30. Install OpenVPN

by Cover Tower - Updated March 14, 2021

A Virtual Private Network (VPN) server installed on a remote server creates an encrypted tunnel between your local machine/device and the remote server. In this way, you can surf the Internet with the IP of the remote server, as if you were physically present in your server’s physical location. VPNs can also be used to create encrypted data channels between two business locations, etc. However in general, you will want to use a VPN in the following three common situations:

  • You want to access the Internet from an unsecure public network, such as from the Wi-Fi connection of a cafe, restaurant, hotel lobby, airport, railway station, etc. To make sure that nobody can intercept your traffic and credentials when logging in to HTTP websites, you’ll want to connect to a VPN. This way all the data traffic between you and the remote server will be encrypted.
  • You have access to an Internet banking account offered by your bank. You decide to leave your country and spend some time abroad. When you try to access your online banking account from outside your country, you find that your bank’s software blocks all IPs geolocated outside your country. Instead of calling the bank, complaining and listening to your bank’s excuses, etc., you can just access your bank’s site through a VPN. This way the bank will see that your IP is located in your home country and will let you log in. This is legal, because you have all the rights to log in to your Internet banking account and it’s not your fault that the bank’s software is not capable and flexible enough to deal with this kind of situations. This implies that your VPN server is installed on a server physically located in a datacenter inside your home country.
  • You want to access a website/service which requires you to be located in your home country, while you are abroad. Using a VPN you can sign up or log in to that website/service as if you were physically located in your home country. This implies that your VPN server is installed on a server physically located in a datacenter inside your home country.

Install OpenVPN from Debian repositories:

apt-get install openvpn

We’ll configure OpenVPN for IPv4 only because IPv6 connectivity can create problems such as DNS leaks in certain situations, at least with the current version of OpenVPN.

An OpenVPN connection consists of two channels between the server and the clients: the Control Channel and the Data Channel. A client connects to the server by initiating a TLS session over the control channel, in which credentials are exchanged between server and clients to establish the data channel. The data channel is the encrypted pipeline in which all traffic between server and clients is then transmitted.

Create a new user for the OpenVPN daemon to run as, after startup. Forcing OpenVPN to run under its own account is a good way to isolate it from the rest of the system. Here we’ll call the new user openvpn_server:

adduser --system --shell /bin/false --no-create-home openvpn_server

Next, we need to create the /etc/openvpn/server.conf configuration file. OpenVPN already has many sample configuration files. We’ll extract the /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz archived sample configuration file into the /etc/openvpn directory:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Run the make-cadir command to create a certificates directory and copy all the necessary files from /usr/share/easy-rsa to the new directory, which we’ll also name easy-rsa:

make-cadir /etc/openvpn/easy-rsa

Switch to the new directory:

cd /etc/openvpn/easy-rsa

Edit the /etc/openvpn/easy-rsa/vars file:

nano /etc/openvpn/easy-rsa/vars

Uncomment the following lines and change the default parameters with your own data, or leave them blank by deleting the words between double quotes:

set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"

Also, uncomment the following lines and change the parameters as follows:

set_var EASYRSA_CA_EXPIRE 54750
set_var EASYRSA_CERT_EXPIRE 54750

Next, edit the /etc/openvpn/server.conf file:

nano /etc/openvpn/server.conf

Modify the lines giving the location of the certificate and key files and of the Diffie-Hellman parameter file, so that they look like the lines below. Replace example.com with your domain:

# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/mail.example.com.crt
key /etc/openvpn/easy-rsa/pki/private/mail.example.com.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/dh2048.pem

Set OpenVPN to push a gateway configuration so all clients send internet traffic through it:

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

Push DNS resolvers to the client devices. Setting the client's resolvers from the server this way is the best way to prevent DNS leaks. The OpenDNS server IPs are used below, but you can change them to other DNS IPs.

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Require a matching HMAC signature on every packet of the TLS handshake between the server and connecting clients; packets without a valid signature are dropped. Change the line:

tls-auth ta.key 0 # This file is secret

make it look like this:

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret

Also, change the data channel’s authentication digest to SHA-512 (a SHA-2 hash function). Search for the cipher AES-256-CBC line and right under it add:

auth SHA512

Also restrict the VPN’s control channel to strong cipher suites. It is recommended to be as restrictive as possible here, but not all cipher suites can be used with all versions of OpenVPN. Add the following line right under the auth SHA512 line:

tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

By default, the cipher suite used for the control channel is whichever one the server and client agree on during the TLS handshake; the agreement is based on what their respective OpenSSL versions support.

Also enable compression like this:

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

Uncomment the user and group lines and make them look like below. This tells the OpenVPN daemon to drop root privileges and switch to the openvpn_server user after startup.

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user openvpn_server
group nogroup

Change logging verbosity to 0:

verb 0

30.1. Generate the Diffie-Hellman PEM file

The Diffie-Hellman parameter is a piece of randomly generated data used when establishing forward secrecy during the creation of a client’s session key. Create the file by running:

openssl dhparam 2048 > /etc/openvpn/dh2048.pem

The output should look like this:

Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.................................................+.....+

Depending on the specifications of your server, this will take about 1 minute to complete. The resulting file will be: /etc/openvpn/dh2048.pem where 2048 indicates the bit length of the Diffie-Hellman parameter.

The Diffie-Hellman PEM file can be arbitrarily deleted and regenerated without needing to change server or client settings.

30.2. Generate the HMAC key file

Later we’ll transfer it to each client device. First create the keys directory:

cd /etc/openvpn/easy-rsa
mkdir keys

Generate the HMAC key file:

openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key


30.3. Server Credentials

It’s necessary to run the next commands while in the /etc/openvpn/easy-rsa directory, so navigate there:

cd /etc/openvpn/easy-rsa


30.3.1. Create the root certificate or Certificate Authority file

A root certificate, sometimes called a Certificate Authority (CA) certificate, is the certificate that will be used to sign the server and client certificates. First create the pki directory:

./easyrsa init-pki

Create the Certificate Authority file:

./easyrsa build-ca

First, you will be prompted to enter a CA Key Passphrase, twice. Enter a passphrase and store it in a secure place. Then you will be prompted to enter the Common Name: enter mail.example.com, which is the content of the /etc/hostname file, and press Enter. The ./easyrsa build-ca command will create the Certificate Authority file /etc/openvpn/easy-rsa/pki/ca.crt.

Generate the server certificate and key by running:

./easyrsa build-server-full mail.example.com nopass

where mail.example.com is the content of the /etc/hostname file. The nopass option disables the passphrase on the key file. First you will be prompted to enter the CA Key Passphrase that you saved earlier, then you will be prompted to enter the Common Name, so enter mail.example.com. The command will generate two important files: the server key:

/etc/openvpn/easy-rsa/pki/private/mail.example.com.key

and the certificate:

/etc/openvpn/easy-rsa/pki/issued/mail.example.com.crt

30.4. Client credentials

You have to generate a unique set of credentials for each client that will connect to the VPN server. You can repeat this step for any client that you need to create credentials for.

All clients should have a unique name. Change client1 in the following lines to a descriptive name of your choice that you will be able to associate with the client:

./easyrsa build-client-full client1 nopass

After you enter the CA Key Passphrase, the command will generate the client key:

/etc/openvpn/easy-rsa/pki/private/client1.key

and the client certificate:

/etc/openvpn/easy-rsa/pki/issued/client1.crt

30.4.1. Client configuration file

Each client needs a configuration file defining the OpenVPN server’s settings for it. We can’t save this configuration file in /etc/openvpn, because the server.conf file is located there. We’ll store it in the /etc/openvpn/easy-rsa/keys/client1 folder along with the other client files, even if this file doesn’t need to be kept secret.

First create a directory for the credentials of client1:

mkdir /etc/openvpn/easy-rsa/keys/client1

Copy the client.conf template from the /usr/share/doc/openvpn/examples/sample-config-files directory and open it for editing. Clients usually require a .ovpn file format instead of .conf, so we’ll change the file extension during copying:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client1/client.ovpn

Update the remote line with the OpenVPN server’s IP address:

nano /etc/openvpn/easy-rsa/keys/client1/client.ovpn

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 123.123.123.123 1194

A hostname would work too but it’s preferable for security reasons to connect by IP and bypass the DNS lookup.

Tell the client-side OpenVPN service to drop root privileges. This is for non-Windows machines only. If you use Windows, comment out the user and group parameters here by placing a semicolon in front of them.

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

Further down in the file, edit the ca, cert and key lines to reflect the names and locations on the client device. If you use Linux, the paths will be as shown below. If you use Windows, the paths will be completely different, as shown:

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key

For Windows:

ca ca.crt
cert client1.crt
key client1.key

Tell the client to use the HMAC key generated earlier. Please note that for Windows, the path is different:

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth /etc/openvpn/keys/ta.key 1

For Windows:

tls-auth ta.key 1

Also enable compression like this:

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

Since the VPN server was told to force certain cryptographic settings in its config file, the clients must have the same settings. Add these lines right under cipher AES-256-CBC:

auth SHA512

tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

If you use Windows, add this parameter at the end of the file, to prevent password caching:

auth-nocache
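The server and client settings above must line up exactly: the cipher, auth digest and tls-cipher list have to be identical, comp-lzo has to be on both sides or on neither, and the tls-auth key direction must be 0 on the server and 1 on the client. The script below is an added example, not part of the original guide or of OpenVPN; it reads a server.conf and a client .ovpn and reports any mismatch, plus the server-side user/group and redirect-gateway lines this chapter adds. The two configuration files built inside vpn_config_demo are constructed, trimmed versions of this chapter's configs.

```sh
#!/bin/sh
# Added example, not part of the original guide: report settings that
# differ between a server.conf and a client .ovpn. Only reads the files.

# has FILE DIRECTIVE -> true if FILE has an uncommented DIRECTIVE line
has() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# opt FILE DIRECTIVE -> value of the first uncommented DIRECTIVE line,
# with any trailing "# comment" and surrounding whitespace removed
opt() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" | head -n 1 |
        sed -e 's/#.*//' -e "s/^[[:space:]]*$2[[:space:]]*//" -e 's/[[:space:]]*$//'
}

# vpn_config_check SERVER_CONF CLIENT_OVPN
# prints one line per finding; returns 0 when everything agrees, 1 otherwise
vpn_config_check() {
    srv="$1"; cli="$2"; rc=0
    # data-channel cipher, HMAC digest and control-channel suites must match
    for d in cipher auth tls-cipher; do
        s=$(opt "$srv" "$d"); c=$(opt "$cli" "$d")
        if [ "$s" != "$c" ]; then
            echo "MISMATCH $d: server='$s' client='$c'"; rc=1
        fi
    done
    # comp-lzo is all-or-nothing: both sides or neither
    s_lzo=0; c_lzo=0
    has "$srv" comp-lzo && s_lzo=1
    has "$cli" comp-lzo && c_lzo=1
    if [ "$s_lzo" != "$c_lzo" ]; then
        echo "MISMATCH comp-lzo: enabled on only one side"; rc=1
    fi
    # tls-auth: present on both sides, key direction 0 (server) / 1 (client)
    s_ta=$(opt "$srv" tls-auth); c_ta=$(opt "$cli" tls-auth)
    s_dir=${s_ta##* }; c_dir=${c_ta##* }
    if [ -z "$s_ta" ] || [ -z "$c_ta" ]; then
        echo "MISMATCH tls-auth: must be set on both sides"; rc=1
    elif [ "$s_dir" != 0 ] || [ "$c_dir" != 1 ]; then
        echo "MISMATCH tls-auth direction: server='$s_dir' (want 0) client='$c_dir' (want 1)"; rc=1
    fi
    # server-side hardening this chapter adds
    for d in user group; do
        has "$srv" "$d" || { echo "WARN server: no '$d' line, daemon keeps root"; rc=1; }
    done
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$srv" ||
        { echo "WARN server: no redirect-gateway push, clients keep their default route"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cli matches $srv"
    return "$rc"
}

# vpn_config_demo -> builds constructed, trimmed copies of this chapter's
# server.conf and client.ovpn, checks a matching and a stale client, and
# returns 0 if both were classified correctly
vpn_config_demo() {
    dir=$(mktemp -d)
    cat > "$dir/server.conf" <<'EOF'
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
comp-lzo
user openvpn_server
group nogroup
EOF
    cat > "$dir/client.ovpn" <<'EOF'
remote 123.123.123.123 1194
user nobody
group nogroup
tls-auth /etc/openvpn/keys/ta.key 1
comp-lzo
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
EOF
    # a client that never got the "auth SHA512" line (OpenVPN would then
    # fall back to its SHA1 default and the handshake would fail)
    grep -v '^auth SHA512$' "$dir/client.ovpn" > "$dir/stale.ovpn"
    if vpn_config_check "$dir/server.conf" "$dir/client.ovpn"; then good=0; else good=1; fi
    if vpn_config_check "$dir/server.conf" "$dir/stale.ovpn"; then stale=0; else stale=1; fi
    rm -rf "$dir"
    [ "$good" -eq 0 ] && [ "$stale" -eq 1 ]
}

vpn_config_demo
```

On the server, run vpn_config_check /etc/openvpn/server.conf /etc/openvpn/easy-rsa/keys/client1/client.ovpn before packing the client tarball in 30.4.2; a client whose settings drift from the server's typically fails with an authentication or decryption error at connect time, with little to say about which line is wrong.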

Copy all the files necessary for client1 in the /etc/openvpn/easy-rsa/keys/client1 directory:

cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/keys/client1

cp /etc/openvpn/easy-rsa/pki/issued/client1.crt /etc/openvpn/easy-rsa/keys/client1

cp /etc/openvpn/easy-rsa/pki/private/client1.key /etc/openvpn/easy-rsa/keys/client1

cp /etc/openvpn/easy-rsa/keys/ta.key /etc/openvpn/easy-rsa/keys/client1

30.4.2. Pack all the necessary client files into a tarball to transfer them

The specific files are:

/etc/openvpn/easy-rsa/keys/client1/ca.crt

/etc/openvpn/easy-rsa/keys/client1/client1.crt

/etc/openvpn/easy-rsa/keys/client1/client1.key

/etc/openvpn/easy-rsa/keys/client1/client.ovpn

/etc/openvpn/easy-rsa/keys/client1/ta.key

tar czf /etc/openvpn/client1.tar.gz -C /etc/openvpn/easy-rsa/keys/client1 ca.crt client1.crt client1.key client.ovpn ta.key

30.5. Open port in firewall

Open the necessary port in the firewall with ufw:

ufw allow 1194/udp

Since we don’t need IPv6 for OpenVPN, we can delete the allow rule for port 1194/udp for IPv6. Run:

ufw status numbered

The output of this command will look like this:

[15] 1194/udp (v6) ALLOW IN Anywhere (v6)

In this case, the number of the rule that we want to delete is 15. To remove the rule run:

ufw delete 15

replacing 15 with your number. Answer yes to confirm.
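Rule numbers in ufw status numbered shift as soon as a rule is deleted, so when several IPv6 rules have to go, deleting them from the highest number downwards keeps the remaining numbers valid. The function below is an added example, not part of the original guide or of ufw; it extracts the IPv6 rule numbers for a given port/protocol from ufw status numbered output on stdin and sorts them highest first. The SAMPLE_UFW_STATUS text is constructed.

```sh
#!/bin/sh
# Added example, not part of the original guide: find the IPv6 rule
# numbers for one port/protocol in `ufw status numbered` output.

# ufw_v6_rule_numbers RULE   (reads `ufw status numbered` output on stdin)
# prints the numbers of all "(v6)" rules for RULE (e.g. 1194/udp), one per
# line, highest first. ufw pads single digits as "[ 5]", hence the " *".
ufw_v6_rule_numbers() {
    sed -n "s|^\[ *\([0-9]\{1,\}\)\][[:space:]]\{1,\}$1 (v6) .*|\1|p" | sort -rn
}

# Constructed sample of `ufw status numbered` output; the IPv6 1194/udp
# rule appears twice to show the ordering.
SAMPLE_UFW_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 6283/tcp                   ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 1194/udp                   ALLOW IN    Anywhere
[ 4] 6283/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 5] 1194/udp (v6)              ALLOW IN    Anywhere (v6)
[15] 1194/udp (v6)              ALLOW IN    Anywhere (v6)'

# ufw_v6_demo -> numbers found in the constructed sample, highest first
ufw_v6_demo() {
    printf '%s\n' "$SAMPLE_UFW_STATUS" | ufw_v6_rule_numbers 1194/udp
}

ufw_v6_demo
```

On the server the real thing is ufw status numbered | ufw_v6_rule_numbers 1194/udp, and each number it prints can be fed to ufw delete in that order; only the IPv4 rule for 1194/udp (no "(v6)" suffix) should remain.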

It’s assumed that you already have the HTTP and HTTPS ports (80 and 443) opened in the firewall.

The kernel must be told that it can forward incoming IPv4 traffic. Edit the /etc/sysctl.d/99-sysctl.conf:

nano /etc/sysctl.d/99-sysctl.conf

Add the following line at the end of the file:

net.ipv4.ip_forward=1

Activate the sysctl change:

sysctl -p

The UFW forwarding policy needs to be set as well. We’ll do this in the primary configuration file.

nano /etc/default/ufw

Look for the following line:

DEFAULT_FORWARD_POLICY="DROP"

This must be changed from DROP to ACCEPT. It should look like this:

DEFAULT_FORWARD_POLICY="ACCEPT"

Next we will add additional UFW rules for network address translation and IP masquerading of connected clients.

nano /etc/ufw/before.rules

Next, add the lines between # START OPENVPN RULES and # END OPENVPN RULES like this:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from the OpenVPN client subnet to eth0. 10.8.0.0/24 is the
# network defined by the sample server.conf's "server 10.8.0.0 255.255.255.0"
# line; keep the mask to that subnet rather than all of 10.0.0.0/8.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

Replace eth0 with the actual name of your server's network interface, as shown by the ifconfig command (or by ip link if ifconfig is not installed).

Restart ufw in order to apply the new changes:

systemctl restart ufw

Next, enable and restart the openvpn service:

systemctl enable openvpn

systemctl restart openvpn

If you run ifconfig, the output should show a new network interface called tun0, created by OpenVPN.

30.6. Transfer client credentials to the client machine

If you use a Linux client machine follow the instructions from below.

You can transfer the /etc/openvpn/client1.tar.gz archive containing all the needed client credentials to the client machine using an SFTP client such as FileZilla. You can also transfer it using the Secure Copy Protocol (SCP): on the client Linux computer open a terminal and run:

scp -P 6283 username@123.123.123.123:/etc/openvpn/client1.tar.gz /tmp

Where 6283 is the custom SSH port of the remote Debian server, 123.123.123.123 is its public IP address and username is the username of the SSH user. This command will download the archive in the /tmp directory.

We won’t describe how to transfer the client credentials to a Windows or MacOS client machine. If you use a Windows or MacOS client machine, please consider switching to Linux.

30.7. Configure a Linux client machine to use OpenVPN

The following settings are intended for a Debian 10 client (with Mate desktop environment), but they can be adapted to other distributions. Configure VPN connections using the same method you would use to configure ethernet or wireless connections. These steps assume you are using Network Manager for your network management.

Install the packages network-manager-openvpn and network-manager-openvpn-gnome. This will also install the necessary dependencies, including the package openvpn:

apt-get update

apt-get install network-manager-openvpn network-manager-openvpn-gnome

Enable the openvpn service, so that it starts at system startup, then start it:

systemctl enable openvpn

systemctl start openvpn

First, create a keys directory in /etc/openvpn:

mkdir /etc/openvpn/keys

Then extract the /tmp/client1.tar.gz archive (that has been downloaded earlier to /tmp), in the newly created directory:

tar xf /tmp/client1.tar.gz -C /etc/openvpn/keys

The client.ovpn file has to be placed in the /etc/openvpn directory, so we move it there:

mv /etc/openvpn/keys/client.ovpn /etc/openvpn

Go to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, select Ethernet, then click on the + sign at the bottom of the window to add a new connection. In the ‘Choose a Connection Type’ window, select OpenVPN from the drop-down list:

Click ‘Create…’.

On the General tab enable LZO compression by checking the ‘Use LZO data compression’ checkbox and selecting ‘adaptive’ in the corresponding drop-down list.

In the new window, on the ‘VPN’ tab, in the ‘Gateway’ field, enter the public IPv4 address of your remote Debian server, in the ‘Type’ drop-down list choose ‘Certificates (TLS)’, then in the ‘CA certificate’ field, click on the folder icon and choose from your computer the /etc/openvpn/keys/ca.crt file, in the ‘User certificate’ field choose /etc/openvpn/keys/client1.crt, in the ‘User private key’ choose /etc/openvpn/keys/client1.key, then, on the same tab click ‘Advanced’.

In the new window, on the 'Security' tab, in the 'Cipher' field choose AES-256-CBC and in the 'HMAC Authentication' field choose SHA-512. Then click the 'TLS Authentication' tab.

On the TLS Authentication tab, in the ‘Server Certificate Check’ field, choose ‘Verify whole subject exactly’, in the ‘Subject Match’ field enter CN=mail.example.com, where mail.example.com is the content of the remote server’s /etc/hostname file. Check the ‘Verify peer (server) certificate usage signature’ checkbox and select ‘Server’ next to ‘Remote peer certificate TLS type:’. Also, under ‘Additional TLS authentication or encryption’, in the ‘Mode’ field choose ‘TLS-Auth’, in the ‘Key File’ click on the folder icon and choose from your computer the /etc/openvpn/keys/ta.key file and in the ‘Key Direction’ field choose 1, then click OK, then click on the ‘IPv4 Settings’ tab.

On the ‘IPv4 Settings’ tab, in the ‘Method’ field choose ‘Automatic (VPN) addresses only’ and in the ‘DNS servers’ field enter the IP addresses of the DNS servers that you configured in the /etc/openvpn/server.conf file, in the push dhcp-option parameter, separated by comma. Here we used the OpenDNS servers: 208.67.222.222 and 208.67.220.220. Then click on the ‘IPv6 Settings’ tab.

On the ‘IPv6 Settings’ tab, in the ‘Method’ field choose ‘Ignore’, since we won’t use IPv6, then click ‘Save’.

Next, disable IPv6 for the main wired/wireless connection of the client Linux machine: go to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, under Ethernet select ‘Wired connection 1’, then click on the small ‘Edit the selected connection’ button at the bottom of the window. Then click on the ‘IPv6 Settings’ tab.

On the ‘IPv6 Settings’ tab, next to ‘Method’ choose ‘Ignore’.

Restart network-manager:

systemctl restart network-manager

Remember also to disable the WebRTC (Web Real-Time Communication) service in the browser that you are going to use to connect to your OpenVPN server, because if enabled, WebRTC can send some information about LAN IPs over the Internet betraying the real IP of the client machine. Since WebRTC is enabled by default in all major browsers, and since it is needed in order to use other components of the RED SCARF Suite, such as SIP Trip Phone or Roundpin, it’s recommended to have a separate browser with WebRTC disabled, that you’ll use for browsing through VPN, while all the other browsers can have WebRTC enabled. A good choice for such a browser that you can use for surfing through VPN is GNU IceCat (https://ftp.gnu.org/gnu/gnuzilla/), which is a customized version of Firefox. To make IceCat really usable you should disable all the extensions that are installed and enabled by default and then install only uBlock Origin from https://addons.mozilla.org/en-US/firefox/search/?platform=linux&q=ublock .

30.7.1. Disable the WebRTC service in Firefox/IceCat

To disable the WebRTC service in IceCat/Firefox, type about:config in the address bar of your browser, click ‘I accept the risk’, then search for media.peerconnection.enabled . Double click on it to set it to false.

30.7.2. Disable the WebRTC service in Opera

Install the ‘WebRTC Leak Prevent’ extension and in its Options, select: ‘Disable non-proxied UDP (force Proxy)’.

30.7.3. Connect to the OpenVPN server

Click on the 'Ethernet network connection' icon in the taskbar, then hover over 'VPN Connections' and click on 'VPN Connection 1'. A system notification will tell you that the VPN connection has been established successfully. From this point, when you open a browser, you will automatically connect through the VPN. If you access sites like https://www.whatsmyip.org/ you will see that your IP address is seen on the Internet as that of your server and not that of your client machine.

You can check if you have DNS leaks by running the test on https://www.dnsleaktest.com/ . When the test finishes, if you don’t find the name of the ISP of your client machine in the list of results, it means that there are no DNS leaks. You can still have ‘WebRTC leaks’. To check for this, you can access https://ipleak.net/ . In the “Your IP addresses – WebRTC detection” section, it should say: “No leak, RTCPeerConnection not available”. When you have WebRTC leaks, your client machine’s IPv6 may be detected and listed. That is why it’s so important to disable WebRTC in the browser and to disable IPv6 connectivity on the client machine.

30.7.4. Reenable IPv6 on the client machine when needed

When you don’t use your VPN connection, if you want to have IPv6 connectivity on your client machine again, you can reenable it as follows: go to the Main Menu > System > Control Center > click on ‘Advanced Network Configuration’, under Ethernet select ‘Wired connection 1’, then click on the small ‘Edit the selected connection’ button at the bottom of the window. Then click on the ‘IPv6 Settings’ tab. On the ‘IPv6 Settings’ tab, next to ‘Method’ choose ‘Automatic’, then click ‘Save’.

Restart network-manager:

systemctl restart network-manager

We won’t describe how to configure a Windows or MacOS client machine. If you use Windows or MacOS, please consider switching to Linux.

30.8. Revoke a VPN Client Certificate

To remove a client device's access to the VPN you have to revoke its certificate. First navigate to /etc/openvpn/easy-rsa:

cd /etc/openvpn/easy-rsa

Then run:

./easyrsa revoke client1

where client1 is the name of the client whose certificate you want to revoke. You will be asked to confirm and then you’ll have to enter the CA Key Passphrase. The command will revoke the certificate and will delete the /etc/openvpn/easy-rsa/pki/private/client1.key file and the /etc/openvpn/easy-rsa/pki/issued/client1.crt file.

Next, generate a new Certificate Revocation List (CRL) by running:

./easyrsa gen-crl

Enter again the CA Key Passphrase and press Enter.

30.9. Upgrading OpenVPN

Since OpenVPN was installed from the Debian repository, it will be upgraded automatically whenever there is a new version available and you run:

apt-get update

apt-get dist-upgrade

The configuration files will be preserved during upgrade, so you won’t have to configure it again after upgrade.