Revision as of 13:28, 1 January 2026

OpenVPN Server Configuration

This document describes the OpenVPN server configuration and setup.

Network Details

Server IP: 10.8.0.1 (on tun0 interface)

VPN Network: 10.8.0.0/24

Public IP: 87.106.61.62

Port: 1194 (UDP)

Protocol: UDP

Server Files Location

All OpenVPN server files are located in /etc/openvpn/server/:

server.conf - Main server configuration

ca.crt - Certificate Authority certificate

ca.key - Certificate Authority private key

server.crt - Server certificate

server.key - Server private key

dh.pem - Diffie-Hellman parameters

tc.key - TLS-Crypt key (for additional security)

crl.pem - Certificate Revocation List

ipp.txt - IP address persistence file

easy-rsa/ - Easy-RSA directory for certificate management

Server Configuration File

The main configuration is in /etc/openvpn/server/server.conf:

local 87.106.61.62
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 212.227.123.16"
push "dhcp-option DNS 212.227.123.17"
push "block-outside-dns"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir /etc/openvpn/ccd
script-security 2
up /etc/openvpn/iptables-restore.sh

Key Configuration Options

local 87.106.61.62: Binds to the VPS public IP address

port 1194: Standard OpenVPN port (UDP)

server 10.8.0.0 255.255.255.0: Defines the VPN subnet

push "redirect-gateway def1 bypass-dhcp": Routes all client traffic through VPN

client-config-dir /etc/openvpn/ccd: Directory for per-client configurations

crl-verify crl.pem: Certificate revocation list for security

tls-crypt tc.key: Additional encryption layer

Network Configuration

VPN Interface

The VPN creates a TUN interface (tun0):

ip addr show tun0

Output:

3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500
    inet 10.8.0.1/24 scope global tun0

IP Address Assignment

Server: 10.8.0.1

Clients: 10.8.0.2 - 10.8.0.254 (dynamically assigned)

Synology NAS: Typically 10.8.0.2 (may be static via CCD)

Routing

The server uses iptables for NAT and routing:

NAT Rules:

iptables -t nat -L -n -v

Key Rules:

SNAT: Masquerades VPN client traffic (10.8.0.0/24) to VPS public IP

MASQUERADE: Allows VPN clients to access internet through VPS

Firewall Configuration

Required Ports

Ensure UDP port 1194 is open:

= Check if port is listening =
ss -ulnp | grep 1194

= Check firewall rules =
iptables -L INPUT -n -v | grep 1194
ufw status | grep 1194  # if using ufw

iptables Rules

The OpenVPN server uses an iptables restore script (/etc/openvpn/iptables-restore.sh) that runs when the VPN starts.

Service Management

Service Status

Check OpenVPN service status:

systemctl status openvpn

Start/Stop/Restart

= Start OpenVPN =
systemctl start openvpn

= Stop OpenVPN =
systemctl stop openvpn

= Restart OpenVPN =
systemctl restart openvpn

= Reload configuration (graceful) =
systemctl reload openvpn

The OpenVPN service is enabled to start on boot:

systemctl is-enabled openvpn
= Output: enabled =

@@ Line 5: / Line 5: @@
 == Network Details ==
-'' '''Server IP''': 10.8.0.1 (on tun0 interface)
+* '''Server IP''': 10.8.0.1 (on tun0 interface)
-'' '''VPN Network''': 10.8.0.0/24
-'' '''Public IP''': 87.106.61.62
+* '''VPN Network''': 10.8.0.0/24
-'' '''Port''': 1194 (UDP)
-'' '''Protocol''': UDP
+* '''Public IP''': 87.106.61.62
+* '''Port''': 1194 (UDP)
+* '''Protocol''': UDP
 == Server Files Location ==
@@ Line 15: / Line 19: @@
 All OpenVPN server files are located in <code>/etc/openvpn/server/</code>:
-'' <code>server.conf</code> - Main server configuration
+* <code>server.conf</code> - Main server configuration
-'' <code>ca.crt</code> - Certificate Authority certificate
-'' <code>ca.key</code> - Certificate Authority private key
+* <code>ca.crt</code> - Certificate Authority certificate
-'' <code>server.crt</code> - Server certificate
-'' <code>server.key</code> - Server private key
+* <code>ca.key</code> - Certificate Authority private key
-'' <code>dh.pem</code> - Diffie-Hellman parameters
-'' <code>tc.key</code> - TLS-Crypt key (for additional security)
+* <code>server.crt</code> - Server certificate
-'' <code>crl.pem</code> - Certificate Revocation List
-'' <code>ipp.txt</code> - IP address persistence file
+* <code>server.key</code> - Server private key
-'' <code>easy-rsa/</code> - Easy-RSA directory for certificate management
+* <code>dh.pem</code> - Diffie-Hellman parameters
+* <code>tc.key</code> - TLS-Crypt key (for additional security)
+* <code>crl.pem</code> - Certificate Revocation List
+* <code>ipp.txt</code> - IP address persistence file
+* <code>easy-rsa/</code> - Easy-RSA directory for certificate management
 == Server Configuration File ==
@@ Line 63: / Line 76: @@
 == Key Configuration Options ==
-'' '''<code>local 87.106.61.62</code>''': Binds to the VPS public IP address
+* '''<code>local 87.106.61.62</code>''': Binds to the VPS public IP address
-'' '''<code>port 1194</code>''': Standard OpenVPN port (UDP)
-'' '''<code>server 10.8.0.0 255.255.255.0</code>''': Defines the VPN subnet
+* '''<code>port 1194</code>''': Standard OpenVPN port (UDP)
-'' '''<code>push "redirect-gateway def1 bypass-dhcp"</code>''': Routes all client traffic through VPN
-'' '''<code>client-config-dir /etc/openvpn/ccd</code>''': Directory for per-client configurations
+* '''<code>server 10.8.0.0 255.255.255.0</code>''': Defines the VPN subnet
-'' '''<code>crl-verify crl.pem</code>''': Certificate revocation list for security
-'' '''<code>tls-crypt tc.key</code>''': Additional encryption layer
+* '''<code>push "redirect-gateway def1 bypass-dhcp"</code>''': Routes all client traffic through VPN
+* '''<code>client-config-dir /etc/openvpn/ccd</code>''': Directory for per-client configurations
+* '''<code>crl-verify crl.pem</code>''': Certificate revocation list for security
+* '''<code>tls-crypt tc.key</code>''': Additional encryption layer
 == Network Configuration ==
@@ Line 89: / Line 108: @@
 === IP Address Assignment ===
-'' '''Server''': 10.8.0.1
+* '''Server''': 10.8.0.1
-'' '''Clients''': 10.8.0.2 - 10.8.0.254 (dynamically assigned)
-'' '''Synology NAS''': Typically 10.8.0.2 (may be static via CCD)
+* '''Clients''': 10.8.0.2 - 10.8.0.254 (dynamically assigned)
+* '''Synology NAS''': Typically 10.8.0.2 (may be static via CCD)
 === Routing ===
@@ Line 103: / Line 124: @@
 '''Key Rules''':
-'' '''SNAT''': Masquerades VPN client traffic (10.8.0.0/24) to VPS public IP
+* '''SNAT''': Masquerades VPN client traffic (10.8.0.0/24) to VPS public IP
-'' '''MASQUERADE''': Allows VPN clients to access internet through VPS
+* '''MASQUERADE''': Allows VPN clients to access internet through VPS
 == Firewall Configuration ==
@@ Line 158: / Line 180: @@
 == Related Documentation ==
-'' [Client Configuration](client-configuration.md) - Client setup
+* [Client Configuration](client-configuration.md) - Client setup
-'' [User Management](user-management.md) - Managing users
-'' [Certificate Management](certificate-management.md) - Certificate management
+* [User Management](user-management.md) - Managing users
+* [Certificate Management](certificate-management.md) - Certificate management
 * [[Documentation:Index|Troubleshooting]] - Server troubleshooting
 [[Category:Documentation]]
 [[Category:Documentation/OpenVPN]]