VPN Setup with OpenVPN on a Linux Server

This comprehensive guide walks you through every step necessary to deploy and secure a robust VPN solution using OpenVPN on a Linux server. From prerequisites to advanced hardening and client configuration, you will gain the knowledge to serve remote users with confidentiality, integrity, and availability.

Table of Contents

  • Prerequisites
  • Installation and Initial Setup
  • PKI Infrastructure with Easy-RSA
  • Server Configuration
  • Network and Firewall Configuration
  • Client Configuration
  • Testing and Troubleshooting
  • Security Best Practices
  • Further Reading References

1. Prerequisites

  • A Linux server (Debian, Ubuntu, CentOS, RHEL) with root or sudo privileges.
  • Basic networking knowledge (IP addressing, routing, NAT).
  • Familiarity with command-line and editing files (vim, nano).
  • An inbound port reachable from the Internet: UDP 1194 by default, or whichever port and protocol (UDP or TCP) you configure instead.

2. Installation and Initial Setup

2.1. Update System Packages

sudo apt update && sudo apt upgrade   # Debian/Ubuntu
sudo yum update                       # CentOS/RHEL

2.2. Install OpenVPN and Easy-RSA

sudo apt install openvpn easy-rsa                                    # Debian/Ubuntu
sudo yum install epel-release && sudo yum install openvpn easy-rsa   # CentOS/RHEL (easy-rsa comes from EPEL)

3. PKI Infrastructure with Easy-RSA

Easy-RSA simplifies certificate authority (CA) management.

3.1. Set Up Easy-RSA Directory

make-cadir ~/openvpn-ca    # Debian/Ubuntu helper; on CentOS/RHEL use: cp -r /usr/share/easy-rsa/3 ~/openvpn-ca
cd ~/openvpn-ca

3.2. Customize vars File

Edit vars (if the directory only contains vars.example, copy it to vars first) to reflect your organization:

set_var EASYRSA_REQ_COUNTRY    US
set_var EASYRSA_REQ_PROVINCE   California
set_var EASYRSA_REQ_CITY       San Francisco
set_var EASYRSA_REQ_ORG        MyCompany
set_var EASYRSA_REQ_EMAIL      admin@mycompany.com
set_var EASYRSA_REQ_OU         IT
  

3.3. Build the CA and Server Certificates

  1. Initialize the PKI and build the CA. nopass leaves the CA private key unencrypted; drop it (and keep the CA directory off the VPN server) unless the CA is a throwaway for a lab:
    ./easyrsa init-pki
    ./easyrsa build-ca nopass
  2. Generate the server key/cert, Diffie-Hellman parameters and the TLS-Auth key. The "server" argument to sign-req sets the serverAuth extended key usage, which is what clients check when told remote-cert-tls server:
    ./easyrsa gen-req server nopass
    ./easyrsa sign-req server server
    ./easyrsa gen-dh
    openvpn --genkey --secret ta.key    # TLS-Auth key (OpenVPN 2.5+ spells this: openvpn --genkey secret ta.key)
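
The difference between sign-req server and sign-req client is the certificate type (the extendedKeyUsage extension). It matters because a client can be told to refuse any peer whose certificate is not a server certificate (OpenVPN's remote-cert-tls server directive), so a stolen client certificate cannot be used to impersonate the VPN server. The script below, added here as an example and not part of the original article, reproduces that with plain openssl (no easyrsa required): it builds a throwaway CA, issues one server-type and one client-type certificate, and checks which one passes the same "usable as a TLS server" test. The CA name, file names and temporary directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce with plain openssl
# what Easy-RSA's "sign-req server" versus "sign-req client" do (the server
# type adds extendedKeyUsage=serverAuth), then show which certificate passes
# the check that a client's "remote-cert-tls server" directive performs.
# The CA name, file names and temp directory are assumptions for this demo.
set -eu

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Issue a leaf certificate signed by the demo CA in $1.
# usage: issue_leaf <dir> <name> <serverAuth|clientAuth>
issue_leaf() {
  ldir=$1; lname=$2; eku=$3
  openssl req -new -config "$ldir/demo.cnf" -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$ldir/$lname.key" -out "$ldir/$lname.csr" -subj "/CN=$lname" 2>/dev/null
  # the EKU is the only difference between a "server" and a "client" cert here
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$ldir/$lname.ext"
  openssl x509 -req -in "$ldir/$lname.csr" -CA "$ldir/ca.crt" -CAkey "$ldir/ca.key" \
    -CAcreateserial -days 365 -extfile "$ldir/$lname.ext" -out "$ldir/$lname.crt" 2>/dev/null
}

# Build CA + "server" + "client1" certificates in a fresh temp dir; print its path.
make_demo_pki() {
  pdir=$(mktemp -d)
  write_cnf "$pdir/demo.cnf"
  openssl req -x509 -new -config "$pdir/demo.cnf" -extensions v3_ca -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 365 \
    -keyout "$pdir/ca.key" -out "$pdir/ca.crt" -subj "/CN=Demo VPN CA" 2>/dev/null
  issue_leaf "$pdir" server serverAuth
  issue_leaf "$pdir" client1 clientAuth
  printf '%s\n' "$pdir"
}

# Exit 0 if the certificate chains to the CA and is usable as a TLS server,
# which is what remote-cert-tls server requires of the peer; non-zero otherwise.
# A perfectly valid client certificate fails this, so a stolen client1.key
# cannot be used to stand up a rogue "VPN server" for other clients.
cert_is_valid_server() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$2" >/dev/null 2>&1
}

demo() {
  d=$(make_demo_pki)
  cert_is_valid_server "$d" "$d/server.crt"  && echo "server.crt:  accepted as server"
  cert_is_valid_server "$d" "$d/client1.crt" || echo "client1.crt: rejected as server (clientAuth only)"
  rm -rf "$d"
}

demo
```

The same check can be run against a real Easy-RSA output with openssl verify -CAfile pki/ca.crt -purpose sslserver pki/issued/server.crt; a certificate signed with sign-req client will fail it with "unsupported certificate purpose".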

4. Server Configuration

4.1. Create server.conf

port 1194
proto udp
dev tun

# relative paths resolve against /etc/openvpn, the working directory of the openvpn@server unit
ca      pki/ca.crt
cert    pki/issued/server.crt
key     pki/private/server.key
dh      pki/dh.pem
tls-auth ta.key 0

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# multi-word push options must be quoted
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"

keepalive 10 120
# AEAD data cipher and TLS 1.2 minimum, as recommended under Security Best Practices
cipher AES-256-GCM
tls-version-min 1.2
# drop privileges after start-up; CentOS/RHEL have no "nogroup", use "group nobody" there
user nobody
group nogroup
persist-key
persist-tun
# written as /etc/openvpn/openvpn-status.log
status openvpn-status.log
verb 3

4.2. File Placement

  • /etc/openvpn/server.conf (configuration file; the systemd unit openvpn@server uses /etc/openvpn as its working directory, so the relative paths above resolve there)
  • /etc/openvpn/pki/ (ca.crt, issued/server.crt, private/server.key and dh.pem copied from ~/openvpn-ca/pki; do not copy ca.key, the server never needs it)
  • /etc/openvpn/ta.key (TLS auth secret)

Keep server.key and ta.key owned by root with mode 0600: OpenVPN reads them before dropping privileges to nobody. Distributions that ship openvpn-server@.service (newer CentOS/RHEL builds) expect the files under /etc/openvpn/server/ and the unit name openvpn-server@server instead.

5. Network and Firewall Configuration

5.1. Enable IP Forwarding

echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

5.2. Configure Firewall (iptables example)

# eth0 is the Internet-facing interface; substitute your NIC name (ip route get 1.1.1.1 shows it)
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
# only replies to client-initiated connections may enter the tunnel; a plain
# "-i eth0 -o tun0 -j ACCEPT" would forward anything the kernel routes toward the clients
sudo iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables-save | sudo tee /etc/iptables.rules
# these rules do not survive a reboot: restore them at boot with the iptables-persistent
# package or a systemd unit that runs "iptables-restore < /etc/iptables.rules"

6. Client Configuration

6.1. Generate Client Certificate and Key

cd ~/openvpn-ca
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
  

6.2. Create Client .ovpn Profile

client
dev tun
proto udp
remote your.server.ip 1194
resolv-retry infinite
nobind

persist-key
persist-tun

# accept only a server whose certificate was issued with "sign-req server"
remote-cert-tls server

<ca>
... contents of ca.crt ...
</ca>

<cert>
... contents of client1.crt (the -----BEGIN CERTIFICATE----- block only; Easy-RSA prepends a text dump that some clients reject) ...
</cert>

<key>
... contents of client1.key ...
</key>

<tls-auth>
... contents of ta.key ...
</tls-auth>

# the server uses direction 0, every client direction 1
key-direction 1

cipher AES-256-GCM
verb 3
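
Pasting four files into a profile by hand is error-prone, and Easy-RSA's issued/client1.crt is not pure PEM: it starts with a human-readable dump of the certificate that some client apps refuse inside the cert block. The script below, added here as an example and not part of the original article, builds the single-file profile from the Easy-RSA layout used in this guide, extracting only the PEM block of each file. The server host name and the fixture files it creates for demonstration are assumptions, not real key material.

```shell
#!/bin/sh
# Added example, not from the original article: assemble a single-file client
# profile by inlining the PEM material between <ca>, <cert>, <key> and
# <tls-auth> tags. Paths follow the Easy-RSA layout used above; the server
# host name and the fixture files are assumptions for this demo.
set -eu

# pem_block <file>: print only the -----BEGIN ... -----END block of a file.
# Easy-RSA's issued/<name>.crt carries a human-readable certificate dump before
# the PEM block, which some client apps refuse inside <cert>; ta.key carries a
# comment header. Fail if the file holds no PEM block at all.
pem_block() {
  blk=$(sed -n '/^-----BEGIN /,/^-----END /p' "$1")
  [ -n "$blk" ] || { echo "pem_block: no PEM block in $1" >&2; return 1; }
  printf '%s\n' "$blk"
}

# build_client_profile <name> <server-host> <pki-dir> <ta.key>  > <name>.ovpn
build_client_profile() {
  name=$1; host=$2; pki=$3; ta=$4
  cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# refuse servers whose certificate lacks the serverAuth EKU set by "sign-req server"
remote-cert-tls server
# ta.key direction: the server uses 0, clients 1
key-direction 1
cipher AES-256-GCM
verb 3
EOF
  echo '<ca>';       pem_block "$pki/ca.crt";             echo '</ca>'
  echo '<cert>';     pem_block "$pki/issued/$name.crt";   echo '</cert>'
  echo '<key>';      pem_block "$pki/private/$name.key";  echo '</key>'
  echo '<tls-auth>'; pem_block "$ta";                     echo '</tls-auth>'
}

# Constructed fixture (not real key material) that mimics the Easy-RSA layout,
# including the text dump Easy-RSA prepends to an issued certificate.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/issued" "$d/private"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMOCA' '-----END CERTIFICATE-----' > "$d/ca.crt"
  printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
    '-----BEGIN CERTIFICATE-----' 'DEMOCLIENT' '-----END CERTIFICATE-----' > "$d/issued/client1.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'DEMOKEY' '-----END PRIVATE KEY-----' > "$d/private/client1.key"
  printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
    '-----BEGIN OpenVPN Static key V1-----' 'DEMOTA' '-----END OpenVPN Static key V1-----' > "$d/ta.key"
  printf '%s\n' "$d"
}

demo() {
  fx=$(make_fixture)
  build_client_profile client1 vpn.example.com "$fx" "$fx/ta.key"
  rm -rf "$fx"
}
demo
```

Against a real CA directory the call is build_client_profile client1 your.server.ip ~/openvpn-ca/pki ~/openvpn-ca/ta.key > client1.ovpn; the resulting file contains the client's private key, so hand it to the user over an authenticated channel and delete local copies afterwards.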

7. Testing and Troubleshooting

  • Check server status: sudo systemctl status openvpn@server
  • View logs: sudo journalctl -u openvpn@server, or the status file named in server.conf (cat /etc/openvpn/openvpn-status.log with the configuration above), which lists each connected client's common name, real address and byte counters.
  • Verify the client connection with ping 10.8.0.1 (the server's tunnel address), then test Internet routing from the client; with redirect-gateway pushed, the client's public IP should now be the VPN server's.
  • Firewall issues: first confirm the daemon is listening (sudo ss -ulnp | grep 1194), then test from outside. nc -zuv your.server.ip 1194 is only a rough UDP check (it reports success unless an ICMP unreachable comes back); a client connection attempt with verb 4 on both ends is the definitive test.

8. Security Best Practices

  • Use strong ciphers: AES-256-GCM on the data channel (cipher AES-256-GCM; on OpenVPN 2.5+ also data-ciphers AES-256-GCM:AES-128-GCM) and TLS 1.2 or newer on the control channel (tls-version-min 1.2).
  • Rotate keys periodically and revoke compromised certificates: ./easyrsa revoke client1, then ./easyrsa gen-crl, copy pki/crl.pem to /etc/openvpn/pki/ and add crl-verify pki/crl.pem to server.conf; without crl-verify the server keeps accepting the revoked certificate. Keep the CRL readable by the unprivileged user, since it is re-read on every connection.
  • Restrict the management interface (bind it to 127.0.0.1 or a Unix socket, never to a public address) and disable unused protocols.
  • Implement logging and monitoring (fail2ban, logwatch).
  • Lock down SSH, use key-based auth and 2FA.
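
Most of the points above are visible in server.conf itself, so they can be checked before the file is deployed. The script below, added here as an example and not part of the original article, audits a server.conf for the control-channel, data-channel, revocation, management-interface and privilege-drop settings discussed in this section. The directive names it greps for are real OpenVPN options (tls-version-min, tls-auth/tls-crypt, cipher and data-ciphers, crl-verify, management, user/group); the two sample configurations it writes are constructed for the demo, the first mirroring this guide's server.conf plus an exposed management port.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-deployment audit of a
# server.conf against the hardening points above. The directive names are real
# OpenVPN 2.4/2.5 options; the sample configs below are constructed for the demo.
set -eu

# has_directive <file> <regex>: true if some line starts with the directive.
has_directive() {
  grep -Eq "^[[:space:]]*$2" "$1"
}

# Print one "WARN: ..." line per weakness found; return 1 if any, 0 if clean.
audit_openvpn_conf() {
  f=$1; n=0
  warn() { echo "WARN: $1"; n=$((n + 1)); }

  has_directive "$f" 'tls-version-min[[:space:]]+1\.[23]' ||
    warn "tls-version-min 1.2 missing: TLS 1.0/1.1 handshakes are still accepted"

  has_directive "$f" '(tls-auth|tls-crypt)[[:space:]]' ||
    warn "no tls-auth/tls-crypt: the port answers handshakes from anyone"

  # a CBC cipher is acceptable only as a fallback behind a data-ciphers list
  if has_directive "$f" 'cipher[[:space:]]+AES-[0-9]+-CBC' && ! has_directive "$f" 'data-ciphers'; then
    warn "legacy CBC data cipher: prefer AES-256-GCM (cipher / data-ciphers)"
  fi

  has_directive "$f" 'crl-verify[[:space:]]' ||
    warn "crl-verify missing: revoked client certificates still connect"

  # management lines not bound to loopback or a unix socket path
  if grep -E '^[[:space:]]*management[[:space:]]' "$f" | grep -Evq '127\.0\.0\.1|localhost|[[:space:]]/'; then
    warn "management interface bound to a non-loopback address"
  fi

  if ! has_directive "$f" 'user[[:space:]]' || ! has_directive "$f" 'group[[:space:]]'; then
    warn "user/group not set: the daemon keeps running as root after start-up"
  fi

  [ "$n" -eq 0 ]
}

# Constructed sample configs: weak.conf mirrors the server.conf earlier in this
# article plus an exposed management port; hardened.conf applies the fixes.
write_sample_configs() {
  sdir=$(mktemp -d)
  cat > "$sdir/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca pki/ca.crt
cert pki/issued/server.crt
key pki/private/server.key
dh pki/dh.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
management 0.0.0.0 7505
persist-key
persist-tun
verb 3
EOF
  cat > "$sdir/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca pki/ca.crt
cert pki/issued/server.crt
key pki/private/server.key
dh pki/dh.pem
tls-crypt ta.key
tls-version-min 1.2
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
crl-verify pki/crl.pem
management 127.0.0.1 7505
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
  printf '%s\n' "$sdir"
}

demo() {
  d=$(write_sample_configs)
  for c in weak hardened; do
    echo "== $c.conf"
    audit_openvpn_conf "$d/$c.conf" && echo "OK: no findings"
  done
  rm -rf "$d"
}
demo
```

Run it as audit_openvpn_conf /etc/openvpn/server.conf before restarting the service; a non-zero exit makes it usable as a gate in a deployment script. The checks are textual, so a directive that is present but misspelled still has to be caught by openvpn --config server.conf itself.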

9. Further Reading References

By following this article, you will have a fully functional, secure VPN server based on OpenVPN that supports remote access, traffic encryption, and robust authentication. Tailor the configuration to your environment and always keep security at the forefront.
