When you’re running a VPN connection, it’s usually most reliable to run OpenVPN as a service. Somewhat strangely, it’s not that easy to do on Debian when you’re working with a static IP address.
Several systems are in conflict, and it takes a bit of extra care to straighten things out. This guide explains exactly how to set this up reliably.
In this tutorial you will learn:
- How to Install OpenVPN and Resolvconf on Debian.
- How to Disable NetworkManager.
- How to Configure Your Static IP.
- How to Configure OpenVPN.
Software Requirements and Conventions Used
|Category||Requirements, Conventions or Software Version Used|
|System||Debian Stable, Testing, or Sid|
|Other||Privileged access to your Linux system as root or via the
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of
$ – requires given linux commands to be executed as a regular non-privileged user
How to Install OpenVPN and Resolvconf
There are a couple of components that you’ll need to get this all set up. Obviously, you’re going to need OpenVPN, but you’re also going to need Resolvconf. It’s a dedicated service that automatically updates the
resolv.conf file. Normally, it will work in conjunction with your network interfaces configuration, but OpenVPN also comes with scripts that utilize it to work with your VPN’s DNS.
Start off by installing both OpenVPN and Resolvconf on your system. They’re both available in the default Debian repositories, so you can just grab them with Apt.
$ sudo apt install openvpn resolvconf
How to Disable NetworkManager
Unless you’re running a minimal or headless Debian install, NetworkManager is going to be running your network connections by default. That’s usually a good thing, but if you’re looking to use a static IP address, NetworkManager can be a major pain.
NetworkManager will get in the way of your static IP configuration, and it absolutely will screw up your DNS. The best thing that you can do is stop and disable it. Before you shut down NetworkManager, make sure that you have your OpenVPN configuration files from your provider.
$ sudo systemctl stop NetworkManager $ sudo systemctl disable NetworkManager
How to Configure Your Static IP
You can now start to set up your static IP configuration. You actually don’t need to use a static IP for this to work. If you want to keep on using DHCP, you can leave this part out.
To use a static IP, open up
/etc/network/interfaces with your text editor of choice. On the first line, you’ll see
auto lo. Add your current network interface to that line. You can find it by running
ip a, if you aren’t sure.
Toward the bottom of the file, you’ll see a line like the one below. Substitute your own interface and change
iface eth0 inet dhcp
iface eth0 inet static
Below that, you’ll need to set up the following lines to match your network connection. Indent each one with four spaces.
address 192.168.1.110 broadcast 192.168.1.255 netmask 255.255.255.0 gateway 192.168.1.1 dns-nameservers 192.168.1.1
dns-nameservers line is where you can specify the nameservers that you want to use when not connected to your VPN. These are the servers that will also be used to establish the connection to the VPN. You can use external DNS, point it at your router, or use something like DNSCrypt.
How to Configure OpenVPN
Now, you’re ready to move on to OpenVPN. Copy the OpenVPN configuration from your VPN provider into
/etc/openvpn. In order to make everything automatic, there are a couple of modifications that you’ll need to make. First, create another file in the OpenVPN folder called,
auth.txt. Inside that file, put your VPN username on the first line and your password on the second one.
Open your VPN configuration file. Locate the line
auth-user-pass, and append
auth.txt to the end of it, so it looks like,
Toward the bottom of the file, before the keys, add in the following three lines to make OpenVPN update your nameservers when it starts and exits.
script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf
Save the file and exit. Speaking of that file, it’s a good idea to rename it to something simple and easily identifiable. Leave on the
.conf extension, though.
There’s one more file that you need to edit. It controls which configurations OpenVPN starts by default. With your text editor, open up
/etc/default/openvpn. Towards the top of the file, you’ll find several commented lines that begin with
AUTOSTART. Uncomment one, and edit it contain the name of your OpenVPN configuration file without the
When you’re done, save the file and close it.
Double-check all of your configurations, and restart your computer. If everything lines up, it’ll boot up and immediately connect to your VPN. You can check that everything is working properly with the extended test on DNSLeakTest. You should only see your VPN’s IP and DNS.
Your Debian system should now be configured to use OpenVPN as a service on start-up. More importantly, though, it should be using the correct DNS to prevent leaks and other DNS related problems. Whenever you start up or shut down OpenVPN, your computer will toggle between your VPN’s DNS servers and the ones you configured during the static IP setup.