How To Install OpenVPN Server on Fedora 43

Setting up a secure VPN server gives you complete control over your network privacy and remote access capabilities. OpenVPN remains one of the most trusted and widely-deployed VPN solutions, offering robust encryption, cross-platform compatibility, and flexible configuration options. This comprehensive guide walks you through installing and configuring an OpenVPN server on Fedora 43, from initial setup to client connectivity and security hardening. By following these detailed instructions, you’ll create a fully functional VPN infrastructure that protects your data and enables secure remote access to your network.

What is OpenVPN and Why Use It?

OpenVPN is an open-source VPN protocol that creates secure point-to-point or site-to-site connections using SSL/TLS encryption. Unlike proprietary solutions, OpenVPN provides complete transparency through its open-source codebase, allowing security audits and community-driven improvements.

The platform supports industry-standard encryption algorithms including AES-256, ensuring your data remains protected against interception. OpenVPN works seamlessly across Linux, Windows, macOS, Android, and iOS devices, making it ideal for heterogeneous environments. The protocol operates over TCP or UDP, with UDP typically offering better performance for real-time applications.

Common use cases include securing remote work connections, protecting traffic on public Wi-Fi networks, creating encrypted tunnels between office locations, and accessing geo-restricted content. Compared to alternatives like WireGuard and IPsec, OpenVPN offers superior flexibility in complex network scenarios and works reliably through restrictive firewalls and NAT configurations.

Prerequisites and System Requirements

Before beginning the installation, ensure your Fedora 43 system meets these requirements. You’ll need a fresh or existing Fedora 43 installation with root or sudo privileges. The server should have at least 1GB of RAM and 10GB of available storage space for optimal performance.

A static IP address or dynamic DNS configuration is essential for clients to reliably connect to your VPN server. You’ll also need the ability to configure firewall rules and port forwarding if your server sits behind a router. Basic command-line familiarity helps you navigate the terminal efficiently during setup.

Fedora systems use SELinux by default, which may require additional configuration steps. Keep this in mind as you progress through the installation. Finally, ensure you have a stable internet connection for downloading packages and testing connectivity.

Step 1: Update Your Fedora 43 System

Start by updating all system packages to their latest versions. Open your terminal and execute:

sudo dnf update -y

This command refreshes the package repository cache and upgrades all installed packages, ensuring you have the latest security patches and bug fixes. The update process may take several minutes depending on how many packages require upgrades.

If kernel updates are installed, reboot your system to load the new kernel:

sudo reboot

After the system restarts, verify your Fedora version:

cat /etc/fedora-release

This should confirm you’re running Fedora 43. Starting with a fully updated system prevents compatibility issues and ensures optimal security posture.

Step 2: Install OpenVPN and Easy-RSA

Fedora’s official repositories include both OpenVPN and Easy-RSA packages, simplifying the installation process. Install both tools with a single command:

sudo dnf install openvpn easy-rsa -y

Easy-RSA serves as a certificate authority management utility, generating the SSL certificates and cryptographic keys required for secure VPN authentication. The installation automatically resolves and installs necessary dependencies including OpenSSL libraries.

Verify the installation succeeded by checking the OpenVPN version:

openvpn --version

You should see version information confirming OpenVPN is properly installed. The Easy-RSA scripts are typically located in /usr/share/easy-rsa/ directory.

Step 3: Set Up the Certificate Authority (CA)

Creating a certificate authority is fundamental to OpenVPN’s security model. The CA signs all server and client certificates, establishing a trust chain.

Create a dedicated directory for certificate management:

mkdir -p ~/openvpn-ca
cd ~/openvpn-ca

Copy the Easy-RSA scripts to your working directory:

cp -r /usr/share/easy-rsa/3/* ~/openvpn-ca/

Initialize the Public Key Infrastructure:

./easyrsa init-pki

This creates the PKI directory structure for storing certificates and keys. Next, configure the certificate parameters by creating a vars file:

nano ~/openvpn-ca/vars

Add these organizational details:

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "California"
set_var EASYRSA_REQ_CITY       "San Francisco"
set_var EASYRSA_REQ_ORG        "YourOrganization"
set_var EASYRSA_REQ_EMAIL      "admin@yourorg.com"
set_var EASYRSA_REQ_OU         "IT Department"

Customize these values to match your organization. Build the certificate authority:

./easyrsa build-ca

You’ll be prompted to set a CA password. Choose a strong passphrase and store it securely. This password protects your CA’s private key, which signs all certificates in your infrastructure. Never share this password or the CA private key.

Step 4: Generate Server Certificates and Keys

With the CA established, create the cryptographic materials for your OpenVPN server. Generate a certificate request for the server:

./easyrsa gen-req server nopass

The nopass parameter creates a key without password protection, allowing the server to start automatically without manual password entry. For the common name, enter “server” when prompted.

Sign the server certificate with your CA:

./easyrsa sign-req server server

Confirm the signing operation by typing “yes” and entering your CA password. Generate Diffie-Hellman parameters for key exchange:

./easyrsa gen-dh

This process can take several minutes as it generates strong cryptographic parameters. Create an HMAC signature for additional TLS authentication:

openvpn --genkey secret ta.key

The TLS authentication key adds an extra security layer, protecting against DoS attacks and port scanning. Copy all generated files to OpenVPN’s configuration directory:

sudo mkdir -p /etc/openvpn/keys
sudo cp pki/ca.crt /etc/openvpn/keys/
sudo cp pki/issued/server.crt /etc/openvpn/keys/
sudo cp pki/private/server.key /etc/openvpn/keys/
sudo cp pki/dh.pem /etc/openvpn/keys/
sudo cp ta.key /etc/openvpn/keys/

Set appropriate permissions to protect private keys:

sudo chmod 600 /etc/openvpn/keys/server.key
sudo chmod 600 /etc/openvpn/keys/ta.key

Step 5: Configure the OpenVPN Server

Create a comprehensive server configuration file that defines how your VPN operates. Create the configuration file:

sudo nano /etc/openvpn/server.conf

Add this optimized configuration:

port 1194
proto udp
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120

tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-GCM
auth SHA256

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log
log-append /var/log/openvpn.log
verb 3

This configuration establishes several critical parameters. The server listens on UDP port 1194, which offers better performance than TCP for most use cases. The tun device creates a routed IP tunnel rather than a bridged interface.

The server allocates IP addresses from the 10.8.0.0/24 subnet to connected clients. The redirect-gateway directive routes all client traffic through the VPN tunnel, ensuring complete traffic encryption. DNS settings push Google’s public DNS servers to clients, though you can substitute your preferred DNS resolvers.

Security settings include AES-256-GCM encryption cipher and SHA256 authentication digest. The TLS authentication key (ta.key) provides an additional verification layer during the TLS handshake. Running as the nobody user reduces security risks by limiting privileges.

Step 6: Enable IP Forwarding

IP forwarding allows your server to route traffic between the VPN network and the internet. Edit the system control configuration:

sudo nano /etc/sysctl.conf

Add or uncomment this line:

net.ipv4.ip_forward = 1

Apply the change immediately without rebooting:

sudo sysctl -p

Verify forwarding is enabled:

cat /proc/sys/net/ipv4/ip_forward

The output should be 1, confirming IP forwarding is active. If you need IPv6 support, also enable net.ipv6.conf.all.forwarding = 1.

Step 7: Configure Firewall Rules with FirewallD

Fedora uses FirewallD for firewall management. Configure the necessary rules to allow VPN traffic. Add the OpenVPN service to the firewall:

sudo firewall-cmd --permanent --add-service=openvpn

Add the tun0 interface to the trusted zone:

sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0

Enable masquerading for NAT functionality:

sudo firewall-cmd --permanent --add-masquerade

Get your default network interface name:

ip route | grep default

Assuming your interface is eth0 or enp0s3, enable packet forwarding:

sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Replace eth0 with your actual interface name. Reload the firewall to apply all changes:

sudo firewall-cmd --reload

Verify the configuration:

sudo firewall-cmd --list-all

These rules allow incoming VPN connections and properly route traffic from VPN clients to the internet. Masquerading performs Network Address Translation, making VPN client traffic appear to originate from the server’s public IP address.

Step 8: Start and Enable OpenVPN Service

Launch the OpenVPN server using systemd:

sudo systemctl start openvpn-server@server.service

The service name follows the pattern openvpn-server@configname.service, where configname matches your configuration file without the .conf extension. Enable automatic startup at boot:

sudo systemctl enable openvpn-server@server.service

Check the service status:

sudo systemctl status openvpn-server@server.service

You should see “active (running)” status. If the service fails to start, examine the logs:

sudo journalctl -xe -u openvpn-server@server.service

Common startup issues include syntax errors in the configuration file, missing certificate files, or SELinux denials. Verify the tun0 interface was created:

ip addr show tun0

This confirms OpenVPN successfully initialized the virtual network interface.

Step 9: Generate Client Certificates

Each VPN client requires unique certificates for authentication. Return to your Easy-RSA directory and generate a client certificate:

cd ~/openvpn-ca
./easyrsa gen-req client1 nopass

Use a descriptive name instead of “client1” to identify different users or devices. Sign the client certificate:

./easyrsa sign-req client client1

Enter your CA password to authorize the signing. Create a directory for client files:

mkdir -p ~/client-configs/keys
chmod 700 ~/client-configs/keys

Copy the necessary files:

cp pki/ca.crt ~/client-configs/keys/
cp pki/issued/client1.crt ~/client-configs/keys/
cp pki/private/client1.key ~/client-configs/keys/
sudo cp /etc/openvpn/keys/ta.key ~/client-configs/keys/

For additional clients, repeat the process with unique names. To revoke a client certificate later, use:

./easyrsa revoke client1
./easyrsa gen-crl

This generates a Certificate Revocation List (CRL) that blocks access for compromised or terminated users.

Step 10: Create Client Configuration Files

Build a client configuration that matches your server settings. Create a base configuration:

nano ~/client-configs/base.conf

Add this template:

client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1

remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3

Replace YOUR_SERVER_IP with your server’s public IP address or domain name. The cipher and authentication settings must match your server configuration. The tls-auth directive uses direction 1 (clients use 1, servers use 0).

For easier distribution, create a unified configuration file that embeds all certificates:

nano ~/client-configs/make-config.sh

Add this script:

#!/bin/bash

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

mkdir -p ${OUTPUT_DIR}

cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Make the script executable:

chmod +x ~/client-configs/make-config.sh

Generate a unified configuration for client1:

cd ~/client-configs
./make-config.sh client1

This creates ~/client-configs/files/client1.ovpn containing all necessary credentials in a single file.

Step 11: Transfer Client Files Securely

Never send private keys through unencrypted channels. Use secure methods to deliver client configurations. The most secure approach uses SCP (Secure Copy):

scp ~/client-configs/files/client1.ovpn username@client-machine:/home/username/

Alternatively, use SFTP through an SFTP client like FileZilla. For remote users, encrypt the .ovpn file with GPG before emailing:

gpg -c client1.ovpn

This creates an encrypted client1.ovpn.gpg file. Share the decryption password through a separate communication channel. Consider using password managers with secure sharing features for credential distribution in organizational settings.

Step 12: Connect Clients to OpenVPN Server

Linux clients can connect using NetworkManager or the command line. For NetworkManager, install the OpenVPN plugin:

sudo dnf install NetworkManager-openvpn-gnome

Import the configuration through the NetworkManager GUI by navigating to Settings > Network > VPN and clicking the “+” button to add a VPN connection. Select “Import from file” and choose your .ovpn file.

For command-line connections, use:

sudo openvpn --config client1.ovpn

Keep the terminal window open while connected. For background operation, use systemd.

The modern OpenVPN 3 client offers improved security through unprivileged operation:

sudo dnf install openvpn3
openvpn3 session-start --config client1.ovpn

Windows users should download the official OpenVPN Connect client from the OpenVPN website. Import the .ovpn file and connect through the system tray icon.

After connecting, verify your VPN-assigned IP address:

ip addr show tun0

You should see an IP in the 10.8.0.0/24 range. Test internet connectivity through the VPN:

curl ifconfig.me

This should return your VPN server’s public IP address, confirming traffic routes through the tunnel.

Testing and Verification

Comprehensive testing ensures your VPN functions correctly. Check if the client received proper routing:

ip route

You should see routes directing traffic through the tun0 interface. Test DNS resolution:

nslookup google.com

This confirms DNS queries work through the VPN. Perform a bandwidth test to measure throughput:

sudo dnf install iperf3

Run iperf3 on both server and client to measure VPN performance. Monitor server logs for connection details:

sudo tail -f /var/log/openvpn.log

Check the status file for currently connected clients:

sudo cat /etc/openvpn/openvpn-status.log

Security Best Practices

Implementing security hardening protects your VPN infrastructure. Store your CA private key offline after generating all necessary certificates. This prevents unauthorized certificate issuance if your server is compromised.

Use strong encryption algorithms exclusively. AES-256-GCM provides authenticated encryption with better performance than CBC mode. Avoid deprecated ciphers like Blowfish or DES.

Enable TLS-auth or TLS-crypt to prevent port scanning and DoS attacks. The TLS authentication layer requires attackers to possess the shared key before even initiating a TLS handshake.

Consider using non-standard ports to reduce automated attack surface. Many organizations block port 1194, so using 443 (HTTPS) can improve connectivity while maintaining security through obscurity.

Implement regular certificate rotation policies. Set certificate expiration to reasonable timeframes and establish procedures for renewal. Maintain a current Certificate Revocation List and configure your server to check it.

Monitor your VPN logs for suspicious activity. Unusual connection patterns, authentication failures, or unexpected geographic locations may indicate compromise attempts. Disable compression to avoid VORACLE vulnerabilities.

Common Troubleshooting Issues

Connection failures often stem from firewall blocking. Verify your router forwards port 1194 to your server’s internal IP. Check that your ISP doesn’t block VPN traffic.

Authentication errors typically indicate certificate problems. Ensure certificate paths in configuration files are correct and files have proper permissions. Expired certificates require regeneration and redistribution.

TLS handshake failures suggest cipher or protocol mismatches. Verify client and server cipher settings match exactly. Check that the TLS-auth key direction is correct (0 for server, 1 for clients).

If clients connect but can’t access the internet, IP forwarding or NAT may be misconfigured. Recheck /proc/sys/net/ipv4/ip_forward and firewall masquerading rules.

DNS resolution problems indicate push settings aren’t reaching clients. Verify the push "dhcp-option DNS" directives in your server configuration. Some clients require manual DNS configuration.

Performance issues may result from MTU/MSS problems. Try adding mssfix 1450 and tun-mtu 1500 to both client and server configurations. UDP protocol typically outperforms TCP for VPN traffic.

SELinux denials on Fedora can prevent OpenVPN from functioning. Check SELinux alerts:

sudo ausearch -m avc -ts recent

Generate a policy module to allow denied actions:

sudo ausearch -m avc -ts recent | audit2allow -M openvpn-custom
sudo semodule -i openvpn-custom.pp

Service startup failures often indicate configuration syntax errors. Review your server.conf carefully for typos. Missing certificate files prevent startup, so verify all paths are correct.

Maintenance and Management

Adding new clients follows the established certificate generation process. Create a new certificate request, sign it with your CA, and generate a corresponding .ovpn file. This scalable approach supports unlimited clients without modifying server configuration.

Certificate revocation requires maintaining an updated CRL. After revoking a certificate, copy the CRL to your server:

sudo cp ~/openvpn-ca/pki/crl.pem /etc/openvpn/keys/

Add this line to your server configuration:

crl-verify /etc/openvpn/keys/crl.pem

Restart the OpenVPN service to enforce the revocation. Certificates approaching expiration need renewal. Easy-RSA generates certificates with default expiration periods, so track these dates and renew proactively.

System updates require careful planning. Before upgrading OpenVPN, backup your configuration and keys:

sudo tar -czf openvpn-backup.tar.gz /etc/openvpn

Test updates in a staging environment when possible. Critical files for backup include /etc/openvpn/server.conf, all certificates and keys in /etc/openvpn/keys/, and your CA directory at ~/openvpn-ca/.

Monitor server performance using system tools. High CPU usage may indicate excessive traffic or inefficient cipher selection. Track connected client counts and bandwidth consumption to plan capacity.

Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing the OpenVPN server on your Fedora 43 Linux system. For additional help or useful information, we recommend you check the official OpenVPN website.