Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/openvpn/openvpn/llms.txt

Use this file to discover all available pages before exploring further.

This guide covers deployment strategies and best practices for running OpenVPN in production environments.

Installation methods

1

Install from package repositories

Use official OpenVPN repositories for the most up-to-date packages:
# Debian/Ubuntu
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable $(lsb_release -sc) main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt update && apt install openvpn

# RHEL/CentOS/Fedora
yum install https://swupdate.openvpn.net/repos/openvpn-repo-pkg-key.pub
yum install openvpn
Package repositories are available for CentOS/Fedora, Debian, and Ubuntu. See the OpenvpnSoftwareRepos wiki for details.
2

Build from source

For custom builds or the latest features:
# From tarball
./configure
make
sudo make install

# From source repository
git clone https://github.com/OpenVPN/openvpn
cd openvpn
autoreconf -i -v -f
./configure
make
sudo make install
3

Verify installation

Test that OpenVPN is properly installed:
openvpn --version
openvpn --show-ciphers

System requirements

Required components

A virtual network device driver is required for OpenVPN to function:
  • Linux 2.6+: Built-in TUN/TAP driver 
    modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
  • FreeBSD: TUN/TAP integrated in recent versions
  • OpenBSD: Dynamically created tun devices
  • Windows: TAP-Windows adapter included in installers
Choose one of the following:
On Linux systems, additional libraries are needed:
  • libnl-gen - Required for kernel netlink support
  • libcap-ng - Required for Linux capability handling

Optional components

Compression is not supported when using DCO (Data Channel Offload). Use --compress migrate to transition away from compression.

Deployment modes

Server deployment

For multi-client server deployments: 
# Basic server configuration
openvpn --config /etc/openvpn/server.conf --daemon
Use systemd or init scripts for automatic startup:
systemctl enable openvpn-server@server
systemctl start openvpn-server@server

Client deployment

For client connections: 
# Connect to VPN server
openvpn --config /etc/openvpn/client.conf

Point-to-point deployment

For P2P tunnels without client/server architecture: 
# Static key mode
openvpn --remote server.example.com --dev tun --ifconfig 10.4.0.1 10.4.0.2 --secret static.key
P2P mode with DCO requires DATA_V2 support, available in OpenVPN 2.6+. Verify with:
P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 9484735, cipher=AES-256-GCM

Security best practices

Certificate management

1

Generate certificate authority

Create a secure CA for signing certificates:
# Using easy-rsa
git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca
Never use test certificates and keys from OpenVPN distributions in production environments.
2

Generate server certificates

./easyrsa gen-req server nopass
./easyrsa sign-req server server
3

Generate client certificates

./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
4

Generate Diffie-Hellman parameters

./easyrsa gen-dh

TLS authentication

Add an HMAC authentication layer to protect against DoS attacks: 
# Generate TLS auth key
openvpn --genkey secret ta.key

# Server configuration
tls-auth ta.key 0

# Client configuration
tls-auth ta.key 1
Consider using tls-crypt instead of tls-auth for additional packet encryption:
openvpn --genkey tls-crypt tls-crypt.key

Privilege management

Run OpenVPN with reduced privileges after initialization: 
# In configuration file
user nobody
group nogroup
persist-key
persist-tun

High availability setup

Multiple remote entries

Configure fallback servers for clients: 
remote primary.vpn.example.com 1194 udp
remote secondary.vpn.example.com 1194 udp
remote tertiary.vpn.example.com 1194 tcp
remote-random  # Randomize connection order

Server clustering

For load balancing across multiple servers:
Use a load balancer in front of multiple OpenVPN servers:
  • UDP load balancing requires session affinity
  • TCP connections can use round-robin
  • Share client certificate database across servers
  • Use consistent --server address ranges
Synchronize these files across all servers:
  • Server certificates and keys
  • CA certificates
  • DH parameters
  • TLS auth/crypt keys
  • Client configuration directory (if using --client-config-dir)

Configuration management

Directory structure

Organize configuration files systematically: 
/etc/openvpn/
├── server/
│   ├── server.conf
│   ├── ca.crt
│   ├── server.crt
│   ├── server.key
│   ├── dh.pem
│   ├── ta.key
│   └── ccd/           # Client-specific configs
├── client/
│   ├── client.conf
│   ├── ca.crt
│   ├── client.crt
│   ├── client.key
│   └── ta.key
└── keys/              # Backup keys (secure separately)
Protect private keys with appropriate file permissions:
chmod 600 /etc/openvpn/server/server.key
chown root:root /etc/openvpn/server/server.key

Logging configuration

Set up appropriate logging for production: 
# Log to file
log-append /var/log/openvpn/server.log

# Or use syslog
syslog openvpn-server

# Set verbosity (3 recommended for production)
verb 3

# Limit repeated messages
mute 20

Service management

Systemd integration

Manage OpenVPN as a systemd service: 
# Enable and start server
systemctl enable openvpn-server@server
systemctl start openvpn-server@server

# Check status
systemctl status openvpn-server@server

# View logs
journalctl -u openvpn-server@server -f

Graceful restarts

Reload configuration without disconnecting clients: 
# Send SIGHUP to reload
systemctl reload openvpn-server@server

# Or use kill
kill -HUP $(pgrep openvpn)
SIGHUP causes OpenVPN to reload the configuration and reconnect. For servers, existing client connections will be preserved when possible.

Testing deployment

Crypto self-test

Verify encryption functionality: 
openvpn --genkey secret key
openvpn --test-crypto --secret key

TLS negotiation test

Test SSL/TLS connections using loopback: 
# Terminal 1
openvpn --config sample/sample-config-files/loopback-server

# Terminal 2
openvpn --config sample/sample-config-files/loopback-client
These tests run for 2 minutes and verify TLS negotiation.

Connection verification

After deployment, verify connections:
1

Check process status

ps aux | grep openvpn
systemctl status openvpn-server@server
2

Verify interface creation

ip addr show tun0
ifconfig tun0
3

Test connectivity

# From client, ping server VPN address
ping 10.8.0.1

# Check routing
ip route

Build docs developers (and LLMs) love

Get started for freeTalk to us