Jump to content

OpenVPN:Server Configuration

From jb-vpn.uk Wiki
Revision as of 13:28, 1 January 2026 by Josh (talk | contribs) (Minor update - troubleshooting guide: OpenVPN Server Configuration (15 sections) (configuration))

OpenVPN Server Configuration

This document describes the OpenVPN server configuration and setup.

Network Details

  • Server IP: 10.8.0.1 (on tun0 interface)
  • VPN Network: 10.8.0.0/24
  • Public IP: 87.106.61.62
  • Port: 1194 (UDP)
  • Protocol: UDP

Server Files Location

All OpenVPN server files are located in /etc/openvpn/server/:

  • server.conf - Main server configuration
  • ca.crt - Certificate Authority certificate
  • ca.key - Certificate Authority private key
  • server.crt - Server certificate
  • server.key - Server private key
  • dh.pem - Diffie-Hellman parameters
  • tc.key - TLS-Crypt key (for additional security)
  • crl.pem - Certificate Revocation List
  • ipp.txt - IP address persistence file
  • easy-rsa/ - Easy-RSA directory for certificate management

Server Configuration File

The main configuration is in /etc/openvpn/server/server.conf: 

local 87.106.61.62
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 212.227.123.16"
push "dhcp-option DNS 212.227.123.17"
push "block-outside-dns"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir /etc/openvpn/ccd
script-security 2
up /etc/openvpn/iptables-restore.sh

Key Configuration Options

  • local 87.106.61.62: Binds to the VPS public IP address
  • port 1194: Standard OpenVPN port (UDP)
  • server 10.8.0.0 255.255.255.0: Defines the VPN subnet
  • push "redirect-gateway def1 bypass-dhcp": Routes all client traffic through VPN
  • client-config-dir /etc/openvpn/ccd: Directory for per-client configurations
  • crl-verify crl.pem: Certificate revocation list for security
  • tls-crypt tc.key: Additional encryption layer

Network Configuration

VPN Interface

The VPN creates a TUN interface (tun0): 

ip addr show tun0

Output: 

3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500
    inet 10.8.0.1/24 scope global tun0

IP Address Assignment

  • Server: 10.8.0.1
  • Clients: 10.8.0.2 - 10.8.0.254 (dynamically assigned)
  • Synology NAS: Typically 10.8.0.2 (may be static via CCD)

Routing

The server uses iptables for NAT and routing:

NAT Rules: 

iptables -t nat -L -n -v

Key Rules:

  • SNAT: Masquerades VPN client traffic (10.8.0.0/24) to VPS public IP
  • MASQUERADE: Allows VPN clients to access internet through VPS

Firewall Configuration

Required Ports

Ensure UDP port 1194 is open: 

= Check if port is listening =
ss -ulnp | grep 1194

= Check firewall rules =
iptables -L INPUT -n -v | grep 1194
ufw status | grep 1194  # if using ufw

iptables Rules

The OpenVPN server uses an iptables restore script (/etc/openvpn/iptables-restore.sh) that runs when the VPN starts.

Service Management

Service Status

Check OpenVPN service status: 

systemctl status openvpn

Start/Stop/Restart

= Start OpenVPN =
systemctl start openvpn

= Stop OpenVPN =
systemctl stop openvpn

= Restart OpenVPN =
systemctl restart openvpn

= Reload configuration (graceful) =
systemctl reload openvpn

The OpenVPN service is enabled to start on boot: 

systemctl is-enabled openvpn
= Output: enabled =
  • [Client Configuration](client-configuration.md) - Client setup
  • [User Management](user-management.md) - Managing users
  • [Certificate Management](certificate-management.md) - Certificate management
Retrieved from "https://wiki.jb-vpn.uk/index.php?title=OpenVPN:Server_Configuration&oldid=210"