back to OpenVPN
On this page I will run through getting am OpenVPN server running from a bare VPS to a server you can connect to. I will return to the server configuration after I get a basic instance running – I prefer taking an iterative process so I can debug as I go along. Phase 1 is to get a point-to-point connection running.
Server Considerations
In order of consideration, there is
- server location
- server hardware
- software installation
- certificates
Server Location
If you are going to set up a new server you have the freedom to decide where the server is located. VPS providers are global, and as long as you have a credit card you can rent a server. The location the server is going to determine the laws that apply to that server. So depending on how secure you want to be from data snooping you should at least give a passing consideration to your server location.
However, if you have an existing server, or want access to a specific site then your choice has been made for you.
If you have freedom to choose a location then consider countries known for strong data privacy.
- Iceland. Features near the top of most lists for data privacy. They have passed their own Data Protection Act and have privacy baked into their constitution.
- Switzerland. They have stringent data projection laws include the Federal Data Protection Act (FADP)
- Germany. Historically Germany has had strict rights to privacy and spearheaded the GDPR (Europe’s General Data Protection Regulation). In addition they passed the new German Privacy Act (Bundesdatenschutzgesetz), also known as BDSG-new. This is considered more stringent than GDPR.
- Norway – their local Norwegian Personal Data Act (PDA) implements the GDPR and includes specific national variations.
- Europe – if it’s in Europe it should be compliant with GDPR which gives a good baseline for security
Speed Considerations: Your server should be located on a fast connection is a reliable data centre. If you are based in the UK, then having a server in Australia is probably not a good idea.
Cost: The more exotic locations will cost more. For example, Iceland will be far more expensive than Germany per CPU core and TB of data
Server Hardware and Connectivity
This will boil down to the number of connections you want to maintain. There is a great page on the OpenVPN website that covers this in detail
To summarise:
- CPU – you want a CPU to support hardware-accelerated AES encryption. This is tagged as AES-NI support
- According to OpenVPN a rule of thumb is you “need about 12MHz of CPU per 1Mbps of traffic. For example, a 4-core 3GHz CPU has 12,000MHz, which can handle approximately 1,000Mbps of throughput.”
- Memory – 1GB is the minimum. Add 1GB for every 150 connected devices
- Hard Disk – minimum requirements. The system will be running in memory, so you only need space for the base system, logs and configuration. Aim for at least 20GB.
Network Considerations:
- Bandwidth – The server’s bandwidth is shared among all connected devices. So if you get a 100MB connection and only 2 users then it’s 50MB each. If you have 200 users then is 0.5MB. Its maths.
- Traffic – a lot of the cheaper VPS providers come with a metered connection. This is ok if you are hosting a website, but if you are running a VPN server it’s not a great idea. Unless you know you won’t exceed the limit (how?) then go for unmetered.
Selecting a VPS
I’ve used various providers over the years and most have been fine. There is a huge selection of VPS server options available, so it can be quite a long process to decide. To shortcut the process I decided to ask Perplexity to recommend one, and see what it came back with – and it came back with IONOS. They offer unlimited traffic and I know from past experience they have good connectivity.
I already have a server to install the VPN. so I was only going to hire a VPS to test the deployment and play with different configurations. I was going to use Amazon AWS, but costs mount very quickly if you have a permanently running server.
I ordered IONOS’s VPS Linux M at £8 per month and £10 setup fee. This comes with
- 2 vCores CPU
- 4 GB RAM
- 120 GB NVMe SSD
2 minutes later I received notification that the server was available.
Software Installation
Basic Housekeeping
After logging into the server for the first time, I locked it down a bit and updated the packages installed. I went for Ubuntu 22.04 LTS so I was pretty familiar with the setup.
- Updated the installed packages
- sudo apt-get update
- sudo apt-get upgrade
- Created a user account and added it to the sudo group
- adduser john
- usermod -aG sudo john
- Disabled root logon via SSH
- sudo nano /etc/ssh/sshd_config
- PermitRootLogin no
sudo systemctl restart ssh
- Added SSH keys for access
Software Install
Using a shell, I installed the core software – this is the easiest step by far!
john@ubuntu:~$ sudo apt install openvpn easy-rsa
[sudo] password for john:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libccid libeac3 libpcsclite1 libpkcs11-helper1t64 opensc opensc-pkcs11 pcscd
...Configuring the Certificates
To generate all the certificates, you can switch to the root user and work out of /etc/openvpn. Alternatively, you can use a non-root user to generate the certificates in their home directory and then copy the certificates to the /etc/openvpn directory. I went with the latter, as it means I don’t have to change the permissions on the easy-rsa subdirectories.
john@ubuntu:~$ mkdir easy-rsa
john@ubuntu:~$ ln -s /usr/share/easy-rsa/* ~/easy-rsa/
john@ubuntu:~$ ls easy-rsa/
easyrsa openssl-easyrsa.cnf vars.example x509-typesI then gave myself permissions on the directory
john@ubuntu:~$ sudo chown john ~/easy-rsa/
john@ubuntu:~$ chmod 700 easy-rsa/I can check everything looks good with
john@ubuntu:~$ ls -l easy-rsa/
total 0
lrwxrwxrwx 1 john john 27 Feb 26 18:16 easyrsa -> /usr/share/easy-rsa/easyrsa
lrwxrwxrwx 1 john john 39 Feb 26 18:16 openssl-easyrsa.cnf -> /usr/share/easy-rsa/openssl-easyrsa.cnf
lrwxrwxrwx 1 john john 32 Feb 26 18:16 vars.example -> /usr/share/easy-rsa/vars.example
lrwxrwxrwx 1 john john 30 Feb 26 18:16 x509-types -> /usr/share/easy-rsa/x509-types
Create a Certificate Authority
The Certificate Authority is the anchor of the “secure chain of trust” that we are about to build. The Certificate Authority doesn’t have anyone vouching for its authority; it is taken as fact. Back in the initial days of the internet, there were companies like VeriSign that simply owned the market. Their certificates came pre-installed with every browser, so if they generated a certificate for a website, it was accepted blindly. Getting an SSL certificate cost about $150, and without it you were destined to use HTTP. Then a new company called Let’s Encrypt came along and offered free certificates – suddenly everyone could use SSL!
Wikipedia provides some interesting history on Certificate Authorities
For me, however, I don’t want or need to use a globally recognised Certificate Authority. We are going to create our own chain of trust. We will use out own Certificate Authority to sign requests for client keys and vouch for them. This means the clients will also need to get a copy of the Certificate Authority (CA) public key so they can verify the client certificate is valid.
There are two steps to create the Certificate Authority – first is to initialise easy-rsa and then we tell it to build a new Certificate Authority.
john@ubuntu:~/easy-rsa$ ./easyrsa init-pki
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /home/john/easy-rsa/pki
Using Easy-RSA configuration:
* undefined
Create the Certificate Authority – I gave it the catchy name of ovpnCA
john@ubuntu:~/easy-rsa$ ./easyrsa build-ca
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
Enter New CA Key Passphrase:
Confirm New CA Key Passphrase:
............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+.....+...+....+........+....+......+........+..........+..+....+...+..+....+.........+.....+.......+.....+.+..+......+.+.....+.+..+
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpnCA
Notice
------
CA creation complete. Your new CA certificate is at:
* /home/john/easy-rsa/pki/ca.crtServer Certificates and Keys
Server private key and Certificate Request
From the easy-rsa folder we can create a new certificate request for the server. This will generate a private key as well as a certificate signing request. We’ll then use our Certificate Authority to sign the request
john@ubuntu:~/easy-rsa$ ./easyrsa gen-req ionos_server nopass
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
...+.......+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+..+.......+.....+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+..+.+..+...+.......+........+...+.+......+..+.......+.....+....+...........+......+...+.+......+........+....+...........+......+......+....+.....+..........+......+........+.+.........+......+......+...+.....+.........+.......+....................+...+.+...............+..+...+....+...+........+.....................+.+..+.+..+...+.......+..+..........+..+.+...+..+...+..........+......+.....+......+...+.+..................+...+..+............+...+...+............................+..+.......+..+....+...........+....+.....+............+....+........+.......+.........+...........+.+.....+..........+............+............+.....+......+.............+......+.....+.+........+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+..+...+.+........+...+...+....+..+.+...+.........+..+...+.......+...........+...+....+...+..+...+...+..........+.....+.+......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.+........+.+..+....+........+...+....+...+..+....+..+.........+.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..........+.....+.......+..+.+..+......+.+...+......+.....+.......+..+.+..+...............+..........+.........+...+..+.+...............+...+.....+.+.....+...+...+.......+..+.........+....+...+.....+............+..........+...+..+.+.....+....+.....+............+....+..+.......+........+........................+.+...+..+....+.....+......+...+...............+......+....+.....+.+........+.+.....+.........+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [ionos_server]:Ionos
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /home/john/easy-rsa/pki/reqs/ionos_server.req
* key: /home/john/easy-rsa/pki/private/ionos_server.key
We copy the key file to the OpenVPN configuration folder. This is the private key for the server so that it can decrypt data encoded with the public key in the certificate.
john@ubuntu:~/easy-rsa$ sudo cp pki/private/ionos_server.key /etc/openvpn/server/Sign the Server Certificate
We now get easy-rsa to sign the certificate request we just generated using the sign-req command. The format of this command is “easyrsa sign-req [server|client] host-name”. As I’m signing a server request the command becomes –
john@ubuntu:~/easy-rsa$ ./easyrsa sign-req server ionos_server
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
You are about to sign the following certificate:
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate
for '825' days:
subject=
commonName = Ionos
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /home/john/easy-rsa/pki/openssl-easyrsa.cnf
Enter pass phrase for /home/john/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'Ionos'
Certificate is to be certified until Jun 1 20:51:37 2027 GMT (825 days)
Write out database with 1 new entries
Database updated
Notice
------
Certificate created at:
* /home/john/easy-rsa/pki/issued/ionos_server.crtThere is now a certificate in the pki/issued folder. If you look inside the crt file you will see it contains the public key for the server as well as the signing information, which in this case is the issuing server ovpnCA (my Certificate Authority). A client that gets this certificate can now encrypt data for the server.
We need to copy that and the Certificate Authority Certificate to the OpenVpn configuration directory
john@ubuntu:~/easy-rsa$ sudo cp pki/issued/ionos_server.crt /etc/openvpn/server
john@ubuntu:~/easy-rsa$ sudo cp pki/ca.crt /etc/openvpn/serverCreate the TLS key
TLS is the latest evolution of the SSL family of protocols developed originally by Netscape for their first secure web browser. TLS and its SSL predecessors have seen widespread usage on the web for many years and have been extensively analyzed for weaknesses. In turn, this analysis has led to a subsequent strengthening of the protocol such that today, SSL/TLS is considered to be one of the strongest and most mature secure protocols available. As such, we believe TLS is an excellent choice for the authentication and key exchange mechanism of a VPN product.
Create the TLS key and copy it to the OpenVpn server configuration directory. This key is used as part of the authentication process between the client and server.
john@ubuntu:~/easy-rsa$ openvpn --genkey secret ta.key
john@ubuntu:~/easy-rsa$ sudo cp ta.key /etc/openvpn/serverGenerate Diffie-Hellman Parameters
The option gen-dh generates the Diffie-Hellman parameters .pem file needed by the server.
john@ubuntu:~/easy-rsa$ ./easyrsa gen-dh
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
Generating DH parameters, 2048 bit long safe prime
...
...
...
DH parameters of size 2048 created at:
* /home/john/easy-rsa/pki/dh.pem
Copy the generate file to the /etc/openvpn/server directory
john@ubuntu:~/easy-rsa$ sudo cp pki/dh.pem /etc/openvpn/server/Configure OpenVPN server
Finally we configure the server so that it can start listening for requests. The key elements we need to configure are:
- ta: The TLS Key to use.
- cert: The server certificate. This is how the server will identify itself to clients.
- key: The server private key. Using this key, the server can decrypt data encrypted with its public key.
- dh: Diffie-Hellman (DH) parameters used by the server
OpenVPN stores its configuration in /etc/openvpn. However, it doesn’t contain a default configuration file when you install it, which I found a bit unusual. The example configuration file is located in /usr/share/doc/openvpn/examples/sample-config-files/server.conf
Copy the example configuration (on some servers the example conjuration is zipped up)
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/Editing the file I set the following values – the configuration is about half way down the file, so you need to find the values and edit them.
ca server/ca.crt
cert server/ionos_server.crt
key server/ionos_server.key
#
dh server/dh.pem
cipher AES-256-CBC
tls-auth server/ta.key 0Start the Server
Once you save you can start the server –
john@ubuntu:/etc/openvpn$ sudo systemctl start openvpn@server
john@ubuntu:/etc/openvpn$ sudo systemctl status openvpn@server
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; preset: enabled)
Active: active (running) since Sat 2025-03-01 14:37:46 UTC; 20s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 42810 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 10)
Memory: 1.4M (peak: 1.6M)
CPU: 15ms
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─42810 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/server.>
Mar 01 14:37:46 ubuntu ovpn-server[42810]: net_iface_up: set tun0 up
Mar 01 14:37:46 ubuntu ovpn-server[42810]: net_addr_v4_add: 10.8.0.1/24 dev tun0
Mar 01 14:37:46 ubuntu ovpn-server[42810]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mar 01 14:37:46 ubuntu ovpn-server[42810]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Mar 01 14:37:46 ubuntu ovpn-server[42810]: UDPv4 link local (bound): [AF_INET][undef]:1194
Mar 01 14:37:46 ubuntu ovpn-server[42810]: UDPv4 link remote: [AF_UNSPEC]
Mar 01 14:37:46 ubuntu ovpn-server[42810]: MULTI: multi_init called, r=256 v=256
Mar 01 14:37:46 ubuntu ovpn-server[42810]: IFCONFIG POOL IPv4: base=10.8.0.2 size=253
Mar 01 14:37:46 ubuntu ovpn-server[42810]: IFCONFIG POOL LIST
Mar 01 14:37:46 ubuntu ovpn-server[42810]: Initialization Sequence CompletedIf there are any errors you should see more information in /var/log/syslog or /var/log/openvpn/openvpn-status.log
Conclusion
So after all this I have
- a certificate authority for issuing certificates
- a server certificate and private key
- OpenVPN server configuration
- Started the openvpn server.
Next I’ll generate client configuration and connect into the server.