OpenVPN:Server Configuration: Difference between revisions
Latest revision as of 13:44, 1 January 2026
This document describes the OpenVPN server configuration and setup.
Network Details

- Server IP: 10.8.0.1 (on tun0 interface)
- VPN Network: 10.8.0.0/24
- Public IP: 87.106.61.62
- Port: 1194 (UDP)
- Protocol: UDP
Server Files Location

All OpenVPN server files are located in /etc/openvpn/server/:

- server.conf - Main server configuration
- ca.crt - Certificate Authority certificate
- ca.key - Certificate Authority private key
- server.crt - Server certificate
- server.key - Server private key
- dh.pem - Diffie-Hellman parameters
- tc.key - TLS-Crypt key (for additional security)
- crl.pem - Certificate Revocation List
- ipp.txt - IP address persistence file
- easy-rsa/ - Easy-RSA directory for certificate management
Server Configuration File

The main configuration is in /etc/openvpn/server/server.conf:

```
local 87.106.61.62
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 212.227.123.16"
push "dhcp-option DNS 212.227.123.17"
push "block-outside-dns"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir /etc/openvpn/ccd
script-security 2
up /etc/openvpn/iptables-restore.sh
```
Key Configuration Options

- local 87.106.61.62: Binds the listener to the VPS public IP address only
- port 1194: Standard OpenVPN port (UDP)
- server 10.8.0.0 255.255.255.0: Defines the VPN subnet and runs OpenVPN in multi-client server mode
- push "redirect-gateway def1 bypass-dhcp": Routes all client traffic through the VPN
- client-config-dir /etc/openvpn/ccd: Directory for per-client configurations (for example, static addresses)
- crl-verify crl.pem: Rejects clients whose certificates appear in the revocation list
- tls-crypt tc.key: Encrypts and authenticates the TLS control channel with a pre-shared key, so packets that lack it are dropped before the TLS handshake
Network Configuration

VPN Interface

The VPN creates a TUN interface (tun0):

```bash
ip addr show tun0
```

Output:

```
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500
    inet 10.8.0.1/24 scope global tun0
```
IP Address Assignment

- Server: 10.8.0.1
- Clients: 10.8.0.2 - 10.8.0.254 (dynamically assigned)
- Synology NAS: Typically 10.8.0.2 (may be static via CCD)
Routing

The server uses iptables for NAT and routing.

NAT Rules:

```bash
iptables -t nat -L -n -v
```

Key Rules:

- SNAT: Masquerades VPN client traffic (10.8.0.0/24) to the VPS public IP
- MASQUERADE: Allows VPN clients to access the internet through the VPS
Firewall Configuration

Required Ports

Ensure UDP port 1194 is open:

```bash
# Check if port is listening
ss -ulnp | grep 1194

# Check firewall rules
iptables -L INPUT -n -v | grep 1194
ufw status | grep 1194   # if using ufw
```
iptables Rules

The OpenVPN server uses an iptables restore script (/etc/openvpn/iptables-restore.sh) that runs when the VPN starts.
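As an added example (not the page's own /etc/openvpn/iptables-restore.sh, whose contents the page does not show), the following up script installs the NAT and forwarding rules described above without duplicating them on a restart; the uplink interface name eth0, the IPT override and the dry-run guard are assumptions, while the subnet, public IP and port are the page's values.

```shell
#!/bin/sh
# Added example of an OpenVPN "up" script for the role of /etc/openvpn/iptables-restore.sh.
# Not the page's own script. Uses the page's values (10.8.0.0/24, 87.106.61.62, UDP 1194);
# the uplink interface name eth0 is an assumption (override with WAN_IF).
# OpenVPN invokes an up script as:
#   script tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# so $1 is the tunnel device. "script-security 2" in server.conf permits running it.
VPN_NET="10.8.0.0/24"
PUBLIC_IP="87.106.61.62"
VPN_PORT="1194"
WAN_IF="${WAN_IF:-eth0}"
TUN_DEV="${1:-tun0}"
IPT="${IPT:-iptables}"   # command used to manage rules; replaceable for a dry run

# Append a rule only if it is not already present, so a 'restart' does not duplicate it.
ensure_rule() {
    table="$1"; shift
    if ! "$IPT" -t "$table" -C "$@" 2>/dev/null; then
        "$IPT" -t "$table" -A "$@"
    fi
}

apply_rules() {
    # Accept the VPN handshake on the public address only.
    ensure_rule filter INPUT -d "$PUBLIC_IP" -p udp --dport "$VPN_PORT" -j ACCEPT
    # Let clients reach the internet through the uplink, and let replies come back.
    ensure_rule filter FORWARD -i "$TUN_DEV" -s "$VPN_NET" -o "$WAN_IF" -j ACCEPT
    ensure_rule filter FORWARD -i "$WAN_IF" -o "$TUN_DEV" -d "$VPN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rewrite client source addresses to the VPS public IP (the page's SNAT rule).
    ensure_rule nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# Apply only when installed and executed under the name OpenVPN calls (dry-run guard).
case "${0##*/}" in
    iptables-restore.sh)
        # Forwarding must be enabled or the FORWARD rules never see traffic.
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
        apply_rules
        ;;
esac
```

Because the rules are added with `-C` checks rather than a table flush, the script can also be run by hand after a firewall reload without disturbing unrelated rules.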
Service Management

Service Status

Check OpenVPN service status:

```bash
systemctl status openvpn
```

Start/Stop/Restart

```bash
# Start OpenVPN
systemctl start openvpn

# Stop OpenVPN
systemctl stop openvpn

# Restart OpenVPN
systemctl restart openvpn

# Reload configuration (graceful)
systemctl reload openvpn
```

The OpenVPN service is enabled to start on boot:

```bash
systemctl is-enabled openvpn
# Output: enabled
```
Related Documentation

- [Client Configuration](client-configuration.md) - Client setup
- [User Management](user-management.md) - Managing users
- [Certificate Management](certificate-management.md) - Certificate management
- Troubleshooting - Server troubleshooting