OpenVPN: VPN Server on Linux

OpenVPN is the most widespread open source VPN protocol. Compared to WireGuard it is slower, but it is compatible with more devices and corporate networks. Use the openvpn-install script for a 5-minute setup.


Quick Installation (Automatic Script)

The simplest and most reliable way:

bash
# Download the script
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh

# Run as root
bash openvpn-install.sh

The script asks for:

  • Server IP (auto-detects public IP)
  • Port (default 1194 UDP)
  • DNS for clients (recommended: Cloudflare 1.1.1.1 or Google 8.8.8.8)
  • First client name (e.g., my-pc)

When done, it generates a .ovpn file ready to import in the client.

Re-run bash openvpn-install.sh anytime: the script detects the existing installation and offers to add/remove clients or uninstall.


Manual Installation

Install Packages

bash
apt update
apt install openvpn easy-rsa -y

PKI Setup (Certificate Infrastructure)

bash
mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa

# Initialize the PKI
./easyrsa init-pki

# Create the Certificate Authority (CA)
./easyrsa build-ca nopass

# Generate server certificate
./easyrsa build-server-full server nopass

# Generate Diffie-Hellman parameters
./easyrsa gen-dh

# Generate TLS-Auth key
openvpn --genkey secret /etc/openvpn/ta.key

# Copy necessary files
cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem /etc/openvpn/

Server Configuration

bash
cat > /etc/openvpn/server.conf << 'EOF'
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"

keepalive 10 120
cipher AES-256-GCM
auth SHA256
# Compression is deprecated since OpenVPN 2.5 (compression-oracle risk); drop this line unless clients require it
compress lz4-v2

user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
verb 3
EOF

Enable IP Forwarding and NAT

bash
# IP forwarding
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

# NAT: IFACE is detected from the default route; set it manually (e.g. IFACE=eth0) if detection fails
IFACE=$(ip route get 8.8.8.8 | grep -oP 'dev \K\S+')
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$IFACE" -j MASQUERADE

# Make iptables rules persistent
apt install iptables-persistent -y
netfilter-persistent save

Start the Service

bash
systemctl enable --now openvpn@server
systemctl status openvpn@server

Add a Client

bash
cd /etc/openvpn/easy-rsa

# Generate certificate for the client
./easyrsa build-client-full clientname nopass

# Create the .ovpn file (replace SERVER_IP with the server's public IP or hostname)
cat > /root/clientname.ovpn << EOF
client
dev tun
proto udp
remote SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
compress lz4-v2
verb 3
key-direction 1
<ca>
$(cat /etc/openvpn/easy-rsa/pki/ca.crt)
</ca>
<cert>
$(cat /etc/openvpn/easy-rsa/pki/issued/clientname.crt)
</cert>
<key>
$(cat /etc/openvpn/easy-rsa/pki/private/clientname.key)
</key>
<tls-auth>
$(cat /etc/openvpn/ta.key)
</tls-auth>
EOF

Download the .ovpn file to your device via SCP:

bash
scp root@SERVER_IP:/root/clientname.ovpn ./

Clients

  • Windows/Mac/Linux: OpenVPN Connect or Tunnelblick (Mac)
  • Android/iOS: OpenVPN Connect from app store
  • Linux CLI: openvpn --config clientname.ovpn

Revoke a Client

bash
cd /etc/openvpn/easy-rsa
./easyrsa revoke clientname
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/

# OpenVPN re-reads the CRL after dropping privileges to nobody, so it must be world-readable
chmod 644 /etc/openvpn/crl.pem

# Add crl-verify to server.conf only if it is not already there
grep -q '^crl-verify' /etc/openvpn/server.conf || echo "crl-verify crl.pem" >> /etc/openvpn/server.conf

# Restart so the new CRL is loaded and the revoked client's session is dropped
systemctl restart openvpn@server
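Added check, not part of the original guide: until the restart above, a revoked client's existing session stays up. The status file configured in server.conf (status /var/log/openvpn/openvpn-status.log) lists live sessions, and easy-rsa's pki/index.txt records which certificates are revoked, so the two can be cross-checked. The script below parses both; the status log and index.txt contents are constructed samples embedded inline, and the dict keys cn/real/virtual/revoked are this example's own naming.

```python
# Cross-check the status log written by `status /var/log/openvpn/openvpn-status.log`
# against easy-rsa's pki/index.txt: a live session whose common name is marked
# 'R' means the client was revoked but openvpn@server was not restarted afterwards.
# Constructed sample of the status file (status-version 1 layout).
STATUS_LOG = """OpenVPN CLIENT LIST
Updated,Mon May  6 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
my-pc,198.51.100.7:41234,12345,67890,Mon May  6 09:50:00 2024
clientname,203.0.113.9:51111,512,2048,Mon May  6 09:58:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,my-pc,198.51.100.7:41234,Mon May  6 10:00:00 2024
10.8.0.10,clientname,203.0.113.9:51111,Mon May  6 10:00:00 2024
END
"""

# Constructed sample of pki/index.txt after `./easyrsa revoke clientname`.
# Tab-separated: status, expiry, revocation date, serial, file, subject DN.
INDEX_TXT = (
    "V\t330101000000Z\t\t01\tunknown\t/CN=server\n"
    "V\t330101000000Z\t\t02\tunknown\t/CN=my-pc\n"
    "R\t330101000000Z\t240506095900Z\t03\tunknown\t/CN=clientname\n"
)

def revoked_common_names(index_txt: str) -> set:
    """Common names whose index.txt entry has status 'R' (revoked)."""
    revoked = set()
    for line in index_txt.splitlines():
        f = line.split("\t")
        if len(f) == 6 and f[0] == "R" and f[5].startswith("/CN="):
            revoked.add(f[5][len("/CN="):])
    return revoked

def active_sessions(status_log: str, index_txt: str) -> list:
    """One dict per connected client: cn, real (public) address, virtual 10.8.0.x
    address from the ROUTING TABLE section, and whether the cn is revoked."""
    revoked = revoked_common_names(index_txt)
    clients, vaddr, section = {}, {}, None
    for line in status_log.splitlines():
        if line in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END"):
            section = line
            continue
        cols = line.split(",")
        if section == "OpenVPN CLIENT LIST" and len(cols) == 5 and cols[0] != "Common Name":
            clients[cols[0]] = cols[1]
        elif section == "ROUTING TABLE" and len(cols) == 4 and cols[0] != "Virtual Address":
            vaddr[cols[1]] = cols[0]
    return [{"cn": cn, "real": addr, "virtual": vaddr.get(cn), "revoked": cn in revoked}
            for cn, addr in clients.items()]
```

On a real server, read the two files instead of the sample strings; any session with revoked set to True means the restart has not happened yet.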

Firewall

bash
ufw allow 1194/udp
ufw allow OpenSSH

# ufw's default FORWARD policy is DROP, which would silently block client traffic leaving the tunnel;
# allow forwarding from tun0 to the NAT interface (replace eth0 with the interface found earlier)
ufw route allow in on tun0 out on eth0

ufw enable

WireGuard vs OpenVPN

                        | WireGuard                  | OpenVPN
Speed                   | ✅ Much faster              | ⚠️ Slower
Simplicity              | ✅ Minimal configuration    | ⚠️ More complex
Compatibility           | ⚠️ Kernel 5.6+ required     | ✅ Works everywhere
Blocked corporate ports | ❌ UDP only                 | ✅ Can use TCP 443
Audit                   | ⚠️ Recent codebase          | ✅ Audited for years

For personal use on modern servers: WireGuard. For corporate environments or networks blocking UDP: OpenVPN.

DeluxHost, founded in 2023, provides high-quality hosting solutions for a variety of digital needs. We offer shared hosting, VPS and dedicated servers with advanced security and worldwide data centers.

© DeluxHost, All rights reserved. | VAT number: IT17734661006