VPN Server Setup with OpenVPN

Complete guide for setting up an OpenVPN server in the homelab environment.

Overview

This guide covers setting up a secure VPN server using OpenVPN to provide remote access to your homelab network. The setup includes:

  • Creating a Certificate Authority (CA)
  • Generating server and client certificates
  • Configuring OpenVPN server
  • Setting up client connections

Prerequisites

Hardware Requirements

  • Ubuntu 20.04+ server
  • Static IP address
  • At least 1GB RAM

Network Requirements

  • Public IP address or dynamic DNS
  • Port forwarding capability on router
  • Ports required:
    • 443/tcp - OpenVPN traffic over TCP (the server configuration below uses this)
    • 443/udp - OpenVPN traffic over UDP
    • 3478/udp - UniFi Cloud access
    • 8883/tcp - UniFi secure communication

Software Requirements

  • Ubuntu Server 20.04 or newer
  • SSH access to server
  • Root or sudo privileges

Certificate Authority Setup

Step 1: Install Easy-RSA

# Update package lists and install Easy-RSA
sudo apt update -y
sudo apt install easy-rsa -y

# Set up a working copy of Easy-RSA in the home directory
mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
# The PKI, including the CA private key, will live here, so keep it owner-only
chmod 700 ~/easy-rsa

Step 2: Initialize PKI

cd ~/easy-rsa
./easyrsa init-pki

Step 3: Configure CA Variables

Create the vars file:

cd ~/easy-rsa
vim vars

Add the following configuration:

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "Colorado"
set_var EASYRSA_REQ_CITY       "Denver"
set_var EASYRSA_REQ_ORG        "HomeLab"
set_var EASYRSA_REQ_EMAIL      "${VPN_ADMIN_EMAIL}"
set_var EASYRSA_REQ_OU         "Community"
set_var EASYRSA_ALGO           "ec"
set_var EASYRSA_DIGEST         "sha512"

Step 4: Build Certificate Authority

# nopass leaves the CA private key unencrypted on disk; omit it to protect the key with a passphrase
./easyrsa build-ca nopass

OpenVPN Server Installation

Step 1: Install OpenVPN

sudo apt install openvpn -y

Step 2: Generate Server Certificate

On the CA server:

cd ~/easy-rsa
./easyrsa gen-req server nopass
./easyrsa sign-req server server

Step 3: Transfer Certificates

Copy certificates to OpenVPN server:

# Copy server certificate
scp pki/issued/server.crt ubuntu@${VPN_SERVER_IP}:/tmp

# Copy CA certificate
scp pki/ca.crt ubuntu@${VPN_SERVER_IP}:/tmp

# Copy server key (if generated on CA server)
scp pki/private/server.key ubuntu@${VPN_SERVER_IP}:/tmp

Step 4: Configure OpenVPN Server

Create the server configuration (the certificate files copied to /tmp in Step 3 must be moved into /etc/openvpn first, since the paths below are relative to that directory):

sudo vim /etc/openvpn/server.conf

Add configuration:

# Listen on 443/tcp, as listed in the network requirements
port 443
proto tcp
dev tun
# Paths are relative to /etc/openvpn, where the openvpn@server unit runs
ca ca.crt
cert server.crt
key server.key
# The CA was built with EASYRSA_ALGO "ec", so no DH parameter file is needed;
# the dh2048.pem the original pointed at is never generated in this guide and
# would make the service fail to start
dh none
server 10.8.0.0 255.255.255.0
# Send all client traffic through the tunnel and hand out resolvers
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
# Drop root privileges after start-up; persist-* keep the tunnel usable afterwards
user nobody
group nogroup
persist-key
persist-tun
# Absolute path so it matches the file read in the Verification section
status /var/log/openvpn-status.log
verb 3

Step 5: Start OpenVPN Service

# Enable and start service
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server

# Check status
sudo systemctl status openvpn@server

Client Configuration

Step 1: Generate Client Certificate

On the CA server:

cd ~/easy-rsa
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

Step 2: Transfer Client Files

# Copy client certificate
scp pki/issued/client1.crt ubuntu@${VPN_SERVER_IP}:/tmp

# Copy client key
scp pki/private/client1.key ubuntu@${VPN_SERVER_IP}:/tmp

Step 3: Create Client Configuration

Create the client1.ovpn file (ca.crt, client1.crt and client1.key must be placed next to it on the client machine):

client
dev tun
proto tcp
remote ${VPN_SERVER_PUBLIC_IP} 443
resolv-retry infinite
nobind
persist-key
persist-tun
# Certificate files, relative to the location of this profile
ca ca.crt
cert client1.crt
key client1.key
# Only accept a peer certificate issued for server use (Easy-RSA "sign-req server"),
# so another client certificate from the same CA cannot impersonate the server
remote-cert-tls server
cipher AES-256-CBC
verb 3

Step 4: Download Client Configuration

# From your local machine (assumes the .ovpn was assembled under ~/client-configs/files on the VPN server)
scp ubuntu@${VPN_SERVER_IP}:/home/ubuntu/client-configs/files/client1.ovpn ~/
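Step 4 downloads a client1.ovpn that the guide never shows being assembled. A common way to produce it is to inline the CA certificate, the client certificate and the client key into one profile, so the user needs a single file. The script below is an added example for this guide, not code from the original page or from the OpenVPN or Easy-RSA projects: make_client_profile, its parameter order and the directory layout it expects (ca.crt, NAME.crt and NAME.key in one directory) are this example's own choices. It reproduces the directives of the client configuration above and adds remote-cert-tls server. The PEM files created at the end are constructed placeholders so the script runs offline; with real files, gather pki/ca.crt, pki/issued/client1.crt and pki/private/client1.key into one directory on the CA server and point the function at it.

```shell
#!/bin/sh
# Added example (not part of the original guide): bundle a client's CA cert,
# certificate and private key into a single self-contained .ovpn profile.
# Hypothetical interface: make_client_profile NAME KEYDIR SERVER [PORT]

make_client_profile() {
    name="$1"; keydir="$2"; server="$3"; port="${4:-443}"
    out="$keydir/$name.ovpn"
    # Refuse to continue if an input is missing rather than emit a broken profile
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    {
        # Same directives as the guide's client configuration
        printf 'client\ndev tun\nproto tcp\nremote %s %s\n' "$server" "$port"
        printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
        printf 'cipher AES-256-CBC\nverb 3\n'
        # Accept only a peer certificate issued for server use, so another
        # client certificate from the same CA cannot pose as the server
        printf 'remote-cert-tls server\n'
        # Inline the PEM material instead of shipping three extra files
        printf '<ca>\n';   cat "$keydir/ca.crt";      printf '</ca>\n'
        printf '<cert>\n'; cat "$keydir/$name.crt";   printf '</cert>\n'
        printf '<key>\n';  cat "$keydir/$name.key";   printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the profile now contains the private key
    echo "$out"
}

# Constructed demo inputs: placeholder PEM bodies, not real certificates
DEMO_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' '-----END CERTIFICATE-----' > "$DEMO_DIR/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT' '-----END CERTIFICATE-----' > "$DEMO_DIR/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' '-----END PRIVATE KEY-----' > "$DEMO_DIR/client1.key"

# Build the demo profile; vpn.example.com is a placeholder for ${VPN_SERVER_PUBLIC_IP}
PROFILE=$(make_client_profile client1 "$DEMO_DIR" vpn.example.com 443)
echo "wrote $PROFILE"
```

The profile is written with mode 600 because it carries the private key; treat it like the key itself when handing it to a user.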

Firewall Configuration

Configure UFW

# Allow OpenVPN
sudo ufw allow 443/tcp
sudo ufw allow 443/udp

# Allow SSH (important!)
sudo ufw allow OpenSSH

# Enable firewall
sudo ufw enable

Configure IP Forwarding

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1

# Make permanent
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

Verification

Check VPN Service

# Check service status
sudo systemctl status openvpn@server

# View logs
sudo journalctl -u openvpn@server -f

# Check connected clients
sudo cat /var/log/openvpn-status.log
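The status file read by the last command is a small comma-separated text file, so it can be summarised from the shell without extra tooling. The script below is an added example written for this guide, not part of the original page or of OpenVPN: it lists the clients in the CLIENT LIST section, maps each common name to its tunnel address from the ROUTING TABLE, and flags any common name that is connected from more than one real address at the same time, which is the first thing to look at when a client certificate may have been copied. The embedded status log is constructed sample data in the default status-version 1 layout; on the server, pass /var/log/openvpn-status.log to the functions instead.

```shell
#!/bin/sh
# Added example (not part of the original guide): summarise an OpenVPN
# status log (status-version 1 layout) from the shell.

# Constructed sample status log, not a real capture. client2 appears twice
# from different real addresses to exercise the shared-certificate check.
SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,2024-01-01 12:00:00
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51234,12345,67890,2024-01-01 11:30:00
client2,198.51.100.7:40001,222,333,2024-01-01 11:45:00
client2,192.0.2.9:55555,10,20,2024-01-01 11:50:00
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.5:51234,2024-01-01 12:00:00
10.8.0.10,client2,198.51.100.7:40001,2024-01-01 12:00:00
10.8.0.14,client2,192.0.2.9:55555,2024-01-01 12:00:00
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# Print "CN real_address bytes_in bytes_out" for every entry in the CLIENT LIST section.
# Usage: connected_clients /var/log/openvpn-status.log
connected_clients() {
    awk -F, '
        /^ROUTING TABLE/ { in_list = 0 }          # section ends here
        in_list && NF >= 5 { print $1, $2, $3, $4 }
        /^Common Name,Real Address/ { in_list = 1 } # header line, start after it
    ' "$1"
}

# Number of connected client sessions.
count_clients() {
    connected_clients "$1" | wc -l | tr -d ' '
}

# Print "CN virtual_address real_address" from the ROUTING TABLE section.
routing_table() {
    awk -F, '
        /^GLOBAL STATS/ { in_rt = 0 }
        in_rt && NF >= 4 { print $2, $1, $3 }
        /^Virtual Address,Common Name/ { in_rt = 1 }
    ' "$1"
}

# Common names with more than one simultaneous session: with the default
# (no duplicate-cn) this should be empty, so any output deserves a look.
shared_certs() {
    connected_clients "$1" | awk '{ n[$1]++ } END { for (cn in n) if (n[cn] > 1) print cn }' | sort
}

# Demo run on the constructed sample written to a temp file
STATUS_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_STATUS" > "$STATUS_FILE"
echo "sessions: $(count_clients "$STATUS_FILE")"
connected_clients "$STATUS_FILE"
echo "common names with multiple sessions:"
shared_certs "$STATUS_FILE"
```

Running the functions from cron and alerting on non-empty shared_certs output is a cheap way to act on the "monitor access logs" item in the best practices below.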

Test Client Connection

  1. Import .ovpn file into OpenVPN client
  2. Connect to VPN
  3. Verify that your public IP address is now the VPN server's: curl ifconfig.me
  4. Test internal network access

Troubleshooting

Common Issues

Issue: Service fails to start

Check logs for errors:

sudo journalctl -u openvpn@server -xe

Issue: Client cannot connect

Verify:

  • Port forwarding on router
  • Firewall rules
  • Certificate validity

Issue: No internet after connecting

Add a NAT/masquerade rule for the VPN subnet if one is missing (replace eth0 with the server's outbound interface; the rule does not survive a reboot unless saved):

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Debug Mode

Enable verbose logging:

# In server.conf
verb 6

Security Best Practices

  1. Use strong encryption (AES-256)
  2. Implement certificate-based authentication
  3. Regularly rotate certificates
  4. Monitor access logs
  5. Restrict client permissions
  6. Use non-standard ports if possible

Integration with UniFi

For UniFi Cloud access through VPN:

  • Ensure ports 443/tcp, 443/udp, 3478/udp, 8883/tcp are accessible
  • Configure split tunneling if needed
  • Add UniFi controller to VPN client routes

Last Updated: 2024
Part of the Homelab Documentation Series


This project is for educational and home lab purposes.