A Virtual Private Network (VPN) server installed on a remote server creates an encrypted tunnel between your local machine/device and the remote server. In this way, you can surf the Internet with the IP of the remote server, as if you were physically present in your server’s physical location. VPNs can also be used to create encrypted data channels between two business locations, etc. In general, however, you will want to use a VPN in the following three common situations:
- You want to access the Internet from an unsecure public network, such as from the Wi-Fi connection of a cafe, restaurant, hotel lobby, airport, railway station, etc. To make sure that nobody can intercept your traffic and credentials when logging in to HTTP websites, you’ll want to connect to a VPN. This way all the data traffic between you and the remote server will be encrypted.
- You have access to an Internet banking account offered by your bank. You decide to leave your country and spend some time abroad. When you try to access your online banking account from outside your country, you find that your bank’s software blocks all IPs geolocated outside your country. Instead of calling the bank, complaining and listening to your bank’s excuses, etc., you can just access your bank’s site through a VPN. This way the bank will see that your IP is located in your home country and will let you log in. This is legal, because you have every right to log in to your Internet banking account and it’s not your fault that the bank’s software is not capable and flexible enough to deal with this kind of situation. This implies that your VPN server is installed on a server physically located in a datacenter inside your home country.
- You want to access a website/service which requires you to be located in your home country, while you are abroad. Using a VPN you can sign up or log in to that website/service as if you were physically located in your home country. This implies that your VPN server is installed on a server physically located in a datacenter inside your home country.
Install OpenVPN from the Debian repository:
apt-get install openvpn
We’ll configure OpenVPN for IPv4 only because IPv6 connectivity can create problems such as DNS leaks in certain situations, at least with the current version of OpenVPN.
An OpenVPN connection consists of two channels between the server and the clients: the Control Channel and the Data Channel. A client connects to the server by initiating a TLS session over the control channel, in which credentials are exchanged between server and clients to establish the data channel. The data channel is the encrypted pipeline in which all traffic between server and clients is then transmitted.
Create a new user for the OpenVPN daemon to run as after startup. Forcing OpenVPN to run under its own account is a good way to isolate it from the rest of the system. Here we’ll call the new user openvpn_server:
adduser --system --shell /bin/false --no-create-home openvpn_server
Next, you need to create the /etc/openvpn/server.conf configuration file. OpenVPN already has many sample configuration files. Copy the sample server.conf file into the /etc/openvpn directory:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn
Run the make-cadir command to create a certificates directory and to copy all the necessary files from /usr/share/easy-rsa to the new directory, /etc/openvpn/easy-rsa:
make-cadir /etc/openvpn/easy-rsa
Switch to the new directory:
cd /etc/openvpn/easy-rsa
Edit the /etc/openvpn/easy-rsa/vars file:
nano /etc/openvpn/easy-rsa/vars
Uncomment the following lines and change the default parameters between the quotation marks, to make them look like this:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE ""
set_var EASYRSA_REQ_CITY ""
set_var EASYRSA_REQ_ORG ""
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU ""
Also, uncomment the following lines and change the values as follows:
set_var EASYRSA_CA_EXPIRE 54750
set_var EASYRSA_CERT_EXPIRE 54750
Next, edit the /etc/openvpn/server.conf file:
nano /etc/openvpn/server.conf
Modify the lines for the location of the certificate and key files and of the Diffie-Hellman parameter file, to make them look like the ca, cert, key and dh lines below, where mail.example.com is the hostname of your server:
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/mail.example.com.crt
key /etc/openvpn/easy-rsa/pki/private/mail.example.com.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/dh2048.pem
Set OpenVPN to push a gateway configuration so that all the clients will send Internet traffic through it:
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
Push DNS resolvers to client devices. Client-side DNS settings are ideal for preventing DNS leaks. OpenDNS DNS IPs are provided by default but you can change this to other DNS IPs:
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
Require a matching HMAC signature for all packets involved in the TLS handshake between the server and connecting clients. Packets without this signature will be dropped. Change this line:
tls-auth ta.key 0 # This file is secret
to make it look like this:
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
Also, change the data channel’s authentication digest to SHA-512 (a SHA-2 hash function). Search for the cipher AES-256-CBC line and right below it add auth SHA512, like this:
cipher AES-256-CBC
auth SHA512
Also restrict the VPN’s control channel to strong cipher suites. It is recommended to be as restrictive as possible here, but not all cipher suites can be used with all versions of OpenVPN. Add the following tls-cipher line right below the auth SHA512 line mentioned above, like this:
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
The default cipher suite used for the control channel is one agreed on by both server and client during the TLS handshake. The agreement is based on what is supported by their respective OpenSSL versions.
Also enable compression like this:
# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
Uncomment the user and group lines and make them look like below. This tells the OpenVPN daemon to drop root privileges and switch to the openvpn_server user after startup.
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user openvpn_server
group nogroup
Change logging verbosity to 0:
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 0
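The following script is an added example, not part of the original guide: it reads a server.conf and reports every hardening directive that differs from the values chosen above (cipher, auth, tls-auth direction, tls-cipher list, user/group, verb). The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit server.conf against the guide's settings.

# Print the arguments of the first active occurrence of a directive.
# '#' and ';' start comments in OpenVPN configs; quoted strings are not parsed.
conf_get() {  # usage: conf_get FILE DIRECTIVE
    awk -v d="$2" '
        { sub(/[#;].*/, "") }
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Succeeds if the suite is one of the six the guide puts on the tls-cipher line.
suite_allowed() {
    case $1 in
        TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 | TLS-DHE-RSA-WITH-AES-128-GCM-SHA256) return 0 ;;
        TLS-DHE-RSA-WITH-AES-256-CBC-SHA | TLS-DHE-RSA-WITH-AES-128-CBC-SHA) return 0 ;;
        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA) return 0 ;;
    esac
    return 1
}

# Print one FAIL line per deviation; the exit status is the number of deviations.
audit_server_conf() {  # usage: audit_server_conf FILE
    f=$1
    findings=0
    fail() { echo "FAIL $*"; findings=$((findings + 1)); }

    # Directives that must carry exactly the value set in the guide.
    for pair in "cipher AES-256-CBC" "auth SHA512" "verb 0" \
                "user openvpn_server" "group nogroup"; do
        name=${pair%% *}; want=${pair#* }
        got=$(conf_get "$f" "$name")
        [ "$got" = "$want" ] || fail "$name: want '$want', got '${got:-unset}'"
    done

    # tls-auth must be active and use key direction 0 on the server side.
    case "$(conf_get "$f" tls-auth)" in
        "")    fail "tls-auth: directive missing, handshake packets are not HMAC-checked" ;;
        *" 0") ;;
        *)     fail "tls-auth: the server side must use key direction 0" ;;
    esac

    # Every configured control-channel suite must be on the guide's list.
    suites=$(conf_get "$f" tls-cipher)
    [ -n "$suites" ] || fail "tls-cipher: directive missing, any mutually supported suite is accepted"
    old_ifs=$IFS; IFS=:
    for s in $suites; do
        suite_allowed "$s" || fail "tls-cipher: '$s' is not on the guide's list"
    done
    IFS=$old_ifs
    return "$findings"
}

# Constructed sample: a server.conf fragment with two deviations from the guide
# (tls-auth still commented out, one extra suite on the tls-cipher line).
sample=$(mktemp)
cat > "$sample" <<'EOF'
cipher AES-256-CBC
auth SHA512
;tls-auth ta.key 0 # This file is secret
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA
user openvpn_server
group nogroup
verb 0
EOF
audit_server_conf "$sample" || echo "$? deviation(s) found"
rm -f "$sample"
```

On the server itself, run audit_server_conf /etc/openvpn/server.conf after finishing the edits.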
30.1. Generate the Diffie-Hellman PEM file
The Diffie-Hellman parameter is a piece of randomly generated data used when establishing forward secrecy during the creation of a client’s session key. Create the file by running:
openssl dhparam 2048 > /etc/openvpn/dh2048.pem
The output will look like this:
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................................................+........................
Generating the Diffie-Hellman parameter will take about 1 minute or less to complete. The resulting file will be /etc/openvpn/dh2048.pem, where 2048 indicates the bit length of the Diffie-Hellman parameter.
The Diffie-Hellman PEM file can be arbitrarily deleted and regenerated without needing to change server or client settings.
30.2. Generate the HMAC key file
First create the keys directory:
cd /etc/openvpn/easy-rsa
mkdir keys
Generate the HMAC key file:
openvpn --genkey secret /etc/openvpn/easy-rsa/keys/ta.key
30.3. Server Credentials
It’s necessary to run the next commands while in the /etc/openvpn/easy-rsa directory, therefore navigate there:
cd /etc/openvpn/easy-rsa
30.3.1. Create the root certificate or Certificate Authority file
A root certificate, sometimes called a Certificate Authority, is the certificate that will be used to generate the client key pairs. First create the pki directory by running:
./easyrsa init-pki
Create the Certificate Authority file by running:
./easyrsa build-ca
You will be prompted to enter a CA Key Passphrase twice. Enter a passphrase and write it down in a secure place. When you are prompted to enter the ‘Common Name’, enter the hostname of your server (the content of the /etc/hostname file), mail.example.com, and press Enter. The Certificate Authority file /etc/openvpn/easy-rsa/pki/ca.crt will be created.
Generate the server certificate and key by running:
./easyrsa build-server-full mail.example.com nopass
The nopass option disables password protection for the key file. You will be prompted to enter the CA Key Passphrase that you saved earlier. The command will generate two important files: the server’s key:
/etc/openvpn/easy-rsa/pki/private/mail.example.com.key
and the server’s certificate:
/etc/openvpn/easy-rsa/pki/issued/mail.example.com.crt
30.4. Client credentials
You have to generate a unique set of credentials for each client that will connect to the VPN server. You can repeat this step for any client that you need to create credentials for.
All clients should have a unique name. Change client1 in the following lines to a descriptive name of your choice that you will be able to associate with the client:
./easyrsa build-client-full client1 nopass
After you enter the CA Key Passphrase created earlier, the command will generate the client’s key:
/etc/openvpn/easy-rsa/pki/private/client1.key
and the client’s certificate:
/etc/openvpn/easy-rsa/pki/issued/client1.crt
30.4.1. Client configuration file
Each client needs a configuration file defining the OpenVPN server’s settings for it. You can’t save this configuration file in /etc/openvpn, because the server.conf file is located there. You will have to store it in the /etc/openvpn/easy-rsa/keys/client1 folder along with the other client files, even if this file doesn’t need to be kept secret. First create a directory for the credentials of client1:
mkdir /etc/openvpn/easy-rsa/keys/client1
Copy the client.conf template from the /usr/share/doc/openvpn/examples/sample-config-files directory to the /etc/openvpn/easy-rsa/keys/client1 directory. Clients usually require an .ovpn file instead of a .conf file, therefore, change the file extension when copying the file:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client1/client.ovpn
Open the /etc/openvpn/easy-rsa/keys/client1/client.ovpn file for editing:
nano /etc/openvpn/easy-rsa/keys/client1/client.ovpn
Update the remote line with the IP address of the server:
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 123.123.123.123 1194
Replace 123.123.123.123 with the public IP of your server. A hostname would work too but for security reasons it’s recommended to connect by IP and bypass the DNS lookup.
Tell the client-side OpenVPN service to drop root privileges by specifying a user and a group. This is for non-Windows client machines only. If you use Windows, you should comment out the user and group parameters here by placing a semicolon in front of them.
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
Further down in the file, edit the ca, cert and key lines to reflect the names and locations on the client device. If you use Linux, the paths will be as shown below:
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key
If you use Windows, the paths will be completely different, namely:
ca ca.crt
cert client1.crt
key client1.key
Tell the client to use the HMAC key generated earlier:
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth /etc/openvpn/keys/ta.key 1
If you use Windows, instead of the line from above you will enter:
tls-auth ta.key 1
Also enable compression like this:
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
Since the VPN server was told to force certain cryptographic settings in its config file, the clients must have the same settings. Add the following two lines right below cipher AES-256-CBC, like this:
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
If you use Windows, add this parameter at the end of the file, to prevent password caching:
auth-nocache
Copy all the files necessary for client1 into the /etc/openvpn/easy-rsa/keys/client1 directory:
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/keys/client1
cp /etc/openvpn/easy-rsa/pki/issued/client1.crt /etc/openvpn/easy-rsa/keys/client1
cp /etc/openvpn/easy-rsa/pki/private/client1.key /etc/openvpn/easy-rsa/keys/client1
cp /etc/openvpn/easy-rsa/keys/ta.key /etc/openvpn/easy-rsa/keys/client1
30.4.2. Pack all the necessary client files into a tarball to transfer them
The specific files are:
/etc/openvpn/easy-rsa/keys/client1/ca.crt
/etc/openvpn/easy-rsa/keys/client1/client1.crt
/etc/openvpn/easy-rsa/keys/client1/client1.key
/etc/openvpn/easy-rsa/keys/client1/client.ovpn
/etc/openvpn/easy-rsa/keys/client1/ta.key
To create the archive necessary to transfer the required files to the client machine, run the following command:
cd /etc/openvpn/easy-rsa/keys
tar czf /etc/openvpn/client1.tar.gz client1
30.5. Open the port in the firewall
Open the necessary port in the firewall using ufw:
ufw allow 1194/udp
Since you don’t need IPv6 for OpenVPN, you can delete the allow rule for port 1194/udp for IPv6. Run:
ufw status numbered
The output of this command will look like this:
...
[15] 1194/udp (v6) ALLOW IN Anywhere (v6)
...
In this case, the number of the rule that has to be deleted is 15. To remove the rule, run:
ufw delete 15
Replace 15 with your number.
It’s assumed that you already have the HTTP and HTTPS ports (80 and 443) opened in the firewall.
The kernel must be told that it can forward incoming IPv4 traffic. Edit the /etc/sysctl.d/99-sysctl.conf file:
nano /etc/sysctl.d/99-sysctl.conf
Add the following line at the end of the file:
net.ipv4.ip_forward=1
Activate the sysctl change:
sysctl -p
The ufw forwarding policy needs to be set as well. You’ll do this in the /etc/default/ufw file:
nano /etc/default/ufw
Look for the following line:
DEFAULT_FORWARD_POLICY="DROP"
This must be changed from DROP to ACCEPT. It should look like this:
DEFAULT_FORWARD_POLICY="ACCEPT"
Next, you will add additional ufw rules for network address translation and IP masquerading of connected clients:
nano /etc/ufw/before.rules
Add the lines between # START OPENVPN RULES and # END OPENVPN RULES, like this:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
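# Masquerade traffic from the OpenVPN client subnet leaving via eth0
# (10.8.0.0/24 matches "server 10.8.0.0 255.255.255.0" in the sample server.conf)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE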
COMMIT
# END OPENVPN RULES
Replace eth0 with the actual name of your server’s network interface, given by the ifconfig command.
Restart ufw in order to apply the new changes:
systemctl restart ufw
Enable and restart the openvpn service:
systemctl enable openvpn
systemctl restart openvpn
If you run ifconfig, the output should show a new network interface called tun0, created by OpenVPN:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
...
30.6. Transfer client credentials to the client machine
If you use a Linux client machine, follow the instructions below.
You can transfer the /etc/openvpn/client1.tar.gz archive containing all the needed client credentials to the client machine using an FTP client like FileZilla. You can also transfer it by using the Secure Copy Protocol (SCP): on the client Linux computer open a terminal and run:
scp -P 6283 username@123.123.123.123:/etc/openvpn/client1.tar.gz /tmp
Where 6283 is the custom SSH port of the remote Debian server, 123.123.123.123 is its public IP address and username is the username of the SSH user. This command will download the archive to the /tmp directory.
We won’t describe how to transfer the client credentials to a Windows or macOS client machine or how to configure such a machine to connect to OpenVPN. The whole point of this guide is to help users preserve their digital freedom. Whoever uses Windows or macOS instead of Linux on their computers willingly gives up a substantial portion of their digital freedom.
30.7. Configure a Linux client machine to use OpenVPN
The following settings are intended for a Debian 11 client (with the Mate desktop environment), but they can be adapted to other distributions. Configure VPN connections using the same method you would use to configure ethernet or wireless connections. These steps assume you are using Network Manager for your network management.
Install the network-manager-openvpn and network-manager-openvpn-gnome packages. This will also install the necessary dependencies, including the openvpn package:
apt-get update
apt-get install network-manager-openvpn network-manager-openvpn-gnome
Enable the openvpn service, so that it starts at system startup, then start it:
systemctl enable openvpn
systemctl start openvpn
Create a keys directory in /etc/openvpn:
mkdir /etc/openvpn/keys
Then extract the /tmp/client1.tar.gz archive (that has been downloaded earlier to /tmp) into the newly created directory:
tar xf /tmp/client1.tar.gz -C /etc/openvpn/keys --strip-components=1
The client.ovpn file has to be placed in the /etc/openvpn directory, so move it there:
mv /etc/openvpn/keys/client.ovpn /etc/openvpn
Go to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, select Ethernet, then click on the + sign at the bottom of the window to add a new connection. In the ‘Choose a Connection Type’ window, select OpenVPN from the drop-down list:

Click ‘Create…’ .

In the new window, on the ‘VPN’ tab, in the ‘Gateway’ field, enter the public IPv4 address of your remote Debian server, in the ‘Type’ drop-down list choose ‘Certificates (TLS)’, then in the ‘CA certificate’ field, click on the folder icon and choose from your computer the /etc/openvpn/keys/ca.crt file, in the ‘User certificate’ field choose /etc/openvpn/keys/client1.crt, in the ‘User private key’ field choose /etc/openvpn/keys/client1.key, then, on the same tab, click the ‘Advanced’ button.

On the general tab enable LZO compression by checking the ‘Data compression’ checkbox and selecting ‘LZO’ in the corresponding drop-down list. Next, click on the ‘Security’ tab.

On the ‘Security’ tab, in the ‘Cipher’ field choose AES-256-CBC and in the ‘HMAC Authentication’ field choose SHA-512, as shown above. Then click on the ‘TLS Authentication’ tab.

On the ‘TLS Authentication’ tab, in the ‘Server Certificate Check’ field, choose ‘Verify whole subject exactly’, in the ‘Subject Match’ field enter CN=mail.example.com, where mail.example.com is the content of the remote server’s /etc/hostname file. Check the ‘Verify peer (server) certificate usage signature’ checkbox and select ‘Server’ next to ‘Remote peer certificate TLS type:’. Also, under ‘Additional TLS authentication or encryption’, in the ‘Mode’ field choose ‘TLS-Auth’, in the ‘Key File’ field click on the folder icon and choose from your computer the /etc/openvpn/keys/ta.key file and in the ‘Key Direction’ field choose 1, click OK, then click on the ‘IPv4 Settings’ tab.

On the ‘IPv4 Settings’ tab, in the ‘Method’ field choose ‘Automatic (VPN) addresses only’ and in the ‘DNS servers’ field enter the IP addresses of the DNS servers that you configured in the /etc/openvpn/server.conf file, on the push dhcp-option lines, separated by a comma. Here we use the OpenDNS servers: 208.67.222.222 and 208.67.220.220. Then click on the ‘IPv6 Settings’ tab.

On the ‘IPv6 Settings’ tab, in the ‘Method’ field choose ‘Ignore’, since you won’t use IPv6, then click ‘Save’.
Next, disable IPv6 for the main wired/wireless connection of the client Linux machine: go to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, under Ethernet select ‘Wired connection 1’, then click on the small ‘Edit the selected connection’ button at the bottom of the window. Then click on the ‘IPv6 Settings’ tab.

On the ‘IPv6 Settings’ tab, next to ‘Method’ choose ‘Ignore’.
Restart the networking service:
systemctl restart networking
Remember also to disable the WebRTC (Web Real-Time Communication) service in the browser that you are going to use to connect to your OpenVPN server, because if enabled, WebRTC can send some information about LAN IPs over the Internet betraying the real IP of the client machine. Since WebRTC is enabled by default in all major browsers, and since it is needed in order to use other components of the RED SCARF Suite, such as SIP Trip Phone or Roundpin, it’s recommended to have a separate browser with WebRTC disabled, that you’ll use for browsing through VPN, while all the other browsers can have WebRTC enabled. A good choice for such a browser that you can use for surfing through VPN is GNU IceCat (https://ftp.gnu.org/gnu/gnuzilla/), which is a customized version of Firefox. To make IceCat really usable you should disable all the extensions that are installed and enabled by default and then install only uBlock Origin from https://addons.mozilla.org/en-US/firefox/search/?platform=linux&q=ublock .
30.7.1. Disable the WebRTC service in Firefox/IceCat
To disable the WebRTC service in IceCat/Firefox, type about:config in the address bar of your browser, click ‘I accept the risk’, then search for media.peerconnection.enabled. Double-click on it to set it to false.
30.7.2. Disable the WebRTC service in Opera
Install the ‘WebRTC Leak Prevent’ extension and in its Options, select: ‘Disable non-proxied UDP (force Proxy)’.
30.7.3. Connect the client machine to the OpenVPN server
Click on the ‘Ethernet network connection’ icon in the taskbar, then hover over ‘VPN Connections’ and click on ‘VPN Connection 1’. A system notification will inform you that the VPN connection has been established successfully. From this point, when you open a browser, you will automatically connect through the VPN. If you access sites like https://www.whatsmyip.org/ you will see that your IP address is seen on the Internet as that of your server and not that of your client machine.
You can check if you have DNS leaks by running the test on https://www.dnsleaktest.com/ . When the test finishes, if you don’t find the name of the ISP of your client machine in the list of results, it means that there are no DNS leaks. You can still have ‘WebRTC leaks’. To check for this, you can access https://ipleak.net/ . In the “Your IP addresses – WebRTC detection” section, it should say: “No leak, RTCPeerConnection not available”. When you have WebRTC leaks, your client machine’s IPv6 may be detected and listed. That is why it’s so important to disable WebRTC in the browser and to disable IPv6 connectivity on the client machine.
30.7.4. Reenable IPv6 on the client machine when needed
When you don’t use your VPN connection, if you want to have IPv6 connectivity on your client machine again, you can reenable it as follows: go to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, under Ethernet select ‘Wired connection 1’, then click on the small ‘Edit the selected connection’ button at the bottom of the window. Then click on the ‘IPv6 Settings’ tab. On the ‘IPv6 Settings’ tab, next to ‘Method’ choose ‘Automatic’, then click ‘Save’.
Restart the networking service:
systemctl restart networking
30.8. Revoke a VPN Client Certificate
To remove a client device’s access to the VPN you have to revoke its certificate. First navigate to /etc/openvpn/easy-rsa:
cd /etc/openvpn/easy-rsa
Then run:
./easyrsa revoke client1
where client1 is the name of the client whose certificate you want to revoke. You will be asked to confirm and then you’ll have to enter the CA Key Passphrase. The command will revoke the certificate and will delete the /etc/openvpn/easy-rsa/pki/private/client1.key file and the /etc/openvpn/easy-rsa/pki/issued/client1.crt file.
Next, generate a new Certificate Revocation List (CRL) by running:
./easyrsa gen-crl
Enter the CA Key Passphrase again and press Enter.
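The following script is an added example, not part of the original guide: it checks the status Easy-RSA recorded for a client in its pki/index.txt database and whether server.conf references a CRL through OpenVPN's crl-verify directive, which the server.conf edits in this guide do not add and without which the server does not consult the CRL. The function names and sample data are constructed; on the server the inputs would be /etc/openvpn/server.conf and /etc/openvpn/easy-rsa/pki/index.txt.

```shell
#!/bin/sh
# Added example (not from the guide): check that a revocation is recorded and enforceable.

# Status Easy-RSA recorded for a common name in pki/index.txt (OpenSSL CA
# database: tab-separated, field 1 is V/R/E, the last field is the subject DN).
# Prints V if any valid certificate remains, R if only revoked ones, else unknown.
cert_status() {  # usage: cert_status INDEX_FILE COMMON_NAME
    awk -F '\t' -v cn="$2" '
        {
            n = split($NF, rdn, "/")
            for (i = 1; i <= n; i++)
                if (rdn[i] == "CN=" cn) { if ($1 == "V") valid++; else if ($1 == "R") revoked++ }
        }
        END { print (valid ? "V" : (revoked ? "R" : "unknown")) }
    ' "$1"
}

# Succeeds only if the client has no valid certificate left AND the server
# config has an active crl-verify line pointing at a readable CRL file.
# Exit status: 0 enforced, 1 not revoked, 2 no crl-verify, 3 CRL file unreadable.
revocation_enforced() {  # usage: revocation_enforced SERVER_CONF INDEX_FILE COMMON_NAME
    st=$(cert_status "$2" "$3")
    if [ "$st" != "R" ]; then
        echo "$3: index.txt status is '$st', certificate is not revoked"
        return 1
    fi
    # First uncommented crl-verify directive ('#' and ';' start comments).
    crl=$(awk '{ sub(/[#;].*/, "") } $1 == "crl-verify" { print $2; exit }' "$1")
    if [ -z "$crl" ]; then
        echo "$3: revoked in index.txt, but server.conf has no crl-verify line"
        return 2
    fi
    if [ ! -r "$crl" ]; then
        echo "$3: crl-verify points at '$crl', which is missing or unreadable"
        return 3
    fi
    echo "$3: revoked, and CRL '$crl' is referenced by the server"
    return 0
}

# Constructed sample data: client1 revoked, client2 still valid.
work=$(mktemp -d)
printf 'V\t330101000000Z\t\t01\tunknown\t/CN=mail.example.com\n'      >  "$work/index.txt"
printf 'R\t330101000000Z\t240501120000Z\t02\tunknown\t/CN=client1\n' >> "$work/index.txt"
printf 'V\t330101000000Z\t\t03\tunknown\t/CN=client2\n'              >> "$work/index.txt"
printf 'auth SHA512\n;crl-verify %s/crl.pem\n' "$work" > "$work/server.conf"

# First run: crl-verify is still commented out, so the revocation is not enforced.
revocation_enforced "$work/server.conf" "$work/index.txt" client1 || true

# Second run: an empty file stands in for pki/crl.pem and the directive is active.
: > "$work/crl.pem"
printf 'crl-verify %s/crl.pem\n' "$work" >> "$work/server.conf"
revocation_enforced "$work/server.conf" "$work/index.txt" client1
rm -rf "$work"
```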
30.9. Upgrading OpenVPN
Since OpenVPN has been installed from the official Debian repository, to upgrade it, all you need to do is run apt-get update && apt-get dist-upgrade at the frequency described in the Maintenance steps chapter. This command will upgrade OpenVPN if there is a new version available. During these upgrades, the configuration changes implemented as described above will be preserved.