How to setup a VPN server with OpenVPN


OpenVPN is one of the most widely used VPN solutions and the leading open source VPN. Using SSL/TLS it creates VPN tunnels that encrypt all the traffic going through them. Today let’s take a look at how to install and set up an OpenVPN server.

Install OpenVPN

The first step is to install OpenVPN:

Refer to your distribution’s package manager to install two packages: openvpn and easy-rsa.

Set up the Certificate Authority

In this step you will set up a Certificate Authority (CA), a piece of software that you trust to sign certificates. If you already have a CA in your setup you can skip this step and should use the documentation associated with your CA to issue and revoke certificates.

Now you should edit a file named vars inside the folder you just created. Near the end of the file you will find the following lines; fill them in with your desired configuration using your favorite text editor:

Now that you’ve set all the variables, you can do:

Now that you have the CA up and running you’re ready to start signing certificates.

Set up the Server certificate and the OpenVPN server

The first certificate you will issue will be the one associated with the OpenVPN server. This will make sure your clients connect to the RIGHT server rather than an impostor.

You will be asked for the usual plethora of confirmations; in the end you will get a signed server certificate. To strengthen the key exchange you will now generate Diffie-Hellman parameters (be aware this will take some time):

In addition you can generate a static HMAC key (used by tls-auth to sign TLS control packets) to further increase security:

Now that you have all the pieces in place we can copy them to the server configuration directory (/etc/openvpn):

All that’s missing now is a server configuration file; luckily enough there’s a sample file within your installation. With this command we will extract the file from an archive and copy it to your server configuration directory:

This file can be quite daunting, but it’s full of comments that will help you out. For brevity you can find here a “clean” version of a functioning file:

Edit this file according to your needs, remembering that lines starting with a # or a ; are comments.
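As an added example (not the post's own commands or the author's "clean" file), the script below writes a minimal server.conf of the kind described above and then checks that every PKI file the config references (CA certificate, server certificate and key, DH parameters, HMAC key) is actually present in the configuration directory. A missing file is the most common reason the service refuses to start after the copy step. The file names (dh2048.pem, ta.key), the 10.8.0.0/24 tunnel subnet and the nobody/nogroup account are assumptions; adjust them to what easy-rsa produced on your system.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a minimal OpenVPN
# server.conf and verifies the files it references exist before starting.
# Assumptions: easy-rsa produced ca.crt, server.crt, server.key and
# dh2048.pem; the HMAC key is ta.key; the tunnel subnet is 10.8.0.0/24.

# render_server_conf DIR PORT PROTO
# Writes DIR/server.conf; paths in the file are relative to DIR.
render_server_conf() {
    dir=$1; port=$2; proto=$3
    cat > "$dir/server.conf" <<EOF
port $port
proto $proto
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
cipher AES-256-CBC
# drop privileges after startup; use "group nobody" on CentOS/Fedora
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# conf_get KEY FILE: print the first value of KEY; lines starting with
# ';' or '#' never match because their first field is not the bare key.
conf_get() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# check_conf_files DIR: print each referenced file missing from DIR,
# one per line; prints nothing when the configuration is complete.
check_conf_files() {
    dir=$1
    for key in ca cert key dh tls-auth; do
        f=$(conf_get "$key" "$dir/server.conf")
        [ -n "$f" ] || continue
        [ -e "$dir/$f" ] || echo "$f"
    done
}
```

Run `render_server_conf /etc/openvpn 1194 udp` and then `check_conf_files /etc/openvpn` after copying the pieces in; any name it prints is a file that still has to be generated or copied. The check reads the file names from the config rather than hard-coding them, so it keeps working if you rename the certificates.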

Setting up network and OpenVPN service

Allow IP Forwarding

In order to be able to route network packets, your Linux kernel must be instructed to do so:

Open firewall ports

In order for the OpenVPN traffic to pass you will need to open the port in your firewall. Change the following commands according to the port and protocol specified in the server.conf file:

Refer to your distribution’s firewall to open the port defined in the server.conf file.

Setting up masquerading

Change the default policy so that OpenVPN packets won’t get discarded:

Enable masquerading (NAT/PAT):
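As an added example for the three networking steps above (not the post's own commands), the function below derives the forwarding, firewall and NAT commands from the values in server.conf so they always match the configured port, protocol and tunnel subnet. It assumes iptables and an outbound interface named eth0 (replace with your own); the rules it prints are shown rather than applied, so you can review them first.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the sysctl, iptables
# and NAT commands needed for an OpenVPN server, derived from server.conf.
# Assumptions: iptables is the firewall; the outbound interface is passed
# as the second argument (e.g. eth0).

# conf_get KEY FILE: first value of KEY, skipping ';' and '#' comment lines
conf_get() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# mask_to_prefix DOTTED: 255.255.255.0 -> 24 (counts set bits per octet)
mask_to_prefix() {
    echo "$1" | awk -F. '{ n = 0
        for (i = 1; i <= 4; i++) { x = $i; while (x > 0) { n += x % 2; x = int(x / 2) } }
        print n }'
}

# openvpn_net_rules CONF IFACE: print the commands for the tunnel
openvpn_net_rules() {
    conf=$1; iface=$2
    port=$(conf_get port "$conf")
    proto=$(conf_get proto "$conf")
    # "server NET MASK" gives the tunnel subnet; turn it into CIDR
    net=$(awk '$1 == "server" { print $2; exit }' "$conf")
    mask=$(awk '$1 == "server" { print $3; exit }' "$conf")
    cidr="$net/$(mask_to_prefix "$mask")"
    # proto may be udp4, udp6 or tcp-server; iptables only wants udp/tcp
    l4=${proto%%[0-9-]*}
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -p $l4 --dport $port -j ACCEPT
iptables -A FORWARD -s $cidr -o $iface -j ACCEPT
iptables -A FORWARD -d $cidr -i $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $cidr -o $iface -j MASQUERADE
EOF
}
```

Usage: `openvpn_net_rules /etc/openvpn/server.conf eth0 | sh` once the output looks right. Note that the FORWARD and MASQUERADE rules are restricted to the tunnel subnet with `-s`/`-d`, which is tighter than switching the FORWARD chain's default policy to ACCEPT: only VPN clients get routed and NATed, not anything else that happens to reach the box. To make the forwarding setting survive a reboot, also add `net.ipv4.ip_forward = 1` to /etc/sysctl.conf or a file under /etc/sysctl.d.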

Starting and enabling OpenVPN at boot

Be mindful that if you used a different name for the server.conf file you should change these commands accordingly.

Generating client certificates

You can simply generate client certificates (that you will use to connect from other devices) by doing:

This will generate a certificate without password protection; if you want a password-protected certificate instead, use ./build-key-pass instead of ./build-key.

Image courtesy of mark | marksei

The IT guy with a little boredom look in his eyes, fond of computers since forever he now works as a freelancer in the IT and shares his experiences through this blog.