ssh username@ipaddress
Enter the password when you’re asked to, and you’re ready to start setting up OpenVPN.
Before we start installing OpenVPN and its prerequisites, we should make sure all of the packages on our system are up to date. We can do that with the following command:
sudo apt-get update
This has apt, Debian’s package manager, download the latest package lists so it knows which packages have updates available. Then install those updates:
sudo apt-get upgrade
After our system has downloaded all its updates, we can finally install OpenVPN.
sudo apt-get install openvpn udev
Once the installation is done, you are ready to begin configuring OpenVPN. To begin, copy the easy-rsa scripts, which generate the certificates and keys, from their default directory into /etc/openvpn, where the cloud server expects to find them.
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
Now that you’ve done that, you can begin generating the RSA keys and certificates for your VPN. You will be asked to provide various values when you’re generating these keys. You can set these to whatever you would like to, but bear in mind that they will be included in the certificates you generate.
To begin, change into the following directory:
cd /etc/openvpn/easy-rsa/2.0/
Then generate the RSA files:
source ./vars
sudo ./clean-all
sudo ./build-ca
After the certificate is generated, you can make the private key for the server. To do this, type the following command, and change ‘server’ to what you’d like the name of your OpenVPN server to be. This script will also ask you for information.
sudo /etc/openvpn/easy-rsa/2.0/build-key-server server
Generate the Diffie-Hellman key exchange parameters.
sudo /etc/openvpn/easy-rsa/2.0/build-dh
Now generate a key for each client this installation of OpenVPN will host. Repeat this step for every client, making sure each client’s key identifier is unique.
sudo /etc/openvpn/easy-rsa/2.0/build-key client
Copy the server certificate and key files to the /etc/openvpn directory now. Replace server.crt and server.key with the file names that you used.
sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.key /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn
If you need to remove someone’s access to the VPN, just run the following commands, replacing ‘client1’ with the name of the client to be removed.
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
sudo ./revoke-full client1
Now that you have generated the files for your configuration, you can go ahead and configure your OpenVPN server and client. To retrieve the sample configuration files, execute the following commands:
sudo gunzip -d /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/
cd
Next, open the client configuration file and adjust it to match what you’d like it to do. First change the ‘remote’ option so that it points to your cloud server’s IP address and whichever port you configured OpenVPN to run on. Then change the ‘cert’ and ‘key’ values to the names of the client’s own certificate and key. After these values have been edited, save the file by pressing Ctrl+X, typing ‘y’, then hitting Enter.
nano ~/client.conf
Now copy the client configuration file, along with the client keys and certificates located in /etc/openvpn/easy-rsa/2.0/keys, to the local machines of the clients.
After you’ve done this, you just need to make a few changes to your server configuration file before we finalize. Change the files that the ‘cert’ and ‘key’ options point to in the following file to match the certificate and key that your server is using.
sudo nano /etc/openvpn/server.conf
After that’s finished, you’re ready to go! Just restart OpenVPN and you’ve got a working OpenVPN installation on Debian 6!
sudo /etc/init.d/openvpn restart
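Before restarting the daemon it is worth checking that the files server.conf points to actually fit together, because the failure modes of the steps above (a key that does not belong to the certificate, a certificate not signed by the ca.crt you hand to clients, a world-readable server.key) only show up as clients being refused or, worse, not at all. The following POSIX sh script is an added example and is not part of the original tutorial or of OpenVPN or easy-rsa; it assumes the openssl command-line tool is installed and that relative paths in server.conf are relative to the directory that holds server.conf. It also reports two things the tutorial does not mention: the dh1024.pem it generates is a 1024-bit group, which is considered weak today, and a revocation done with revoke-full only takes effect once server.conf carries a ‘crl-verify’ directive pointing at the generated CRL. The function names, the sample PKI and the file names in make_sample_pki are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check the PKI files that an
# OpenVPN server.conf points to before restarting the daemon. Assumes the layout the
# tutorial produces (ca.crt, server.crt, server.key, dh1024.pem beside server.conf) and
# the 'openssl' command-line tool. Relative paths in server.conf are resolved against the
# directory holding server.conf (an assumption; OpenVPN uses its cwd or 'cd' directive).

# Print the first argument of a directive from server.conf, skipping lines commented
# out with '#' or ';'. Exit status 1 when the directive is absent.
conf_value() {
    conf="$1"; directive="$2"
    val=$(sed -n "s/^[[:space:]]*${directive}[[:space:]]\{1,\}\([^[:space:]#;]*\).*/\1/p" "$conf" | head -n 1)
    [ -n "$val" ] || return 1
    case "$val" in
        /*) printf '%s\n' "$val" ;;
        *)  printf '%s\n' "$(dirname "$conf")/$val" ;;
    esac
}

# Print the bit length of a PEM DH parameter file (1024 for the tutorial's dh1024.pem).
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit status 0 when CA, certificate, key and DH parameters are consistent, 1 otherwise.
check_openvpn_pki() {
    conf="$1"; rc=0
    for d in ca cert key dh; do
        f=$(conf_value "$conf" "$d") || { echo "FAIL: no '$d' directive in $conf"; return 1; }
        [ -r "$f" ] || { echo "FAIL: '$d' points to missing file $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    ca=$(conf_value "$conf" ca); cert=$(conf_value "$conf" cert)
    key=$(conf_value "$conf" key); dh=$(conf_value "$conf" dh)
    # 1. server.crt must verify against ca.crt, the certificate clients are told to trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca"; rc=1; }
    # 2. server.key must be the private half of server.crt: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } ||
        { echo "FAIL: $key does not match $cert"; rc=1; }
    # 3. The private key must not be readable by other users on the server.
    [ -z "$(find "$key" -perm -004)" ] || { echo "FAIL: $key is world-readable"; rc=1; }
    # 4. DH parameters: 1024-bit groups are considered weak today; warn below 2048 bits.
    bits=$(dh_bits "$dh")
    [ -n "$bits" ] || { echo "FAIL: cannot parse DH parameters in $dh"; rc=1; }
    [ -z "$bits" ] || [ "$bits" -ge 2048 ] || echo "WARN: $dh is only $bits bits"
    # 5. A CRL produced by revoke-full is only consulted when 'crl-verify' is set.
    if crl=$(conf_value "$conf" crl-verify); then
        [ -r "$crl" ] || { echo "FAIL: crl-verify points to missing file $crl"; rc=1; }
    else
        echo "NOTE: no crl-verify directive; revoked client certificates are still accepted"
    fi
    return "$rc"
}

# Build a throwaway CA, server certificate/key, DH parameters and server.conf under "$1"
# (constructed sample data standing in for easy-rsa's output). Prints the conf path.
make_sample_pki() {
    dir="$1"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=sample-ca -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj /CN=server -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.crt" 2>/dev/null
    # -dsaparam makes generation fast; 1024 bits mirrors the tutorial's dh1024.pem.
    openssl dhparam -dsaparam -out "$dir/dh1024.pem" 1024 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/server.key"
    cat > "$dir/server.conf" <<'EOF'
dev tun
ca ca.crt
;cert old-server.crt
cert server.crt
key server.key
dh dh1024.pem
EOF
    printf '%s\n' "$dir/server.conf"
}

# Usage: sh check-openvpn-pki.sh /etc/openvpn/server.conf
# With no argument a temporary sample PKI is built and checked instead.
if [ -n "$1" ]; then
    check_openvpn_pki "$1"
else
    tmp=$(mktemp -d)
    check_openvpn_pki "$(make_sample_pki "$tmp")"
    rm -rf "$tmp"
fi
```

Run it as root against /etc/openvpn/server.conf after copying the files and editing the ‘cert’ and ‘key’ options; every FAIL line is something the server will either refuse to start on or silently get wrong, and the WARN about the DH size is the reason to set KEY_SIZE higher in vars before running build-dh on a new installation.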
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
Is this the same to install in a Ubuntu box? I’ve been stuck when generating the RSA files.
grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x
Filipe Kiss: the directory in ubuntu is /etc/openvpn/easy-rsa2/
sorry I think I got that wrong.
./vars permission denied
tried it both on Ubuntu 12.04LTS x64 and Debian 7 x64
damn… I was trying to make vars executable using “-x” instead of “+x”, in any case it should be added to the tutorial.
That’s trash!
@Robin: Is there anything I can help you with?
I got stuck in sudo ./vars it says sudo: vars: command not found
you ‘. vars’ or ‘source ./vars’.
it just loads variables into the environment, it doesn’t actually execute anything, per se.
Before the configuration, don’t forget to install the pkcs15-tool included in the opensc library with this command: apt-get install opensc. And edit the file ./vars with your correct information.
And create the keys folder …
If you are logged in as root, from the folder /etc/openvpn/easy-rsa/2.0/ type the command “source ./vars” instead of ./vars …
@DigitalOcean please see @do’s @dragan’s comments.
I don’t know why this tutorial has so many bugs. Could you please fix it ?
@as: What do you mean?
In order to work with DNS you must install dnsmasq. Also need some iptables rules… Post and that part
@:/etc/openvpn/easy-rsa/2.0# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
why?
@erik.hennerfors: It’s not an error – it’s just warning you that if you run ./clean-all it will delete everything in the keys directory.
how about the firewall rules ?
Yup, what about firewall rules? I configured all as described. I can connect to my server without troubles. But internet doesn’t work - i need some forward rule for iptables.
@ozgur: @core.hor: Check out the last section of https://gist.github.com/padde/5689930#enable-routing-web-traffic-through-vpn. Let me know if that helps.
@Kamal many thanks for the link. I didn’t try it, but I found another solution that works for me:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# forwarding and masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface tun0 -j ACCEPT
# enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
i tend to agree with robin: it’s a little vague. i wasn’t able to get it to work on the server following your guide. i found this one that seems to work a little better at:
at least i was able to get the server up and running and the client kind of sorta working using its instructions. john
i have done everything but when i restart the openvpn daemon, it failed… i went and saw the daemon log and it gave this error:
Cannot open file key file ‘ta.key’: No such file or directory (errno=2)
how do i resolve this? i googled a bit it asked me generate a ta.key file… but i have no idea in which directory it lies… HELP ME!!
@sk_90_y: What’s the output of grep -ri ta /etc/openvpn/server.conf
I haven’t got this working for me when I hit the
sudo ./vars
step. It keeps asking for me to make sure I source the vars file first. I find this tutorial helpful, but there is a bit more detail here: http://www.openlogic.com/wazi/bid/188052/From-Zero-to-OpenVPN-in-30-Minutes
My VPN clients are all gentoo based, here is how to make the VPN connection start on boot (gentoo specific): http://lpig.wordpress.com/2011/02/11/gentoo-as-a-openvpn-client/
For the ./vars issue, I found a solution here, and it also works in my case.
You may want to add to the guide that vars, clean-all and build-ca are not executable. Naturally you just have to run “sudo chmod +x vars clean-all build-ca” after cd’ing to /etc/openvpn/easy-rsa/2.0/.
This might be relevant and helpful for those having issues loading the tun device / tun kernel module: modprobe tun - ERROR: could not insert ‘tun’: Unknown symbol in module
Hi, i’m getting this error when I try to start openvpn service:
To get this working with all my traffic (inc web browsing) I had to:
Edit my server.conf by uncommenting push “redirect-gateway def1 bypass-dhcp” as well as push “dhcp-option DNS <ip>” and push “dhcp-option DNS <ip>”
Install dnsmasq
Change DEFAULT_FORWARD_POLICY to ACCEPT in /etc/default/ufw
Uncomment net.ipv4.ip_forward=1 in /etc/ufw/sysctl.conf
Add the following to /etc/ufw/before.rules (very top of file):
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from wlan0 through eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
Allow 1194/udp in ufw.
Restart firewall and networking and all worked finally :|
running Debian 7 x64
cp: cannot stat ‘/usr/share/doc/openvpn/examples/easy-rsa’: No such file or directory
I’m getting this error. :/
All commands work normally except “/etc/init.d/openvpn restart”. I am using a WD MyCloud EX2Ultra and trying to install the openvpn service on it. Some commands need to be changed, like “apt-get” to “opkg”.