Information Security 12 min read

How to Build an OpenVPN Server on Public Cloud: Step‑by‑Step Guide

This guide walks you through installing OpenVPN on a public cloud, setting up Easy‑RSA for certificate management, configuring the server and client, creating authentication scripts, and connecting Windows or macOS clients, complete with commands and configuration examples.

Raymond Ops

1. Set up OpenVPN server on public cloud

<code># Install openvpn
yum install openvpn</code>

2. Install Easy RSA suite

Purpose: generate keys and certificates for server and clients

<code># Download the Easy-RSA source package
# Release page: https://github.com/OpenVPN/easy-rsa/releases
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
# Unpack the archive, then move it to a fixed location
tar -xzf EasyRSA-3.1.2.tgz
mv EasyRSA-3.1.2 /etc/openvpn/easy-rsa
# All ./easyrsa commands below are run from this directory
cd /etc/openvpn/easy-rsa</code>

Modify configuration file

<code>1. Rename vars.example to vars and edit it
2. Find set_var EASYRSA_CA_EXPIRE to set the CA certificate validity (this guide uses one year)
3. Find set_var EASYRSA_CERT_EXPIRE to set the validity of the issued server and client certificates</code>

Generate private key and certificate on server

<code># Create an empty PKI (Easy-RSA 3 replaced the old clean-all with init-pki; it wipes any existing pki/ directory)
./easyrsa init-pki
# Build the CA root certificate (you will be asked for a CA passphrase and a Common Name)
./easyrsa build-ca
# CA certificate location: /etc/openvpn/easy-rsa/pki/ca.crt</code>

Generate server certificate and key

<code># Build the server certificate and key; nopass = private key without a passphrase, so the service can start unattended
./easyrsa build-server-full server nopass
# Server certificate: /etc/openvpn/easy-rsa/pki/issued/server.crt
# Server private key: /etc/openvpn/easy-rsa/pki/private/server.key
# Generate Diffie-Hellman parameters: /etc/openvpn/easy-rsa/pki/dh.pem
./easyrsa gen-dh
# Generate the tls-auth key (OpenVPN 2.5+ spells this "openvpn --genkey secret ta.key"; the older form below still works)
openvpn --genkey --secret ta.key
# tls-auth key location: /etc/openvpn/easy-rsa/ta.key</code>

3. OpenVPN server configuration

1. Create/modify server.conf

<code>port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC digest for the control channel; the client must use the same value (SHA256 is the stronger choice today)
auth SHA1
proto tcp
# HMAC firewall on the TLS handshake using the ta.key generated above; 0 = server side, the client uses 1
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
# Internal network pushed to clients; 255.255.252.0 is a /22, so the network address must be 10.0.8.0, not a host address
push "route 10.0.8.0 255.255.252.0"
client-to-client
verb 3
persist-key
persist-tun
keepalive 10 120
max-clients 200
ifconfig-pool-persist ipp.txt
# Allow several clients to connect with the same certificate CN (all clients share client.crt below)
duplicate-cn
# Level 3 is required for via-env: the username and password are passed to check.sh as environment variables
script-security 3
auth-user-pass-verify /etc/openvpn/check.sh via-env
username-as-common-name</code>

2. Write user authentication script (check.sh)

<code>#!/bin/bash
# Called by OpenVPN through "auth-user-pass-verify ... via-env": the client's credentials
# arrive in the environment variables $username and $password. Exit 0 = accept, non-zero = reject.
PASSFILE="/etc/openvpn/openvpnfile"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi
# Look up the user's password. The shell value is passed in with -v: inside the single-quoted awk
# program "${username}" would be a literal string and no user would ever match.
# Lines beginning with ; or # are comments.
CORRECT_PASSWORD=$(awk -v user="${username}" '!/^;/ && !/^#/ && $1 == user { print $2; exit }' "${PASSFILE}")
if [ -z "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
# Only the username is logged: writing the submitted password would leave live credentials in the log file
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1</code>
<code>chmod +x /etc/openvpn/check.sh</code>

3. Create user password file

<code># /etc/openvpn/openvpnfile: one "username password" pair per line; lines starting with # or ; are ignored
koten 1</code>

4. Copy key files and start service

<code>cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
# The server never reads the CA private key; ca.key stays in the PKI directory
cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/server/
# server.conf refers to these files by relative name, so start OpenVPN from the directory that holds them
cd /etc/openvpn/server
openvpn --config server.conf</code>

Server is now running and has virtual IP 10.8.0.1.


4. Client configuration

1. Install OpenVPN on client

<code># Install openvpn
yum install openvpn</code>

2. Generate client certificate and key

<code># In /etc/openvpn/easy-rsa/
./easyrsa build-client-full client nopass
# Client certificate: /etc/openvpn/easy-rsa/pki/issued/client.crt
# Client private key: /etc/openvpn/easy-rsa/pki/private/client.key
# Copy ca.crt, client.crt, client.key, ta.key to client /etc/openvpn/client/</code>

3. Create/modify client.conf

<code>client
dev tun
proto tcp
# Public IP of the server (placeholder)
remote xx.xx.xx.xx 1194
ca ca.crt
cert client.crt
key client.key
# Accept only a certificate issued with build-server-full as the server; another client.crt cannot pose as the server
remote-cert-tls server
# Same ta.key as the server; 1 = client side
tls-auth ta.key 1
nobind
auth SHA1
resolv-retry infinite
verb 3
persist-key
persist-tun
# Username on line 1 and password on line 2 of pass.txt (created in the next step)
auth-user-pass pass.txt</code>

4. Create pass.txt next to client.conf: the username on the first line and the password on the second (the username must have an entry in the server's /etc/openvpn/openvpnfile)

<code>张三
123456</code>

5. Start client

<code>openvpn --config client.conf</code>

Client receives a virtual IP and can communicate with other machines in the VPN network.


5. Access internal network from your computer

Download the OpenVPN client for Windows or macOS from the official site, import the generated configuration file, and connect to the VPN to access internal resources.

Tags: Linux, Network Security, Server Configuration, VPN, EasyRSA, OpenVPN

Written by Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
