Tutorials networking

Configure OpenVPN server with certificate management and client automation

Intermediate 25 min Apr 03, 2026 14 views
Ubuntu 24.04 Ubuntu 22.04 Debian 12 AlmaLinux 9 Rocky Linux 9 Fedora 41

Set up a production-grade OpenVPN server with Easy-RSA certificate authority, automated client configuration generation, and certificate revocation management for secure remote access.

Prerequisites

  • Root or sudo access
  • Server with public IP address
  • Open port 1194/UDP

What this solves

OpenVPN provides secure remote access to your private network, but manual certificate management becomes unwieldy as you scale. This tutorial sets up an OpenVPN server with automated certificate generation, client configuration bundling, and proper certificate revocation handling for production environments.

Step-by-step installation

Update system packages

Start by updating your package manager to ensure you get the latest versions of OpenVPN and dependencies.

sudo apt update && sudo apt upgrade -y
sudo dnf update -y

Install OpenVPN and Easy-RSA

Install OpenVPN server and Easy-RSA for certificate management. Easy-RSA provides scripts for building a certificate authority and managing certificates.

sudo apt install -y openvpn easy-rsa iptables-persistent
sudo dnf install -y openvpn easy-rsa iptables-services
sudo systemctl enable iptables

Set up Easy-RSA certificate authority

Create a dedicated directory for the certificate authority and initialize it with Easy-RSA templates.

sudo mkdir -p /etc/openvpn/easy-rsa
sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa
sudo ./easyrsa init-pki

Configure Easy-RSA variables

Create the vars file to define certificate defaults and organizational information for your CA.

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "CA"
set_var EASYRSA_REQ_CITY       "San Francisco"
set_var EASYRSA_REQ_ORG        "Example Corp"
set_var EASYRSA_REQ_EMAIL      "admin@example.com"
set_var EASYRSA_REQ_OU         "IT Department"
set_var EASYRSA_KEY_SIZE       2048
set_var EASYRSA_ALGO           rsa
set_var EASYRSA_CA_EXPIRE      3650
set_var EASYRSA_CERT_EXPIRE    365

Build the certificate authority

Generate the root CA certificate that will sign all server and client certificates. Use a strong passphrase to protect the CA private key.

cd /etc/openvpn/easy-rsa
sudo ./easyrsa build-ca nopass

Generate server certificate and key

Create the server certificate and private key. The server certificate identifies your OpenVPN server to clients.

sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server

Generate Diffie-Hellman parameters

Generate DH parameters for perfect forward secrecy. This process may take several minutes depending on your server's CPU.

sudo ./easyrsa gen-dh

Generate TLS authentication key

Create an additional shared secret key to protect against DoS attacks and unauthorized connections.

sudo openvpn --genkey secret /etc/openvpn/easy-rsa/pki/ta.key

Copy certificates to OpenVPN directory

Move the generated certificates and keys to the OpenVPN configuration directory with proper permissions.

sudo cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
sudo cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
sudo cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/server/
sudo cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/dh2048.pem
sudo cp /etc/openvpn/easy-rsa/pki/ta.key /etc/openvpn/server/

Configure OpenVPN server

Create the main OpenVPN server configuration with secure defaults, routing, and certificate paths.

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-GCM
auth SHA256
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
crl-verify /etc/openvpn/server/crl.pem

Create log directory

Create the logging directory and set proper permissions for the OpenVPN service.

sudo mkdir -p /var/log/openvpn
sudo chown nobody:nogroup /var/log/openvpn

Generate initial certificate revocation list

Create an empty CRL file that OpenVPN will use to check for revoked certificates.

cd /etc/openvpn/easy-rsa
sudo ./easyrsa gen-crl
sudo cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/server/
sudo chmod 644 /etc/openvpn/server/crl.pem

Enable IP forwarding

Configure the kernel to forward packets between the VPN network and your local network.

echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Configure firewall and NAT

Set up iptables rules to allow VPN traffic and enable NAT for internet access. Replace eth0 with your actual network interface.

sudo iptables -A INPUT -i tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables-save | sudo tee /etc/iptables/rules.v4
Important: Replace eth0 with your server's actual network interface name. Use ip route | grep default to find it.

Create client certificate generation script

Create an automated script to generate client certificates and configuration files.

#!/bin/bash

if [ -z "$1" ]; then
    echo "Usage: $0 "
    exit 1
fi

CLIENT_NAME="$1"
EASY_RSA_DIR="/etc/openvpn/easy-rsa"
CLIENT_DIR="/etc/openvpn/clients"
SERVER_IP=$(curl -s ifconfig.me)


Create client directory

mkdir -p "$CLIENT_DIR"


Generate client certificate

cd "$EASY_RSA_DIR"
./easyrsa gen-req "$CLIENT_NAME" nopass
./easyrsa sign-req client "$CLIENT_NAME"


Create client configuration

cat > "$CLIENT_DIR/$CLIENT_NAME.ovpn" <
$(cat $EASY_RSA_DIR/pki/ca.crt)



$(cat $EASY_RSA_DIR/pki/issued/$CLIENT_NAME.crt)



$(cat $EASY_RSA_DIR/pki/private/$CLIENT_NAME.key)



$(cat $EASY_RSA_DIR/pki/ta.key)

EOF

echo "Client configuration created: $CLIENT_DIR/$CLIENT_NAME.ovpn"
echo "Download this file to your client device."
EOF

Create certificate revocation script

Create a script to revoke client certificates and update the certificate revocation list.

#!/bin/bash

if [ -z "$1" ]; then
    echo "Usage: $0 "
    exit 1
fi

CLIENT_NAME="$1"
EASY_RSA_DIR="/etc/openvpn/easy-rsa"


Revoke the certificate

cd "$EASY_RSA_DIR"
./easyrsa revoke "$CLIENT_NAME"


Generate new CRL

./easyrsa gen-crl


Copy updated CRL to OpenVPN directory

cp "$EASY_RSA_DIR/pki/crl.pem" /etc/openvpn/server/
chmod 644 /etc/openvpn/server/crl.pem


Restart OpenVPN to reload CRL

systemctl restart openvpn-server@server

echo "Certificate for $CLIENT_NAME has been revoked and CRL updated."
echo "Client will be disconnected within 10 minutes."

Make scripts executable

Set proper permissions on the client management scripts.

sudo chmod +x /usr/local/bin/openvpn-client-gen
sudo chmod +x /usr/local/bin/openvpn-client-revoke

Start and enable OpenVPN service

Enable the OpenVPN service to start automatically on boot and start it now.

sudo systemctl enable --now openvpn-server@server
sudo systemctl status openvpn-server@server

Generate your first client certificate

Create a test client

Generate your first client certificate and configuration file using the automation script.

sudo /usr/local/bin/openvpn-client-gen client1

Download client configuration

The client configuration file contains all necessary certificates and keys embedded inline.

sudo ls -la /etc/openvpn/clients/
sudo cat /etc/openvpn/clients/client1.ovpn

Certificate management operations

List all certificates

View all issued certificates and their expiration dates.

cd /etc/openvpn/easy-rsa
sudo ./easyrsa show-cert client1

Revoke a client certificate

Use the revocation script to immediately disable a client's access.

sudo /usr/local/bin/openvpn-client-revoke client1

Renew server certificate

Renew the server certificate before it expires. Clients don't need updates when only the server certificate is renewed.

cd /etc/openvpn/easy-rsa
sudo ./easyrsa renew server nopass
sudo cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
sudo systemctl restart openvpn-server@server

Monitoring and maintenance

Monitor active connections

Check which clients are currently connected to your VPN server.

sudo cat /var/log/openvpn/openvpn-status.log
sudo journalctl -u openvpn-server@server -f

Set up automatic CRL updates

Create a cron job to periodically refresh the certificate revocation list.

echo '0 2   * cd /etc/openvpn/easy-rsa && ./easyrsa gen-crl && cp pki/crl.pem /etc/openvpn/server/ && systemctl reload openvpn-server@server' | sudo crontab -

Verify your setup

sudo systemctl status openvpn-server@server
sudo ss -tuln | grep 1194
sudo iptables -L -n | grep 1194
sudo cat /var/log/openvpn/openvpn.log | tail -20
Note: The server should show as active, port 1194 should be listening, and the log should show successful initialization without errors.

Performance optimization

For high-traffic VPN servers, consider implementing network stack optimizations. Our guide on Linux network performance tuning covers advanced kernel parameters that can improve VPN throughput.

You can also integrate OpenVPN with monitoring solutions covered in our Prometheus and Grafana monitoring tutorial to track connection metrics and performance.

Common issues

SymptomCauseFix
Service fails to startCertificate path errorsCheck file paths in server.conf match actual certificate locations
Clients can't connectFirewall blocking port 1194Verify iptables rules and cloud security groups allow UDP 1194
No internet access through VPNIP forwarding disabledCheck sysctl net.ipv4.ip_forward returns 1
Certificate errors on clientClock skew or expired certSync server time with NTP, check cert expiry with easyrsa show-cert
DNS resolution failsDNS push options incorrectVerify DNS servers in push directives are reachable
Permission denied on CRLWrong file permissionsUse chmod 644 /etc/openvpn/server/crl.pem
Never use chmod 777. It gives every user on the system full access to your files. Certificate files should be 644 for public certs and 600 for private keys.

Next steps

Automated install script

Run this to automate the entire setup

#openvpn #vpn-server #certificate-management #easy-rsa #client-automation

Related tutorials

networking Beginner

Configure network interface monitoring with ICMP ping and connectivity testing

Set up automated network connectivity monitoring using ICMP ping tests with email alerts for interface failures. Create comprehensive network health checks and reporting for production systems.

45 min 6 distros 5 views
networking Beginner

Set up network interface monitoring with SNMP and basic traffic analysis

Learn how to install and configure SNMP daemon for network interface monitoring, implement basic traffic analysis with automated alerting, and create monitoring scripts with cron jobs for continuous network performance tracking.

25 min 6 distros 18 views
networking Beginner

Configure network interface aliases and secondary IP addresses on Linux

Learn how to configure multiple IP addresses on a single network interface using systemd-networkd and NetworkManager. Set up persistent network aliases for hosting multiple services, load balancing, and network segmentation.

20 min 6 distros 3 views

Need help?

Don't want to manage this yourself?

We handle infrastructure for businesses that depend on uptime. From initial setup to ongoing operations.

Talk to an engineer