How To Install Nextcloud on Debian 12 with Snap and Let’s Encrypt

SSD Nodes blog (Debian), Mon, 18 Aug 2025, https://www.ssdnodes.com/blog/install-nextcloud-on-debian-12-lets-encrypt/

Looking for a tutorial on how to install Nextcloud on Debian 12 and secure it with a Let's Encrypt SSL certificate? You're in the right place!


Nextcloud is an open source content collaboration platform for managing your files, with capabilities such as real-time document editing, video chat and groupware on mobile, desktop and web. Nextcloud is similar to Dropbox and Google Drive, and was forked from the ownCloud open source software by some of the original ownCloud developers.

Installing Nextcloud on Debian 12 with Let's Encrypt

To install Nextcloud on Debian 12 with a Let's Encrypt certificate, you'll first update the package index, install the Snap package manager for Debian, use it to install Nextcloud, configure a Nextcloud administrative account, and then set up Let's Encrypt using the nextcloud.enable-https command.

Note

If you want to skip all the technical steps of setting up Nextcloud on your server and have it installed in minutes, you can use our tried and tested 1-click Nextcloud application. Just choose a server, and while prompted to choose the operating system, choose Nextcloud from the dropdown menu. This will set up Nextcloud in minutes! However, if you prefer to get your hands dirty, keep reading.

Prerequisites

To follow this tutorial, you'll need:

  • A Debian 12 server. Get your VPS hosting from a reputable and trustworthy provider like SSD Nodes. We offer powerful Debian servers and the best deals. Take a look at our offerings and prepare for your mind to be blown 🤯.

Check out our How to access your server using SSH guide to learn how to access your server and create a sudo user.

Step 1: Updating the Package Cache

Start by updating the packages in the package manager cache to the latest available versions using the following command:

sudo apt update

Step 2: Installing Nextcloud on Debian 12

To install Nextcloud, we can take advantage of the Snap packaging tool, which allows software organizations to publish software in a single package with all dependencies, configurations, and auto-updating features.

First, install the Snap packaging tool with the following command:

sudo apt install snapd -y

Run the following command to install the Nextcloud snap package:

sudo snap install nextcloud

This will download and install Nextcloud on your system, and you will receive an output similar to the following:

[Image: nextcloud installed on debian]

To confirm that the installation was successful, run the following command:

snap changes nextcloud

You should receive the following output:

[Image: debian snap changes nextcloud]

For more information on the Nextcloud package, you can use the following command:

snap info nextcloud

[Image: snap nextcloud info command]

This will give you information such as the publisher, contact information, commands, services, and other metrics.

Step 3: Configuring your Nextcloud Administrative Account

Although you can configure your Nextcloud admin account on the web interface, it is best to avoid making your unsecured Nextcloud configuration accessible on the Internet.

You can use the nextcloud.manual-install command to configure a Nextcloud admin account directly from the command line by passing it a username and a password like so:

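sudo /snap/bin/nextcloud.manual-install your_user your_password

Make sure to replace your_user and your_password with your preferred username and password. Because the password is typed as a command-line argument, it normally ends up in your shell history, so choose a strong one and remove that history entry afterwards.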

As a result, you should see the following output:

Nextcloud was successfully installed

With this, you now need to add your server's domain name and IP address to your Nextcloud trusted domains.

Step 4: Configuring Trusted Domains

By default, Nextcloud only responds to web requests that are sent to the localhost hostname. This makes us unable to access Nextcloud via our server's IP address or our domain name. To solve this and make Nextcloud accessible to the outside world, we’ll need to change the trusted domains setting.

To add an additional trusted domain to Nextcloud on Debian, run the following command:

sudo /snap/bin/nextcloud.occ config:system:set trusted_domains 1 --value=example.com

Repeat this command for each of your domain names, incrementing the number each time, and make sure to replace example.com with your domain name or IP address. For example, to add another domain:

sudo /snap/bin/nextcloud.occ config:system:set trusted_domains 2 --value=cloud.example.com

And to add your IP address:

sudo /snap/bin/nextcloud.occ config:system:set trusted_domains 3 --value=your_ip_address

Note the increments in the trusted_domains parameter.

To see all your trusted domains, use the following command:

sudo /snap/bin/nextcloud.occ config:system:get trusted_domains

[Image: nextcloud trusted domains on debian server]
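The index bookkeeping from this step can be scripted so that an existing entry is never overwritten. The following is an added example, not part of the original tutorial: the function name plan_trusted_domains and the hostname filter are this example's own, and it assumes the current entries occupy indexes 0..n-1 without gaps, as they do if you followed the commands above.

```sh
#!/bin/sh
# Added example (not from the original tutorial): print the occ commands
# needed to add hosts to trusted_domains without reusing an occupied index.

OCC=/snap/bin/nextcloud.occ   # path used in this tutorial

# plan_trusted_domains CURRENT HOST...
#   CURRENT: text printed by "occ config:system:get trusted_domains",
#            one entry per line (assumed to be indexes 0..n-1 with no gaps).
#   Prints one "config:system:set" command per host that is not listed yet.
plan_trusted_domains() {
    ptd_current=$1
    shift
    # The next free index equals the number of entries already present.
    ptd_next=$(printf '%s\n' "$ptd_current" | awk 'NF { n++ } END { print n + 0 }')
    for ptd_host in "$@"; do
        # Policy of this example: accept only bare hostnames or IPv4
        # addresses, so URLs, paths and wildcards never enter the allowlist.
        case $ptd_host in
            '' | *[!A-Za-z0-9.-]*)
                echo "skipped '$ptd_host': not a bare hostname or IPv4 address" >&2
                continue
                ;;
        esac
        # Exact whole-line match: example.com must not match cloud.example.com.
        if printf '%s\n' "$ptd_current" | grep -Fxq -- "$ptd_host"; then
            continue
        fi
        printf 'sudo %s config:system:set trusted_domains %d --value=%s\n' \
            "$OCC" "$ptd_next" "$ptd_host"
        ptd_current="$ptd_current
$ptd_host"
        ptd_next=$((ptd_next + 1))
    done
}

# Run against the live installation only when hosts are given and occ exists.
if [ "$#" -gt 0 ] && [ -x "$OCC" ]; then
    plan_trusted_domains "$(sudo "$OCC" config:system:get trusted_domains)" "$@"
fi
```

The script only prints the commands, so you can review them before running any of them.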

Next, you'll secure your Nextcloud web server using HTTPS with a Let's Encrypt SSL certificate.

Step 5: Nextcloud Let's Encrypt Setup on Debian

To secure your Nextcloud server with HTTPS, add a Let's Encrypt SSL certificate to your installation using the following command:

sudo /snap/bin/nextcloud.enable-https lets-encrypt

You'll be presented with a few requirements:

[Image: letsencrypt for nextcloud on debian]

Make sure your server meets these requirements and hit Y. Next, type in your email and domain name.

[Image: successful nextcloud letsencrypt setup]

Restart Nextcloud:

sudo snap restart nextcloud

With this, you can now access your Nextcloud server over the Web via HTTPS.

Step 6: Using the Nextcloud Web Interface

With Nextcloud configured, navigate to your domain name or IP with your web browser:

https://your_domain_or_IP

Note: You may temporarily see a message informing you that Nextcloud is in Maintenance Mode. Wait a few minutes while Nextcloud sets things up, then refresh the page.

You should be moved to a login screen. Use the username and password you configured earlier.

[Image: nextcloud user interface]

Congrats

You've successfully installed Nextcloud on your Debian 12 server, and secured it with a Let's Encrypt SSL certificate. You can now upload your files and collaborate with others on the cloud, using your own private VPS server.

For more information on Nextcloud, check out their official website.

Reader Alert!

If you feel that the technical instructions in this tutorial are time-consuming, or beyond your expertise, you can choose a very convenient and practical solution, ready-made, fully and professionally tested, and developed by SSD Nodes (That is us 😊). Just visit our website, choose the server’s specifications that fit your needs, and while prompted to choose among the operating systems and the 1-Click Applications we have, choose Nextcloud from the dropdown menu, complete your checkout, and in a couple of minutes our algorithms will take care of all the technical aspects smoothly and effortlessly, just for you!

Installing Nextcloud on Ubuntu

To install Nextcloud on Ubuntu, take a look at our How To Install and Configure Nextcloud on Ubuntu article.

FAQ

Does Nextcloud support end-to-end encryption?

Yes, Nextcloud supports end-to-end encryption for securing data. This feature encrypts files on the client side before they are uploaded to the server, ensuring that only the user has access to the unencrypted data.

What are the best practices for Nextcloud backups?

Regularly back up the Nextcloud data directory and database. Use tools like rsync for file backups and mysqldump for database dumps. Automate the process and store backups in a separate, secure location.

How to install MySQL and phpMyAdmin on Debian 11

SSD Nodes blog (Debian), Mon, 29 May 2023, https://www.ssdnodes.com/blog/how-to-install-mysql-and-phpmyadmin-on-debian-11/

phpMyAdmin is a free software tool written in PHP that allows you to manage MySQL via a Web interface. phpMyAdmin supports both MySQL and MariaDB. With the phpMyAdmin web interface, you can manage databases, tables, columns, relations, indexes, users, permissions, etc. Additionally, it also gives you the ability to directly execute SQL statements for more complex operations.

Prerequisites

  • Basic knowledge of the Linux command line.
  • A Debian 11 server with a non-root user with sudo privileges. You can get affordable, and powerful Debian servers from our website, and you can check out our How to access your server using SSH guide to learn how to access your server and create a sudo user.
  • The LAMP stack (Linux, Apache, MySQL, and PHP) installed on your server. Use our Installing LAMP on Ubuntu 22.04 LTS guide to set it up.

Note: You can use our LAMP 1-Click App to set up LAMP automatically when creating a server. Just visit our website, choose a server, and while prompted to choose the operating system, choose LAMP from the dropdown menu, complete your checkout, and in a couple of minutes our algorithms will take care of all the complex technicalities for you.

  • A TLS/SSL certificate, because phpMyAdmin can access sensitive information about your infrastructure, and an insecure HTTP connection will make your server extremely vulnerable.

Step 1: Updating the Package Cache and Installing Nano

Start by updating the packages in the package manager cache to the latest available versions using the following command:

sudo apt update

Next install the Nano editor which you'll later use in this article:

sudo apt -y install nano

Step 2: Installing phpMyAdmin

Before you install phpMyAdmin, you may want to check whether you can access the MySQL command line interface using the root password and normal authentication. To do this, run the following command:

sudo mysql

If you get an error that contains Access denied for user 'root', this means that the default authentication method has changed, and connecting to MySQL requires a password for the root account. To solve this issue, use the following command to connect to MySQL using the root user and a password:

mysql -u root -p

You'll be asked for your MySQL root password, enter it and then press Enter.

Note: If you've installed the LAMP stack using our 1-Click App, you'll find your MySQL root password in the App Details widget on your SSDNodes Dashboard, as shown in the following image:

[Image: SSDNodes Dashboard]

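Once the MySQL prompt opens, temporarily remove the root password with the statement below. You will later run mysql_secure_installation to secure your MySQL installation once phpMyAdmin is installed. Until then the root account has no password, so carry out the rest of this step in one sitting.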

SET PASSWORD FOR root@localhost=PASSWORD('');

Next, exit the MySQL interface:

exit;

To install phpMyAdmin, you also need to install some PHP extensions needed for it to properly work. Use the following command to install phpMyAdmin and its dependencies:

sudo apt install phpmyadmin php-mbstring php-zip php-gd php-json php-curl

Here you install phpmyadmin and the following packages:

  • php-mbstring: A package that provides the MBSTRING module for PHP, which is used to manage non-ASCII strings.
  • php-zip: Provides a Zip module for PHP. Zip is a tool that is used to archive and compress files.
  • php-gd: Provides a GD module for PHP. The GD library is a library that offers graphics drawing tools to manage image data.
  • php-json: Provides PHP with support for JSON serialization.
  • php-curl: Provides a CURL module for PHP. CURL is used in command lines and scripts to transfer data through URLs.

Some of the dependencies above may already be installed on your server if you followed our Installing LAMP on Ubuntu 22.04 LTS guide.

During the installation, you'll be asked to configure the server. Hit SPACE on the apache2 option, then TAB, then ENTER to set Apache as the server.

When asked whether to use dbconfig-common, select Yes.

Next, you will be asked to create a MySQL password for phpMyAdmin. Set a strong password and confirm it.

This will add an Apache configuration file for phpMyAdmin in the /etc/apache2/conf-enabled/ directory.

Next, in case you removed the root password earlier, run the mysql_secure_installation command to secure your MySQL installation:

sudo mysql_secure_installation

You’ll be asked for your current root password:

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none): 

Tap Enter.

Next, you'll be asked whether you want to use the unix_socket authentication method:

OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

Switch to unix_socket authentication [Y/n] 

Tap Y to enable unix_socket authentication for better security.

Next, you'll be asked to change the root password:

Enabled successfully!
Reloading privilege tables..
 ... Success!

Change the root password? [Y/n] 

Tap Y to set a new password for root, and re-enter it for validation.

Next, you'll be asked to remove anonymous users:

Change the root password? [Y/n] y
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] 

Tap Y to remove the anonymous users that come with your MariaDB installation.

Next, you’ll be asked whether you want to disallow remote root logins:

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] 

Tap Y to disable remote root login.

Next, you’ll be asked whether you want to remove the test database that comes with your MariaDB installation:

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] 

Tap Y to remove your MariaDB test database and disable access to it.

In order for the changes you've made to take effect, you’ll be asked to reload your MariaDB privilege tables:

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] 

Tap Y to reload your MariaDB privilege tables. This will ensure that your changes will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

With this, your MySQL/MariaDB installation is more secure than before, provided that you follow security best practices.

Next, continue the phpMyAdmin configuration by enabling the mbstring PHP extension with the following command:

sudo phpenmod mbstring

Then restart Apache:

sudo systemctl restart apache2

With this, phpMyAdmin is now installed and configured with Apache. Next, you will need to configure MySQL privileges so that your MySQL users can interact with phpMyAdmin.

Step 3: Configuring a MySQL User for phpMyAdmin

phpMyAdmin is accessible by default with a user called phpmyadmin. But it is generally recommended that you create a dedicated MySQL user to manage your databases with the phpMyAdmin web interface.

First, open up the MySQL command line interface:

sudo mysql

If you get an error that contains Access denied for user 'root', this means that the default authentication method has changed, and connecting to MySQL requires a password for the root account. To solve this issue, use the following command to connect to MySQL using the root user and a password:

mysql -u root -p

You'll be asked for your MySQL root password, enter it and then press Enter.

Note: If you've installed the LAMP stack using our 1-Click App, you'll find your MySQL root password in the App Details widget on your SSDNodes Dashboard, as shown in the following image:

[Image: SSDNodes Dashboard]

Once the MySQL prompt opens, create a new user with a strong password using the following command:

CREATE USER 'your_user'@'localhost' IDENTIFIED BY 'your_password';

Make sure to replace your_user and your_password with the appropriate values of your choice.

Next, grant your new user administrative privileges:

GRANT ALL PRIVILEGES ON *.* TO 'your_user'@'localhost' WITH GRANT OPTION;

Exit the MySQL command line interface:

exit

With this, you can now navigate to your phpMyAdmin web interface with the following URL (replacing your_domain_or_IP with your domain or your server's IP address):

https://your_domain_or_IP/phpmyadmin

You will see a login screen as follows:

[Image: phpmyadmin login]

Once you log in with the credentials you specified earlier, you'll be taken to the phpMyAdmin dashboard:

[Image: phpmyadmin dashboard]

Step 4: Configuring HTTP Authentication for Additional Security

Because phpMyAdmin can access and manage all of your databases, it is extremely important to secure it. One way of adding security to phpMyAdmin is to put basic HTTP authentication in front of it, which requires users to authenticate before they can reach the phpMyAdmin login screen.

To use HTTP authentication, you can use Apache's .htaccess file. First, enable .htaccess by modifying the Apache configuration for phpMyAdmin:

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

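Find the <Directory /usr/share/phpmyadmin> section, and then add the AllowOverride All option to it, as shown below:

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AllowOverride All
    # (the remaining directives in this section stay unchanged)
</Directory>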

Save and close the file.

Restart Apache:

sudo systemctl restart apache2

Next create a .htaccess file inside your phpmyadmin directory:

sudo nano /usr/share/phpmyadmin/.htaccess

Type the following into this file:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

Here, AuthUserFile sets the location of your password file, which holds the username and password you'll use for authentication.

Save and close the file.

To create the password file, use the htpasswd tool passing a username of your choice as follows:

sudo htpasswd -c /etc/phpmyadmin/.htpasswd your_username

Remember to change your_username to a username of your choice.

You'll be asked to provide and confirm a password. Type in a strong password, confirm it, and then tap ENTER.

Restart Apache again for this new authentication method to work:

sudo systemctl restart apache2

Now, visiting your phpmyadmin URL will ask you for a second layer of authentication before you can access the phpmyadmin login screen:

https://your_domain_or_IP/phpmyadmin
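If AllowOverride is left at Apache's default for this directory, the .htaccess file has no effect and the phpMyAdmin login stays exposed without the second layer. The check below is an added example, not part of the original tutorial: the function names are this example's own, and the paths are the ones used in this step.

```sh
#!/bin/sh
# Added example (not from the original tutorial): confirm that the Basic Auth
# layer from Step 4 is really in force.

# allowoverride_for_dir CONF DIR
#   Prints the AllowOverride value set inside "<Directory DIR>" in CONF,
#   or nothing when that section does not set one.
allowoverride_for_dir() {
    awk -v dir="$2" '
        $1 == "<Directory" {
            d = $2
            sub(/>$/, "", d); gsub(/"/, "", d); sub(/\/$/, "", d)
            inside = (d == dir)
            next
        }
        $1 == "</Directory>" { inside = 0 }
        inside && tolower($1) == "allowoverride" {
            $1 = ""; sub(/^[ \t]+/, ""); val = $0
        }
        END { print val }
    ' "$1"
}

# check_basic_auth CONF HTACCESS WEBDIR
#   Prints "OK" and returns 0 when all conditions hold; otherwise prints the
#   first failed condition and returns 1.
check_basic_auth() {
    cba_ao=$(allowoverride_for_dir "$1" "$3")
    case " $cba_ao " in
        *" All "* | *" AuthConfig "*) ;;
        *)
            echo "FAIL: AllowOverride is '${cba_ao:-not set}' for $3, so the auth directives in .htaccess are not applied"
            return 1
            ;;
    esac
    if ! grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$2"; then
        echo "FAIL: $2 has no 'Require valid-user' line"
        return 1
    fi
    cba_pw=$(awk 'tolower($1) == "authuserfile" { print $2 }' "$2")
    case $cba_pw in
        '')
            echo "FAIL: $2 has no AuthUserFile line"
            return 1
            ;;
        "$3"/*)
            echo "FAIL: password file $cba_pw is inside the served directory"
            return 1
            ;;
    esac
    echo "OK"
}

# Paths used in this tutorial; runs only where phpMyAdmin is installed.
CONF=/etc/apache2/conf-available/phpmyadmin.conf
WEBDIR=/usr/share/phpmyadmin
if [ -r "$CONF" ] && [ -r "$WEBDIR/.htaccess" ]; then
    check_basic_auth "$CONF" "$WEBDIR/.htaccess" "$WEBDIR"
fi
```

Once the check passes and Apache has been restarted, a request to the phpMyAdmin URL without credentials should be answered with HTTP 401 rather than the login page.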

Congrats

You've successfully installed phpmyadmin on your Debian 11 server, and you can now manage your MySQL database with a web interface. For more information on phpmyadmin, check out their official website.

Important Note

What we’ve done in this article is suitable for testing purposes and personal use, whereas if you want to publish your site to production, and securely process your customers’ online transactions, we do suggest you check our Secure Your Site Using HTTPS blog article, that explains in detail how to secure your site with SSL certificates.

Reader Alert!

If you feel that the technical instructions in this tutorial are time-consuming, or beyond your expertise, you can choose a very convenient and practical solution, ready-made, fully and professionally tested, and developed by SSD Nodes (That is us 😊). Just visit our website, choose the server’s specifications that fit your needs, and while prompted to choose among the operating systems and the 1-Click Applications we have, choose phpmyadmin from the dropdown menu, complete your checkout, and in a couple of minutes our algorithms will take care of all the technical aspects smoothly and effortlessly, just for you!

Bonus: All our 1-Click applications are now installed with an active HTTPS self-signed certificate!

Way more practical, smooth, and headacheless, isn’t it?

Install Jitsi Meet on Debian 9 (Tutorial): https://www.ssdnodes.com/blog/install-jitsi-meet-on-debian-9-tutorial/ (Sun, 29 Mar 2020)

How To Install OpenVPN on Debian 10 (Tutorial)

SSD Nodes blog (Debian), Fri, 13 Sep 2019, https://www.ssdnodes.com/blog/install-openvpn-debian-10-tutorial/

Protect your browsing data: Install OpenVPN on Debian 10

There are literally lists of reasons why you might want to use a VPN, but keeping your data safe is #1 on our list.

And while there are some paid VPN services out there that are pretty easy on your wallet...

If you're trying to keep your data safe, then why would you trust it to an uber-secretive company that may-or-may-not have connections to data mining operations?

Answer: You shouldn't.

Especially when it's so easy and affordable to set up your own fast VPN on your SSD Nodes VPS.

So today, we're going to show you how to install OpenVPN on Debian 10 to keep your data truly safe.

Looking for a different Linux distro? Click any of the tutorials below:
👉How to install OpenVPN on Ubuntu 18.04
👉How to install OpenVPN on Ubuntu 16.04
👉How to install OpenVPN on Centos 7

Prerequisites to install OpenVPN on Debian 10

  • Two VPS running Debian 10, one to host the OpenVPN service and another to serve as your Certificate Authority (CA). It is not recommended to use your OpenVPN Server as your CA, because this opens up your VPN to security vulnerabilities.
  • A regular (non-root) account with sudo privileges. See our SSH keys tutorial for more information.

NOTE: If you disable password authentication while configuring these servers, you may run into difficulties when transferring files between them later on in this guide. To resolve this issue, you can re-enable password authentication on each server. Or, you can generate an SSH keypair for each server, then add the OpenVPN server’s public SSH key to the CA machine’s authorized_keys file and vice versa.

Step 1: Install OpenVPN and EasyRSA

Let’s start by updating our apt cache and installing openvpn.

sudo apt-get update
sudo apt-get install openvpn

OpenVPN uses SSL/TLS for authentication and key exchange to encrypt traffic between the server and clients. To issue trusted certificates, you will set up your own simple certificate authority (CA). To do this, we will download the latest version of EasyRSA, which we will use to build our CA public key infrastructure (PKI), from the project’s official GitHub repository.

NOTE: It is recommended that you keep the CA server turned off when not being used to sign keys as a further precautionary measure.

To begin building the CA and PKI infrastructure, use wget to download the latest version of EasyRSA on both your CA machine and your OpenVPN server.

wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz

Then extract the tarball:

cd ~
tar xvf EasyRSA-unix-v3.0.6.tgz

You have successfully installed all the required software on your server and CA machine. Continue to configure the variables used by EasyRSA and to set up a CA directory, from which you will generate the keys and certificates needed for your server and clients to access the VPN.

Step 2: Set up the Certificate Authority

EasyRSA comes packaged with a configuration file that can be edited to define several variables for your CA.

On your CA machine, navigate to the EasyRSA directory:

cd ~/EasyRSA-v3.0.6/

We can utilize the easy-rsa template by making a copy of an existing vars.example file in this directory and renaming it vars:

cp vars.example vars

We need to edit some of the variables that help decide how to create the certificates. Use nano, or another favorite editor, to open the file. We’ll be editing some variables toward the end of the file.

nano vars

Find the settings that set field defaults for new certificates. It will look something like this:

#set_var EASYRSA_REQ_COUNTRY    "US"
#set_var EASYRSA_REQ_PROVINCE   "California"
#set_var EASYRSA_REQ_CITY       "San Francisco"
#set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL      "me@example.net"
#set_var EASYRSA_REQ_OU         "My Organizational Unit"

Uncomment these lines and update the highlighted values to whatever you'd prefer, but do not leave them blank:

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "NewYork"
set_var EASYRSA_REQ_CITY       "New York City"
set_var EASYRSA_REQ_ORG        "SSDNodes"
set_var EASYRSA_REQ_EMAIL      "joel@example.net"
set_var EASYRSA_REQ_OU         "Marketing"

Save and close the file after editing.

Inside the EasyRSA directory is a script called easyrsa which is used to perform a variety of tasks involved with building and managing the CA. Run this script with the init-pki option to initiate the public key infrastructure on the CA server:

./easyrsa init-pki

After this, call the easyrsa script again, following it with the build-ca option. This builds the CA and creates two important files — ca.crt and ca.key — which make up the public and private sides of an SSL certificate.

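If you don’t want to be prompted for a password every time you interact with your CA, you can run the build-ca command with the nopass option. Note that with nopass the CA private key (ca.key) is stored unencrypted, so anyone who can read that file can sign certificates your VPN will trust: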

./easyrsa build-ca nopass

In the output, you’ll be asked to confirm the common name for your CA:

The common name is the name used to refer to this machine in the context of the certificate authority. You can enter any string of characters for the CA’s common name but, for simplicity’s sake, press ENTER to accept the default name.

With that, your CA is in place and it’s ready to start signing certificate requests.

Step 3: Create the server certificate and public/private keys

With the CA set up correctly, you can generate a private key and certificate request from your server and then transfer the request over to your CA to be signed, creating the required certificate.

Navigate to the EasyRSA directory on your OpenVPN server:

cd EasyRSA-v3.0.6/

From here, run the easyrsa script with the init-pki option. Although you already ran this command on the CA machine, it’s necessary to run it here because your server and CA will have separate PKI directories:

./easyrsa init-pki

Then call the easyrsa script again, this time with the gen-req option followed by a common name for the machine. This can be anything you like, but for the sake of this tutorial we’re choosing vpnserver. Include the nopass option; failing to do so will password-protect the request file, which could lead to permissions issues later on:

NOTE: If you choose a name other than “server” here, you will have to adjust some of the instructions below. For instance, when copying the generated files to the /etc/openvpn directory, you will have to substitute the correct names. You will also have to modify the /etc/openvpn/server.conf file later to point to the correct .crt and .key files.

./easyrsa gen-req vpnserver nopass

This will create a private key for the server and a certificate request file called vpnserver.req. Copy the server key to the /etc/openvpn/ directory:

sudo cp ~/EasyRSA-v3.0.6/pki/private/vpnserver.key /etc/openvpn/

Using a secure method (like SCP, in our example below), transfer the vpnserver.req file to your CA machine:

scp ~/EasyRSA-v3.0.6/pki/reqs/vpnserver.req joel@your_CA_ip:/tmp

Next, on your CA machine, navigate to the EasyRSA directory:

cd EasyRSA-v3.0.6/

Using the easyrsa script again, import the vpnserver.req file, following the file path with its common name:

./easyrsa import-req /tmp/vpnserver.req vpnserver

Then sign the request by running the easyrsa script with the sign-req option, followed by the request type and the common name. The request type can either be client or server, so for the OpenVPN server’s certificate request, be sure to use the server request type:

./easyrsa sign-req server vpnserver

If you encrypted your CA key, you’ll be prompted for your password at this point.

Next, transfer the signed certificate back to your VPN server using a secure method:

scp pki/issued/vpnserver.crt joel@your_server_ip:/tmp

Before logging out of your CA machine, transfer the ca.crt file to your server as well:

scp pki/ca.crt joel@your_server_ip:/tmp

Next, log back into your OpenVPN server and copy the vpnserver.crt and ca.crt files into your /etc/openvpn/ directory:

sudo cp /tmp/{vpnserver.crt,ca.crt} /etc/openvpn/

Then navigate to your EasyRSA directory:

cd EasyRSA-v3.0.6/

From there, create a strong Diffie-Hellman key to use during the key exchange by typing:

./easyrsa gen-dh

This may take a few minutes to complete. Once it does, generate an HMAC signature to strengthen the server's TLS integrity verification capabilities:

openvpn --genkey --secret ta.key

When the command finishes, copy the two new files to your /etc/openvpn/ directory:

sudo cp ~/EasyRSA-v3.0.6/ta.key /etc/openvpn/
sudo cp ~/EasyRSA-v3.0.6/pki/dh.pem /etc/openvpn/

With all the needed certificate and key files generated, you are set to create the corresponding certificates and keys which will be used by your client machine to access your OpenVPN server.

Step 4: Generating a Client Certificate and Key Pair

Create a directory structure within your home directory to store the client certificate and key files:

mkdir -p ~/client-configs/keys

Since your clients' certificate/key pairs and configuration files will be stored in this directory, lock down its permissions as a security measure:

chmod -R 700 ~/client-configs

Next, navigate back to the EasyRSA directory and run the easyrsa script with the gen-req and nopass options, along with the common name for the client:

NOTE: You will need to pass a unique name value to the script for every client. Throughout this tutorial, the first certificate/key pair is referred to as clienta.

cd ~/EasyRSA-v3.0.6/
./easyrsa gen-req clienta nopass

Press ENTER to confirm the common name. Then, copy the clienta.key file to the ~/client-configs/keys/ directory you created earlier:

cp pki/private/clienta.key ~/client-configs/keys/

Next, securely transfer the clienta.req file to your CA machine:

scp pki/reqs/clienta.req joel@your_CA_ip:/tmp

Log in to your CA machine, navigate to the EasyRSA directory, and import the certificate request:

ssh joel@your_CA_ip
cd EasyRSA-v3.0.6/
./easyrsa import-req /tmp/clienta.req clienta

Then sign the request as you did for the server in the previous step. This time, though, be sure to specify the client request type:

./easyrsa sign-req client clienta

At the prompt, enter yes to confirm that you intend to sign the certificate request and that it came from a trusted source. You'll see the following output:

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes

Again, if you encrypted your CA key, you’ll be prompted for your password here.

This will create a client certificate file named clienta.crt. Transfer this file back to the server:

scp pki/issued/clienta.crt joel@your_server_ip:/tmp

SSH back into your OpenVPN server and copy the client certificate to the ~/client-configs/keys/ directory:

cp /tmp/clienta.crt ~/client-configs/keys/

Next, copy the ca.crt and ta.key files to the ~/client-configs/keys/ directory as well:

cp ~/EasyRSA-v3.0.6/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/

Your server and client’s certificates and keys have all been generated and are stored in the appropriate directories on your server.

Step 5: Configure the OpenVPN Service

Now that both your client and server’s certificates and keys have been generated, you can start configuring the OpenVPN service to run on Debian 10 using these credentials.

Begin by copying a sample OpenVPN configuration file into the configuration directory and then extract it to use it as a basis for your setup:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

Open the server configuration file in your preferred text editor:

sudo nano /etc/openvpn/server.conf

Find the HMAC section by looking for the tls-auth directive. This line should already be uncommented, but if it isn’t then remove the ";" to uncomment it. Below this line, add the key-direction parameter, set to "0":

tls-auth ta.key 0 # This file is secret
key-direction 0

Next, find the section on cryptographic ciphers by looking for the commented out cipher lines. The AES-256-CBC cipher offers a good level of encryption and is well supported. Again, this line should already be uncommented, but if it isn’t then just remove the ";" preceding it:

cipher AES-256-CBC

Below this, add an auth directive to select the HMAC message digest algorithm. For this, SHA256 is a good choice:

auth SHA256

If, as in this tutorial, you selected a different name during the ./build-key-server command earlier, modify the cert and key lines to point to the appropriate .crt and .key files. The default is server, while vpnserver is used in this guide.

cert vpnserver.crt
key vpnserver.key

Next, find the line containing a dh directive which defines the Diffie-Hellman parameters. Because of some recent changes made to EasyRSA, the filename for the Diffie-Hellman key may be different than what is listed in the example server configuration file. If necessary, change the file name listed here by removing the 2048 so it aligns with the key you generated in the previous step:

dh dh.pem

Finally, find the user and group settings and remove the ";" at the beginning of each to uncomment these lines:

user nobody
group nogroup

The changes you’ve made to the sample server.conf file up to this point are necessary for OpenVPN to function.
When you are finished, save and close the file.

After going through and making whatever changes to your server’s OpenVPN configuration are required for your specific use case, you can begin making some changes to your server’s networking.

Step 6: Starting and Enabling the OpenVPN Service

Before we configure our clients, let’s make sure the OpenVPN server is running as we hope it will.

Make sure to turn on TUN/TAP in the SSD Nodes dashboard.

$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server

You can double-check that OpenVPN is running with the systemctl status command:

$ sudo systemctl status openvpn@server

You will also need to set up iptables to properly direct traffic. First, look for the default interface.

$ sudo ip route | grep default

Your output will look like this:

default via 198.51.100.0 dev eth0 proto static 

The interface name after dev (eth0 in this output) is what we’re looking for; use it in the iptables rule below. To ensure this rule is persistent between reboots, install the iptables-persistent package, which will prompt you to save existing rules. Choose Yes and your rules will be persisted moving forward.

$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
$ sudo apt-get install iptables-persistent

Step 7: Configure clients

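Lastly, you need to create client configurations. You can store these in any folder you’d like, as long as it isn’t the /etc/openvpn folder. The base configuration doesn’t need to be kept secret, but the finished .ovpn files will embed each client’s private key, so keep those readable only by your own user. We’ll create a directory in home for this purpose.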

$ cd ~
$ mkdir openvpn-clients
$ cd openvpn-clients

Now, copy the sample client configuration into this new directory, and then open it in nano for editing.

$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/openvpn-clients/base.conf
$ nano base.conf

Look for the following block of lines. You’ll need to change the my-server-1 to the public IP address of this VPS. You can find this information in the SSD Nodes dashboard, or by typing in the ifconfig command and looking for the inet field that does not look like 127.0.0.x.

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194

Next, uncomment the following two lines by removing the semicolon.

Before:

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup

After:

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

Because we’ll be adding keys and certificates directly into the .ovpn file, let’s comment out the following lines by adding semicolons to the beginning.

Before:

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

After:

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key

Finally, jump to the bottom of the file and add the following lines. The first two mirror the cipher/auth options we added to the server.conf file earlier, and the third establishes that this file will be used to connect to the server, not the other way around.

We’re also adding three commented-out lines that should be uncommented for Linux-based systems that use update-resolv-conf.

# Added lines via SSD Nodes tutorial
cipher AES-256-CBC
auth SHA256
key-direction 1

# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
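
A disagreement in cipher, auth or key-direction between server.conf and the client's base.conf can keep the tunnel from coming up, so it is worth comparing the two files before building client profiles. The script below is an added example, not part of the original tutorial; the function names ovpn_get, ovpn_check_pair and ovpn_demo and the sample configs are constructed for illustration.

```sh
#!/bin/sh
# Print the arguments of the first active (not '#' or ';' commented) occurrence
# of directive $2 in OpenVPN config file $1, with any trailing comment removed.
ovpn_get() {
    awk -v d="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == d { sub(/[ \t]*[#;].*$/, ""); $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Compare server config $1 with client config $2; print each problem found.
# Returns 0 only when every check passes.
ovpn_check_pair() {
    srv=$1; cli=$2; bad=0
    for d in cipher auth; do                # must be identical on both ends
        s=$(ovpn_get "$srv" "$d"); c=$(ovpn_get "$cli" "$d")
        if [ -z "$s" ] || [ "$s" != "$c" ]; then
            echo "MISMATCH $d: server='$s' client='$c'"; bad=$((bad + 1))
        fi
    done
    s=$(ovpn_get "$srv" key-direction); c=$(ovpn_get "$cli" key-direction)
    case "$s/$c" in                         # must be complementary: 0 and 1
        0/1|1/0) ;;
        *) echo "MISMATCH key-direction: server='$s' client='$c'"; bad=$((bad + 1)) ;;
    esac
    for f in "$srv" "$cli"; do              # privilege drop must be uncommented
        for d in user group; do
            [ -n "$(ovpn_get "$f" "$d")" ] || { echo "MISSING $d in $f"; bad=$((bad + 1)); }
        done
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample configs: the client has a different auth digest and still
# has user/group commented out, as in the stock client.conf.
ovpn_demo() {
    tmp=$(mktemp -d); rc=0
    printf '%s\n' 'tls-auth ta.key 0 # This file is secret' 'key-direction 0' \
        'cipher AES-256-CBC' 'auth SHA256' 'user nobody' 'group nogroup' > "$tmp/server.conf"
    printf '%s\n' 'cipher AES-256-CBC' 'auth SHA512' 'key-direction 1' \
        ';user nobody' ';group nogroup' > "$tmp/base.conf"
    ovpn_check_pair "$tmp/server.conf" "$tmp/base.conf" || rc=$?
    rm -rf "$tmp"; return "$rc"
}

# Usage: sh check.sh /etc/openvpn/server.conf ~/openvpn-clients/base.conf
if [ "$#" -eq 2 ]; then ovpn_check_pair "$1" "$2"; else ovpn_demo || true; fi
```

Run without arguments it reports the constructed mismatch; run with the two real paths it exits non-zero if any of the checks fail.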

Finally, you need to embed the keys and certificates into an .ovpn file using base.conf as a framework. Copy this entire command and execute it to embed the keys and create a final client1.ovpn file. The paths point at the ~/client-configs/keys/ directory and the clienta files created in Step 4.

$ cat base.conf \
    <(echo -e '<ca>') ~/client-configs/keys/ca.crt <(echo -e '</ca>') \
    <(echo -e '<cert>') ~/client-configs/keys/clienta.crt <(echo -e '</cert>\n') \
    <(echo -e '<key>') ~/client-configs/keys/clienta.key <(echo -e '</key>\n') \
    <(echo -e '<tls-auth>') ~/client-configs/keys/ta.key <(echo -e '</tls-auth>') \
    >> client1.ovpn
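
Because the finished profile embeds the client's private key and the shared ta.key, it should be created with owner-only permissions and checked before it is handed out. The script below is an added example, not part of the original tutorial: ovpn_bundle, ovpn_bundle_check and the placeholder credential files are hypothetical, and it assumes ca.crt, ta.key and the client's .crt/.key sit in one directory as in Step 4.

```sh
#!/bin/sh
# ovpn_bundle BASE KEYDIR CLIENT OUT: write OUT = BASE plus inline credentials.
ovpn_bundle() (
    umask 077                       # OUT embeds a private key: owner access only
    for f in "$1" "$2/ca.crt" "$2/$3.crt" "$2/$3.key" "$2/ta.key"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; exit 1; }
    done
    rm -f "$4"                      # recreate, so the umask decides the mode
    {
        cat "$1"
        echo '<ca>';       cat "$2/ca.crt"; echo '</ca>'
        echo '<cert>';     cat "$2/$3.crt"; echo '</cert>'
        echo '<key>';      cat "$2/$3.key"; echo '</key>'
        echo '<tls-auth>'; cat "$2/ta.key"; echo '</tls-auth>'
    } > "$4"
)

# ovpn_bundle_check FILE: succeed only if exactly one inline block of each kind
# carries the expected PEM marker and FILE grants nothing to group or others.
ovpn_bundle_check() {
    file=$1; bad=0
    for spec in 'ca:BEGIN CERTIFICATE' 'cert:BEGIN CERTIFICATE' \
                'key:PRIVATE KEY' 'tls-auth:BEGIN OpenVPN Static key'; do
        tag=${spec%%:*}; marker=${spec#*:}
        n=$(awk -v t="$tag" -v m="$marker" '
            $0 == ("<" t ">")  { inside = 1; seen = 0; next }
            $0 == ("</" t ">") { if (inside && seen) ok++; inside = 0; next }
            inside && index($0, m) { seen = 1 }
            END { print ok + 0 }' "$file")
        [ "$n" -eq 1 ] || { echo "BAD <$tag>: $n valid block(s)"; bad=$((bad + 1)); }
    done
    [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
        { echo "BAD mode: accessible beyond the owner"; bad=$((bad + 1)); }
    [ "$bad" -eq 0 ]
}

# Constructed placeholder inputs: marker lines only, no real key material.
ovpn_bundle_demo() {
    dir=$(mktemp -d); rc=0
    echo 'client' > "$dir/base.conf"
    echo '-----BEGIN CERTIFICATE-----' | tee "$dir/ca.crt" > "$dir/clienta.crt"
    echo '-----BEGIN PRIVATE KEY-----' > "$dir/clienta.key"
    echo '-----BEGIN OpenVPN Static key V1-----' > "$dir/ta.key"
    { ovpn_bundle "$dir/base.conf" "$dir" clienta "$dir/clienta.ovpn" &&
        ovpn_bundle_check "$dir/clienta.ovpn"; } || rc=$?
    rm -rf "$dir"; return "$rc"
}
ovpn_bundle_demo && echo "bundle OK"
```

The check also catches a certificate and key pasted into each other's block, since each tag is matched against its own marker.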

This tutorial won’t cover client configurations in detail, but we’ll share one easy way to transfer the .ovpn file to your Linux or OS X client. This command will ssh into your VPS, and then use cat to write a new client1.ovpn file on your local machine.

$ ssh USER@SERVER-IP "cat ~/openvpn-clients/client1.ovpn" > client1.ovpn

Once you configure your client, you should be able to connect to the VPN and access the wider internet through it.

You're now using OpenVPN on Debian 10 to keep your browsing data private.

Congrats! You can now browse the internet mostly anonymously. Your VPN can keep your ISP from seeing your browsing data and add an extra level of encryption for critical information.

A VPN isn't a complete invisibility cloak, however.

It doesn't cause you to cease to exist. Some activity may still be traceable, especially by law enforcement entities. So study up on what it can and can't do for you to avoid getting yourself into trouble.

If you'd like a more automated method of installing OpenVPN, plus a few other VPN options, consider trying out our Streisand tutorial to learn about another popular VPN you can use on your VPS.
