OpenVPN/Checklist guide

From ArchWiki

This article summarizes the install process required for OpenVPN. See OpenVPN instead for a walkthrough.


Install the packages openvpn and easy-rsa.

Prepare data

# easyrsa clean-all

Generate the certificates

  • Create a seed for the CA creation
# dd if=/dev/urandom of=pki/.rnd bs=256 count=1
  • Create the "certificate authority" key
# easyrsa build-ca nopass
  • Create certificate and private key for the server
# easyrsa build-server-full <server-name> nopass
  • Create the Diffie-Hellman pem file for the server.
# easyrsa gen-dh
  • Create a certificate for each client.
# easyrsa build-client-full <client-name> nopass

All certificates are stored in pki directory. If you mess up, you can start all over by doing a easyrsa clean-all

Copy to each client the ca.crt, and their respective crt and key files.

Setting up the server

Create /etc/openvpn/server/myvpnserver.conf with a content like this:

port <port>
proto tcp
dev tun0

ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/<server-name>.crt
key /etc/openvpn/easy-rsa/pki/private/<server-name>.key
dh /etc/openvpn/easy-rsa/pki/<your pem file>

server <desired base ip>
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nobody
status /var/log/openvpn-status.log
verb 3

log-append /var/log/openvpn
status /tmp/vpn.status 10

Start and optionally enable the service. In this example, it is openvpn-server@myvpnserver.service.

Setting up the clients

Create a .conf file for each client like this:

remote <server> <port>
dev tun0
proto tcp
resolv-retry infinite
verb 2
ca ca.crt
cert <client crt file with full path>
key <client key file with full path>

Start and optionally enable the service. In this example the unit is openvpn-client@a-client-conf-file.service.


If the openvpn server can be started manually as root but not using systemd, you can try fixing the permissions:

# chown -R openvpn:network /etc/openvpn/*