Setting OpenVPN Debian

1. https://tecadmin.net/install-openvpn-debian-10/
2.  
3. ======
4. SERVER
5. ======
6.  
7. $ apt-get update -y
8. $ apt-get upgrade -y
9. $ apt-get install openvpn -y
10. $ cp -r /usr/share/easy-rsa /etc/openvpn/
11. $ cd /etc/openvpn/easy-rsa
12. $ nano vars
13. change it
14. $ ./easyrsa init-pki
15. $ ./easyrsa build-ca
16. you will need a passphrase
17. then you'll have ca.key and ca.crt
18. $ ./easyrsa gen-req tecadmin-server nopass
19. now you have certificates files tecadmin-server.req and tecadmin-server.key
20. $ ./easyrsa sign-req server tecadmin-server
21. now you have certificate signed tecadmin-server.crt
22. $ openssl verify -CAfile pki/ca.crt pki/issued/tecadmin-server.crt
23. pki/issued/tecadmin-server.crt: OK
24. $ ./easyrsa gen-dh
25. you'll have diffie-helman key dh.pem
26. $ cp pki/ca.crt /etc/openvpn/server/
27. $ cp pki/dh.pem /etc/openvpn/server/
28. $ cp pki/private/tecadmin-server.key /etc/openvpn/server/
29. $ cp pki/issued/tecadmin-server.crt /etc/openvpn/server/
30. $ ./easyrsa gen-req client nopass
31. you'll have client.req and client.key
32. $ ./easyrsa sign-req client client
33. you'll have signed certificate client.crt
34. $ cp pki/ca.crt /etc/openvpn/client/
35. $ cp pki/issued/client.crt /etc/openvpn/client/
36. $ cp pki/private/client.key /etc/openvpn/client/
37. $ nano /etc/openvpn/server.conf
38. #I commented redirect-gateway def1 because I don't want my server become a proxy of my client.
39. #I just want them to connect and able to call each other.
40.  
41. #####
42. port 1194
43. proto udp
44. dev tun
45. ca /etc/openvpn/server/ca.crt
46. cert /etc/openvpn/server/tecadmin-server.crt
47. key /etc/openvpn/server/tecadmin-server.key
48. dh /etc/openvpn/server/dh.pem
49. server 10.8.0.0 255.255.255.0
50. #push "redirect-gateway def1"
51.  
52. push "dhcp-option DNS 208.67.222.222"
53. push "dhcp-option DNS 208.67.220.220"
54. duplicate-cn
55. cipher AES-256-CBC
56. tls-version-min 1.2
57. tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
58. auth SHA512
59. auth-nocache
60. keepalive 20 60
61. persist-key
62. persist-tun
63. compress lz4
64. daemon
65. user nobody
66. group nogroup
67. log-append /var/log/openvpn.log
68. verb 3
69. #####
70.  
71. $ systemctl start openvpn@server
72. $ systemctl enable openvpn@server
73. $ systemctl status openvpn@server
74. $ ip a show tun0
75.  
76. Finish.
77. You will need to call these to fill some values on client.ovpn on client.
78. $ cat pki/ca.crt
79. $ cat pki/issued/client.crt
80. $ cat pki/private/client.key
81.  
82. ======
83. CLIENT
84. ======
85.  
86. $ apt-get install openvpn -y
87. $ nano client.ovpn
88.  
89. #####
90. client
91. dev tun
92. proto udp
93. remote vpn-server-ip 1194
94. ca ca.crt
95. cert client.crt
96. key client.key
97. cipher AES-256-CBC
98. auth SHA512
99. auth-nocache
100. tls-version-min 1.2
101. tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
102. resolv-retry infinite
103. compress lz4
104. nobind
105. persist-key
106. persist-tun
107. mute-replay-warnings
108. verb 3
109. <ca>
110. -----BEGIN CERTIFICATE-----
111. ...
112. -----END CERTIFICATE-----
113. </ca>
114. <cert>
115. -----BEGIN CERTIFICATE-----
116. ...
117. -----END CERTIFICATE-----
118. </cert>
119. <key>
120. -----BEGIN PRIVATE KEY-----
121. .....
122. -----END PRIVATE KEY-----
123. </key>
124. #####
125.  
126. $ openvpn --config client.ovpn