How to configure OpenVPN on a Linux server

Introduction

This guide provides step-by-step instructions on how to configure OpenVPN on a Linux server after installation. By completing this setup, you’ll enable secure remote access for clients using encrypted VPN tunnels. This setup includes certificate generation, server configuration, enabling IP forwarding, and firewall setup.

This version includes commands for both Ubuntu/Debian and RockyLinux/AlmaLinux systems.

Prerequisites

Before proceeding, ensure you have the following:

  • OpenVPN and Easy-RSA already installed

  • SSH access to your Linux server

  • A public IP or domain name

  • Firewall access to allow UDP port 1194

 

Step-by-Step Instructions

Step 1: Set up the Easy-RSA Public Key Infrastructure (PKI)

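Ubuntu/Debian (Easy-RSA 2.x scripts; if make-cadir gives you an Easy-RSA 3 directory, which has a single easyrsa script, use the ./easyrsa commands shown for RockyLinux/AlmaLinux in Steps 1 and 2):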

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
source vars
./clean-all
./build-ca

RockyLinux/AlmaLinux:

mkdir -p ~/openvpn-ca
cp -r /usr/share/easy-rsa/3/* ~/openvpn-ca
cd ~/openvpn-ca
./easyrsa init-pki
./easyrsa build-ca

Step 2: Generate server certificate and keys

Ubuntu/Debian:

./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

RockyLinux/AlmaLinux:

./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
openvpn --genkey --secret ta.key

 

📌 Note: In RHEL-based systems, certificates are stored in the pki subdirectory (pki/ca.crt, pki/private/server.key, etc.).

 

Step 3: Configure the OpenVPN server

Ubuntu/Debian:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

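RockyLinux/AlmaLinux:

cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/server.conf

Edit the copied server.conf (/etc/openvpn/server.conf on Ubuntu/Debian, /etc/openvpn/server/server.conf on RockyLinux/AlmaLinux, where the openvpn-server@server unit used in Step 6 reads its configuration) to point to the correct certificate and key paths.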

Example key lines:

ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
proto udp
port 1194

 

Step 4: Enable IP forwarding

Edit sysctl.conf:

nano /etc/sysctl.conf

Uncomment or add the line:

net.ipv4.ip_forward = 1

Apply the change:

sysctl -p

 

Step 5: Configure the firewall

Ubuntu/Debian (using UFW):

ufw allow 1194/udp
ufw allow OpenSSH
ufw enable
ufw reload

RockyLinux/AlmaLinux (using firewalld):

firewall-cmd --add-port=1194/udp --permanent
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload

 

Step 6: Start and enable the OpenVPN server

Ubuntu/Debian:

systemctl start openvpn@server
systemctl enable openvpn@server

RockyLinux/AlmaLinux:

systemctl start openvpn-server@server
systemctl enable openvpn-server@server

📝 Note: The service name is slightly different on RHEL-based systems (openvpn-server@server instead of openvpn@server).
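
A pre-start check for the files that the Step 3 key lines reference, added here as an example (it is not part of the original guide): it reports files that are missing and private key material that group or other users can access. The function names check_ovpn_conf and demo are hypothetical, GNU find is assumed, and relative paths are assumed to resolve against the directory of the config file.

```bash
#!/usr/bin/env bash
# Pre-start check for an OpenVPN server config (added example, not the guide's code).
# Assumption: relative paths resolve against the config file's directory, the
# working directory the systemd units in Step 6 run OpenVPN from.

check_ovpn_conf() {
    local conf="$1" dir problems=0 directive path rest
    [ -r "$conf" ] || { echo "MISSING config $conf"; return 1; }
    dir=$(cd "$(dirname "$conf")" && pwd)
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|key|dh|tls-auth) ;;
            *) continue ;;              # comments (# or ;) and all other options
        esac
        path=${path#\"}; path=${path%\"}            # drop simple surrounding quotes
        case $path in /*) ;; *) path="$dir/$path" ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"
            problems=$((problems + 1))
        elif { [ "$directive" = key ] || [ "$directive" = tls-auth ]; } &&
             [ -n "$(find "$path" -perm /077)" ]; then
            # Private key material must not be accessible to group or other.
            echo "PERMS $directive $path is accessible to group/other (want 600)"
            problems=$((problems + 1))
        fi
    done < "$conf"
    [ "$problems" -eq 0 ] && echo "OK $conf"
    return "$problems"
}

# Constructed demo: the Step 3 key lines in a scratch directory, with ta.key
# missing and server.key left world-readable. Reports 2 problems.
demo() {
    local d rc=0
    d=$(mktemp -d)
    printf '%s\n' 'ca ca.crt' 'cert server.crt' 'key server.key' 'dh dh.pem' \
        'tls-auth ta.key 0' 'proto udp' 'port 1194' > "$d/server.conf"
    touch "$d/ca.crt" "$d/server.crt" "$d/server.key" "$d/dh.pem"
    chmod 644 "$d/server.key"
    check_ovpn_conf "$d/server.conf" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: ./check_ovpn_conf.sh /etc/openvpn/server.conf   (no argument runs the demo)
if [ "$#" -gt 0 ]; then check_ovpn_conf "$1"; else demo || true; fi
```

The exit status is the number of problems found, so the check can gate the systemctl start command from Step 6.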

 

Conclusion

You have now successfully configured your Linux server to act as an OpenVPN server. You can now proceed to create VPN user profiles, generate client .ovpn configuration files, and distribute them securely.