How to Set Up OpenVPN Server and Client on Linux: Step‑by‑Step Guide
This tutorial explains how to install, configure, and run OpenVPN on Linux, covering VPN concepts, types, OpenVPN features, server‑side certificate creation, key generation, configuration files, and client setup, with step‑by‑step commands and troubleshooting tips for secure remote access.
VPN stands for Virtual Private Network. It enables a computer to send and receive data securely between private networks over a public network (Internet). This is useful for users who need to connect to an internal corporate network from outside, or for linking multiple branch offices.
When a company purchases dedicated lines to form a WAN, the cost is high. VPN fills this gap by providing point‑to‑point virtual connections over the public network, easily scaling to users in different locations.
VPN Types
Remote Access
Site‑to‑Site
Remote Access connects individual computers to a network via VPN, while Site‑to‑Site links two networks together.
What is OpenVPN
OpenVPN is an open‑source VPN daemon by James Yonan. It supports SSL/TLS security, Ethernet bridging, TCP/UDP tunneling through proxies or NAT, dynamic IP and DHCP, scalability for thousands of users, and portability across major operating systems.
This tutorial explains the process of setting up and configuring an OpenVPN server and client for remote access.
1. Configure OpenVPN – Server
1. Install OpenVPN
Install the openvpn package on both server and client machines.
<code>$ sudo apt-get install openvpn    # Debian/Ubuntu</code>
<code>$ sudo yum install openvpn        # RHEL/CentOS</code>
2. Create directory and set environment variables
Create a directory named easy-rsa under /etc/openvpn and copy the easy‑rsa contents into it. Change ownership to the current user so that files can be created.
<code>$ sudo mkdir /etc/openvpn/easy-rsa
$ sudo cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
$ sudo chown -R $USER /etc/openvpn/easy-rsa/</code>
Edit /etc/openvpn/easy-rsa/vars to match your environment.
<code>export KEY_COUNTRY="IN"
export KEY_PROVINCE="TN"
export KEY_CITY="CHN"
export KEY_ORG="tgs"
export KEY_EMAIL="[email protected]"</code>
3. Create CA – Certificate Authority (Root Certificate)
Build a public key infrastructure so the server and clients can authenticate each other.
<code>$ cd /etc/openvpn/easy-rsa
$ source vars
$ ./clean-all
$ ln -s openssl-1.0.0.cnf openssl.cnf
$ ./build-ca
# Follow the prompts to enter country, province, city, organization, etc.
# The generated files ca.key and ca.crt are placed in /etc/openvpn/easy-rsa/keys/.
# Keep the ca.key file secret.</code>
4. Create server certificate
Generate a certificate and key for the OpenVPN server.
<code>$ ./build-key-server vpnserver
# Sign the certificate when prompted.</code>
Note: vpnserver is the server’s hostname.
5. Create client certificates
Each client needs its own certificate for authentication.
<code>$ ./build-key vpnclient1
# Sign the certificate when prompted.</code>
vpnclient1 is the client’s hostname.
6. Create Diffie‑Hellman parameters
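<code>$ ./build-dh</code>
After completing all steps, the /etc/openvpn/easy-rsa/keys directory contains the necessary keys and certificates. The Diffie-Hellman file is named after the KEY_SIZE value in vars, so the dh1024.pem used in the following steps corresponds to 1024-bit parameters; that size is weak by current standards, and setting KEY_SIZE to 2048 in vars before building the CA produces dh2048.pem instead.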
7. Copy certificates to appropriate locations
<code>$ cd /etc/openvpn/easy-rsa/keys
$ sudo cp ca.crt vpnserver.crt vpnserver.key dh1024.pem /etc/openvpn/
$ scp ca.crt vpnclient1.key vpnclient1.crt root@vpnclient1:/etc/openvpn</code>
When copying key files, use a secure transfer method such as scp.
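A check worth running after the copy step, as an added example that is not part of the original tutorial: it flags private keys that group or other users can access, and a CA private key sitting in a runtime directory. The function name `audit_keys`, the temporary directory and its empty files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory holding OpenVPN key material, such as
# /etc/openvpn on a client after the copy step. Names here are constructed.

# Print one finding per line; return 1 if anything was found.
audit_keys() {  # usage: audit_keys DIR
    rc=0
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ld "$f" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "group/other access: $f"; rc=1; }
    done
    # The CA private key signs new certificates; a host that only runs the
    # VPN needs ca.crt, not ca.key (assumption: DIR is such a runtime dir).
    [ ! -e "$1/ca.key" ] || { echo "CA private key present: $1/ca.key"; rc=1; }
    return $rc
}

# Constructed stand-in for a client's /etc/openvpn with two problems.
key_demo=$(mktemp -d)
touch "$key_demo/ca.crt" "$key_demo/vpnclient1.crt" \
      "$key_demo/vpnclient1.key" "$key_demo/ca.key"
chmod 644 "$key_demo/vpnclient1.key"
chmod 600 "$key_demo/ca.key"
audit_keys "$key_demo" || echo "restrict key files to mode 600 and keep ca.key off this host"
```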
8. Configure the server
OpenVPN provides a default server.conf. Modify it as needed.
<code>$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
$ sudo gzip -d /etc/openvpn/server.conf.gz
# Edit /etc/openvpn/server.conf to include:
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh dh1024.pem</code>
Start the OpenVPN server:
<code>$ sudo /etc/init.d/openvpn start
$ ifconfig tun0</code>
By default, OpenVPN logs errors to the syslog file.
2. Configure OpenVPN – Client
9. Set up client configuration file
Copy the example client.conf to /etc/openvpn and edit it.
<code>$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
# Edit /etc/openvpn/client.conf:
client
remote vpnserver 1194
ca ca.crt
cert vpnclient1.crt
key vpnclient1.key</code>
Start OpenVPN on the client:
<code>$ sudo /etc/init.d/openvpn start
$ ifconfig tun0</code>
10. Test the VPN setup
Ping the VPN server from the client to verify connectivity.
<code>$ ping 10.8.0.1</code>
If the ping succeeds, the configuration is correct.
Key points to remember:
Ensure the client and server use the same protocol and port.
Client and server must share parameters such as key size and compression.
If issues arise, increase log verbosity in the configuration and check the syslog for troubleshooting.
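The first two key points can be checked mechanically. This added example (not part of the original tutorial) compares a server and a client configuration; the function names, the choice of compared directives and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare settings that must agree between an OpenVPN
# server.conf and client.conf. Function names and sample files are constructed.

# Print a directive's value with comments stripped; FIELD 0 means whole line.
directive() {  # usage: directive FILE NAME FIELD DEFAULT
    v=$(awk -v name="$2" -v field="$3" '
        { sub(/[#;].*/, "") }
        $1 == name { $1 = $1; print (field > 0 ? $field : $0); exit }' "$1")
    echo "${v:-$4}"
}

# Print one line per mismatch; return 1 if any were found.
check_pair() {  # usage: check_pair SERVER_CONF CLIENT_CONF
    rc=0
    s=$(directive "$1" port 2 1194); c=$(directive "$2" remote 3 1194)
    [ "$s" = "$c" ] || { echo "port: server=$s client=$c"; rc=1; }
    s=$(directive "$1" proto 2 udp); c=$(directive "$2" proto 2 udp)
    [ "$s" = "$c" ] || { echo "proto: server=$s client=$c"; rc=1; }
    # Compared as whole lines; this selection of directives is an assumption.
    for d in dev cipher keysize comp-lzo; do
        s=$(directive "$1" "$d" 0 unset); c=$(directive "$2" "$d" 0 unset)
        [ "$s" = "$c" ] || { echo "$d: server=[$s] client=[$c]"; rc=1; }
    done
    return $rc
}

# Constructed sample pair: the client was switched to TCP and lost comp-lzo.
demo_dir=$(mktemp -d)
cat > "$demo_dir/server.conf" <<'EOF'
port 1194
proto udp      # UDP server
dev tun
ca ca.crt
comp-lzo
EOF
cat > "$demo_dir/client.conf" <<'EOF'
client
;proto udp
proto tcp
dev tun
remote vpnserver 1194
;comp-lzo
EOF
check_pair "$demo_dir/server.conf" "$demo_dir/client.conf" ||
    echo "client.conf does not match server.conf"
```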
Raymond Ops