
OpenVPN: VPN Server on Linux

Install and configure an OpenVPN server on Linux. Securely connect your devices and access the server's private network remotely.

OpenVPN is one of the most widely deployed open source VPN protocols. Compared with WireGuard it is slower and more complex to configure, but it runs on practically every platform and can be tunnelled over TCP 443, which matters on networks that block UDP. The openvpn-install script gets a working server up in about five minutes.


Quick Installation (Automatic Script)

The simplest and most reliable way. The script runs as root and changes your firewall, sysctl and systemd settings, so read it before executing it:

# Download the script
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh

# Run as root
bash openvpn-install.sh

The script asks for:

  • Server IP (auto-detects public IP) and whether to enable IPv6
  • Port (default 1194) and protocol (UDP unless the network blocks it)
  • DNS for clients (recommended: Cloudflare 1.1.1.1 or Google 8.8.8.8)
  • Compression: answer no (the script itself warns that the VORACLE attack relies on it)
  • Whether to customise the encryption settings (the defaults are sane; keep them)
  • First client name (e.g., my-pc) and whether to protect its key with a password

When done, it generates a .ovpn file ready to import in the client.

Adding Other Clients

Re-run bash openvpn-install.sh anytime: the script detects the existing installation and offers to add/remove clients or uninstall.


Manual Installation

Install Packages

apt update
apt install openvpn easy-rsa -y

PKI Setup (Certificate Infrastructure)

mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa

# Initialize the PKI
./easyrsa init-pki

# Create the Certificate Authority (CA).
# "nopass" leaves the CA private key unencrypted on the VPN host: anyone who can
# read pki/private/ca.key can mint valid client certificates. Outside a lab, omit
# "nopass" and set a passphrase, or keep the CA on a separate machine.
./easyrsa build-ca nopass

# Generate server certificate
./easyrsa build-server-full server nopass

# Generate Diffie-Hellman parameters (takes a few minutes)
./easyrsa gen-dh

# Generate the TLS-Auth key that gates the control channel
# (on OpenVPN 2.4 the syntax is: openvpn --genkey --secret /etc/openvpn/ta.key)
openvpn --genkey secret /etc/openvpn/ta.key

# Copy necessary files
cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem /etc/openvpn/

Server Configuration

cat > /etc/openvpn/server.conf << 'EOF'
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"

keepalive 10 120
cipher AES-256-GCM
auth SHA256
# No "compress" line on purpose: compression inside the tunnel lets an attacker who
# can inject chosen plaintext run a VORACLE-style compression-oracle attack, and
# OpenVPN's own documentation advises against enabling it.

user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
verb 3
EOF
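Before starting the service it is worth checking the file you just wrote against the handful of settings behind most OpenVPN incidents. The shell linter below is an added example, not code from this page or from the OpenVPN project; the function names (audit_openvpn_conf, audit_findings_count, write_sample_configs) are mine, and the two sample configurations it writes are constructed for the demonstration rather than taken from a real server. Run it against /etc/openvpn/server.conf; anything it prints is worth fixing before you hand out client profiles.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from OpenVPN): lint an OpenVPN server.conf
# for the settings a reviewer checks first. Prints one finding per line and
# nothing when the file is clean, so the count can gate a deploy.

audit_openvpn_conf() {
  local conf=$1 body
  # Drop comments and blank lines so every check sees the same view of the file.
  body=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$conf")

  # has REGEX: true if some directive line matches REGEX as a whole line.
  has() { printf '%s\n' "$body" | grep -Eq "^[[:space:]]*($1)[[:space:]]*$"; }

  # Compression inside the tunnel is a VORACLE-style compression oracle.
  if has 'compress[[:space:]]+(lzo|lz4|lz4-v2)' || has 'comp-lzo([[:space:]]+(yes|adaptive))?'; then
    echo "compression enabled: remove 'compress'/'comp-lzo' on server and clients"
  fi
  # Without tls-auth/tls-crypt any Internet host can talk to the TLS stack directly.
  has 'tls-(auth|crypt|crypt-v2)[[:space:]]+.+' ||
    echo "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"
  # Revoked client certificates are still accepted unless a CRL is checked.
  has 'crl-verify[[:space:]]+.+' ||
    echo "no crl-verify: revoking a client certificate will have no effect"
  # Legacy 64-bit block ciphers (SWEET32) or no encryption at all.
  if has '(cipher|data-ciphers)[[:space:]]+.*(BF-CBC|DES|RC2|CAST5|none).*'; then
    echo "weak data-channel cipher: use AES-GCM or CHACHA20-POLY1305"
  fi
  has 'tls-version-min[[:space:]]+1\.[23]' ||
    echo "no tls-version-min 1.2: older builds will still accept TLS 1.0/1.1"
  if ! has 'user[[:space:]]+.+' || ! has 'group[[:space:]]+.+'; then
    echo "no user/group: the daemon keeps root after startup"
  fi
  has 'duplicate-cn' &&
    echo "duplicate-cn: one certificate can serve many devices, defeating per-device revocation"
  return 0
}

# Number of findings, for use in scripts: 0 means clean.
audit_findings_count() { audit_openvpn_conf "$1" | wc -l | tr -d ' '; }

# Constructed sample configs (not real deployments) that exercise the linter:
# weak.conf trips every check, hardened.conf trips none.
write_sample_configs() {
  local dir=$1
  cat > "$dir/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC        # legacy default of old OpenVPN releases
comp-lzo
duplicate-cn
keepalive 10 120
verb 3
EOF
  cat > "$dir/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
crl-verify crl.pem
tls-version-min 1.2
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
user nobody
group nogroup
keepalive 10 120
verb 3
EOF
}

# Usage on a real host:
#   audit_openvpn_conf /etc/openvpn/server.conf
```

The checks are deliberately whole-line matches after comment stripping, so a commented-out `# comp-lzo` does not count as enabled and `comp-lzo no` (framing only, no compression) is not flagged either.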

Enable IP Forwarding and NAT

# IP forwarding (a drop-in file survives upgrades and does not duplicate on re-runs)
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-openvpn.conf
sysctl --system

# NAT: $IFACE is the interface carrying the default route (check it with "ip route")
IFACE=$(ip route get 8.8.8.8 | grep -oP 'dev \K\S+')
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$IFACE" -j MASQUERADE

# Forwarding rules: required whenever the FORWARD chain policy is DROP (ufw sets it so);
# without them clients connect fine but reach nothing beyond the server
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -o "$IFACE" -j ACCEPT
iptables -A FORWARD -i "$IFACE" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Make iptables rules persistent
apt install iptables-persistent -y
netfilter-persistent save

ufw and iptables-persistent each restore their own ruleset at boot and the later one wins, so use only one of them. If you plan to enable ufw (see Firewall below), skip iptables-persistent and put the MASQUERADE rule in the *nat section of /etc/ufw/before.rules instead.

Start the Service

systemctl enable --now openvpn@server
systemctl status openvpn@server

Add a Client

cd /etc/openvpn/easy-rsa

# Generate certificate for the client
./easyrsa build-client-full clientname nopass

# Create the .ovpn file
cat > /root/clientname.ovpn << EOF
client
dev tun
proto udp
remote SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
# compression deliberately left off (VORACLE); do not let the server push it either
verb 3
key-direction 1
<ca>
$(cat /etc/openvpn/easy-rsa/pki/ca.crt)
</ca>
<cert>
$(cat /etc/openvpn/easy-rsa/pki/issued/clientname.crt)
</cert>
<key>
$(cat /etc/openvpn/easy-rsa/pki/private/clientname.key)
</key>
<tls-auth>
$(cat /etc/openvpn/ta.key)
</tls-auth>
EOF

Download the .ovpn file to your device via SCP. The file embeds the client's private key, so treat it like a password: move it over SSH only, issue one certificate per device instead of sharing a profile, and delete the copy in /root once it is on the device:

scp root@SERVER_IP:/root/clientname.ovpn ./

Clients

  • Windows/Mac/Linux: OpenVPN Connect or Tunnelblick (Mac)
  • Android/iOS: OpenVPN Connect from app store
  • Linux CLI: openvpn --config clientname.ovpn

Revoke a Client

cd /etc/openvpn/easy-rsa
./easyrsa revoke clientname
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/
# easy-rsa writes files with a restrictive umask; the server re-reads the CRL as the
# unprivileged user (nobody), so the file must be readable by that user or every
# client will be rejected with "CRL: cannot read"
chmod 644 /etc/openvpn/crl.pem

# Add to server.conf if not there, then restart. The restart is only needed the first
# time: OpenVPN picks up a replaced crl.pem at the next handshake on its own.
grep -q '^crl-verify' /etc/openvpn/server.conf || echo "crl-verify crl.pem" >> /etc/openvpn/server.conf
systemctl restart openvpn@server

Two caveats. A revoked client that is already connected keeps its session until the next TLS renegotiation (reneg-sec, default 3600 seconds) or a server restart, so check the status log after revoking. The CRL also carries an expiry date (easy-rsa defaults to 180 days); once it has passed, OpenVPN rejects every client, so regenerate and copy the CRL on a schedule.
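Revoking a certificate does not end the session that certificate already holds. The helpers below are an added example, not part of this page or of OpenVPN: they read the file written by the `status` directive in server.conf (format status-version 1, OpenVPN's default), list who is connected, and kill a session by common name. The kill step assumes `management 127.0.0.1 7505` has been added to server.conf, which the page's configuration does not include, and that nc is installed; `kill <cn>` is the management-interface command OpenVPN provides for this. The sample status file written by write_sample_status is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from OpenVPN): parse the status file
# (status-version 1) and confirm a revoked client is really gone.

# connected_clients FILE: print "CN real_address connected_since", one session per line.
connected_clients() {
  awk -F, '
    /^OpenVPN CLIENT LIST/ { section = "clients"; next }
    /^ROUTING TABLE/       { section = "routes";  next }
    section == "clients" && NF >= 5 && $1 != "Common Name" && $1 != "Updated" {
      print $1, $2, $5
    }
  ' "$1"
}

# connected_count FILE: number of live sessions.
connected_count() { connected_clients "$1" | wc -l | tr -d ' '; }

# is_connected FILE CN: exit 0 if CN has a live session, 1 otherwise.
is_connected() {
  connected_clients "$1" | awk -v cn="$2" '$1 == cn { found = 1 } END { exit !found }'
}

# kill_session CN: terminate a live session through the management interface.
# ASSUMPTION: server.conf contains "management 127.0.0.1 7505" (not in the page's
# config). "kill <cn>" is OpenVPN's management command for this; "quit" closes the
# control connection afterwards.
kill_session() {
  printf 'kill %s\nquit\n' "$1" | nc 127.0.0.1 7505
}

# Constructed sample status file (two sessions) in the format the server writes.
write_sample_status() {
  cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,2024-05-01 10:15:00
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
my-pc,203.0.113.5:51820,184322,920110,2024-05-01 09:02:11
old-laptop,198.51.100.7:40021,5511,8302,2024-05-01 10:01:45
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,my-pc,203.0.113.5:51820,2024-05-01 10:14:58
10.8.0.3,old-laptop,198.51.100.7:40021,2024-05-01 10:14:30
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Usage on a real host, after "./easyrsa revoke old-laptop":
#   is_connected /var/log/openvpn/openvpn-status.log old-laptop && kill_session old-laptop
```

The status file is rewritten every 60 seconds by default (the `status` directive's second argument changes the interval), so a just-killed session can linger in it for up to a minute; the management interface's own `status` command shows the live view.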

Firewall

ufw allow 1194/udp
ufw allow OpenSSH
# ufw's default FORWARD policy is DROP, so traffic from the tunnel to the uplink must
# be allowed explicitly (replace eth0 with the interface found in the NAT step)
ufw route allow in on tun0 out on eth0
ufw enable

With ufw in charge of the ruleset, the MASQUERADE rule belongs in the *nat section of /etc/ufw/before.rules rather than in iptables-persistent, otherwise the two will overwrite each other at boot.

WireGuard vs OpenVPN

                         | WireGuard                                                        | OpenVPN
Speed                    | ✅ Much faster                                                   | ⚠️ Slower
Simplicity               | ✅ Minimal configuration                                         | ⚠️ More complex
Compatibility            | ⚠️ In the Linux kernel since 5.6; older kernels need the out-of-tree module or wireguard-go | ✅ Works everywhere
Blocked corporate ports  | ❌ UDP only                                                      | ✅ Can use TCP 443
Audit                    | ⚠️ Younger, much smaller codebase                                 | ✅ Audited for years

For personal use on modern servers: WireGuard. For corporate environments or networks that block UDP: OpenVPN, on TCP 443 if necessary.
