OpenVPN Setup
OpenVPN is a mature, widely deployed VPN solution that uses TLS for authentication and encryption. It is more complex to set up than WireGuard, since it requires a PKI (Public Key Infrastructure) with a Certificate Authority, but it has broader compatibility and more configuration options. It works in environments where WireGuard isn’t available, and it is the protocol behind most commercial VPN services.
This guide sets up an OpenVPN server on Ubuntu and connects a Linux client. The server needs a public IP address.
Install OpenVPN and easy-rsa
On the server:
sudo apt update
sudo apt install -y openvpn easy-rsa
Set up the PKI with easy-rsa
easy-rsa manages the Certificate Authority and generates the certificates needed for the server and each client.
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
Initialize the PKI:
./easyrsa init-pki
Build the Certificate Authority. You’ll be prompted for the CA’s Common Name; enter something like OpenVPN-CA:
./easyrsa build-ca nopass
Generate the server certificate and key (no password):
./easyrsa gen-req server nopass
./easyrsa sign-req server server
Generate Diffie-Hellman parameters (this takes a minute):
./easyrsa gen-dh
Generate a shared static key for tls-auth. It adds an HMAC to every control-channel packet so the server can discard unauthenticated traffic before the TLS handshake, which is the extra protection against DoS:
openvpn --genkey secret ~/openvpn-ca/pki/ta.key
Generate a client certificate:
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
Copy certificates to OpenVPN directory
sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/
sudo cp ~/openvpn-ca/pki/issued/server.crt /etc/openvpn/
sudo cp ~/openvpn-ca/pki/private/server.key /etc/openvpn/
sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/
sudo cp ~/openvpn-ca/pki/ta.key /etc/openvpn/
Enable IP forwarding
sudo nano /etc/sysctl.conf
Add or uncomment:
net.ipv4.ip_forward=1
Apply:
sudo sysctl -p
Server configuration
Create the server config file:
sudo nano /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Push routes to clients
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
Create the log directory:
sudo mkdir -p /var/log/openvpn
Configure NAT on the server
Find your main network interface name:
ip link show
Add a NAT rule (replace eth0 with your interface):
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
To persist iptables rules across reboots:
sudo apt install -y iptables-persistent
sudo netfilter-persistent save
Open the firewall port
sudo ufw allow 1194/udp
sudo ufw reload
If ufw is enabled, note that it also drops forwarded packets by default; set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw and reload again, otherwise VPN client traffic never reaches the NAT rule above.
Start OpenVPN server
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
Client configuration
Collect these files from the server and transfer them to the client machine:
~/openvpn-ca/pki/ca.crt
~/openvpn-ca/pki/issued/client1.crt
~/openvpn-ca/pki/private/client1.key
~/openvpn-ca/pki/ta.key
Transfer with scp (run on the client; the target directory must exist first):
mkdir -p ~/vpn
scp user@SERVER_IP:~/openvpn-ca/pki/ca.crt ~/vpn/
scp user@SERVER_IP:~/openvpn-ca/pki/issued/client1.crt ~/vpn/
scp user@SERVER_IP:~/openvpn-ca/pki/private/client1.key ~/vpn/
scp user@SERVER_IP:~/openvpn-ca/pki/ta.key ~/vpn/
Install OpenVPN on the client:
sudo apt update
sudo apt install -y openvpn
Create the client config (replace SERVER_PUBLIC_IP with your server’s IP):
sudo nano /etc/openvpn/client.conf
client
dev tun
proto udp
remote SERVER_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /home/YOUR_USER/vpn/ca.crt
cert /home/YOUR_USER/vpn/client1.crt
key /home/YOUR_USER/vpn/client1.key
tls-auth /home/YOUR_USER/vpn/ta.key 1
cipher AES-256-CBC
verb 3
Connect from the client
sudo openvpn --config /etc/openvpn/client.conf
Or run it as a service:
sudo systemctl enable openvpn@client
sudo systemctl start openvpn@client
Verify the connection
Check your public IP — it should match the server’s:
curl ifconfig.me
Ping the server’s VPN IP:
ping 10.8.0.1
Adding more clients
For each new client, generate a new certificate on the server:
cd ~/openvpn-ca
./easyrsa gen-req client2 nopass
./easyrsa sign-req client client2
Then copy the new cert, key, ca.crt, and ta.key to the new client and create a matching .conf file pointing to them.
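The following script, added here as an example and not part of the original guide, automates the per-client steps above and bundles ca.crt, the client certificate and key, and ta.key into a single inline .ovpn profile, so only one file has to be copied and the client config needs no hard-coded /home/YOUR_USER paths. It assumes the ~/openvpn-ca layout used in this guide; the server address is passed as an argument (SERVER_PUBLIC_IP is a placeholder).

```shell
# Added example, not from the original guide: issue a client certificate with the
# guide's easy-rsa steps and bundle ca.crt, client cert/key and ta.key into one
# inline .ovpn profile. Assumes the ~/openvpn-ca layout used above.
set -e
# Run the guide's two easy-rsa commands for client $1 (on the server).
issue_client() {
    ( cd "$HOME/openvpn-ca" && ./easyrsa gen-req "$1" nopass && ./easyrsa sign-req client "$1" )
}
# Print only the PEM block of $1; easy-rsa prefixes issued certs with a text dump.
pem() { sed -n '/^-----BEGIN/,/^-----END/p' "$1"; }
# Write an inline profile for client $2 from PKI dir $1 and server $3 to stdout.
# key-direction 1 replaces the trailing 1 of the guide's tls-auth line;
# remote-cert-tls server makes the client reject a peer cert without the server EKU.
bundle_profile() {
    pki=$1; name=$2; server=$3
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$pki/ta.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
key-direction 1
verb 3
<ca>
$(pem "$pki/ca.crt")
</ca>
<cert>
$(pem "$pki/issued/$name.crt")
</cert>
<key>
$(pem "$pki/private/$name.key")
</key>
<tls-auth>
$(pem "$pki/ta.key")
</tls-auth>
EOF
}
# Usage on the server: sh make-client.sh client2 SERVER_PUBLIC_IP > client2.ovpn
if [ $# -eq 2 ]; then
    issue_client "$1"
    bundle_profile "$HOME/openvpn-ca/pki" "$1" "$2"
fi
```

Copy the resulting client2.ovpn to the client and start it with sudo openvpn --config client2.ovpn; the profile contains the private key, so transfer it over scp and delete the server-side copy once it is installed.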
Useful commands
sudo systemctl status openvpn@server
sudo tail -f /var/log/openvpn/openvpn.log
sudo cat /var/log/openvpn/openvpn-status.log # connected clients