OpenVPN

Information

OpenVPN is open-source software for creating secure virtual private networks (VPNs). It uses the SSL/TLS protocols to provide data encryption and authentication. OpenVPN operates over TCP or UDP and can pass through firewalls and proxy servers, which makes it flexible across different network environments.

Deployment Features

| ID | Compatible OS | VM | BM | VGPU | GPU | Min CPU (Cores) | Min RAM (GB) | Min HDD/SSD (GB) | Active |
|---|---|---|---|---|---|---|---|---|---|
| 298 | Ubuntu 24.04 | + | + | + | + | 1 | 1 | - | Yes |

Getting Started After Deploying OpenVPN

After the order is paid, a notification that the server is ready will be sent to the email address specified during registration. It will include the VPS IP address as well as the login credentials for access. Our company's clients manage equipment through the control panel and API, Invapi.

Authentication data can be found in either the Info >> Tags tab of the server management panel or in the sent email:

  • Login and Password for server administration: received via email after server deployment. The password matches the root password on the server.

Connecting to the Server and Accessing Management

Information

OpenVPN consists of a server component installed on the server, and a client component for end users. The server application provides VPN connection setup and management, while the client application is available for various platforms including Windows, macOS, Android, iOS, and Linux.

  1. Connect to the server via SSH:

    ssh root@<server_IP>
    

  2. Main configuration files for OpenVPN are located in the /etc/openvpn/ directory:

    ls -la /etc/openvpn/
    

  3. On the server, there is also a script for setting up client configurations:

    ls -la /root/openvpn-conf.sh
    

  4. You can check the status of the OpenVPN server with the following command:

    systemctl status openvpn@server
    

Configuring User Profiles

  1. On your server, there is already a ready-made user configuration file (client_hk.ovpn) in the /root/ directory:

    ls /root/
    client_hk.ovpn  openvpn-conf.sh
    
    You can use the existing client_hk.ovpn file or create a new one using the script.

  2. Copy the desired configuration file to your local device with SCP:

    scp root@<server_IP>:/root/client_hk.ovpn /path/on/local/computer/
    

Creating a New User

  1. Connect to the server via SSH:

    ssh root@<server_IP>
    

  2. Run the OpenVPN configuration script:

    /root/openvpn-conf.sh
    

  3. The menu that appears offers the following options:

    Welcome to OpenVPN-install!
    The git repository is available at: https://github.com/angristan/openvpn-install
    It looks like OpenVPN is already installed.
    What do you want to do?
       1) Add a new user
       2) Revoke existing user
       3) Remove OpenVPN
       4) Exit
    Select an option [1-4]:
    

  4. Choose option 1 for adding a new user:

    Select an option [1-4]: 1
    

  5. Enter the name of the client, following the format requirements:

    Tell me a name for the client.
    The name must consist of alphanumeric characters. It may also include an underscore or a dash.
    Client name: UserName
    
    Information: The username should contain only letters, numbers, underscores, or dashes.

  6. Choose a method to protect the configuration file:

    Do you want to protect the configuration file with a password?
    (e.g., encrypt the private key with a password)
       1) Add a passwordless client
       2) Use a password for the client
    Select an option [1-2]:
    

    • Option 1: Creates a file without a password (a simpler option for users);
    • Option 2: Requires entering a password to protect the key (enhanced security).

  7. If you chose protection with a password (option 2), you will be prompted to enter the password twice:

    ⚠️ You will be asked for the client password below ⚠️
    * Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022
    * Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
    
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    
  8. After successfully completing all steps, you will see a message about the creation of a new user:

    Client UserName added.
    The configuration file has been written to /root/UserName.ovpn.
    Download the .ovpn file and import it in your OpenVPN client.
    

  9. The .ovpn configuration file is created in the /root/ directory and named after the user:

    ls -la /root/*.ovpn
    

Revoking User Access

  1. Run the OpenVPN setup script:

    /root/openvpn-conf.sh
    

  2. Choose option 2 to revoke an existing user:

    Select an option [1-4]: 2
    

  3. Select a user from the list for revocation:

    Select the client to revoke:
    1) User1
    2) User2
    ...
    Client: 1
    

  4. Confirm the revocation:

    Confirm revoke for User1? [y/n]: y
    

  5. After successful revocation, you will see a message:

    Certificate for client User1 revoked!
    

Transferring Configuration File to User

  1. Copy the .ovpn file from the server to your local computer:

    scp root@<server_IP>:/root/UserName.ovpn /path/on/local/computer/
    

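  2. Transfer the configuration file to the user through a secure communication channel. The file contains the client's private key, so anyone who obtains it can connect as that user unless the key is protected with a password.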

Managing User Certificates

Viewing Existing Certificates

To view the list of all issued user certificates, run:

    cd /etc/openvpn/easy-rsa/pki/issued/
    ls -la

Example output:

    total 20
    drwx------ 2 root root 4096 Apr  4 09:33 .
    drwx------ 8 root root 4096 Apr  4 09:33 ..
    -rw------- 1 root root 2512 Apr  4 09:33 Testuser.crt
    -rw------- 1 root root 2518 Apr  3 14:21 client_hk.crt
    -rw------- 1 root root 2705 Apr  3 14:21 server_jGWMj7JIGkP69so7.crt

Each file with a .crt extension is an issued certificate. For user certificates, the filename corresponds to the username; the file whose name begins with server_ is the server's own certificate.

Revoking a User Certificate

If you need to revoke a user's access (for example, when an employee is terminated or a key is compromised), follow these steps:

  1. Navigate to the Easy-RSA directory:

    cd /etc/openvpn/easy-rsa/
    

  2. Run the certificate revocation command, specifying the exact username:

    ./easyrsa revoke UserName
    

    Important: The username must exactly match the filename of the certificate without the .crt extension. The match is case-sensitive.

    For example, to revoke the certificate for the user Testuser:

    ./easyrsa revoke Testuser
    
  3. After successfully revoking the certificate, generate an updated list of revoked certificates (CRL):

    ./easyrsa gen-crl
    

    You will see a message about creating an updated CRL:

    Notice
    ------
    An updated CRL has been created.
    CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
    

Updating the List of Revoked Certificates on the Server

To enforce revoked certificates, update the CRL on the server:

  1. Copy the updated CRL to the OpenVPN directory:

    cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/
    

  2. Restart the OpenVPN service to apply changes:

    systemctl restart openvpn@server
    

After completing these steps, a user with a revoked certificate will no longer be able to connect to the VPN server, even if they have a valid .ovpn configuration file.
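
The revocation and CRL update steps above can be checked afterwards. The following is an added example, not part of the original page or of the openvpn-install script: it reads Easy-RSA's tab-separated pki/index.txt to report a certificate's status, confirms that the server configuration contains a crl-verify directive, and confirms that the deployed CRL matches the freshly generated one. The function names and the sample data are constructed for illustration; the configuration path /etc/openvpn/server.conf and the need for a world-readable CRL are assumptions.

```shell
# Added example: audit Easy-RSA revocation state (helper names are hypothetical).

# cert_status INDEX_TXT NAME -> valid | revoked | expired | unknown
# index.txt columns (tab-separated): status, expiry, revocation date, serial, file, subject
cert_status() {
  awk -F'\t' -v cn="$2" '
    BEGIN { m["V"] = "valid"; m["R"] = "revoked"; m["E"] = "expired" }
    { n = $6; sub(/^.*\/CN=/, "", n); sub(/\/.*$/, "", n) }
    n == cn { s = $1 }   # exact, case-sensitive match; the newest entry wins
    END { print ((s in m) ? m[s] : "unknown") }' "$1"
}

# crl_enforced SERVER_CONF -> 0 if an uncommented crl-verify directive is present
crl_enforced() { grep -Eq '^[[:space:]]*crl-verify[[:space:]]+[^[:space:]]' "$1"; }

# crl_deployed PKI_CRL LIVE_CRL -> 0 if the live copy is identical to the newly
# generated CRL and world-readable (assumption: the daemon drops root privileges)
crl_deployed() {
  cmp -s "$1" "$2" && [ -n "$(find "$2" -perm -004)" ]
}

# Constructed sample data standing in for /etc/openvpn; not taken from a real server.
make_sample() {
  mkdir -p "$1/pki"
  printf 'V\t350401093300Z\t\t01\tunknown\t/CN=server_EXAMPLE\n' > "$1/pki/index.txt"
  printf 'V\t350401142100Z\t\t02\tunknown\t/CN=client_hk\n' >> "$1/pki/index.txt"
  printf 'R\t350402093300Z\t250404101500Z\t03\tunknown\t/CN=Testuser\n' >> "$1/pki/index.txt"
  printf 'placeholder CRL, revision 2\n' > "$1/pki/crl.pem"
  printf 'placeholder CRL, revision 1\n' > "$1/crl.pem"   # stale: copy step skipped
  printf 'port 1194\ncrl-verify crl.pem\n' > "$1/server.conf"
  chmod 644 "$1/crl.pem"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
for name in client_hk Testuser testuser; do
  printf '%-10s %s\n' "$name" "$(cert_status "$demo_dir/pki/index.txt" "$name")"
done
crl_enforced "$demo_dir/server.conf" && echo "crl-verify: present"
crl_deployed "$demo_dir/pki/crl.pem" "$demo_dir/crl.pem" || echo "live CRL is stale or unreadable"
```

On a real server the same functions would be pointed at /etc/openvpn/easy-rsa/pki/index.txt, /etc/openvpn/easy-rsa/pki/crl.pem and /etc/openvpn/crl.pem.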

Setting Up User Access

Installing OpenVPN

  1. Go to the official OpenVPN site;
  2. Download the latest version of OpenVPN Community Edition for Windows;
  3. Run the installer and follow the setup wizard instructions;
  4. During installation, ensure that all default components are selected, including TAP drivers.

Detailed information on installing on Windows can be found in the official guide.

Obtaining Configuration File

To copy the OpenVPN configuration file directly from the server, use the SCP command:

    scp root@SERVER_IP:/root/client_hk.ovpn C:\OpenVPN

Where:

  • SERVER_IP - IP address of your VPN server
  • /root/client_hk.ovpn - path to the configuration file on the server
  • C:\OpenVPN - local directory on your computer where the file will be copied

After running the command, you will be prompted to enter the root account password for the server.

After successful copying, you will see information about process completion and the size of the transferred file.

Importing and Using Configuration

  1. Copy the obtained .ovpn file to C:\Program Files\OpenVPN\config

  2. Launch OpenVPN GUI — the program automatically starts in the system tray on Windows startup (icon in the bottom-right corner of the screen)

  3. Right-click the OpenVPN icon in the system tray

  4. In the context menu, select Import to add your configuration.

  5. If your profile is already imported or copied to the config directory, you will see it in the menu. Select Connect and the name of your profile

  6. Enter the login and password if required, for example when authentication is used or the configuration file is password-protected.

  7. After a successful connection, you will see a confirmation notification.

The OpenVPN icon in the system tray will also change color to green.

To check the connection, visit whoer.net or whatismyip.com.

If you need to set up OpenVPN on other operating systems, use the official developer instructions:

  • macOS: OpenVPN Connect Installation Guide for macOS
  • iOS: iOS Installation Guide
  • Linux: Connecting to OpenVPN Access Server with Linux
  • Android: Guide to Using OpenVPN on Android

Note

When connecting through OpenVPN, all device traffic passes through a secure tunnel. To disconnect, use the Disconnect option in the client application.

Note

Detailed information on basic settings of OpenVPN is available in the developer documentation.

Ordering a server with OpenVPN using the API

To install this software using the API, follow these instructions.


Some of the content on this page was created or translated using AI.