Setup an OpenVPN server

Running your own VPN can be useful to access your network from the outside in a secure way or to secure your network traffic when you are on the go. This is a basic setup.

Install apt-get update && apt-get install openvpn easy-rsa

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf Extract default config file

Edit configuration

nano /etc/openvpn/server.conf Edit default configuration file

line ~87, replace

dh dh1024.pem with dh dh4096.pem to use 4096 bits keys

If you want to access the internet through the VPN server, at line ~187, replace

;push "redirect-gateway def1 bypass-dhcp" with push "redirect-gateway def1 bypass-dhcp"

line~196-197, replace

;push "dhcp-option DNS"
;push "dhcp-option DNS"


push "dhcp-option DNS"
push "dhcp-option DNS"

to push opendns servers instead of letting client rely on its own dns servers.

line ~262-263, replace

;user nobody
;group nogroup


user nobody
group nogroup

Packet forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward to enable packet forwarding

nano /etc/sysctl.conf around line 28 replace #net.ipv4.ip_forward=1 with net.ipv4.ip_forward=1 to enable it permanently


You can use UFW to configure your firewall for OpenVPN. Setup a firewall with UFW interface for iptables

Allow anyone to connect to OpenVPN ufw allow 1194/udp

Then you must setup the forwarding policy nano /etc/default/ufw


nano /etc/ufw/before.rules around line 11 add

# NAT table rules
# Allow traffic from OpenVPN client to eth0

ufw disable then ufw enable

Certificate authority

Copy Easy-RSA generation scripts cp -r /usr/share/easy-rsa/ /etc/openvpn

Create directory for keys mkdir /etc/openvpn/easy-rsa/keys

Generate Diffie-Helman parameters openssl dhparam -out /etc/openvpn/dh4096.pem 4096

Generate key cd /etc/openvpn/easy-rsa . ./vars clear old keys ./clean-all build certificate authority ./build-ca

Generate certificate authority ./build-key-server EasyRSA leave 'extra' attributes blank : press enter twice then answer y twice.

Moving certificate and keys

cp /etc/openvpn/easy-rsa/keys/{EasyRSA.crt,EasyRSA.key,ca.crt} /etc/openvpn

Start server service openvpn start Check status service openvpn status

This should appear in the message if you succeed Active: active (exited) since...

Generating certificate and keys for the client


cd /etc/openvpn/easy-rsa ./build-key clientA leave 'extra' attributes blank : press enter twice then answer y twice.

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn

nano /etc/openvpn/easy-rsa/keys/client.ovpn

At line 42 replace ;remote my-server-2 1194 with your ip or domain remote 1194

At line 61 replace

;user nobody
;group nogroup


user nobody
group nogroup

At line 88 replace

ca ca.crt
cert client.crt
key client.key


;ca ca.crt
;cert client.crt
;key client.key

Build ovpn file

clientA.ovpn is an example name, you can use anything you want.

cp /etc/openvpn/easy-rsa/keys/client.ovpn /etc/openvpn/easy-rsa/keys/clientA.ovpn

Include certificates and key to .ovpn file

echo -e '\n\n<ca>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/clientA.ovpn

echo -e '</ca>\n\n<cert>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
cat /etc/openvpn/easy-rsa/keys/clientA.crt >> /etc/openvpn/easy-rsa/keys/clientA.ovpn

echo -e '</cert>\n\n<key>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn
cat /etc/openvpn/easy-rsa/keys/clientA.key >> /etc/openvpn/easy-rsa/keys/clientA.ovpn

echo '</key>' >> /etc/openvpn/easy-rsa/keys/clientA.ovpn

Add more clients

cd /etc/openvpn/easy-rsa source ./vars ./build-key clientB

Then repeat Build ovpn file steps replacing clientA with clientB (or anything)

Share key between clients

To connect multiple clients using the same key, there is a simple method, instead of generating one key per client. Make sure you understand the security implications.

nano /etc/openvpn/server.conf at line ~217 replace ;duplicate-cn with duplicate-cn then service openvpn restart

Run the server

systemctl start openvpn@server.service

Check status systemctl status openvpn@server.service Restart systemctl restart openvpn@server.service Stop systemctl stop openvpn@server.service

Enable automatic startup update-rc.d openvpn enable Disable automatic startup update-rc.d openvpn disable

Client configuration

You can use /etc/openvpn/easy-rsa/keys/clientA.ovpn file to connect to your vpn from windows (OpenVPN GUI), android (OpenVPN Connect), or linux :

apt-get install openvpn then openvpn --config clientA.ovpn For quick connection.

To use as a service : Client side mv clientA.ovpn /etc/openvpn/client.conf then systemctl start openvpn@client.service

Check status systemctl status openvpn@client.service Restart systemctl restart openvpn@client.service Stop systemctl stop openvpn@client.service


Disable comp-lzo by commenting it out ;comp-lzo in both server and client configuration files. In many cases this improves performances, drives data usage and overhead down.

Inspired from, OpenVPN on Github