
How to Configure a VPN Gateway with OpenVPN

By Admin · Feb 25, 2026 · Updated Apr 23, 2026

Install OpenVPN

sudo apt update && sudo apt install -y openvpn easy-rsa

Set Up Certificate Authority

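# Run the easyrsa steps in this guide as root (for example from `sudo -i`);
# the PKI is created under /etc/openvpn.
make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
# "nopass" leaves the private key unencrypted on disk
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
# Shared key referenced by tls-auth in the server and client configs
openvpn --genkey secret /etc/openvpn/ta.key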

Server Configuration

Create /etc/openvpn/server.conf:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
verb 3

Enable IP Forwarding

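# Run as root (the >> redirect needs write access to /etc/sysctl.conf)
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
# Replace eth0 with the server's outbound interface if it is named differently.
# A rule added with -A is not saved across reboots.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE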

Generate Client Certificates

cd /etc/openvpn/easy-rsa
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

Start Server

sudo systemctl enable --now openvpn@server

Client Configuration

client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
key-direction 1
verb 3
# Embed ca.crt, client1.crt, client1.key and ta.key inline in <ca>, <cert>, <key> and <tls-auth> blocks
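
The client configuration above ends by saying the CA certificate, client certificate, client key and ta.key must be included. One way to assemble them into a single .ovpn file, as an added example that is not part of the original guide: the function and variable names are this example's own, and it assumes the PKI paths used earlier on this page and a base file holding the client directives listed above (including key-direction 1, which the inline tls-auth block relies on).

```shell
#!/bin/sh
# Added example (not from the original guide): bundle one client profile.
# PKI_DIR and TA_KEY default to the paths used in this guide; the variable
# and function names are this example's own.
PKI_DIR="${PKI_DIR:-/etc/openvpn/easy-rsa/pki}"
TA_KEY="${TA_KEY:-/etc/openvpn/ta.key}"

# Print only the BEGIN/END-delimited block of a file. Certificates issued by
# easy-rsa carry a human-readable dump before the PEM data, and ta.key has a
# comment header; neither belongs in the client profile.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# inline_block TAG FILE: emit <TAG> ... </TAG> around the file's PEM block.
inline_block() {
    printf '<%s>\n' "$1"
    pem_only "$2"
    printf '</%s>\n' "$1"
}

# make_ovpn NAME BASE_CONF OUT: append NAME's credentials to the base client
# directives and write OUT readable by its owner only (it holds a private key).
make_ovpn() {
    name=$1 base=$2 out=$3
    for f in "$base" "$PKI_DIR/ca.crt" "$PKI_DIR/issued/$name.crt" \
             "$PKI_DIR/private/$name.key" "$TA_KEY"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    (
        umask 077
        rm -f "$out"
        {
            cat "$base"
            inline_block ca "$PKI_DIR/ca.crt"
            inline_block cert "$PKI_DIR/issued/$name.crt"
            inline_block key "$PKI_DIR/private/$name.key"
            inline_block tls-auth "$TA_KEY"
        } > "$out"
    )
}

# Usage: sh make_ovpn.sh client1 base-client.conf client1.ovpn
if [ "$#" -eq 3 ]; then
    make_ovpn "$@"
fi
```

Run it as a user that can read the PKI directory. The resulting file contains the client's private key, so transfer it to the client over a secure channel.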

OpenVPN vs WireGuard

OpenVPN is more mature with wider compatibility, while WireGuard is simpler and faster. Choose WireGuard for new setups unless you specifically need OpenVPN features (TCP mode, obfuscation).
