Configure your OpenVPN server on Linux

After you install OpenVPN, it's time to configure it.
25 readers like this.

JanBaby, via Pixabay CC0.

OpenVPN creates an encrypted tunnel between two points, preventing a third party from accessing your network traffic. By setting up your virtual private network (VPN) server, you become your own VPN provider. Many popular VPN services already use OpenVPN, so why tie your connection to a specific provider when you can have complete control?

The first article in this series set up a server for your VPN, and the second article demonstrated how to install and configure the OpenVPN server software. This third article shows how to start OpenVPN with authentication in place.

To set up an OpenVPN server, you must:

  • Create a configuration file.
  • Set the sysctl value net.ipv4.ip_forward = 1 to enable routing.
  • Set up appropriate ownership for all configuration and authentication files to run the OpenVPN server daemon under a non-root account.
  • Set OpenVPN to start with the appropriate configuration file.
  • Configure your firewall.

Configuration file

You must create a server config file in /etc/openvpn/server/. You can start from scratch if you want, and OpenVPN includes several sample configuration files to use as a starting point. Have a look in /usr/share/doc/openvpn/sample/sample-config-files/ to see them all.

If you want to build a config file by hand, start with either server.conf or roadwarrior-server.conf (as appropriate), and place your config file in /etc/openvpn/server. Both files are extensively commented, so read the comments and decide which makes the most sense for your situation.

You can save time and aggravation by using my prebuilt server and client configuration file templates and sysctl file to turn on network routing. This configuration also includes customization to log connects and disconnects. It keeps logs on the OpenVPN server in /etc/openvpn/server/logs.

If you use my templates, you'll need to edit them to use your IP addresses and hostnames.

To use my prebuilt config templates, scripts, and sysctl to turn on IP forwarding, download my script:

$ curl \ > \

Read the script to get an idea of what it does. Here's a quick overview of its actions:

  • Creates the appropriate directories on your OpenVPN server
  • Downloads server and client config file templates from my website
  • Downloads my custom scripts and places them into the correct directory with correct permissions
  • Downloads 99-ipforward.conf and places it into /etc/sysctl.d to turn on IP forwarding at the next boot
  • Sets up ownership for everything in /etc/openvpn

Once you're satisfied that you understand what the script does, make it executable and run it:

$ chmod +x
$ sudo ./

Here are the files it copies (notice the file ownership):

$ ls -al -R /etc/openvpn
total 12
drwxr-xr-x.   4 openvpn openvpn   34 Apr  6 20:35 .
drwxr-xr-x. 139 root    root    8192 Apr  6 20:35 ..
drwxr-xr-x.   2 openvpn openvpn   33 Apr  6 20:35 client
drwxr-xr-x.   4 openvpn openvpn   56 Apr  6 20:35 server

total 4
drwxr-xr-x. 2 openvpn openvpn   33 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn   34 Apr  6 20:35 ..
-rw-r--r--. 1 openvpn openvpn 1764 Apr  6 20:35 OVPNclient2020.ovpn

total 4
drwxr-xr-x. 4 openvpn openvpn   56 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn   34 Apr  6 20:35 ..
drwxr-xr-x. 2 openvpn openvpn   59 Apr  6 20:35 ccd
drwxr-xr-x. 2 openvpn openvpn    6 Apr  6 20:35 logs
-rw-r--r--. 1 openvpn openvpn 2588 Apr  6 20:35 OVPNserver2020.conf

total 8
drwxr-xr-x. 2 openvpn openvpn  59 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn  56 Apr  6 20:35 ..
-rwxr-xr-x. 1 openvpn openvpn 917 Apr  6 20:35
-rwxr-xr-x. 1 openvpn openvpn 990 Apr  6 20:35

total 0
drwxr-xr-x. 2 openvpn openvpn  6 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn 56 Apr  6 20:35 ..

Here's the 99-ipforward.conf file:

# Turn on IP forwarding. OpenVPN servers need to do routing
net.ipv4.ip_forward = 1

Edit OVPNserver2020.conf and OVPNclient2020.ovpn to include your IP addresses. Also, edit OVPNserver2020.conf to include your server certificate names from earlier. Later, you will rename and edit a copy of OVPNclient2020.ovpn for use with your client computers. The blocks that start with ***? show you where to edit.

File ownership

If you used the automated script from my website, file ownership is already in place. If not, you must ensure that your system has a user called openvpn that is a member of a group named openvpn. You must set the ownership of everything in /etc/openvpn to that user and group. It's safe to do this if you're unsure whether the user and group already exist because useradd will refuse to create a user with the same name as one that already exists:

$ sudo useradd openvpn
$ sudo chown -R openvpn.openvpn /etc/openvpn


If you decided not to disable the firewalld service in step 1, then your server's firewall service might not allow VPN traffic by default. Using the firewall-cmd command, you can enable the OpenVPN service, which opens the necessary ports and routes traffic as necessary:

$ sudo firewall-cmd --add-service openvpn --permanent
$ sudo firewall-cmd --reload

No need to get lost in a maze of iptables!

Start your server

You can now start your OpenVPN server. So that it starts automatically after a reboot, use the enable subcommand of systemctl:

systemctl enable --now openvpn-server@OVPNserver2020.service

Final steps

The fourth and final article in this article will demonstrate how to set up clients to connect to your OpenVPN from afar.

This article is based on D. Greg Scott's blog and is reused with permission.

What to read next
Greg Scott head shot
After surviving multiple layoff rounds at Digital Equipment Corporation, a large computer company in its day, I started Scott Consulting in 1994. A larger firm bought Scott Consulting in 1999, just as the dot com bust devastated the IT Service industry.

1 Comment

Didn't thought micro services could pose as a security threat. Thanks for awaring it to us. Very informative article thank you so much for posting it.


Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.