Dockstar: HowTo setup OpenVPN on Debian

Dockstar: HowTo setup OpenVPN on Debian

(8 votes, average: 5.00 out of 5)

Well, if you want to have a secure connection to your dockstar or even your home net, this post describes all steps you have to take to get this done. In my setup I have a dd-wrt router connected to the internet and forwarding all needed ports to the dockstar. You probably don’t use a firewall on the debian machine, but you will have to, because we need package forwarding to reach the home net through the VPN tunnel. I assume you don’t use your dockstar as the default gateway for your LAN, so you will need an additional route in the router:

Let me explain the path of the packages of a ping from a remote machine to a host in the LAN. For the different subnets refer to the exhibit (VPN:; LAN:

Let us ping the hostaddress from The ping starts at the VPN-client into the vpn tunnel to the tun device on the dockstar The VPN-client knows about the LAN, because it gets pushed a valid route by the openvpn-server.
The dockstar directly forwards the icmp-package to the LAN-host. Assuming the LAN-host’s firewall doesn’t block packages from/to, it will send out the respond-package to its default gateway ( because the lan hosts doesn’t know anything about the VPN.
Well, by default the router doesn’t know the VPN either and will forward the package to its default gateway, yes, its the first hop of your ISP! So we need to redirect packages to back to the dockstar. Now the additional route in the router comes to work. In dd-wrt you can set it in the web interface: Setup->Advanced Routing. The icmp-package will be send to dockstar’s eth0 ( and forwarded to the VPN-client (
With this knowledge we are ready to install and configure openvpn and the firewall e.g. iptables.

1. OpenVPN

First of all we need to install the package:

1.1 Configure the Server

The configuration files are stored in /etc/openvpn. If you want to run multiple servers you simple create a serverX.conf for each server. In my case I’m running one UDP server, the config file is called tun0.conf and looks like this:

1.2 Build the Certificates and Keys

We will do this with easy-rsa which comes with openvpn:

You may want to edit vars first to get your own defaults:

Now we will create the certificate for CA:

Then we will create the certificate for the server:

Then we will create the certificate for client (you can build one for each vpn-client in order not to share them):

We will build diffie hellman

Now all keys are built, you should have these files:

Now we have the keys and certificates. So we will put them to our clients who want to connect to the vpn. Just be sure that you only copy these files to the clients:

  • client1.crt
  • client1.key
  • ca.crt

1.3 Configure the Client

A minimal client.conf could look like this:

2. Some Firewall Rules

If you don’t have a firewall running just install it:

As mentioned above we need the packages forwarded to enable the communication between the VPN and the LAN.
To permanently set net.ipv4.ip_forward=1 uncomment this line:

Add these rules to your firewall-script (tun+ is a wildcard for all tun-devices, $device is set to eth0):

In case you don’t want to set up a script from scratch, this is mine, so some of you might say its a bit overloaded But… security first.
This is a fully working init-script, (/etc/init.d/firewall)

If you use this script don’t forget to make it executable.

3. Restart the Services

Now we are ready to restart the services and run a first test:

If everything works you should be able to ping around your VPN and your LANs. For additional understanding the routes take a look at a traceroute.

4. Reference