This is a companion discussion topic for the original entry at https://linuxconfig.org/how-to-setup-a-vpn-with-openvpn-on-debian-9-stretch-linux
Francisco de Freitas
somebody should correct the paths
/etc/openvpn/cert-auth/keys/ to /etc/openvpn/certs/keys/
Although there are still a couple of typos throughout, I think this is a good how-to.
If you are having trouble getting the “openvpn@server” service to run, you probably need to check that the paths (e.g. “certs” instead of “cert-auth”) you used for the following parameters actually exist in your system:
ca cert key tls-cipher
Following this tutorial, I’m right now at the TUN/TAP part, which I’m wondering about and which the tutorial does not mention a lot about: the IP address, is this the local IP address of the machine?
Tales A. Mendonça
How to configure on android? I am not getting it to work, I downloaded OpenVPN Connect, it only pings file.opnv, connects to the server, but it does not work. What about the other files?
Tales A. Mendonça
[acart tales]# systemctl start openvpn
[acart tales]# systemctl start openvpn@server
Job for openvpn@server.service failed because the control process exited with error code.
See “systemctl status openvpn@server.service” and “journalctl -xe” for details.
[acart tales]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2017-12-28 00:19:41 -02; 18s ago
Process: 1694 ExecStart=/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/open
Dec 28 00:19:41 acart systemd: Starting OpenVPN connection to server…
Dec 28 00:19:41 acart systemd: openvpn@server.service: Control process exited, code=exited status=1
Dec 28 00:19:41 acart systemd: Failed to start OpenVPN connection to server.
Dec 28 00:19:41 acart systemd: openvpn@server.service: Unit entered failed state.
Dec 28 00:19:41 acart systemd: openvpn@server.service: Failed with result ‘exit-code’.
lines 1-13/13 (END)
These paths are incorrect:
ca /etc/openvpn/cert-auth/keys/ca.crt
cert /etc/openvpn/cert-auth/keys/server.crt
key /etc/openvpn/cert-auth/keys/server.key # This file should be kept
tls-auth /etc/openvpn/cert-auth/keys/ta.key 0 # This file is secret

ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key # This file should be kept
tls-auth /etc/openvpn/certs/keys/ta.key 0 # This file is secret
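The check the comments above keep coming back to (do the files named by ca, cert, key and tls-auth actually exist?), as an added example that is not part of any post or of the tutorial. The function name, the output labels and the owner-only expectation for secret files are assumptions; the demo config is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial): verify that the file-valued
# directives of an OpenVPN config point at readable files, and that secret
# material is not readable by group or other.

check_openvpn_paths() {
    # $1 = config file, $2 = directory for relative paths (the unit starts
    # openvpn with --cd /etc/openvpn, so relative paths resolve there)
    local conf="$1" base="${2:-/etc/openvpn}" rc=0 directive path rest mode
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|key|tls-auth|tls-crypt) ;;
            *) continue ;;              # comments, blanks, other options
        esac
        path=${path#\"}; path=${path%\"}                  # strip quotes
        [ "${path#/}" = "$path" ] && path="$base/$path"   # make absolute
        if [ ! -r "$path" ]; then
            echo "MISSING $directive $path"; rc=1; continue
        fi
        case $directive in
            key|tls-auth|tls-crypt)     # secrets: no group/other bits
                mode=$(stat -c '%a' "$path")
                if [ $(( 0$mode & 077 )) -ne 0 ]; then
                    echo "LOOSE $directive $path mode=$mode"; rc=1
                fi ;;
        esac
    done < "$conf"
    return $rc
}

# Constructed demo: the config names the "cert-auth" directory while the
# files live under "certs". Prints the checker's findings.
demo_cert_auth_typo() {
    local d out; d=$(mktemp -d)
    mkdir -p "$d/certs/keys"
    ( cd "$d/certs/keys" && touch ca.crt server.crt server.key ta.key )
    cat > "$d/server.conf" <<EOF
ca $d/cert-auth/keys/ca.crt
cert $d/cert-auth/keys/server.crt
key $d/cert-auth/keys/server.key # constructed sample
tls-auth $d/cert-auth/keys/ta.key 0
EOF
    out=$(check_openvpn_paths "$d/server.conf" "$d") || true
    rm -rf "$d"; printf '%s\n' "$out"
}
```

On a real server, run `check_openvpn_paths /etc/openvpn/server.conf /etc/openvpn` as root before starting openvpn@server; a non-zero exit status means at least one finding.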
There is still an error in the section where you create the tarball for the client.
# tar cJf /etc/openvpn/clients/firstclient.tar.xz -C /etc/openvpn/certs/keys ca.crt firstclient.crt firstclient.key ta.key -C /etc/openvpn/clients/client.ovpn
# tar cJf /etc/openvpn/clients/firstclient.tar.xz -C /etc/openvpn/certs/keys ca.crt firstclient.crt firstclient.key ta.key -C /etc/openvpn/clients client.ovpn
Check at the end. There is a space missing, because tar is changing the directory with “-C” and then gets the file “client.ovpn”.
Thank you for this very useful guide!
This tutorial is riddled with mistakes.
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -- dport 1194 -j ACCEPT
(--dport, not -- dport)
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -- dport 53 -j ACCEPT
iptables -F && iptables -X
(you just lost your ssh connection)
iptables-restore < /tmp/v6rules
(you just deleted all of your ipv4 rules, and lost your ssh connection again)
It needs to be made into a script as follows:
# Delete all existing rules
iptables -F && iptables -X
#
# set up vpn stuff
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-restore < /tmp/v4rules
ip6tables-restore < /tmp/v6rules
Just remember to enter a password if you want to and answer “Yes” to the last two questions.
(This belongs in the next section, “Create A Server Key”)
systemctl start openvpn@server
(This fails, so all of the corrections above were for nothing)
I gave up at this point
Contrary to Joe, I got it working, but please go through your commands and correct the mistakes: the ip4 & ip6 restore commands are the same, there are a few spaces after dashes in your rule entries, and the DNS entry is prefixed with line numbers. But all in all it gave me a good idea of what I had to do, seeing that it’s my first “proper” install. I used the graphical “automated” install once before, but it’s a bit too mysterious for my liking - now I know where stuff is.
Well, for most of the users who are using OpenVPN at home etc., it is easier to use the graphical tools available in Debian Stretch.
E.g. on the client side, most desktop users most likely want to use Network Manager and Gnome Network settings to set up the connection to the VPN server.
Well, but it fails to start the service at openvpn@server… and the tun interface does not exist in my ifconfig -a output (although it is in /dev/net/tun and I do modprobe tun)
I’ve followed it (doing things slightly differently on the iptables part, just because I’m used to managing iptables differently) and it all worked, thanks very much! OpenVPN server is not super easy but with this tutorial it worked well!
Holy fk, are you kidding me? And they wonder why Mint is kicking their asses?
Dieter Maes -> Cof5
Wtf are you talking about? You think mint has some nice GUI for doing this the noob way? This is server stuff, hardcore linux. You’ll have to do exactly the same on mint. Also, you don’t want to run mint on a server. Too much overhead from the DE, and mint is just ubuntu (which is debian based) + some modifications (that don’t even work how they are supposed to work).