OpenVPN on Debian 8 (Jessie)

Update: I wrote a post how to harden OpenVPN on CentOS. It includes DoS mitigation, daemon privilege reduction, better certificate checks, enforcing use of TLS 1.2, stronger ciphers and more. The methods used to harden it can be applied to this post easily. See here:

This how-to will cover setting up a TLS-enabled OpenVPN server on Debian 8 (Jessie)
Not covered in this how-to: opening ports in the firewall.

Update the system:

apt-get update
apt-get upgrade -y

Install OpenVPN and easy-rsa:

apt-get -y install openvpn easy-rsa

Copy the easy-rsa directory for creating keys:

cp -R /usr/share/easy-rsa /etc/openvpn/

Edit the following variables in the /etc/openvpn/easy-rsa/vars file:

export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="mail@domain"
export KEY_EMAIL=mail@domain

Increase the key size to something above 3072 (4096 if you are paranoid, see:

sed -i 's/KEY_SIZE=2048/KEY_SIZE=3072/g' /etc/openvpn/easy-rsa/vars

Create the server side keys and certificates:

cd /etc/openvpn/easy-rsa/
source vars
./build-key-server server

Build the Diffie-Hellman parameters (this will take a long time, in some cases more than an hour):


Copy the server certificate, key and CA to the openvpn directory:

cd /etc/openvpn/easy-rsa/keys
cp server.crt server.key ca.crt dh3072.pem /etc/openvpn/

Copy the sample server config:

zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Edit the server config file:

sed -i -r 's/^dh (.+)/dh dh3072.pem/g' /etc/openvpn/server.conf #new dh parameter
echo 'crl-verify easy-rsa/keys/crl.pem' >> /etc/openvpn/server.conf #certificate revocation list
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf #redirect default gateway
echo 'push "dhcp-option DNS"' >> /etc/openvpn/server.conf #use google DNS
echo 'push "explicit-exit-notify 3"' >> /etc/openvpn/server.conf #send exit notification instead of timing out

OpenVPN won’t start if the CRL file doesn’t exist or is invalid, so we create a dummy client certificate and revoke it:

cd /etc/openvpn/easy-rsa/
source vars
./build-key dummy-client
./revoke-full dummy-client

Enable IPv4 forwarding:

echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/net.ipv4.ip_forward.conf
sysctl -p /etc/sysctl.d/net.ipv4.ip_forward.conf

Set up the following iptables rules:

iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT # allow traffic to the openvpn server
iptables -A FORWARD -s -j ACCEPT # allow forwarding from the vpn subnet
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # allow forwarding of related and established packets
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE # masquerade packets leaving eth0 from the vpn subnet

Note: These firewall rules will not survive a reboot unless configured to:

Enable and start the OpenVPN service:

systemctl enable openvpn@server
systemctl start openvpn@server

Note: the @server means systemd will start openvpn with the config file “server.conf”.
For multiple servers/clients use systemctl enable openvpn@server2, systemctl enable openvpn@client1, etc..

Generate a client certificate:

cd /etc/openvpn/easy-rsa/
source vars
./build-key client1

Generate a client config file that works with the Windows OpenVPN GUI client with in-line ca, cert, and key:

echo 'client
dev tun
proto udp
remote 1194
resolv-retry infinite
remote-cert-tls server
verb 3' > /etc/openvpn/client1.ovpn
echo '<ca>' >> /etc/openvpn/client1.ovpn
cat /etc/openvpn/ca.crt >> /etc/openvpn/client1.ovpn
echo '</ca>' >> /etc/openvpn/client1.ovpn
echo '<cert>' >> /etc/openvpn/client1.ovpn
cat /etc/openvpn/easy-rsa/keys/client1.crt >> /etc/openvpn/client1.ovpn
echo '</cert>' >> /etc/openvpn/client1.ovpn
echo '<key>' >> /etc/openvpn/client1.ovpn
cat /etc/openvpn/easy-rsa/keys/client1.key >> /etc/openvpn/client1.ovpn
echo '</key>' >> /etc/openvpn/client1.ovpn

Note: Make sure the client key is delivered securely (in this case it’s inline in the client config file)! No point in using strong crypto if you post the keys to pastebin…

My brain

OpenVPN on Debian 8 (Jessie)

ownCloud on Debian 8 (Jessie)

This how-to will cover setting up an instance of ownCloud on Debian 8 using MySQL as the database and the Apache webserver
Not covered in this how-to: opening ports in the firewall.

Set up the ownCloud Debian 8 repository:

echo 'deb /' >> /etc/apt/sources.list.d/owncloud.list
wget -O- | apt-key add -

Install ownCloud and its dependencies (apache2, mysql, php-* etc…):

apt-get update
apt-get -y install owncloud

Configure MySql:


(Optional) Move valid cert and key to /etc/ssl/
You can get free SSL Certificates here:

mv owncloud.crt.pem /etc/ssl/certs/
mv owncloud.key.pem /etc/ssl/private/
chown root:ssl-cert /etc/ssl/private/owncloud.key.pem
chmod 640 /etc/ssl/private/owncloud.key.pem
chown root:root /etc/ssl/certs/owncloud.crt.pem
chmod 644 /etc/ssl/certs/owncloud.crt.pem

Create a new site config with a VirtualHost:
Note: Replace the IP address and domain name with whatever domain and IP you are using.

echo '<IfModule mod_ssl.c>
		DocumentRoot /var/www/owncloud/
		ErrorLog ${APACHE_LOG_DIR}/owncloud.domain.com_error.log
		CustomLog ${APACHE_LOG_DIR}/owncloud.domain.com_access.log combined
		SSLEngine on
		SSLCertificateFile      /etc/ssl/certs/owncloud.crt.pem
		SSLCertificateKeyFile /etc/ssl/private/owncloud.key.pem
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
			SSLOptions +StdEnvVars
		<Directory /usr/lib/cgi-bin>
			SSLOptions +StdEnvVars
		BrowserMatch "MSIE [2-6]" \
			nokeepalive ssl-unclean-shutdown \
			downgrade-1.0 force-response-1.0
		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</IfModule>' > /etc/apache2/sites-available/

Enable the site, the ssl module and reload apache2:

a2enmod ssl
systemctl reload apache2.service

Note: I recommend setting up up strong SSL security on Apache.

Open ownCloud in a browser, and follow the initial setup instructions using MySQL as a database:
owncloud initial setup

ownCloud on Debian 8 (Jessie)