Quick start guide

This guide will walk you through setting up a basic OpenVPN server and client connection using SSL/TLS authentication. You’ll have a working VPN in minutes.
This guide assumes you have already installed OpenVPN on both the server and client machines.

Overview

We’ll set up a routed VPN (TUN mode) with the following configuration:
  • Protocol: UDP on port 1194
  • Network: 10.8.0.0/24 subnet
  • Security: SSL/TLS with certificates
  • Topology: Subnet (recommended)

Setup process

1. Set up the Certificate Authority

First, we need to create certificates for authentication. Install and initialize Easy-RSA:
# Clone Easy-RSA
git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3

# Initialize PKI
./easyrsa init-pki
Create the Certificate Authority:
./easyrsa build-ca
You’ll be prompted for a CA password and Common Name. For testing, you can use simple values.
Keep the CA key (pki/private/ca.key) secure and never share it: it is the root of your PKI. Only ca.crt is ever copied to the server and clients (see step 4), so ca.key can stay on the machine where you run Easy-RSA.

2. Generate server certificate and key

Create the server certificate:
./easyrsa build-server-full server nopass
Generate Diffie-Hellman parameters (this may take several minutes):
./easyrsa gen-dh
Optionally, generate an HMAC signature for additional security:
openvpn --genkey secret pki/ta.key
The nopass option creates a key without a password. For production, consider using a password and systemd to manage it securely.

3. Generate client certificate and key

Create a certificate for your first client:
./easyrsa build-client-full client1 nopass
Repeat this step for each client that needs access, using unique names (client2, client3, etc.).
Each client should have its own unique certificate for better security and revocation management.

4. Create server configuration

Copy the certificates to your OpenVPN directory:
sudo mkdir -p /etc/openvpn/server
sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/issued/server.crt /etc/openvpn/server/
sudo cp pki/private/server.key /etc/openvpn/server/
sudo cp pki/dh.pem /etc/openvpn/server/
sudo cp pki/ta.key /etc/openvpn/server/  # if you created it
Create the server configuration file /etc/openvpn/server/server.conf:
# Listen on UDP port 1194
port 1194
proto udp

# Create a routed IP tunnel
dev tun

# SSL/TLS certificates and keys
ca ca.crt
cert server.crt
key server.key
dh dh.pem

# Network topology
topology subnet

# VPN subnet - server will use 10.8.0.1
server 10.8.0.0 255.255.255.0

# Maintain client IP associations
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Keepalive ping
keepalive 10 120

# Persist across restarts
persist-tun

# Status log
status /var/log/openvpn/openvpn-status.log

# Verbosity level
verb 3

# Notify clients when restarting
explicit-exit-notify 1
This is a minimal production-ready configuration based on the official sample configuration.

5. Configure the server system

Enable IP forwarding:
# Temporary (until reboot)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

# Permanent
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Create the log directory:
sudo mkdir -p /var/log/openvpn
Configure the firewall to allow OpenVPN traffic:
# UFW (Ubuntu/Debian)
sudo ufw allow 1194/udp

# firewalld (RHEL/CentOS/Fedora)
sudo firewall-cmd --add-service=openvpn --permanent
sudo firewall-cmd --reload
Make sure your cloud provider’s security group or firewall also allows UDP port 1194.

6. Start the OpenVPN server

Start and enable the service. The openvpn-server@server unit (the same one the restart and status commands later in this guide use) reads /etc/openvpn/server/server.conf, which is why the certificate paths in that file are relative:
sudo systemctl enable --now openvpn-server@server
Verify the TUN interface was created:
ip addr show tun0
You should see an interface with IP 10.8.0.1.

7. Create client configuration

On the client machine, create a directory for OpenVPN:
mkdir -p ~/openvpn-client
cd ~/openvpn-client
Copy the following files from the server over a secure channel such as scp; client1.key is this client's private key and must not be shared with other clients:
  • pki/ca.crt
  • pki/issued/client1.crt
  • pki/private/client1.key
  • pki/ta.key (if you created it)
Create the client configuration file client.conf:
# Specify that we are a client
client

# Use the same settings as the server
dev tun
proto udp

# Server hostname/IP and port
remote your-server-ip-or-hostname 1194

# Keep trying to resolve the server
resolv-retry infinite

# Don't bind to a specific local port
nobind

# Persist across restarts
persist-tun

# SSL/TLS certificates and keys
ca ca.crt
cert client1.crt
key client1.key

# Verify server certificate
remote-cert-tls server

# Verbosity level
verb 3
Replace your-server-ip-or-hostname with your actual server’s IP address or domain name.

8. Connect the client

Connect to the VPN:
sudo openvpn --config client.conf
A successful connection ends with the log line:
Initialization Sequence Completed
Verify the connection:
# Check the TUN interface
ip addr show tun0

# Test connectivity to the server
ping 10.8.0.1
On macOS and Windows, you may see different interface names (e.g., utun0 on macOS).

9. Verify the VPN is working

Check connected clients on the server:
sudo cat /var/log/openvpn/openvpn-status.log
Output shows connected clients:
CLIENT_LIST,client1,10.8.0.2,192.168.1.100:54321,2024-03-03 10:30:00
ROUTING_TABLE,10.8.0.2,client1,192.168.1.100:54321,2024-03-03 10:30:00
From the client, test internet connectivity through the VPN. This check applies once the server pushes redirect-gateway (described under Advanced configuration options); without it only traffic to 10.8.0.0/24 goes through the tunnel:
traceroute 8.8.8.8
The first hop should be 10.8.0.1 (the VPN server).
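A defender reads the status log for more than a head count. The following added example (not part of this guide and not OpenVPN project code) parses CLIENT_LIST and ROUTING_TABLE lines in the column layout shown above and flags sessions worth a look: a common name that is not among the certificates you issued, a virtual address outside the VPN subnet, a session with no matching routing entry, and one certificate connected from two real addresses at once, which usually means a client key has been copied. The sample log, the ISSUED_CLIENTS set and the subnet are constructed to match this guide.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout this guide shows
# (record type, common name, virtual address, real address, connected since).
# Not captured from a real server.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,2024-03-03 10:31:00
CLIENT_LIST,client1,10.8.0.2,192.168.1.100:54321,2024-03-03 10:30:00
CLIENT_LIST,client2,10.8.0.3,203.0.113.7:41022,2024-03-03 10:30:30
CLIENT_LIST,client2,10.8.0.4,198.51.100.9:50011,2024-03-03 10:30:45
ROUTING_TABLE,10.8.0.2,client1,192.168.1.100:54321,2024-03-03 10:30:00
ROUTING_TABLE,10.8.0.3,client2,203.0.113.7:41022,2024-03-03 10:30:30
ROUTING_TABLE,10.8.0.4,client2,198.51.100.9:50011,2024-03-03 10:30:45
END
"""

VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")   # the guide's 'server' line
ISSUED_CLIENTS = {"client1", "client2"}             # names given to build-client-full


def parse_status(text):
    """Split the status file into session records and the virtual->CN route map."""
    clients, routes = [], {}
    for line in text.splitlines():
        fields = line.strip().split(",")
        if fields[0] == "CLIENT_LIST" and len(fields) >= 5:
            clients.append({"cn": fields[1], "vaddr": fields[2],
                            "raddr": fields[3], "since": fields[4]})
        elif fields[0] == "ROUTING_TABLE" and len(fields) >= 3:
            routes[fields[1]] = fields[2]
    return clients, routes


def audit(text, issued=ISSUED_CLIENTS, subnet=VPN_SUBNET):
    """Return findings about the sessions in a status file ([] means nothing odd)."""
    clients, routes = parse_status(text)
    findings = []
    real_addrs = defaultdict(set)   # common name -> set of source IPs seen
    for c in clients:
        # strip the source port; IPv6 real addresses are bracketed, so rsplit is safe
        real_addrs[c["cn"]].add(c["raddr"].rsplit(":", 1)[0])
        if c["cn"] not in issued:
            findings.append(f"{c['cn']}: not in the issued client list")
        if ipaddress.ip_address(c["vaddr"]) not in subnet:
            findings.append(f"{c['cn']}: virtual address {c['vaddr']} outside {subnet}")
        if routes.get(c["vaddr"]) != c["cn"]:
            findings.append(f"{c['cn']}: no routing entry for {c['vaddr']}")
    for cn, addrs in real_addrs.items():
        if len(addrs) > 1:
            findings.append(f"{cn}: {len(addrs)} concurrent sessions from different "
                            "addresses (copied client key?)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_STATUS) or ["no findings"]:
        print(finding)
```

On a real server, build ISSUED_CLIENTS from the file names under pki/issued/ and run audit() over /var/log/openvpn/openvpn-status.log from cron or a monitoring agent; a non-empty result is a reason to check the client and, if a key was copied, revoke that certificate and issue a new one.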

Advanced configuration options

Enhance your VPN with these common configuration options.

Redirect all client traffic through the VPN

Add to server configuration:
# Redirect all client traffic through VPN
push "redirect-gateway def1 bypass-dhcp"

# Push DNS servers to clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Configure NAT on the server:
# Replace eth0 with your server's internet interface
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Make sure to save iptables rules to persist across reboots. If UFW is active, forwarded packets are dropped by default; set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw and reload UFW, or clients will have no internet access even with NAT in place.

Allow clients to reach each other

Add to server configuration:
# Allow clients to see each other
client-to-client
Restart the server to apply changes:
sudo systemctl restart openvpn-server@server

TLS authentication (HMAC)

If you generated a ta.key file, add to server configuration:
tls-auth ta.key 0
Add to client configuration:
tls-auth ta.key 1
The server uses key direction 0 and clients use key direction 1. Every control-channel packet then carries an HMAC signature, and packets without a valid signature are dropped before the TLS handshake starts, which blunts DoS and port-scanning attempts against the server. Copy ta.key to each client over a secure channel together with its certificate and key.

Use TCP instead of UDP

Change in both server and client configurations:
proto tcp-server  # on server
proto tcp-client  # on client
Update firewall:
sudo ufw allow 1194/tcp
TCP is more reliable but has higher overhead than UDP. Use it when UDP is blocked or unreliable. Remove explicit-exit-notify from the server configuration when switching to TCP; that option is valid only with UDP and OpenVPN refuses to start otherwise.

Drop privileges

Add to server configuration (Linux only):
user openvpn
group openvpn
Create the user:
sudo useradd -r -s /usr/sbin/nologin openvpn
Dropping privileges limits what the OpenVPN process can do if it is compromised. Add persist-key alongside user and group so the private key is kept in memory across restarts; otherwise the now-unprivileged process cannot re-read a root-owned key file after a SIGUSR1 restart.

Static client IP addresses

Create client config directory:
sudo mkdir -p /etc/openvpn/server/ccd
Add to server configuration:
client-config-dir ccd
Create a file /etc/openvpn/server/ccd/client1:
ifconfig-push 10.8.0.10 255.255.255.0
This assigns 10.8.0.10 to the client whose certificate Common Name is client1.
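The pairing rules in this section are easy to get wrong by hand. The following added example (not OpenVPN code and not from this guide) parses a server.conf and a client.conf with the comment and quoting conventions OpenVPN's sample configs use and checks the rules spelled out above: matching transport, matching port, tls-auth direction 0 on the server and 1 on the client, remote-cert-tls server on the client, no explicit-exit-notify on a TCP server, and persist-key whenever user/group drop privileges. The two sample configs, the vpn.example.invalid hostname and the deliberately broken CLIENT_CONF_BAD are constructed for the example.

```python
import shlex

# Constructed sample configs modelled on this guide's server.conf and client.conf
# with the advanced options applied; the hostname is a placeholder.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
tls-auth ta.key 0
user openvpn
group openvpn
persist-key
explicit-exit-notify 1
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
"""

# Deliberately inconsistent: TCP against a UDP server, wrong port, wrong
# tls-auth direction and no server-certificate check.
CLIENT_CONF_BAD = """\
client
dev tun
proto tcp-client  # on client
remote vpn.example.invalid 443
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 0
"""


def parse_conf(text):
    """Map each directive to the argument lists it appears with.

    '#' and ';' start comments (the sample config uses ';' to disable options);
    a quoted argument such as push "..." stays one argument.
    """
    options = {}
    for line in text.splitlines():
        lexer = shlex.shlex(line, posix=True)
        lexer.whitespace_split = True
        lexer.commenters = "#;"
        tokens = list(lexer)
        if tokens:
            options.setdefault(tokens[0], []).append(tokens[1:])
    return options


def check_pair(server_text, client_text):
    """Return human-readable findings for a server/client pair; [] means consistent."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    findings = []
    sproto = srv.get("proto", [["udp"]])[0][0]
    cproto = cli.get("proto", [["udp"]])[0][0]
    # udp pairs with udp; tcp-server pairs with tcp-client
    if sproto.startswith("tcp") != cproto.startswith("tcp"):
        findings.append(f"proto mismatch: server {sproto}, client {cproto}")
    if sproto.startswith("tcp") and "explicit-exit-notify" in srv:
        findings.append("explicit-exit-notify is UDP-only; remove it for TCP")
    sport = srv.get("port", [["1194"]])[0][0]
    for remote in cli.get("remote", []):
        rport = remote[1] if len(remote) > 1 else "1194"
        if rport != sport:
            findings.append(f"client remote port {rport} != server port {sport}")
    sta = srv.get("tls-auth", [None])[0]
    cta = cli.get("tls-auth", [None])[0]
    if (sta is None) != (cta is None):
        findings.append("tls-auth configured on only one side")
    elif sta is not None and (sta[1:] != ["0"] or cta[1:] != ["1"]):
        findings.append("tls-auth key direction must be 0 on server, 1 on client")
    if "remote-cert-tls" not in cli:
        findings.append("client lacks 'remote-cert-tls server'")
    if ("user" in srv or "group" in srv) and "persist-key" not in srv:
        findings.append("user/group without persist-key: keys unreadable after restart")
    return findings


if __name__ == "__main__":
    print("good:", check_pair(SERVER_CONF, CLIENT_CONF) or "OK")
    print("bad: ", check_pair(SERVER_CONF, CLIENT_CONF_BAD))
```

Run it against real files with check_pair(open("server.conf").read(), open("client.conf").read()). It understands only the directives this guide uses, so an empty result means none of these checks fired, not that the configuration is correct in every other respect.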

Configuration reference

Here’s the complete server configuration from the official sample with all options:
# Multi-client server configuration
port 1194
proto udp
dev tun

# SSL/TLS certificates
ca ca.crt
cert server.crt
key server.key

# Network topology (recommended)
topology subnet

# VPN subnet configuration
server 10.8.0.0 255.255.255.0

# Maintain client IP associations
ifconfig-pool-persist ipp.txt

# Push routes to clients for internal networks
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# Redirect all client traffic through VPN
;push "redirect-gateway def1 bypass-dhcp"

# Push DNS servers to clients
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Allow clients to see each other
;client-to-client

# Keepalive configuration
keepalive 10 120

# HMAC authentication
;tls-auth ta.key 0

# Maximum concurrent clients
;max-clients 100

# Drop privileges (non-Windows)
;user openvpn
;group openvpn

# Persist across restarts
persist-tun

# Status log
status openvpn-status.log

# Verbosity level (0-9)
verb 3

# Notify clients on restart
explicit-exit-notify 1

Platform-specific notes

Windows client setup

  1. Install OpenVPN from openvpn.net/community-downloads/
  2. Place your configuration and certificates in:
    C:\Program Files\OpenVPN\config\
    
  3. Rename your config file to client.ovpn
  4. Right-click the OpenVPN GUI icon and select “Run as administrator”
  5. Right-click the system tray icon and select “Connect”
Windows may show a warning about the TAP adapter. Allow it through Windows Firewall.

Troubleshooting

Server not reachable

Check that the server is running:
sudo systemctl status openvpn-server@server
Verify the firewall allows UDP 1194 and that OpenVPN is listening on it:
sudo ufw status
sudo netstat -uln | grep 1194
Check that the cloud provider's security groups allow inbound UDP 1194.

TLS errors

Connection failures during the TLS handshake usually indicate certificate problems:
# Verify certificate validity
openssl x509 -in ca.crt -text -noout
openssl x509 -in server.crt -text -noout
openssl x509 -in client1.crt -text -noout
Ensure the client cert was signed by the same CA as the server cert: the Issuer of client1.crt and server.crt must match the Subject of ca.crt, and the Not After date of each certificate must not have passed.

No internet access through the VPN

Verify IP forwarding is enabled:
cat /proc/sys/net/ipv4/ip_forward
Should output 1. If not:
sudo sysctl -w net.ipv4.ip_forward=1
Check NAT rules:
sudo iptables -t nat -L POSTROUTING -v

Permission denied

OpenVPN needs root/admin privileges:
# Linux/macOS
sudo openvpn --config client.conf

# Windows
# Run OpenVPN GUI as Administrator

Next steps

Certificate management

Learn to revoke certificates, renew expired certs, and manage your PKI

Advanced configurations

Explore site-to-site VPNs, bridged mode, and load balancing

Security hardening

Implement TLS-crypt, stronger ciphers, and security best practices

Monitoring

Set up logging, monitoring, and alerting for your VPN infrastructure
For production deployments, consider using configuration management tools like Ansible or Terraform to automate OpenVPN deployment and certificate management.