- https://tecadmin.net/install-openvpn-debian-10/
- ======
- SERVER
- ======
- $ apt-get update -y
- $ apt-get upgrade -y
- $ apt-get install openvpn -y
- $ cp -r /usr/share/easy-rsa /etc/openvpn/
- $ cd /etc/openvpn/easy-rsa
- $ nano vars
- edit the values in this file to match your own setup
- $ ./easyrsa init-pki
- $ ./easyrsa build-ca
- you will be prompted to choose a passphrase for the CA key
- afterwards you will have ca.key and ca.crt
- $ ./easyrsa gen-req tecadmin-server nopass
- now you have the certificate request tecadmin-server.req and the private key tecadmin-server.key
- $ ./easyrsa sign-req server tecadmin-server
- now you have the signed certificate tecadmin-server.crt
- $ openssl verify -CAfile pki/ca.crt pki/issued/tecadmin-server.crt
- pki/issued/tecadmin-server.crt: OK
- $ ./easyrsa gen-dh
- you'll have the Diffie-Hellman parameters file dh.pem
- $ cp pki/ca.crt /etc/openvpn/server/
- $ cp pki/dh.pem /etc/openvpn/server/
- $ cp pki/private/tecadmin-server.key /etc/openvpn/server/
- $ cp pki/issued/tecadmin-server.crt /etc/openvpn/server/
- $ ./easyrsa gen-req client nopass
- you'll have the certificate request client.req and the private key client.key
- $ ./easyrsa sign-req client client
- you'll have the signed certificate client.crt
- $ cp pki/ca.crt /etc/openvpn/client/
- $ cp pki/issued/client.crt /etc/openvpn/client/
- $ cp pki/private/client.key /etc/openvpn/client/
- $ nano /etc/openvpn/server.conf
- #I commented out redirect-gateway def1 because I don't want my server to become a proxy for my clients.
- #I just want them to connect and be able to reach each other.
- #####
- port 1194
- proto udp
- dev tun
- ca /etc/openvpn/server/ca.crt
- cert /etc/openvpn/server/tecadmin-server.crt
- key /etc/openvpn/server/tecadmin-server.key
- dh /etc/openvpn/server/dh.pem
- server 10.8.0.0 255.255.255.0
- #push "redirect-gateway def1"
- push "dhcp-option DNS 208.67.222.222"
- push "dhcp-option DNS 208.67.220.220"
- duplicate-cn
- cipher AES-256-CBC
- tls-version-min 1.2
- tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
- auth SHA512
- auth-nocache
- keepalive 20 60
- persist-key
- persist-tun
- compress lz4
- daemon
- user nobody
- group nogroup
- log-append /var/log/openvpn.log
- verb 3
- #####
- $ systemctl start openvpn@server
- $ systemctl enable openvpn@server
- $ systemctl status openvpn@server
- $ ip a show tun0
- Done.
- Run these to print the CA certificate, client certificate and client private key; paste their contents into the matching sections of client.ovpn on the client.
- $ cat pki/ca.crt
- $ cat pki/issued/client.crt
- $ cat pki/private/client.key
- ======
- CLIENT
- ======
- $ apt-get install openvpn -y
- $ nano client.ovpn
- #####
- client
- dev tun
- proto udp
- remote vpn-server-ip 1194
- ca ca.crt
- cert client.crt
- key client.key
- cipher AES-256-CBC
- auth SHA512
- auth-nocache
- tls-version-min 1.2
- tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
- resolv-retry infinite
- compress lz4
- nobind
- persist-key
- persist-tun
- mute-replay-warnings
- verb 3
- <ca>
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-----
- </ca>
- <cert>
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-----
- </cert>
- <key>
- -----BEGIN PRIVATE KEY-----
- .....
- -----END PRIVATE KEY-----
- </key>
- #####
- $ openvpn --config client.ovpn