HxHippy

OpenVPN Server Configuration

Deploy OpenVPN server with certificate-based authentication and security hardening.

Last updated: 2025-01-15

OpenVPN Server

OpenVPN is a full-featured SSL/TLS VPN that supports several authentication methods; this guide uses X.509 certificates issued by a private CA built with Easy-RSA.

Installation

# Debian/Ubuntu
sudo apt install openvpn easy-rsa

# RHEL/CentOS
sudo dnf install openvpn easy-rsa

PKI Setup with Easy-RSA

# Create PKI directory
make-cadir ~/openvpn-ca
cd ~/openvpn-ca

# Initialize PKI
./easyrsa init-pki

# Build CA
./easyrsa build-ca nopass

# Generate server certificate
./easyrsa gen-req server nopass
./easyrsa sign-req server server

# Generate Diffie-Hellman parameters
./easyrsa gen-dh

# Generate TLS auth key
openvpn --genkey secret ta.key

Generate Client Certificates

# Generate client key and request
./easyrsa gen-req client1 nopass

# Sign client certificate
./easyrsa sign-req client client1

Copy Files to Server

# Copy to OpenVPN directory
sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/issued/server.crt /etc/openvpn/server/
# server.key is the server's private key: keep it owned by root and mode 600
sudo cp pki/private/server.key /etc/openvpn/server/
sudo cp pki/dh.pem /etc/openvpn/server/
sudo cp ta.key /etc/openvpn/server/

Server Configuration

/etc/openvpn/server/server.conf

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

# TLS Authentication: HMAC-sign control-channel packets with the shared ta.key
# (key direction 0 here, 1 on clients) so packets without a valid HMAC are
# dropped before the TLS handshake
tls-auth ta.key 0
cipher AES-256-GCM
auth SHA256

# Network
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"

# Clients can't connect to each other: client-to-client would allow exactly that,
# so leave it disabled (it is off by default)
;client-to-client

# Keepalive
keepalive 10 120

# Security
user nobody
group nogroup
persist-key
persist-tun

# Logging
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3

Client Configuration

client1.ovpn

client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# Certificates (inline)
<ca>
-----BEGIN CERTIFICATE-----
[CA certificate content]
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
[Client certificate content]
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
[Client key content]
-----END PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
[TLS auth key content]
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

cipher AES-256-GCM
auth SHA256
verb 3
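Pasting the four PEM blocks into the profile by hand is error-prone. The script below is added here as an example and is not part of the original page: it builds a client profile with the inline sections shown above from the Easy-RSA tree in the page's layout (pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key) plus ta.key. It adds one directive the page's profile lacks, remote-cert-tls server, so the client only accepts a certificate issued for server use. The placeholder PKI it creates for the demonstration is constructed and contains no real certificates or keys.

```shell
#!/bin/sh
# Added example (not from the original page): assemble a client .ovpn with the
# CA cert, client cert, client key and TLS-auth key inlined.
set -eu

# make_client_ovpn PKI_DIR TA_KEY CLIENT_NAME VPN_HOST
# Writes the profile to stdout; returns 1 if any input file is missing.
make_client_ovpn() {
    pki=$1; takey=$2; name=$3; host=$4
    # Refuse to emit a half-built profile
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$takey"; do
        [ -r "$f" ] || { echo "make_client_ovpn: missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server certificate issued for server use (added beyond the page's profile)
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3
EOF
    printf '<ca>\n'; cat "$pki/ca.crt"; printf '</ca>\n'
    # Easy-RSA prepends a human-readable dump to issued certs; keep only the PEM block
    printf '<cert>\n'
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pki/issued/$name.crt"
    printf '</cert>\n'
    printf '<key>\n'; cat "$pki/private/$name.key"; printf '</key>\n'
    printf '<tls-auth>\n'; cat "$takey"; printf '</tls-auth>\n'
}

# build_fake_pki DIR: constructed placeholder tree for offline demonstration only;
# the file contents are not real certificates or keys.
build_fake_pki() {
    mkdir -p "$1/issued" "$1/private"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' FAKECA '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump Easy-RSA adds)' \
        '-----BEGIN CERTIFICATE-----' FAKECLIENT '-----END CERTIFICATE-----' > "$1/issued/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' FAKEKEY '-----END PRIVATE KEY-----' > "$1/private/client1.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' FAKETA '-----END OpenVPN Static key V1-----' > "$1/ta.key"
    chmod 600 "$1/private/client1.key" "$1/ta.key"
}

DEMO_PKI=$(mktemp -d)
build_fake_pki "$DEMO_PKI"
make_client_ovpn "$DEMO_PKI" "$DEMO_PKI/ta.key" client1 vpn.example.com > "$DEMO_PKI/client1.ovpn"
chmod 600 "$DEMO_PKI/client1.ovpn"   # the profile embeds a private key
echo "wrote $DEMO_PKI/client1.ovpn"
```

Run it against the real tree as `make_client_ovpn ~/openvpn-ca/pki ~/openvpn-ca/ta.key client1 vpn.example.com > client1.ovpn`; the output file carries the client's private key, so hand it to the user over an authenticated channel and keep it mode 600.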

Enable IP Forwarding

# Enable
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Configure NAT
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Start Server

# Start service
sudo systemctl start openvpn-server@server

# Enable on boot
sudo systemctl enable openvpn-server@server

# Check status
sudo systemctl status openvpn-server@server

Firewall Configuration

# UFW
sudo ufw allow 1194/udp

# iptables (if the FORWARD chain's default policy is DROP, return traffic from
# eth0 back to tun0 also needs an ESTABLISHED,RELATED rule)
sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT
sudo iptables -A INPUT -i tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -j ACCEPT

Revoke Client Certificate

cd ~/openvpn-ca

# Revoke certificate
./easyrsa revoke client1

# Generate CRL
./easyrsa gen-crl

# Copy CRL to server
sudo cp pki/crl.pem /etc/openvpn/server/

# Add to server config (the CRL is re-read on every client connect, after
# privileges have been dropped, so the file must be readable by "nobody")
echo "crl-verify crl.pem" | sudo tee -a /etc/openvpn/server/server.conf

# Restart
sudo systemctl restart openvpn-server@server

Monitoring

# Connected clients
cat /var/log/openvpn/status.log

# Tail logs
sudo tail -f /var/log/openvpn/openvpn.log
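The status file is easier to act on when parsed than when read raw. The script below is an added example, not from the original page: it handles the default status-version 1 layout (a client list followed by a routing table), joins the two so each common name appears with its real and virtual address, and answers whether a given common name still has a session, which is worth checking after revoking a certificate since an established session survives until the next TLS renegotiation or a server restart. The status log it reads is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original page): parse an OpenVPN status log
# (status-version 1, the default) and check for a given connected client.
set -eu

# connected_clients STATUSFILE
# Prints one line per client: <common name> <real address> <virtual address> <connected since>
# With duplicate-cn in use, several sessions sharing a CN collapse into one row.
connected_clients() {
    awk -F, '
        $1 == "OpenVPN CLIENT LIST" { sec = "hdr"; next }
        sec == "hdr" && $1 == "Common Name" { sec = "clients"; next }
        $1 == "ROUTING TABLE" { sec = "rt"; next }
        sec == "rt" && $1 == "Virtual Address" { sec = "routes"; next }
        $1 == "GLOBAL STATS" || $1 == "END" { sec = ""; next }
        sec == "clients" && NF >= 5 { order[++n] = $1; real[$1] = $2; since[$1] = $5 }
        sec == "routes"  && NF >= 4 { vaddr[$2] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                cn = order[i]
                printf "%s %s %s %s\n", cn, real[cn], (cn in vaddr ? vaddr[cn] : "-"), since[cn]
            }
        }' "$1"
}

# client_count STATUSFILE: number of connected clients
client_count() { connected_clients "$1" | wc -l | tr -d ' '; }

# is_connected STATUSFILE CN: exit 0 if CN has a session, 1 otherwise
is_connected() {
    connected_clients "$1" | awk -v cn="$2" '$1 == cn { found = 1 } END { exit !found }'
}

# Constructed sample status log in the version-1 format (not a real capture)
DEMO_STATUS=$(mktemp)
cat > "$DEMO_STATUS" <<'EOF'
OpenVPN CLIENT LIST
Updated,Wed Jan 15 10:21:33 2025
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51820,1234567,7654321,Wed Jan 15 09:00:01 2025
client2,198.51.100.7:41022,200,300,Wed Jan 15 10:15:44 2025
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,client1,203.0.113.5:51820,Wed Jan 15 10:21:30 2025
10.8.0.3,client2,198.51.100.7:41022,Wed Jan 15 10:21:01 2025
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

echo "connected clients: $(client_count "$DEMO_STATUS")"
connected_clients "$DEMO_STATUS"
# After revoking client1's certificate, an existing session is still listed until
# it renegotiates or the server is restarted (as in the revocation steps above).
if is_connected "$DEMO_STATUS" client1; then
    echo "client1 still has a session"
fi
```

Point it at the real file with `connected_clients /var/log/openvpn/status.log`; the file is rewritten by the server every 60 seconds by default, so a client can appear up to a minute after connecting.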

Best Practices

  1. Use TLS-auth - control-channel packets must carry a valid HMAC, so unauthenticated packets are dropped before the TLS handshake, which blunts DoS attempts and port scans
  2. Strong ciphers - AES-256-GCM gives authenticated encryption on the data channel
  3. Drop privileges - run as nobody/nogroup once the tunnel is up (user and group directives)
  4. Separate PKI - keep the CA and its private key on an offline machine; only issued certificates and the CRL go to the server
  5. CRL - revoke compromised or retired client certs and deploy the CRL with crl-verify
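As an added example that is not part of the original page, the script below checks a server.conf against these points. It treats directives behind # or ; as inactive, reads the page's server configuration (constructed here as a sample file) and flags an active client-to-client line and a missing crl-verify; a hardened copy with those two changes passes. It accepts tls-crypt as an alternative to tls-auth and also checks for persist-key, both slightly beyond the list above.

```shell
#!/bin/sh
# Added example (not from the original page): audit an OpenVPN server.conf
# against the hardening points above.
set -eu

# active_directives FILE: the configuration with comment and blank lines removed
active_directives() { grep -Ev '^[[:space:]]*([#;]|$)' "$1"; }

# cfg_has FILE REGEX: true if an active directive matches REGEX at line start
cfg_has() { active_directives "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|$)"; }

# audit_server_conf FILE: prints one FINDING line per weakness; exit 0 only when clean
audit_server_conf() {
    conf=$1
    findings=0
    finding() { findings=$((findings + 1)); echo "FINDING: $1"; }

    cfg_has "$conf" 'tls-(auth|crypt)' \
        || finding "no tls-auth/tls-crypt: unauthenticated packets reach the TLS handshake"
    cfg_has "$conf" 'user' || finding "no 'user' directive: daemon keeps root privileges"
    cfg_has "$conf" 'group' || finding "no 'group' directive: daemon keeps the root group"
    cfg_has "$conf" 'persist-key' \
        || finding "no persist-key: key files cannot be re-read after dropping privileges"
    if cfg_has "$conf" 'client-to-client'; then
        finding "client-to-client is active: VPN clients can reach each other through the server"
    fi
    cfg_has "$conf" 'crl-verify' \
        || finding "no crl-verify: revoked client certificates are still accepted"
    cfg_has "$conf" 'cipher[[:space:]]+AES-(128|256)-GCM' \
        || finding "cipher is not AES-GCM: no authenticated encryption on the data channel"

    echo "$findings finding(s) in $conf"
    [ "$findings" -eq 0 ]
}

# Constructed sample: the server.conf from this page, with client-to-client active
DEMO_DIR=$(mktemp -d)
DEMO_CONF=$DEMO_DIR/server.conf
cat > "$DEMO_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-GCM
auth SHA256
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF

# Hardened variant: comment out client-to-client and enable CRL checking
HARDENED_CONF=$DEMO_DIR/server-hardened.conf
sed 's/^client-to-client/;client-to-client/' "$DEMO_CONF" > "$HARDENED_CONF"
echo "crl-verify crl.pem" >> "$HARDENED_CONF"

audit_server_conf "$DEMO_CONF" || true   # reports 2 findings
audit_server_conf "$HARDENED_CONF"       # reports 0 findings
```

Run `audit_server_conf /etc/openvpn/server/server.conf` after every change and before restarting the service; the non-zero exit status makes it usable as a pre-deploy gate.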