
πŸ” Install OpenVPN Server

OpenVPN is a full-featured SSL VPN (virtual private network). It implements an OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is open source software distributed under the GNU GPL. A VPN lets you connect securely across an insecure public network, such as airport or hotel wifi. A VPN is also required to reach corporate, enterprise or home server resources. It can also bypass geo-blocked sites and improve your privacy and safety online.


📥 Installation

📦 Install OpenVPN

# install openvpn
wget https://git.io/vpn -O openvpn-install.sh
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh
Welcome to this OpenVPN road warrior installer!

Which protocol should OpenVPN use?
1) UDP (recommended)
2) TCP
Protocol [1]: 

What port should OpenVPN listen to?
Port [1194]: 

Select a DNS server for the clients:
1) Current system resolvers
2) Google
3) 1.1.1.1
4) OpenDNS
5) Quad9
6) AdGuard
DNS server [1]: 

Enter a name for the first client:
Name [client]: 

OpenVPN installation is ready to begin.
Press any key to continue...

Important

Select all recommended options: UDP, port 1194 and Current system resolvers.
It is highly recommended to use port forwarding on your router rather than exposing the default VPN port 1194 directly: forward a different external port to 1194 on the server and use that external port in the client profile.


βš™οΈ Configuration

Generate OpenVPN encryption and authentication keys

# 🔑 generate Diffie–Hellman parameters for secure key exchange
sudo openssl dhparam -out /etc/openvpn/server/dh2048.pem 2048

# 🧱 generate a shared TLS key for control-channel protection; the hardened server.conf below
#    references it as tc.key (tls-crypt), so create it under that name unless the installer already did
[ -f /etc/openvpn/server/tc.key ] || sudo openvpn --genkey tls-crypt /etc/openvpn/server/tc.key

Prepare and harden the OpenVPN server configuration

# 📋 start from the sample server.conf, dropping comment and blank lines (this overwrites the installer's server.conf);
#    a plain shell redirect would run as your user and be denied on /etc/openvpn/server, hence sudo tee
sudo grep -Ev '^(#|;|$)' /usr/share/doc/openvpn/examples/sample-config-files/server.conf \
| sudo tee /etc/openvpn/server/server.conf >/dev/null
sudo sed -i 's/[[:space:]]*#.*$//' /etc/openvpn/server/server.conf

# 🎯 bind (listen) only on a specific local IP address (use this server's LAN address)
sudo sed -i '1ilocal 192.168.1.20' /etc/openvpn/server/server.conf

# πŸ›‘οΈ tells clients to send all traffic through the VPN and add modern DNS
awk '
{print}
$0 ~ /server 10\.8\.0\.0 255\.255\.255\.0/ {
  print "push \"redirect-gateway def1 bypass-dhcp\""
  print "push \"block-outside-dns\""
  print "push \"dhcp-option DNS 1.1.1.1\""
  print "push \"dhcp-option DNS 9.9.9.9\""
}' /etc/openvpn/server/server.conf \
| tee /tmp/server.conf >/dev/null \
&& sudo mv /tmp/server.conf /etc/openvpn/server/server.conf

# 🌐 set network topology to subnet
awk '
{print}
$0 ~ /dh dh2048\.pem$/ {
  print "topology subnet"
}' /etc/openvpn/server/server.conf \
| tee /tmp/server.conf >/dev/null \
&& sudo mv /tmp/server.conf /etc/openvpn/server/server.conf

# 🔒 use SHA512 for HMAC authentication
awk '
{print}
$0 ~ /dh dh2048\.pem$/ {
  print "auth SHA512"
}' /etc/openvpn/server/server.conf \
| tee /tmp/server.conf >/dev/null \
&& sudo mv /tmp/server.conf /etc/openvpn/server/server.conf

# 🔒 upgrade the data channel to a modern AEAD cipher
awk '
$0 ~ /^cipher AES-256-CBC$/ {
  print "data-ciphers AES-256-GCM"
  print "data-ciphers-fallback AES-256-GCM"
  next
}{print}' /etc/openvpn/server/server.conf \
| tee /tmp/server.conf >/dev/null \
&& sudo mv /tmp/server.conf /etc/openvpn/server/server.conf

# 🔒 switch from tls-auth to tls-crypt (the control channel is encrypted as well as authenticated) and require TLS 1.2 or newer
awk '
$0 ~ /^tls-auth ta\.key 0$/ {
  print "tls-crypt tc.key"
  print "tls-version-min 1.2"
  next
}{print}' /etc/openvpn/server/server.conf \
| tee /tmp/server.conf >/dev/null \
&& sudo mv /tmp/server.conf /etc/openvpn/server/server.conf
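Before restarting the service it is worth confirming that the awk passes above actually produced the intended server.conf. The checker below is an added example, not part of this page or of OpenVPN: it assumes the file layout used above (certificates and keys beside server.conf in /etc/openvpn/server/) and exercises itself against a constructed sample config directory that it writes into a path you give it.

```shell
#!/bin/sh
# Added checker, not part of the page: audit a hardened server.conf before restarting OpenVPN.
# check_server_conf <server.conf> <config-dir>: prints OK/WARN/FAIL lines, returns 1 on any FAIL.
check_server_conf() {
  conf=$1; dir=$2; rc=0
  # directives the hardening steps above must have produced
  for want in 'data-ciphers AES-256-GCM' 'tls-crypt tc.key' 'tls-version-min 1.2' \
              'auth SHA512' 'topology subnet' 'push "redirect-gateway def1 bypass-dhcp"'; do
    if grep -qxF -- "$want" "$conf"; then echo "OK   $want"; else echo "FAIL missing: $want"; rc=1; fi
  done
  # legacy directives that the awk passes were supposed to replace
  for bad in '^cipher ' '^tls-auth '; do
    grep -qE -- "$bad" "$conf" && { echo "FAIL legacy directive still present: $bad"; rc=1; }
  done
  # every file the config references must exist next to it (openvpn-server@ runs with cwd = config dir)
  for key in ca cert key dh tls-crypt crl-verify; do
    f=$(awk -v k="$key" '$1==k {print $2; exit}' "$conf")
    [ -n "$f" ] || continue
    if [ -e "$dir/$f" ]; then echo "OK   $key -> $f"; else echo "FAIL $key file not found: $dir/$f"; rc=1; fi
  done
  # OpenVPN only checks the CRL when crl-verify is configured; the stock sample config omits it,
  # so without this line the installer's "Revoke an existing client" option has no effect on the server
  grep -q '^crl-verify ' "$conf" || echo "WARN no crl-verify: revoked clients will still be accepted"
  return $rc
}

# constructed sample config dir mirroring the result of the hardening steps (empty placeholder files)
make_sample_conf() {
  mkdir -p "$1"
  for f in ca.crt server.crt server.key dh2048.pem tc.key; do : > "$1/$f"; done
  cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
auth SHA512
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
tls-crypt tc.key
tls-version-min 1.2
EOF
}
```

On the real server run `sudo sh -c '. ./check.sh; check_server_conf /etc/openvpn/server/server.conf /etc/openvpn/server'` (sudo because the key files are root-only).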

Manage the OpenVPN service

# view status of OpenVPN service
sudo systemctl status openvpn-server@server.service

# restart OpenVPN service
sudo systemctl restart openvpn-server@server.service

Enable IPv4 forwarding

# persistently enable IPv4 forwarding via sysctl.d
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-openvpn-forward.conf > /dev/null

# reload all sysctl configuration files
sudo sysctl --system

Enable routing, NAT, and UFW rules for VPN internet access

# πŸ” enable IPv4 forwarding and allow packet forwarding through UFW
sudo sed -i 's/^#\?net\/ipv4\/ip_forward=1/net\/ipv4\/ip_forward=1/' /etc/ufw/sysctl.conf
sudo sed -i 's/^DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
sudo ufw reload

# 🌐 detect the current WAN interface
WAN_IF=$(ip route get 1.1.1.1 | awk '{for(i=1;i<=NF;i++) if($i=="dev"){print $(i+1); exit}}')

# 🧩 create a systemd unit that adds/removes the MASQUERADE rule after UFW is up (persists across reboots)
sudo tee /etc/systemd/system/openvpn-nat.service > /dev/null <<EOF
[Unit]
Description=Add NAT rule for OpenVPN subnet
After=ufw.service network-online.target
Requires=ufw.service

[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${WAN_IF} -j MASQUERADE
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${WAN_IF} -j MASQUERADE
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF

# 🧹 remove any existing openvpn-iptables service (the installer creates one) so its rules do not conflict with the new unit
sudo systemctl stop openvpn-iptables.service 2>/dev/null
sudo systemctl disable openvpn-iptables.service 2>/dev/null
sudo rm -f /etc/systemd/system/openvpn-iptables.service
sudo systemctl daemon-reload

# ⚓ enable and start the new NAT unit (persistent on boot)
sudo systemctl enable openvpn-nat.service
sudo systemctl start openvpn-nat.service

# 🔓 open the firewall for OpenVPN and SSH, then apply the rules
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw reload

# 🚀 restart the OpenVPN server to pick up the config changes
sudo systemctl restart openvpn-server@server.service

Create clients

sudo ./openvpn-install.sh
OpenVPN is already installed.

Select an option:
   1) Add a new client
   2) Revoke an existing client
   3) Remove OpenVPN
   4) Exit
Option: 1

Provide a name for the client:
Name: 

Updating your OpenVPN Client Configuration

This creates an OpenVPN client profile named after the client: xxx.ovpn.

To ensure a stable connection, edit the client profile as follows:

  • remote xxx.xxx.xxx.xxx xxxx: set your public IPv4 address and the externally forwarded port; do not use port 1194 itself.

  • cipher AES-256-CBC: replace with cipher AES-256-GCM.

    GCM is stronger, faster and more modern, and includes built-in authentication.

  • add the lines:

    ignore-unknown-option block-outside-dns
    block-outside-dns
    ignore-unknown-option register-dns
    register-dns

    On Windows clients these options force DNS through the VPN, register the VPN’s DNS servers and block DNS queries outside the tunnel; without them the VPN may connect but DNS can leak or fail. The ignore-unknown-option lines let non-Windows clients skip the two Windows-only options instead of refusing to start.

  • add the line: mssfix 1300

    Limits the TCP MSS to 1300 bytes to prevent fragmentation on low-MTU links such as 4G, improving stability and reducing packet loss for TCP connections carried over the VPN.

Copy this file to the device, install the OpenVPN client, then open the file to import the profile and its certificates.
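The edits above can be applied mechanically instead of by hand. The helper below is an added example, not part of this page or of the installer: harden_ovpn, make_sample_ovpn, the address 203.0.113.10 and the port 51194 are constructed placeholders, and the sample profile it writes contains no real key material.

```shell
#!/bin/sh
# Added helper, not from the page: apply the client-profile edits listed above to an .ovpn file.
# harden_ovpn <in.ovpn> <out.ovpn> <public-ip> <forwarded-port>
harden_ovpn() {
  in=$1; out=$2; host=$3; port=$4
  awk -v h="$host" -v p="$port" '
    /^<[a-z-]+>$/   { inb=1 }          # inline <ca>, <cert>, <key>, <tls-crypt> blocks
    /^<\/[a-z-]+>$/ { inb=0 }          # are copied verbatim, never rewritten
    inb { print; next }
    $1=="remote" { print "remote " h " " p; next }           # public IP + forwarded port
    $1=="cipher" && $2=="AES-256-CBC" { $2="AES-256-GCM" }   # modern AEAD cipher
    # drop old copies of the lines appended below, so re-running the helper is idempotent
    $1=="mssfix" || $1=="ignore-unknown-option" || $1=="block-outside-dns" || $1=="register-dns" { next }
    { print }
    END {
      print "ignore-unknown-option block-outside-dns"
      print "block-outside-dns"
      print "ignore-unknown-option register-dns"
      print "register-dns"
      print "mssfix 1300"
    }' "$in" > "$out"
}

# constructed sample profile (the certificate body is a placeholder, not a real certificate)
make_sample_ovpn() {
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 198.51.100.7 1194
cipher AES-256-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBsampleCertDataNotReal
-----END CERTIFICATE-----
</ca>
EOF
}
```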