How to Setup a VPN with OpenVPN on Debian 9 Stretch Linux -

Setting up your own VPN is no small task, but there are plenty of reasons that you'd want to do it. For one, when you run your own VPN, you have complete control of it and know exactly what it's doing.
This is a companion discussion topic for the original entry at

Francisco de Freitas

somebody should correct the paths

/etc/openvpn/cert-auth/keys/ to /etc/openvpn/certs/keys/


Although there are still a couple of typos throughout, I think this is a good how-to.

If you are having trouble getting the “openvpn@server” service to run, you probably need to check that the paths (e.g. “certs” instead of “cert-auth”) you used for the following parameters actually exist in your system:



Following this tutorial, right now at the TUN TAP , the part which im wondering about, and the tutorial is not mentioning allot about, The IP adress is this the local IP adress of the machine?

Tales A. Mendonça

How to configure on android? I am not getting it to work, I downloaded OpenVPN Connect, it only pings file.opnv, connects to the server, but it does not work. What about the other files?

Tales A. Mendonça


[acart tales]# systemctl start openvpn
[acart tales]# systemctl start openvpn@server
Job for openvpn@server.service failed because the control process exited with error code.
See “systemctl status openvpn@server.service” and “journalctl -xe” for details.

[acart tales]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2017-12-28 00:19:41 -02; 18s ago
Docs: man:openvpn(8)
Process: 1694 ExecStart=/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/open

Dec 28 00:19:41 acart systemd[1]: Starting OpenVPN connection to server…
Dec 28 00:19:41 acart systemd[1]: openvpn@server.service: Control process exited, code=exited status=1
Dec 28 00:19:41 acart systemd[1]: Failed to start OpenVPN connection to server.
Dec 28 00:19:41 acart systemd[1]: openvpn@server.service: Unit entered failed state.
Dec 28 00:19:41 acart systemd[1]: openvpn@server.service: Failed with result ‘exit-code’.
lines 1-13/13 (END)

Alejandra Monroy


These paths are incorrect:

ca /etc/openvpn/cert-auth/keys/ca.crt
cert /etc/openvpn/cert-auth/keys/server.crt
key /etc/openvpn/cert-auth/keys/server.key # This file should be kept 
tls-auth /etc/openvpn/cert-auth/keys/ta.key 0 # This file is secret

Corrected ones:

ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key # This file should be kept 
tls-auth /etc/openvpn/certs/keys/ta.key 0 # This file is secret


There is still an error in the section where you create thetar ball for the client.

# tar cJf /etc/openvpn/clients/firstclient.tar.xz -C /etc/openvpn/certs/keys ca.crt firstclient.crt firstclient.key ta.key -C /etc/openvpn/clients/client.ovpn


# tar cJf /etc/openvpn/clients/firstclient.tar.xz -C /etc/openvpn/certs/keys ca.crt firstclient.crt firstclient.key ta.key -C /etc/openvpn/clients client.ovpn

Check at the end. There is a space missing. Because tar is changing the directory with “-C” and then get the file “client.ovpn”.


Thank you for these very useful guide!


This tutorial is riddled with mistakes.

-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -- dport 1194 -j ACCEPT
(–dport, not – dport)

-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -- dport 53 -j ACCEPT
(same here)

iptables -F && iptables -X
(you just lost your ssh connection)

iptables-restore < /tmp/v6rules
(you just deleted all of your ipv4 rules, and lost your ssh connection again)

It needs to be made into a script as follows:

# Delete all existing rules
iptables -F && iptables -X
# set up vpn stuff
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables-restore < /tmp/v4rules
ip6tables-restore < /tmp/v6rules

Just remember to enter a password if you want to and answer “Yes” to the last two questions.
(This belongs in the next section, “Create A Server Key”)

systemctl start openvpn@server
(This fails, so all of the corrections above were for nothing)

I gave up at this point


contrary to Joe I got it working but please go through your commands and correct the mistakes like the ip4 & ip6 restore commands is the same, there are a few spaces after dashes in your rule entries and the DNS entry is pre-fixed with line numbers but all in all it gave me a good idea of what I had to do seeing that it’s my first “proper” install. I used the graphical “automated” install once before but it’s a bit to mysterious for my liking - now I know where stuff is.

Mika Hanhijärvi

Well for the most of the users who are using OpenVPN at home etc it is easier to use graphical tools available in Debian Stretch.
E.g. in the client side most of the desktop users most likely want to use Network Manager and Gnome Network settings to set the connection to VPN server.

Chiara ebasta

well, but it fail start service at openvpn@server… and tun interface not exist in my ifconfig -a output (although it is in /dev/net/tun and i do modprobe tun)

Carles Pina


I’ve followed it (doing things slightly different on the iptables part, just because I’m used to manage iptables differently) and it all worked, thanks very much! OpenVPN server is not super easy but with this tutorial it worked well! :slight_smile:


Holy fk, are you kidding me? And they wonder why Mint is kicking their asses?

Dieter Maes -> Cof5

wtf you talking about? You think mint has some nice GUI for doing this the noob way? this is server stuff, hardcore linux. You’ll have to do exactly the same on mint. Also, you don’t want to run mint on a server. To much overhead from DE, and mint is just ubuntu (which is debian based) + some modifications (that even don’t work how they are supposed to work).

Thank you very much for the tutorial. It was really helpful!