OpenVPN Setup (Server & Client)
Environment

- VPN Server

Field               Spec or Version
CPU                 QEMU Virtual CPU version 2.5+ (2 Cores)
RAM                 2G
OS                  Ubuntu 24.04.1 LTS (Noble Numbat)
Network interface   ens18 / enp6s18 with static IP 192.168.3.100/24
DNS                 192.168.3.1 (Private DNS Server)

- VPN Client

Field               Spec or Version
CPU                 QEMU Virtual CPU version 2.5+ (2 Cores)
RAM                 2G
OS                  Ubuntu 24.04.1 LTS (Noble Numbat)
Network interface   ens18 / enp6s18 with static IP 192.168.5.100/24
DNS                 192.168.5.1 (Private DNS Server)
Server - Package Installation
apt install -y openvpn
Server - Configuration
- Copy from the sample configuration file:
cp /usr/share/doc/openvpn/examples/sample/config-files/server.conf /etc/openvpn/server/server.conf
- Edit the copied file so that it contains the following. The ca, cert, key and dh paths are relative and are resolved against /etc/openvpn/server when the server is started through the openvpn-server@server systemd unit. Because proto tcp is used, comment out the sample file's explicit-exit-notify line if it is present; that option is only valid with UDP.
port 1194
proto tcp
# Use routing mode instead of bridge mode
dev tun
ca ca.crt
cert example.fake.crt
key example.fake.key
dh dh.pem
topology subnet
server 192.168.7.0 255.255.255.0
# Add route for subnet on server to connected VPN clients
# Notice: firewall rule adjustment is required
push "route 192.168.3.0 255.255.255.0"
Server - Firewall rule
- Allow incoming connections to TCP port 1194 if the default policy of the INPUT chain is not ACCEPT.
- Allow the VPN interface and the VPN subnet (192.168.7.0/24) to reach other devices inside the server subnet (192.168.3.0/24), and masquerade VPN client addresses behind the server's LAN address. Forwarding between tun0 and enp6s18 also requires IPv4 forwarding to be enabled (net.ipv4.ip_forward=1).
iptables -A FORWARD -i tun0 -o enp6s18 -s 192.168.7.0/24 -d 192.168.3.0/24 -j ACCEPT
iptables -A FORWARD -i enp6s18 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o enp6s18 -j MASQUERADE
- Don't forget to save the changes to both the firewall configuration file and the runtime configuration. /etc/iptables/rules.v4 is the file that the iptables-persistent package restores at boot.
# Save iptables runtime to file
iptables-save > /etc/iptables/rules.v4
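The firewall steps above (the INPUT rule for port 1194, the FORWARD/NAT rules and the save) collected into one re-runnable script, as an added example that is not part of the original page. It assumes it runs as root, that iptables-persistent provides /etc/iptables/rules.v4, and that the INPUT chain already accepts RELATED,ESTABLISHED traffic; the interface, subnet and port names default to the values used on this page.

```shell
# Added example (not from the original page): derive the OpenVPN firewall
# rules from named parameters and apply them without creating duplicates.
# Assumptions: runs as root, iptables-persistent is installed (rules.v4),
# and the INPUT chain already accepts RELATED,ESTABLISHED traffic.
LAN_IF="${LAN_IF:-enp6s18}"           # server's LAN interface
VPN_IF="${VPN_IF:-tun0}"              # OpenVPN tun device
VPN_NET="${VPN_NET:-192.168.7.0/24}"  # subnet from the "server" directive
LAN_NET="${LAN_NET:-192.168.3.0/24}"  # server subnet pushed to clients
VPN_PORT="${VPN_PORT:-1194}"          # "port" directive, proto tcp

# Print one rule per line as "<table> <chain> <match...> -j <target>".
vpn_rules() {
    printf '%s\n' \
      "filter INPUT -i $LAN_IF -p tcp --dport $VPN_PORT -j ACCEPT" \
      "filter FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT" \
      "filter FORWARD -i $LAN_IF -o $VPN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT" \
      "nat POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"
}

# Append each rule only when "iptables -C" reports it missing, so re-running
# the script never stacks duplicate rules; then persist the runtime table.
apply_rules() {
    vpn_rules | while read -r table spec; do
        # $spec is intentionally unquoted: it must split into iptables arguments
        iptables -t "$table" -C $spec 2>/dev/null || iptables -t "$table" -A $spec
    done
    iptables-save > /etc/iptables/rules.v4
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh openvpn-fw.sh apply`; without the argument it only defines the functions, so `vpn_rules` can be sourced and inspected before anything is changed.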