Jump to content

OpenVPN:Server Configuration

From jb-vpn.uk Wiki
Revision as of 13:16, 1 January 2026 by Josh (talk | contribs) (Added troubleshooting guide: OpenVPN Server Configuration (configuration))
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

OpenVPN Server Configuration

This document describes the OpenVPN server configuration and setup.

Network Details

Server IP: 10.8.0.1 (on tun0 interface) VPN Network: 10.8.0.0/24 Public IP: 87.106.61.62 Port: 1194 (UDP) Protocol: UDP

Server Files Location

All OpenVPN server files are located in /etc/openvpn/server/:

server.conf - Main server configuration ca.crt - Certificate Authority certificate ca.key - Certificate Authority private key server.crt - Server certificate server.key - Server private key dh.pem - Diffie-Hellman parameters tc.key - TLS-Crypt key (for additional security) crl.pem - Certificate Revocation List ipp.txt - IP address persistence file easy-rsa/ - Easy-RSA directory for certificate management

Server Configuration File

The main configuration is in /etc/openvpn/server/server.conf: 

local 87.106.61.62
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 212.227.123.16"
push "dhcp-option DNS 212.227.123.17"
push "block-outside-dns"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir /etc/openvpn/ccd
script-security 2
up /etc/openvpn/iptables-restore.sh

Key Configuration Options

local 87.106.61.62: Binds to the VPS public IP address port 1194: Standard OpenVPN port (UDP) server 10.8.0.0 255.255.255.0: Defines the VPN subnet push "redirect-gateway def1 bypass-dhcp": Routes all client traffic through VPN client-config-dir /etc/openvpn/ccd: Directory for per-client configurations crl-verify crl.pem: Certificate revocation list for security tls-crypt tc.key: Additional encryption layer

Network Configuration

VPN Interface

The VPN creates a TUN interface (tun0): 

ip addr show tun0

Output: 

3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500
    inet 10.8.0.1/24 scope global tun0

IP Address Assignment

Server: 10.8.0.1 Clients: 10.8.0.2 - 10.8.0.254 (dynamically assigned) Synology NAS: Typically 10.8.0.2 (may be static via CCD)

Routing

The server uses iptables for NAT and routing:

NAT Rules: 

iptables -t nat -L -n -v

Key Rules: SNAT: Masquerades VPN client traffic (10.8.0.0/24) to VPS public IP MASQUERADE: Allows VPN clients to access internet through VPS

Firewall Configuration

Required Ports

Ensure UDP port 1194 is open: 

= Check if port is listening =
ss -ulnp | grep 1194

= Check firewall rules =
iptables -L INPUT -n -v | grep 1194
ufw status | grep 1194  # if using ufw

iptables Rules

The OpenVPN server uses an iptables restore script (/etc/openvpn/iptables-restore.sh) that runs when the VPN starts.

Service Management

Service Status

Check OpenVPN service status: 

systemctl status openvpn

Start/Stop/Restart

= Start OpenVPN =
systemctl start openvpn

= Stop OpenVPN =
systemctl stop openvpn

= Restart OpenVPN =
systemctl restart openvpn

= Reload configuration (graceful) =
systemctl reload openvpn

The OpenVPN service is enabled to start on boot: 

systemctl is-enabled openvpn
= Output: enabled =

[Client Configuration](client-configuration.md) - Client setup [User Management](user-management.md) - Managing users [Certificate Management](certificate-management.md) - Certificate management

Retrieved from "https://wiki.jb-vpn.uk/index.php?title=OpenVPN:Server_Configuration&oldid=176"