How to Set Up OpenVPN Server and Client on Linux: Step‑by‑Step Guide

This tutorial explains how to install, configure, and run OpenVPN on Linux, covering VPN concepts, types, OpenVPN features, server‑side certificate creation, key generation, configuration files, and client setup, with step‑by‑step commands and troubleshooting tips for secure remote access.

Raymond Ops

VPN stands for Virtual Private Network. It enables a computer to send and receive data securely between private networks over a public network (Internet). This is useful for users who need to connect to an internal corporate network from outside, or for linking multiple branch offices.

When a company purchases dedicated lines to form a WAN, the cost is high. VPN fills this gap by providing point‑to‑point virtual connections over the public network, easily scaling to users in different locations.

VPN Types

Remote Access

Site‑to‑Site

Remote Access connects individual computers to a network via VPN, while Site‑to‑Site links two networks together.

What is OpenVPN

OpenVPN is an open‑source VPN daemon by James Yonan. It supports SSL/TLS security, Ethernet bridging, TCP/UDP tunneling through proxies or NAT, dynamic IP and DHCP, scalability for thousands of users, and portability across major operating systems.

This tutorial explains the process of setting up and configuring an OpenVPN server and client for remote access.

1. Configure OpenVPN – Server

1. Install OpenVPN

Install the openvpn package on both server and client machines.

# Debian/Ubuntu
$ sudo apt-get install openvpn
# RHEL/CentOS
$ sudo yum install openvpn

2. Create directory and set environment variables

Create a directory under /etc/openvpn named easy-rsa and copy the easy‑rsa contents into it. Change ownership to the current user so that files can be created.

$ sudo mkdir /etc/openvpn/easy-rsa
$ sudo cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
$ sudo chown -R $USER /etc/openvpn/easy-rsa/

Edit /etc/openvpn/easy-rsa/vars to match your environment.

export KEY_COUNTRY="IN"
export KEY_PROVINCE="TN"
export KEY_CITY="CHN"
export KEY_ORG="tgs"
export KEY_EMAIL="[email protected]"

3. Create CA – Certificate Authority (Root Certificate)

Build a public key infrastructure so the server and clients can authenticate each other.

$ cd /etc/openvpn/easy-rsa
$ source vars
$ ./clean-all
$ ln -s openssl-1.0.0.cnf openssl.cnf
$ ./build-ca
# Follow the prompts to enter country, province, city, organization, etc.
# The generated files ca.key and ca.crt are placed in /etc/openvpn/easy-rsa/keys/.
# Keep the ca.key file secret.

4. Create server certificate

Generate a certificate and key for the OpenVPN server.

$ ./build-key-server vpnserver
# Sign the certificate when prompted.

Note: vpnserver is the server’s hostname.

5. Create client certificates

Each client needs its own certificate for authentication.

$ ./build-key vpnclient1
# Sign the certificate when prompted.

Note: vpnclient1 is the client’s hostname.

6. Create Diffie‑Hellman parameters

$ ./build-dh

After completing all steps, the /etc/openvpn/easy-rsa/keys directory contains the necessary keys and certificates. The Diffie‑Hellman file is named after the KEY_SIZE value in vars (dh1024.pem in this guide).

7. Copy certificates to appropriate locations

$ cd /etc/openvpn/easy-rsa/keys
$ sudo cp ca.crt vpnserver.crt vpnserver.key dh1024.pem /etc/openvpn/
$ scp ca.crt vpnclient1.key vpnclient1.crt root@vpnclient1:/etc/openvpn

When copying key files, use a secure transfer method such as scp.
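
A check for the result of step 7, as an added example rather than part of the original guide: it confirms a host holds the files copied above, that ca.key has not ended up in the OpenVPN runtime directory, and that private keys are readable by their owner only. The file names come from this guide; the temporary directory built in demo() is constructed sample data.

```python
import os
import stat
import tempfile

# File names from step 7 of this guide: role -> files expected in /etc/openvpn.
EXPECTED = {
    "server": ["ca.crt", "vpnserver.crt", "vpnserver.key", "dh1024.pem"],
    "client": ["ca.crt", "vpnclient1.crt", "vpnclient1.key"],
}

def audit(directory, role):
    """Return a list of findings for one host's OpenVPN directory."""
    findings = []
    present = set(os.listdir(directory))
    for name in EXPECTED[role]:
        if name not in present:
            findings.append(f"missing: {name}")
    # The CA private key only signs certificates; the daemon needs ca.crt alone.
    if "ca.key" in present:
        findings.append("ca.key present: not needed by the daemon")
    for name in sorted(present):
        if name.endswith(".key"):
            mode = stat.S_IMODE(os.stat(os.path.join(directory, name)).st_mode)
            if mode & 0o077:  # any group/other permission bit set
                findings.append(f"{name}: mode {mode:03o} readable beyond owner")
    return findings

def demo():
    """Audit a constructed server directory that contains two mistakes."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in [("ca.crt", 0o644), ("vpnserver.crt", 0o644),
                           ("vpnserver.key", 0o644), ("dh1024.pem", 0o644),
                           ("ca.key", 0o600)]:
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit(d, "server")

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, call audit("/etc/openvpn", "server") or audit("/etc/openvpn", "client") with enough privilege to list the directory.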

8. Configure the server

OpenVPN provides a default server.conf. Modify it as needed.

$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
$ sudo gzip -d /etc/openvpn/server.conf.gz
# Edit /etc/openvpn/server.conf to include:
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh dh1024.pem

Start the OpenVPN server:

$ sudo /etc/init.d/openvpn start
$ ifconfig tun0

By default, OpenVPN logs errors to the syslog file.

2. Configure OpenVPN – Client

9. Set up client configuration file

Copy the example client.conf to /etc/openvpn and edit it.

$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
# Edit /etc/openvpn/client.conf:
client
remote vpnserver 1194
ca ca.crt
cert vpnclient1.crt
key vpnclient1.key

Start OpenVPN on the client:

$ sudo /etc/init.d/openvpn start
$ ifconfig tun0

10. Test the VPN setup

Ping the VPN server from the client to verify connectivity.

$ ping 10.8.0.1

If the ping succeeds, the configuration is correct.

Key points to remember:

Ensure the client and server use the same protocol and port.

Client and server must share parameters such as key size and compression.

If issues arise, increase log verbosity in the configuration and check the syslog for troubleshooting.
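
The first two key points can be checked before either daemon is started. The following is an added example, not from the original article: it parses both configuration files and reports the directives that disagree. The sample file contents are constructed, and only comments that begin a line with `#` or `;` are handled.

```python
# Directives that both ends of the tunnel must agree on.
SHARED = ("proto", "dev", "cipher", "keysize", "comp-lzo")
DEFAULTS = {"proto": "udp", "port": "1194"}  # OpenVPN's built-in defaults

def parse(text):
    """Map each directive to the list of argument lists it appears with."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf

def value(conf, name):
    """First value of a directive, 'on' for a bare flag, default if absent."""
    if name not in conf:
        return DEFAULTS.get(name, "unset")
    val = " ".join(conf[name][0]) or "on"
    # tcp-server and tcp-client are the two ends of the same transport
    return val.split("-")[0] if name == "proto" else val

def mismatches(server_text, client_text):
    """Return human-readable differences between server.conf and client.conf."""
    srv, cli = parse(server_text), parse(client_text)
    found = [f"{d}: server={value(srv, d)} client={value(cli, d)}"
             for d in SHARED if value(srv, d) != value(cli, d)]
    for args in cli.get("remote", []):       # remote <host> [port]
        port = args[1] if len(args) > 1 else value(cli, "port")
        if port != value(srv, "port"):
            found.append(f"port: server={value(srv, 'port')} remote={port}")
    return found

# Constructed sample files, trimmed to the directives under test.
SERVER = "port 1194\nproto udp\ndev tun\nca ca.crt\ncert vpnserver.crt\n" \
         "key vpnserver.key\ndh dh1024.pem\ncomp-lzo\n"
CLIENT_BAD = "client\ndev tun\nproto tcp\nremote vpnserver 443\n" \
             "ca ca.crt\n;comp-lzo\n"
CLIENT_OK = (CLIENT_BAD.replace("proto tcp", "proto udp")
             .replace("443", "1194").replace(";comp-lzo", "comp-lzo"))

if __name__ == "__main__":
    for problem in mismatches(SERVER, CLIENT_BAD):
        print(problem)
```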
