The Need for Secure Remote Network Access
In today’s IT environment, accessing internal network resources remotely is an essential need. You might need to access servers, databases, or other internal services from your home, a coffee shop, or while traveling. However, connecting directly over the public Internet poses numerous security risks. That’s why we need a Virtual Private Network (VPN).
A VPN creates an encrypted “tunnel” over the Internet, protecting your data from threats and allowing you to securely access the internal network as if you were working in the office.
Popular VPN Solutions Today
Before diving into OpenVPN, let’s briefly review some other popular VPN solutions to get an overview.
IPsec (Internet Protocol Security)
- Pros: IPsec is a powerful suite of protocols, deeply integrated into most operating systems and network devices. It provides robust encryption and authentication, often deployed in large enterprise environments or for connections between branch offices. Operating at the network layer, IPsec offers high performance.
- Cons: The main drawback of IPsec lies in its complex configuration. Setting up a stable and secure IPsec connection requires deep knowledge of networking and security. Troubleshooting can also be quite challenging. Additionally, IPsec often encounters issues when traversing NAT (Network Address Translation) firewalls.
WireGuard
- Pros: WireGuard is a relatively new VPN protocol that has quickly made a strong impression due to its simplicity, superior performance, and minimal codebase. It uses modern cryptographic algorithms and is designed for easy deployment. In many cases, WireGuard’s performance significantly surpasses OpenVPN.
- Cons: Being relatively new, WireGuard may not yet be widely supported on all platforms or older devices. While its simplicity is a plus, it also makes WireGuard less flexible for deep customization compared to OpenVPN.
OpenVPN
- Pros: OpenVPN is an open-source, flexible, and well-established VPN solution. It uses SSL/TLS for data encryption, providing high security. OpenVPN is supported on almost every operating system (Windows, macOS, Linux, Android, iOS) and device, with a large community and extensive documentation. OpenVPN’s firewall traversal capabilities are also very impressive, especially when running on TCP port 443 (like HTTPS).
- Cons: OpenVPN’s performance can be lower than WireGuard in some situations, especially when using older encryption algorithms or on weaker hardware. Manual OpenVPN configuration can be quite verbose initially, requiring many steps to create certificates and keys. However, modern automation scripts have significantly simplified this process.
Why Choose OpenVPN for This Guide?
Each VPN solution has its own strengths and weaknesses. IPsec is powerful but complex, while WireGuard is fast but still relatively new. For beginners seeking a solution that balances security, flexibility, broad compatibility, and ease of deployment, OpenVPN is the ideal choice.
OpenVPN has proven its stability and reliability over many years. With automated installation scripts, setting up an OpenVPN server is now incredibly simple, helping you quickly establish a secure connection without delving into complex encryption and certificate details.
Before You Begin (Prerequisites)
Before starting, please prepare the following:
- A Linux server: You need a Linux server (Ubuntu/Debian or CentOS/RHEL recommended) with a public IP address. This will be your OpenVPN Server.
- Access Permissions: You need root privileges or a user account with sudo permissions.
- System Update: Always ensure your system is updated to the latest version.
# For Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
# For CentOS/RHEL
sudo yum update -y
- Open port on firewall: OpenVPN by default uses port 1194/UDP. You need to ensure this port is open on the server’s firewall, and also on your network router/firewall if the server is behind NAT.
Oh, a personal tip I’d like to share: when I need to quickly calculate a subnet to allocate IPs for VPN clients without overlapping with the internal network, I often use toolcraft.app/en/tools/developer/ip-subnet-calculator. Just enter the CIDR, and it instantly provides the network range, broadcast, and number of hosts. It’s super convenient and helps me avoid unnecessary IP configuration errors.
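The same overlap check can be scripted on the server. This is an added example, not part of the original guide: the function names are hypothetical, it handles well-formed IPv4 CIDRs only, and the sample networks are constructed.

```shell
#!/bin/sh
# Added example: does a candidate VPN client subnet collide with networks
# the server or the clients already use? IPv4 only; helper names are hypothetical.

# Dotted quad -> 32-bit integer.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# Print "first last" (as integers) for a CIDR such as 192.168.1.77/24.
cidr_range() (
    addr=$(ip_to_int "${1%/*}")
    size=$(( 1 << (32 - ${1#*/}) ))
    first=$(( addr / size * size ))      # clear the host bits
    echo "$first $(( first + size - 1 ))"
)

# Status 0 when the two CIDRs share at least one address.
cidrs_overlap() (
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
)

# check_vpn_subnet CANDIDATE NET...: report every collision, status 1 if any.
check_vpn_subnet() (
    candidate=$1; shift; rc=0
    for net in "$@"; do
        if cidrs_overlap "$candidate" "$net"; then
            echo "CONFLICT: $candidate overlaps $net"; rc=1
        fi
    done
    exit "$rc"
)

# Constructed sample: an office LAN and a common home-router range.
# On the server, existing networks can be listed with: ip -4 route show
check_vpn_subnet 10.8.0.0/24 10.0.0.0/16 192.168.1.0/24 && echo "10.8.0.0/24 is free"
check_vpn_subnet 192.168.1.128/25 10.0.0.0/16 192.168.1.0/24 || true
```

Include the LANs your clients usually sit on as well as the server's own networks, since a collision on either side breaks routing through the tunnel.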
Installing OpenVPN Server with an Automated Script (Recommended)
To install an OpenVPN Server on Linux, the simplest way is to use an automated installation script. This script automatically handles complex steps such as installing OpenVPN packages, creating a Certificate Authority (CA), issuing certificates and keys for the server/client, configuring the server, and setting up the firewall. I especially recommend this method for beginners.
Step 1: Download and Run the Script
Download the script from GitHub and grant execute permissions:
wget https://git.io/vpn -O openvpn-install.sh
chmod +x openvpn-install.sh
Then, run the script with sudo privileges:
sudo ./openvpn-install.sh
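The script runs as root here and is run again later for client management, so the copy on disk should be the one you actually read. The following is an added example (not from the original guide or from the script's project) that pins the reviewed file's SHA-256 and refuses to proceed if the file has changed; the function names and the pin file location are assumptions.

```shell
#!/bin/sh
# Added example: run the downloaded installer only if it still matches the
# SHA-256 recorded when the file was reviewed. Names here are hypothetical.

PIN_FILE=${PIN_FILE:-./openvpn-install.sh.sha256}   # assumed pin location

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record the hash after reading the script; never overwrites an existing pin.
pin_installer() {
    [ ! -e "$PIN_FILE" ] || { echo "pin exists: $PIN_FILE" >&2; return 1; }
    file_sha256 "$1" > "$PIN_FILE"
}

# Succeed only if the file matches the pin and other users cannot modify it.
installer_trusted() {
    [ -f "$PIN_FILE" ] || { echo "no pin recorded" >&2; return 2; }
    [ "$(file_sha256 "$1")" = "$(cat "$PIN_FILE")" ] ||
        { echo "hash mismatch: $1 changed since review" >&2; return 1; }
    # Characters 6 and 9 of the ls -l mode string are group/other write bits.
    case $(ls -l "$1" | cut -c6,9) in
        --) ;;
        *) echo "$1 is writable by group/other" >&2; return 1 ;;
    esac
}

# Usage after 'wget https://git.io/vpn -O openvpn-install.sh' and a read-through:
#   pin_installer openvpn-install.sh
#   installer_trusted openvpn-install.sh && sudo ./openvpn-install.sh
```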
Step 2: Follow the Script’s Instructions
The script will ask you to provide some necessary information. Please read carefully and select the appropriate options:
- IP Address: The script will automatically detect the server’s public IP. If the server has multiple IPs, choose the one you want to use.
- Protocol: Choose UDP (recommended for better performance) or TCP (better for firewall traversal). Default is UDP.
- Port: Default is 1194. You can change it if desired (e.g., 443 if you choose TCP for easier firewall traversal).
- DNS Servers: Choose a DNS provider you want the VPN clients to use (e.g., Google DNS, Cloudflare DNS).
- Client Name: Name your first VPN client (e.g., myclient).
After you provide all the information, the script will automatically install and configure everything. This process may take a few minutes to complete. Once finished, the script will create an .ovpn file for your client, for example myclient.ovpn.
# Example output after the script finishes running
Client 'myclient' added. Configuration available at: /root/myclient.ovpn
This .ovpn file contains all the necessary information for the client to connect to your VPN server.
Firewall Configuration
Although the script attempts to configure the firewall, you should still double-check to ensure everything is working correctly. OpenVPN requires port 1194/UDP (or your chosen port) to be open and IP forwarding to be enabled.
For UFW (Uncomplicated Firewall – common on Ubuntu/Debian)
sudo ufw allow 1194/udp # Or your chosen port
sudo ufw allow OpenSSH # Keep SSH connection
sudo ufw enable
sudo ufw status
The openvpn-install.sh script usually automatically adds the necessary NAT (masquerading) rules to /etc/ufw/before.rules (or similar) to allow traffic from VPN clients to the Internet. Please check this file to confirm.
For Firewalld (common on CentOS/RHEL)
sudo firewall-cmd --add-port=1194/udp --permanent # Or your chosen port
sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
Creating and Managing Clients
To add or remove clients, you just need to run the script openvpn-install.sh again:
sudo ./openvpn-install.sh
The script will provide options to:
- Add a new user.
- Revoke an existing user.
- Remove OpenVPN.
When adding a new user, the script will create a new .ovpn file for that client. Ensure you securely copy this file to the client machine (e.g., using scp).
# Example of copying the client configuration file to your local machine
scp user@your_server_ip:/root/myclient.ovpn .
Connecting from the Client
Once you have the .ovpn file, you can connect from your device:
- Download OpenVPN Client:
  - Windows: Download OpenVPN GUI from the OpenVPN website.
  - macOS: Download Tunnelblick or OpenVPN Connect.
  - Linux: Install the openvpn package (e.g., sudo apt install openvpn) and use the command sudo openvpn --config /path/to/myclient.ovpn or via NetworkManager.
  - Android/iOS: Download the OpenVPN Connect app from the Google Play Store or Apple App Store.
- Import the .ovpn file: Open the OpenVPN client application and import the .ovpn file you downloaded.
- Connect: Click the connect button. If everything is correct, you should see a successful connection.
- Test: After connecting, visit a public IP checker website (e.g., whatismyip.com). If the displayed IP is your OpenVPN Server’s public IP, it means you have successfully connected to the VPN!
Basic Troubleshooting
If you encounter issues when connecting, here are some basic troubleshooting steps you can take:
- Check the OpenVPN service status on the server:
sudo systemctl status openvpn@server
Ensure the service is running and there are no errors.
- Check OpenVPN logs:
sudo journalctl -u openvpn@server -f
Look for error messages or warnings related to the connection.
- Check the firewall on the server: Ensure the OpenVPN port (default 1194/UDP) is open and NAT/masquerade rules are correctly set up.
- Check the client’s network connection: Ensure the client can access the Internet before attempting to connect to the VPN.
- Check the .ovpn file: Ensure the configuration file is not corrupted and contains the correct server IP address/port.
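The last check can be scripted. This added example (not from the original guide) reads the remote directive, confirms the inline certificate and key blocks are complete, and checks that the file is readable by its owner only, since the profile carries the client's private key. The function names are hypothetical, the profile is assumed to embed its ca, cert and key blocks inline, and the sample profile is constructed.

```shell
#!/bin/sh
# Added example: sanity-check a client .ovpn profile before importing it.

# Print "proto host port" from the proto and first remote directives.
ovpn_endpoint() {
    awk '$1 == "proto"                 { proto = $2 }
         $1 == "remote" && host == "" { host = $2; port = $3 }
         END { if (host == "") exit 1; print proto, host, port }' "$1"
}

# check_ovpn FILE HOST PORT: print each problem found; status 0 means none.
check_ovpn() (
    f=$1; rc=0
    [ -r "$f" ] || { echo "cannot read $f"; exit 2; }
    if ep=$(ovpn_endpoint "$f"); then
        [ "${ep#* }" = "$2 $3" ] ||
            { echo "remote is '${ep#* }', expected '$2 $3'"; rc=1; }
    else
        echo "no remote directive"; rc=1
    fi
    for tag in ca cert key; do   # a cut-off copy loses a closing tag
        if ! grep -q "^<$tag>\$" "$f" || ! grep -q "^</$tag>\$" "$f"; then
            echo "inline <$tag> block missing or truncated"; rc=1
        fi
    done
    # The profile embeds the client's private key: owner-only access.
    [ "$(ls -l "$f" | cut -c5-10)" = "------" ] ||
        { echo "file is accessible to group/other"; rc=1; }
    exit "$rc"
)

# Constructed sample profile: documentation IP, placeholder key material.
make_sample_ovpn() {
    cat > "$1" <<'EOF'
client
proto udp
remote 203.0.113.10 1194
<ca>
placeholder
</ca>
<cert>
placeholder
</cert>
<key>
placeholder
</key>
EOF
    chmod 600 "$1"
}
```

On the client, call check_ovpn with the copied file, your server's public IP and the port you chose during installation.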
Conclusion
Thanks to automation tools like the openvpn-install.sh script, installing and configuring an OpenVPN Server on Linux is no longer a complex task. With a working OpenVPN server, you have a powerful solution to securely access your internal network from anywhere, protecting your data from prying eyes on the public Internet.
We hope this guide helps you confidently deploy your own VPN solution. Don’t hesitate to explore OpenVPN’s advanced customizations to optimize performance and security according to your specific needs!

