Fri. Aug 1st, 2025

Whether you need secure remote access, want to bypass geo-restrictions, or protect your online privacy, running your own VPN server with OpenVPN is a powerful solution. This guide walks you through the setup process on Linux with clarity and precision.


Prerequisites

  1. A Linux server (Ubuntu 20.04/22.04 or Debian 11 used here)
  2. sudo or root access
  3. A public-facing static IP address
  4. Port 1194/UDP open in your firewall

Step 1: Install OpenVPN & Easy-RSA

OpenVPN requires a PKI (Public Key Infrastructure) for encryption. We’ll use easy-rsa for certificate management:

# Update repositories  
sudo apt update && sudo apt upgrade -y  

# Install OpenVPN and Easy-RSA  
sudo apt install openvpn easy-rsa -y  

Step 2: Configure the PKI (Certificate Authority)

2.1 Initialize PKI Directory

make-cadir ~/openvpn-ca  # Create PKI directory  
cd ~/openvpn-ca  

2.2 Edit PKI Variables

Open the vars file (nano vars) and update these fields:

set_var EASYRSA_REQ_COUNTRY "US"  
set_var EASYRSA_REQ_PROVINCE "California"  
set_var EASYRSA_REQ_CITY "San Francisco"  
set_var EASYRSA_REQ_ORG "YourOrganization"  
set_var EASYRSA_REQ_EMAIL "admin@example.com"  
set_var EASYRSA_REQ_OU "MyOpenVPN"  

2.3 Build Certificates

# Initialize and generate CA  
./easyrsa init-pki  
./easyrsa build-ca nopass  # Leave passphrase empty for automation  

# Generate server certificate  
./easyrsa build-server-full server nopass  

# Generate Diffie-Hellman key  
./easyrsa gen-dh  

# Generate HMAC signature  
openvpn --genkey secret ta.key  

Step 3: Configure OpenVPN Server

3.1 Copy Certificates to OpenVPN

sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/server/  
sudo cp ~/openvpn-ca/pki/issued/server.crt /etc/openvpn/server/  
sudo cp ~/openvpn-ca/pki/private/server.key /etc/openvpn/server/  
sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/server/  
sudo cp ~/openvpn-ca/ta.key /etc/openvpn/server/  

3.2 Create Server Configuration

Copy the sample config:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server/  
sudo gzip -d /etc/openvpn/server/server.conf.gz  

Edit /etc/openvpn/server/server.conf:

# Uncomment/Modify these lines:  
port 1194  
proto udp  
dev tun  
ca ca.crt  
cert server.crt  
key server.key  
dh dh.pem  
server 10.8.0.0 255.255.255.0  # VPN subnet  
push "redirect-gateway def1 bypass-dhcp"  # Route all traffic via VPN  
push "dhcp-option DNS 8.8.8.8"            # Google DNS  
tls-auth ta.key 0  
cipher AES-256-GCM                       # Strong encryption  
auth SHA256  
user nobody  
group nogroup  
keepalive 10 120  
persist-key  
persist-tun  
verb 3  

Step 4: Enable IP Forwarding & Configure Firewall

4.1 Enable Kernel IP Forwarding

sudo nano /etc/sysctl.conf  

Uncomment:

net.ipv4.ip_forward=1  

Apply:

sudo sysctl -p  

4.2 Configure UFW Firewall

Allow OpenVPN and SSH:

sudo ufw allow 1194/udp  
sudo ufw allow OpenSSH  

Edit /etc/default/ufw and set:

DEFAULT_FORWARD_POLICY="ACCEPT"  

Add NAT rules to /etc/ufw/before.rules (above the *filter section). Replace eth0 with your server's public interface (check with ip route show default):

*nat  
:POSTROUTING ACCEPT [0:0]  
# Masquerade VPN client traffic leaving via the public interface  
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE  
COMMIT  

Reload UFW:

sudo ufw disable && sudo ufw enable  

Step 5: Start OpenVPN Service

# The config and certificates live in /etc/openvpn/server/, which is the directory  
# the openvpn-server@ unit uses (openvpn@server would look for /etc/openvpn/server.conf)  
sudo systemctl start openvpn-server@server  
sudo systemctl enable openvpn-server@server  

Verify with:

sudo systemctl status openvpn-server@server  

Step 6: Create Client Configuration Files

6.1 Generate Client Certificate

cd ~/openvpn-ca  
./easyrsa build-client-full client1 nopass  # Replace "client1" with your client name  

6.2 Create Client Config File

Make a directory for client files:

mkdir -p ~/client-configs/files  

Create a base config ~/client-configs/base.conf:

client  
dev tun  
proto udp  
remote your_server_ip 1194  # ← Replace with your server's public IP  
resolv-retry infinite  
nobind  
persist-key  
persist-tun  
remote-cert-tls server  
cipher AES-256-GCM  
auth SHA256  
key-direction 1             # Pairs with the server's "tls-auth ta.key 0" for the inlined ta.key  
verb 3  

6.3 Generate Client .ovpn File

Save this script as ~/client-configs/generate_client.sh. It wraps each PEM file in the inline tags OpenVPN expects (<ca>, <cert>, <key>, <tls-auth>) so the client gets a single self-contained .ovpn:

#!/bin/bash  
# Usage: ./generate_client.sh client1  
set -e  
CLIENT=${1:?usage: $0 client-name}  
cd ~/client-configs  
KEY_DIR=~/openvpn-ca/pki/private  
CERT_DIR=~/openvpn-ca/pki/issued  
CA_DIR=~/openvpn-ca/pki  
TA_KEY=~/openvpn-ca/ta.key          # generated by "openvpn --genkey secret ta.key" in ~/openvpn-ca  
OUTPUT_DIR=~/client-configs/files  

cat base.conf \  
    <(echo '<ca>') \  
    ${CA_DIR}/ca.crt \  
    <(echo -e '</ca>\n<cert>') \  
    ${CERT_DIR}/${CLIENT}.crt \  
    <(echo -e '</cert>\n<key>') \  
    ${KEY_DIR}/${CLIENT}.key \  
    <(echo -e '</key>\n<tls-auth>') \  
    ${TA_KEY} \  
    <(echo '</tls-auth>') \  
    > ${OUTPUT_DIR}/${CLIENT}.ovpn  

chmod 600 ${OUTPUT_DIR}/${CLIENT}.ovpn  # the profile contains the client's private key  

Make it executable:

chmod +x ~/client-configs/generate_client.sh  

Generate for client1:

~/client-configs/generate_client.sh client1  

Download ~/client-configs/files/client1.ovpn and import it into OpenVPN client apps.
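As an added example (not part of the original post), a bash lint that checks a generated .ovpn for the problems this procedure can produce before the profile is handed to a user: inline sections without their tags, an inline tls-auth block without key-direction 1, the your_server_ip placeholder left in place, and a missing remote-cert-tls server. The two sample profiles and their PEM bodies are constructed dummies, not real key material.

```bash
#!/bin/bash
# Added example: lint a generated .ovpn before handing it out. Flags the ways the
# generator script can silently produce a profile that will not connect: inline
# sections missing their <ca>/<cert>/<key>/<tls-auth> tags, no 'key-direction 1'
# to pair with the server's 'tls-auth ta.key 0', and the your_server_ip placeholder.

# lint_ovpn FILE: prints one "[!]" line per problem, returns the problem count.
lint_ovpn() {
    local f="$1" tag o c problems=0
    for tag in ca cert key tls-auth; do
        o=$(grep -c "^<$tag>\$" "$f" || true); c=$(grep -c "^</$tag>\$" "$f" || true)
        [ "$o" -eq 1 ] && [ "$c" -eq 1 ] || {
            echo "[!] <$tag> block: $o open / $c close tags"; problems=$((problems + 1)); }
    done
    if grep -q '^<tls-auth>$' "$f" && ! grep -q '^key-direction 1$' "$f"; then
        echo "[!] inline tls-auth without 'key-direction 1' (direction mismatch with server)"
        problems=$((problems + 1))
    fi
    if grep -q '^remote your_server_ip ' "$f"; then
        echo "[!] 'remote' still uses the your_server_ip placeholder"; problems=$((problems + 1))
    fi
    # Without this, any client certificate from the same CA could impersonate the server.
    if ! grep -q '^remote-cert-tls server$' "$f"; then
        echo "[!] 'remote-cert-tls server' missing"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed samples (dummy PEM bodies, not real key material): one well-formed
# profile, and one as produced when the tags are lost and the placeholder kept.
write_good_profile() {
    printf '%s\n' client 'dev tun' 'proto udp' 'remote 203.0.113.10 1194' \
        'remote-cert-tls server' 'key-direction 1' \
        '<ca>' '-----BEGIN CERTIFICATE-----' dummy '-----END CERTIFICATE-----' '</ca>' \
        '<cert>' '-----BEGIN CERTIFICATE-----' dummy '-----END CERTIFICATE-----' '</cert>' \
        '<key>' '-----BEGIN PRIVATE KEY-----' dummy '-----END PRIVATE KEY-----' '</key>' \
        '<tls-auth>' '-----BEGIN OpenVPN Static key V1-----' dummy \
        '-----END OpenVPN Static key V1-----' '</tls-auth>' > "$1"
}
write_broken_profile() {
    printf '%s\n' client 'dev tun' 'proto udp' 'remote your_server_ip 1194' \
        'remote-cert-tls server' '-----BEGIN CERTIFICATE-----' dummy '-----END CERTIFICATE-----' \
        '-----BEGIN PRIVATE KEY-----' dummy '-----END PRIVATE KEY-----' > "$1"
}

# Stand-alone demo: lint the broken sample and report the count.
tmp=$(mktemp); write_broken_profile "$tmp"
lint_ovpn "$tmp" || echo "$? problem(s) found"; rm -f "$tmp"
```

Run it as lint_ovpn ~/client-configs/files/client1.ovpn on a real profile; a zero exit status means none of the checks fired.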


Connecting Clients

  • Windows/macOS: Use OpenVPN GUI
  • Android/iOS: Install “OpenVPN Connect” from app stores
  • Linux: sudo openvpn --config client1.ovpn

Troubleshooting Tips

  1. Connection Fails:
    • Verify port 1194/UDP is open in the firewall.
    • Check sudo journalctl -u openvpn-server@server -b for errors.
  2. No Internet Access:
    • Confirm IP forwarding is enabled (cat /proc/sys/net/ipv4/ip_forward).
    • Ensure NAT rules are applied in the firewall.
  3. Certificate Errors:
    • Re-generate certificates with matching CA and server/client names.

Final Notes

  • Security: Always restrict SSH access, use fail2ban, and update regularly.
  • Performance: For high-traffic scenarios, consider TCP and port 443 to evade firewalls.
  • Backups: Securely back up your ~/openvpn-ca directory! It holds the CA private key that signs every certificate.

By hosting your VPN, you gain full control over your data. Test your setup, refine configurations, and enjoy private browsing! 🔒
