Hey guys! Today, we're diving deep into setting up an OpenVPN server on Ubuntu 22.04 LTS. If you're looking to secure your internet connection, access resources remotely, or just want more control over your network traffic, then setting up your own VPN server is a fantastic move. We'll walk through the entire process step-by-step, making it as painless as possible. Trust me, by the end of this guide, you'll have a fully functional and secure OpenVPN server up and running on your shiny new Ubuntu 22.04 system. This guide is packed with all the nitty-gritty details, so grab a coffee, settle in, and let's get this server built!

Why Set Up Your Own OpenVPN Server?

So, why go through the hassle of setting up your own OpenVPN server on Ubuntu 22.04 when there are tons of commercial VPN services out there? Great question! While commercial VPNs are convenient, running your own server offers a level of privacy, security, and control that you just can't get elsewhere. Firstly, privacy is paramount. With a commercial VPN, you're trusting their logging policies and how they handle your data. When you run your own server, you control the logs, or decide not to log anything at all. This means your online activities remain truly private, known only to you. Secondly, enhanced security. OpenVPN is a robust and highly secure VPN protocol. By setting it up yourself, you can ensure it's configured with the strongest encryption and security settings, tailored specifically to your needs. You're not relying on a third party's implementation. Thirdly, remote access. Need to access files or services on your home or office network from afar? A VPN server is your golden ticket. It creates a secure tunnel back to your private network, making it feel like you're right there, no matter where you are in the world. This is invaluable for accessing shared drives, internal websites, or managing devices remotely. Fourthly, bypassing geo-restrictions (with a twist). While commercial VPNs are often used for this, running your own server from a location with different IP restrictions can also help, though it's generally more for accessing your own resources. Finally, cost-effectiveness. Once set up, running your own server can be significantly cheaper than paying a monthly subscription for a commercial VPN, especially if you have multiple users or devices. It's a one-time setup effort for long-term benefits. We'll be focusing on Ubuntu 22.04 LTS, which is the latest Long Term Support release from Canonical, ensuring stability and security for years to come. Getting this right means you’re building a solid foundation for your secure networking needs. So, let’s jump into the practical steps required to get this amazing setup rolling!

Prerequisites for Your Ubuntu 22.04 OpenVPN Server

Before we get our hands dirty with the actual OpenVPN server setup on Ubuntu 22.04, there are a few things you'll need to have squared away. Think of these as the essential ingredients for our VPN recipe. First off, you need a server running Ubuntu 22.04 LTS. This could be a virtual private server (VPS) from a provider like DigitalOcean, Linode, Vultr, or even a dedicated physical server. Crucially, this server needs a static public IP address. A dynamic IP address will cause connection issues as it changes, breaking your VPN tunnel. So, make sure your server provider assigns you a static IP, or you've configured one yourself. You'll also need root or sudo access to this Ubuntu server. This means you can execute commands with administrative privileges, which is necessary for installing software, configuring services, and modifying network settings. The easiest way to manage this is by using SSH to connect to your server from your local machine. So, ensure your SSH client is ready to go. We'll be running commands, so having a terminal window open connected to your server is key. It's also highly recommended to have a basic understanding of Linux command-line operations. While this guide aims to be comprehensive, familiarity with navigating directories, editing files with nano or vim, and understanding basic networking concepts will make the process smoother. Before we start installing anything, it's a good practice to update your server's package list and upgrade any installed packages to their latest versions. This ensures you're working with the most up-to-date software and minimizes potential conflicts or security vulnerabilities. You can do this by running:

sudo apt update && sudo apt upgrade -y

This command first updates the list of available packages from the repositories and then upgrades all installed packages. The -y flag automatically confirms any prompts during the upgrade process, saving you some clicks. Finally, you'll need a way to manage firewall rules. We'll be using ufw (Uncomplicated Firewall), which is typically pre-installed on Ubuntu. If it's not, you can install it with sudo apt install ufw. Make sure you're comfortable with basic firewall concepts, like opening ports. Having these prerequisites in place will ensure a smooth and successful OpenVPN server setup. Let's get ready to build our secure tunnel!

Installing OpenVPN and Easy-RSA on Ubuntu 22.04

Alright, guys, let's get down to the business of installing the core software for our OpenVPN server setup on Ubuntu 22.04. We need two main components: the OpenVPN package itself, which provides the VPN tunneling capabilities, and Easy-RSA, a toolset for managing our Public Key Infrastructure (PKI). This PKI is what allows us to create and manage the digital certificates that OpenVPN relies on for secure authentication and encryption. First things first, let's update our package lists to make sure we're fetching the latest available versions. We've already done this in the prerequisites, but it's always good practice to double-check:

sudo apt update

Now, let's install the OpenVPN package. It's straightforward:

sudo apt install openvpn -y

This command installs the OpenVPN daemon and related utilities. The -y flag ensures that the installation proceeds without asking for confirmation. Next, we need to set up Easy-RSA. Easy-RSA is used to build and manage a private Certificate Authority (CA). This CA will then sign the server and client certificates, essentially vouching for their authenticity. We'll download the latest stable version of Easy-RSA. You can find the latest release from the Easy-RSA GitHub repository. Let's navigate to a directory where we can download and unpack it. A good place is usually /usr/share/doc/openvpn/examples/ or creating a dedicated directory like /etc/openvpn/easy-rsa. Let's create a directory for Easy-RSA and download it there:

mkdir ~/easy-rsa
curl -L https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/easy-rsa-v3.0.8.tgz -o ~/easy-rsa/easy-rsa-v3.0.8.tgz
tar xzf ~/easy-rsa/easy-rsa-v3.0.8.tgz -C ~/easy-rsa/

Note: You might want to check the Easy-RSA GitHub page for the absolute latest version and update the v3.0.8 in the curl and tar commands accordingly. Now that we have the Easy-RSA archive, we need to copy its contents to a more permanent location and prepare it for use. A common and recommended location is /etc/openvpn/easy-rsa.

sudo cp -r ~/easy-rsa/easy-rsa-v3.0.8 /etc/openvpn/easy-rsa

Now, we need to switch to the Easy-RSA directory so we can start configuring it. We'll also need to create a symbolic link to the openssl-easyrsa.cnf file, which is essential for Easy-RSA to function correctly. This configuration file tells Easy-RSA how to interact with OpenSSL for certificate generation.

cd /etc/openvpn/easy-rsa/
ln -s openssl-easyrsa.cnf pki/openssl.cnf

Inside the pki directory, we'll initialize our PKI. This creates the necessary subdirectories like ca, issued, private, reqs, and crl where our certificates and keys will be stored. It also sets up the basic structure for our certificate authority.

./easyrsa init-pki

With the basic installation and PKI initialization done, we've laid the groundwork for generating the certificates that will secure our VPN connection. This is a crucial step, as the security of your entire VPN hinges on the integrity of your PKI and the certificates it generates. We're well on our way to having a fully operational OpenVPN server!

Setting Up the Certificate Authority (CA)

Now that we've got OpenVPN and Easy-RSA installed, the next vital step in our OpenVPN server setup on Ubuntu 22.04 is to establish our own Certificate Authority (CA). This CA will be the trusted root for all the certificates we generate – both for the server and for any clients that will connect. Think of it as the ultimate stamp of approval. We've already initialized the PKI in the previous step, creating the pki directory structure. Now, we need to build the actual CA certificate and its private key. This is a critical process, so pay close attention, guys. We'll be using the Easy-RSA scripts to do this. First, ensure you are still in the Easy-RSA directory:

cd /etc/openvpn/easy-rsa/

Now, we'll generate the CA request and then sign it to create the CA certificate. When prompted for a Common Name (CN), you can enter something descriptive like MyOpenVPNCA or MyCompanyVPNCA. This name doesn't directly affect functionality but is good for identification.

./easyrsa build-ca nopass

The nopass option is used here for simplicity during this setup guide. However, for production environments, it is strongly recommended to omit nopass and set a strong passphrase for your CA private key. This passphrase will be required every time you start the OpenVPN server or need to sign new certificates, adding an extra layer of security. If you choose to use a passphrase, you'll be prompted to enter it when running commands like build-ca, gen-req, or sign-req. Remember this passphrase securely!

Upon successful execution, Easy-RSA will create two important files in the pki directory:

• ca.crt: This is your CA's public certificate. You'll need to distribute this file to all your VPN clients so they can verify the server's identity.
• private/ca.key: This is your CA's private key. This is the most sensitive file. It should be kept extremely secure and never shared with anyone or copied to any client machine. If this key is compromised, your entire VPN's security is at risk.

Make sure to copy these essential files to the main OpenVPN configuration directory. The ca.crt file needs to be accessible by the OpenVPN server process, and we'll secure the ca.key shortly.

sudo cp pki/ca.crt /etc/openvpn/
sudo cp pki/private/ca.key /etc/openvpn/private/

We create a private subdirectory within /etc/openvpn to store the CA key securely. Then, we need to restrict permissions on the CA private key so that only the root user can read it. This is a critical security measure.

sudo chmod 600 /etc/openvpn/private/ca.key

Now that our CA is established and its critical key is secured, we've successfully created the foundation of trust for our VPN. This CA will be the backbone of our certificate-based authentication system. We're moving closer to having a fully functional and secure VPN tunnel!

Generating Server Certificate and Key

Alright, team, we've set up our trusted Certificate Authority. The next logical step in our OpenVPN server setup on Ubuntu 22.04 is to generate the actual certificate and private key for our OpenVPN server itself. This server certificate/key pair will identify our VPN server to connecting clients, ensuring they are connecting to the legitimate server and not an imposter. Again, we'll be using Easy-RSA for this, so make sure you're still in the /etc/openvpn/easy-rsa directory.

cd /etc/openvpn/easy-rsa/

We'll start by generating a Certificate Signing Request (CSR) and a private key for the server. When prompted for a 'Common Name', it's good practice to use a descriptive name, such as server or my-vpn-server. This name is important for identification purposes.

./easyrsa gen-req server nopass

Just like with the CA, the nopass option is used here for ease of setup. For a production environment, you should definitely remove nopass and assign a strong passphrase to the server's private key. This passphrase will be required when the OpenVPN server starts. After running the command, two files will be generated within the pki/private and pki/reqs directories:

• pki/private/server.key: The server's private key. Keep this secure!
• pki/reqs/server.req: The server's certificate signing request.

Now that we have the server's request and private key, we need to sign the request using our CA. This process officially issues the server certificate, making it trusted. We'll use the sign-req command, specifying server as the client name (even though it's a server, Easy-RSA uses the term 'client' here for any entity requesting a certificate).

./easyrsa sign-req server server

If you set a passphrase for your CA private key, you will be prompted to enter it here. Once signed, the server certificate will be generated in the pki/issued directory.

• pki/issued/server.crt: The server's public certificate.

Finally, we need to copy these crucial server files to the main OpenVPN configuration directory, similar to how we handled the CA files. These files will be read by the OpenVPN server daemon when it starts.

sudo cp pki/issued/server.crt /etc/openvpn/
sudo cp pki/private/server.key /etc/openvpn/private/

We also need to copy the CA certificate (ca.crt) to the OpenVPN configuration directory if you haven't already done so. This is essential for the server to present its identity and verify client certificates later on.

sudo cp pki/ca.crt /etc/openvpn/

By generating and signing the server's certificate and key, we've created the digital identity for our VPN server. This is a critical step in establishing a secure and authenticated connection. We're getting closer to the finish line, folks!

Generating Diffie-Hellman Parameters

We're on a roll with our OpenVPN server setup on Ubuntu 22.04! The next step involves generating Diffie-Hellman (DH) parameters. These parameters are used in the Diffie-Hellman key exchange protocol, which OpenVPN employs to allow the server and clients to securely establish a shared secret key over an insecure channel. This shared secret key is then used for encrypting the actual VPN traffic. Generating strong DH parameters is crucial for the security and performance of your VPN connection. It can take a little while, depending on your server's processing power, so be patient.

We'll generate these parameters using the OpenVPN command itself. The standard and recommended key size for Diffie-Hellman is 2048 bits. Let's execute the command:

sudo openvpn --genkey --secret ta.key

Wait, that's not quite right! The command above is for generating a TLS-Auth key, which we'll get to. The Diffie-Hellman parameters are generated using OpenSSL. Let's correct that. The command to generate Diffie-Hellman parameters is:

sudo openvpn --genkey secret /etc/openvpn/dh.pem

Correction: My apologies, guys! I seem to have gotten ahead of myself. The openvpn --genkey command is actually for generating a TLS-Auth key, which we'll need later. The Diffie-Hellman parameters are generated using the openssl dhparam command. Let's correct that crucial step.

First, ensure you're in the main OpenVPN configuration directory:

cd /etc/openvpn/

Now, generate the Diffie-Hellman parameters. A 2048-bit key is standard and recommended for a good balance between security and generation time. For higher security, you could use 4096 bits, but it will take significantly longer to generate.

sudo openssl dhparam -out dh2048.pem 2048

Alternatively, for a 4096-bit key (more secure, much slower generation):

sudo openssl dhparam -out dh4096.pem 4096

This command can take several minutes to complete, so grab another coffee! It's computationally intensive. Once finished, you'll have a dh2048.pem (or dh4096.pem) file in your /etc/openvpn/ directory. This file contains the prime numbers and generator used for the Diffie-Hellman key exchange. It's important for establishing secure session keys between the server and clients. Ensure that the permissions are set correctly, as this file is sensitive:

sudo chmod 600 /etc/openvpn/dh2048.pem

Generating these DH parameters is a vital step for secure key exchange. It ensures that the session keys used to encrypt your VPN traffic are negotiated securely, even if the communication channel itself is compromised. We're building a fortress here, folks!

Generating TLS-Auth Key

We're moving on to another critical security component for our OpenVPN server setup on Ubuntu 22.04: the TLS-Auth key. This key provides an additional layer of security by adding an extra HMAC (Hash-based Message Authentication Code) signature to the TLS handshake and all UDP data packets. Think of it as an extra lock on your VPN tunnel. It helps protect against certain types of denial-of-service attacks and helps OpenVPN detect corrupted packets. It's highly recommended for securing your OpenVPN server.

We generate this key using the OpenVPN command itself. We'll place it in the main OpenVPN configuration directory (/etc/openvpn/).

cd /etc/openvpn/
sudo openvpn --genkey --secret ta.key

This command generates a ta.key file in the /etc/openvpn/ directory. This key is a shared secret, meaning both the server and all connecting clients will need a copy of it to establish a connection. It's important to keep this key secure. We'll set the correct permissions for it:

sudo chmod 600 ta.key

This command ensures that only the root user can read or write this file, protecting it from unauthorized access. When we set up our client configurations later, we'll copy this ta.key file to each client's configuration directory. It plays a vital role in ensuring the integrity and authenticity of the data exchanged over the VPN tunnel. With the TLS-Auth key generated and secured, we've significantly bolstered the security posture of our OpenVPN server. This additional layer of authentication is a key reason why OpenVPN is so trusted in the security community. We're almost ready to configure the server itself!

Configuring the OpenVPN Server

Alright, guys, we've installed all the necessary software, generated our certificates, and prepared our security keys. Now it's time to actually configure the OpenVPN server on Ubuntu 22.04. This involves creating and editing the main server configuration file. OpenVPN's configuration file is typically located at /etc/openvpn/server.conf. If it doesn't exist, we'll create it. Let's open it with a text editor like nano.

sudo nano /etc/openvpn/server.conf

Now, we need to populate this file with the correct directives. Here’s a comprehensive configuration that you can adapt. I'll explain each important directive as we go:

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

tls-auth ta.key 0

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120

#cipher AES-256-CBC
#auth SHA256

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log
verb 3
explicit-exit-notify 1

Let's break down some of these key directives:

• port 1194: This is the default OpenVPN port. You can change this to a different port if you wish, but remember to adjust your firewall rules accordingly. UDP is generally preferred for performance.
• proto udp: Specifies the protocol. UDP is faster than TCP for VPNs as it has less overhead, though TCP can be more reliable on unstable networks.
• dev tun: This creates a routed IP tunnel, which is the most common type for VPNs.
• ca ca.crt, cert server.crt, key server.key, dh dh2048.pem: These lines point to the certificate and key files we generated earlier. Make sure the filenames match exactly.
• tls-auth ta.key 0: This enables TLS-Auth. The 0 indicates that this is the server's key. Clients will use 1.
• server 10.8.0.0 255.255.255.0: This defines the virtual IP address pool that OpenVPN will assign to connecting clients. Clients will be on the 10.8.0.0/24 subnet.
• ifconfig-pool-persist ipp.txt: This file will store the IP addresses assigned to clients, ensuring they get the same IP address each time they connect.
• push "redirect-gateway def1 bypass-dhcp": This is a crucial directive. It tells the clients to route all their internet traffic through the VPN. This is what makes your VPN truly anonymize your traffic.
• push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4": These lines push Google's public DNS servers to the clients. You can replace these with your preferred DNS servers, like Cloudflare (1.1.1.1) or your own.
• keepalive 10 120: This directive keeps the connection alive by sending a ping every 10 seconds and expecting a response within 120 seconds. If no response is received, the connection is considered dead.
• user nobody group nogroup: These directives tell OpenVPN to drop root privileges after initialization and run as an unprivileged user (nobody) and group (nogroup). This is a significant security best practice.
• persist-key persist-tun: These options ensure that keys and TUN/TAP devices are not re-read or re-opened across restarts, which can prevent issues.
• status openvpn-status.log: This specifies a file to log the status of the VPN connections.
• verb 3: Sets the verbosity level for logging. 3 is a good balance between providing enough information and not flooding the logs.
• explicit-exit-notify 1: This helps clients know when the server restarts or shuts down gracefully.

After adding these lines to /etc/openvpn/server.conf, save and exit the editor (Ctrl+X, then Y, then Enter in nano). With the server configuration file in place, we're ready to enable and start the OpenVPN service.

Enabling and Starting the OpenVPN Service

We're in the home stretch, guys! We've successfully configured our OpenVPN server on Ubuntu 22.04. Now, we need to make sure the OpenVPN service starts automatically on boot and then actually start it. We'll use systemd, the standard init system in Ubuntu, for this.

First, let's enable the OpenVPN server service. By default, systemd looks for configuration files named openvpn@<config_name>.service. Since our configuration file is /etc/openvpn/server.conf, the service name will be openvpn@server.service. To enable it, we run:

sudo systemctl enable openvpn@server.service

This command creates a symbolic link that ensures the OpenVPN service starts automatically whenever your server boots up. It's crucial for maintaining an always-on VPN connection.

Next, let's start the OpenVPN service immediately:

sudo systemctl start openvpn@server.service

This command initiates the OpenVPN server process with our server.conf configuration. You can check the status of the service to make sure it's running without errors:

sudo systemctl status openvpn@server.service

If everything is configured correctly, you should see output indicating that the service is active (running). If there are any issues, the status output will often provide clues or error messages. You can also check the OpenVPN logs for more detailed information:

sudo journalctl -u openvpn@server.service

This command will display the logs specifically for our OpenVPN server instance. Look for any errors or warnings that might indicate a problem.

Important Firewall Configuration: Before clients can connect, we need to allow OpenVPN traffic through the firewall. We'll use ufw (Uncomplicated Firewall) for this. First, ensure ufw is enabled:

sudo ufw enable

If ufw was not enabled, you might need to reconnect via SSH after enabling it.

Now, allow traffic on the OpenVPN port (default is 1194 UDP):

sudo ufw allow 1194/udp

This command opens the UDP port 1194, allowing incoming VPN connections.

Enabling IP Forwarding: For the VPN to route client traffic to the internet, your server needs to forward IP packets. We need to enable this by editing the sysctl.conf file.

sudo nano /etc/sysctl.conf

Uncomment (remove the # symbol) the following line:

net.ipv4.ip_forward=1

Save and exit the file. Then, apply the changes immediately without rebooting:

sudo sysctl -p

NAT (Network Address Translation): We also need to configure NAT so that clients using the VPN can access the internet using the server's public IP address. This involves modifying ufw's rules. First, find your server's primary network interface name. You can usually do this with ip a or ifconfig. It's commonly eth0 or ens3.

Edit the ufw configuration file:

sudo nano /etc/ufw/before.rules

Add the following lines at the very top of the file, before the *filter section:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

Make sure to replace eth0 with your server's actual public network interface name.

After saving these changes, reload ufw to apply the new rules:

sudo ufw disable
sudo ufw enable

With the service enabled, started, and the firewall configured, our OpenVPN server is now running and ready to accept connections! The last step is generating client configurations.

Generating Client Configurations

We've done the heavy lifting, folks! Our OpenVPN server is set up and running on Ubuntu 22.04. Now, we need to generate configuration files for our clients (laptops, phones, etc.) so they can connect to our shiny new VPN. Each client needs its own unique certificate and key pair, signed by our CA, and a configuration file (.ovpn) that tells the OpenVPN client software how to connect.

We'll use Easy-RSA again for generating client certificates and keys. Remember to navigate back to the Easy-RSA directory:

cd /etc/openvpn/easy-rsa/

For each client you want to connect, you'll need to generate a unique certificate request and private key. Let's say we're generating a config for a client named client1. It's crucial to use a unique name for each client.

./easyrsa gen-req client1 nopass

Again, nopass is for simplicity. You should use a passphrase for production clients.

Next, we sign this request using our CA:

./easyrsa sign-req client1 client1

If you used a passphrase for your CA key, you'll be prompted to enter it here. This process generates:

• pki/issued/client1.crt: The client's public certificate.
• pki/private/client1.key: The client's private key.

Now, we need to create the .ovpn configuration file for client1. This file will contain all the necessary information for the client to connect. We'll create a base template and then embed the necessary certificates and keys into it.

Let's create a directory to store our client configurations and copy the necessary files there:

mkdir ~/client-configs
chmod 700 ~/client-configs

We need the CA certificate (ca.crt), the client's certificate (client1.crt), and the client's private key (client1.key). Let's copy them to a temporary location and then embed them.

cp /etc/openvpn/easy-rsa/pki/ca.crt ~/client-configs/
cp /etc/openvpn/easy-rsa/pki/issued/client1.crt ~/client-configs/
cp /etc/openvpn/easy-rsa/pki/private/client1.key ~/client-configs/

Now, create a new file for the client configuration, for example, client1.ovpn, in the ~/client-configs directory.

cd ~/client-configs/
nano client1.ovpn

Paste the following template into the file, replacing YOUR_SERVER_IP with your server's actual public IP address:

client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
remote-cert-tls server

user nobody
group nogroup

# Keepalive
keepalive 10 120

# Encryption and Authentication
# cipher AES-256-CBC
# auth SHA256

# TLS-Auth
<tls-auth>
# --- CONTENT OF ta.key WILL GO HERE ---
</tls-auth>

# Client Certificate and Key
<ca>
# --- CONTENT OF ca.crt WILL GO HERE ---
</ca>

<cert>
# --- CONTENT OF client1.crt WILL GO HERE ---
</cert>

<key>
# --- CONTENT OF client1.key WILL GO HERE ---
</key>

verb 3

Now, we need to embed the contents of ta.key, ca.crt, client1.crt, and client1.key into this .ovpn file.

Replace # --- CONTENT OF ta.key WILL GO HERE --- with the actual content of /etc/openvpn/ta.key:

sudo cat /etc/openvpn/ta.key >> client1.ovpn

Replace # --- CONTENT OF ca.crt WILL GO HERE --- with the actual content of ~/client-configs/ca.crt:

sudo cat ~/client-configs/ca.crt >> client1.ovpn

Replace # --- CONTENT OF client1.crt WILL GO HERE --- with the actual content of ~/client-configs/client1.crt:

sudo cat ~/client-configs/client1.crt >> client1.ovpn

Replace # --- CONTENT OF client1.key WILL GO HERE --- with the actual content of ~/client-configs/client1.key:

sudo cat ~/client-configs/client1.key >> client1.ovpn

After embedding all the keys and certificates, your client1.ovpn file is ready! You can now securely transfer this file to your client device. You can use scp (secure copy) for this. For example, from your local machine:

scp your_ssh_username@YOUR_SERVER_IP:~/client-configs/client1.ovpn .

(Replace your_ssh_username and YOUR_SERVER_IP).

Generating Keys for Additional Clients: To generate configurations for more clients (e.g., client2, client3), simply repeat the gen-req and sign-req steps for each new client name, then create a new .ovpn file by embedding the respective client keys and certificates along with the server's ta.key and ca.crt. You can automate this process with a script if you have many clients.

Your OpenVPN server is now fully set up and ready to provide secure connections to your clients. Congratulations, guys! You've successfully navigated the complexities of setting up your own VPN server.