How To Install OpenVPN on Debian 10 (Tutorial)

Protect your browsing data: Install OpenVPN on Debian 10

There are literally lists of reasons why you might want to use a VPN, but keeping your data safe is #1 on our list.

And while there are some paid VPN services out there that are pretty easy on your wallet...

If you're trying to keep your data safe then why would you trust it to a uber-secretive company that may-or-may-not have connections to data mining operations?

Answer: You shouldn't.

Especially when it's so easy and affordable to set up your own fast VPN on your SSD Nodes VPS.

So today, we're going to show you how to install OpenVPN on Debian 10 to keep your data truly safe.

Looking for a different Linux distro? Click any of the tutorials below: 👉How to install OpenVPN on Ubuntu 18.04 👉How to install OpenVPN on Ubuntu 16.04 👉How to install OpenVPN on Centos 7

Prerequisites to install OpenVPN on Debian 10

• Two VPS running Debian 10, one to host the OpenVPN service and another to serve as your Certificate Authority (CA). It is not recommended to use your OpenVPN Server as your CA, this opens up your VPN to security vulnerabilities.
• A regular (non-root) account with sudo privileges. See our SSH keys tutorial for more information.

NOTE: If you disable password authentication while configuring these servers, you may run into difficulties when transferring files between them later on in this guide. To resolve this issue, you can re-enable password authentication on each server. Or, you can generate an SSH keypair for each server, then add the OpenVPN server’s public SSH key to the CA machine’s authorized_keys file and vice versa.

[cta_inline]

Step 1: Install OpenVPN and EasyRSA

Let’s start by updating our apt cache and installing openvpn.

$ sudo apt-get update
$ sudo apt-get install openvpn

OpenVPN uses SSL/TLS for authentication and key exchange to encrypt traffic between the server and clients. To issue trusted certificates, you will set up your simple certificate authority (CA). To do this, we will download the latest version of EasyRSA, which we will use to build our CA public key infrastructure (PKI), from the project’s official GitHub repository.

NOTE:It is recommended that you keep the CA server turned off when not being used to sign keys as a further precautionary measure.

To begin building the CA and PKI infrastructure, use wget to download the latest version of EasyRSA on both your CA machine and your OpenVPN server.

wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz

Then extract the tarball:

cd ~
tar xvf EasyRSA-unix-v3.0.6.tgz

You have successfully installed all the required software on your server and CA machine. Continue to configure the variables used by EasyRSA and to set up a CA directory, from which you will generate the keys and certificates needed for your server and clients to access the VPN.

Step 2: Set up the Certificate Authority

EasyRSA comes packaged with a configuration file that can be edited to define several variables for your CA.

On your CA machine, navigate to the EasyRSA directory:

cd ~/EasyRSA-v3.0.6/

We can utilize the easy-rsa template by making a copy of an existing vars.example file in this directory and renaming it vars:

cp vars.example vars

We need to edit some of the variables that help decide how to create the certificates. Use nano — or another favorite editor—to open the file. We’ll be editing some variables toward the end of the file.

nano vars

Find the settings that set field defaults for new certificates. It will look something like this:

#set_var EASYRSA_REQ_COUNTRY    "US"
#set_var EASYRSA_REQ_PROVINCE   "California"
#set_var EASYRSA_REQ_CITY       "San Francisco"
#set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL      "[email protected]"
#set_var EASYRSA_REQ_OU         "My Organizational Unit"

Uncomment these lines and update the highlighted values to whatever you'd prefer, but do not leave them blank:

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "NewYork"
set_var EASYRSA_REQ_CITY       "New York City"
set_var EASYRSA_REQ_ORG        "SSDNodes"
set_var EASYRSA_REQ_EMAIL      "[email protected]"
set_var EASYRSA_REQ_OU         "Marketing"

Save and close the file after editing.

Inside the EasyRSA directory is a script called easyrsa which is used to perform a variety of tasks involved with building and managing the CA. Run this script with the init-pki option to initiate the public key infrastructure on the CA server:

./easyrsa init-pki

After this, call the easyrsa script again, following it with the build-ca option. This builds the CA and creates two important files — ca.crt and ca.key — which make up the public and private sides of an SSL certificate.

If you don’t want to be prompted for a password every time you interact with your CA, you can run the build-ca command with the nopass option:

./easyrsa build-ca nopass

In the output, you’ll be asked to confirm the common name for your CA:

The common name is the name used to refer to this machine in the context of the certificate authority. You can enter any string of characters for the CA’s common name but, for simplicity’s sake, press ENTER to accept the default name.

With that, your CA is in place and it’s ready to start signing certificate