
How To Install OpenVPN Server on AlmaLinux 10


Setting up a secure VPN server gives you complete control over your online privacy and enables secure remote access to your network resources. OpenVPN stands as one of the most trusted open-source VPN solutions, offering robust encryption and cross-platform compatibility. AlmaLinux 10, with its enterprise-grade stability and enhanced security features including post-quantum cryptography support and Secure Boot capabilities, provides an ideal foundation for hosting your OpenVPN server. This comprehensive guide walks you through every step of installing and configuring OpenVPN on AlmaLinux 10, from initial setup to client connectivity, ensuring you can establish a fully functional VPN infrastructure.

Prerequisites and Requirements

Before diving into the installation process, ensure your system meets the necessary requirements. You’ll need an AlmaLinux 10 server with root or sudo privileges and at least 1GB of RAM with 10GB of available disk space. A static public IP address or properly configured dynamic DNS is essential for reliable client connections. Basic familiarity with Linux command-line operations and networking concepts will help you navigate this tutorial smoothly.

Your firewall must allow traffic on UDP port 1194, which serves as OpenVPN’s default port, though you can customize this later. Secure SSH access to your server is required for remote configuration. Having these prerequisites in place ensures a smooth installation experience without interruptions.

Understanding OpenVPN Architecture

OpenVPN operates on a client-server model where the server authenticates clients and manages encrypted tunnels for secure data transmission. Unlike legacy VPN protocols, OpenVPN leverages SSL/TLS for establishing secure connections, making it highly resistant to various attack vectors and capable of traversing NAT and firewalls effectively.

The system relies on Public Key Infrastructure (PKI) for authentication. Each server and client possesses unique certificates signed by a Certificate Authority (CA), ensuring that only authorized devices can connect. This certificate-based approach provides superior security compared to simple password authentication methods.

When selecting between UDP and TCP, UDP typically delivers better performance due to lower overhead, making it the right choice for most VPN deployments. The AES-256-GCM cipher has become the encryption standard in 2025; as an authenticated encryption with associated data (AEAD) mode it provides confidentiality and integrity protection in a single operation, so tampered packets are rejected rather than decrypted.

Step 1: Update System and Prepare Environment

Begin by ensuring your AlmaLinux 10 system runs the latest packages and security updates. Open your terminal and execute:

sudo dnf update -y

This command refreshes your package repositories and installs available updates. Verify your AlmaLinux version to confirm you’re running version 10:

cat /etc/almalinux-release

Check your server’s public IP address, which you’ll need for client configuration:

curl -4 icanhazip.com

Install essential dependencies required for the installation process:

sudo dnf install -y wget curl nano tar net-tools

Enable IP forwarding to allow your VPN server to route traffic between clients and the internet. This critical step ensures proper packet forwarding:

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf

Apply the changes immediately without rebooting:

sudo sysctl -p

Document your server’s public IP address in a secure location. You’ll reference it multiple times during client configuration.

Step 2: Install EPEL Repository

The Extra Packages for Enterprise Linux (EPEL) repository provides additional software packages not included in the standard AlmaLinux repositories. OpenVPN and its dependencies require EPEL for installation.

Install the EPEL repository:

sudo dnf install epel-release -y

Verify the EPEL repository appears in your system’s repository list:

dnf repolist

You should see epel listed among the enabled repositories. Update the repository cache to ensure your system recognizes newly available packages:

sudo dnf makecache

Step 3: Install OpenVPN and Easy-RSA

With EPEL configured, proceed to install OpenVPN and Easy-RSA, the certificate management utility:

sudo dnf install -y openvpn easy-rsa

This command installs both packages along with their dependencies. Confirm successful installation by checking the OpenVPN version:

openvpn --version

The output displays version information and compiled-in features. Verify that systemd recognizes OpenVPN services:

systemctl list-unit-files | grep openvpn

Install additional network management tools for firewall configuration:

sudo dnf install -y iptables-services

Easy-RSA simplifies PKI management by providing scripts that generate and sign certificates without requiring deep cryptography knowledge. The package installs to /usr/share/easy-rsa/ by default.

Step 4: Set Up Easy-RSA and Build Certificate Authority

Create a dedicated directory structure for Easy-RSA to maintain organized certificate management:

mkdir -p ~/easy-rsa
cp -r /usr/share/easy-rsa/3/* ~/easy-rsa/
cd ~/easy-rsa

Initialize the PKI directory structure that stores all certificates and keys:

./easyrsa init-pki

Configure your certificate details by creating a vars file. This file defines default values for certificate fields:

nano ~/easy-rsa/vars

Add the following configuration, customizing values to match your organization:

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "California"
set_var EASYRSA_REQ_CITY       "San Francisco"
set_var EASYRSA_REQ_ORG        "YourOrganization"
set_var EASYRSA_REQ_EMAIL      "admin@example.com"
set_var EASYRSA_REQ_OU         "IT Department"
set_var EASYRSA_ALGO           "ec"
set_var EASYRSA_DIGEST         "sha512"

Build your Certificate Authority, which serves as the trusted root for all certificates:

./easyrsa build-ca

The system prompts for a CA passphrase. Choose a strong password and store it securely—you’ll need it when signing certificates. You can also set a common name for your CA or press Enter to accept the default.

The CA certificate validates all server and client certificates, forming the foundation of your VPN’s trust model.

Step 5: Generate Server Certificate and Key

Generate a certificate request for your VPN server without a passphrase (the nopass option prevents password prompts during server startup):

./easyrsa gen-req server nopass

Press Enter to accept the default common name “server” or specify a custom name. Sign the server certificate using your CA:

./easyrsa sign-req server server

Enter your CA passphrase when prompted and type “yes” to confirm certificate signing. Generate Diffie-Hellman parameters, which enable secure key exchange:

./easyrsa gen-dh

This process may take several minutes depending on your server’s processing power. Create a TLS authentication key for an additional security layer:

openvpn --genkey --secret ~/easy-rsa/pki/ta.key

Copy all generated certificates and keys to OpenVPN’s server directory:

sudo cp ~/easy-rsa/pki/ca.crt /etc/openvpn/server/
sudo cp ~/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
sudo cp ~/easy-rsa/pki/private/server.key /etc/openvpn/server/
sudo cp ~/easy-rsa/pki/dh.pem /etc/openvpn/server/
sudo cp ~/easy-rsa/pki/ta.key /etc/openvpn/server/

Secure these sensitive files by restricting permissions:

sudo chmod 600 /etc/openvpn/server/*.key

Step 6: Create OpenVPN Server Configuration File

Create the main server configuration file that defines how your VPN operates:

sudo nano /etc/openvpn/server/server.conf

Add the following comprehensive configuration:

# Network Settings
port 1194
proto udp
dev tun

# SSL/TLS Settings
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0

# Encryption Settings
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2

# Network Configuration
server 10.8.0.0 255.255.255.0
topology subnet

# Push Routes to Clients
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Client Connection Settings
keepalive 10 120
max-clients 100

# Security and Privileges
user nobody
group nobody
persist-key
persist-tun

# Logging
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20

Save and exit the file. Understanding key directives helps you customize your setup:

  • server 10.8.0.0 255.255.255.0: Defines the VPN subnet assigned to clients
  • push "redirect-gateway": Routes all client traffic through the VPN tunnel
  • cipher AES-256-GCM: Implements 2025’s recommended encryption standard
  • user nobody and group nobody: Drop privileges after initialization, enhancing security
  • keepalive 10 120: Maintains connection stability by sending a ping every 10 seconds and restarting the tunnel after 120 seconds without a reply

Create the logging directory:

sudo mkdir -p /var/log/openvpn

Step 7: Configure Network Routing and NAT

Enable Network Address Translation (NAT) to allow VPN clients to access the internet through your server. Determine your primary network interface:

ip route | grep default

The output shows your default interface, typically eth0, ens3, or similar. Create a routing script:

sudo nano /etc/openvpn/server/route-up.sh

Add the following iptables rules, replacing eth0 with your actual interface name:

#!/bin/bash
# Replace eth0 with the interface shown by "ip route | grep default".
WAN=eth0
# ensure: add a rule only if an identical one is not already present (-C), so re-runs do not stack duplicates
ensure() { iptables "${@/-A/-C}" 2>/dev/null || iptables "$@"; }
ensure -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$WAN" -j MASQUERADE
ensure -A FORWARD -i tun0 -o "$WAN" -j ACCEPT
ensure -A FORWARD -i "$WAN" -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Make the script executable:

sudo chmod +x /etc/openvpn/server/route-up.sh

These rules enable IP masquerading, so VPN client traffic appears to originate from your server’s public IP, and the FORWARD rules permit bidirectional traffic between the VPN tunnel and your network interface. Note that OpenVPN does not run this script on its own: either run it manually after the service starts, or reference it from server.conf with an up directive (which also requires script-security 2). Step 8 achieves the same NAT through firewalld, which manages the ruleset on AlmaLinux, so treat this script as an alternative and avoid applying both.

Step 8: Configure Firewall Rules

AlmaLinux 10 uses firewalld by default for managing firewall rules. Configure it to allow OpenVPN traffic:

sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --add-port=1194/udp

Designate the VPN interface as trusted:

sudo firewall-cmd --permanent --zone=trusted --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0

Enable masquerading for NAT functionality:

sudo firewall-cmd --permanent --add-masquerade

Apply all changes by reloading the firewall:

sudo firewall-cmd --reload

Verify your firewall configuration:

sudo firewall-cmd --list-all

The output should display OpenVPN service and UDP port 1194 among allowed services and ports.

Step 9: Start and Enable OpenVPN Service

Launch your OpenVPN server using systemd:

sudo systemctl start openvpn-server@server

The @server portion references your configuration file name (server.conf). Enable automatic startup on system boot:

sudo systemctl enable openvpn-server@server

Check the service status to confirm successful operation:

sudo systemctl status openvpn-server@server

A green “active (running)” status indicates successful startup. Verify the TUN interface creation:

ip addr show tun0

You should see the tun0 interface with IP address 10.8.0.1. Confirm OpenVPN listens on the configured port:

sudo ss -tulpn | grep 1194

Monitor real-time logs for any issues:

sudo tail -f /var/log/openvpn/openvpn.log

Press Ctrl+C to exit log monitoring. If you encounter errors, check certificate paths, permissions, and configuration syntax.

Step 10: Generate Client Certificates

Each VPN client requires unique certificates for authentication. Navigate to your Easy-RSA directory:

cd ~/easy-rsa

Generate a certificate request for your first client:

./easyrsa gen-req client1 nopass

The nopass option creates a certificate without a password, simplifying client configuration. Sign the client certificate:

./easyrsa sign-req client client1

Enter your CA passphrase and confirm signing by typing “yes”. For additional clients, repeat these steps with unique names like client2, client3, etc.

Organize client files in a dedicated directory:

mkdir -p ~/client-configs/keys
chmod 700 ~/client-configs/keys

Copy necessary files for client distribution:

cp ~/easy-rsa/pki/ca.crt ~/client-configs/keys/
cp ~/easy-rsa/pki/issued/client1.crt ~/client-configs/keys/
cp ~/easy-rsa/pki/private/client1.key ~/client-configs/keys/
cp ~/easy-rsa/pki/ta.key ~/client-configs/keys/

Maintain a log of issued certificates for tracking and potential revocation needs. Never reuse client certificates across multiple devices—generate unique certificates for each device to maintain security and enable selective revocation.

Step 11: Create Client Configuration File

Build a base client configuration template:

nano ~/client-configs/base.conf

Add the following configuration, replacing YOUR_SERVER_IP with your actual server public IP. The tls-auth key is not referenced here as a separate file: the make_config.sh script below embeds ta.key in the .ovpn file, and key-direction 1 tells the client to use the opposite key half from the server’s tls-auth ta.key 0:

client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
key-direction 1

Create a script to generate unified .ovpn files with embedded certificates:

nano ~/client-configs/make_config.sh

Add this script content:

#!/bin/bash
# Build a single client .ovpn file by appending the CA certificate, the
# client certificate and key, and the tls-auth key inline to base.conf.
# Usage: ./make_config.sh <client-name>
set -euo pipefail

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

if [ $# -ne 1 ]; then
    echo "usage: $0 <client-name>" >&2
    exit 1
fi
CLIENT="$1"

# Refuse to continue if any input is missing rather than emitting a broken file.
for f in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/${CLIENT}.crt" \
         "${KEY_DIR}/${CLIENT}.key" "${KEY_DIR}/ta.key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; exit 1; }
done

mkdir -p "${OUTPUT_DIR}"
# The output contains a private key, so create it readable only by the owner.
umask 077

cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${CLIENT}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${CLIENT}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${CLIENT}.ovpn"

echo "wrote ${OUTPUT_DIR}/${CLIENT}.ovpn"

Make the script executable:

chmod +x ~/client-configs/make_config.sh

Generate your first client configuration:

cd ~/client-configs
./make_config.sh client1

The resulting client1.ovpn file in ~/client-configs/files/ contains everything needed for client connection. Transfer this file securely to your client device using SCP, SFTP, or encrypted email:

scp ~/client-configs/files/client1.ovpn user@client-machine:/path/to/destination/

Never transmit .ovpn files over unencrypted channels—they contain sensitive private keys.

Step 12: Connect from Client Devices

Windows Client Setup

Download OpenVPN GUI from the official OpenVPN website. Install the application with administrator privileges. Copy your client1.ovpn file to:

C:\Program Files\OpenVPN\config\

Right-click the OpenVPN GUI system tray icon and select “Connect.” The connection establishes within seconds, displaying a green icon upon success.

Linux Client Setup

Install OpenVPN on your client system:

# Debian/Ubuntu
sudo apt install openvpn

# Fedora/AlmaLinux
sudo dnf install openvpn

Connect using the command line:

sudo openvpn --config client1.ovpn

For graphical management, install NetworkManager OpenVPN plugin:

sudo apt install network-manager-openvpn-gnome

Import your configuration through NetworkManager’s VPN settings.

macOS Client Setup

Install Tunnelblick or OpenVPN Connect from the App Store. Drag your .ovpn file onto the Tunnelblick icon or import it through the OpenVPN Connect interface. Click “Connect” to establish the VPN tunnel.

Mobile Devices

Download OpenVPN Connect from Google Play Store or Apple App Store. Import your configuration file by selecting “Import” and choosing your .ovpn file, or generate a QR code for easy transfer. Tap the connection toggle to connect instantly.

Step 13: Verify VPN Connection

Once connected, verify your VPN functions correctly. Check your public IP address:

curl ifconfig.me

The returned IP should match your VPN server’s public IP, confirming traffic routes through the tunnel. Test DNS resolution:

nslookup google.com

Visit DNS leak test websites to ensure your DNS queries don’t bypass the VPN tunnel. On your server, monitor active connections:

sudo cat /var/log/openvpn/openvpn-status.log

This file lists connected clients with their virtual IP addresses and connection times. Ping the VPN gateway from your client:

ping 10.8.0.1

Successful replies confirm proper tunnel configuration and routing.
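The status file written by the status directive in Step 6 is easier to audit with a small parser than with cat. The following is an added example, not part of the original tutorial or of OpenVPN: it joins the file’s CLIENT LIST and ROUTING TABLE sections and flags any connected Common Name that is missing from the issued-certificate log kept in Step 10. The status text and the issued-certificate set are constructed sample data, and the script name vpn_status.py is hypothetical.

```python
import sys

# Constructed sample in the default (version 1) layout of the file written by
# the "status" directive; not captured from a real server.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun  5 10:00:00 2025
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:51820,12345,67890,Thu Jun  5 09:50:00 2025
laptop-old,198.51.100.7:40001,2222,3333,Thu Jun  5 09:55:00 2025
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,client1,203.0.113.10:51820,Thu Jun  5 09:59:00 2025
10.8.0.3,laptop-old,198.51.100.7:40001,Thu Jun  5 09:59:30 2025
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Constructed stand-in for the log of issued client certificates kept in Step 10.
ISSUED = {"client1", "client2"}

SECTION_HEADERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_sections(text):
    """Split the status file into {section name: [row dict, ...]}."""
    sections, current, header = {}, None, None
    for line in text.splitlines():
        if line in SECTION_HEADERS:
            current, header = line, None
            sections[current] = []
            continue
        # Skip the Updated stamp and the key/value lines of GLOBAL STATS.
        if current is None or current == "GLOBAL STATS" or line.startswith("Updated,"):
            continue
        fields = line.split(",")
        if header is None:          # first data line of a section is its column header
            header = fields
        else:
            sections[current].append(dict(zip(header, fields)))
    return sections


def connected_clients(text, issued=ISSUED):
    """Join CLIENT LIST and ROUTING TABLE on (Common Name, Real Address); mark unknown CNs."""
    s = parse_sections(text)
    virtual = {(r["Common Name"], r["Real Address"]): r["Virtual Address"]
               for r in s.get("ROUTING TABLE", [])}
    return [{"cn": c["Common Name"], "real": c["Real Address"],
             "virtual": virtual.get((c["Common Name"], c["Real Address"])),
             "since": c["Connected Since"], "known": c["Common Name"] in issued}
            for c in s.get("OpenVPN CLIENT LIST", [])]


if __name__ == "__main__":
    # Usage: python3 vpn_status.py [/var/log/openvpn/openvpn-status.log]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    for c in connected_clients(data):
        flag = "" if c["known"] else "   <-- not in issued-certificate log"
        print(f"{c['cn']:<12} {c['virtual'] or '-':<10} {c['real']:<22} since {c['since']}{flag}")
```

Run it against the real status file on the server with sudo; a Common Name you do not recognise means a certificate was issued outside your tracked process and is a candidate for the revocation procedure in Step 14.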

Step 14: Security Hardening Best Practices

Enhance your VPN security beyond the basic configuration. Consider replacing tls-auth with tls-crypt, which encrypts the control channel in addition to authenticating it, so certificate details and handshake metadata are not visible to a passive observer. Generate the key:

openvpn --genkey --secret ~/easy-rsa/pki/tls-crypt.key

Copy tls-crypt.key to /etc/openvpn/server/, then replace the tls-auth ta.key 0 line in server.conf with the directive below. Clients must be changed to match: on their side tls-crypt replaces both tls-auth and key-direction (tls-crypt has no key direction), so regenerate and redistribute their .ovpn files with the new key:

tls-crypt tls-crypt.key

Regularly update OpenVPN and system packages:

sudo dnf update openvpn

Implement certificate revocation capabilities. When you need to revoke a compromised certificate:

cd ~/easy-rsa
./easyrsa revoke client1
./easyrsa gen-crl

Copy the Certificate Revocation List to your OpenVPN directory:

sudo cp ~/easy-rsa/pki/crl.pem /etc/openvpn/server/

Add the following to server.conf and restart the service. OpenVPN re-reads the CRL on every new connection after it has dropped privileges to nobody, so the copied file must stay readable by that user; later revocations only require regenerating crl.pem and copying it into place again:

crl-verify crl.pem

Install and configure fail2ban to protect against brute force attacks:

sudo dnf install fail2ban
sudo systemctl enable --now fail2ban

Monitor your logs regularly for unauthorized access attempts:

sudo grep -i 'failed\|error\|authentication' /var/log/openvpn/openvpn.log
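The grep above finds failure lines but says nothing about their rate or source. As an added example (not OpenVPN or fail2ban code, and not from the original tutorial), the following script groups failed handshakes by source address within a time window, the kind of signal a fail2ban jail acts on, and lists revoked certificates that are still trying to connect after the revocation procedure above. The log lines are constructed; exact message wording varies between OpenVPN versions, and the script name vpn_failures.py is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/openvpn/openvpn.log at verb 3 with log-append;
# exact message wording differs between OpenVPN versions.
SAMPLE_LOG = """\
Thu Jun  5 10:00:01 2025 203.0.113.10:51820 TLS: Initial packet from [AF_INET]203.0.113.10:51820, sid=1a2b3c4d 5e6f7a8b
Thu Jun  5 10:00:01 2025 203.0.113.10:51820 VERIFY OK: depth=1, CN=Easy-RSA CA
Thu Jun  5 10:00:02 2025 203.0.113.10:51820 VERIFY ERROR: depth=0, error=certificate revoked: CN=client1
Thu Jun  5 10:00:02 2025 203.0.113.10:51820 TLS Error: TLS handshake failed
Thu Jun  5 10:00:31 2025 203.0.113.10:51820 TLS Error: TLS handshake failed
Thu Jun  5 10:01:01 2025 203.0.113.10:51820 TLS Error: TLS handshake failed
Thu Jun  5 10:01:05 2025 198.51.100.7:40001 Authenticate/Decrypt packet error: packet HMAC authentication failed
Thu Jun  5 10:01:09 2025 192.0.2.44:61000 [client2] Peer Connection Initiated with [AF_INET]192.0.2.44:61000
"""

# ctime-style timestamp written by log-append, then the peer's address:port, then the message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<ip>[\d.]+):\d+ (?P<msg>.*)$")
# Substrings that mark a failed handshake or authentication (tls-auth HMAC, revoked or bad cert).
FAILURE_MARKERS = ("TLS Error:", "VERIFY ERROR:", "HMAC authentication failed", "AUTH_FAILED")


def parse_failures(text):
    """Yield (timestamp, source ip, message) for every failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and any(marker in m["msg"] for marker in FAILURE_MARKERS):
            yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"], m["msg"]


def offenders(text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: total failures} for sources with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(text):
        by_ip[ip].append(ts)
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                result[ip] = len(times)
                break
    return result


def revoked_attempts(text):
    """Return the CNs of revoked certificates that are still trying to connect."""
    return sorted({re.search(r"CN=([^,\s]+)", msg).group(1)
                   for _, _, msg in parse_failures(text)
                   if "certificate revoked" in msg and "CN=" in msg})


if __name__ == "__main__":
    # Usage: python3 vpn_failures.py [/var/log/openvpn/openvpn.log]
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, n in offenders(data).items():
        print(f"{ip}: {n} failed handshakes, candidate for a fail2ban ban")
    for cn in revoked_attempts(data):
        print(f"revoked certificate still in use: {cn}")
```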

Consider implementing two-factor authentication using plugins like openvpn-auth-pam for enterprise environments requiring additional security layers.

Troubleshooting Common Issues

Service Fails to Start

Test your configuration by running OpenVPN in the foreground with the service stopped, so the two do not contend for port 1194. The --cd option makes the relative certificate paths in server.conf resolve, just as the systemd unit does:

sudo openvpn --cd /etc/openvpn/server --config server.conf

Review systemd journal entries for specific errors:

sudo journalctl -xe -u openvpn-server@server

Verify all certificate paths exist and permissions are correct:

ls -la /etc/openvpn/server/

Client Cannot Connect

Test whether the port is reachable from an external network. OpenVPN here runs over UDP, so telnet (a TCP tool) cannot test it; use nmap’s UDP scan instead. A result of open|filtered means no reply was received, which is normal for OpenVPN with tls-auth because unauthenticated packets are silently dropped, while closed means an ICMP port-unreachable came back and nothing is listening:

sudo nmap -sU -p 1194 YOUR_SERVER_IP

Confirm your firewall allows traffic. Check for typos in the client configuration file, particularly the server IP address and port number.

No Internet Access Through VPN

Verify IP forwarding is enabled:

cat /proc/sys/net/ipv4/ip_forward

The output should be 1. Review your NAT rules:

sudo iptables -t nat -L -n -v

Ensure you see MASQUERADE rules for your VPN subnet. Confirm DNS servers are correctly pushed to clients by checking client logs.

SELinux Issues on AlmaLinux 10

AlmaLinux 10 includes enhanced SELinux policies. If you encounter permission errors, check SELinux status:

getenforce

Review recent SELinux denials:

sudo ausearch -m avc -ts recent

For persistent issues, you may need to create custom SELinux policies or temporarily set SELinux to permissive mode for testing (not recommended for production):

sudo setenforce 0

Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing the OpenVPN server on your AlmaLinux OS 10 system. For additional help or useful information, we recommend you check the official OpenVPN website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.