How To Set Up an OpenVPN Server on Debian 9

OpenVPN Whether you want to get right of entry to the Internet safely. And securely whilst linked on an untrusty public Wi-Fi community.

Bypass Geo-confined content or permit your coworkers to connect securely on your agency network. Whilst running remotely, using a VPN is the high-quality answer.

A VPN lets in you to connect to far off VPN servers, making your connection encrypted and comfortable. And surf the web anonymously by keeping your traffic data private.

There are many commercial VPN companies you can pick from. But you could in no way be certainly positive that the provider is not logging your activity.

The most secure choice is to set up your very own VPN server.

This educational will provide an explanation for the way to deploy and configure OpenVPN on Debian 9. We will even show you the way to generate clients certificate and create configuration documents

OpenVPN is a completely featured, open-source Secure Socket Layer (SSL) VPN solution. It implements OSI layer 2 or 3 secure community extension the use of the SSL/TLS protocol.


To entire this tutorial, you may need:

  • Sudo get admission to to a Debian 9 server with a fundamental UFW firewall configured on which we are able to installation the OpenVPN carrier.
  • Separate dedicated system to serve as your CA (certificate authority). If you don’t need to apply a devoted machine on your CA.
  • You could construct the CA to your OpenVPN server or your nearby machine. Once you’re finished building the CA it’s encouraged to transport the CA listing someplace cozy or offline.

This educational assumes that the CA is on a separate Debian nine machine. The equal steps (with small modifications).

Will practice in case you’re the usage of your server as a CA. We are the use of a separate CA machine to prevent attackers to infiltrate the server.

If an attacker manages to get right of entry to the CA personal key they might use it to sign new certificates. If you want to provide them access to the VPN server

Building CA with EasyRSA

The first step is to construct a Public Key Infrastructure (PKI) consisting of the following:

  • A Certificate Authority (CA) certificate and personal key.
  • A separate certificate and personal key pair for the server issued with the aid of our CA.
  • A separate certificate and private key pair for every patron issued with the aid of our CA.

As stated in the stipulations for protection motives, we’ll build the CA on a standalone machine.

We will use a CLI software named EasyRSA to create CA. Generate certificates requests and signal certificate.

Perform the following steps in your CA system:

1.Start via downloading the trendy release of EasyRSA. From the undertaking Github repository with the following wget command:

cd && wget

2.Once the down load is entire extract the archive:

tar xzf EasyRSA-unix-v3.0.6.tgz

3.Navigate to the EasyRSA directory and create a configuration file named vars by copying the vars.Instance record:

cd ~/EasyRSA-v3.0.6/cp vars.example vars

4.Open the document and uncomment and update the following entries to suit your statistics.

nano ~/EasyRSA-v3.0.6/vars


set_var EASYRSA_REQ_PROVINCE   "Pennsylvania"
set_var EASYRSA_REQ_CITY       "Pittsburgh"
set_var EASYRSA_REQ_ORG        "Linuxize"
set_var EASYRSA_REQ_EMAIL      "[email protected]"
set_var EASYRSA_REQ_OU         "Community"

5.Before generating a CA keypair first you need to initialize a new PKI with:

./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/causer/EasyRSA-v3.0.6/pki

6.The subsequent step is to build the CA:

./easyrsa build-ca

If you don’t want to be caused for a password on every occasion you signal your certificates. Run the build-ca command using the nopass alternative: ./easyrsa construct-ca nopass.

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:

You’ll be requested to set a password for the CA key and input a common name on your CA.

Once completed, the script will create two documents — CA public certificates ca.Crt and CA private key ca.Key.

We will use the Certificate Authority (CA) files to sign certificate requests for our OpenVPN server and clients.

Installing OpenVPN and EasyRSA

The subsequent step is to put in the OpenVPN package deal that’s to be had in Debian’s repositories.

And download the modern model of EasyRSA at the OpenVPN server.

The following steps are completed at the OpenVPN server.

1.OpenVPN installation is pretty honest, just run the following commands at the OpenVPN server:

sudo apt updatesudo apt install openvpn

2. Download the cutting-edge release of EasyRSA:

cd && wget

Once the down load is finished kind the following command to extract the archive:

tar xzf EasyRSA-unix-v3.0.6.tgz

Although we’ve got already initialized a PKI on the CA device, we additionally need to create a brand new PKI at the OpenVPN server. To achieve this, use the identical instructions as before:

cd ~/EasyRSA-v3.0.6/./easyrsa init-pki

If you continue to marvel why we need EasyRSA installations. It’s miles due to the fact we will use this EasyRSA example to generate certificate requests so that you can be signed the usage of the EasyRSA instance at the CA device.

It may sound complex, and little puzzling however after you study the entire tutorial you’ll see that it simply isn’t complex.

Creating Diffie-Hellman and HMAC keys

In this phase, we will generate a robust Diffie-Hellman key in order to be used throughout the important thing trade and a HMAC signature document to feature a further layer of security to the connection.

1.First navigate to the EasyRSA directory to your OpenVPN server.

cd ~/EasyRSA-v3.0.6/

2.Generate a Diffie-Hellman key:

./easyrsa gen-dh

The script will generate 2048-bit lengthy DH parameters. Depending in your device sources, the generation may also take some time. Once completed the subsequent message will be published on your screen:

DH parameters of size 2048 created at /home/serveruser/EasyRSA-v3.0.6/pki/dh.pem

Copy the dh.Pem record to the /and so forth/openvpn listing:

sudo cp ~/EasyRSA-v3.0.6/pki/dh.pem /etc/openvpn/

3. Generate a HMAC signature:

openvpn --genkey --secret ta.key

Once done copy the ta.key file to the /etc/openvpn directory:

sudo cp ~/EasyRSA-v3.0.6/ta.key /etc/openvpn/

Creating Server Certificate and Private Key

This segment describes the way to generate a personal key and certificate request for the OpenVPN server.

1.Navigate to the EasyRSA listing in your OpenVPN server and generate a brand new private key for the server and a certificates request record:

cd ~/EasyRSA-v3.0.6/./easyrsa gen-req server1 nopass

We are the usage of the nopass argument due to the fact we want to start the OpenVPN server with out a password enter. Also in this example, we’re the usage of server1 as a server call (entity) identifier.

If you pick out a specific name to your server don’t forget about to alter the instructions under in which the server call is used.

The command will create two documents, a private key (server1.Key) and a certificates request file (server1.Req).

Common Name (eg: your user, host, or server name) [server1]:

Keypair and certificate request completed. Your files are:
req: /home/serveruser/EasyRSA-v3.0.6/pki/reqs/server1.req
key: /home/serveruser/EasyRSA-v3.0.6/pki/private/server1.key

2. Copy the private key to the /etc/openvpn directory:

sudo cp ~/EasyRSA-v3.0.6/pki/private/server1.key /etc/openvpn/

3. Transfer the certificate request file to your CA machine:

scp ~/EasyRSA-v3.0.6/pki/reqs/server1.req causer@your_ca_ip:/tmp

In this example we are the use of scp to switch the report, you can also use rsync over ssh or another comfy technique.

4.Login on your CA machine, switch to the EasyRSA listing and import the certificates request report:

cd ~/EasyRSA-v3.0.6./easyrsa import-req /tmp/server1.req server1

The first argument is the course to the certificates request report and the second one is the server quick (entity) name. In our case the server call is server1.

The request has been successfully imported with a short name of: server1
You may now use this name to perform signing operations on this request.

This command just copies the request file into the pki/reqs directory.

5.While still inside the EasyRSA directory on CA machine run the following command to sign the request:

cd ~/EasyRSA-v3.0.6./easyrsa sign-req server server1

The first argument can both be server or client and the second one is the server short (entity) call.

You’ll be prompted to confirm that the request comes from a relied on supply. Type yes and press input to verify:

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

    commonName                = server1

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes

If your CA secret’s password included, you’ll be prompted to go into the password. Once confirmed the script will generate the SSL certificates and print the whole direction to it.

Certificate is to be certified until Sep 17 10:54:48 2021 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /home/causer/EasyRSA-v3.0.6/pki/issued/server1.crt

6.Next step is to transfer the signed certificate server1.Crt and ca.Crt files again in your OpenVPN server. Again you may use scp, rsync or every other cozy approach:

scp ~/EasyRSA-v3.0.6/pki/issued/server1.crt serveruser@your_server_ip:/tmpscp ~/EasyRSA-v3.0.6/pki/ca.crt serveruser@your_server_ip:/tmp

Login on your OpenVPN server, and pass the server1.Crt and ca.Crt documents into the /and so on/openvpn/ directory:

sudo mv /tmp/{server1,ca}.crt /etc/openvpn/

Upon completing the steps mentioned in this section, you should have the subsequent new documents for your OpenVPN server:

  • /etc/openvpn/ca.crt
  • /etc/openvpn/dh.pem
  • /etc/openvpn/ta.key
  • /etc/openvpn/server1.crt
  • /etc/openvpn/server1.key

Configuring the OpenVPN Service

Now that you have the server certificates signed through your CA and transferred in your OpenVPN server, it’s time to configure the OpenVPN provider.

We will use the pattern configuration report provided with OpenVPN set up bundle as a place to begin and then upload our very own custom configuration alternatives to it. Start via extracting the configuration file to the /and many others/openvpn/ listing:

sudo sh -c "gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server1.conf"

Open the file with your favorite text editor:

sudo nano /etc/openvpn/server1.conf
  • Find the Certificate, Key and DH parameters directives and alternate the record names:
cert server1.crt
key server1.key 

dh dh.pem

To redirect the customers visitors through the VPN locate and uncomment the redirect-gateway and dhcp-alternative options:

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS"
push "dhcp-option DNS"

By default OpenDNS resolvers are used. You can change it and use CloudFlare, Google or every other DNS resolvers you want.

  • Find the consumer and organization directives and uncomment these settings by way of casting off the “;” at the beginning of every line:
user nobody
group nogroup
  • Append the following line on the quit of the file. This directive will change the message authentication set of rules (HMAC) from SHA1 to SHA256
auth SHA256

Once you are done, the server configuration file (excluding comments) should look something like this:

port 1194
proto udp
dev tun
ca ca.crt
cert server1.crt
key server1.key  # This file should be kept secret
dh dh.pem
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
auth SHA256

Starting OpenVPN Service

In this academic, we’ve used server1.Conf as a configuration file. To begin the OpenVPN provider with this configuration we want to specify the configuration record name after the systemd unit document call:

On your OpenVPN server run the following command to start the OpenVPN provider:

sudo systemctl start openvpn@server1

Verify whether the service has started successfully by typing:

sudo systemctl status openvpn@server1

If the service is active and running, the output will look something like this:

[email protected] - OpenVPN connection to server1
   Loaded: loaded (/lib/systemd/system/[email protected]; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-03-19 03:49:53 PDT; 3s ago
     Docs: man:openvpn(8)
  Process: 1722 ExecStart=/usr/sbin/openvpn --daemon ovpn-server1 --status /run/openvpn/server1.status 10 --cd /etc/openvpn --config /etc/openvpn/server1.conf --writepid /run/openvpn/ (code=exited, status=0/SUCCESS)
 Main PID: 1723 (openvpn)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/system-openvpn.slice/[email protected]
           └─1723 /usr/sbin/openvpn --daemon ovpn-server1 --status /run/openvpn/server1.status 10 --cd /etc/openvpn --config /etc/openvpn/server1.conf --writepid /run/openvpn/

Enable the service to automatically start on boot with:

sudo systemctl enable openvpn@server1
Created symlink /etc/systemd/system/[email protected] → /lib/systemd/system/[email protected].
If the OpenVPN service fails to start check the logs with sudo journalctl -u openvpn@server1

When starting, the OpenVPN Server creates a tun device tun0. To verify it use the following ip command:

ip a show tun0

The output ought to look something like this:

3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet peer scope global tun0
       valid_lft forever preferred_lft forever

At this factor, your OpenVPN server is configured and walking properly.

Firewall and Server Networking Configuration

In order to ahead network packets well, we want to enable IP forwarding.

The following steps are done on the OpenVPN server.

Open the /and so forth/sysctl.Conf report and upload or uncomment the road which reads internet.Ipv4.Ip_forward = 0:

sudo nano /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4

Once you are finished, keep and near the file.

Apply the new settings by walking the subsequent command:

sudo sysctl -p
net.ipv4.ip_forward = 1

If you observed the stipulations, you should already have a UFW firewall jogging in your server.

Now we want to add firewall guidelines to allow masquerading. This will permit site visitors to depart the VPN, giving your VPN customers get entry to to the Internet.

Before adding the guidelines you need to recognise the public network interface of your Debian OpenVPN Server. You can without difficulty locate the interface by means of strolling the following command:

ip -o -4 route show to default | awk '{print $5}'

In our case, the interface is known as eth0 as shown at the output under. Your interface will likely have a one of a kind call.


By default, when the usage of UFW the forwarded packets are dropped. We’ll need to trade that and coach our firewall to allow forwarded packets.

Open the UFW configuration record, locate the DEFAULT_FORWARD_POLICY key and trade the fee from DROP to ACCEPT:

sudo nano /etc/default/ufw
# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules

Next, we want to set the default coverage for the POSTROUTING chain inside the nat desk and set the masquerade rule.

To do so, open the /etc/ufw/earlier than.Rules file and append the lines highlighted in yellow as shown beneath.

sudo nano /etc/ufw/before.rules

Don’t neglect to update eth0 inside the -A POSTROUTING line to healthy the call of public network interface you found within the preceding command. Paste the lines after the final line beginning with COMMIT.

# don't delete the 'COMMIT' line or these rules won't be processed

#NAT table rules

# Forward traffic through eth0 - Change to public network interface

# don't delete the 'COMMIT' line or these rules won't be processed

When you are performed, save and close the report.

We additionally need to open UDP traffic on port 1194 which is the default OpenVPN port. To achieve this, run the subsequent command:

sudo ufw allow 1194/udp

In case you forgot to open the SSH port, to avoid being locked out, run the following command to open the port:

sudo ufw allow OpenSSH

Finally reload the UFW regulations by using disabling and re-allowing UFW:

sudo ufw disablesudo ufw enable

To affirm the modifications run the following command to list the POSTROUTING rules:

sudo iptables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0  

Creating the Client Configuration Infrastructure

In this tutorial, we’ll create a separate SSL certificates and generate a exceptional configuration report for each VPN customer.

The patron personal key and certificate request may be generated both on the purchaser system or on the server. For simplicity, we will generate the certificate request on the server after which send it to the CA to be signed.

The entire manner of producing the patron certificate and configuration document is as follows:

1.Generate a private key and certificates request on the OpenVPN server. 2.Send the request to the CA system to be signed. 3.Copy the signed SSL certificates to the OpenVPN server and generate a configuration file. 4.Send the configuration record to the VPN patron’s system.

Start via growing a hard and fast of directories to shop the customers files:

mkdir -p ~/openvpn-clients/{configs,base,files}

Base- listing will save the base documents and configuration so as to be shared throughout all purchaser files.

Configs- directory will save the generated consumer configuration.

Files- directory will shop client-particular certificate/key pair

Copy the ca.crt and ta.key files to the ~/openvpn-clients/base directory:

cp ~/EasyRSA-v3.0.6/ta.key ~/openvpn-clients/base/cp /etc/openvpn/ca.crt ~/openvpn-clients/base/

Next copy the pattern VPN client configuration document into the client-~/openvpn-clients/base directory. We will use this file as a base configuration:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/openvpn-clients/base/

Now we need to edit the document to match our server settings and configuration. Open the configuration document with your text editor:

nano ~/openvpn-clients/base/client.conf

Find the faraway directive and trade the default placeholder with the public IP cope with of your OpenVPN server:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote YOUR_SERVER_IP 1194
  • Locate and comment the cacert, and key directives. The certs and keys will be added within the configuration file:

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
# ca ca.crt
# cert client.crt
# key client.key
  • Append the following line at the end of the file to match the server settings:

auth SHA256

Once you are done, the server configuration report should look something like this:


dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth SHA256
key-direction 1

Next, create a easy bash script in order to merge the base configuration and files with the client certificates and key, and save the generated configuration inside the ~/openvpn-clients/configs listing.

Open your text editor and create the subsequent script:

nano ~/openvpn-clients/





# Test for files
    if [[ ! -f $i ]]; then
        echo " The file $i does not exist"
        exit 1

    if [[ ! -r $i ]]; then
        echo " The file $i is not readable."
        exit 1

# Generate client config
cat > ${CONFIGS_DIR}/${1}.ovpn <<EOF
$(cat ${BASE_CONF})
$(cat ${CLIENT_KEY})
$(cat ${CLIENT_CERT})
$(cat ${CA_FILE})
$(cat ${TA_FILE})

Save the file and make it executable by running:

chmod u+x ~/openvpn-clients/

Creating Client Certificate Private Key and Configuration

The process of generating a consumer non-public key and certificate request is similar to we did while generating a server key and certificate request.

As we already mentioned in the preceding phase, we’ll generate the client non-public key and certificate request on the OpenVPN server. In this example, the call of the first VPN customer may be client1.

1.Navigate to the EasyRSA directory on your OpenVPN server and generate a new private key and a certificates request record for the customer:

cd ~/EasyRSA-v3.0.6/./easyrsa gen-req client1 nopass

The command will create two files, a private key (client1.Key) and a certificate request record (client1.Req).

Common Name (eg: your user, host, or server name) [client1]:

Keypair and certificate request completed. Your files are:
req: /home/serveruser/EasyRSA-v3.0.6/pki/reqs/client1.req
key: /home/serveruser/EasyRSA-v3.0.6/pki/private/client1.key

2.Copy the non-public key client1.Key to the ~/openvpn-clients/documents listing you created inside the preceding phase:

cp ~/EasyRSA-v3.0.6/pki/private/client1.key ~/openvpn-clients/files/

3.Transfer the certificates request report in your CA device:

scp ~/EasyRSA-v3.0.6/pki/reqs/client1.req causer@your_ca_ip:/tmp

In this case we’re using scp to switch the record, you can additionally use rsync over ssh or some other secure approach.

4.Login in your CA gadget, transfer to the EasyRSA listing and import the certificates request report:

cd ~/EasyRSA-v3.0.6./easyrsa import-req /tmp/client1.req client1

The first argument is the course to the certificates request report and the second is the client name.

The request has been successfully imported with a short name of: client1
You may now use this name to perform signing operations on this request.

5.From within the EasyRSA directory on CA device run the subsequent command to sign the request:

cd ~/EasyRSA-v3.0.6./easyrsa sign-req client client1

You’ll be prompted to verify that the request comes from a depended on supply. Type sure and press enter to confirm:

If your CA key is password protected, you’ll be prompted to go into the password. Once validated the script will generate the SSL certificate and print the total route to it.

Certificate created at: /home/causer/EasyRSA-v3.0.6/pki/issued/client1.crt

6.Next, transfer the signed certificate client1.crt file back to your OpenVPN server. You can use scprsync or any other secure method:

scp ~/EasyRSA-v3.0.6/pki/issued/client1.crt serveruser@your_server_ip:/tmp

7.Login to your OpenVPN server, and move the client1.crt file into the ~/openvpn-clients/files directory:

mv /tmp/client1.crt ~/openvpn-clients/files

8.The final step is to generate a client configuration using the script. Switch to the ~/openvpn-clients directory and run the script using the client name as an argument:

cd ~/openvpn-clients./ client1
The script will create a document named client1.Ovpn inside the ~/client-configs/configs directory. You can test by using list the directory:
ls ~/openvpn-clients/configs

At this point the consumer configuration is created. You can now transfer the configuration document to the device you propose to apply as a purchaser.

For example to transfer the configuration report for your neighborhood machine with scp you need to run the subsequent command:

scp ~/client-configs/files/client1.ovpn your_local_ip:/

To upload extra customers, just repeat the identical steps.

OpenVPN, Connecting Clients


Your distribution or computer surroundings may also provide a device. or picture user interface to connect to OpenVPN servers. In this academic, we are able to display you the way to hook up with the server the usage of the openvpn device.

  • Install OpenVPN on Ubuntu and Debian
sudo apt updatesudo apt install openvpn

Install OpenVPN on CentOS and Fedora

sudo yum install epel-releasesudo yum install openvpn

Once the package deal is hooked up, to connect with the VPN server use the openvpn command. And specify the patron configuration record:

sudo openvpn --config client1.ovpn


Tunnelblick is a unfastened, open source photograph consumer interface for OpenVPN on OS X and macOS.


Download and set up the cutting-edge construct of OpenVPN utility the OpenVPN’s Downloads web page.

Copy the .Ovpn record to the OpenVPN config folder (UsersOpenVPNConfig or Program FilesOpenVPNconfig).

Launch the OpenVPN utility.

Right click on at the OpenVPN system tray icon. And the name of OpenVPN configuration document you copied might be indexed on the menu. Click Connect.

OpenVPN, Android & iOS

A VPN software advanced by OpenVPN is to be had for both Android and iOS. Install the application and import the customer .Ovp document.

  • Android OpenVPN Connect
  • iOS OpenVPN Connect

Revoking Client Certificates

Revoking a certificate means to invalidate a signed certificate. So that it may now not be used for accessing the OpenVPN server.

To revoke a consumer certificate observe the stairs below:

01. Login to your CA machine and switch to the EasyRSA directory:

cd EasyRSA-v3.0.6

02. Run the easyrsa script using the revoke argument. Followed by the client name you want to revoke:

./easyrsa revoke client1

You’ll be prompted to verify that you wish to revoke the certificate. Type yes and press enter to confirm:


Please confirm you wish to revoke the certificate with the following subject:

    commonName                = client1

Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes

If your CA key is password protected, you’ll be prompted to enter the password. Once verified the script will revoke the certificate

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

3. Use the gen-crl option to generate a certificate revocation list (CRL):

./easyrsa gen-crl
An updated CRL has been created.
CRL file: /home/causer/EasyRSA-v3.0.6/pki/crl.pem

04. Upload the CRL file to the OpenVPN server:

scp ~/EasyRSA-v3.0.6/pki/crl.pem serveruser@your_server_ip:/tmp

05. Login to your OpenVPN server server and move the file to the /etc/openvpn directory:

sudo mv /tmp/crl.pem /etc/openvpn

06. Open the OpenVPN server configuration file:

sudo nano /etc/openvpn/server1.conf

Paste the following line at the end of the file

crl-verify crl.pem

Save and close the file.

07. Restart the OpenVPN service for the revocation directive to take effect:

sudo systemctl restart openvpn@server1

At this factor, the consumer must no longer be able to get right of. Entry to the OpenVPN server the usage of the revoked certificates.

If you want revoke extra consumer certificate just repeat the equal steps.

OpenVPN, Conclusion

In this tutorial, you learned how to install and configure an OpenVPN server on an Debian 9 machine.