OpenVPN
1. Install OpenVPN and Easy-RSA on the VPS
Ensure your VPS has OpenVPN and Easy-RSA installed.
On Debian/Ubuntu
apt update
sudo apt install openvpn easy-rsa -yOn CentOS/RHEL
yum install epel-release -y
sudo yum install openvpn easy-rsa -y2. Set Up the Easy-RSA Environment
Create a directory for Easy-RSA:
codemake-cadir ~/openvpn-ca cd ~/openvpn-caInitialize the Public Key Infrastructure (PKI):
./easyrsa init-pkiBuild the Certificate Authority (CA):
./easyrsa build-caYou’ll be prompted to set a password for the CA and enter a name (e.g., "VPN_CA").
Generate the server certificate and key:
./easyrsa build-server-full server nopassGenerate the Diffie-Hellman key exchange:
./easyrsa gen-dhGenerate the HMAC key for additional security:
openvpn --genkey --secret ta.key
3. Configure OpenVPN Server
Copy the certificates and keys to the OpenVPN directory:
sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/ sudo cp ~/openvpn-ca/pki/private/server.key /etc/openvpn/ sudo cp ~/openvpn-ca/pki/issued/server.crt /etc/openvpn/ sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/ sudo cp ~/openvpn-ca/ta.key /etc/openvpn/Create the OpenVPN server configuration file:
codesudo nano /etc/openvpn/server.confAdd the following content to the file:
codeport 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh.pem auth SHA256 tls-auth ta.key 0 topology subnet server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 10 120 cipher AES-256-CBC user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3Enable IP forwarding:
sysctl -w net.ipv4.ip_forward=1Persist the setting by editing
/etc/sysctl.conf:codenet.ipv4.ip_forward=1Configure firewall rules:
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE sudo iptables-save > /etc/iptables/rules.v4
4. Start the OpenVPN Server
Start and enable the OpenVPN service:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@serverCheck the status:
sudo systemctl status openvpn@server5. Generate Client Configuration
Generate a client certificate and key:
cd ~/openvpn-ca ./easyrsa build-client-full client1 nopassCreate a client configuration file:
nano ~/client1.ovpnAdd the following content to the file:
client dev tun proto udp remote <your-server-ip> 1194 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server auth SHA256 cipher AES-256-CBC verb 3 <ca> [Paste the content of `ca.crt` here] </ca> <cert> [Paste the content of `client1.crt` here] </cert> <key> [Paste the content of `client1.key` here] </key> <tls-auth> [Paste the content of `ta.key` here] </tls-auth>
6. Transfer the Client Configuration
Transfer the client1.ovpn file to your device (PC, phone, or another client).
Example using scp:
bscp ~/client1.ovpn user@client-device:/path/to/destination7. Connect Using the Client
On Linux
Install OpenVPN:
sudo apt install openvpn
sudo openvpn --config client1.ovpnOn Windows
Download and install the OpenVPN client.
Import the
.ovpnfile and connect.
On Android/iOS
Download the OpenVPN Connect app.
Import the
.ovpnfile and connect.
8. Verify Connection
Check your public IP to confirm traffic is routed through the VPN:
curl ifconfig.meIt should display the IP address of your VPS, not your local IP.
You now have a fully functional OpenVPN server on your VPS and can connect securely from client devices!
Last updated