credentials are exchanged between server and clients to establish the data channel. The data channel is the encrypted pipeline in which all traffic between server and clients is then transmitted.

Create a new user for the OpenVPN daemon to run as after startup. Running OpenVPN under its own account isolates it from the rest of the system. Here we’ll call the new user openvpn_server:

adduser --system --shell /bin/false --no-create-home openvpn_server

Next, you need to create the /etc/openvpn/server.conf configuration file. OpenVPN already has many sample configuration files. Copy the sample server.conf file into the /etc/openvpn directory:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn

Run the make-cadir command to create a certificates directory and to copy all the necessary files from /usr/share/easy-rsa to the new directory, /etc/openvpn/easy-rsa:

make-cadir /etc/openvpn/easy-rsa

Switch to the new directory:

cd /etc/openvpn/easy-rsa

Edit the /etc/openvpn/easy-rsa/vars file:

nano /etc/openvpn/easy-rsa/vars

Uncomment the following lines and change the default parameters between the quotation marks, to make them look like this:

set_var EASYRSA_REQ_ORG	        ""
set_var EASYRSA_REQ_EMAIL	"me@example.net"
set_var EASYRSA_REQ_OU		""

Also, uncomment the following lines and change the values as follows:

set_var EASYRSA_CA_EXPIRE      54750
set_var EASYRSA_CERT_EXPIRE    54750

Next, edit the /etc/openvpn/server.conf file:

nano /etc/openvpn/server.conf

Modify the lines for the location of the certificate and key files and of the Diffie-Hellman parameter file, to make them look like the lines below, where mail.example.com is the hostname of your server:

# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/mail.example.com.crt
key /etc/openvpn/easy-rsa/pki/private/mail.example.com.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/dh2048.pem

Set OpenVPN to push a gateway configuration so that all the clients will send Internet traffic through it:

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

Push DNS resolvers to client devices. Client-side DNS settings are ideal for preventing DNS leaks. OpenDNS DNS IPs are provided by default but you can change this to other DNS IPs:

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS"
push "dhcp-option DNS"

Require a matching HMAC signature for all packets involved in the TLS handshake between the server and connecting clients. Packets without this signature will be dropped. Change this line:

tls-auth ta.key 0 # This file is secret

to make it look like this:

tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret

Also, change the data channel’s authentication digest to SHA-512 (a SHA-2 hash function). Search for the cipher AES-256-CBC line and right below it add auth SHA512, like this:

cipher AES-256-CBC
auth SHA512

Also restrict the VPN’s control channel to strong cipher suites. It is recommended to be as restrictive as possible here, but not all cipher suites can be used with all versions of OpenVPN. Add the following tls-cipher line right below the auth SHA512 line mentioned above, like this:

cipher AES-256-CBC
auth SHA512

The default cipher suite used for the control channel is one agreed on by both server and client during the TLS handshake. The agreement is based on what is supported by their respective OpenSSL versions.

Also enable compression like this:

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.

Uncomment the user and group lines and make them look like below. This tells the OpenVPN daemon to drop root privileges and switch to the openvpn_server user after startup.

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
# You can uncomment this out on
# non-Windows systems.
user openvpn_server
group nogroup

Change logging verbosity to 0:

# Set the appropriate level of log
# file verbosity.
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 0
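The script below is an added example, not part of the original guide: it audits a server.conf for the settings this section configures (privilege drop to a dedicated user, AES-256 data-channel cipher, SHA512 HMAC, tls-auth with direction 0, the redirect-gateway and DNS pushes, quiet logging), so the file can be re-checked after later edits or upgrades. The sample configuration embedded at the bottom is constructed for the demonstration; the resolver address 203.0.113.53 and the server subnet line are placeholders, not values from the guide. It also prints a warning when comp-lzo or compress is enabled, because the OpenVPN manual notes that combining compression with encryption can let an attacker who controls part of the plaintext recover secrets.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an OpenVPN server.conf
# for the hardening directives set in this chapter.

# First effective value of a directive: skips lines commented with '#' or ';'
# and strips a trailing '# ...' comment. Prints nothing if the directive is absent.
conf_get() {   # $1 = config file, $2 = directive name
    grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]*//; s/[[:space:]]*#.*$//"
}

# Values of every push "..." directive, one per line, quotes removed.
conf_pushes() {   # $1 = config file
    grep -E '^[[:space:]]*push[[:space:]]+"' "$1" \
        | sed -E 's/^[[:space:]]*push[[:space:]]+"([^"]*)".*/\1/'
}

# Audit one server.conf. Prints one line per check; returns 0 only if all pass.
audit_server_conf() {   # $1 = config file
    conf=$1
    rc=0
    expect() {   # $1 = directive, $2 = regex the value must match, $3 = why
        val=$(conf_get "$conf" "$1")
        if printf '%s\n' "$val" | grep -Eq "$2"; then
            printf 'ok    %-9s %s\n' "$1" "$val"
        else
            printf 'FAIL  %-9s %s (found: %s)\n' "$1" "$3" "${val:-<unset>}"
            rc=1
        fi
    }
    expect user     '^[a-z_][a-z0-9_-]*$' 'daemon should drop root to a dedicated account'
    expect group    '^nogroup$'           'group should be nogroup'
    expect cipher   '^AES-256-(CBC|GCM)$' 'data channel should use AES-256'
    expect auth     '^SHA512$'            'data channel HMAC should be SHA512'
    expect tls-auth '^/.* 0$'             'tls-auth key, absolute path, direction 0'
    expect dh       '^/.*\.pem$'          'Diffie-Hellman parameter file'
    expect verb     '^[0-4]$'             'keep logging quiet in production'

    if [ "$(conf_get "$conf" user)" = root ]; then
        echo 'FAIL  user      must not be root'; rc=1
    fi
    if conf_pushes "$conf" | grep -q '^redirect-gateway'; then
        echo 'ok    push      redirect-gateway present'
    else
        echo 'FAIL  push      clients should redirect their default gateway'; rc=1
    fi
    dns=$(conf_pushes "$conf" | grep -c '^dhcp-option DNS ' || true)
    if [ "$dns" -ge 1 ]; then
        echo "ok    push      $dns DNS resolver(s) pushed"
    else
        echo 'FAIL  push      no DNS resolver pushed; clients may leak DNS'; rc=1
    fi
    if grep -Eq '^[[:space:]]*(comp-lzo|compress)' "$conf"; then
        echo 'warn  compression enabled; the OpenVPN manual warns it can weaken encryption'
    fi
    return $rc
}

# Demo on a constructed config that mirrors this chapter's settings
# (203.0.113.53 and the server subnet are placeholders).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/mail.example.com.crt
key /etc/openvpn/easy-rsa/pki/private/mail.example.com.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 203.0.113.53"
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA512
;user nobody
user openvpn_server
group nogroup
verb 0
EOF
audit_server_conf "$demo_conf"
rm -f "$demo_conf"
```

Run it as `sh audit.sh` on the server, or call `audit_server_conf /etc/openvpn/server.conf` after sourcing it; a non-zero exit means at least one of the chapter's settings is missing or weakened.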

30.1. Generate the Diffie-Hellman PEM file

The Diffie-Hellman parameter is a piece of randomly generated data used when establishing forward secrecy during the creation of a client’s session key. Create the file by running:

openssl dhparam 2048 > /etc/openvpn/dh2048.pem

The output will look like this:

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

Generating the Diffie-Hellman parameter will take about 1 minute or less to complete. The resulting file will be /etc/openvpn/dh2048.pem, where 2048 indicates the bit length of the Diffie-Hellman parameter.

The Diffie-Hellman PEM file can be arbitrarily deleted and regenerated without needing to change server or client settings.

30.2. Generate the HMAC key file

First create the keys directory:

cd /etc/openvpn/easy-rsa
mkdir keys

Generate the HMAC key file:

openvpn --genkey secret /etc/openvpn/easy-rsa/keys/ta.key

30.3. Server Credentials

It’s necessary to run the next commands while in the /etc/openvpn/easy-rsa directory, therefore navigate there:

cd /etc/openvpn/easy-rsa

30.3.1. Create the root certificate or Certificate Authority file

A root certificate, sometimes called a Certificate Authority (CA) certificate, is the certificate with which the server and client certificates are signed. First create the pki directory by running:

./easyrsa init-pki

Create the Certificate Authority file by running:

./easyrsa build-ca

You will be prompted to enter a CA Key Passphrase, two times. Enter a passphrase and write it down in a secure place. When prompted for the ‘Common Name’, enter the hostname of your server (the content of the /etc/hostname file), mail.example.com, and press Enter. The Certificate Authority file /etc/openvpn/easy-rsa/pki/ca.crt will be created.

Generate the server certificate and key by running:

./easyrsa build-server-full mail.example.com nopass

The nopass option disables the passphrase for the key file. You will be prompted to enter the CA Key Passphrase that you saved earlier. The command will generate two important files: the server’s key:

/etc/openvpn/easy-rsa/pki/private/mail.example.com.key

and the server’s certificate:

/etc/openvpn/easy-rsa/pki/issued/mail.example.com.crt

30.4. Client credentials

You have to generate a unique set of credentials for each client that will connect to the VPN server. You can repeat this step for any client that you need to create credentials for.

All clients should have a unique name. Change client1 in the following lines to a descriptive name of your choice that you will be able to associate with the client:

./easyrsa build-client-full client1 nopass

After you enter the CA Key Passphrase created earlier, the command will generate the client’s key:

/etc/openvpn/easy-rsa/pki/private/client1.key

and the client’s certificate:

/etc/openvpn/easy-rsa/pki/issued/client1.crt

30.4.1. Client configuration file

Each client needs a configuration file defining the OpenVPN server’s settings for it. You can’t save this configuration file in /etc/openvpn, because the server.conf file is located there. You will have to store it in the /etc/openvpn/easy-rsa/keys/client1 folder along with the other client files, even if this file doesn’t need to be kept secret. First create a directory for the credentials of client1:

mkdir /etc/openvpn/easy-rsa/keys/client1

Copy the client.conf template from the /usr/share/doc/openvpn/examples/sample-config-files directory to the /etc/openvpn/easy-rsa/keys/client1 directory. Clients usually require an .ovpn file instead of a .conf file, therefore, change the file extension when copying the file:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client1/client.ovpn

Open the /etc/openvpn/easy-rsa/keys/client1/client.ovpn file for editing:

nano /etc/openvpn/easy-rsa/keys/client1/client.ovpn

Update the remote line with the IP address of the server:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote  1194

Replace with the public IP of your server. A hostname would work too but for security reasons it’s recommended to connect by IP and bypass the DNS lookup.

Tell the client-side OpenVPN service to drop root privileges by specifying a user and a group. This applies to non-Windows client machines only. If you use Windows, comment out the user and group parameters here by placing a semicolon in front of them.

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

Further down in the file, edit the ca, cert and key lines to reflect the names and locations on the client device. If you use Linux, the paths will be as shown below:

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key

If you use Windows, the paths will be completely different, namely:

ca ca.crt
cert client1.crt
key client1.key

Tell the client to use the HMAC key generated earlier:

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth /etc/openvpn/keys/ta.key 1

If you use Windows, instead of the line from above you will enter:

tls-auth ta.key 1

Also enable compression like this:

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.

Since the VPN server was told to force certain cryptographic settings in its config file, the clients must have the same settings. Add the following two lines right below cipher AES-256-CBC , like this:

cipher AES-256-CBC
auth SHA512

If you use Windows, add this parameter at the end of the file, to prevent password caching:


Copy all the files necessary for client1 in the /etc/openvpn/easy-rsa/keys/client1 directory:

cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/keys/client1
cp /etc/openvpn/easy-rsa/pki/issued/client1.crt /etc/openvpn/easy-rsa/keys/client1
cp /etc/openvpn/easy-rsa/pki/private/client1.key /etc/openvpn/easy-rsa/keys/client1
cp /etc/openvpn/easy-rsa/keys/ta.key /etc/openvpn/easy-rsa/keys/client1

30.4.2. Pack all the necessary client files into a tarball to transfer them

The specific files are:

  • /etc/openvpn/easy-rsa/keys/client1/ca.crt
  • /etc/openvpn/easy-rsa/keys/client1/client1.crt
  • /etc/openvpn/easy-rsa/keys/client1/client1.key
  • /etc/openvpn/easy-rsa/keys/client1/ta.key
  • /etc/openvpn/easy-rsa/keys/client1/client.ovpn

To create the archive necessary to transfer the required files to the client machine, run the following command:

cd /etc/openvpn/easy-rsa/keys
tar czf /etc/openvpn/client1.tar.gz client1
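As an added example (not code from the guide), the script below performs sections 30.4.1 and 30.4.2 in one step: it refuses to build a bundle if any of the five files is missing, sets owner-only permissions on client1.key and ta.key so a copied bundle never exposes them world-readable, and creates the tarball relative to the keys directory so it unpacks as client1/… on the client. The easy-rsa layout (pki/ and keys/ under the easy-rsa directory) is the one this chapter uses; make_demo_tree builds a throwaway tree with dummy contents so the script can be exercised without real keys.

```shell
#!/bin/sh
# Added example (not from the original guide): collect a client's credentials
# into <easy-rsa>/keys/<client>, fix permissions, and pack them into a tarball.

# Pack one client. $1 = client name, $2 = easy-rsa dir, $3 = output .tar.gz
# (absolute path). Aborts if any required file is missing, so a half-built
# bundle is never shipped.
pack_client() {
    name=$1; ersa=$2; out=$3
    dest="$ersa/keys/$name"
    mkdir -p "$dest"
    for f in "$ersa/pki/ca.crt" "$ersa/pki/issued/$name.crt" \
             "$ersa/pki/private/$name.key" "$ersa/keys/ta.key" "$dest/client.ovpn"; do
        if [ ! -r "$f" ]; then
            echo "pack_client: missing $f" >&2
            return 1
        fi
    done
    cp "$ersa/pki/ca.crt" "$ersa/pki/issued/$name.crt" \
       "$ersa/pki/private/$name.key" "$ersa/keys/ta.key" "$dest/"
    # Secrets are owner-only; public parts and the config stay readable.
    chmod 700 "$dest"
    chmod 600 "$dest/$name.key" "$dest/ta.key"
    chmod 644 "$dest/ca.crt" "$dest/$name.crt" "$dest/client.ovpn"
    # Archive relative to keys/ so the bundle unpacks as <client>/... on the client.
    (cd "$ersa/keys" && tar czf "$out" "$name") || return 1
    chmod 600 "$out"
    echo "packed $(tar tzf "$out" | grep -c '[^/]$') files into $out"
}

# Regular-file members of a bundle, for a last look before transferring it.
bundle_files() {   # $1 = tarball
    tar tzf "$1" | grep '[^/]$'
}

# Build a throwaway easy-rsa-like tree with dummy contents (constructed; no real keys).
make_demo_tree() {   # $1 = base dir, $2 = client name
    mkdir -p "$1/pki/issued" "$1/pki/private" "$1/keys/$2"
    echo "dummy ca"   > "$1/pki/ca.crt"
    echo "dummy cert" > "$1/pki/issued/$2.crt"
    echo "dummy key"  > "$1/pki/private/$2.key"
    echo "dummy hmac" > "$1/keys/ta.key"
    printf 'client\nremote 203.0.113.10 1194\n' > "$1/keys/$2/client.ovpn"
}

# Demo on the constructed tree; on a real server the call would be
# pack_client client1 /etc/openvpn/easy-rsa /etc/openvpn/client1.tar.gz
demo=$(mktemp -d)
make_demo_tree "$demo" client1
pack_client client1 "$demo" "$demo/client1.tar.gz"
bundle_files "$demo/client1.tar.gz"
rm -rf "$demo"
```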

30.5. Open the port in the firewall

Open the necessary port in the firewall using ufw:

ufw allow 1194/udp

Since you don’t need IPv6 for OpenVPN, you can delete the allow rule for port 1194/udp for IPv6. Run:

ufw status numbered

The output of this command will look like this:

[15] 1194/udp (v6)          ALLOW IN    Anywhere (v6)

In this case, the number of the rule that has to be deleted is 15. To remove the rule run:

ufw delete 15

Replace 15 with your number.

It’s assumed that you already have the HTTP and HTTPS ports (80 and 443) opened in the firewall.

The kernel must be told that it can forward incoming IPv4 traffic. Edit the /etc/sysctl.d/99-sysctl.conf file:

nano /etc/sysctl.d/99-sysctl.conf

Add the following line at the end of the file:


Activate the sysctl change:

sysctl -p

The ufw forwarding policy needs to be set as well. You’ll do this in the /etc/default/ufw file:

nano /etc/default/ufw

Look for the following line:


This must be changed from DROP to ACCEPT. It should look like this:


Next, you will add additional ufw rules for network address translation and IP masquerading of connected clients:

nano /etc/ufw/before.rules

Add the lines between # START OPENVPN RULES and # END OPENVPN RULES , like this:

# rules.before
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward

# NAT table rules
# Allow traffic from OpenVPN client to eth0

Replace eth0 with the actual name of your server’s network interface, given by the ifconfig command.

Restart ufw in order to apply the new changes:

systemctl restart ufw
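The preflight script below is an added example and not part of the guide. It checks the three forwarding settings edited in this section, reading them from files given as arguments so it can be run against copies: the sysctl file must set net.ipv4.ip_forward to 1, /etc/default/ufw must have DEFAULT_FORWARD_POLICY="ACCEPT", and the block between the # START OPENVPN RULES and # END OPENVPN RULES markers in before.rules must open a *nat table, masquerade out of the real uplink interface and finish with COMMIT (ufw loads the file through iptables-restore, which rejects an uncommitted table). The sample files at the bottom are constructed, with 10.8.0.0/24 and eth0 as placeholders. Note that on Debian 11 ifconfig is only available after installing net-tools; `ip link` shows the same interface names.

```shell
#!/bin/sh
# Added example (not from the original guide): preflight the forwarding
# settings of this section. Real locations: /etc/sysctl.d/99-sysctl.conf,
# /etc/default/ufw, /etc/ufw/before.rules.

# Last uncommented value of a key in a sysctl.conf-style file (key = value).
sysctl_file_value() {   # $1 = file, $2 = key
    k=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*$k[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Value of VAR="value" (or VAR=value) in a /etc/default-style file.
default_var() {   # $1 = file, $2 = variable
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 \
        | sed -E "s/^[[:space:]]*$2=//; s/^\"(.*)\"\$/\1/"
}

# The block between the START/END OPENVPN RULES markers in before.rules.
openvpn_rules_block() {   # $1 = file
    sed -n '/^# START OPENVPN RULES/,/^# END OPENVPN RULES/p' "$1"
}

# Run all checks. $1 = sysctl file, $2 = default/ufw file, $3 = before.rules,
# $4 = uplink interface name. Returns 0 only if every check passes.
check_forwarding() {
    rc=0
    v=$(sysctl_file_value "$1" net.ipv4.ip_forward)
    if [ "$v" = 1 ]; then
        echo 'ok    net.ipv4.ip_forward=1'
    else
        echo "FAIL  net.ipv4.ip_forward is '${v:-unset}'; clients cannot reach the Internet"; rc=1
    fi
    p=$(default_var "$2" DEFAULT_FORWARD_POLICY)
    if [ "$p" = ACCEPT ]; then
        echo 'ok    DEFAULT_FORWARD_POLICY=ACCEPT'
    else
        echo "FAIL  DEFAULT_FORWARD_POLICY is '${p:-unset}'; ufw will drop forwarded packets"; rc=1
    fi
    block=$(openvpn_rules_block "$3")
    if [ -z "$block" ]; then
        echo 'FAIL  before.rules has no START/END OPENVPN RULES block'; rc=1
    else
        if printf '%s\n' "$block" | grep -Eq "^-A POSTROUTING .*-o $4 -j MASQUERADE"; then
            echo "ok    MASQUERADE rule leaves via $4"
        else
            echo "FAIL  no POSTROUTING MASQUERADE rule for $4 (wrong interface name?)"; rc=1
        fi
        if printf '%s\n' "$block" | grep -q '^\*nat' && printf '%s\n' "$block" | grep -q '^COMMIT'; then
            echo 'ok    *nat table is opened and committed'
        else
            echo 'FAIL  NAT block must start with *nat and end with COMMIT or ufw will not load it'; rc=1
        fi
    fi
    return $rc
}

# Demo on constructed copies of the three files (10.8.0.0/24 and eth0 are placeholders).
t=$(mktemp -d)
printf 'net.ipv4.ip_forward=1\n' > "$t/99-sysctl.conf"
printf 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="ACCEPT"\n' > "$t/ufw"
cat > "$t/before.rules" <<'EOF'
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
check_forwarding "$t/99-sysctl.conf" "$t/ufw" "$t/before.rules" eth0
rm -rf "$t"
```

On a live server the call is `check_forwarding /etc/sysctl.d/99-sysctl.conf /etc/default/ufw /etc/ufw/before.rules <interface>`; run it before `systemctl restart ufw`, since a malformed before.rules leaves ufw unable to reload its rules.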

Enable and restart the openvpn service:

systemctl enable openvpn
systemctl restart openvpn

If you run ifconfig, the output should show a new network interface called tun0, created by OpenVPN:

        inet  netmask  destination

30.6. Transfer client credentials to the client machine

If you use a Linux client machine follow the instructions from below.

You can transfer the /etc/openvpn/client1.tar.gz archive containing all the needed client credentials to the client machine using an FTP client like FileZilla. You can also transfer it by using the Secure Copy Protocol (SCP): on the Linux client computer open a terminal and run:

scp -P 6283 username@ /tmp

Where 6283 is the custom SSH port of the remote Debian server, is its public IP address and username is the username of the SSH user. This command will download the archive in the /tmp directory.

We won’t describe how to transfer the client credentials to a Windows or macOS client machine or how to configure such a machine to connect to OpenVPN. The whole point of this guide is to help users preserve their digital freedom. Whoever uses Windows or macOS instead of Linux on their computers, willingly give up a substantial portion of their digital freedom.

30.7. Configure a Linux client machine to use OpenVPN

The following settings are intended for a Debian 11 client (with the Mate desktop environment), but they can be adapted to other distributions. Configure VPN connections using the same method you would use to configure Ethernet or wireless connections. These steps assume you are using Network Manager for your network management.

Install the network-manager-openvpn and network-manager-openvpn-gnome packages. This will also install the necessary dependencies, including the openvpn package:

apt-get update
apt-get install network-manager-openvpn network-manager-openvpn-gnome

Enable the openvpn service, so that it starts at system startup, then start it:

systemctl enable openvpn
systemctl start openvpn

Create a keys directory in /etc/openvpn:

mkdir /etc/openvpn/keys

Then extract the /tmp/client1.tar.gz archive (that has been downloaded earlier to /tmp), in the newly created directory:

tar xf /tmp/client1.tar.gz -C /etc/openvpn/keys

The client.ovpn file has to be placed in the /etc/openvpn directory, so, move it there:

mv /etc/openvpn/keys/client.ovpn /etc/openvpn

Go to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, select Ethernet, then click on the + sign at the bottom of the window to add a new connection. In the ‘Choose a Connection Type’ window, select OpenVPN from the drop-down list:

Click ‘Create…’ .

In the new window, on the ‘VPN’ tab, in the ‘Gateway’ field, enter the public IPv4 address of your remote Debian server, in the ‘Type’ drop-down list choose ‘Certificates (TLS)’, then in the ‘CA certificate’ field, click on the folder icon and choose from your computer the /etc/openvpn/keys/ca.crt file, in the ‘User certificate’ field choose /etc/openvpn/keys/client1.crt, in the ‘User private key’ choose /etc/openvpn/keys/client1.key, then, on the same tab click the ‘Advanced’ button.

On the general tab enable LZO compression by checking the ‘Data compression’ checkbox and selecting ‘LZO’ in the corresponding drop-down list. Next, click on the ‘Security’ tab.

On the ‘Security’ tab, in the ‘Cipher’ field choose AES-256-CBC and in the ‘HMAC Authentication’ field choose SHA-512, as shown above. Then click on the ‘TLS Authentication’ tab.

On the TLS Authentication tab, in the ‘Server Certificate Check’ field, choose ‘Verify whole subject exactly’, in the ‘Subject Match’ field enter CN=mail.example.com, where mail.example.com is the content of the remote server’s /etc/hostname file. Check the ‘Verify peer (server) certificate usage signature’ checkbox and select ‘Server’ next to ‘Remote peer certificate TLS type:’. Also, under ‘Additional TLS authentication or encryption’, in the ‘Mode’ field choose ‘TLS-Auth’, in the ‘Key File’ click on the folder icon and choose from your computer the /etc/openvpn/keys/ta.key file and in the ‘Key Direction’ field choose 1, click OK, then click on the ‘IPv4 Settings’ tab.

On the ‘IPv4 Settings’ tab, in the ‘Method’ field choose ‘Automatic (VPN) addresses only’ and in the ‘DNS servers’ field enter the IP addresses of the DNS servers that you configured in the /etc/openvpn/server.conf file, on the push dhcp-option line, separated by comma. Here we use the OpenDNS servers: and Then click on the ‘IPv6 Settings’ tab.

On the ‘IPv6 Settings’ tab, in the ‘Method’ field choose ‘Ignore’, since you won’t use IPv6, then click ‘Save’.

Next, disable IPv6 for the main wired/wireless connection of the client Linux machine: go to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, under Ethernet select ‘Wired connection 1’, then click on the small ‘Edit the selected connection’ button at the bottom of the window. Then click on the ‘IPv6 Settings’ tab.

On the ‘IPv6 Settings’ tab, next to ‘Method’ choose ‘Ignore’.

Restart the networking service:

systemctl restart networking

Remember also to disable the WebRTC (Web Real-Time Communication) service in the browser that you are going to use to connect to your OpenVPN server, because if enabled, WebRTC can send some information about LAN IPs over the Internet betraying the real IP of the client machine. Since WebRTC is enabled by default in all major browsers, and since it is needed in order to use other components of the RED SCARF Suite, such as SIP Trip Phone or Roundpin, it’s recommended to have a separate browser with WebRTC disabled, that you’ll use for browsing through VPN, while all the other browsers can have WebRTC enabled. A good choice for such a browser that you can use for surfing through VPN is GNU IceCat (https://ftp.gnu.org/gnu/gnuzilla/), which is a customized version of Firefox. To make IceCat really usable you should disable all the extensions that are installed and enabled by default and then install only uBlock Origin from https://addons.mozilla.org/en-US/firefox/search/?platform=linux&q=ublock .

30.7.1. Disable the WebRTC service in Firefox/IceCat

To disable the WebRTC service in IceCat/Firefox, type about:config in the address bar of your browser, click ‘I accept the risk’, then search for media.peerconnection.enabled . Double click on it to set it to false.

30.7.2. Disable the WebRTC service in Opera

Install the ‘WebRTC Leak Prevent’ extension and in its Options, select: ‘Disable non-proxied UDP (force Proxy)’.

30.7.3. Connect the client machine to the OpenVPN server

Click on the ‘Ethernet network connection’ icon in the taskbar, then hover over ‘VPN Connections’ and click on ‘VPN Connection 1’. A system notification will inform you that the VPN connection has been established successfully. From this point, when you open a browser, you will automatically connect through the VPN. If you access sites like https://www.whatsmyip.org/ you will see that your IP address is seen on the Internet as that of your server and not that of your client machine.

You can check if you have DNS leaks by running the test on https://www.dnsleaktest.com/ . When the test finishes, if you don’t find the name of the ISP of your client machine in the list of results, it means that there are no DNS leaks. You can still have ‘WebRTC leaks’. To check for this, you can access https://ipleak.net/ . In the “Your IP addresses – WebRTC detection” section, it should say: “No leak, RTCPeerConnection not available”. When you have WebRTC leaks, your client machine’s IPv6 may be detected and listed. That is why it’s so important to disable WebRTC in the browser and to disable IPv6 connectivity on the client machine.

30.7.4. Reenable IPv6 on the client machine when needed

When you don’t use your VPN connection, if you want to have IPv6 connectivity on your client machine again, you can reenable it as follows: go to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, under Ethernet select ‘Wired connection 1’, then click on the small ‘Edit the selected connection’ button at the bottom of the window. Then click on the ‘IPv6 Settings’ tab. On the ‘IPv6 Settings’ tab, next to ‘Method’ choose ‘Automatic’, then click ‘Save’.

Restart the networking service:

systemctl restart networking

30.8. Revoke a VPN Client Certificate

To remove a client device’s access to the VPN you have to revoke its certificate. First navigate to /etc/openvpn/easy-rsa:

cd /etc/openvpn/easy-rsa

Then run:

./easyrsa revoke client1

where client1 is the name of the client whose certificate you want to revoke. You will be asked to confirm and then you’ll have to enter the CA Key Passphrase. The command will revoke the certificate and will delete the /etc/openvpn/easy-rsa/pki/private/client1.key file and the /etc/openvpn/easy-rsa/pki/issued/client1.crt file.

Next, generate a new Certificate Revocation List (CRL) by running:

./easyrsa gen-crl

Enter again the CA Key Passphrase and press Enter.
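The script below is an added example, not part of the original guide. gen-crl writes the list to /etc/openvpn/easy-rsa/pki/crl.pem (the easy-rsa 3 default location), but OpenVPN only consults a CRL when server.conf contains a crl-verify directive pointing at it, which this chapter does not add; without it a revoked client still connects. The check reports a missing crl-verify line, confirms that the revoked client's serial number appears in the CRL (taking the serial from the copy of client1.crt kept in keys/client1, because revoke removes it from pki/issued), and prints the CRL's Next Update date, since OpenVPN rejects every client once the CRL expires. OpenVPN re-reads the CRL on each connection after dropping to the openvpn_server user, so the file must remain readable by that user. The CRL text and config used for the demo are constructed; the serial is a made-up value.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a revocation is
# actually enforced by the server.

# Serials listed under "Revoked Certificates:" in the text form of a CRL
# (stdin, as printed by: openssl crl -in crl.pem -noout -text), upper-case hex.
revoked_serials() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*//p' | tr 'a-f' 'A-F'
}

# Exit 0 if the serial in $1 is revoked according to the CRL text on stdin.
crl_lists_serial() {
    revoked_serials | grep -qx "$(printf '%s' "$1" | tr 'a-f' 'A-F')"
}

# Path named by crl-verify in a server config; empty if the directive is absent.
crl_verify_path() {   # $1 = server.conf
    grep -E '^[[:space:]]*crl-verify[[:space:]]+' "$1" | head -n 1 \
        | sed -E 's/^[[:space:]]*crl-verify[[:space:]]+//; s/[[:space:]]*#.*$//'
}

# Against real files: $1 = server.conf, $2 = crl.pem, $3 = the revoked client's
# certificate (the copy in keys/<client>/<client>.crt).
check_revocation_enforced() {
    crl=$(crl_verify_path "$1")
    if [ -z "$crl" ]; then
        echo "FAIL  $1 has no crl-verify line: revoked certificates are still accepted"
        return 1
    fi
    [ "$crl" = "$2" ] || echo "warn  crl-verify points at $crl, but checking $2"
    serial=$(openssl x509 -in "$3" -noout -serial | sed 's/^serial=//')
    if openssl crl -in "$2" -noout -text | crl_lists_serial "$serial"; then
        echo "ok    serial $serial is revoked in $2"
    else
        echo "FAIL  serial $serial is not in $2 (was ./easyrsa gen-crl run after the revoke?)"
        return 1
    fi
    # Clients are rejected wholesale once this date passes: regenerate before then.
    openssl crl -in "$2" -noout -nextupdate
}

# Demo on constructed data (serial and dates are made up).
demo_crl='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN = mail.example.com
        Last Update: Feb 23 10:00:00 2022 GMT
        Next Update: Aug 22 10:00:00 2022 GMT
Revoked Certificates:
    Serial Number: 0A1B2C3D4E5F60718293A4B5C6D7E8F9
        Revocation Date: Feb 23 09:59:00 2022 GMT'
demo_conf=$(mktemp)
printf 'cipher AES-256-CBC\nauth SHA512\n' > "$demo_conf"
if [ -z "$(crl_verify_path "$demo_conf")" ]; then
    echo "server.conf lacks crl-verify; add: crl-verify /etc/openvpn/easy-rsa/pki/crl.pem"
fi
if printf '%s\n' "$demo_crl" | crl_lists_serial 0a1b2c3d4e5f60718293a4b5c6d7e8f9; then
    echo "client serial is present in the CRL"
fi
rm -f "$demo_conf"
```

After adding crl-verify to server.conf and restarting OpenVPN, `check_revocation_enforced /etc/openvpn/server.conf /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/easy-rsa/keys/client1/client1.crt` confirms the revoked client is in the list the server actually reads.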

30.9. Upgrading OpenVPN

Since OpenVPN has been installed from the official Debian repository, to upgrade it all you need to do is run apt-get update && apt-get dist-upgrade on a regular schedule, as described in the Maintenance steps chapter. This command will upgrade OpenVPN if a new version is available. The configuration changes described above will be preserved across these upgrades.
