Setting Up a VPN Server on Linux using OpenVPN
Jul 27, 2025 02:34 AM

To set up an OpenVPN server on Linux, first install OpenVPN and Easy-RSA with sudo apt update and sudo apt install openvpn easy-rsa; then create a PKI directory and initialize it with ./easyrsa init-pki; build a CA using ./easyrsa build-ca; generate the server certificate and key via ./easyrsa gen-req server nopass and sign it with ./easyrsa sign-req server server; create Diffie-Hellman parameters with ./easyrsa gen-dh and an HMAC key using openvpn --genkey --secret ta.key; generate client certificates like ./easyrsa gen-req client1 nopass and sign them with ./easyrsa sign-req client client1; copy all required files (ca.crt, server.crt, server.key, ta.key, dh.pem) to /etc/openvpn/server/; create a server configuration file at /etc/openvpn/server/server.conf with proper settings for port, protocol, device, certificates, and routing; enable IP forwarding by setting net.ipv4.ip_forward=1 in /etc/sysctl.conf and applying it with sudo sysctl -p; configure the firewall (e.g., UFW) to allow UDP port 1194 and SSH, and add NAT rules in /etc/ufw/before.rules to masquerade traffic from the VPN subnet; reload the firewall with sudo ufw disable && sudo ufw enable; start and enable the OpenVPN service using sudo systemctl start openvpn-server@server and sudo systemctl enable openvpn-server@server; verify operation with sudo systemctl status openvpn-server@server; create a client .ovpn file containing client directives and embedded certificates and keys; securely transfer the .ovpn file to the client device and import it into an OpenVPN client; finally, troubleshoot connectivity issues by checking port forwarding, firewall/NAT rules, system logs via sudo tail -f /var/log/syslog, and ensure time synchronization via NTP. Once completed, the OpenVPN server provides a secure, encrypted tunnel for remote access.
Setting up a VPN server on Linux using OpenVPN is a solid way to secure your internet connection, access your home network remotely, or protect your privacy. While newer tools like WireGuard are gaining popularity, OpenVPN remains reliable, well-documented, and widely supported. Here’s how to set it up step by step on a typical Linux server (we’ll use Ubuntu/Debian, but the process is similar on other distros).

1. Install OpenVPN and Easy-RSA
First, update your system and install OpenVPN along with Easy-RSA, which helps manage certificates:
sudo apt update
sudo apt install openvpn easy-rsa
Easy-RSA handles the creation of a Certificate Authority (CA) and generates certificates for the server and clients.

2. Set Up the Certificate Authority (CA)
Create a directory to manage certificates:
mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
chmod 700 ~/easy-rsa
Initialize the PKI (Public Key Infrastructure):

cd ~/easy-rsa
./easyrsa init-pki
Build the CA. You’ll be prompted to enter a passphrase and common name:
./easyrsa build-ca
Note: Keep the CA key (ca.key) secure. If compromised, your entire VPN security is at risk.
3. Generate Server Certificate and Key
Generate a certificate request and sign it:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
This creates server.crt (under pki/issued/) and server.key (under pki/private/) in the pki directory.
Also generate Diffie-Hellman parameters (can take a few minutes):
./easyrsa gen-dh
And generate an HMAC key for added security:
openvpn --genkey --secret ta.key
4. Generate Client Certificates
Each device connecting to the VPN needs its own certificate. For a client named "client1":
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
You’ll get client1.crt and client1.key.
5. Copy Files to OpenVPN Directory
Move the generated files to /etc/openvpn/server:
cd ~/easy-rsa/pki
sudo cp ca.crt issued/server.crt private/server.key dh.pem ../ta.key /etc/openvpn/server/
6. Configure the OpenVPN Server
Create a server configuration file:
sudo nano /etc/openvpn/server/server.conf
Add the following (adjust as needed):
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Note: explicit-exit-notify 1 should be omitted if the server uses TCP or runs on a client. The comp-lzo directive is deprecated in current OpenVPN releases, and compressing traffic before encryption is discouraged because it can leak information about the plaintext; if you drop it here, drop it from the client configuration as well, since both sides must agree on compression.
7. Enable IP Forwarding and Configure Firewall
Enable IP forwarding:
sudo nano /etc/sysctl.conf
Uncomment or add:
net.ipv4.ip_forward=1
Apply the change:
sudo sysctl -p
Configure ufw or iptables to allow traffic. If using ufw, edit /etc/ufw/sysctl.conf and ensure:
net/ipv4/ip_forward=1
Then add rules:
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
Edit /etc/ufw/before.rules and add NAT rules before the *filter section:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
Replace eth0 with your main network interface (use ip a to check).
Reload UFW:
sudo ufw disable && sudo ufw enable
8. Start and Enable OpenVPN Service
Start the OpenVPN server:
sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server
Check status:
sudo systemctl status openvpn-server@server
9. Create Client Configuration Files
On the server, create a base client config, e.g., client1.ovpn:
client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 3
<ca>
[contents of ca.crt]
</ca>
<cert>
[contents of client1.crt]
</cert>
<key>
[contents of client1.key]
</key>
<tls-auth>
[contents of ta.key]
</tls-auth>
key-direction 1
To print the file contents for pasting between the tags (the client certificate and key live in the issued/ and private/ subdirectories of the PKI), use:
cat ~/easy-rsa/pki/ca.crt
cat ~/easy-rsa/pki/issued/client1.crt
cat ~/easy-rsa/pki/private/client1.key
cat ~/easy-rsa/ta.key
Copy the .ovpn file securely to your device and use an OpenVPN client (like OpenVPN Connect) to import it.
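Pasting certificate blocks by hand is where most client profiles go wrong (a cipher or compression setting that differs from the server, or a wrong key direction). The script below is an added example, not part of the original article: the hypothetical make_ovpn function reads proto, port, cipher, auth and comp-lzo from the server's own server.conf, embeds the PKI files from the Easy-RSA 3 layout used above (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key, and ta.key next to the pki directory), and refuses to build a profile if any file is missing or the server lacks tls-auth.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: build an inline client
# profile from the server's own server.conf so proto, port, cipher, auth and
# compression always match the server, and embed the PKI material.
# Assumes the Easy-RSA 3 layout used above: pki/ca.crt, pki/issued/<name>.crt,
# pki/private/<name>.key, and ta.key next to the pki directory.
set -u

# conf_value FILE DIRECTIVE: first argument of DIRECTIVE in FILE, empty if absent
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# make_ovpn EASYRSA_DIR SERVER_CONF CLIENT_NAME SERVER_HOST: profile on stdout
make_ovpn() {
    local dir="$1" conf="$2" name="$3" host="$4" f
    local ca="$dir/pki/ca.crt" crt="$dir/pki/issued/$name.crt"
    local key="$dir/pki/private/$name.key" ta="$dir/ta.key"
    for f in "$conf" "$ca" "$crt" "$key" "$ta"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done
    # key-direction 1 below only makes sense if the server really uses tls-auth
    grep -q '^tls-auth ' "$conf" || { echo "make_ovpn: no tls-auth in $conf" >&2; return 1; }
    local proto port cipher auth
    proto=$(conf_value "$conf" proto); port=$(conf_value "$conf" port)
    cipher=$(conf_value "$conf" cipher); auth=$(conf_value "$conf" auth)
    printf 'client\ndev tun\nproto %s\nremote %s %s\n' "${proto:-udp}" "$host" "${port:-1194}"
    printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\nremote-cert-tls server\n'
    [ -n "$cipher" ] && printf 'cipher %s\n' "$cipher"
    [ -n "$auth" ] && printf 'auth %s\n' "$auth"
    # Carry compression over only if the server enables it; a mismatch breaks the tunnel
    grep -q '^comp-lzo' "$conf" && echo comp-lzo
    echo 'verb 3'
    printf '<ca>\n%s\n</ca>\n' "$(cat "$ca")"
    printf '<cert>\n%s\n</cert>\n' "$(cat "$crt")"
    printf '<key>\n%s\n</key>\n' "$(cat "$key")"
    # Server side is "tls-auth ta.key 0", so every client uses direction 1
    printf '<tls-auth>\n%s\n</tls-auth>\nkey-direction 1\n' "$(cat "$ta")"
}

# Usage: make_ovpn ~/easy-rsa /etc/openvpn/server/server.conf client1 your_server_ip > client1.ovpn
if [ "$#" -eq 4 ]; then make_ovpn "$@"; fi
```

The resulting file contains the client's private key, so hand it to the device over an authenticated channel (scp, or a password manager's secure share) rather than e-mail.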
10. Troubleshooting Tips
- Make sure port 1194 is open on your router and firewall.
- If clients can't reach the internet, double-check IP forwarding and NAT rules.
- Use sudo tail -f /var/log/syslog to monitor OpenVPN logs.
- Ensure time is synchronized (NTP) — certificate validation fails if clocks are off.
Setting up OpenVPN isn’t trivial, but once configured, it’s stable and secure. While it involves many steps, each one plays a role in encryption, authentication, and routing. With everything in place, you’ll have a private, encrypted tunnel to your network.
Basically, just don’t lose your keys.
The above is the detailed content of Setting Up a VPN Server on Linux using OpenVPN. For more information, please follow other related articles on the PHP Chinese website!