
How to Set Up an OpenVPN Server on Debian 9



Whether you want to access the Internet safely and securely while connected to an untrusted public Wi-Fi network, bypass geo-restricted content, or allow your coworkers to connect securely to your company network when working remotely, using a VPN is the best solution.

A VPN lets you connect to remote VPN servers, making your connection encrypted and secure, and surf the web anonymously by keeping your traffic data private.

There are many commercial VPN providers you can choose from, but you can never be truly sure that the provider isn’t logging your activity. The safest option is to set up your own VPN server.

This tutorial explains how to install and configure OpenVPN on Debian 9. We will also show you how to generate client certificates and create configuration files.

OpenVPN is a fully featured, open-source Secure Socket Layer (SSL) VPN solution. It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol.

To complete this tutorial, you will need:

  • Sudo access to a Debian 9 server with a basic UFW firewall configured, on which we will install the OpenVPN service.
  • A separate dedicated machine to serve as your CA (certificate authority). If you don’t want to use a dedicated machine for your CA, you can build the CA on your OpenVPN server or your local machine. Once you are done building the CA, it’s recommended to move the CA directory somewhere secure or offline.

This tutorial assumes that the CA is on a separate Debian 9 machine. The same steps (with small modifications) will apply if you’re using your server as a CA.

We are using a separate CA machine to prevent attackers from infiltrating the server. If an attacker manages to access the CA private key, they could use it to sign new certificates, which would give them access to the VPN server.

Building CA with EasyRSA
The first step is to build a Public Key Infrastructure (PKI) consisting of the following:

  • A Certificate Authority (CA) certificate and private key.
  • A separate certificate and private key pair for the server, issued by our CA.
  • A separate certificate and private key pair for each client, issued by our CA.

As mentioned in the prerequisites, for security reasons we’ll build the CA on a standalone machine.

We will use a CLI utility named EasyRSA to create the CA, generate certificate requests and sign certificates.

Perform the following steps on your CA machine:

Start by downloading the latest release of EasyRSA from the project GitHub repository with the following wget command:

cd && wget

Once the download is complete, extract the archive:

tar xzf EasyRSA-unix-v3.0.6.tgz

Navigate to the EasyRSA directory and create a configuration file named vars by copying the vars.example file:

cd ~/EasyRSA-v3.0.6/
cp vars.example vars

Open the file and uncomment and update the following entries to match your information.

nano ~/EasyRSA-v3.0.6/vars


set_var EASYRSA_REQ_PROVINCE   "Pennsylvania"
set_var EASYRSA_REQ_CITY       "Pittsburgh"
set_var EASYRSA_REQ_ORG        "Linuxize"
set_var EASYRSA_REQ_EMAIL      ""
set_var EASYRSA_REQ_OU         "Community"

Before generating a CA keypair, first initialize a new PKI with:

./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/causer/EasyRSA-v3.0.6/pki

If you don’t want to be prompted for a password each time you sign your certificates, run the build-ca command with the nopass option. The run below does not use it, so it asks for a pass phrase:

./easyrsa build-ca
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:

You’ll be asked to set a password for the CA key and enter a common name for your CA.

Once completed, the script will create two files: the CA public certificate ca.crt and the CA private key ca.key.

We will use the Certificate Authority (CA) files to sign certificate requests for our OpenVPN server and clients.

Installing OpenVPN and EasyRSA
The next step is to install the OpenVPN package, which is available in Debian’s repositories, and download the latest version of EasyRSA on the OpenVPN server.

The following steps are performed on the OpenVPN server.

OpenVPN installation is pretty straightforward; just run the following commands on the OpenVPN server:

sudo apt update
sudo apt install openvpn

Download the latest release of EasyRSA:

cd && wget

Once the download is complete, type the following command to extract the archive:

tar xzf EasyRSA-unix-v3.0.6.tgz

Although we have already initialized a PKI on the CA machine, we also need to create a new PKI on the OpenVPN server. To do so, use the same commands as before:

cd ~/EasyRSA-v3.0.6/
./easyrsa init-pki

If you still wonder why we need two EasyRSA installations, it is because we will use this EasyRSA instance to generate certificate requests that will be signed using the EasyRSA instance on the CA machine.

It may sound complicated and a little confusing, but once you read the whole tutorial you’ll see that it really isn’t complicated.

Creating Diffie-Hellman and HMAC keys

In this section, we will generate a strong Diffie-Hellman key to be used during the key exchange and an HMAC signature file to add an additional layer of security to the connection.

First navigate to the EasyRSA directory on your OpenVPN server.

cd ~/EasyRSA-v3.0.6/

Generate a Diffie-Hellman key:

./easyrsa gen-dh

The script will generate 2048-bit long DH parameters. Depending on your system resources, the generation may take some time. Once completed, the following message will be printed on your screen:

DH parameters of size 2048 created at /home/serveruser/EasyRSA-v3.0.6/pki/dh.pem

Copy the dh.pem file to the /etc/openvpn directory:

sudo cp ~/EasyRSA-v3.0.6/pki/dh.pem /etc/openvpn/

Generate an HMAC signature:

openvpn --genkey --secret ta.key

Once done, copy the ta.key file to the /etc/openvpn directory:

sudo cp ~/EasyRSA-v3.0.6/ta.key /etc/openvpn/

Creating Server Certificate and Private Key
This section describes how to generate a private key and certificate request for the OpenVPN server.
Navigate to the EasyRSA directory on your OpenVPN server and generate a new private key for the server and a certificate request file:

cd ~/EasyRSA-v3.0.6/
./easyrsa gen-req server1 nopass

We are using the nopass argument because we want to start the OpenVPN server without a password input. Also in this example, we are using server1 as the server name (entity) identifier. If you choose a different name for your server, don’t forget to adjust the commands below where the server name is used.

The command will create two files, a private key (server1.key) and a certificate request file (server1.req).

Common Name (eg: your user, host, or server name) [server1]:

Keypair and certificate request completed. Your files are:
req: /home/serveruser/EasyRSA-v3.0.6/pki/reqs/server1.req
key: /home/serveruser/EasyRSA-v3.0.6/pki/private/server1.key

Copy the private key to the /etc/openvpn directory:

sudo cp ~/EasyRSA-v3.0.6/pki/private/server1.key /etc/openvpn/

Transfer the certificate request file to your CA machine:

scp ~/EasyRSA-v3.0.6/pki/reqs/server1.req causer@your_ca_ip:/tmp

In this example we are using scp to transfer the file; you can also use rsync over ssh or any other secure method.

Log in to your CA machine, switch to the EasyRSA directory and import the certificate request file:

cd ~/EasyRSA-v3.0.6
./easyrsa import-req /tmp/server1.req server1

The first argument is the path to the certificate request file and the second is the server short (entity) name. In our case the server name is server1.

The request has been successfully imported with a short name of: server1
You may now use this name to perform signing operations on this request.

This command simply copies the request file into the pki/reqs directory.

While still in the EasyRSA directory on the CA machine, run the following command to sign the request:

cd ~/EasyRSA-v3.0.6
./easyrsa sign-req server server1

The first argument can either be server or client and the second one is the server short (entity) name.

You’ll be prompted to verify that the request comes from a trusted source. Type yes and press Enter to confirm:

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

    commonName                = server1

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes

If your CA key is password protected, you’ll be prompted to enter the password. Once verified, the script will generate the SSL certificate and print the full path to it.

Certificate is to be certified until Sep 17 10:54:48 2021 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /home/causer/EasyRSA-v3.0.6/pki/issued/server1.crt

Transfer the signed certificate server1.crt and the ca.crt file back to your OpenVPN server:

scp ~/EasyRSA-v3.0.6/pki/issued/server1.crt serveruser@your_server_ip:/tmp
scp ~/EasyRSA-v3.0.6/pki/ca.crt serveruser@your_server_ip:/tmp

Log in to your OpenVPN server, and move the server1.crt and ca.crt files into the /etc/openvpn/ directory:

sudo mv /tmp/{server1,ca}.crt /etc/openvpn/

Upon completing the steps outlined in this section, you should have the following new files on your OpenVPN server:

  • /etc/openvpn/ca.crt
  • /etc/openvpn/dh.pem
  • /etc/openvpn/ta.key
  • /etc/openvpn/server1.crt
  • /etc/openvpn/server1.key

Configuring the OpenVPN Service
Now that you have the server certificate signed by your CA and transferred to your OpenVPN server, it’s time to configure the OpenVPN service.

We will use the sample configuration file provided with the OpenVPN installation package as a starting point and then add our own custom configuration options to it.

Start by extracting the configuration file to the /etc/openvpn/ directory:

sudo sh -c "gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server1.conf"

Open the file with your favorite text editor:

sudo nano /etc/openvpn/server1.conf

Find the Certificate, Key and DH parameters directives and change the file names:


cert server1.crt
key server1.key 

dh dh.pem

To redirect the clients’ traffic through the VPN, find and uncomment the redirect-gateway and dhcp-option options:


push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS"
push "dhcp-option DNS"

By default OpenDNS resolvers are used. You can change it and use CloudFlare, Google or any other DNS resolvers you want.

Find the user and group directives and uncomment these settings by removing the “;” at the beginning of each line:


user nobody
group nogroup

Append the following line at the end of the file. This directive will change the message authentication algorithm (HMAC) from SHA1 to SHA256:


auth SHA256

Once you are done, the server configuration file (excluding comments) should look something like this:


port 1194
proto udp
dev tun
ca ca.crt
cert server1.crt
key server1.key  # This file should be kept secret
dh dh.pem
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
auth SHA256
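
The directives set in this section can be checked mechanically before the service is started. The following sh functions are an added example, not part of the original tutorial or of OpenVPN; the function names and the MISSING/WEAK labels are assumptions made here, and the sample config is constructed.

```sh
#!/bin/sh
# Added example (not from the tutorial): audit server1.conf for the
# hardening directives this guide sets. Names and labels are illustrative.

# get_directive FILE NAME: print the arguments of the last active (not
# commented out with # or ;) occurrence of NAME; fail if there is none.
get_directive() {
    awk -v d="$2" '
        { sub(/[#;].*/, "") }                      # strip comments
        $1 == d { $1 = ""; sub(/^ +/, ""); val = $0; found = 1 }
        END { if (found) print val; exit !found }
    ' "$1"
}

# audit_server_conf FILE: print one line per finding, succeed if none.
# The body runs in a subshell, so its variables stay local.
audit_server_conf() (
    conf=$1; findings=0

    # Directives whose value the guide fixes.
    while read -r d want; do
        if ! got=$(get_directive "$conf" "$d"); then
            echo "MISSING $d (expected: $d $want)"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "WEAK    $d $got (expected: $d $want)"
            findings=$((findings + 1))
        fi
    done <<'EOF'
user nobody
group nogroup
auth SHA256
EOF

    # Files the guide copies into /etc/openvpn must be referenced.
    for d in ca cert key dh tls-auth; do
        if ! get_directive "$conf" "$d" >/dev/null; then
            echo "MISSING $d"
            findings=$((findings + 1))
        fi
    done

    # The guide uses key direction 0 on the server (clients use 1).
    if got=$(get_directive "$conf" tls-auth) && [ "${got##* }" != 0 ]; then
        echo "WEAK    tls-auth $got (expected key direction 0)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
)

# Constructed sample: user/group still commented out and no auth line,
# so OpenVPN would keep root privileges and the SHA1 HMAC default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ca ca.crt
cert server1.crt
key server1.key  # This file should be kept secret
dh dh.pem
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
;user nobody
;group nogroup
EOF
audit_server_conf "$sample" || echo "server config needs attention"
rm -f "$sample"
```

Run it against the real file with audit_server_conf /etc/openvpn/server1.conf; no output and a zero exit status mean every directive from this section is in place.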

Starting OpenVPN Service
In this tutorial, we’ve used server1.conf as the configuration file. To start the OpenVPN service with this configuration we need to specify the configuration file name after the systemd unit file name.

On your OpenVPN server run the following command to start the OpenVPN service:

sudo systemctl start openvpn@server1

Verify whether the service has started successfully by typing:

sudo systemctl status openvpn@server1

If the service is active and running, the output will look something like this:

● openvpn@server1.service - OpenVPN connection to server1
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-03-19 03:49:53 PDT; 3s ago
     Docs: man:openvpn(8)
  Process: 1722 ExecStart=/usr/sbin/openvpn --daemon ovpn-server1 --status /run/openvpn/server1.status 10 --cd /etc/openvpn --config /etc/openvpn/server1.conf --writepid /run/openvpn/ (code=exited, status=0/SUCCESS)
 Main PID: 1723 (openvpn)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server1.service
           └─1723 /usr/sbin/openvpn --daemon ovpn-server1 --status /run/openvpn/server1.status 10 --cd /etc/openvpn --config /etc/openvpn/server1.conf --writepid /run/openvpn/

Enable the service to automatically start on boot with:

sudo systemctl enable openvpn@server1
Created symlink /etc/systemd/system/ → /lib/systemd/system/openvpn@.service.

If the OpenVPN service fails to start, check the logs with sudo journalctl -u openvpn@server1.

When starting, the OpenVPN server creates a tun device tun0. To verify it, use the following ip command:

ip a show tun0

The output should look something like this:

3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet peer scope global tun0
       valid_lft forever preferred_lft forever

At this point, your OpenVPN server is configured and running properly.

Firewall and Server Networking Configuration
In order to forward network packets properly, we need to enable IP forwarding.
The following steps are performed on the OpenVPN server.

Open the /etc/sysctl.conf file and add or uncomment the line which reads net.ipv4.ip_forward = 1:

sudo nano /etc/sysctl.conf


# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Once you are done, save and close the file.

Apply the new settings by running the following sysctl command:

sudo sysctl -p
net.ipv4.ip_forward = 1

If you followed the prerequisites, you should already have a UFW firewall running on your server.

Now we need to add firewall rules to enable masquerading. This will allow traffic to leave the VPN, giving your VPN clients access to the Internet.

Before adding the rules you need to know the public network interface of your Debian OpenVPN server. You can easily find the interface by running the following command:

ip -o -4 route show to default | awk '{print $5}'

In our case, the interface is named eth0 as shown in the output below. Your interface will probably have a different name.

eth0

By default, when using UFW the forwarded packets are dropped. We’ll need to change that and instruct our firewall to allow forwarded packets.

Open the UFW configuration file, find the DEFAULT_FORWARD_POLICY key and change the value from DROP to ACCEPT:

sudo nano /etc/default/ufw


# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"

Next, we need to set the default policy for the POSTROUTING chain in the nat table and set the masquerade rule.

To do so, open the /etc/ufw/before.rules file and append the lines shown below.

sudo nano /etc/ufw/before.rules

Don’t forget to replace eth0 in the -A POSTROUTING line to match the name of the public network interface you found in the previous command. Paste the lines after the last line starting with COMMIT.


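# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

#NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to public network interface
# VPN_SUBNET is a placeholder: use your VPN client subnet in CIDR form
-A POSTROUTING -s VPN_SUBNET -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT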

When you are done, save and close the file.

We also need to open UDP traffic on port 1194, which is the default OpenVPN port. To do so, run the following command:

sudo ufw allow 1194/udp

In case you forgot to open the SSH port, to avoid being locked out, run the following command to open the port:

sudo ufw allow OpenSSH

Finally, reload the UFW rules by disabling and re-enabling UFW:

sudo ufw disable
sudo ufw enable

To verify the changes, run the following command to list the POSTROUTING rules:

sudo iptables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0 

Creating the Client Configuration Infrastructure
In this tutorial, we’ll create a separate SSL certificate and generate a different configuration file for each VPN client.

The client private key and certificate request can be generated either on the client machine or on the server. For simplicity, we will generate the certificate request on the server and then send it to the CA to be signed.

The whole process of generating the client certificate and configuration file is as follows:

  • Generate a private key and certificate request on the OpenVPN server.
  • Send the request to the CA machine to be signed.
  • Copy the signed SSL certificate to the OpenVPN server and generate a configuration file.
  • Send the configuration file to the VPN client’s machine.

Start by creating a set of directories to store the clients’ files:

mkdir -p ~/openvpn-clients/{configs,base,files}

  • The base directory will store the base files and configuration that will be shared across all client files.
  • The configs directory will store the generated client configuration.
  • The files directory will store client-specific certificate/key pairs.

Copy the ca.crt and ta.key files to the ~/openvpn-clients/base directory:

cp ~/EasyRSA-v3.0.6/ta.key ~/openvpn-clients/base/
cp /etc/openvpn/ca.crt ~/openvpn-clients/base/

Next, copy the sample VPN client configuration file into the ~/openvpn-clients/base directory. We will use this file as a base configuration:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/openvpn-clients/base/

Now we need to edit the file to match our server settings and configuration. Open the configuration file with your text editor:

nano ~/openvpn-clients/base/client.conf

Find the remote directive and change the default placeholder to the public IP address of your OpenVPN server:


# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote YOUR_SERVER_IP 1194

Locate and comment out the ca, cert, and key directives. The certs and keys will be added within the configuration file:


# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
# ca ca.crt
# cert client.crt
# key client.key

Append the following line at the end of the file to match the server settings:


auth SHA256

Once you are done, the client configuration file should look something like this:


dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth SHA256
key-direction 1

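Next, create a simple bash script that will merge the base configuration and files with the client certificate and key, and store the generated configuration in the ~/openvpn-clients/configs directory.

Open your text editor and create the following script:

nano ~/openvpn-clients/gen_config.sh

#!/bin/bash

FILES_DIR=$HOME/openvpn-clients/files
BASE_DIR=$HOME/openvpn-clients/base
CONFIGS_DIR=$HOME/openvpn-clients/configs
BASE_CONF=${BASE_DIR}/client.conf
CA_FILE=${BASE_DIR}/ca.crt
TA_FILE=${BASE_DIR}/ta.key
# Per-client certificate/key pair, named by the first argument
CLIENT_CERT=${FILES_DIR}/${1}.crt
CLIENT_KEY=${FILES_DIR}/${1}.key

# Test for files
for i in "$BASE_CONF" "$CA_FILE" "$TA_FILE" "$CLIENT_CERT" "$CLIENT_KEY"; do
    if [[ ! -f $i ]]; then
        echo " The file $i does not exist"
        exit 1
    fi

    if [[ ! -r $i ]]; then
        echo " The file $i is not readable."
        exit 1
    fi
done

# Generate client config
cat > ${CONFIGS_DIR}/${1}.ovpn <<EOF
$(cat ${BASE_CONF})
<key>
$(cat ${CLIENT_KEY})
</key>
<cert>
$(cat ${CLIENT_CERT})
</cert>
<ca>
$(cat ${CA_FILE})
</ca>
<tls-auth>
$(cat ${TA_FILE})
</tls-auth>
EOF

Save the file and make it executable with chmod:

chmod u+x ~/openvpn-clients/gen_config.sh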

Creating Client Certificate Private Key and Configuration
The process of generating a client private key and certificate request is the same as we did when generating a server key and certificate request.

As we already mentioned in the previous section, we’ll generate the client private key and certificate request on the OpenVPN server. In this example, the name of the first VPN client will be client1.

Navigate to the EasyRSA directory on your OpenVPN server and generate a new private key and a certificate request file for the client:

cd ~/EasyRSA-v3.0.6/
./easyrsa gen-req client1 nopass

The command will create two files, a private key (client1.key) and a certificate request file (client1.req).

Common Name (eg: your user, host, or server name) [client1]:

Keypair and certificate request completed. Your files are:
req: /home/serveruser/EasyRSA-v3.0.6/pki/reqs/client1.req
key: /home/serveruser/EasyRSA-v3.0.6/pki/private/client1.key

Copy the private key client1.key to the ~/openvpn-clients/files directory you created in the previous section:

cp ~/EasyRSA-v3.0.6/pki/private/client1.key ~/openvpn-clients/files/

Transfer the certificate request file to your CA machine:

scp ~/EasyRSA-v3.0.6/pki/reqs/client1.req causer@your_ca_ip:/tmp

In this example we are using scp to transfer the file; you can also use rsync over ssh or any other secure method.

Log in to your CA machine, switch to the EasyRSA directory and import the certificate request file:

cd ~/EasyRSA-v3.0.6
./easyrsa import-req /tmp/client1.req client1

The first argument is the path to the certificate request file and the second one is the client name.

The request has been successfully imported with a short name of: client1
You may now use this name to perform signing operations on this request.

From within the EasyRSA directory on the CA machine, run the following command to sign the request:

cd ~/EasyRSA-v3.0.6
./easyrsa sign-req client client1

You’ll be prompted to verify that the request comes from a trusted source. Type yes and press Enter to confirm:

If your CA key is password protected, you’ll be prompted to enter the password. Once verified, the script will generate the SSL certificate and print the full path to it.

Certificate created at: /home/causer/EasyRSA-v3.0.6/pki/issued/client1.crt

Next, transfer the signed certificate client1.crt file back to your OpenVPN server. You can use scp, rsync or any other secure method:

scp ~/EasyRSA-v3.0.6/pki/issued/client1.crt serveruser@your_server_ip:/tmp

Log in to your OpenVPN server, and move the client1.crt file into the ~/openvpn-clients/files directory:

mv /tmp/client1.crt ~/openvpn-clients/files

The final step is to generate a client configuration using the gen_config.sh script. Switch to the ~/openvpn-clients directory and run the script using the client name as an argument:

cd ~/openvpn-clients
./gen_config.sh client1

The script will create a file named client1.ovpn in the ~/openvpn-clients/configs directory. You can check by listing the directory:

ls ~/openvpn-clients/configs
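
Before the bundle leaves the server it is worth confirming that it is complete and not readable by other local users, since it embeds the client's private key. The check below is an added example, not part of the original tutorial; it assumes the bundle carries the key material in OpenVPN's inline <ca>, <cert>, <key> and <tls-auth> blocks, and the function names, finding labels and sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the tutorial): check a generated client bundle.
# Assumes OpenVPN inline blocks; names and sample data are illustrative.

# pem_count FILE TAG: number of "-----BEGIN" lines inside a closed <TAG>
# block, or -1 when the block is absent or never closed.
pem_count() {
    awk -v t="$2" '
        $0 == ("<" t ">")        { inside = 1; next }
        $0 == ("</" t ">")       { if (inside) closed = 1; inside = 0; next }
        inside && /^-----BEGIN / { n++ }
        END { print (closed ? n + 0 : -1) }
    ' "$1"
}

# check_ovpn FILE: print one line per finding, succeed if there are none.
check_ovpn() (
    f=$1; findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    for tag in ca cert key tls-auth; do
        case $(pem_count "$f" "$tag") in
            -1) note "MISSING <$tag> block" ;;
            0)  note "EMPTY   <$tag> block holds no PEM data" ;;
        esac
    done

    # Inline tls-auth takes its direction from key-direction (1 on clients).
    grep -Eq '^[[:space:]]*key-direction[[:space:]]+1[[:space:]]*$' "$f" ||
        note "MISSING key-direction 1"

    # The guide comments out the file-based ca/cert/key directives.
    if grep -Eq '^[[:space:]]*(ca|cert|key)[[:space:]]' "$f"; then
        note "STALE   file-based ca/cert/key directive is still active"
    fi

    # The bundle embeds the client private key: owner-only access.
    if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
        note "PERMS   $f is readable by group or others"
    fi
    [ "$findings" -eq 0 ]
)

# write_sample_bundle FILE: constructed bundle with placeholder PEM bodies.
write_sample_bundle() {
    cat > "$1" <<'EOF'
remote YOUR_SERVER_IP 1194
remote-cert-tls server
auth SHA256
key-direction 1
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

demo=$(mktemp)
write_sample_bundle "$demo"
chmod 644 "$demo"     # world-readable, as a umask of 022 would leave it
check_ovpn "$demo" || echo "fix the findings before sending the bundle"
rm -f "$demo"
```

A PERMS finding on a real bundle is cleared with chmod 600 on the .ovpn file.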

At this point the client configuration is created. You can now transfer the configuration file to the device you intend to use as a client.

For example, to transfer the configuration file to your local machine with scp you should run the following command:

scp ~/openvpn-clients/configs/client1.ovpn your_local_ip:/

To add additional clients, just repeat the same steps.

Connecting Clients
Your distribution or desktop environment may provide a tool or graphical user interface to connect to OpenVPN servers. In this tutorial, we will show you how to connect to the server using the openvpn tool.

Install OpenVPN on Ubuntu and Debian

sudo apt update
sudo apt install openvpn

Install OpenVPN on CentOS and Fedora

sudo yum install epel-release
sudo yum install openvpn

Once the package is installed, to connect to the VPN server use the openvpn command and specify the client configuration file:

sudo openvpn --config client1.ovpn

Tunnelblick is a free, open-source graphical user interface for OpenVPN on OS X and macOS.

On Windows, download and install the latest build of the OpenVPN application from OpenVPN’s Downloads page.

Copy the .ovpn file to the OpenVPN config folder (\Users\<Name>\OpenVPN\Config or \Program Files\OpenVPN\config).

Launch the OpenVPN application.

Right-click on the OpenVPN system tray icon and the name of the OpenVPN configuration file you copied will be listed in the menu. Click Connect.

Android & iOS
A VPN application developed by OpenVPN is available for both Android and iOS. Install the application and import the client .ovpn file.

  • Android OpenVPN Connect
  • iOS OpenVPN Connect

Revoking Client Certificates
Revoking a certificate means invalidating a signed certificate so that it can no longer be used for accessing the OpenVPN server.

To revoke a client certificate follow the steps below:

Log in to your CA machine and switch to the EasyRSA directory:

cd EasyRSA-v3.0.6

Run the easyrsa script using the revoke argument, followed by the client name you want to revoke:

./easyrsa revoke client1

You’ll be prompted to verify that you wish to revoke the certificate. Type yes and press Enter to confirm:

Please confirm you wish to revoke the certificate with the following subject:

    commonName                = client1

Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

Use the gen-crl option to generate a certificate revocation list (CRL):

./easyrsa gen-crl
An updated CRL has been created.
CRL file: /home/causer/EasyRSA-v3.0.6/pki/crl.pem

Upload the CRL file to the OpenVPN server:

scp ~/EasyRSA-v3.0.6/pki/crl.pem serveruser@your_server_ip:/tmp

Log in to your OpenVPN server and move the file to the /etc/openvpn directory:

sudo mv /tmp/crl.pem /etc/openvpn

Open the OpenVPN server configuration file:

sudo nano /etc/openvpn/server1.conf

Paste the following line at the end of the file:


crl-verify crl.pem

Save and close the file.

Restart the OpenVPN service for the revocation directive to take effect:

sudo systemctl restart openvpn@server1

At this point, the client should no longer be able to access the OpenVPN server using the revoked certificate.

If you need to revoke additional client certificates, just repeat the same steps.

In this tutorial, you learned how to install and configure an OpenVPN server on a Debian 9 machine.

If you run into any problems, feel free to leave a comment.