How To Install OpenVPN on Debian 10 (Tutorial)
Protect your browsing data: Install OpenVPN on Debian 10
There are literally lists of reasons why you might want to use a VPN, but keeping your data safe is #1 on our list. And while there are some paid VPN services out there that are pretty easy on your wallet, if you're trying to keep your data safe, why would you trust it to an uber-secretive company that may or may not have connections to data mining operations? Answer: You shouldn't. Especially when it's so easy and affordable to set up your own fast VPN on your SSD Nodes VPS. So today, we're going to show you how to install OpenVPN on Debian 10 to keep your data truly safe.
Prerequisites to install OpenVPN on Debian 10
- Two VPS running Debian 10, one to host the OpenVPN service and another to serve as your Certificate Authority (CA). Using your OpenVPN server as your CA is not recommended, because it opens up your VPN to security vulnerabilities.
- A regular (non-root) account with sudo privileges. See our SSH keys tutorial for more information.
Step 1: Install OpenVPN and EasyRSA
Let’s start by updating our apt cache and installing openvpn:
$ sudo apt-get update
$ sudo apt-get install openvpn
OpenVPN uses SSL/TLS for authentication and key exchange to encrypt traffic between the server and clients. To issue trusted certificates, you will set up your own simple certificate authority (CA). To do this, we will download the latest version of EasyRSA, which we will use to build our CA public key infrastructure (PKI), from the project’s official GitHub repository.
NOTE: It is recommended that you keep the CA server turned off when not being used to sign keys as a further precautionary measure.
To begin building the CA and PKI infrastructure, use wget to download the latest version of EasyRSA on both your CA machine and your OpenVPN server:
wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
Then extract the tarball:
cd ~
tar xvf EasyRSA-unix-v3.0.6.tgz
You have successfully installed all the required software on your server and CA machine. Continue to configure the variables used by EasyRSA and to set up a CA directory, from which you will generate the keys and certificates needed for your server and clients to access the VPN.
Step 2: Set up the Certificate Authority
EasyRSA comes packaged with a configuration file that can be edited to define several variables for your CA. On your CA machine, navigate to the EasyRSA directory.
We can utilize the easy-rsa template by making a copy of the existing vars.example file in this directory and renaming it vars:
cp vars.example vars
We need to edit some of the variables that help decide how to create the certificates. Use nano, or another favorite editor, to open the file. We’ll be editing some variables toward the end of the file.
Find the settings that set field defaults for new certificates. They will look something like this:
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "[email protected]"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
Uncomment these lines and update the values to whatever you'd prefer, but do not leave them blank:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "NewYork"
set_var EASYRSA_REQ_CITY "New York City"
set_var EASYRSA_REQ_ORG "SSDNodes"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "Marketing"
Save and close the file after editing. Inside the EasyRSA directory is a script called easyrsa, which is used to perform a variety of tasks involved with building and managing the CA. Run this script with the init-pki option to initiate the public key infrastructure on the CA server.
After this, call the easyrsa script again, following it with the build-ca option. This builds the CA and creates two important files, the CA certificate and ca.key, which make up the public and private sides of an SSL certificate. If you don’t want to be prompted for a password every time you interact with your CA, you can run the build-ca command with the nopass option:
./easyrsa build-ca nopass
In the output, you’ll be asked to confirm the common name for your CA. The common name is the name used to refer to this machine in the context of the certificate authority. You can enter any string of characters for the CA’s common name but, for simplicity’s sake, press ENTER to accept the default name. With that, your CA is in place and it’s ready to start signing
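The nopass option used in Step 2 leaves the CA private key unencrypted on disk. The script below is an added example, not part of the original tutorial or the EasyRSA project: it reports whether a PEM private key is passphrase-protected and whether its file permissions exclude group and other. The function names are hypothetical, and the key path you pass in (for EasyRSA 3, typically pki/private/ca.key under the EasyRSA directory) is an assumption about your layout.

```shell
#!/usr/bin/env bash
# Added example: audit a CA private key in PEM format.
# Function names are hypothetical; the key path is supplied by the caller.

# Classify the key by its PEM header lines only; key material is never parsed.
# Prints one of: encrypted | unencrypted | unknown
key_protection() {
    local key="$1"
    [ -r "$key" ] || { echo unknown; return 0; }
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo encrypted        # PKCS#8 encrypted container
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo encrypted        # legacy PEM encryption header
    elif grep -Eq -- '-----BEGIN ((RSA|EC) )?PRIVATE KEY-----' "$key"; then
        echo unencrypted      # the form a key written with nopass takes
    else
        echo unknown
    fi
}

# Succeeds only when group and other have no permission bits on the file.
# Characters 5-10 of the ls mode string are the group and other triplets.
key_mode_ok() {
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Exit status: 0 = no findings, 1 = warnings, 2 = not a readable PEM key.
audit_ca_key() {
    local key="$1" rc=0
    case "$(key_protection "$key")" in
        encrypted)   echo "OK   $key is passphrase-protected" ;;
        unencrypted) echo "WARN $key has no passphrase (nopass)"; rc=1 ;;
        *)           echo "FAIL $key is not a readable PEM private key"; rc=2 ;;
    esac
    if [ "$rc" -ne 2 ] && ! key_mode_ok "$key"; then
        echo "WARN $key is accessible to group/other; restrict it to mode 600"
        rc=1
    fi
    return "$rc"
}

# Audit the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_ca_key "$1"
fi
```

Run it on the CA machine with the key path as its only argument; a WARN on the passphrase line is expected after build-ca nopass and is a reason to keep that machine powered off between signings, as the NOTE in Step 1 recommends.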