How to Install and Configure a VPN Server (OpenVPN) on Debian 12 Bookworm

This guide provides a step-by-step process to install and configure an OpenVPN server on Debian 12 Bookworm, ensuring secure communication over the internet.

In today’s digital environment, ensuring secure communication over the internet is more important than ever. Whether you’re managing remote access for employees, securing your own browsing activity, or just learning about VPN technology, setting up a Virtual Private Network (VPN) server can be a powerful solution. One of the most popular open-source VPN solutions is OpenVPN, known for its strong encryption, flexibility, and community support.

In this guide, we will walk through the process of installing and configuring an OpenVPN server on Debian 12 “Bookworm”. This tutorial assumes you have basic knowledge of Linux and a fresh instance of Debian 12 with root or sudo access.


Prerequisites

Before diving into the installation process, ensure the following:

  • A Debian 12 Bookworm server with a public IP address
  • A regular user account with sudo privileges
  • UFW (Uncomplicated Firewall) or similar firewall (optional but recommended)
  • Basic networking knowledge

Step 1: Update Your System

Start by updating your system packages to ensure compatibility and security:

sudo apt update && sudo apt upgrade -y

This ensures that all the latest patches and packages are installed on your Debian 12 system.


Step 2: Install OpenVPN and Easy-RSA

OpenVPN can be installed directly from Debian’s repositories along with Easy-RSA, a utility for running a small certificate authority (CA) and issuing the X.509 certificates OpenVPN uses to authenticate the server and its clients.

sudo apt install openvpn easy-rsa -y

After installation, OpenVPN reads its server configuration from /etc/openvpn.


Step 3: Set Up the Public Key Infrastructure (PKI)

Easy-RSA allows you to create your own certificate authority (CA). Let’s begin by setting up the Easy-RSA directory:

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

Now, configure the PKI variables:

nano vars

Modify the following lines to reflect your organizational details:

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "State"
set_var EASYRSA_REQ_CITY       "City"
set_var EASYRSA_REQ_ORG        "MyCompany"
set_var EASYRSA_REQ_EMAIL      "admin@example.com"
set_var EASYRSA_REQ_OU         "MyOrganizationalUnit"

Save and exit (Ctrl + O, Enter, then Ctrl + X).

Now initialize the PKI:

./easyrsa init-pki

Build the CA:

./easyrsa build-ca

You’ll be prompted to create a password and provide a common name for the CA. The password protects the CA private key (pki/private/ca.key), which signs every server and client certificate, so choose a strong one; ideally the Easy-RSA directory lives on an administrative machine rather than on the VPN server itself.


Step 4: Generate Server Certificate, Key, and Encryption Files

Next, build the OpenVPN server certificate and key:

./easyrsa gen-req server nopass
./easyrsa sign-req server server

Now generate Diffie-Hellman parameters:

./easyrsa gen-dh

And create a pre-shared key for tls-auth, which lets the server HMAC-check incoming packets and drop unauthenticated ones before the TLS handshake even starts:

openvpn --genkey secret ta.key

(Older guides use openvpn --genkey --secret ta.key, the pre-2.5 spelling of the same command.)

Step 5: Copy the Certificates and Keys

Now, copy all the necessary files to the OpenVPN configuration directory:

sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key /etc/openvpn

Step 6: Configure the OpenVPN Server

Now, create a new server configuration file:

sudo nano /etc/openvpn/server.conf

Paste the following basic configuration:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
explicit-exit-notify 1

Save and exit the file.

A few points about this configuration:

  • push "redirect-gateway def1 bypass-dhcp" makes clients send all their traffic through the tunnel, which is what the MASQUERADE rule in /etc/ufw/before.rules and the test in Step 12 rely on; leave it out if clients should only reach the 10.8.0.0/24 network. With full tunneling you usually also want to hand clients a resolver (push "dhcp-option DNS <resolver-ip>"), otherwise their DNS queries keep going to the local network.
  • tls-auth ta.key 0 uses key direction 0 on the server; the client profile in Step 11 must use key-direction 1.
  • cipher AES-256-CBC is only the fallback for old clients. OpenVPN 2.5 and later (Debian 12 ships 2.6) negotiate the data channel cipher through data-ciphers, which defaults to the AES-GCM ciphers, so current clients end up on AES-256-GCM.


Step 7: Enable Packet Forwarding

To allow traffic to be routed through the VPN, enable IP forwarding:

sudo nano /etc/sysctl.conf

Uncomment or add the following line:

net.ipv4.ip_forward = 1

Apply the changes:

sudo sysctl -p

Step 8: Configure the Firewall (UFW)

If you’re using UFW, allow OpenVPN connections (and SSH, so you are not locked out when the firewall is enabled), then let UFW forward and masquerade VPN traffic:

sudo ufw allow 1194/udp
sudo ufw allow OpenSSH

Edit the UFW configuration file:

sudo nano /etc/ufw/before.rules

Add these lines at the top of the file (before *filter), replacing eth0 with the name of your server’s public interface (ip route show default prints it; on Debian 12 it is often a name like ens3 or enp1s0):

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

The source subnet must match the server line in server.conf (10.8.0.0 255.255.255.0, i.e. /24). Masquerading 10.0.0.0/8 instead would also NAT any other 10.x traffic the server happens to forward.

Now edit /etc/default/ufw and set:

DEFAULT_FORWARD_POLICY="ACCEPT"

Enable UFW:

sudo ufw enable
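As an added example (my own, not from the guide), the following POSIX shell script checks the two files just edited against each other: it converts the server line of server.conf to CIDR, extracts the -s argument of the MASQUERADE rule in before.rules, and reports a mismatch such as a /8 rule for a /24 subnet; it also reads the ip_forward knob. The file paths are the ones from this guide; the function names and the constructed demo files are assumptions.

```shell
#!/bin/sh
# Pre-flight check: does the UFW MASQUERADE rule cover exactly the VPN client
# subnet from server.conf, and is IPv4 forwarding on?
# Added example, not from the original guide; function names are the author's own.

# mask_to_prefix 255.255.255.0 -> 24  (dotted netmask to CIDR prefix length)
mask_to_prefix() {
    prefix=0
    seen_zero=0
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0)   bits=0 ;;
            *)   return 1 ;;                     # not a valid netmask octet
        esac
        # once any octet is short of 255, every later octet must be 0
        [ "$seen_zero" -eq 0 ] || [ "$bits" -eq 0 ] || return 1
        [ "$bits" -eq 8 ] || seen_zero=1
        prefix=$((prefix + bits))
    done
    echo "$prefix"
}

# server_cidr server.conf -> 10.8.0.0/24  (from the "server NETWORK NETMASK" line)
server_cidr() {
    line=$(grep -E '^[[:space:]]*server[[:space:]]' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    set -- $line
    [ $# -ge 3 ] || return 1
    prefix=$(mask_to_prefix "$3") || return 1
    echo "$2/$prefix"
}

# nat_source before.rules -> the -s argument of the first MASQUERADE rule
nat_source() {
    grep -E '^-A POSTROUTING .*-j MASQUERADE' "$1" \
        | sed -n 's/.*-s[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' | head -n 1
}

# check_nat_subnet server.conf before.rules -> 0 if they agree, 1 otherwise
check_nat_subnet() {
    want=$(server_cidr "$1") || { echo "no usable 'server' line in $1" >&2; return 1; }
    have=$(nat_source "$2")
    if [ "$want" = "$have" ]; then
        echo "OK: MASQUERADE rule covers VPN subnet $want"
        return 0
    fi
    echo "MISMATCH: server.conf hands out $want but before.rules masquerades '${have:-nothing}'" >&2
    return 1
}

# check_ip_forward [file] -> 0 when the kernel knob reads 1
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Usage on the server: sh vpn-preflight.sh /etc/openvpn/server.conf /etc/ufw/before.rules
# With no arguments, run against constructed copies of the guide's snippets
# carrying a deliberately wrong /8 rule, to show what a mismatch looks like.
if [ $# -eq 2 ]; then
    check_nat_subnet "$1" "$2"
    check_ip_forward && echo "OK: net.ipv4.ip_forward=1" || echo "WARN: IPv4 forwarding is off" >&2
else
    demo=$(mktemp -d)
    printf '%s\n' 'port 1194' 'server 10.8.0.0 255.255.255.0' > "$demo/server.conf"
    printf '%s\n' '*nat' '-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE' 'COMMIT' > "$demo/before.rules"
    check_nat_subnet "$demo/server.conf" "$demo/before.rules" || echo "(expected: the demo rule is deliberately wrong)"
    rm -rf "$demo"
fi
```

Run it once after editing before.rules and again after sysctl -p; a non-zero exit from check_nat_subnet means the NAT rule and the server line disagree and clients will either lose internet access or be NATed more broadly than intended.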

Step 9: Start and Enable OpenVPN Service

Enable the OpenVPN server to start on boot and launch the service:

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Check the status (if the unit failed, the reason is in /var/log/openvpn.log, the log-append path from server.conf, or in journalctl -u openvpn@server):

sudo systemctl status openvpn@server

Step 10: Generate Client Certificates

You’ll need to create a certificate for each client (one per device, so a single lost key can be revoked without affecting the others). From the Easy-RSA directory:

cd ~/openvpn-ca
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

Now copy the following files for your client (paths relative to ~/openvpn-ca):

  • pki/ca.crt
  • pki/issued/client1.crt
  • pki/private/client1.key
  • ta.key

You can securely transfer them via scp, sftp, or other secure means; client1.key is the client’s private key, so keep it off any unencrypted channel.


Step 11: Create Client Configuration File

Create a client configuration file (client1.ovpn):

client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
key-direction 1
verb 3

<ca>
# Paste contents of ca.crt here
</ca>
<cert>
# Paste contents of client1.crt here
</cert>
<key>
# Paste contents of client1.key here
</key>
<tls-auth>
# Paste contents of ta.key here
</tls-auth>

This .ovpn file can now be imported into any OpenVPN client. Because it embeds the client’s private key, treat the file itself as a secret (chmod 600, and delete it from any intermediate host once imported).
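Filling the four inline blocks by hand is error-prone, so here is an added example (my own, not from the guide) of a POSIX shell script that assembles the profile from the Easy-RSA output directory. It assumes the layout from Step 5 (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key, and ta.key in ~/openvpn-ca) and strips Easy-RSA’s human-readable preamble so that only the PEM bodies are embedded. Function names are mine.

```shell
#!/bin/sh
# Assemble a self-contained client profile from the files generated in Steps 4
# and 10. Added example, not from the original guide; it assumes the Easy-RSA
# layout used in Step 5 (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key)
# and ta.key in the same directory. Function names are the author's own.

# inline_block TAG FILE -> prints <TAG> ... </TAG> with only the PEM body of FILE.
# Easy-RSA prefixes issued certificates with a text dump and ta.key with comment
# lines; OpenVPN tolerates them, but stripping keeps the profile clean.
inline_block() {
    [ -r "$2" ] || { echo "missing or unreadable: $2" >&2; return 1; }
    printf '<%s>\n' "$1"
    sed -n '/^-----BEGIN /,/^-----END /p' "$2"
    printf '</%s>\n' "$1"
}

# build_profile SERVER_IP CLIENT_NAME [EASYRSA_DIR] -> profile on stdout
build_profile() {
    server=$1
    name=$2
    dir=${3:-$HOME/openvpn-ca}
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
key-direction 1
verb 3
EOF
    inline_block ca       "$dir/pki/ca.crt"            || return 1
    inline_block cert     "$dir/pki/issued/$name.crt"  || return 1
    inline_block key      "$dir/pki/private/$name.key" || return 1
    inline_block tls-auth "$dir/ta.key"                || return 1
}

# Usage: sh build-profile.sh YOUR_SERVER_IP client1 > client1.ovpn && chmod 600 client1.ovpn
if [ $# -ge 2 ]; then
    build_profile "$@"
else
    echo "usage: $0 SERVER_IP CLIENT_NAME [EASYRSA_DIR] > CLIENT_NAME.ovpn" >&2
fi
```

If any of the four files is missing the script stops with a non-zero exit instead of emitting a profile with an empty block, which is the failure mode that otherwise only shows up as a cryptic TLS error on the client.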


Step 12: Test the Connection

On the client device, use your OpenVPN client to import the .ovpn file and connect. If successful, all your traffic will be tunneled securely through the VPN server.

Use curl or an IP checking website to verify:

curl ifconfig.me

You should see the public IP of the VPN server.
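The curl check only tells you what the client sees. As an added example (my own, not from the guide), this POSIX shell script reads the status file enabled by the status line in server.conf (a relative path there resolves against /etc/openvpn, the unit’s working directory) and lists the clients the server currently has connected, with their tunnel address. The version-1 layout it parses is OpenVPN’s default; the function names and the constructed sample file are assumptions.

```shell
#!/bin/sh
# List the clients the server currently has connected, from the status file set
# by "status openvpn-status.log" in server.conf (default version-1 layout).
# Added example, not from the original guide; function names are the author's own.

# connected_clients STATUS_FILE -> one tab-separated line per client:
#   common-name  real-address  virtual-ip  connected-since
connected_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { section = "clients"; next }
        /^ROUTING TABLE/       { section = "routes";  next }
        /^GLOBAL STATS/        { section = "";        next }
        /^(Updated,|Common Name,|Virtual Address,|END$)/ { next }   # headers and trailer
        section == "clients" && NF >= 5 {
            real[$1] = $2; since[$1] = $5; order[++n] = $1
        }
        # routing rows are "Virtual Address,Common Name,Real Address,Last Ref";
        # keep IPv4 rows only (tap setups also list MAC addresses here)
        section == "routes" && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { vip[$2] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                cn = order[i]
                printf "%s\t%s\t%s\t%s\n", cn, real[cn], ((cn in vip) ? vip[cn] : "-"), since[cn]
            }
        }' "$1"
}

# client_vip STATUS_FILE COMMON_NAME -> that client's tunnel address, or nothing
client_vip() {
    connected_clients "$1" | awk -F'\t' -v cn="$2" '$1 == cn { print $3 }'
}

# write_sample_status FILE -> a constructed status file (documentation-range
# addresses, not captured from a real server) for the stand-alone demo and tests
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,2024-05-01 10:00:00
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51234,12345,67890,2024-05-01 09:30:00
client2,198.51.100.7:41000,100,200,2024-05-01 09:45:00
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,client1,203.0.113.5:51234,2024-05-01 09:59:00
10.8.0.3,client2,198.51.100.7:41000,2024-05-01 09:58:00
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Usage on the server: sh vpn-clients.sh /etc/openvpn/openvpn-status.log
# With no argument, run against the constructed sample instead.
if [ $# -ge 1 ]; then
    connected_clients "$1"
else
    demo=$(mktemp) && write_sample_status "$demo" && connected_clients "$demo" && rm -f "$demo"
fi
```

A common name that appears here while the person it was issued to is not connected is the signal to revoke that certificate; the real-address column also tells you where the session came from.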


Conclusion

Setting up OpenVPN on Debian 12 Bookworm can be a robust way to secure traffic and enable private access to network resources. While the process might seem complex at first, the modular structure of Easy-RSA and OpenVPN makes management flexible and transparent.

With this guide, you’ve learned how to install, configure, and test an OpenVPN server. This foundation can be extended further with advanced configurations such as LDAP authentication, multiple client profiles, or integrating a GUI like OpenVPN Access Server or PiVPN.

For production setups, remember to regularly monitor your VPN server logs, rotate certificates when needed, and apply timely updates to your system and OpenVPN installation. Easy-RSA can also revoke a client certificate that was lost or is no longer needed (./easyrsa revoke client1, then ./easyrsa gen-crl to refresh pki/crl.pem); the server only honours the revocation list if server.conf points at it with crl-verify.