OpenVPN Server Installation and Configuration on Debian 11

What Will You Learn in This Guide?

In this guide you will learn how to set up an OpenVPN server on Debian 11, have its certificates signed by a CA (Certificate Authority) that lives on a separate host, generate the Diffie-Hellman parameters and the TLS-Auth key, deliver the client side as a single .ovpn file with all keys embedded, and finish the whole configuration end to end.

🧠 Stage 1 — Technical Analysis (Summary)

Area                   Description
Main technical topic   Installing OpenVPN on Debian 11
Solved problem         Creating an encrypted VPN tunnel from untrusted networks to private resources
Technologies used      OpenVPN, Easy-RSA, PKI, TLS-Auth, AES-256-CBC, UFW NAT
User steps             Setup → CSR → CA signing → DH → TLS-Auth → server.conf → NAT → Service → .ovpn

📋 Prerequisites

  • Debian 11 OpenVPN server (db-vpn-01)
  • Debian 11 CA server (db-ca-01), kept separate from the VPN server
  • A user with sudo privileges on both hosts (devuser in the examples below)
  • Easy-RSA installed on both hosts in ~/easy-rsa, with the CA already initialised on db-ca-01
  • UFW installed and enabled on the VPN server

🚀 Step 1 — OpenVPN Installation

Install the OpenVPN package from Debian repositories:

sudo apt update
sudo apt install openvpn

🚀 Step 2 — Server Certificate, Key and DH/TLS-Auth Files

1️⃣ Creating a server CSR (Certificate Signing Request)


cd ~/easy-rsa
./easyrsa gen-req server nopass

This creates the server's private key (pki/private/server.key) and a certificate signing request (pki/reqs/server.req) for the CA to sign. nopass leaves the key unencrypted so the openvpn service can start unattended; the key must therefore never leave this host and must keep restrictive permissions.

2️⃣ Move private key to OpenVPN directory


sudo cp pki/private/server.key /etc/openvpn/

3️⃣ Sending CSR to CA server


scp pki/reqs/server.req devuser@CA_IP:/tmp

🛡️ Step 3 — Signing a Certificate on the CA Server

Import CSR on CA side:


cd ~/easy-rsa
./easyrsa import-req /tmp/server.req server

Sign the server certificate:


./easyrsa sign-req server server

Copy the signed server certificate and the CA certificate back to the VPN server (run on the CA server):


scp pki/issued/server.crt devuser@VPN_IP:/tmp
scp pki/ca.crt devuser@VPN_IP:/tmp

Then, on the VPN server, move them into place:

sudo cp /tmp/{server.crt,ca.crt} /etc/openvpn/

Diffie-Hellman parameters (DH), generated on the VPN server


cd ~/easy-rsa
./easyrsa gen-dh
sudo cp pki/dh.pem /etc/openvpn/

Generate a TLS-Auth key


sudo openvpn --genkey secret ta.key
sudo cp ta.key /etc/openvpn/

TLS-Auth adds an HMAC signature, keyed with the pre-shared ta.key, to every control-channel packet. The server silently drops any packet that does not carry a valid HMAC before it reaches the TLS handshake, which blunts UDP floods, port scans and attacks on the TLS stack from unauthenticated peers. Because ta.key is shared by the server and every client, it must travel only over scp/sftp, never by e-mail or chat.


🚀 Step 4 — Client Certificate and Key

Create a directory for client material (on the VPN server)


mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs

CSR creation


cd ~/easy-rsa
./easyrsa gen-req client1 nopass
cp pki/private/client1.key ~/client-configs/keys/
scp pki/reqs/client1.req devuser@CA_IP:/tmp

Sign on the CA server


./easyrsa import-req /tmp/client1.req client1
./easyrsa sign-req client client1

Copy back to the VPN server (first command on the CA server, the rest on the VPN server)


scp pki/issued/client1.crt devuser@VPN_IP:/tmp
cp /tmp/client1.crt ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
sudo cp ~/easy-rsa/ta.key ~/client-configs/keys/

⚙️ Step 5 — OpenVPN Server Configuration

Copy the sample configuration into place and edit it:


sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
sudo nano /etc/openvpn/server.conf

Mandatory settings in server.conf

TLS-Auth key


tls-auth ta.key 0

Strong encryption


cipher AES-256-CBC
auth SHA256

Note that the OpenVPN 2.5 shipped with Debian 11 negotiates the data-channel cipher from its data-ciphers list (AES-256-GCM and AES-128-GCM by default) with any client that supports negotiation, and adds the value given to cipher to that list; so with this setting most sessions will use AES-256-GCM, while cipher still governs older clients that cannot negotiate.

DH file


dh dh.pem

Drop privileges after startup (the sample file's persist-key and persist-tun lines let the tunnel restart without root afterwards)


user nobody
group nogroup

Route all client traffic through the VPN (optional). The two pushed DNS servers are OpenDNS resolvers, so that name resolution also goes through the tunnel; substitute your own resolvers if you prefer:


push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
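The fragments above have to be merged into the sample file by hand, and it is easy to leave one of them commented out. As an added example (my own code, not part of the original guide), the following shell functions write one complete hardened server.conf that combines the Step 5 settings with the base directives from the upstream sample file, and audit an existing server.conf for the mandatory settings. The 10.8.0.0/24 subnet matches the NAT rule used later in this guide; the log paths, the keepalive/topology/persist lines and the data-ciphers line are my assumptions, not something the guide specifies.

```shell
#!/bin/sh
# Added example, not part of the original guide: assemble the Step 5
# settings into one complete server.conf and audit an existing file for
# them. Paths and the 10.8.0.0/24 subnet are assumptions matching this guide.

# write_server_conf OUTFILE
# Writes a complete server.conf: the base directives from the upstream
# sample file plus the mandatory settings from Step 5.
write_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
# PKI material installed into /etc/openvpn in Steps 2 and 3
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC-sign control-channel packets with the shared ta.key (server side = 0)
tls-auth ta.key 0
# VPN subnet; must match the MASQUERADE rule in /etc/ufw/before.rules
server 10.8.0.0 255.255.255.0
topology subnet
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
# Data channel: OpenVPN 2.5 negotiates from data-ciphers; cipher covers
# clients without cipher negotiation
data-ciphers AES-256-GCM:AES-256-CBC
cipher AES-256-CBC
auth SHA256
# Drop root after the socket is bound and the keys are read
user nobody
group nogroup
persist-key
persist-tun
# Uncomment after generating a CRL on the CA server (see FAQ 4)
#crl-verify crl.pem
status /var/log/openvpn/openvpn-status.log
verb 3
# Optional: route all client traffic and DNS through the tunnel
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
EOF
}

# require_directive FILE REGEX LABEL
# Succeeds if REGEX matches an active (uncommented) line of FILE; otherwise
# prints "missing: LABEL" and fails. The ^ anchor skips lines commented
# out with ';' or '#', which is how the sample file disables directives.
require_directive() {
    if grep -Eq "$2" "$1"; then
        return 0
    fi
    echo "missing: $3"
    return 1
}

# audit_server_conf FILE
# Checks that every mandatory hardening directive from Step 5 is active.
# Returns 0 when all are present, 1 otherwise (one "missing:" line each).
audit_server_conf() {
    local rc=0
    require_directive "$1" '^tls-auth[[:space:]]+ta\.key[[:space:]]+0[[:space:]]*$' 'tls-auth ta.key 0' || rc=1
    require_directive "$1" '^(cipher|data-ciphers)[[:space:]]+AES-256-' 'cipher AES-256-CBC or data-ciphers AES-256-*' || rc=1
    require_directive "$1" '^auth[[:space:]]+SHA(256|384|512)[[:space:]]*$' 'auth SHA256 (or SHA384/SHA512)' || rc=1
    require_directive "$1" '^dh[[:space:]]+dh\.pem[[:space:]]*$' 'dh dh.pem' || rc=1
    require_directive "$1" '^user[[:space:]]+nobody[[:space:]]*$' 'user nobody' || rc=1
    require_directive "$1" '^group[[:space:]]+nogroup[[:space:]]*$' 'group nogroup' || rc=1
    return $rc
}
```

Running audit_server_conf against an unedited copy of the Debian sample file reports tls-auth, dh dh.pem, user and group as missing, because the sample ships those lines commented out with ';' or pointing at dh2048.pem; against the file written by write_server_conf it is silent and returns 0.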

🌐 Step 6 — IP Forwarding and NAT Setting (UFW)

Enable IP Forwarding


sudo nano /etc/sysctl.conf

Uncomment (or add) the following line:


net.ipv4.ip_forward=1

Apply it without rebooting:


sudo sysctl -p

Find the public network interface


ip route | grep default

The interface name follows "dev" in the output; on Debian 11 it is typically eth0, ens3 or enp0s3. Use that name in the NAT rule below in place of eth0 if yours differs.

Add UFW NAT rule


sudo nano /etc/ufw/before.rules

Add the following block at the top of the file, above the line that reads *filter (UFW loads the file top to bottom and the nat table must be declared before the filter table). Replace eth0 with the interface found above:


# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

The 10.8.0.0/24 source must match the VPN subnet declared by the server directive in server.conf (the sample file's default).

Forward policy

sudo nano /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

Open ports and reload UFW. Allow OpenVPN's UDP port and SSH (so you do not lock yourself out), then restart UFW so the new NAT rules and forward policy take effect:


sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable

▶️ Step 7 — Starting OpenVPN Service


sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
sudo systemctl status openvpn@server

🧩 Step 8 — Single-File Client Configuration

Create the base file:


cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
nano ~/client-configs/base.conf

Set the following. The four certificate/key lines are commented out because those files will be embedded inline; key-direction 1 is the client side of the tls-auth key; user/group apply to Linux clients only and are ignored on Windows. Keep the sample file's remote-cert-tls server line active so the client refuses a peer whose certificate was not issued for server use:


remote VPN_IP 1194
user nobody
group nogroup
key-direction 1
cipher AES-256-CBC
auth SHA256

#ca ca.crt
#cert client.crt
#key client.key
#tls-auth ta.key 1

🔧 make_config.sh — Single .ovpn File Generator


nano ~/client-configs/make_config.sh

#!/bin/bash
# Builds a single .ovpn for the client named in $1 by appending the CA
# certificate, the client certificate and key, and the tls-auth key to
# base.conf as inline <ca>/<cert>/<key>/<tls-auth> blocks.
KEY_DIR=/home/devuser/client-configs/keys
OUTPUT_DIR=/home/devuser/client-configs/files
BASE_CONFIG=/home/devuser/client-configs/base.conf

# The output directory is not created in the earlier steps.
mkdir -p ${OUTPUT_DIR}

cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn

Make it executable:


chmod 700 ~/client-configs/make_config.sh

📦 Step 9 — Creating a Client .ovpn File


cd ~/client-configs
sudo ./make_config.sh client1

To download:


sftp devuser@VPN_IP:client-configs/files/client1.ovpn ~/
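The generator above does no input validation and, because it is run under sudo, leaves a root-owned .ovpn with default permissions. As an added example covering Steps 8 and 9 (my own code, not the guide's script), here is a hardened replacement written as a shell function: it accepts only plain identifiers as client names (so a name like ../x cannot steer the paths outside the key directory), refuses to run if any of the inputs is missing, checks that base.conf carries key-direction 1 (an inline tls-auth block has no direction argument, so without it the tunnel will not come up), and creates the output with mode 0600. The /home/devuser paths are the guide's; the environment-variable overrides and the exit codes are my additions.

```shell
#!/bin/sh
# Added example, not the guide's own script: a hardened version of
# make_config.sh. Defaults are the guide's paths under /home/devuser and
# can be overridden through KEY_DIR, OUTPUT_DIR and BASE_CONFIG.

# make_ovpn CLIENT_NAME
# Builds OUTPUT_DIR/CLIENT_NAME.ovpn with ca.crt, CLIENT_NAME.crt,
# CLIENT_NAME.key and ta.key embedded, and prints its path on success.
# Exit codes: 1 bad client name, 2 missing input file, 3 base config
# lacks "key-direction 1" (required when tls-auth is given inline).
make_ovpn() {
    local name="$1"
    local key_dir="${KEY_DIR:-/home/devuser/client-configs/keys}"
    local out_dir="${OUTPUT_DIR:-/home/devuser/client-configs/files}"
    local base="${BASE_CONFIG:-/home/devuser/client-configs/base.conf}"
    local f out

    # Only plain identifiers (letters, digits, "_" and "-"): this blocks
    # "../", spaces and shell metacharacters, so $name cannot steer the
    # paths outside KEY_DIR or OUTPUT_DIR.
    case "$name" in
        '' | *[!A-Za-z0-9_-]* )
            echo "make_ovpn: invalid client name '$name'" >&2
            return 1 ;;
    esac

    # Fail before writing anything if any input is missing or unreadable.
    for f in "$base" "$key_dir/ca.crt" "$key_dir/$name.crt" \
             "$key_dir/$name.key" "$key_dir/ta.key"; do
        if [ ! -r "$f" ]; then
            echo "make_ovpn: missing or unreadable: $f" >&2
            return 2
        fi
    done

    # An inline <tls-auth> block carries no direction, so base.conf must set it.
    if ! grep -Eq '^key-direction[[:space:]]+1[[:space:]]*$' "$base"; then
        echo "make_ovpn: $base lacks 'key-direction 1'" >&2
        return 3
    fi

    mkdir -p "$out_dir"
    out="$out_dir/$name.ovpn"
    rm -f "$out"
    # The file carries a private key: create it 0600 (umask 077 inside a
    # subshell so the caller's umask is untouched) and write it in one go.
    (
        umask 077
        {
            cat "$base"
            echo '<ca>';       cat "$key_dir/ca.crt";    echo '</ca>'
            echo '<cert>';     cat "$key_dir/$name.crt"; echo '</cert>'
            echo '<key>';      cat "$key_dir/$name.key"; echo '</key>'
            echo '<tls-auth>'; cat "$key_dir/ta.key";    echo '</tls-auth>'
        } > "$out"
    )
    echo "$out"
}
```

Usage is the same as before (make_ovpn client1 from ~/client-configs, under sudo if ca.crt and ta.key were copied in as root); the difference is that a typo in the client name or a missing key now stops the run with a message instead of producing a half-empty .ovpn.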

❓ Frequently Asked Questions (FAQ)

1. Is OpenVPN UDP or TCP better?

UDP is faster, while TCP may be more stable on blocked networks.

2. Why should the CA be kept on a separate server?

Anyone holding the CA private key can sign certificates for arbitrary clients (and servers) that every peer will trust, so a CA compromise compromises the whole VPN. Keeping the CA on a separate host that never needs to be reachable from the Internet, and only ever exchanges CSRs and signed certificates with the VPN server, limits that exposure.

3. Is it safe to put all keys into one .ovpn file?

OpenVPN fully supports inline <ca>, <cert>, <key> and <tls-auth> blocks, and one file is easier to distribute than four. The file contains the client's private key and the shared ta.key, though, so treat it like a password: transfer it over sftp/scp (never e-mail or chat), keep it mode 600, and delete it from ~/client-configs/files once it has been delivered.

4. How do I revoke a client?

On the CA server, revoke the certificate and regenerate the CRL:


./easyrsa revoke client1
./easyrsa gen-crl

Copy pki/crl.pem to /etc/openvpn/ on the VPN server, enable CRL checking with the crl-verify crl.pem directive in server.conf and restart the service. The CRL itself has an expiry (Easy-RSA's default EASYRSA_CRL_DAYS is 180), and OpenVPN rejects every client once the CRL has expired, so regenerate and redeploy it before that date.

5. Can I run it on port 443?

Yes. Using port 443, usually together with proto tcp, makes the traffic look like HTTPS to simple port-based filters, which is especially useful on restricted corporate networks; remember to change the ufw allow rule and the client's remote line to match.

🎯 Result

You have now set up a working OpenVPN server on Debian 11: certificates issued by a separate CA, tls-auth on the control channel, NAT for client traffic, and a single-file client configuration.