Install openvpn on Debian OVH VPS

This post will show you how to install an OpenVPN server on your OVH VPS.

It uses a self-signed certificate authority and issues a separate certificate to each allowed user.

# AS ROOT
apt-get install openvpn openssl
mkdir /root/easy-rsa/ 
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /root/easy-rsa/
cd /root/easy-rsa/

Modify “./vars”:

export KEY_SIZE=1024
export KEY_COUNTRY="FR" 
export KEY_PROVINCE="FR" 
export KEY_CITY="Anywhere" 
export KEY_ORG="domain.do" 
export KEY_EMAIL="[email protected]"
export [email protected]
# AS ROOT
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key client
openvpn --genkey --secret /root/easy-rsa/keys/ta.key
mkdir -p /etc/openvpn/certs/
cp /root/easy-rsa/keys/{ca.{crt,key},server.{crt,key},ta.key,dh1024.pem} /etc/openvpn/certs/

Create “/etc/openvpn/server.conf” with the following content:

mode server
proto tcp
port 443
dev tun

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh1024.pem
tls-auth /etc/openvpn/certs/ta.key 0
cipher AES-256-CBC

server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 4.4.4.4"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120

user nobody
group nogroup
persist-key
persist-tun
comp-lzo

verb 3
mute 20
status openvpn-status.log
;log-append /var/log/openvpn.log

Modify “/etc/sysctl.conf” and uncomment or add:

net.ipv4.ip_forward=1
# AS ROOT
sysctl -p
iptables -I FORWARD -i tun0 -j ACCEPT 
iptables -I FORWARD -o tun0 -j ACCEPT 
iptables -I OUTPUT -o tun0 -j ACCEPT 
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT 
iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
sh -c "iptables-save > /etc/iptables.rules"

Modify “/etc/network/interfaces.tail” and add:

pre-up iptables-restore < /etc/iptables.rules
# AS ROOT
/etc/init.d/openvpn restart
update-rc.d -f openvpn defaults

Files needed by each entity:

  • Server : ca.crt, ca.key, server.crt, server.key, ta.key, dh1024.pem
  • Clients : ca.crt, client.crt, client.key, ta.key
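Before restarting the service it is worth confirming that every file server.conf points at is actually in place and that the secret material is readable by root only. The POSIX shell function below is an added example, not code from the original post: `check_openvpn_conf` (a name chosen here) parses the ca/cert/key/dh/tls-auth directives of a server.conf, checks that each file exists and that the key and tls-auth files have no group/other permission bits, and warns if ca.key sits beside the server key, since the running server never reads it.

```shell
#!/bin/sh
# Added pre-flight check for the server.conf above (example code, not from the
# original post). It reads the paths that server.conf hands to OpenVPN
# (ca, cert, key, dh, tls-auth), confirms each file exists, and confirms the
# secret material (key, tls-auth) is readable by its owner only.
# Returns 0 when every check passes, 1 otherwise.
check_openvpn_conf() {
    conf="$1"
    rc=0
    for directive in ca cert key dh tls-auth; do
        # The path is the directive's first argument; tls-auth also carries a
        # key-direction flag (0 on the server) that is ignored here.
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "FAIL: no '$directive' directive in $conf"
            rc=1
            continue
        fi
        if [ ! -f "$path" ]; then
            echo "FAIL: '$directive' points at missing file $path"
            rc=1
            continue
        fi
        case "$directive" in
            key|tls-auth)
                # Characters 5-10 of 'ls -l' are the group and other bits;
                # anything but "------" means non-owners can read the key.
                if [ "$(ls -l "$path" | cut -c5-10)" != "------" ]; then
                    echo "FAIL: $path is readable by group/others (expected mode 0600)"
                    rc=1
                fi
                ;;
        esac
    done
    # server.conf never references ca.key: the server needs only ca.crt, and
    # the CA key is used only when signing a new client certificate.
    keydir=$(dirname "$(awk '$1 == "key" { print $2; exit }' "$conf")")
    if [ -f "$keydir/ca.key" ]; then
        echo "WARN: $keydir/ca.key sits beside the server key but is not needed to run the server"
    fi
    [ "$rc" -eq 0 ] && echo "OK: all referenced files present, key files are owner-only"
    return "$rc"
}
# Usage: sh check_openvpn_conf.sh /etc/openvpn/server.conf
if [ "$#" -gt 0 ]; then
    check_openvpn_conf "$1"
fi
```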
