This comprehensive Linux guide expects that you run the following commands as root user but if you decide to run the commands as a different user then ensure that the user has sudo access and that you precede each of the privileged commands with sudo

OpenVPN is an open-source VPN protocol allowing secure online access from point-to-point completely free of charge. It implements multiple secuirty layers using the SSL/TLS protocol. You can bypass blocked site and increase your privacy or safety online by being an anonymous user as your actual credentials and location are hidden to the target website.

Finding your own IP Address

First, you need to find your own IP Address. You can use following commands to find IPv4 public address.

ip addr show eth0

Or if your network card is identified as eth1 use the following command, otherwise type the identifier of your corresponding network card.

ip addr show eth1

Aternatively you can also view your public IP Address by using the host command.


Update System Libraries

Its a good practice to update system libraries before continuing so you can use the following commands to update your system

apt-get update
apt-get upgrade

You might also need to reboot, use the following command to reboot your linux machine.


Installing Uncomplicated Firewall

OpenVPN server must be configured on Debian 9 server along with firewall to secure and hardened OpenVPN Server on Debian 9

apt-get install ufw

After installation, you need to allow certain ports to be opened through the firewall such as SSH port 22, 80, 443. Use the following commands to enable the required ports.

ufw allow 22
ufw allow 80
ufw allow 443

Enabling The Firewall

To enable the firewall you can use the following commands

ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Verification Of Firewall Rules

To verify the firewall you can use the following commands

ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)  

Downloading The OpenVPN Script

Now its time to download and install the OpenVPN. You can use the following wget command to download the script.

wget -O

Configuring OpenVPN Server

After the download, type the following command to install and configure OpenVPN server automatically.


When the terminal asks for IP address, provide the actual IP address of the system previously determined in starting steps. Set the Port number to 1194. If you are not using a web server, you can set the port to 443 as well. Type in a client name and press enter to continue and finish the installation procedure.

The VPN service has been enabled and ready to use. You can view the configured firewall rules by using the following command

nano /etc/rc.local
#!/bin/sh -e
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s ! -d -j SNAT --to
exit 0

The OpenVPN server configuration can be viewed by the following command:

vi -M /etc/openvpn/server.conf
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
status openvpn-status.log
verb 3
crl-verify crl.pem

Starting, Stopping and Restarting the OpenVPN Service

To Start the Service

systemctl start openvpn@server

To Stop the Service

systemctl stop openvpn@server

To Restart The Service

systemctl restart openvpn@server

Client Configuration

On your server you will find a client configuration file named as
 ~/macos-vpn-client.ovpn. In the Next Step, copy this file to your local desktop using the scp and provide this file to your OpenVPN client to connect:

scp [email protected]:~/macos-vpn-client.ovpn

On the Client System, use the following commands to install OpenVPN on a Debian System

apt install openvpn

Alternatively for CentOS you can use

yum install openvpn

Copy macos-vpn-client.ovpn as follows:

cp macos-vpn-client.ovpn /etc/openvpn/client.conf

Test connectivity using

openvpn --client --config /etc/openvpn/client.conf

To run this automatically at startup use:

systemctl start openvpn@client

Test the connectivity again using:

ip route
dig TXT +short