OpenVPN Server Overview

This guide provides a complete setup for a secure OpenVPN server that allows remote access to your local network and routes internet traffic through your home connection.

What You’ll Achieve

By following this guide, you’ll create:

  • Secure remote access to your home network from anywhere

  • Enhanced privacy by routing all internet traffic through your VPN

  • Modern security using Elliptic Curve Cryptography (ECC) and tls-crypt authentication

  • Easy client management with automated configuration file generation


How It Works

OpenVPN Diagram

This diagram shows how OpenVPN creates a secure tunnel between remote devices and your local network.

Network Components

  • OpenVPN Server: Located on your local network; manages VPN connections and handles network routing

  • OpenVPN Client: Remote devices (laptops, phones) connecting securely from the internet

  • Gateway Router: Your home router that connects to the internet

Traffic Security

The diagram shows three types of network traffic:

  • Encrypted VPN Tunnel (Red Dashed Line):

    • Secure: All data is encrypted between client and server across the internet

    • Allows remote access to local resources and routes internet traffic through your home connection

  • Local Network Traffic (Green Dashed Line):

    • Unencrypted: Normal traffic within your local network

    • Also represents direct internet traffic that doesn’t use the VPN

  • Physical Connections (White Solid Lines):

    • Hardware connections (ethernet cables, WiFi) between devices


Setup Process

This guide walks you through three main phases:

  1. Server Installation & PKI Setup

    • Install OpenVPN and Easy-RSA

    • Create certificates and encryption keys

    • Generate the tls-crypt authentication key

  2. Server Configuration

    • Configure the main server.conf file

    • Set up network routing and firewall rules

    • Enable the OpenVPN service

  3. Client Management

    • Generate client certificates

    • Create easy-to-use .ovpn configuration files

    • Distribute to your devices


Client Configuration Script

The included make-client-ovpn.sh script simplifies client setup by automatically creating secure, all-in-one configuration files.

What It Does

  • Creates .ovpn files: Single files containing all necessary certificates and keys

  • Embeds security keys: Includes CA certificate, client certificate, private key, and tls-crypt key

  • Uses your settings: Applies your custom client configuration from client-base.conf

How to Use

  1. Generate client certificate:

    cd ~/easy-rsa
    ./easyrsa build-client-full client-name nopass
    
  2. Create the configuration file:

    ./make-client-ovpn.sh client-name
    
  3. Find your file:

    ~/easy-rsa/client-ovpn-files/client-name.ovpn
    

Note: Complete the server setup first by following the detailed installation guide linked below.
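
The steps above, as an added example that is not the guide's make-client-ovpn.sh: a shell function that assembles the all-in-one file from client-base.conf and the four pieces of key material using OpenVPN's inline tags. It assumes the Easy-RSA 3 default PKI layout (pki/ca.crt, pki/issued, pki/private) and takes the tls-crypt key path as an argument because the page does not name that file; build_ovpn and its parameters are hypothetical names.

```shell
#!/bin/sh
# Added example, not the guide's make-client-ovpn.sh.
# Assumptions: Easy-RSA 3 default PKI layout; the tls-crypt key path is passed
# in because the page does not name that file.

# build_ovpn NAME PKI_DIR BASE_CONF TLS_CRYPT_KEY OUT_DIR
# Writes OUT_DIR/NAME.ovpn with owner-only permissions and prints its path.
build_ovpn() {
    name=$1 pki=$2 base=$3 tc_key=$4 out_dir=$5

    # Reject names that could escape the output directory.
    case $name in
        ''|.*|*[!A-Za-z0-9._-]*) echo "invalid client name" >&2; return 2 ;;
    esac

    # Fail before writing anything if an input is missing or empty.
    for f in "$base" "$pki/ca.crt" "$pki/issued/$name.crt" \
             "$pki/private/$name.key" "$tc_key"; do
        [ -s "$f" ] || { echo "missing input: $f" >&2; return 1; }
    done

    out="$out_dir/$name.ovpn"
    (
        umask 077    # the file embeds the client's private key
        mkdir -p "$out_dir" || exit 1
        tmp="$out.tmp.$$"
        {
            cat "$base"
            printf '<ca>\n'
            cat "$pki/ca.crt"
            printf '</ca>\n'
            # Issued certs may carry a text dump before the PEM block; keep only the PEM.
            printf '<cert>\n'
            sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pki/issued/$name.crt"
            printf '</cert>\n'
            printf '<key>\n'
            cat "$pki/private/$name.key"
            printf '</key>\n'
            printf '<tls-crypt>\n'
            cat "$tc_key"
            printf '</tls-crypt>\n'
        } > "$tmp" && mv "$tmp" "$out"
    ) || return 1
    printf '%s\n' "$out"
}
```

Because the client certificate was built with nopass, the resulting .ovpn holds an unencrypted private key, so copy it to the device over a protected channel and delete stray copies.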


Common Issues

Connection Works But Web Won’t Load

If you can connect to the VPN and ping devices but websites don’t load, this is often an MTU (Maximum Transmission Unit) issue.

Quick Fix: Add this line to your server.conf and restart the OpenVPN service:

    tun-mtu 1432

When This Happens:

  • Your internet connection uses PPPoE (common with home internet, both DSL and fiber)

  • VPN packets are too large and get fragmented or dropped

For a detailed explanation of MTU calculation and troubleshooting:

How to determine if you have black-holing


Ready to Start?

Follow the complete setup guide to build your secure OpenVPN server:

Install OpenVPN and Easy-RSA

What’s Next:

  1. Server installation and certificate setup

  2. Configuration file creation

  3. Firewall and routing setup

  4. Client configuration and testing