OpenVPN:Server Configuration
This document describes the OpenVPN server configuration and setup.

== Network Details ==
* '''Server IP''': 10.8.0.1 (on tun0 interface)
* '''VPN Network''': 10.8.0.0/24
* '''Public IP''': 87.106.61.62
* '''Port''': 1194 (UDP)
* '''Protocol''': UDP

== Server Files Location ==
All OpenVPN server files are located in <code>/etc/openvpn/server/</code>:
* <code>server.conf</code> - Main server configuration
* <code>ca.crt</code> - Certificate Authority certificate
* <code>ca.key</code> - Certificate Authority private key
* <code>server.crt</code> - Server certificate
* <code>server.key</code> - Server private key
* <code>dh.pem</code> - Diffie-Hellman parameters
* <code>tc.key</code> - TLS-Crypt key (for additional security)
* <code>crl.pem</code> - Certificate Revocation List
* <code>ipp.txt</code> - IP address persistence file
* <code>easy-rsa/</code> - Easy-RSA directory for certificate management

== Server Configuration File ==
The main configuration is in <code>/etc/openvpn/server/server.conf</code>:
<pre class="lang-conf">
local 87.106.61.62
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 212.227.123.16"
push "dhcp-option DNS 212.227.123.17"
push "block-outside-dns"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir /etc/openvpn/ccd
script-security 2
up /etc/openvpn/iptables-restore.sh
</pre>

== Key Configuration Options ==
* '''<code>local 87.106.61.62</code>''': Binds the server to the VPS public IP address
* '''<code>port 1194</code>''': Standard OpenVPN port (UDP)
* '''<code>server 10.8.0.0 255.255.255.0</code>''': Defines the VPN subnet
* '''<code>push "redirect-gateway def1 bypass-dhcp"</code>''': Routes all client traffic through the VPN
* '''<code>client-config-dir /etc/openvpn/ccd</code>''': Directory for per-client configurations
* '''<code>crl-verify crl.pem</code>''': Rejects clients whose certificates appear in the revocation list
* '''<code>tls-crypt tc.key</code>''': Encrypts and authenticates the TLS control channel with a pre-shared key

== Network Configuration ==
=== VPN Interface ===
The VPN creates a TUN interface (<code>tun0</code>):
<pre class="lang-bash">
ip addr show tun0
</pre>
'''Output''':
<pre>
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500
    inet 10.8.0.1/24 scope global tun0
</pre>

=== IP Address Assignment ===
* '''Server''': 10.8.0.1
* '''Clients''': 10.8.0.2 - 10.8.0.254 (dynamically assigned)
* '''Synology NAS''': Typically 10.8.0.2 (may be static via CCD)

=== Routing ===
The server uses iptables for NAT and routing:

'''NAT Rules''':
<pre class="lang-bash">
iptables -t nat -L -n -v
</pre>
'''Key Rules''':
* '''SNAT''': Masquerades VPN client traffic (10.8.0.0/24) to the VPS public IP
* '''MASQUERADE''': Allows VPN clients to access the internet through the VPS

== Firewall Configuration ==
=== Required Ports ===
Ensure UDP port 1194 is open:
<pre class="lang-bash">
# Check if the port is listening
ss -ulnp | grep 1194

# Check firewall rules
iptables -L INPUT -n -v | grep 1194
ufw status | grep 1194   # if using ufw
</pre>

=== iptables Rules ===
The OpenVPN server uses an iptables restore script (<code>/etc/openvpn/iptables-restore.sh</code>) that runs when the VPN starts.
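The hardening directives listed under Key Configuration Options (tls-crypt, crl-verify, auth SHA512, the user/group drop, script-security) can be checked mechanically before a restart. The function below is an added example, not part of this wiki or of OpenVPN; <code>audit_openvpn_conf</code> is an assumed name, and the config it audits is a constructed copy of the server.conf above, trimmed to the security-relevant lines and written to a temp file.

```shell
# audit_openvpn_conf FILE: exit 0 when every hardening directive from server.conf
# is present and script-security is not above 2; otherwise print one finding per line.
audit_openvpn_conf() {
    conf="$1"
    rc=0
    # Control-channel protection, revocation checks, SHA512 HMAC and privilege drop,
    # matched at line start with their expected values.
    for want in 'tls-crypt ' 'crl-verify ' 'auth SHA512' 'user nobody' \
                'group nogroup' 'persist-key' 'persist-tun'; do
        if ! grep -qE "^[[:space:]]*${want}" "$conf"; then
            echo "MISSING: ${want}"
            rc=1
        fi
    done
    # Level 2 is enough for the up script; level 3 also exports client passwords to scripts.
    level=$(awk '$1 == "script-security" { v = $2 } END { print v }' "$conf")
    if [ -n "$level" ] && [ "$level" -gt 2 ]; then
        echo "WEAK: script-security ${level}"
        rc=1
    fi
    return $rc
}

# Constructed copy of the wiki's server.conf, trimmed to the directives audited above.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
port 1194
ca ca.crt
cert server.crt
key server.key
auth SHA512
tls-crypt tc.key
server 10.8.0.0 255.255.255.0
user nobody
group nogroup
persist-key
persist-tun
crl-verify crl.pem
script-security 2
up /etc/openvpn/iptables-restore.sh
EOF
# Constructed weakened variant: unprotected control channel, no CRL, no privilege drop.
WEAK_CONF=$(mktemp)
grep -vE '^(tls-crypt|crl-verify|user|group|script-security) ' "$GOOD_CONF" > "$WEAK_CONF"
echo 'script-security 3' >> "$WEAK_CONF"

audit_openvpn_conf "$GOOD_CONF" && echo "server.conf: OK"
audit_openvpn_conf "$WEAK_CONF" || echo "weak config: see findings above"
```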
== Service Management ==
=== Service Status ===
Check OpenVPN service status:
<pre class="lang-bash">
systemctl status openvpn
</pre>

=== Start/Stop/Restart ===
<pre class="lang-bash">
# Start OpenVPN
systemctl start openvpn

# Stop OpenVPN
systemctl stop openvpn

# Restart OpenVPN
systemctl restart openvpn

# Reload configuration (graceful)
systemctl reload openvpn
</pre>
The OpenVPN service is enabled to start on boot:
<pre class="lang-bash">
systemctl is-enabled openvpn
# Output: enabled
</pre>

== Related Documentation ==
* [Client Configuration](client-configuration.md) - Client setup
* [User Management](user-management.md) - Managing users
* [Certificate Management](certificate-management.md) - Certificate management
* [[Documentation:Index|Troubleshooting]] - Server troubleshooting

[[Category:Documentation]]
[[Category:Documentation/OpenVPN]]