How to Install OpenVPN on a KVM VPS Server

OpenVPN is a robust and widely used open-source application that provides a secure way to establish virtual private network (VPN) connections over the internet. VPNs are becoming increasingly essential in today’s digital world, providing an extra layer of security, privacy, and encryption for online activities. Installing OpenVPN on a KVM VPS server is a cost-effective and reliable way to create a secure and private VPN connection that can be accessed from anywhere in the world.

OpenVPN is particularly useful for businesses that require secure remote access to their network resources and individuals who wish to protect their online privacy by hiding their IP addresses and encrypting their internet traffic. While the idea of installing OpenVPN on a KVM VPS server may seem daunting at first, it’s a straightforward process if you follow the right steps.

In this blog post, we’ll take you through a step-by-step guide to installing OpenVPN on your KVM VPS server. We’ll cover everything you need to know, from the necessary requirements to the configuration of the OpenVPN server, the creation of client certificates, and the configuration of the OpenVPN client. By the end of this blog post, you’ll have a secure and reliable OpenVPN connection set up on your KVM VPS server, ready for use. So, let’s dive in and get started!

Prerequisites

To begin the OpenVPN installation process on your KVM VPS server, you must have the following prerequisites:

• A KVM VPS server with root access and a user account with sudo privileges
• Basic knowledge of the Linux command line
• Optional: A valid domain name and DNS pointing to your server’s IP address

Once you have these prerequisites, follow the steps outlined below to install OpenVPN on your KVM VPS server:

Step 1: Update the Server

Before installing any new software or applications, it’s essential to update your server to ensure you have the latest security patches and bug fixes. To do this, run the following command:

sudo apt-get update && sudo apt-get upgrade

This command updates the package list and installs any available updates. You may be prompted to enter your sudo password, so make sure you have it on hand. Once the update and upgrade process is complete, you can move on to the next step.

Step 2: Install OpenVPN

After updating your server, the next step is to install OpenVPN using your distribution’s package manager. For instance, if you’re using Ubuntu, run the command below:

sudo apt-get install openvpn

The installation process should only take a few seconds, and once completed, you can verify the installation by checking the OpenVPN version number using the command:

openvpn –version

This will confirm that OpenVPN is installed and running correctly on your KVM VPS server.

Step 3: Generate Server Certificates

To generate the certificates for OpenVPN, the EasyRSA script can be used. The following steps need to be followed:

1. Install EasyRSA by running the command 

sudo apt-get install easy-rsa

2. Create a new EasyRSA directory and initialize it using the command 

make-cadir ~/openvpn-ca

3. Edit the “vars” file to configure the EasyRSA script.

4. Generate the CA and server certificates using the command

/easyrsa build-ca nopass

/easyrsa gen-req server nopass

/easyrsa sign-req server server

It is important to keep the server key and certificate files in a safe place, as they will be needed for the next steps.

Step 4: Configure the CA

To configure the Certificate Authority (CA), the vars file needs to be edited. This can be done by following these steps:

1. Open the vars file using the command 

nano ~/openvpn-ca/vars

2. Modify the values in the file according to your requirements.

3. Save the changes and exit the file. This step is important as it allows you to customize the CA settings to suit your needs. Once the vars file has been edited, you can proceed to configure the OpenVPN server.

Step 5: Build the Certificate Authority (CA)

After configuring the CA, you need to build it. Follow these steps:

1. Change to the EasyRSA directory:

cd ~/openvpn-ca

2. Set the environment variables by running:

source vars

3. Clean out any existing keys:

./clean-all

4. Build the CA by running:

./build-ca

Step 6: Generate Server Certificates

Once you have built the CA, you can generate the server certificate and key. Here’s how:

1. Change to the EasyRSA directory:

cd ~/openvpn-ca

2. Generate the server certificate and key by running:

./build-key-server server

Step 7: Configure the OpenVPN Server

Now that you have the server certificate and key, you can configure the OpenVPN server. Follow these steps:

1. Create a new configuration file by running:

nano /etc/openvpn/server.conf

2. Add the following lines to the file:

port 1194

proto udp

dev tun

ca /etc/openvpn/ca.crt

cert /etc/openvpn/server.crt

key /etc/openvpn/server.key

dh /etc/openvpn/dh.pem

server 10.8.0.0 255.255.255.0

push “redirect-gateway def1 bypass-dhcp”

push “dhcp-option DNS 8.8.8.8”

3. Save and close the file by pressing “Ctrl + X”, then “Y”, and finally “Enter”.

Step 8: Configure IP Forwarding

To allow clients to access the internet through the OpenVPN server, you need to enable IP forwarding. This can be done by editing the sysctl.conf file:

nano /etc/sysctl.conf

Uncomment the following line by removing the “#” symbol:

#net.ipv4.ip_forward=1

After uncommenting the line, it should look like this:

net.ipv4.ip_forward=1

Save and close the file. Then, reload the sysctl configuration to apply the changes:

sudo sysctl -p

IP forwarding is now enabled on your server, allowing clients to access the internet through the OpenVPN connection.

Step 9: Configure Firewall Rules

To allow OpenVPN traffic through the firewall, you need to configure the firewall rules. If you’re using UFW, you can follow these steps:

Allow UDP traffic on port 1194:

sudo ufw allow 1194/udp

Allow SSH traffic:

sudo ufw allow OpenSSH

Enable the firewall:

sudo ufw enable

This will allow UDP traffic on port 1194 and SSH traffic through the firewall, which is necessary for the OpenVPN server to function properly.

Step 10: Start the OpenVPN Service

Once the configuration is complete, you can start the OpenVPN service by executing the following command:

sudo systemctl start openvpn@server

Additionally, enable it to start automatically upon booting the system by running the command:

sudo systemctl enable openvpn@server

Step 11: Generate Client Certificates

To connect to the OpenVPN server, generate a client certificate and key using the EasyRSA script:

Go to the openvpn-ca directory:

cd ~/openvpn-ca

Source the vars file:

source vars

Build the client certificate and key:

./build-key client1

Step 12: Configure the OpenVPN Client

To connect to the OpenVPN server, you need to configure the client. First, download and install the OpenVPN client for your operating system. Then, create a new configuration file called “client.ovpn” using a text editor. Copy and paste the following content into the file:

client

dev tun

proto udp

remote YOUR_SERVER_IP_ADDRESS 1194

resolv-retry infinite

nobind

persist-key

persist-tun

remote-cert-tls server

cipher AES-256-CBC

verb 3

<ca>

INSERT_CA_CERTIFICATE_HERE

</ca>

<cert>

INSERT_CLIENT_CERTIFICATE_HERE

</cert>

<key>

INSERT_CLIENT_KEY_HERE

</key>

Replace “YOUR_SERVER_IP_ADDRESS” with your server’s IP address and insert the contents of the CA, client certificate, and client key files.

Step 13: Connect to the OpenVPN Server

To establish a connection to the OpenVPN server using the client, run the following command:

sudo openvpn –config client.ovpn

Once the connection is established, you should be able to access your network or the internet securely through the OpenVPN server. Congratulations, you have successfully set up and connected to your OpenVPN server!

Conclusion

Setting up OpenVPN on a KVM VPS server is a simple process, but it requires some technical expertise. By following the steps provided in this blog post, you can quickly establish a secure and dependable OpenVPN connection. If you encounter any problems or have any questions, don’t hesitate to contact your VPS provider for help.