User Tools

Site Tools


OpenVPN with a 6in4 tunnel for Debian 10 (Buster)

Adapted from Quietlife wiki to reflect changes in easy-rsa distributed by Debian 10.

Server installation

Install the packages:

sudo apt install openvpn easy-rsa

Copy an example config file:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | \
sudo tee /etc/openvpn/server.conf

Some example values are used. The WAN IP addresses 111.222.333.444/32 and 2001:1:2:3:4:5:6::/64 are made up. Also, ethernet interface enp0s25 will very likely be different on your system.

Main server configuration

# Listen on UDP port 1194
port 1194
proto udp
proto udp6
# Use a tun device and push an IPv6 tunnel to clients
dev tun
# Certificate settings
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Create subnets for the clients
topology subnet
server-ipv6 2001:1:2:3:80::/112
# Have all traffic go through the VPN
push "redirect-gateway def1 bypass-dhcp"
## OpenDNS is used in this example, but anything reachable by the VPN server will work
push "dhcp-option DNS"
push "dhcp-option DNS"
# Allow direct client-to-client connections
# Ping every 10 seconds, assume disconnect after 120 seconds
keepalive 10 120
# TLS parameters
## This is the server
tls-auth ta.key 0
key-direction 0
## Use strong ciphers
cipher AES-256-CBC
auth SHA512
# Run the daemon with minimal privileges
user nobody
group nogroup
# Logging settings
status openvpn-status.log
verb 3
explicit-exit-notify 1

Networking configuration

Allow packet forwarding and enable the IPv6 neighbour detection proxy:


Load the kernel parameters:

sudo sysctl -p


If your server gets its IPv6 configuration through SLAAC, also do this:


Load the kernel parameters:

sudo sysctl -p

Force acceptance of router advertisements for the WAN ethernet interface:

# This setting is not inherited from 'all' or 'default' when the interface is already up.
# It will be inherited after the next reboot, so this only has to be done once.
sudo su -c 'echo 2 > /proc/sys/net/ipv6/conf/enp0s25/accept_ra'

Firewall rules

Allow masquerading for the OpenVPN subnet:

-A POSTROUTING -s 2001:1:2:3:80::/112 -o enp0s25 -j MASQUERADE

Don't drop forwarded packets:


Allow incoming connections on UDP port 1194 and restart the firewall:

sudo ufw allow 1194/udp
sudo ufw disable && sudo ufw enable

Setting up your own certificate authority

Create a working directory:

make-cadir openvpn-ca
cd openvpn-ca/

Fill in these variables as desired (saves time):

export KEY_COUNTRY="..."
export KEY_PROVINCE="..."
export KEY_CITY="..."
export KEY_ORG="..."
export KEY_EMAIL="..."
export KEY_OU="..."

Clean the directory:

./easyrsa init-pki

Build a certificate authority:

./easyrsa build-ca nopass

Build a server key called server:

./easyrsa build-server-full server nopass

Build a Diffie-Hellman key:

./easyrsa gen-dh

Generate a pre-shared key:

/usr/sbin/openvpn --genkey --secret pki/ta.key

Copy the generated keys to the server configuration directory:

cd pki/
sudo cp ca.crt private/ca.key issued/server.crt private/server.key ta.key dh.pem /etc/openvpn/
sudo mv /etc/openvpn/dh.pem /etc/openvpn/dh2048.pem

Restart the server:

sudo systemctl daemon-reload
sudo systemctl restart openvpn@server.service

Creating configuration files automatically

Create a working directory next to openvpn-ca:

cd ../../
mkdir -p client-configs/files/
cd client-configs/

Client configuration

Add a base configuration file for your clients:

# Specify that we are a client
# Use the same setting as you are using on the server
dev tun
# Connect to the server on UDP port 1194
proto udp
remote 1194
# Run the daemon with minimal privileges
user nobody
group nogroup
# Unset these defaults (certificates will be provided by the .ovpn file)
#ca ca.crt
#cert client.crt
#key client.key
# Use strong ciphers
cipher AES-256-CBC
auth SHA512
# This is the client
key-direction 1
# Run these scripts after connecting (sets up DNS)
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
dhcp-option DNSSEC allow-downgrade
dhcp-option DOMAIN-ROUTE .

Build script

Add a configuration build script:
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/issued/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/private/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Make it executable:

chmod 770 ./

Generating client certificates and configurations

Create and store a new password for the client, for example using pass (on your laptop):

pass generate --clip openvpn/$name-clientkey 20

Build a client certificate with password:

cd ~/openvpn-ca/
./easyrsa build-client-full $name

Create a client configuration file:

cd ../client-configs/
./ $name

The resulting configuration will be in client-configs/files/$name.ovpn

Copy this to your client with SFTP. Repeat as many times as desired.

Revoking a client certificate

Revoke the certificate:

cd ~/openvpn-ca/
./easyrsa revoke $name
./easyrsa gen-crl

Copy the revocation list to the server configuration directory:

sudo cp ./pki/crl.pem /etc/openvpn/

Make sure that the OpenVPN server configuration file contains this line:

crl-verify crl.pem

Then restart the server:

sudo systemctl restart openvpn@server

Client installation

Use the password you generated earlier (on laptop):

pass --clip openvpn/$name-clientkey

GNU/Linux (Debian)

sudo apt install network-manager-openvpn-gnome

Then simply import the .ovpn file and use the password.
For more information, see GNOME Help on Connecting to VPN (In step 5, choose Import from file).


Install and open OpenVPN for Android. Then simply import the .ovpn file and use the password.

start/openvpn-6in4.txt ยท Last modified: 2019/09/13 23:04 by justin