This is a companion discussion topic for the original entry at https://linuxconfig.org/how-to-setup-a-vpn-with-openvpn-on-debian-9-stretch-linux
Francisco de Freitas
somebody should correct the paths
/etc/openvpn/cert-auth/keys/ to /etc/openvpn/certs/keys/
pool_newbie
Although there are still a couple of typos throughout, I think this is a good how-to.
If you are having trouble getting the “openvpn@server” service to run, you probably need to check that the paths (e.g. “certs” instead of “cert-auth”) you used for the following parameters actually exist in your system:
ca
cert
key
tls-cipher
Jasper
Following this tutorial, I'm right now at the TUN TAP part, which I'm wondering about and which the tutorial does not mention a lot about: the IP address, is this the local IP address of the machine?
Tales A. Mendonça
How to configure on android? I am not getting it to work, I downloaded OpenVPN Connect, it only pings file.opnv, connects to the server, but it does not work. What about the other files?
Tales A. Mendonça
Error:
[acart tales]# systemctl start openvpn
[acart tales]# systemctl start openvpn@server
Job for openvpn@server.service failed because the control process exited with error code.
See “systemctl status openvpn@server.service” and “journalctl -xe” for details.
[acart tales]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2017-12-28 00:19:41 -02; 18s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 1694 ExecStart=/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/open
Dec 28 00:19:41 acart systemd[1]: Starting OpenVPN connection to server…
Dec 28 00:19:41 acart systemd[1]: openvpn@server.service: Control process exited, code=exited status=1
Dec 28 00:19:41 acart systemd[1]: Failed to start OpenVPN connection to server.
Dec 28 00:19:41 acart systemd[1]: openvpn@server.service: Unit entered failed state.
Dec 28 00:19:41 acart systemd[1]: openvpn@server.service: Failed with result ‘exit-code’.
lines 1-13/13 (END)
Alejandra Monroy
Also:
These paths are incorrect:
ca /etc/openvpn/cert-auth/keys/ca.crt
cert /etc/openvpn/cert-auth/keys/server.crt
key /etc/openvpn/cert-auth/keys/server.key # This file should be kept
tls-auth /etc/openvpn/cert-auth/keys/ta.key 0 # This file is secret
Corrected ones:
ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key # This file should be kept
tls-auth /etc/openvpn/certs/keys/ta.key 0 # This file is secret
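An added example, not part of any post in this thread or of the original tutorial: a shell check for the failure pool_newbie and Alejandra Monroy describe, where server.conf names files under cert-auth/ that actually live under certs/. It goes one step beyond the posts by also flagging key and tls-auth files that are readable by group or others; the function names and the sample directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial). Reports file directives in an OpenVPN
# config that point at missing files, and secrets readable by group/other.
check_ovpn_paths() {
    conf=$1
    base=$(dirname "$conf")  # assumption: relative paths resolve here (--cd)
    findings=$(
        sed 's/[#;].*//' "$conf" | while read -r directive path rest; do
            case $directive in
                ca|cert|key|dh|tls-auth) ;;
                *) continue ;;
            esac
            case $path in
                /*) ;;
                *) path=$base/$path ;;
            esac
            if [ ! -f "$path" ]; then
                echo "MISSING $directive $path"
                continue
            fi
            case $directive in
                key|tls-auth)
                    # Characters 5-10 of the ls mode string are group/other bits.
                    mode=$(ls -ld "$path" | cut -c5-10)
                    [ "$mode" = "------" ] || echo "LOOSE-PERMS $directive $path"
                    ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: files live in certs/, one directive still says cert-auth/.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/certs/keys"
    for f in ca.crt server.crt server.key; do : > "$d/certs/keys/$f"; done
    chmod 600 "$d/certs/keys/server.key"
    printf '%s\n' "ca $d/certs/keys/ca.crt" "cert $d/certs/keys/server.crt" \
        "key $d/certs/keys/server.key  # keep secret" \
        "tls-auth $d/cert-auth/keys/ta.key 0" > "$d/server.conf"
    rc=0
    check_ovpn_paths "$d/server.conf" || rc=$?
    rm -rf "$d"
    return $rc
}
demo || true
```

On a real server, `check_ovpn_paths /etc/openvpn/server.conf` run before `systemctl start openvpn@server` prints one line per problem and returns non-zero if any were found.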
zigbee
There is still an error in the section where you create the tar ball for the client.
Wrong:
# tar cJf /etc/openvpn/clients/firstclient.tar.xz -C /etc/openvpn/certs/keys ca.crt firstclient.crt firstclient.key ta.key -C /etc/openvpn/clients/client.ovpn
Correct:
# tar cJf /etc/openvpn/clients/firstclient.tar.xz -C /etc/openvpn/certs/keys ca.crt firstclient.crt firstclient.key ta.key -C /etc/openvpn/clients client.ovpn
Check at the end. There is a space missing, because tar is changing the directory with “-C” and then gets the file “client.ovpn”.
geug4UIlS4
Thank you for this very useful guide!
jc
This tutorial is riddled with mistakes.
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -- dport 1194 -j ACCEPT
(--dport, not -- dport)
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -- dport 53 -j ACCEPT
(same here)
iptables -F && iptables -X
(you just lost your ssh connection)
iptables-restore < /tmp/v6rules
(you just deleted all of your ipv4 rules, and lost your ssh connection again)
It needs to be made into a script as follows:
# Delete all existing rules
iptables -F && iptables -X
#
# set up vpn stuff
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-restore < /tmp/v4rules
ip6tables-restore < /tmp/v6rules
Just remember to enter a password if you want to and answer “Yes” to the last two questions.
(This belongs in the next section, “Create A Server Key”)
systemctl start openvpn@server
(This fails, so all of the corrections above were for nothing)
I gave up at this point
arch
Contrary to Joe, I got it working, but please go through your commands and correct the mistakes: the ip4 & ip6 restore commands are the same, there are a few spaces after dashes in your rule entries, and the DNS entry is prefixed with line numbers. But all in all it gave me a good idea of what I had to do, seeing that it’s my first “proper” install. I used the graphical “automated” install once before, but it’s a bit too mysterious for my liking - now I know where stuff is.
Mika Hanhijärvi
Well, for most of the users who are using OpenVPN at home etc., it is easier to use the graphical tools available in Debian Stretch.
E.g. on the client side, most desktop users most likely want to use Network Manager and Gnome Network settings to set up the connection to the VPN server.
Chiara ebasta
Well, but it fails to start the service at openvpn@server… and the tun interface does not exist in my ifconfig -a output (although it is in /dev/net/tun and I do modprobe tun)
Carles Pina
Hi!
I’ve followed it (doing things slightly differently on the iptables part, just because I’m used to managing iptables differently) and it all worked, thanks very much! OpenVPN server is not super easy but with this tutorial it worked well!
Cof5
Holy fk, are you kidding me? And they wonder why Mint is kicking their asses?
Dieter Maes -> Cof5
wtf you talking about? You think mint has some nice GUI for doing this the noob way? This is server stuff, hardcore linux. You’ll have to do exactly the same on mint. Also, you don’t want to run mint on a server. Too much overhead from DE, and mint is just ubuntu (which is debian based) + some modifications (that don’t even work how they are supposed to work).
Thank you very much for the tutorial. It was really helpful!