Setting Up OpenVPN Server
This guide provides a comprehensive walkthrough for installing and configuring an OpenVPN server on a Linux system, along with instructions for setting up OpenVPN clients. OpenVPN is a powerful and flexible open-source VPN solution that allows you to create secure, encrypted tunnels over the internet. This is invaluable for securing your network traffic, accessing internal resources remotely, or bypassing geo-restrictions.
Prerequisites
Before you begin, ensure you have the following:
- A Linux server with root or sudo privileges. A dedicated server from PowerVPS with full root access is ideal for this setup, providing the necessary control and performance.
- A static public IP address for your OpenVPN server.
- Basic familiarity with the Linux command line.
- Internet connectivity on both the server and client machines.
- A firewall configured on your server (e.g., UFW, firewalld, iptables).
Step 1: Install OpenVPN and Easy-RSA
OpenVPN and the necessary tools for certificate management (Easy-RSA) can typically be installed from your distribution's package repositories.
On Debian/Ubuntu
sudo apt update
sudo apt install openvpn easy-rsa -y
On CentOS/RHEL/Fedora
sudo dnf update -y # Or 'sudo yum update -y' on older systems
sudo dnf install openvpn easy-rsa -y
Step 2: Set Up the Certificate Authority (CA)
Easy-RSA is used to create and manage the Public Key Infrastructure (PKI) for your OpenVPN server. This involves generating a Certificate Authority (CA) and then using that CA to sign server and client certificates.
1. **Copy Easy-RSA to a dedicated directory:**
sudo mkdir /etc/openvpn/easy-rsa
sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
sudo chown -R root:root /etc/openvpn/easy-rsa
sudo chmod -R 700 /etc/openvpn/easy-rsa
2. **Navigate to the Easy-RSA directory:**
cd /etc/openvpn/easy-rsa
3. **Initialize the PKI:**
./easyrsa init-pki
4. **Build the Certificate Authority (CA):** You will be prompted to enter a Common Name for your CA. Choose something descriptive, like "MyOpenVPNCA".
./easyrsa build-ca
You will be asked for a passphrase for your CA. Remember this passphrase, as you'll need it for signing certificates.
5. **Generate the Server Certificate and Key:**
./easyrsa gen-req server nopass
./easyrsa sign-req server server
You will be prompted to enter the CA passphrase. The `nopass` option for `gen-req` means the server's private key will not be password-protected, which is necessary for automatic server startup.
6. **Generate Diffie-Hellman Parameters:** This is crucial for Perfect Forward Secrecy.
./easyrsa gen-dh
This process can take a significant amount of time, especially on less powerful hardware.
7. **Generate TLS Authentication Key:** This adds an extra layer of security.
openvpn --genkey --secret ta.key
8. **Copy Necessary Files to OpenVPN Directory:**
sudo cp pki/ca.crt /etc/openvpn/
sudo cp pki/issued/server.crt /etc/openvpn/
sudo cp pki/private/server.key /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/
sudo cp ta.key /etc/openvpn/
Step 3: Configure the OpenVPN Server
Now, we'll create the server configuration file.
1. **Create a server configuration file:**
sudo nano /etc/openvpn/server.conf
2. **Add the following configuration:** The certificate and key file names are relative to `/etc/openvpn/`, where Step 2 copied them.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0 # This file is secret; the server and every client need a copy of it. 0 is the server direction.
server 10.8.0.0 255.255.255.0 # VPN subnet
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp" # Route all client traffic through VPN
push "dhcp-option DNS 8.8.8.8" # Example DNS server
push "dhcp-option DNS 8.8.4.4" # Example DNS server
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
* `port 1194`: The default OpenVPN port.
* `proto udp`: Using UDP for better performance.
* `dev tun`: Creates a routed IP tunnel.
* `server 10.8.0.0 255.255.255.0`: Defines the VPN subnet from which clients will receive IP addresses.
* `push "redirect-gateway def1 bypass-dhcp"`: This directive tells clients to send all their internet traffic through the VPN.
* `push "dhcp-option DNS ..."`: Pushes specific DNS servers to clients.
* `user nobody` and `group nogroup`: Drops privileges after initialization for security.
3. **Enable IP Forwarding:** This allows the server to route traffic between the VPN clients and the internet.
sudo nano /etc/sysctl.conf
Uncomment or add the following line:
net.ipv4.ip_forward=1
Apply the changes:
sudo sysctl -p
4. **Configure Firewall Rules:** You need to allow UDP traffic on port 1194 and configure NAT for VPN clients.
=== Using UFW (Uncomplicated Firewall) ===
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH # Ensure SSH access is not blocked
sudo nano /etc/ufw/before.rules
Add the following lines at the top of the file, before the `*filter` section:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change eth0 to your primary network interface)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Save the file and reload UFW:
sudo ufw disable
sudo ufw enable
=== Using firewalld ===
sudo firewall-cmd --permanent --add-port=1194/udp
sudo firewall-cmd --zone=public --add-masquerade
sudo firewall-cmd --reload
=== Using iptables ===
This is more complex and depends on your existing iptables setup. A basic example for NAT might look like this, but it is highly recommended to use UFW or firewalld if possible, or to integrate these rules carefully into your existing ruleset.
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE # Replace eth0 with your network interface
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save iptables rules (method depends on distribution)
# For Debian/Ubuntu:
sudo apt install iptables-persistent -y
sudo netfilter-persistent save
# For CentOS/RHEL:
sudo service iptables save
Step 4: Start and Enable OpenVPN Service
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
sudo systemctl status openvpn@server
Check the status to ensure it's running without errors.
Step 5: Generate Client Configurations
For each client that needs to connect, you need to generate a unique certificate and key pair.
1. **Navigate back to the Easy-RSA directory:**
cd /etc/openvpn/easy-rsa
2. **Generate client certificate and key:** Replace `client1` with a unique name for each client.
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
You will be prompted for the CA passphrase.
3. **Create a client configuration file template:**
sudo nano /etc/openvpn/client-common.txt
Add the following content. Replace `your_server_public_ip` with your server's public IP.
client
dev tun
proto udp
remote your_server_public_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1 # Same secret key as on the server; 1 is the client direction.
cipher AES-256-CBC
verb 3
4. **Create a client-specific configuration script (optional but recommended):** This script will bundle all necessary client files into a single `.ovpn` file.
sudo nano /etc/openvpn/make_client_config.sh
Add the following script. Make sure to adjust the `SERVER_IP` and `SERVER_NAME` values at the top of the script.
#!/bin/bash
# Script to generate OpenVPN client configuration files (.ovpn with inline certificates and keys)
set -euo pipefail

# --- Configuration ---
OVPN_DIR="/etc/openvpn"
EASYRSA_DIR="$OVPN_DIR/easy-rsa"
CLIENT_NAME="${1:-}"
SERVER_IP="your_server_public_ip" # Replace with your server's public IP
SERVER_NAME="MyOpenVPNServer" # Replace with a descriptive name for your server (written into the profile header)

if [ -z "$CLIENT_NAME" ]; then
    echo "Usage: $0 <client_name>"
    exit 1
fi

# --- Check for required files ---
if [ ! -f "$EASYRSA_DIR/pki/ca.crt" ] || \
   [ ! -f "$EASYRSA_DIR/pki/issued/$CLIENT_NAME.crt" ] || \
   [ ! -f "$EASYRSA_DIR/pki/private/$CLIENT_NAME.key" ] || \
   [ ! -f "$OVPN_DIR/ta.key" ]; then
    echo "Error: Missing required certificate or key files for client '$CLIENT_NAME'."
    echo "Please ensure you have generated them using easyrsa."
    exit 1
fi

# --- Create client .ovpn file ---
echo "Generating client configuration for $CLIENT_NAME..."
OUTPUT_FILE="$OVPN_DIR/${CLIENT_NAME}.ovpn"

# Read the CA, client cert, client key and TA key so they can be embedded inline
CA_CERT=$(cat "$EASYRSA_DIR/pki/ca.crt")
CLIENT_CERT=$(cat "$EASYRSA_DIR/pki/issued/$CLIENT_NAME.crt")
CLIENT_KEY=$(cat "$EASYRSA_DIR/pki/private/$CLIENT_NAME.key")
TA_KEY=$(cat "$OVPN_DIR/ta.key")

# The profile contains a private key: create it owner-readable only (0600)
umask 077
cat > "$OUTPUT_FILE" <<EOF
# OpenVPN client profile for $CLIENT_NAME ($SERVER_NAME)
client
dev tun
proto udp
remote $SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
# The TA key is embedded below, so use key-direction instead of 'tls-auth ta.key 1'
key-direction 1
cipher AES-256-CBC
verb 3
<ca>
$CA_CERT
</ca>
<cert>
$CLIENT_CERT
</cert>
<key>
$CLIENT_KEY
</key>
<tls-auth>
$TA_KEY
</tls-auth>
EOF

echo "Client configuration saved to $OUTPUT_FILE"
echo "You can now transfer this file to your client device."
Make the script executable:
sudo chmod +x /etc/openvpn/make_client_config.sh
5. **Generate a client configuration file:**
sudo /etc/openvpn/make_client_config.sh client1
This will create a `client1.ovpn` file in the `/etc/openvpn/` directory. You will need to securely transfer this file to your client device.
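As an added example (not part of this guide or of the OpenVPN project), a small Python checker for the `.ovpn` profile produced in this step: it parses the directives and the inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks and flags the mistakes that make a bundled profile fail or weaken it, such as a `tls-auth ta.key 1` directive left next to an inline `<tls-auth>` block (the client has no such file), a missing `key-direction 1`, a missing `remote-cert-tls server`, or a `cipher` line without `data-ciphers`. It also generalizes to profiles that use `tls-crypt` or file references; the two sample profiles are constructed inline with placeholder PEM bodies.

```python
"""Added example (not from the original guide): lint a generated .ovpn client profile."""
import re

def parse_ovpn(text):
    """Split a profile into directives [(name, [args])] and inline blocks {tag: body}."""
    directives, blocks, tag, body = [], {}, None, []
    for raw in text.splitlines():
        if tag:                                  # inside <tag> ... </tag>: collect verbatim
            if raw.strip() == f"</{tag}>":
                blocks[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(raw.strip())
            continue
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        opening = re.fullmatch(r"<([a-z-]+)>", line)
        if opening:
            tag = opening.group(1)
        elif line and not line.startswith(";"):
            name, *args = line.split()
            directives.append((name, args))
    return directives, blocks

def check_profile(text):
    """Return a list of problems; an empty list means the profile passed every check."""
    directives, blocks = parse_ovpn(text)
    names = {n for n, _ in directives}
    last = dict(directives)                      # last occurrence of a directive wins
    problems = []
    if "key" in blocks and "PRIVATE KEY" not in blocks["key"]:
        problems.append("<key> block does not contain a PEM private key (wrong file embedded?)")
    if "tls-auth" in blocks:
        if "tls-auth" in names:
            problems.append("'tls-auth <file> 1' conflicts with the inline <tls-auth> block; use 'key-direction 1'")
        if last.get("key-direction") != ["1"]:
            problems.append("inline <tls-auth> needs 'key-direction 1' to match the server's 'tls-auth ta.key 0'")
    elif "tls-auth" not in names and "tls-crypt" not in names and "tls-crypt" not in blocks:
        problems.append("no tls-auth/tls-crypt: control channel is not HMAC-protected")
    if last.get("remote-cert-tls") != ["server"]:
        problems.append("missing 'remote-cert-tls server': a client certificate could pose as the server")
    if "cipher" in names and "data-ciphers" not in names:
        problems.append("'cipher' without 'data-ciphers' is deprecated since OpenVPN 2.5; add 'data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC'")
    return problems

_pem = lambda kind: f"-----BEGIN {kind}-----\nMIIB...constructed...\n-----END {kind}-----"  # placeholder, not real key material
# Constructed sample in the shape the guide's original script emits: file directive and inline block both present.
BROKEN_PROFILE = "\n".join(["client", "dev tun", "proto udp", "remote 203.0.113.10 1194",
    "remote-cert-tls server", "tls-auth ta.key 1", "cipher AES-256-CBC", "<ca>", _pem("CERTIFICATE"),
    "</ca>", "<cert>", _pem("CERTIFICATE"), "</cert>", "<key>", _pem("PRIVATE KEY"), "</key>",
    "<tls-auth>", _pem("OpenVPN Static key V1"), "</tls-auth>"])
FIXED_PROFILE = BROKEN_PROFILE.replace("tls-auth ta.key 1", "key-direction 1").replace(
    "cipher AES-256-CBC", "data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC")
```

Run `check_profile(open("client1.ovpn").read())` on each generated profile before transferring it; the broken sample above yields three findings and the corrected one none.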
Step 6: Connect Clients
The `client1.ovpn` file contains all the necessary information for a client to connect to your OpenVPN server.
1. **Install OpenVPN on your client device:**
* **Windows:** Download the installer from the official OpenVPN website ([1](https://openvpn.net/community-downloads/)).
* **macOS:** Use Tunnelblick ([2](https://tunnelblick.net/)) or the official OpenVPN client.
* **Linux:** Install the `openvpn` package (e.g., `sudo apt install openvpn` or `sudo dnf install openvpn`).
2. **Import the `.ovpn` file:**
* **Windows/macOS:** Open the OpenVPN client application and import the `.ovpn` file.
* **Linux:** Copy the `.ovpn` file to `/etc/openvpn/client/` (create the directory if it doesn't exist) and run:
sudo openvpn --config /etc/openvpn/client/client1.ovpn
Or, for a systemd service:
sudo cp client1.ovpn /etc/openvpn/client/client1.conf
sudo systemctl start openvpn-client@client1
sudo systemctl enable openvpn-client@client1
3. **Connect:** Start the VPN connection from your client application. You should now be connected to your OpenVPN server.
Troubleshooting
- **Cannot connect:**
* Check if the OpenVPN service is running on the server: `sudo systemctl status openvpn@server`.
* Verify that UDP port 1194 is open in your server's firewall.
* Ensure your client's firewall is not blocking outgoing UDP traffic on port 1194.
* Check server logs for errors: `sudo journalctl -u openvpn@server`.
* Double-check that the `remote` directive in your client `.ovpn` file points to the correct public IP address of your server.
- **Clients get no internet access:**
* Ensure IP forwarding is enabled on the server (`net.ipv4.ip_forward=1` in `/etc/sysctl.conf`).
* Verify your firewall's NAT rules are correctly configured to masquerade traffic from the VPN subnet (`10.8.0.0/24`) to your server's public interface.
* Check if the `push "redirect-gateway def