Install OpenVPN server on Debian 9 “Stretch” Linux systems


In this article we will discuss the installation of an OpenVPN server on Linux systems in the Debian family (Debian 9 “Stretch”, Ubuntu 16.04, and higher).

A VPN, or virtual private network, is a secure method of connecting remote internet resources together as if they were on the same LAN. OpenVPN is a tool for creating private networking tunnels between remote computers/servers that are not on the same local network. This is useful if you want to remotely access services on a network or computer without making those services publicly accessible.


  • A Linux server (any member of the Debian Linux family).
  • Root access to the server.

Step 1: Installing OpenVPN Server

We will install two packages. Run the following commands as root to install easy-rsa and the OpenVPN server.

# apt-get -y update
# apt-get -y install openvpn easy-rsa

Now we need to unzip the sample server.conf file into /etc/openvpn, so run the following command:

# gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Also, we need to create a directory for holding our generated keys and certificates using the below command:

# mkdir /etc/openvpn/rsa

Finally, copy the key and certificate generation scripts into the directory as below:

# cp -rf /usr/share/easy-rsa/* /etc/openvpn/rsa

At this point we are ready to generate our keys and certificates.

Step 2: Generating Keys and Certificates

Now we need to generate our keys and certificates. Let’s go step by step.

Here you can specify the identification information for your OpenVPN server’s certificate authority, which will then be passed to client certificates. Changing these fields is optional and you can always input them manually during certificate creation, but setting them here creates less work during client cert creation. We use the vim text editor to edit the vars file:

# vim /etc/openvpn/rsa/vars

Update the following entries with your OpenVPN server data:

. . .
 # These are the default values for fields
 # which will be placed in the certificate.
 # Don't leave any of these fields blank.
 export KEY_COUNTRY="EG"
 export KEY_CITY="Kafr El Dawar"
 export KEY_ORG=""
 export KEY_EMAIL=""
 export KEY_OU="Systems Engineering"

# X509 Subject Field
 export KEY_NAME="Mohammed Semari"

As I said before, the above modifications are optional, but before we leave this file, there are two other important entries whose values you may need to change.

The first is the root CA key expiry: the default was 10 years, and I made it one year.

# In how many days should the root CA key expire?
 export CA_EXPIRE=365

Then comes the client certificate expiration date: one year is good for keeping more control over your clients.

# In how many days should certificates expire?
 export KEY_EXPIRE=365

Save and exit the vars file.

The following steps will generate the server root CA, the server certificate (optional), and the client certificate, so run all the commands below:

# cd /etc/openvpn/rsa/
# source ./vars
# ./clean-all
# ./build-ca
# ./build-key-server server
# ./build-dh
# ./build-key <client_name>

In the above commands, we sourced the changes we made in the vars file, then cleaned out any previously existing keys and certificates in the keys directory, then created the root CA, then the server certificate (which is optional, to add a more secure layer to the connection), then generated the Diffie-Hellman key exchange file (this will take some time to complete), and finally created the client key and certificate.

 1. Press ENTER for each blank field we are asked to fill, and answer y to any questions.
 2. <client_name> is your client name. Each client must have a unique, descriptive name for better control over them and for security reasons.

We need to copy the generated files into our OpenVPN directory. Run the following commands:

# cd keys
# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
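
With CA_EXPIRE and KEY_EXPIRE both set to 365, every certificate built above stops validating a year after it was issued, so expiry has to be tracked. The following is an added example, not part of the original article: the function names are hypothetical, and the demo builds throwaway certificates with openssl in place of the real ca.crt and <client_name>.crt.

```shell
#!/bin/sh
# expiring_certs DIR DAYS: print "<file> <notAfter date>" for each *.crt in
# DIR that expires within DAYS days (already-expired certificates included).
expiring_certs() {
    dir=$1
    secs=$(( $2 * 86400 ))
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        # -checkend exits non-zero when the cert expires within $secs seconds.
        if ! openssl x509 -in "$crt" -noout -checkend "$secs" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)
            printf '%s %s\n' "$(basename "$crt")" "$end"
        fi
    done
}

# make_sample_cert DIR NAME DAYS: constructed self-signed certificate used
# only as sample input; it is not produced by easy-rsa.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=constructed-$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Demo: one certificate valid for a year, one with 20 days left.
demo=$(mktemp -d)
make_sample_cert "$demo" ca 365
make_sample_cert "$demo" laptop 20
expiring_certs "$demo" 30    # lists only laptop.crt
rm -rf "$demo"
```

On the server, pointing the function at /etc/openvpn/rsa/keys from a scheduled job gives advance notice before the CA or a client certificate lapses.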

Next, for a client to connect to the OpenVPN server, it needs three of the files we generated previously (ca.crt, client.crt, client.key). It also needs a configuration file for the client software it will use to connect to the OpenVPN server; we will create this file under the name “client.ovpn”. The file contains the following entries:

dev tun
proto udp
remote <openvpn server IP> 1194
resolv-retry infinite
verb 3
ca ca.crt
cert <client_name>.crt
key <client_name>.key

Just replace the entries between < > with your server IP address and client certificate names, and send the four files to your client.

At this point we are ready to configure the OpenVPN server.

Step 3: Configuring OpenVPN

Now it’s time to configure the OpenVPN server. The configuration file is self-explanatory; each field has an explanation above it. I’ll make only the minimal changes needed for the OpenVPN server to start.
Let’s edit the configuration file:

# vim /etc/openvpn/server.conf

We need to change the dh file name to dh2048.pem, because the default Diffie-Hellman encryption length we previously generated with Easy RSA was 2048 bytes. Find the entry <dh dh1024.pem> and change it to <dh dh2048.pem>. This is a mandatory step for OpenVPN to work:

dh dh2048.pem

Next come the optional steps. We need to uncomment the push "redirect-gateway def1 bypass-dhcp" line, which tells the client to redirect all traffic through our OpenVPN server.

push "redirect-gateway def1 bypass-dhcp"

 1. This step and the 4 steps below are optional.
 2. Uncommenting redirect-gateway forces client traffic through the OpenVPN server, so your clients will be forced to follow your firewall rules and your internet usage policy. They may not be able to surf the internet while connected to your OpenVPN server.
 3. For me, I received many complaints from clients about not being able to use the internet while connected to my OpenVPN server, so I commented this entry out again. Now they can connect to my OpenVPN server and enjoy their normal use of the internet.

Next we need to provide DNS servers to the clients. This step is needed if you enabled push "redirect-gateway def1 bypass-dhcp"; otherwise leave it commented.

push "dhcp-option DNS"
push "dhcp-option DNS"

Finally, change user and group to nobody and nogroup, as mentioned in the configuration file; this is important on non-Windows systems.

user nobody
group nogroup

Save and exit the OpenVPN server configuration file.

 1. I only changed the necessary field "dh dh2048.pem"; the other five steps I made are optional.
 2. The configuration file has many important fields: you can use the tcp protocol instead of the default udp protocol, you can change the listen port, you can change the listen IP, etc.
 3. Other advanced configuration parameters depend on your needs; in this article I used the minimal configuration changes.
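
A quick way to verify the Step 3 edits before starting the service, as an added example that is not part of the original article. The function names and the sample configuration are constructed for illustration, and the checks cover only the directives discussed above.

```shell
#!/bin/sh
# Succeeds if an uncommented line in FILE ($1) matches extended regex $2.
# OpenVPN treats lines starting with '#' or ';' as comments.
active_directive() {
    grep -Ev '^[[:space:]]*[#;]' "$1" | grep -Eq "$2"
}

# Prints one finding per line; returns 0 only when there are none.
audit_server_conf() {
    conf=$1
    findings=0
    report() { printf '%s\n' "$1"; findings=$((findings + 1)); }
    # build-dh produced dh2048.pem, so a leftover dh1024.pem reference is stale.
    if active_directive "$conf" '^[[:space:]]*dh[[:space:]]+dh1024\.pem'; then
        report "DH: still references dh1024.pem, expected dh2048.pem"
    fi
    # Privilege drop after startup.
    active_directive "$conf" '^[[:space:]]*user[[:space:]]+nobody' ||
        report "PRIV: 'user nobody' is commented out or missing"
    active_directive "$conf" '^[[:space:]]*group[[:space:]]+nogroup' ||
        report "PRIV: 'group nogroup' is commented out or missing"
    # With all traffic redirected, clients also need a resolver address pushed.
    if active_directive "$conf" '^[[:space:]]*push[[:space:]]+"redirect-gateway'; then
        active_directive "$conf" \
            '^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]+[0-9A-Fa-f.:]+"' ||
            report "DNS: redirect-gateway pushed without a DNS server address"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample input (not a real server's configuration).
sample_conf() {
    cat <<'EOF'
proto udp
dh dh1024.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
;user nobody
;group nogroup
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_server_conf "$tmp" || echo "server.conf needs attention"
rm -f "$tmp"
```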

At this point we are ready to enable traffic routing to our OpenVPN server.



One Comment to Install OpenVPN server on Debian 9 “Stretch” Linux systems

  1. Anton says:

    Hi Mohammed. Thanks for the article. However I’m getting stuck on:

    root@raspberrypi:/etc/openvpn/rsa# ./build-ca
    pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
    version of openssl.cnf: /etc/openvpn/rsa/openssl.cnf
    The correct version should have a comment that says: easy-rsa version 2.x

    When I open the file /etc/openvpn/rsa/openssl.cnf, at the top there is the comment: # For use with Easy-RSA 3.0 and OpenSSL 1.0.*

    Do you have a clean solution for me?
