How to configure an Open VPN server


OpenVPN is a VPN implementation for both client and server for Linux/Windows/Mac. To use OpenVPN, it is necessary to have an OpenVPN server in the target network, either the gateway or a dedicated “DMZ” (with publicly available IP and connected to the internal network). The client software must be installed, and the server address, port, encryption key, etc. must be configured.

OpenVPN can work on a server with TCP/IP routing ie, “tun” interface or bridge to LAN ie, “tap” interface. In the case of the “tun” interface, firewall rules must be configured for the “tun +” interface, in the case of the “tap” interface, a bridge must be set between “tap+” and the interface to the chain (internal network).

The packages required on Linux are OpenVPN and easyRSA. Windows requires the OpenVPN package different server or client does the configuration file.

By default, OpenVPN uses port 1194 on UDP. Another TCP or UDP port can be set.


1. The configuration of the access keys – it is done only once – when installing on the server. Server keys are generated and – possibly – several client keys. The client keys can be additionally protected with the password. It is the most complicated and time-consuming step from the entire process.

2. Configure the /etc/OpenVPN/server.conf file, firewall rules, and set the OpenVPN service to boot.

3. Configuring the Linux or Windows client.


Step 1

Once we finish with the installation of the easy-rsa package, we will have in the directory /usr/share/doc/easy-RSA or /usr/share/doc/packages/easy-rsa a Readme which presents the steps for generating server /client keys. Binaries are in the /usr/share/easy-RSA directory, and it is generally recommended to copy them to /etc/OpenVPN which is the main configuration directory of OpenVPN.

cp -r /usr/share/easy-RSA / /etc/OpenVPN/easy-RSA

Go to the directory where the file “vars” exists and edit the variables which are at the bottom of it: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL

export KEY_COUNTRY= “US.”

export KEY_PROVINCE= “SC.”

export KEY_CITY= “Myrtle Beach.”

export KEY_ORG= “Home.”

export KEY_EMAIL=” [email protected]

export KEY_OU= “PreferredOrganization.”

cd /usr/openvpn/easy-rsa – the directory that contains the vars file

source ./vars – loads the variable settings

./clean-all – any older keys will be deleted

./build-ca – Cert Authority (CA) is generated

./build-key-server – generates the certificate and private key for the server with the name “server”

./build-dh – generates dh.pem

The keys for generating VPN clients are to be generated – client, client 2 , client 3:

./build-key client

./build-key client 2

./build-key client 3

If you want the password for each client use build-key-pass instead of build-key.

Later other keys can be generated from the same directory with the command ./build-key <name> after running source ./vars

The generated keys are copied on the server – for example – to the /etc/openvpn/keys directory

mkdir / etc / openvpn / keys

Step 2

Edit the .conf file on the server:

A simple configuration is given below and must be created in /etc/openvpn/server.conf

(Configuration examples included in the openVPN package are given in /usr/share/doc/openvpn/examples)

• port 1194 (change your port)

• port 1337

• You can use UDP or TCP

• proto UDP

• “Dev tun” will create a routed IP tunnel.

dev tun

#Certify Configuration

# as certified

ca /etc/openvpn/keys/ca.crt

#Server Certificate

cert /etc/openvpn/keys/server.crt

#Server Key and keep this is secret

key /etc/openvpn/keys/server.key

#See the size a dh key in / etc / openvpn / keys /

dh /etc/openvpn/keys/dh2048.pem

#Internal IP will get when already connect


#this line will redirect all traffic through our OpenVPN

push “redirect-gateway def1”

# Provide DNS servers to the client, you can use google DNS

push “dhcp-option DNS

push “dhcp-option DNS

#Enable multiple clients to connect with same key


keepalive 20 60





#enable log

log-append /var/log/myvpn/openvpn.log

#Log Level

verb 3

To test the configuration it can be launched as root

openvpn –config server.conf (or openvpn /etc/openvpn/server.conf)

And then stop with

killall -9 openvpn

Or you can start as a service:

systemctl list-unit-files | grep enabled
systemctl enable openvpn
systemctl start openvpn

or stop with systemctl stop openvpn

sudo service openvpn start

or stop or restart

Firewall Rules

Firewall rules must be set for VPN ↔ LAN traffic to work:

iptables -I INPUT -i tun + -j ACCEPT

iptables -I FORWARD -s <local_lan_ip / 24> -d -j ACCEPT

iptables -I FORWARD -d <local_lan_ip / 24> -s -j ACCEPT

It must also allow internet access because in the server.conf file we set the default route through VPN

(echo 1> / proc / sys / net / ipv4 / ip_forward)

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Step 3

ClientX.key, clientX.crt and ca.crt must be reached with the client.conf configuration file.

Under windows client.conf rename client.ovpn

At “remote” put the public address of the openVPN server and the port:



dev tun

proto udp

#Server IP and Port

remote 1337

resolv-retry infinite





as ca.crt

certain clientX.crt

key clientX.key

ns-cert-type server



For windows, files must be copied to C:/ProgramFiles/openvpnconf and run as administrator because they must have rights to create the tuner interface.

For Linux, copy the keys and client.conf in the same directory and launch:

sudo OpenVPN –config client.conf &

Recent Posts