How to Set Up a VPN Server on Linux

A VPN (Virtual Private Network) provides an encrypted connection between your devices and a VPN server, which then forwards your traffic to the internet. By running your own server with OpenVPN, you control that endpoint: you can keep your traffic private on untrusted networks, bypass content restrictions, and protect your data from unauthorized access. This guide walks you through setting up an OpenVPN server on a Linux system.

Using OpenVPN

Step 1: Open Terminal

Open the terminal by pressing Ctrl + Alt + T on your keyboard or by searching for it in the applications menu.

Step 2: Install OpenVPN and Easy-RSA

On Debian/Ubuntu-based systems:

sudo apt update && sudo apt install openvpn easy-rsa

On Fedora/RPM-based systems:

sudo dnf update && sudo dnf install openvpn easy-rsa

Step 3: Set Up Certificate Authority (CA)

A Certificate Authority (CA) is necessary to generate and sign certificates for your VPN server and clients. To set up a CA, follow these steps:

Create a directory for your CA:

mkdir -p ~/easy-rsa && cp -r /usr/share/easy-rsa/* ~/easy-rsa/

Edit the vars file to customize your CA:

nano ~/easy-rsa/vars

Modify the following lines to match your organization’s information:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="YourOrganization"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"

Save the file and exit the text editor.

Initialize the CA and generate the necessary files:

cd ~/easy-rsa && source ./vars && ./clean-all && ./build-ca

Step 4: Create Server Certificate and Key

To create the server certificate and key, execute the following command:

./build-key-server server

When prompted, confirm that you want to sign the certificate and commit the changes.

Step 5: Generate Diffie-Hellman Parameters

Diffie-Hellman parameters are used in the key exchange that establishes the encrypted session between the server and each client. Generate the parameters with this command:

./build-dh

Step 6: Configure OpenVPN Server

Copy the necessary files to the OpenVPN directory:

sudo cp ~/easy-rsa/keys/{ca.crt,server.crt,server.key,dh.pem} /etc/openvpn/

Create a new OpenVPN server configuration file:

sudo nano /etc/openvpn/server.conf

This example uses nano. You can use the text editor of your choice.

Add the following lines to the file:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Save the file and exit the text editor.

Step 7: Enable IP Forwarding

To allow VPN traffic to be forwarded between the server and clients, enable IP forwarding:

sudo nano /etc/sysctl.conf

Uncomment or add the following line:

net.ipv4.ip_forward = 1

Save the file and exit the text editor. Apply the changes with the following command:

sudo sysctl -p

Step 8: Configure Firewall Rules

Adjust your firewall settings to allow VPN traffic and enable NAT for IP forwarding:

On Debian/Ubuntu-based systems:

sudo ufw allow 1194/udp && sudo nano /etc/ufw/before.rules

Add the following lines at the beginning of the file:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Replace eth0 with the name of your network interface, if necessary. Save the file and exit the text editor.

On Fedora/RPM-based systems:

sudo firewall-cmd --add-service=openvpn && sudo firewall-cmd --add-masquerade && sudo firewall-cmd --permanent --add-service=openvpn && sudo firewall-cmd --permanent --add-masquerade
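
The source range in the NAT rule should be exactly the subnet declared by the server directive in server.conf; a wider range masquerades address space that does not belong to the VPN. The script below is an added example, not part of the original guide: it derives the CIDR from server.conf and checks a rules file against it. The function names and the sample files are constructed for illustration.

```shell
# Added example (not from the original guide): check that the NAT rule's
# source range equals the subnet declared by "server" in server.conf.

# Convert a dotted netmask (255.255.255.0) to a prefix length (24).
# Fails on malformed or non-contiguous masks.
mask_to_prefix() {
    prefix=0; partial=0
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0) bits=0 ;; *) return 1 ;;
        esac
        # Once an octet is not 255, every later octet must be 0.
        if [ "$partial" -eq 1 ] && [ "$bits" -ne 0 ]; then return 1; fi
        [ "$bits" -eq 8 ] || partial=1
        prefix=$((prefix + bits))
    done
    echo "$prefix"
}

# Print the tunnel subnet in CIDR form, e.g. 10.8.0.0/24.
vpn_cidr() {
    line=$(grep -E '^[[:space:]]*server[[:space:]]' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    set -- $line
    prefix=$(mask_to_prefix "$3") || return 1
    echo "$2/$prefix"
}

# Succeed only if a MASQUERADE rule in the rules file uses that exact CIDR.
nat_matches() {
    cidr=$(vpn_cidr "$1") || return 1
    grep -F -- "-s $cidr " "$2" | grep -q -- '-j MASQUERADE'
}

# Constructed sample input: the guide's server line and two candidate rules.
demo=$(mktemp -d)
echo 'server 10.8.0.0 255.255.255.0' > "$demo/server.conf"
echo '-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE' > "$demo/good.rules"
echo '-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE' > "$demo/wide.rules"
for f in good wide; do
    nat_matches "$demo/server.conf" "$demo/$f.rules" \
        && echo "$f.rules: matches" || echo "$f.rules: does not match VPN subnet"
done
```

On a real server, call nat_matches with /etc/openvpn/server.conf and /etc/ufw/before.rules.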

Step 9: Start and Enable OpenVPN Service

Start and enable the OpenVPN service:

sudo systemctl start openvpn@server && sudo systemctl enable openvpn@server

Step 10: Create Client Certificates and Configuration Files

For each client that will connect to your VPN server, create a client certificate and configuration file:

Generate a client certificate:

cd ~/easy-rsa && ./build-key client1

Replace client1 with a unique name for each client.

Create a client configuration file:

sudo mkdir -p /etc/openvpn/client-configs && sudo nano /etc/openvpn/client-configs/client1.ovpn

Add the following lines to the file:

client
dev tun
proto udp
remote YourServerPublicIP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
<ca>

Copy the contents of ca.crt from ~/easy-rsa/keys/ca.crt and paste it after the <ca> line. Add the following lines:

</ca>
<cert>

Copy the contents of client1.crt from ~/easy-rsa/keys/client1.crt and paste it after the <cert> line.

Add the following lines:

</cert>
<key>

Copy the contents of client1.key from ~/easy-rsa/keys/client1.key and paste it after the <key> line.

Add the following line:

</key>

Save the file and exit the text editor.
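
The copy-and-paste assembly above can be scripted. This added example (not from the original guide) builds the same profile from the three files in the keys directory and writes it readable by its owner only, since it embeds the client's private key. The function name build_ovpn and the placeholder PEM files are hypothetical and constructed for illustration.

```shell
# Added example, not from the original guide.
# Usage: build_ovpn <client-name> <server-address> <keys-dir> <output-dir>
build_ovpn() {
    name=$1; server=$2; keys=$3; out=$4/$1.ovpn
    # Refuse to emit a partial profile if any input is missing or empty.
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    (
        # The profile embeds the private key: recreate it owner-only (0600).
        umask 077
        rm -f "$out"
        {
            printf '%s\n' client 'dev tun' 'proto udp' "remote $server 1194" \
                'resolv-retry infinite' nobind persist-key persist-tun \
                'remote-cert-tls server' 'cipher AES-256-CBC' 'verb 3'
            printf '<ca>\n'; cat "$keys/ca.crt"; printf '</ca>\n'
            # The .crt may carry a human-readable dump before the PEM block;
            # keep only the certificate itself.
            printf '<cert>\n'
            sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
                "$keys/$name.crt"
            printf '</cert>\n'
            printf '<key>\n'; cat "$keys/$name.key"; printf '</key>\n'
        } > "$out"
    ) || return 1
    echo "$out"
}

# Constructed placeholder inputs (not real key material) to exercise the function.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' \
    '-----END CERTIFICATE-----' > "$demo/ca.crt"
printf '%s\n' 'Certificate:' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT' \
    '-----END CERTIFICATE-----' > "$demo/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' \
    '-----END PRIVATE KEY-----' > "$demo/client1.key"
build_ovpn client1 YourServerPublicIP "$demo" "$demo"
```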

Step 11: Distribute Client Configuration Files

Distribute the client configuration files to your clients. Each file contains that client's private key, so transfer it over a secure channel. Clients can use these files to connect to the VPN server using an OpenVPN client application.

Conclusion

You have now successfully set up an OpenVPN server on your Linux system. By following this guide, you can provide secure, encrypted connections for your devices and protect your data from unauthorized access.
