Jump to content

OpenVPN:Server Configuration: Difference between revisions

From jb-vpn.uk Wiki
Added troubleshooting guide: OpenVPN Server Configuration (configuration)
 
Content added - troubleshooting guide: OpenVPN Server Configuration (22 sections) (configuration)
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
= OpenVPN Server Configuration =
This document describes the OpenVPN server configuration and setup.
This document describes the OpenVPN server configuration and setup.


== Network Details ==
== Network Details ==


'' '''Server IP''': 10.8.0.1 (on tun0 interface)
* '''Server IP''': 10.8.0.1 (on tun0 interface)
'' '''VPN Network''': 10.8.0.0/24
 
'' '''Public IP''': 87.106.61.62
* '''VPN Network''': 10.8.0.0/24
'' '''Port''': 1194 (UDP)
 
'' '''Protocol''': UDP
* '''Public IP''': 87.106.61.62
 
* '''Port''': 1194 (UDP)
 
* '''Protocol''': UDP


== Server Files Location ==
== Server Files Location ==
Line 15: Line 17:
All OpenVPN server files are located in <code>/etc/openvpn/server/</code>:
All OpenVPN server files are located in <code>/etc/openvpn/server/</code>:


'' <code>server.conf</code> - Main server configuration
* <code>server.conf</code> - Main server configuration
'' <code>ca.crt</code> - Certificate Authority certificate
 
'' <code>ca.key</code> - Certificate Authority private key
* <code>ca.crt</code> - Certificate Authority certificate
'' <code>server.crt</code> - Server certificate
 
'' <code>server.key</code> - Server private key
* <code>ca.key</code> - Certificate Authority private key
'' <code>dh.pem</code> - Diffie-Hellman parameters
 
'' <code>tc.key</code> - TLS-Crypt key (for additional security)
* <code>server.crt</code> - Server certificate
'' <code>crl.pem</code> - Certificate Revocation List
 
'' <code>ipp.txt</code> - IP address persistence file
* <code>server.key</code> - Server private key
'' <code>easy-rsa/</code> - Easy-RSA directory for certificate management
 
* <code>dh.pem</code> - Diffie-Hellman parameters
 
* <code>tc.key</code> - TLS-Crypt key (for additional security)
 
* <code>crl.pem</code> - Certificate Revocation List
 
* <code>ipp.txt</code> - IP address persistence file
 
* <code>easy-rsa/</code> - Easy-RSA directory for certificate management


== Server Configuration File ==
== Server Configuration File ==
Line 63: Line 74:
== Key Configuration Options ==
== Key Configuration Options ==


'' '''<code>local 87.106.61.62</code>''': Binds to the VPS public IP address
* '''<code>local 87.106.61.62</code>''': Binds to the VPS public IP address
'' '''<code>port 1194</code>''': Standard OpenVPN port (UDP)
 
'' '''<code>server 10.8.0.0 255.255.255.0</code>''': Defines the VPN subnet
* '''<code>port 1194</code>''': Standard OpenVPN port (UDP)
'' '''<code>push "redirect-gateway def1 bypass-dhcp"</code>''': Routes all client traffic through VPN
 
'' '''<code>client-config-dir /etc/openvpn/ccd</code>''': Directory for per-client configurations
* '''<code>server 10.8.0.0 255.255.255.0</code>''': Defines the VPN subnet
'' '''<code>crl-verify crl.pem</code>''': Certificate revocation list for security
 
'' '''<code>tls-crypt tc.key</code>''': Additional encryption layer
* '''<code>push "redirect-gateway def1 bypass-dhcp"</code>''': Routes all client traffic through VPN
 
* '''<code>client-config-dir /etc/openvpn/ccd</code>''': Directory for per-client configurations
 
* '''<code>crl-verify crl.pem</code>''': Certificate revocation list for security
 
* '''<code>tls-crypt tc.key</code>''': Additional encryption layer


== Network Configuration ==
== Network Configuration ==
Line 89: Line 106:
=== IP Address Assignment ===
=== IP Address Assignment ===


'' '''Server''': 10.8.0.1
* '''Server''': 10.8.0.1
'' '''Clients''': 10.8.0.2 - 10.8.0.254 (dynamically assigned)
 
'' '''Synology NAS''': Typically 10.8.0.2 (may be static via CCD)
* '''Clients''': 10.8.0.2 - 10.8.0.254 (dynamically assigned)
 
* '''Synology NAS''': Typically 10.8.0.2 (may be static via CCD)


=== Routing ===
=== Routing ===
Line 103: Line 122:


'''Key Rules''':
'''Key Rules''':
'' '''SNAT''': Masquerades VPN client traffic (10.8.0.0/24) to VPS public IP
* '''SNAT''': Masquerades VPN client traffic (10.8.0.0/24) to VPS public IP
'' '''MASQUERADE''': Allows VPN clients to access internet through VPS
 
* '''MASQUERADE''': Allows VPN clients to access internet through VPS


== Firewall Configuration ==
== Firewall Configuration ==
Line 113: Line 133:


<pre class="lang-bash">
<pre class="lang-bash">
= Check if port is listening =
==== Check if port is listening ====
ss -ulnp | grep 1194
ss -ulnp | grep 1194


= Check firewall rules =
== Check firewall rules ==
iptables -L INPUT -n -v | grep 1194
iptables -L INPUT -n -v | grep 1194
ufw status | grep 1194  # if using ufw
ufw status | grep 1194  # if using ufw
Line 137: Line 157:


<pre class="lang-bash">
<pre class="lang-bash">
= Start OpenVPN =
==== Start OpenVPN ====
systemctl start openvpn
systemctl start openvpn


= Stop OpenVPN =
== Stop OpenVPN ==
systemctl stop openvpn
systemctl stop openvpn


= Restart OpenVPN =
== Restart OpenVPN ==
systemctl restart openvpn
systemctl restart openvpn


= Reload configuration (graceful) =
== Reload configuration (graceful) ==
systemctl reload openvpn
systemctl reload openvpn
</pre>
</pre>
Line 153: Line 173:
<pre class="lang-bash">
<pre class="lang-bash">
systemctl is-enabled openvpn
systemctl is-enabled openvpn
= Output: enabled =
== Output: enabled ==
</pre>
</pre>


== Related Documentation ==
== Related Documentation ==


'' [Client Configuration](client-configuration.md) - Client setup
* [Client Configuration](client-configuration.md) - Client setup
'' [User Management](user-management.md) - Managing users
 
'' [Certificate Management](certificate-management.md) - Certificate management
* [User Management](user-management.md) - Managing users
 
* [Certificate Management](certificate-management.md) - Certificate management
 
* [[Documentation:Index|Troubleshooting]] - Server troubleshooting
* [[Documentation:Index|Troubleshooting]] - Server troubleshooting


[[Category:Documentation]]
[[Category:Documentation]]
[[Category:Documentation/OpenVPN]]
[[Category:Documentation/OpenVPN]]

Latest revision as of 13:44, 1 January 2026

This document describes the OpenVPN server configuration and setup.

Network Details

[edit]
  • Server IP: 10.8.0.1 (on tun0 interface)
  • VPN Network: 10.8.0.0/24
  • Public IP: 87.106.61.62
  • Port: 1194 (UDP)
  • Protocol: UDP

Server Files Location

[edit]

All OpenVPN server files are located in /etc/openvpn/server/:

  • server.conf - Main server configuration
  • ca.crt - Certificate Authority certificate
  • ca.key - Certificate Authority private key
  • server.crt - Server certificate
  • server.key - Server private key
  • dh.pem - Diffie-Hellman parameters
  • tc.key - TLS-Crypt key (for additional security)
  • crl.pem - Certificate Revocation List
  • ipp.txt - IP address persistence file
  • easy-rsa/ - Easy-RSA directory for certificate management

Server Configuration File

[edit]

The main configuration is in /etc/openvpn/server/server.conf: 

local 87.106.61.62
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 212.227.123.16"
push "dhcp-option DNS 212.227.123.17"
push "block-outside-dns"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir /etc/openvpn/ccd
script-security 2
up /etc/openvpn/iptables-restore.sh

Key Configuration Options

[edit]
  • local 87.106.61.62: Binds to the VPS public IP address
  • port 1194: Standard OpenVPN port (UDP)
  • server 10.8.0.0 255.255.255.0: Defines the VPN subnet
  • push "redirect-gateway def1 bypass-dhcp": Routes all client traffic through VPN
  • client-config-dir /etc/openvpn/ccd: Directory for per-client configurations
  • crl-verify crl.pem: Certificate revocation list for security
  • tls-crypt tc.key: Additional encryption layer

Network Configuration

[edit]

VPN Interface

[edit]

The VPN creates a TUN interface (tun0): 

ip addr show tun0

Output: 

3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500
    inet 10.8.0.1/24 scope global tun0

IP Address Assignment

[edit]
  • Server: 10.8.0.1
  • Clients: 10.8.0.2 - 10.8.0.254 (dynamically assigned)
  • Synology NAS: Typically 10.8.0.2 (may be static via CCD)

Routing

[edit]

The server uses iptables for NAT and routing:

NAT Rules: 

iptables -t nat -L -n -v

Key Rules:

  • SNAT: Masquerades VPN client traffic (10.8.0.0/24) to VPS public IP
  • MASQUERADE: Allows VPN clients to access internet through VPS

Firewall Configuration

[edit]

Required Ports

[edit]

Ensure UDP port 1194 is open: 

==== Check if port is listening ====
ss -ulnp | grep 1194

== Check firewall rules ==
iptables -L INPUT -n -v | grep 1194
ufw status | grep 1194  # if using ufw

iptables Rules

[edit]

The OpenVPN server uses an iptables restore script (/etc/openvpn/iptables-restore.sh) that runs when the VPN starts.

Service Management

[edit]

Service Status

[edit]

Check OpenVPN service status: 

systemctl status openvpn

Start/Stop/Restart

[edit]
==== Start OpenVPN ====
systemctl start openvpn

== Stop OpenVPN ==
systemctl stop openvpn

== Restart OpenVPN ==
systemctl restart openvpn

== Reload configuration (graceful) ==
systemctl reload openvpn

The OpenVPN service is enabled to start on boot: 

systemctl is-enabled openvpn
== Output: enabled ==
[edit]
  • [Client Configuration](client-configuration.md) - Client setup
  • [User Management](user-management.md) - Managing users
  • [Certificate Management](certificate-management.md) - Certificate management
Retrieved from "https://wiki.jb-vpn.uk/index.php?title=OpenVPN:Server_Configuration&oldid=240"