How to Install OpenVPN on Your Private Server


Setting up a Virtual Private Network (VPN) on your private server offers a secure and encrypted connection, allowing you to protect your online activity and access resources as if you were on the same network. OpenVPN is a popular open-source VPN solution known for its reliability and security. This article provides a comprehensive guide on installing and configuring OpenVPN on your private server.

Prerequisites

Before you begin, ensure you have the following:

  • A private server running a Linux distribution like Ubuntu, Debian, CentOS, or similar.
  • Root access or sudo privileges to execute administrative commands.
  • A basic understanding of the command line interface.
  • A domain name or a static public IP address for your server.

Choosing an OpenVPN Installation Method

There are several methods to install OpenVPN. We’ll focus on two common approaches:

  • Using the OpenVPN installation script (easy-rsa).
  • Manual installation and configuration.

For beginners, the OpenVPN installation script offers a simpler and faster setup process. For advanced users who desire more customization, the manual installation and configuration offers more flexibility. This guide will primarily focus on the scripted install, with mentions of manual configuration points where relevant.

Using the OpenVPN Installation Script (easy-rsa)

This is the recommended method for most users. It automates many of the configuration steps and simplifies the setup process.

Step 1: Update and Upgrade Your Server

First, connect to your server via SSH and update the package lists and upgrade installed packages:

sudo apt update
sudo apt upgrade -y

(For CentOS/RHEL, use sudo yum update -y instead.)

Step 2: Download and Run the OpenVPN Installation Script

You can find various automated OpenVPN installation scripts online. A popular and widely used script is available from GitHub. Use wget to download the script:

wget https://git.io/vpn -O openvpn-install.sh

Make the script executable:

chmod +x openvpn-install.sh

Run the script with sudo privileges:

sudo ./openvpn-install.sh

Step 3: Follow the Script’s Prompts

The script will guide you through the installation process. It will ask you several questions:

  • IP address: Usually the script automatically detects your public IP address. Verify it.
  • Protocol: Choose between UDP or TCP. UDP is generally faster but less reliable. TCP is more reliable but can be slower. For most uses, UDP is fine.
  • Port: The default port is 1194. You can change it if desired, but keep a note of the port you choose.
  • DNS server: Choose a DNS server for your VPN clients to use. Options include Google DNS, Cloudflare DNS, OpenDNS, etc.
  • Client name: Enter a name for the first client configuration file. This is typically the name of the device using the VPN (e.g., “laptop,” “phone”).

The script will automatically install OpenVPN, generate the necessary certificates, and configure the server.

Step 4: Retrieve the Client Configuration File

After the script completes, it will create a client configuration file (e.g., laptop.ovpn) in your home directory (usually /root). You need to transfer this file to the device you want to connect to the VPN.

You can use several methods to retrieve the file:

  • Using scp (Secure Copy)
  • Using sftp (Secure File Transfer Protocol)
  • Using a tool like FileZilla (SFTP support required)

For example, using scp:

scp root@your_server_ip:/root/laptop.ovpn .

(Replace your_server_ip with your server’s IP address or domain name, and laptop.ovpn with the actual filename.)

Step 5: Install the OpenVPN Client on Your Device

Install the OpenVPN client application on your device (e.g., Windows, macOS, Android, iOS, Linux). You can find the appropriate client on the OpenVPN website or your device’s app store.

Step 6: Import the Configuration File into the OpenVPN Client

Import the .ovpn configuration file into the OpenVPN client application. The process varies slightly depending on the client, but it usually involves selecting “Import” or “Add Profile” and choosing the .ovpn file.

Step 7: Connect to the VPN

Enter your username and password if prompted (the script usually sets up certificate-based authentication, which does not require a username or password). Then connect to the VPN. Your device should now be connected to your OpenVPN server.

Manual Installation and Configuration

This method provides more control over the OpenVPN configuration but requires more technical expertise.

Step 1: Install OpenVPN and easy-rsa

Install the OpenVPN package and the easy-rsa package (for certificate management):

sudo apt install openvpn easy-rsa

(For CentOS/RHEL, use sudo yum install openvpn easy-rsa. You may need to enable the EPEL repository first.)

Step 2: Configure easy-rsa

Copy the easy-rsa directory to /etc/openvpn:

sudo cp -r /usr/share/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa

Edit the vars file to set the certificate authority (CA) details:

sudo nano vars

Modify the following lines (replace with your own information). This is the easy-rsa 3 syntax, which matches the ./easyrsa commands used in the steps below:

# Subject fields written into every certificate request this CA issues
set_var EASYRSA_REQ_COUNTRY  "US"
set_var EASYRSA_REQ_PROVINCE "CA"
set_var EASYRSA_REQ_CITY     "San Francisco"
set_var EASYRSA_REQ_ORG      "MyCompany"
set_var EASYRSA_REQ_EMAIL    "admin@example.com"
set_var EASYRSA_REQ_OU       "MyDivision"

Save the file and exit. Initialize the PKI (Public Key Infrastructure):

sudo ./easyrsa init-pki

Create a Certificate Authority (CA):

sudo ./easyrsa build-ca

You will be prompted for a CA name. Enter a descriptive name (e.g., “MyOpenVPNCert”).

Step 3: Generate the Server Certificate and Key

Generate the server certificate and key:

sudo ./easyrsa build-server-full server nopass

This will create the server key and certificate as pki/private/server.key and pki/issued/server.crt.

Step 4: Generate Diffie-Hellman Parameters

Generate the Diffie-Hellman parameters:

sudo ./easyrsa gen-dh

Step 5: Copy the Certificates and Keys to the OpenVPN Directory

Copy the generated certificates and keys to the /etc/openvpn directory:

sudo cp pki/ca.crt /etc/openvpn/
sudo cp pki/issued/server.crt /etc/openvpn/
sudo cp pki/private/server.key /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/

Step 6: Create the OpenVPN Server Configuration File

Create the server.conf file:

sudo nano /etc/openvpn/server.conf

Add the following configuration (adjust as needed):

port 1194
proto udp
dev tun
# CA, server certificate and key copied into /etc/openvpn in Step 5
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
# VPN subnet: the server takes 10.8.0.1 and assigns the rest to clients
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Route all client traffic and DNS lookups through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Save the file and exit.

Step 7: Enable IP Forwarding

Enable IP forwarding by editing the /etc/sysctl.conf file:

sudo nano /etc/sysctl.conf

Uncomment the following line (remove the # at the beginning):

net.ipv4.ip_forward=1

Save the file and exit. Apply the changes:

sudo sysctl -p

Step 8: Configure Firewall Rules

Configure the firewall to allow OpenVPN traffic and forward traffic through the VPN. Use iptables or firewalld depending on your distribution. Here’s an example using iptables:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT

(Replace eth0 with your server’s network interface. Replace 1194 if you chose a different port.)

Save the iptables rules to persist after reboot (the method varies depending on your distribution).

Step 9: Start the OpenVPN Service

Start the OpenVPN service:

sudo systemctl start openvpn@server

Enable the OpenVPN service to start on boot:

sudo systemctl enable openvpn@server

Step 10: Generate Client Configuration Files

Generate client configuration files for each client device. This involves creating a client key and certificate, and then creating a .ovpn file.

cd /etc/openvpn/easy-rsa
sudo ./easyrsa build-client-full client1 nopass

(Replace client1 with the client’s name.)

Create the client configuration file (e.g., client1.ovpn):

sudo nano /etc/openvpn/client1.ovpn

Add the following configuration (adjust as needed):

client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

(Replace your_server_ip with your server’s IP address or domain name. Replace client1 with the client’s name.)

Copy the necessary certificates and keys into the .ovpn file as inline blocks. These blocks replace the ca, cert and key file lines in the configuration above, so the client does not need separate certificate files:

<ca>
-----BEGIN CERTIFICATE-----
(Contents of ca.crt)
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
(Contents of pki/issued/client1.crt)
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
(Contents of pki/private/client1.key)
-----END PRIVATE KEY-----
</key>

Save the file and exit. Transfer the .ovpn file to the client device.
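Assembling the .ovpn by hand is error-prone, so here is an added example (not from the article) that builds the client profile from the easy-rsa layout used in Step 10 and checks the PEM framing before embedding anything. It assumes the pki/ca.crt, pki/issued/NAME.crt and pki/private/NAME.key paths from the steps above; the sample PKI it creates contains placeholder bodies, not real keys.

```shell
#!/bin/sh
# Added example, not from the article: build a client .ovpn with inline
# <ca>/<cert>/<key> blocks from the easy-rsa 3 layout used in Step 10.

# Print a client profile for NAME to stdout; return 1 if an input is missing
# or is not PEM-framed the way easy-rsa writes it.
build_ovpn() {
    name="$1" server="$2" port="$3" pki="$4"
    ca="$pki/ca.crt" crt="$pki/issued/$name.crt" key="$pki/private/$name.key"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"  || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" || return 1
    grep -q -e '-----BEGIN PRIVATE KEY-----' "$key" || return 1
    # remote-cert-tls server is added here: the client then rejects any peer
    # whose certificate was not issued as a server certificate by this CA.
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$crt")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# Constructed sample PKI with placeholder PEM bodies (not real keys) so the
# script runs without a server; use /etc/openvpn/easy-rsa/pki for the real one.
SAMPLE_PKI=$(mktemp -d)
mkdir -p "$SAMPLE_PKI/issued" "$SAMPLE_PKI/private"
printf '%s\n' '-----BEGIN CERTIFICATE-----' CA_PLACEHOLDER '-----END CERTIFICATE-----' > "$SAMPLE_PKI/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' CLIENT1_PLACEHOLDER '-----END CERTIFICATE-----' > "$SAMPLE_PKI/issued/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' KEY_PLACEHOLDER '-----END PRIVATE KEY-----' > "$SAMPLE_PKI/private/client1.key"
build_ovpn client1 vpn.example.com 1194 "$SAMPLE_PKI" > "$SAMPLE_PKI/client1.ovpn"
```

The comp-lzo line is kept only because the server.conf above uses it; remove it from both sides together, since a compression mismatch breaks the tunnel.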

Step 11: Connect the Client Device

Install the OpenVPN client on the client device and import the .ovpn file. Connect to the VPN.

Troubleshooting

If you encounter issues, check the following:

  • Firewall rules: Ensure the firewall is configured correctly to allow OpenVPN traffic.
  • OpenVPN server logs: Check the OpenVPN server logs (usually located in /var/log/syslog or /var/log/openvpn.log) for errors.
  • Client configuration file: Verify that the client configuration file is correct and contains the correct certificates and keys.
  • DNS resolution: Ensure that DNS resolution is working correctly on the client device.

Security Considerations

  • Keep your server and OpenVPN software up-to-date to patch any security vulnerabilities.
  • Use strong passwords for any accounts.
  • Regularly review your OpenVPN configuration and firewall rules.
  • Consider using two-factor authentication for additional security.

Conclusion

Installing OpenVPN on your private server can significantly enhance your online security and privacy. Whether you choose the automated script or manual configuration, carefully follow the steps outlined in this guide to set up a secure and reliable VPN connection.
