Admin: New server guide

2026-04-12T20:00:39Z

New server guide

New page

= Setting Up OpenVPN Server =

This guide provides a comprehensive walkthrough for installing and configuring an OpenVPN server on a Linux system, along with instructions for setting up OpenVPN clients. OpenVPN is a powerful and flexible open-source VPN solution that allows you to create secure, encrypted tunnels over the internet. This is invaluable for securing your network traffic, accessing internal resources remotely, or bypassing geo-restrictions.

== Prerequisites ==

Before you begin, ensure you have the following:

* A Linux server with root or sudo privileges. A dedicated server from [https://powervps.net/?from=32 PowerVPS] with full root access is ideal for this setup, providing the necessary control and performance.
* A static public IP address for your OpenVPN server.
* Basic familiarity with the Linux command line.
* Internet connectivity on both the server and client machines.
* A firewall configured on your server (e.g., UFW, firewalld, iptables).

== Step 1: Install OpenVPN and Easy-RSA ==

OpenVPN and the necessary tools for certificate management (Easy-RSA) can typically be installed from your distribution's package repositories.

=== On Debian/Ubuntu ===
<pre>
sudo apt update
sudo apt install openvpn easy-rsa -y
</pre>

=== On CentOS/RHEL/Fedora ===
<pre>
sudo dnf update -y # Or 'sudo yum update -y' on older systems
sudo dnf install openvpn easy-rsa -y
</pre>

== Step 2: Set Up the Certificate Authority (CA) ==

Easy-RSA is used to create and manage the Public Key Infrastructure (PKI) for your OpenVPN server. This involves generating a Certificate Authority (CA) and then using that CA to sign server and client certificates.

1. **Copy Easy-RSA to a dedicated directory:**
<pre>
sudo mkdir /etc/openvpn/easy-rsa
sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
sudo chown -R root:root /etc/openvpn/easy-rsa
sudo chmod -R 700 /etc/openvpn/easy-rsa
</pre>

2. **Navigate to the Easy-RSA directory:**
<pre>
cd /etc/openvpn/easy-rsa
</pre>

3. **Initialize the PKI:**
<pre>
./easyrsa init-pki
</pre>

4. **Build the Certificate Authority (CA):** You will be prompted to enter a Common Name for your CA. Choose something descriptive, like "MyOpenVPNCA".
<pre>
./easyrsa build-ca
</pre>
You will be asked for a passphrase for your CA. Remember this passphrase, as you'll need it for signing certificates.

5. **Generate the Server Certificate and Key:**
<pre>
./easyrsa gen-req server nopass
./easyrsa sign-req server server
</pre>
You will be prompted to enter the CA passphrase. The `nopass` option for `gen-req` means the server's private key will not be password-protected, which is necessary for automatic server startup.

6. **Generate Diffie-Hellman Parameters:** This is crucial for Perfect Forward Secrecy.
<pre>
./easyrsa gen-dh
</pre>
This process can take a significant amount of time, especially on less powerful hardware.

7. **Generate TLS Authentication Key:** This adds an extra layer of security.
<pre>
openvpn --genkey --secret ta.key
</pre>

8. **Copy Necessary Files to OpenVPN Directory:**
<pre>
sudo cp pki/ca.crt /etc/openvpn/
sudo cp pki/issued/server.crt /etc/openvpn/
sudo cp pki/private/server.key /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/
sudo cp ta.key /etc/openvpn/
</pre>

== Step 3: Configure the OpenVPN Server ==

Now, we'll create the server configuration file.

1. **Create a server configuration file:**
<pre>
sudo nano /etc/openvpn/server.conf
</pre>

2. **Add the following configuration:** Replace `your_server_public_ip` with your server's actual public IP address.
<pre>
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0 # This file is secret, don't copy to clients.
server 10.8.0.0 255.255.255.0 # VPN subnet
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp" # Route all client traffic through VPN
push "dhcp-option DNS 8.8.8.8" # Example DNS server
push "dhcp-option DNS 8.8.4.4" # Example DNS server
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
</pre>

* `port 1194`: The default OpenVPN port.
* `proto udp`: Using UDP for better performance.
* `dev tun`: Creates a routed IP tunnel.
* `server 10.8.0.0 255.255.255.0`: Defines the VPN subnet from which clients will receive IP addresses.
* `push "redirect-gateway def1 bypass-dhcp"`: This directive tells clients to send all their internet traffic through the VPN.
* `push "dhcp-option DNS ..."`: Pushes specific DNS servers to clients.
* `user nobody` and `group nogroup`: Drops privileges after initialization for security.

3. **Enable IP Forwarding:** This allows the server to route traffic between the VPN clients and the internet.
<pre>
sudo nano /etc/sysctl.conf
</pre>
Uncomment or add the following line:
<pre>
net.ipv4.ip_forward=1
</pre>
Apply the changes:
<pre>
sudo sysctl -p
</pre>

4. **Configure Firewall Rules:** You need to allow UDP traffic on port 1194 and configure NAT for VPN clients.

=== Using UFW (Uncomplicated Firewall) ===
<pre>
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH # Ensure SSH access is not blocked
sudo nano /etc/ufw/before.rules
</pre>
Add the following lines at the top of the file, before the `*filter` section:
<pre>
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change eth0 to your primary network interface)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
</pre>
Save the file and reload UFW:
<pre>
sudo ufw disable
sudo ufw enable
</pre>

=== Using firewalld ===
<pre>
sudo firewall-cmd --permanent --add-port=1194/udp
sudo firewall-cmd --zone=public --add-masquerade
sudo firewall-cmd --reload
</pre>

=== Using iptables ===
(This is more complex and depends on your existing iptables setup. A basic example for NAT might look like this, but it's highly recommended to use UFW or firewalld if possible or integrate carefully into your existing rules.)
<pre>
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE # Replace eth0 with your network interface
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save iptables rules (method depends on distribution)
# For Debian/Ubuntu:
sudo apt install iptables-persistent -y
sudo netfilter-persistent save
# For CentOS/RHEL:
sudo service iptables save
</pre>

== Step 4: Start and Enable OpenVPN Service ==

<pre>
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
sudo systemctl status openvpn@server
</pre>
Check the status to ensure it's running without errors.

== Step 5: Generate Client Configurations ==

For each client that needs to connect, you need to generate a unique certificate and key pair.

1. **Navigate back to the Easy-RSA directory:**
<pre>
cd /etc/openvpn/easy-rsa
</pre>

2. **Generate client certificate and key:** Replace `client1` with a unique name for each client.
<pre>
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
</pre>
You will be prompted for the CA passphrase.

3. **Create a client configuration file template:**
<pre>
sudo nano /etc/openvpn/client-common.txt
</pre>
Add the following content. Replace `your_server_public_ip` with your server's public IP.
<pre>
client
dev tun
proto udp
remote your_server_public_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1 # This file is secret, don't copy to clients.
cipher AES-256-CBC
verb 3
</pre>

4. **Create a client-specific configuration script (optional but recommended):** This script will bundle all necessary client files into a single `.ovpn` file.
<pre>
sudo nano /etc/openvpn/make_client_config.sh
</pre>
Add the following script. Make sure to adjust `YOUR_SERVER_IP` and `YOUR_SERVER_NAME` placeholders.
<pre>
#!/bin/bash

# Script to generate OpenVPN client configuration files

# --- Configuration ---
OVPN_DIR="/etc/openvpn"
EASYRSA_DIR="$OVPN_DIR/easy-rsa"
CLIENT_NAME="$1"
SERVER_IP="your_server_public_ip" # Replace with your server's public IP
SERVER_NAME="MyOpenVPNServer" # Replace with a descriptive name for your server

if [ -z "$CLIENT_NAME" ]; then
echo "Usage: $0 <client_name>"
exit 1
fi

# --- Check for required files ---
if [ ! -f "$EASYRSA_DIR/pki/ca.crt" ] || \
[ ! -f "$EASYRSA_DIR/pki/issued/$CLIENT_NAME.crt" ] || \
[ ! -f "$EASYRSA_DIR/pki/private/$CLIENT_NAME.key" ] || \
[ ! -f "$OVPN_DIR/ta.key" ]; then
echo "Error: Missing required certificate or key files for client '$CLIENT_NAME'."
echo "Please ensure you have generated them using easyrsa."
exit 1
fi

# --- Create client .ovpn file ---
echo "Generating client configuration for $CLIENT_NAME..."

# Extract CA, Client Cert, Client Key, and TA Key
CA_CERT=$(cat "$EASYRSA_DIR/pki/ca.crt")
CLIENT_CERT=$(cat "$EASYRSA_DIR/pki/issued/$CLIENT_NAME.crt")
CLIENT_KEY=$(cat "$EASYRSA_DIR/pki/private/$CLIENT_NAME.key")
TA_KEY=$(cat "$OVPN_DIR/ta.key")

# Create the .ovpn file content
cat <<EOF
client
dev tun
proto udp
remote $SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

<ca>
$CA_CERT
</ca>

<cert>
$CLIENT_CERT
</cert>

<key>
$CLIENT_KEY
</key>

<tls-auth>
$TA_KEY
</tls-auth>
EOF
# Save the .ovpn file
OUTPUT_FILE="${CLIENT_NAME}.ovpn"
echo "$(&& cat <<EOF
client
dev tun
proto udp
remote $SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

<ca>
$CA_CERT
</ca>

<cert>
$CLIENT_CERT
</cert>

<key>
$CLIENT_KEY
</key>

<tls-auth>
$TA_KEY
</tls-auth>
EOF
)" > "$OUTPUT_FILE"

echo "Client configuration saved to $OUTPUT_FILE"
echo "You can now transfer this file to your client device."
</pre>
Make the script executable:
<pre>
sudo chmod +x /etc/openvpn/make_client_config.sh
</pre>

5. **Generate a client configuration file:**
<pre>
sudo /etc/openvpn/make_client_config.sh client1
</pre>
This will create a `client1.ovpn` file in the `/etc/openvpn/` directory. You will need to securely transfer this file to your client device.

== Step 6: Connect Clients ==

The `client1.ovpn` file contains all the necessary information for a client to connect to your OpenVPN server.

1. **Install OpenVPN on your client device:**
* **Windows:** Download the installer from the official OpenVPN website ([https://openvpn.net/community-downloads/](https://openvpn.net/community-downloads/)).
* **macOS:** Use Tunnelblick ([https://tunnelblick.net/](https://tunnelblick.net/)) or the official OpenVPN client.
* **Linux:** Install `openvpn` package (e.g., `sudo apt install openvpn` or `sudo dnf install openvpn`).

2. **Import the `.ovpn` file:**
* **Windows/macOS:** Open the OpenVPN client application and import the `.ovpn` file.
* **Linux:** Copy the `.ovpn` file to `/etc/openvpn/client/` (create the directory if it doesn't exist) and run:
<pre>
sudo openvpn --config /etc/openvpn/client/client1.ovpn
</pre>
Or, for a systemd service:
<pre>
sudo cp client1.ovpn /etc/openvpn/client/client1.conf
sudo systemctl start openvpn-client@client1
sudo systemctl enable openvpn-client@client1
</pre>

3. **Connect:** Start the VPN connection from your client application. You should now be connected to your OpenVPN server.

== Troubleshooting ==

* **Cannot connect:**
* Check if the OpenVPN service is running on the server: `sudo systemctl status openvpn@server`.
* Verify that UDP port 1194 is open in your server's firewall.
* Ensure your client's firewall is not blocking outgoing UDP traffic on port 1194.
* Check server logs for errors: `sudo journalctl -u openvpn@server`.
* Double-check the `remote` directive in your client `.ovpn` file points to the correct public IP address of your server.

* **Clients get no internet access:**
* Ensure IP forwarding is enabled on the server (`net.ipv4.ip_forward=1` in `/etc/sysctl.conf`).
* Verify your firewall's NAT rules are correctly configured to masquerade traffic from the VPN subnet (`10.8.0.0/24`) to your server's public interface.
* Check if the `push "redirect-gateway def

[[Category:Security]]

{{Exchange Box}}

Setting Up OpenVPN Server - Revision history

Admin: New server guide