This guide covers deployment strategies and best practices for running OpenVPN in production environments.
Installation methods
Install from package repositories
Use official OpenVPN repositories for the most up-to-date packages:
# Debian/Ubuntu
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable $( lsb_release -sc ) main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt update && apt install openvpn
# RHEL/CentOS/Fedora
yum install https://swupdate.openvpn.net/repos/openvpn-repo-pkg-key.pub
yum install openvpn
Package repositories are available for CentOS/Fedora, Debian, and Ubuntu. See the OpenvpnSoftwareRepos wiki for details.
Build from source
For custom builds or the latest features:
# From tarball
./configure
make
sudo make install
# From source repository
git clone https://github.com/OpenVPN/openvpn
cd openvpn
autoreconf -i -v -f
./configure
make
sudo make install
Verify installation
Test that OpenVPN is properly installed:
openvpn --version
openvpn --show-ciphers
System requirements
Required components
A virtual network device driver is required for OpenVPN to function. Choose the one for your platform:
Linux 2.6+ : Built-in TUN/TAP driver
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
FreeBSD : TUN/TAP integrated in recent versions
OpenBSD : Dynamically created tun devices
Windows : TAP-Windows adapter included in installers
Linux-specific requirements
On Linux systems, additional libraries are needed:
libnl-gen - Required for kernel netlink support
libcap-ng - Required for Linux capability handling
Optional components
Compression is not supported when using DCO (Data Channel Offload). Use --compress migrate to transition away from compression.
Deployment modes
Server deployment
For multi-client server deployments:
# Basic server configuration
openvpn --config /etc/openvpn/server.conf --daemon
Use systemd or init scripts for automatic startup:
systemctl enable openvpn-server@server
systemctl start openvpn-server@server
Client deployment
For client connections:
# Connect to VPN server
openvpn --config /etc/openvpn/client.conf
Point-to-point deployment
For P2P tunnels without client/server architecture:
# Static key mode
openvpn --remote server.example.com --dev tun --ifconfig 10.4.0.1 10.4.0.2 --secret static.key
P2P mode with DCO requires DATA_V2 support, available in OpenVPN 2.6+. Verify by checking for this line in the log:
P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 9484735, cipher=AES-256-GCM
Security best practices
Certificate management
Generate certificate authority
Create a secure CA for signing certificates:
# Using easy-rsa
git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca
Never use test certificates and keys from OpenVPN distributions in production environments.
Generate server certificates
./easyrsa gen-req server nopass
./easyrsa sign-req server server
Generate client certificates
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
Generate Diffie-Hellman parameters
TLS authentication
Add an HMAC signature to every control-channel packet so that packets without a valid HMAC are dropped before the TLS handshake is processed, which protects against DoS attacks:
# Generate TLS auth key
openvpn --genkey secret ta.key
# Server configuration
tls-auth ta.key 0
# Client configuration
tls-auth ta.key 1
Consider using tls-crypt instead of tls-auth; it authenticates the control channel in the same way and additionally encrypts it:
openvpn --genkey tls-crypt tls-crypt.key
Privilege management
Run OpenVPN with reduced privileges after initialization:
# In configuration file
user nobody
group nogroup
persist-key
persist-tun
High availability setup
Multiple remote entries
Configure fallback servers for clients:
remote primary.vpn.example.com 1194 udp
remote secondary.vpn.example.com 1194 udp
remote tertiary.vpn.example.com 1194 tcp
remote-random # Randomize connection order
Server clustering
For load balancing across multiple servers:
Load balancer configuration
Use a load balancer in front of multiple OpenVPN servers:
UDP load balancing requires session affinity
TCP connections can use round-robin
Share client certificate database across servers
Use consistent --server address ranges
Synchronize these files across all servers:
Server certificates and keys
CA certificates
DH parameters
TLS auth/crypt keys
Client configuration directory (if using --client-config-dir)
Configuration management
Directory structure
Organize configuration files systematically:
/etc/openvpn/
├── server/
│ ├── server.conf
│ ├── ca.crt
│ ├── server.crt
│ ├── server.key
│ ├── dh.pem
│ ├── ta.key
│ └── ccd/ # Client-specific configs
├── client/
│ ├── client.conf
│ ├── ca.crt
│ ├── client.crt
│ ├── client.key
│ └── ta.key
└── keys/ # Backup keys (secure separately)
Protect private keys with appropriate file permissions:
chmod 600 /etc/openvpn/server/server.key
chown root:root /etc/openvpn/server/server.key
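The privilege-management options above and the key-file permissions in this section can be checked before a restart with a short preflight script. This is an added example, not OpenVPN's own tooling; it assumes the directory layout shown above (secrets referenced from server.conf live beside it or are given as absolute paths) and a stat that accepts -c (GNU coreutils or busybox).

```shell
#!/bin/sh
# Preflight check for an OpenVPN server config directory (added example,
# not OpenVPN's own tooling). Assumes secrets referenced in the config sit
# beside it (relative) or are absolute, and GNU/busybox stat (-c).
# Returns 0 when every check passes, 1 when any FAIL line was reported.
check_openvpn_cfg() {
    cfg=$1
    dir=$(dirname "$cfg")
    rc=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }
    # 1. The privilege drop and persist options must all be present.
    for opt in user group persist-key persist-tun; do
        if ! grep -Eq "^[[:space:]]*$opt([[:space:]]|$)" "$cfg"; then
            echo "FAIL: $cfg does not set '$opt'"
            rc=1
        fi
    done
    # 2. Every secret the config names (key, tls-auth, tls-crypt, secret)
    #    must exist and be mode 0600. Ownership is reported as WARN only,
    #    so the check can also run unprivileged against a staging copy.
    for f in $(awk '$1 ~ /^(key|tls-auth|tls-crypt|secret)$/ { print $2 }' "$cfg"); do
        case $f in /*) path=$f ;; *) path=$dir/$f ;; esac
        if [ ! -f "$path" ]; then
            echo "FAIL: referenced file missing: $path"
            rc=1
            continue
        fi
        mode=$(stat -c %a "$path")
        case $mode in
            600|400) ;;
            *) echo "FAIL: $path has mode $mode, expected 600"; rc=1 ;;
        esac
        [ "$(stat -c %U "$path")" = root ] || echo "WARN: $path should be owned by root"
    done
    [ "$rc" -eq 0 ] && echo "OK: $cfg passed preflight"
    return "$rc"
}

# Constructed demo layout (not a real deployment): ta.key is left
# world-readable on purpose so the first run reports a finding.
demo_layout() {
    d=$(mktemp -d)
    printf 'port 1194\nkey server.key\ntls-auth ta.key 0\nuser nobody\n' > "$d/server.conf"
    printf 'group nogroup\npersist-key\npersist-tun\n' >> "$d/server.conf"
    printf 'dummy\n' > "$d/server.key"; chmod 600 "$d/server.key"
    printf 'dummy\n' > "$d/ta.key"; chmod 644 "$d/ta.key"
    echo "$d"
}
# Real use: check_openvpn_cfg /etc/openvpn/server/server.conf
```

Inline `<key>` blocks are not covered by the file check; the option check still applies to them.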
Logging configuration
Set up appropriate logging for production:
# Log to file
log-append /var/log/openvpn/server.log
# Or use syslog
syslog openvpn-server
# Set verbosity (3 recommended for production)
verb 3
# Limit repeated messages
mute 20
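At verb 3 the log above is enough to see tls-auth doing its job: packets that fail the HMAC check are rejected before the TLS handshake, and a burst of those from one address is the event worth counting. The script below is an added example, not part of OpenVPN; it assumes the 2.5+ default timestamp format and the "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]IP:PORT" message that tls-auth logs, and the sample log is constructed, not a real capture.

```shell
#!/bin/sh
# Count HMAC-rejected packets per peer in an OpenVPN server log (added
# example, not part of OpenVPN). With tls-auth configured, a packet whose
# HMAC does not verify is dropped before any TLS processing and logged at
# verb 3 as:
#   TLS Error: cannot locate HMAC in incoming packet from [AF_INET]IP:PORT
# Usage: hmac_failures_by_peer LOGFILE MIN   (LOGFILE may be - for stdin)
# Prints "peer count" lines, highest count first, for peers with >= MIN.
hmac_failures_by_peer() {
    awk -v min="$2" '
        /TLS Error: cannot locate HMAC in incoming packet from \[AF_INET6?\]/ {
            # the peer endpoint is the token right after the address-family tag
            if (match($0, /\[AF_INET6?\][^ ]+/)) {
                peer = substr($0, RSTART, RLENGTH)
                sub(/^\[AF_INET6?\]/, "", peer)
                n[peer]++
            }
        }
        END { for (p in n) if (n[p] >= min) print p, n[p] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample of a verb-3 log (not a real capture): three rejected
# packets from 203.0.113.5, one from 192.0.2.9, one legitimate handshake.
constructed_sample_log() {
    cat <<'EOF'
2024-05-01 10:00:01 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.5:51234
2024-05-01 10:00:02 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.5:51234
2024-05-01 10:00:03 198.51.100.7:40000 TLS: Initial packet from [AF_INET]198.51.100.7:40000, sid=1a2b3c4d 5e6f7a8b
2024-05-01 10:00:04 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.5:51234
2024-05-01 10:00:05 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.9:1194
EOF
}

# Demo: peers with at least two rejections in the sample.
# constructed_sample_log | hmac_failures_by_peer - 2
```

With mute 20 in effect, OpenVPN stops logging consecutive messages of the same category after 20, so a count from one burst caps at 20; treat the threshold as a floor, not an exact rate.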
Service management
Systemd integration
Manage OpenVPN as a systemd service:
# Enable and start server
systemctl enable openvpn-server@server
systemctl start openvpn-server@server
# Check status
systemctl status openvpn-server@server
# View logs
journalctl -u openvpn-server@server -f
Graceful restarts
Reload configuration without disconnecting clients:
# Send SIGHUP to reload
systemctl reload openvpn-server@server
# Or use kill
kill -HUP $(pgrep openvpn)
SIGHUP causes OpenVPN to reload the configuration and reconnect. For servers, existing client connections will be preserved when possible. If several OpenVPN instances are running, pgrep returns all of their PIDs and the kill form restarts every one of them; prefer the systemctl form to target a single instance.
Testing deployment
Crypto self-test
Verify encryption functionality:
openvpn --genkey secret key
openvpn --test-crypto --secret key
TLS negotiation test
Test SSL/TLS connections using loopback:
# Terminal 1
openvpn --config sample/sample-config-files/loopback-server
# Terminal 2
openvpn --config sample/sample-config-files/loopback-client
These tests run for 2 minutes and verify TLS negotiation.
Connection verification
After deployment, verify connections:
Check process status
ps aux | grep openvpn
systemctl status openvpn-server@server
Verify interface creation
ip addr show tun0
ifconfig tun0
Test connectivity
# From client, ping server VPN address
ping 10.8.0.1
# Check routing
ip route