{"id":18890,"date":"2023-10-03T22:30:10","date_gmt":"2023-10-03T19:30:10","guid":{"rendered":"https:\/\/kifarunix.com\/?p=18890"},"modified":"2024-03-10T11:45:14","modified_gmt":"2024-03-10T08:45:14","slug":"step-by-step-guide-to-install-and-setup-openvpn-server-on-debian-12","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/step-by-step-guide-to-install-and-setup-openvpn-server-on-debian-12\/","title":{"rendered":"Step-by-Step Guide to Install and Setup OpenVPN Server on Debian 12"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"988\" height=\"550\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn.png\" alt=\"Install and Setup OpenVPN Server on Debian 12\" class=\"wp-image-12795\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn.png 988w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn-768x428.png 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn-150x84.png 150w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn-300x167.png 300w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn-696x387.png 696w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn-754x420.png 754w\" sizes=\"(max-width: 988px) 100vw, 988px\" \/><\/figure>\n\n\n\n<p>In this guide, we are going to learn how to install and setup OpenVPN Server on Debian 12.&nbsp;<a href=\"https:\/\/openvpn.net\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenVPN<\/a>&nbsp;is a robust and highly flexible open-source VPN software that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. 
It lets you extend a private network across a public network, access remote sites and make secure point-to-point connections, while maintaining the security that would be achieved in a private network.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-open-vpn-server-on-debian-12\">Installing OpenVPN Server on Debian 12<\/a><ul><li><a href=\"#run-system-update\">Run system update<\/a><\/li><li><a href=\"#install-open-vpn-on-debian-12\">Install OpenVPN on Debian 12<\/a><\/li><li><a href=\"#install-easy-rsa-ca-utility-on-debian-12\">Install Easy-RSA CA Utility on Debian 12<\/a><\/li><li><a href=\"#create-open-vpn-public-key-infrastructure\">Create OpenVPN Public Key Infrastructure<\/a><ul><li><a href=\"#generate-the-certificate-authority-ca-certificate-and-key\">Generate the Certificate Authority (CA) Certificate and Key<\/a><\/li><li><a href=\"#generate-diffie-hellman-parameters\">Generate Diffie Hellman Parameters<\/a><\/li><\/ul><\/li><li><a href=\"#generate-open-vpn-server-certificate-and-key\">Generate OpenVPN Server Certificate and Key<\/a><\/li><li><a href=\"#generate-hash-based-message-authentication-code-hmac-key\">Generate Hash-based Message Authentication Code (HMAC) key<\/a><\/li><li><a href=\"#generate-open-vpn-revocation-certificate\">Generate OpenVPN Revocation Certificate<\/a><\/li><li><a href=\"#copy-server-certificates-and-keys-to-server-config-directory\">Copy Server Certificates and Keys to Server Config Directory<\/a><\/li><li><a href=\"#generate-open-vpn-client-certificates-and-keys\">Generate OpenVPN Client Certificates and Keys<\/a><\/li><li><a href=\"#copy-client-certificates-and-keys-to-client-directory\">Copy Client Certificates and Keys to Client Directory<\/a><\/li><li><a href=\"#configure-open-vpn-server-on-debian-12\">Configure OpenVPN Server on Debian 12<\/a><\/li><li><a href=\"#configure-open-vpn-ip-forwarding\">Configure OpenVPN IP Forwarding<\/a><ul><li><a href=\"#allow-open-vpn-service-port-through-firewall\">Allow OpenVPN service port through firewall<\/a><\/li><\/ul><\/li><li><a href=\"#configure-ip-masquerading-on-ufw\">Configure IP Masquerading on UFW<\/a><\/li><li><a href=\"#configure-ip-masquerading-on-i-ptables\">Configure IP Masquerading on IPtables<\/a><\/li><li><a href=\"#running-open-vpn-server-on-debian-12\">Running OpenVPN Server on Debian 12<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-open-vpn-server-on-debian-12\">Installing OpenVPN Server on Debian 12<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"run-system-update\">Run system update<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">apt update<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-open-vpn-on-debian-12\">Install OpenVPN on Debian 12<\/h3>\n\n\n\n<p>The OpenVPN package is available in the default Debian 12 repositories. Thus, the installation is as simple as running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">apt install openvpn<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-easy-rsa-ca-utility-on-debian-12\">Install Easy-RSA CA Utility on Debian 12<\/h3>\n\n\n\n<p>The Easy-RSA package provides utilities for generating the SSL key pairs that are used to secure VPN connections.<\/p>\n\n\n\n<p>It is installed along with the OpenVPN package above. If it is not installed, run the command below to install it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">apt install easy-rsa<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-vpn-public-key-infrastructure\">Create OpenVPN Public Key Infrastructure<\/h3>\n\n\n\n<p>Once you have installed easy-rsa, you need to initialize the OpenVPN PKI. 
The PKI consists of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a public key and private key for the server and each client<\/li>\n\n\n\n<li>a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.<\/li>\n<\/ul>\n\n\n\n<p>Before you can proceed, copy the easy-rsa configuration directory to a different location to ensure that future OpenVPN package upgrades won\u2019t overwrite your modifications.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cp -r \/usr\/share\/easy-rsa \/etc\/<\/pre>\n\n\n\n<p>Next, initialize the PKI.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/etc\/easy-rsa\/<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/easyrsa init-pki<\/pre>\n\n\n\n<p>Once the PKI is initialized, <code><strong>\/etc\/easy-rsa\/pki<\/strong><\/code> is created.<\/p>\n\n\n\n<p>Sample output of the command above;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>* Notice:\n\n  init-pki complete; you may now create a CA or requests.\n\n  Your newly created PKI dir is:\n  * \/etc\/easy-rsa\/pki\n\n* Notice:\n  IMPORTANT: Easy-RSA 'vars' file has now been moved to your PKI above.\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"generate-the-certificate-authority-ca-certificate-and-key\">Generate the Certificate Authority (CA) Certificate and Key<\/h4>\n\n\n\n<p>Next, generate the CA certificate and key for signing the OpenVPN server and client certificates.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/etc\/easy-rsa\/<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/easyrsa build-ca<\/code><\/pre>\n\n\n\n<p>This will prompt you for the CA key and PEM pass phrase and the server common name.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>* Notice:\nUsing Easy-RSA configuration from: \/etc\/easy-rsa\/pki\/vars\n\n* Notice:\nUsing SSL: openssl OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)\n\n\nEnter New CA Key Passphrase: \nRe-Enter New CA Key Passphrase: \nUsing 
configuration from \/etc\/easy-rsa\/pki\/6873accc\/temp.a174efe7\n.+...+.........+........+....+..............+.+...+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..+....+...........+.+.....+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.......+..+...+.+....................+....+..+.+.....+.........+.+...+..............+..........+..+.........+....+.....+.....................+..........+..+...+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n...+.+..+.+..+.........+.....................+...+....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+.......+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*............+.............+............+..+.+..+.......+.....+...............+.+..+....+...............+...............+........+......+.......+...+...........+...............+.............+...+...+...........+..........+.....+.+............+..+......+....+......+.....+...+....+...+..................+.....+.+........+.+......+...+..+.+........+.......+..+...+...+.........+.......+......+........+..........+.................+....+...+...............+..+....+.....+.........+..........+...........+....+..+.+........+............+.......+..+....+.....+.......+............+..+.+........+............+.........+..........+.........+.........+.....+.+..+............+.......+...+...+.....+....+........+.+......+.....+.........+....+..+.........+....+..+....+.........+..+.+..+............+...+.......+..............+.........+.+.....+.+.....+...+.+......+...+.......................+.......+..+.+..+.......+..................+.....+.+..+...+....+..+...+.......+......+...+..+..........+.....+.......+...+........+.........+...+....+.....+...+.+......+...+...+..+...+...+..........+...........+....+..+...............+....+...+..+.+...+.....+.....................+....+..+....+......+.........+...+..+...+.+...............+.........+..+.+..+......+.......+.....
...+.........+..........+.....................+.....+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\nEnter PEM pass phrase:\nVerifying - Enter PEM pass phrase:\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCommon Name (eg: your user, host, or server name) [Easy-RSA CA]:\n\n* Notice:\n\nCA creation complete and you may now import and sign cert requests.\nYour new CA certificate file for publishing is at:\n\/etc\/easy-rsa\/pki\/ca.crt\n<\/code><\/pre>\n\n\n\n<p>The CA certificate is generated and stored at&nbsp;<code>\/etc\/easy-rsa\/pki\/ca.crt<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"generate-diffie-hellman-parameters\">Generate Diffie Hellman Parameters<\/h4>\n\n\n\n<p>Generate Diffie-Hellman keys used for key exchange during the TLS handshake between OpenVPN server and the connecting clients. 
This command has to be executed within the Easy-RSA directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/easyrsa gen-dh<\/pre>\n\n\n\n<p>DH parameters of size 2048 are created at <code><strong>\/etc\/easy-rsa\/pki\/dh.pem<\/strong><\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generate-open-vpn-server-certificate-and-key\">Generate OpenVPN Server Certificate and Key<\/h3>\n\n\n\n<p>To generate a certificate and private key for the OpenVPN server, run the commands below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/etc\/easy-rsa<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/easyrsa build-server-full server nopass<\/pre>\n\n\n\n<p>Enter the CA passphrase created above to generate the certificates and keys.<\/p>\n\n\n\n<p>The <strong><code>nopass<\/code><\/strong> option&nbsp;disables the use of a passphrase on the generated private key.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>* Notice:\nUsing Easy-RSA configuration from: \/etc\/easy-rsa\/pki\/vars\n\n* Notice:\nUsing SSL: openssl OpenSSL 3.0.9 30 May 
2023)\n\n.+......+.....+....+..+...+.+.....+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+........+.......+..+....+.....+.+...............+...+..+.+..+.+...........+.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+...+...+.........+...+......+.......+...+.....+..........+......+...+......+......+........+......+......+.+...+.....+............+....+...+...........+....+...+..............+....+..+............+.+..............+............+.+.........+.....+.+..+.+............+..................+..+...............+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n.....+.+.....+...+.+.........+..+......+.......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+...............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.+...+..+.........+.+.....+...+...+...+.........+.............+........+......+..........+.....+......+...+.+........+............+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n-----\n* Notice:\n\nKeypair and certificate request completed. Your files are:\nreq: \/etc\/easy-rsa\/pki\/reqs\/server.req\nkey: \/etc\/easy-rsa\/pki\/private\/server.key\n\n\nYou are about to sign the following certificate.\nPlease check over the details shown below for accuracy. Note that this request\nhas not been cryptographically verified. 
Please be sure it came from a trusted\nsource or that you have verified the request checksum with the sender.\n\nRequest subject, to be signed as a server certificate for 825 days:\n\nsubject=\n    commonName                = server\n\n\nType the word 'yes' to continue, or any other input to abort.\n  Confirm request details: yes\n\nUsing configuration from \/etc\/easy-rsa\/pki\/06ebef0a\/temp.ba6f7433\nEnter pass phrase for \/etc\/easy-rsa\/pki\/private\/ca.key:\n40A725DB857F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:..\/crypto\/conf\/conf_lib.c:315:group=<NULL> name=unique_subject\nCheck that the request matches the signature\nSignature ok\nThe Subject's Distinguished Name is as follows\ncommonName            :ASN.1 12:'server'\nCertificate is to be certified until Jan  5 18:30:06 2026 GMT (825 days)\n\nWrite out database with 1 new entries\nData Base Updated\n\n* Notice:\nCertificate created at: \/etc\/easy-rsa\/pki\/issued\/server.crt\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generate-hash-based-message-authentication-code-hmac-key\">Generate Hash-based Message Authentication Code (HMAC) key<\/h3>\n\n\n\n<p>The TLS\/SSL pre-shared authentication key is used as an additional HMAC signature on all SSL\/TLS handshake packets to avoid DoS attacks and UDP port flooding. It can be generated using the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">openvpn --genkey secret \/etc\/easy-rsa\/pki\/ta.key<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generate-open-vpn-revocation-certificate\">Generate OpenVPN Revocation Certificate<\/h3>\n\n\n\n<p>To invalidate a previously signed certificate, you need to generate a revocation certificate. 
Run the script within the Easy-RSA directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/easyrsa gen-crl<\/pre>\n\n\n\n<p>The revocation certificate is generated and stored at&nbsp;<code>\/etc\/easy-rsa\/pki\/crl.pem<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"copy-server-certificates-and-keys-to-server-config-directory\">Copy Server Certificates and Keys to Server Config Directory<\/h3>\n\n\n\n<p>Copy all the generated server certificates\/keys to the OpenVPN server configuration directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,dh.pem,ta.key,crl.pem,issued,private} \/etc\/openvpn\/server\/<\/pre>\n\n\n\n<p>Note that the <code>private<\/code> directory also holds the CA key, <code>ca.key<\/code>; on a production deployment, keep the CA and its key off the VPN server so that a compromise of the server cannot be used to issue new client certificates.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generate-open-vpn-client-certificates-and-keys\">Generate OpenVPN Client Certificates and Keys<\/h3>\n\n\n\n<p>OpenVPN client certificates and private keys can be generated as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/etc\/easy-rsa<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/easyrsa build-client-full &lt;username&gt; nopass<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>where&nbsp;<strong>&lt;username&gt;<\/strong>&nbsp;is the name of the client for which the certificate and key are generated.<\/li>\n\n\n\n<li>Always use a unique common name for each client that you generate a certificate and key for.<\/li>\n<\/ul>\n\n\n\n<p>For example, to generate the VPN client certificate for the user gentoo;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/easyrsa build-client-full gentoo nopass<\/code><\/pre>\n\n\n\n<p>To generate one for another client;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/easyrsa build-client-full janedoe nopass<\/pre>\n\n\n\n<p>You can see how to use the <code>easyrsa<\/code> command with <code><strong>.\/easyrsa --help<\/strong><\/code>.<\/p>\n\n\n\n<p>The certificate files will be placed under the <strong><code>\/etc\/easy-rsa\/pki\/issued<\/code><\/strong> directory for each user.<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\" id=\"copy-client-certificates-and-keys-to-client-directory\">Copy Client Certificates and Keys to Client Directory<\/h3>\n\n\n\n<p>Create the OpenVPN client directories. For example, we have generated certificate and key files for two clients, gentoo and janedoe, hence we create the directories as;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mkdir \/etc\/openvpn\/client\/{gentoo,janedoe}<\/pre>\n\n\n\n<p>After that, copy the generated client certificates\/keys and the server CA certificate to the OpenVPN client configuration directory. You can<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,issued\/gentoo.crt,private\/gentoo.key} \/etc\/openvpn\/client\/gentoo<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,issued\/janedoe.crt,private\/janedoe.key} \/etc\/openvpn\/client\/janedoe\/<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-vpn-server-on-debian-12\">Configure OpenVPN Server on Debian 12<\/h3>\n\n\n\n<p>The next step is to configure the OpenVPN server.<\/p>\n\n\n\n<p>Copy the sample OpenVPN server configuration to the <code>\/etc\/openvpn\/server<\/code> directory as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf \/etc\/openvpn\/server\/<\/pre>\n\n\n\n<p>Open the configuration and modify it to suit your needs.<\/p>\n\n\n\n<p>The configuration is heavily commented to help you understand how the various options are used.<\/p>\n\n\n\n<p>This is what <strong>our updated<\/strong> configuration looks like with the comments stripped.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grep -vE \"^$|^#|^;\" \/etc\/openvpn\/server\/server.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>port 1194\nproto udp4\ndev tun\nca ca.crt\ncert issued\/server.crt\nkey private\/server.key  # This file should be kept secret\ndh dh.pem \ntopology subnet\nserver 172.16.20.0 
255.255.255.0\nifconfig-pool-persist \/var\/log\/openvpn\/ipp.txt\npush \"redirect-gateway def1 bypass-dhcp\"\npush \"dhcp-option DNS 9.9.9.9\"\npush \"dhcp-option DNS 8.8.8.8\"\nclient-to-client\nkeepalive 10 120\ntls-auth ta.key 0 # This file is secret\ncipher AES-256-CBC\npersist-key\npersist-tun\nstatus \/var\/log\/openvpn\/openvpn-status.log\nlog-append  \/var\/log\/openvpn\/openvpn.log\nverb 3\nexplicit-exit-notify 1\nauth SHA512\n<\/code><\/pre>\n\n\n\n<p>Save and exit the config once done editing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-vpn-ip-forwarding\">Configure OpenVPN IP Forwarding<\/h3>\n\n\n\n<p>To ensure that traffic from the client is routed through the OpenVPN server&#8217;s IP address (which helps mask the client IP address), you need to enable IP forwarding on the OpenVPN server.<\/p>\n\n\n\n<p>Uncomment the line <code><strong>net.ipv4.ip_forward=1<\/strong><\/code> in <code><strong>\/etc\/sysctl.conf<\/strong><\/code> to enable packet forwarding for IPv4;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sed -i 's\/#net.ipv4.ip_forward=1\/net.ipv4.ip_forward=1\/' \/etc\/sysctl.conf<\/pre>\n\n\n\n<p>Apply the changes without rebooting the server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sysctl -p<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"allow-open-vpn-service-port-through-firewall\">Allow OpenVPN service port through firewall<\/h4>\n\n\n\n<p>If you are using UFW, then;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ufw allow 1194\/udp<\/pre>\n\n\n\n<p>You can also limit connections to specific sources only;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow from &lt;source&gt; to any port 1194 proto udp comment \"Allow VPN\"<\/code><\/pre>\n\n\n\n<p>or iptables;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -p udp --dport 1194 -j ACCEPT<\/code><\/pre>\n\n\n\n<p>Make a backup of the old rules and save the changes. Ensure you have the <strong><code>iptables-persistent<\/code><\/strong> package installed to save the changes.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/etc\/iptables\/rules.v4{,.old}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables-save &gt; \/etc\/iptables\/rules.v4<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-ip-masquerading-on-ufw\">Configure IP Masquerading on UFW<\/h3>\n\n\n\n<p>Find the default interface through which your packets are sent.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ip route get 8.8.8.8<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>8.8.8.8 via 10.0.2.2 dev <strong>enp0s3<\/strong> src 10.0.2.15 uid 0<\/code><\/pre>\n\n\n\n<p>Next, update the UFW rules;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/ufw\/before.rules<\/code><\/pre>\n\n\n\n<p>Add the following highlighted lines just before the <strong><code>*filter<\/code><\/strong> table settings. Note that the interface used should match the interface name found above.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n<strong>*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 172.16.20.0\/24 -o enp0s3 -j MASQUERADE\nCOMMIT<\/strong>\n# Don't delete these required lines, otherwise there will be errors\n*filter\n...<\/code><\/pre>\n\n\n\n<p>Save and exit the config.<\/p>\n\n\n\n<p>Enable UFW packet forwarding;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sed -i 's\/DEFAULT_FORWARD_POLICY=\"DROP\"\/DEFAULT_FORWARD_POLICY=\"ACCEPT\"\/' \/etc\/default\/ufw<\/code><\/pre>\n\n\n\n<p>Reload UFW;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw reload<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-ip-masquerading-on-i-ptables\">Configure IP Masquerading on IPtables<\/h3>\n\n\n\n<p>If using iptables, enable masquerading;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -t nat -A POSTROUTING -s 172.16.20.0\/24 -o enp0s3 -j MASQUERADE<\/code><\/pre>\n\n\n\n<p>Save the rules with <code>iptables-save<\/code> as you did above!<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\" id=\"running-open-vpn-server-on-debian-12\">Running OpenVPN Server on Debian 12<\/h3>\n\n\n\n<p>Start and enable OpenVPN server to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl enable --now openvpn-server@server<\/pre>\n\n\n\n<p>Checking the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl status openvpn-server@server<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf openvpn-server@server.service - OpenVPN service for server\n     Loaded: loaded (\/lib\/systemd\/system\/openvpn-server@.service; enabled; preset: enabled)\n     Active: active (running) since Tue 2023-10-03 15:20:57 EDT; 8s ago\n       Docs: man:openvpn(8)\n             https:\/\/community.openvpn.net\/openvpn\/wiki\/Openvpn24ManPage\n             https:\/\/community.openvpn.net\/openvpn\/wiki\/HOWTO\n   Main PID: 2798 (openvpn)\n     Status: \"Initialization Sequence Completed\"\n      Tasks: 1 (limit: 2304)\n     Memory: 1.4M\n        CPU: 20ms\n     CGroup: \/system.slice\/system-openvpn\\x2dserver.slice\/openvpn-server@server.service\n             \u2514\u25002798 \/usr\/sbin\/openvpn --status \/run\/openvpn-server\/status-server.log --status-version 2 --suppress-timestamps --config server.conf\n\nOct 03 15:20:57 debian systemd[1]: Starting openvpn-server@server.service - OpenVPN service for server...\nOct 03 15:20:57 debian systemd[1]: Started openvpn-server@server.service - OpenVPN service for server.\n<\/code><\/pre>\n\n\n\n<p>When OpenVPN service runs, it will create a tunnelling interface, tun0;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ip add s<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500\n    link\/none \n    inet 172.16.20.1\/24 scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::49e1:76ac:b0b0:33b7\/64 scope link stable-privacy \n       valid_lft forever 
preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p>Also, be sure to check the logs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tail \/var\/log\/openvpn\/openvpn.log<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>net_iface_mtu_set: mtu 1500 for tun0\nnet_iface_up: set tun0 up\nnet_addr_v4_add: 172.16.20.1\/24 dev tun0\nSocket Buffers: R=[212992->212992] S=[212992->212992]\nUDPv4 link local (bound): [AF_INET][undef]:1194\nUDPv4 link remote: [AF_UNSPEC]\nMULTI: multi_init called, r=256 v=256\nIFCONFIG POOL IPv4: base=172.16.20.2 size=253\nIFCONFIG POOL LIST\n<strong>Initialization Sequence Completed<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Magnificent. The OpenVPN server is now ready. That marks the end of our guide on installing OpenVPN Server on Debian 12.<\/p>\n\n\n\n<p>You can now install and configure your <a href=\"https:\/\/kifarunix.com\/?s=openvpn+clients\" target=\"_blank\" rel=\"noreferrer noopener\">OpenVPN clients<\/a> accordingly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to install and setup OpenVPN Server on Debian 12.&nbsp;OpenVPN&nbsp;is a robust and highly flexible open-source 
VPN<\/p>\n","protected":false},"author":10,"featured_media":12795,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,282,34,321],"tags":[7252,7253,7251],"class_list":["post-18890","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-openvpn","category-security","category-vpn","tag-debian-12-openvpn-setup","tag-install-openvpn-on-debian-12","tag-setup-openvpn-server-debian-12","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18890"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=18890"}],"version-history":[{"count":8,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18890\/revisions"}],"predecessor-version":[{"id":20867,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18890\/revisions\/20867"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12795"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=18890"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=18890"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=18890"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}