
How To Install OpenVPN on openSUSE


Running a self-hosted VPN is one of the most practical things a sysadmin can do. It keeps remote traffic encrypted, secures inter-office connections, and gives you full control over who connects to your infrastructure. If you want to install OpenVPN on openSUSE, you are in the right place.

This guide walks you through the entire process: installing the package, building a full PKI with Easy-RSA, writing a production-ready server configuration, locking down the firewall with firewalld, and connecting your first client. The steps cover both openSUSE Leap 15.x and openSUSE Tumbleweed.

By the end, you will have a working OpenVPN server running on openSUSE that you can use for remote access, site-to-site tunneling, or a secure gateway for developer workstations.

What Is OpenVPN and Why Run It on openSUSE?

OpenVPN is an open-source SSL/TLS VPN solution that operates at OSI layer 2 or layer 3, using the industry-standard OpenSSL library for encryption. It supports routed and bridged configurations, runs over UDP or TCP, and authenticates using certificates, pre-shared keys, or username and password.

openSUSE is a solid choice for hosting OpenVPN. The zypper package manager makes installation straightforward, firewalld integrates cleanly with VPN network interfaces, and openSUSE Leap’s long support cycle means your server stays stable without constant OS upgrades.

Common use cases for this setup include:

  • Remote employee access to a private network
  • Encrypting developer traffic over public Wi-Fi
  • Linking two branch offices over the internet securely
  • Creating a secure test environment accessible from anywhere

Prerequisites

Before you begin the OpenVPN on openSUSE setup, confirm you have the following in place:

  • openSUSE Leap 15.x or Tumbleweed installed on your server
  • Root or sudo access to the server
  • A static public IP address or a domain name pointing to the server
  • Basic comfort using the Linux terminal and zypper
  • Firewall access to open UDP port 1194 (the default OpenVPN port)
  • An internet connection on the server to download packages

If you are on a VPS, also confirm that TUN/TAP kernel drivers are available. Some VPS providers (especially OpenVZ-based ones) disable TUN/TAP by default and you need to enable it from the control panel first.

Step 1: Check TUN/TAP Support

TUN/TAP is a set of virtual network kernel drivers that OpenVPN requires to create tunnel interfaces. Without it, OpenVPN cannot start. Run this command to verify the driver is active:

cat /dev/net/tun

If TUN/TAP is enabled, you will see output like:

cat: /dev/net/tun: File descriptor in bad state

That specific message is actually a good sign. It confirms the device file exists and the driver is loaded. If you get a “No such file or directory” error instead, load the module manually:

modprobe tun

To make TUN load automatically on every boot, add it to the modules load directory:

echo "tun" > /etc/modules-load.d/tun.conf

Step 2: Install OpenVPN on openSUSE

OpenVPN is available in the default openSUSE repositories, so no extra repository is needed. Install it with zypper as root:

zypper in openvpn

Verify the installation worked and check which version is installed:

openvpn --version

You should see output beginning with something like OpenVPN 2.5.x. Now install Easy-RSA, the key management tool that will handle all certificate and PKI operations:

zypper in easy-rsa

Easy-RSA is a wrapper around OpenSSL that simplifies generating a Certificate Authority (CA), server certificates, and client certificates. It also stores all key material in an organized directory structure under /etc/easy-rsa/pki/.

After installation, your primary working directories will be:

  • /etc/openvpn/ for server and client configuration files
  • /etc/easy-rsa/ for the PKI and key generation tools
  • /usr/share/doc/packages/openvpn/ for sample config files

Step 3: Build the PKI with Easy-RSA

A Public Key Infrastructure (PKI) is the certificate system that allows OpenVPN to verify the identity of servers and clients. Every device that connects needs a certificate signed by a shared Certificate Authority (CA). This section builds that entire certificate chain.

3.1 Initialize the PKI Directory

Start by cleaning any previous PKI state and initializing a fresh directory:

easyrsa clean-all

Type yes when prompted. The output confirms the PKI directory is ready at /etc/easy-rsa/pki/.

Before generating any keys, optionally open the vars file and increase the key size to 4096 bits for stronger security:

vim /etc/easy-rsa/vars

Find EASYRSA_KEY_SIZE and change it to 4096. Note that this makes key generation slower, but it does not affect VPN bandwidth. The default of 2048 is acceptable for most environments.

3.2 Build the Certificate Authority

The CA is the root of trust. Every certificate you generate gets signed by this CA. Run:

easyrsa build-ca nopass

The nopass flag skips passphrase protection on the CA key, which is convenient for automation. For production environments with stricter security requirements, remove nopass and set a strong passphrase.

Press Enter to accept the default Common Name or enter your own (e.g., MyVPN-CA). The output ends with:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/easy-rsa/pki/ca.crt

3.3 Generate the Server Certificate and Key

With the CA in place, generate the server’s certificate and private key:

easyrsa build-server-full server

This creates two files under the PKI directory: issued/server.crt (the certificate) and private/server.key (the private key). Easy-RSA asks for a passphrase to encrypt the new private key; because the server is started unattended by systemd in Step 6, append nopass (easyrsa build-server-full server nopass) unless you intend to supply the passphrase at every start. The certificate is valid for 3650 days (10 years) by default.

3.4 Generate Client Certificates

Each client needs its own unique certificate. Sharing certificates between clients is a security risk because you cannot revoke one client without affecting others. Generate a certificate for your first client:

easyrsa build-client-full client1

For additional clients, repeat this with a different name:

easyrsa build-client-full client2

3.5 Generate Diffie-Hellman Parameters

Diffie-Hellman (DH) parameters enable the server to perform cryptographic key exchange with clients. Generate the DH file:

easyrsa gen-dh

This step takes a few minutes on standard hardware. The DH file gets saved to /etc/easy-rsa/pki/dh.pem.

Key Files Reference

Once all certificates are generated, here is a summary of every file, where it goes, and whether it must stay secret. Certificates are written to /etc/easy-rsa/pki/issued/ and private keys to /etc/easy-rsa/pki/private/; ca.crt and dh.pem sit directly in /etc/easy-rsa/pki/.

File          Needed by              Purpose                     Keep secret?
ca.crt        Server + all clients   Root CA certificate         No
ca.key        CA machine only        Root CA private key         Yes
dh.pem        Server only            Diffie-Hellman parameters   No
server.crt    Server only            Server certificate          No
server.key    Server only            Server private key          Yes
client1.crt   Client1 only           Client certificate          No
client1.key   Client1 only           Client private key          Yes

Never transfer any .key file over an unencrypted channel. Treat them like passwords.

Step 4: Configure the OpenVPN Server

Now create the main server configuration file. This file tells OpenVPN which certificates to use, what IP range to assign VPN clients, which port to listen on, and how to handle routing.

4.1 Create the Server Config File

vim /etc/openvpn/server.conf

Paste in the following production-ready configuration:

port 1194
proto udp
dev tun
topology subnet

# Certificates
ca /etc/easy-rsa/pki/ca.crt
cert /etc/easy-rsa/pki/issued/server.crt
key /etc/easy-rsa/pki/private/server.key
dh /etc/easy-rsa/pki/dh.pem

# VPN subnet
server 10.8.0.0 255.255.255.0

# Route all client traffic through VPN
push "redirect-gateway def1"

# DNS servers pushed to clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Security
cipher AES-256-CBC
remote-cert-tls client

# Reduced privileges
user nobody
group nobody

# Keep alive and persistence
keepalive 20 60
comp-lzo
persist-key
persist-tun

# Run as daemon
daemon

# Logging
log-append /var/log/openvpn/openvpn.log
verb 3

Here is what the key directives do:

  • server 10.8.0.0 255.255.255.0 assigns IPs from this subnet to connecting clients
  • push "redirect-gateway def1" forces all client internet traffic through the VPN tunnel
  • cipher AES-256-CBC selects AES-256 in CBC mode for the data channel (Step 8 covers switching to the authenticated AES-256-GCM mode)
  • user nobody / group nobody drops root privileges after startup for security
  • keepalive 20 60 sends a ping every 20 seconds and assumes the connection is dead after 60 seconds of no reply

4.2 Enable IP Forwarding

vim /etc/sysctl.conf

Find or add this line:

net.ipv4.ip_forward = 1

Apply the change immediately without rebooting:

sysctl -p

4.3 Create the Log Directory

mkdir -p /var/log/openvpn

Step 5: Configure the Firewall with firewalld

openSUSE Leap 15.x and Tumbleweed use firewalld by default. You need to open the VPN port, add the tunnel interface to a trusted zone, and enable NAT masquerading so VPN clients can reach the internet.

# Open port 1194/UDP for OpenVPN
firewall-cmd --zone=public --add-service openvpn

# Trust the VPN tunnel interface
firewall-cmd --zone=trusted --add-interface tun0

# Enable masquerading for VPN clients
firewall-cmd --zone=trusted --add-masquerade

# NAT VPN client traffic through the server's network interface
firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# Save all rules permanently
firewall-cmd --runtime-to-permanent

Important: Replace eth0 with your actual network interface name. Run ip a to identify the correct one.

Finally, confirm the rules are in place. Without --zone, firewall-cmd reports the default zone (public here); add --zone=trusted to inspect the tun0 zone:

firewall-cmd --list-all
firewall-cmd --zone=trusted --list-all

Step 6: Start and Enable the OpenVPN Service

openSUSE uses systemd to manage services. OpenVPN uses an instance-based naming convention where @server tells systemd to load /etc/openvpn/server.conf. Start the service:

systemctl start openvpn@server
systemctl enable openvpn@server
systemctl status openvpn@server

You should see Active: active (running) in green. If the service fails to start, check the logs:

journalctl -xe -u openvpn@server

Step 7: Transfer Client Files and Configure the Client

7.1 Transfer Files Securely

Copy the CA certificate, the client certificate and the client private key from the server to the client machine over SSH. Run these on the client (the .key file is readable only by root on the server, so the SSH account needs permission to read it):

scp user@your-server-ip:/etc/easy-rsa/pki/ca.crt ~/myvpn/
scp user@your-server-ip:/etc/easy-rsa/pki/issued/client1.crt ~/myvpn/
scp user@your-server-ip:/etc/easy-rsa/pki/private/client1.key ~/myvpn/

7.2 Create the Client Configuration File

Create ~/myvpn/client.conf with the following contents, replacing YOUR_SERVER_IP with your server's public IP or domain name and the /path/to/ entries with the location of the files you just copied:

client
remote YOUR_SERVER_IP 1194
proto udp
dev tun

ca /path/to/ca.crt
cert /path/to/client1.crt
key /path/to/client1.key

cipher AES-256-CBC
comp-lzo yes
nobind
auth-nocache
script-security 2
persist-key
persist-tun
remote-cert-tls server
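Rather than copying three loose files and hand-editing the /path/to/ lines, the CA certificate, client certificate and client key can be embedded inline in a single .ovpn profile generated on the server. The script below is an added example, not part of the original tutorial; it assumes the Easy-RSA layout used in this guide (/etc/easy-rsa/pki with issued/ and private/ subdirectories), and the function name build_client_profile and the hostname vpn.example.com are mine. Because the profile contains the private key, it is created with mode 0600 and the script refuses to embed a key that other users can read.

```shell
#!/bin/sh
# Build a single-file OpenVPN client profile with ca.crt, NAME.crt and
# NAME.key embedded inline. Added example; assumes the Easy-RSA PKI layout
# from this guide. Run on the server as root (the keys are mode 600).
set -eu

# Print only the BEGIN/END CERTIFICATE block of a PEM file: Easy-RSA
# prepends a human-readable text dump to .crt files, which OpenVPN ignores
# but which bloats the profile.
pem_block() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Usage: build_client_profile NAME SERVER_HOST OUT_FILE [PKI_DIR]
build_client_profile() {
  local name="$1" server="$2" out="$3" pki="${4:-/etc/easy-rsa/pki}"
  local ca="$pki/ca.crt" crt="$pki/issued/$name.crt" key="$pki/private/$name.key"
  local f
  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  # Refuse to embed a private key that is readable by anyone but its owner.
  [ "$(stat -c %a "$key")" = "600" ] || { echo "$key must be mode 600" >&2; return 1; }
  # Subshell so the restrictive umask (profile created 0600) does not leak.
  (
    umask 077
    {
      printf 'client\ndev tun\nproto udp\nremote %s 1194\nnobind\n' "$server"
      printf 'persist-key\npersist-tun\nremote-cert-tls server\n'
      printf 'cipher AES-256-CBC\ncomp-lzo yes\nauth-nocache\nverb 3\n'
      echo '<ca>';   pem_block "$ca";  echo '</ca>'
      echo '<cert>'; pem_block "$crt"; echo '</cert>'
      echo '<key>';  cat "$key";       echo '</key>'
    } > "$out"
  )
}

# When invoked as a script with arguments, build the profile directly, e.g.
#   ./build_profile.sh client1 vpn.example.com /root/client1.ovpn
[ $# -eq 0 ] || build_client_profile "$@"
```

Copy the resulting client1.ovpn to the client with scp and start it with sudo openvpn --config client1.ovpn; no separate ca/cert/key paths are needed.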

7.3 Connect from the Client

Start the client, then confirm the tunnel interface came up and that your public IP address is now the server's:

sudo openvpn --config ~/myvpn/client.conf
ip a show tun0
curl ifconfig.me

Step 8: Harden Your OpenVPN Security

  • Increase key size to 4096 bits: Set EASYRSA_KEY_SIZE to 4096 in /etc/easy-rsa/vars before generating any keys; it has no effect on keys that already exist.
  • Use AES-256-GCM instead of AES-256-CBC: On OpenVPN 2.4+, GCM mode provides authenticated encryption. Replace with cipher AES-256-GCM.
  • Enable TLS authentication: Generate the shared key on the server with openvpn --genkey secret ta.key (openvpn --genkey --secret ta.key on OpenVPN 2.4), then add tls-auth ta.key 0 to server.conf and tls-auth ta.key 1 on clients. The key is a secret: copy it to clients the same way as the .key files.
  • Drop privileges: Confirm user nobody and group nobody are present in server.conf.
  • Disable compression in high-security environments: Remove comp-lzo to prevent CRIME-style attacks.
  • Set up certificate revocation: Run easyrsa gen-crl and add crl-verify /etc/easy-rsa/pki/crl.pem to server.conf. Re-run easyrsa gen-crl after every easyrsa revoke so the CRL the server checks stays current.
  • Keep OpenVPN updated: Run zypper update openvpn regularly to patch known CVEs.

Troubleshooting Common Issues

The OpenVPN service fails to start

Check both the OpenVPN log file and the systemd journal:

tail -50 /var/log/openvpn/openvpn.log
journalctl -xe -u openvpn@server

The most common causes are a wrong file path in server.conf or incorrect permissions on a .key file. Key files should be readable only by root (chmod 600).

TUN device not found

Run modprobe tun and check if /dev/net/tun exists. If you are on a VPS, enable TUN/TAP from the control panel. OpenVZ containers require this step.

Clients connect but cannot reach the internet

sysctl net.ipv4.ip_forward

The output should be 1. If it shows 0, run sysctl -p again after checking /etc/sysctl.conf. Also confirm the MASQUERADE rule references the correct outbound interface.

Certificate verification errors on the client

This almost always means the ca.crt on the client does not match the CA used to sign the server certificate. Copy a fresh ca.crt from the server using SCP and retry.

Firewall blocks VPN traffic after reboot

Confirm you ran firewall-cmd --runtime-to-permanent. Without that command, firewalld rules only persist for the current session.

Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing the OpenVPN server on your openSUSE system. For additional help or useful information, we recommend you check the official OpenVPN website.


r00t

r00t is a dedicated and highly skilled Linux Systems Administrator with over a decade of progressive experience in designing, deploying, and maintaining enterprise-grade Linux infrastructure. His professional journey began in the telecommunications industry, where early exposure to Unix-based operating systems ignited a deep and enduring passion for open-source technologies and server administration. Throughout his career, r00t has demonstrated exceptional proficiency in managing large-scale Linux environments, overseeing more than 300 servers across development, staging, and production platforms while consistently achieving 99.9% system uptime. He holds advanced competencies in Red Hat Enterprise Linux (RHEL), Debian, and Ubuntu distributions, complemented by hands-on expertise in automation tools such as Ansible, Terraform, Bash scripting, and Python.