OpenVPN Configuration Samples (Cheat Sheet)
A collection of production-ready, minimal configuration files for OpenVPN servers and clients (Linux, Windows, Android, and pfSense).
Introduction
This article serves as a repository of working, battle-tested OpenVPN configurations. These samples are designed to strike a balance between security (using modern AES-256-GCM encryption) and speed (using UDP and an optimized subnet topology).
Unlike complex setup scripts, these are the raw configuration files you need to get a tunnel running quickly.
If you haven't set up the server daemon yet, please refer to our full tutorial on how to install and configure OpenVPN Server on Debian first.
Server side configuration
This is the main configuration file for a Linux-based OpenVPN server (usually located at /etc/openvpn/server.conf). It sets up a UDP tunnel on port 1194, uses a secure subnet topology, and pushes necessary network settings (like DNS) to the client.
Configuration (server.conf):
# ----- Network & Protocol -----
port 1194
proto udp # UDP is faster and preferred for VPNs
dev tun # Create a routed IP tunnel
# ----- IP Configuration -----
# The VPN internal subnet. Server will be 10.8.0.1
server 10.8.0.0 255.255.255.0
topology subnet # Modern topology, clearer addressing than 'net30'
# Maintain a record of client virtual IP addresses
ifconfig-pool-persist /etc/openvpn/ipp.txt
# ----- Push Settings to Client -----
# Force all client traffic through the VPN (Full Tunnel)
push "redirect-gateway def1 bypass-dhcp"
# Push DNS servers (OpenDNS examples shown)
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# ----- Connection Reliability -----
# Ping every 10 sec, assume lost after 120 sec
keepalive 10 120
# ----- Security & Encryption -----
# AES-256-GCM is modern, fast (hardware accelerated), and secure
cipher AES-256-GCM
# Run as unprivileged user for security
user nobody
group nogroup
# Keep keys and tunnel interface active during restarts
persist-key
persist-tun
# ----- Logging -----
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn.log
verb 3 # standard verbosity level
# ----- Crypto Files -----
# Paths to your generated keys (EasyRSA)
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
# TLS-Auth for DDoS protection (0 = server side)
tls-auth /etc/openvpn/ta.key 0
# ----- Optional Settings -----
# Uncomment to verify client certificate revocation list
# crl-verify /etc/openvpn/crl.pem
# Uncomment to assign static IPs to specific clients
# client-config-dir /etc/openvpn/ccd
Desktop client (Linux & Windows)
This configuration works for standard OpenVPN clients on Linux (NetworkManager or terminal) and Windows (OpenVPN GUI). It assumes you have the certificate files (ca.crt, client.crt, etc.) in the same folder as the config file.
Configuration (client.ovpn):
client
dev tun
proto udp
# Replace X.X.X.X with your server's public IP
remote X.X.X.X 1194
# Keep trying to resolve the hostname indefinitely
resolv-retry infinite
# Do not bind to a specific local port
nobind
# Keep state across restarts
persist-key
persist-tun
keepalive 10 120
# Must match server's cipher
cipher AES-256-GCM
# ----- Keys -----
ca ca.crt
cert client.crt
key client.key
# TLS-Auth (1 = client side)
tls-auth ta.key 1
Desktop client (pfSense server)
Important Note: If your OpenVPN server is running on a pfSense router/firewall, its default settings often require a stronger hashing algorithm for HMAC authentication than the OpenVPN default, and the client's auth digest must match the server's "Auth digest algorithm" setting. Without the auth SHA512 line, the connection will likely fail or drop, even if the keys are correct.
Configuration (pfsense-client.ovpn):
client
dev tun
proto udp
remote X.X.X.X 1194
# Cipher must match pfSense setting
cipher AES-256-GCM
# CRITICAL: Required for many pfSense configurations
auth SHA512
keepalive 10 120
# ----- Keys -----
ca ca.crt
cert pfsense-client.crt
key pfsense-client.key
tls-auth ta.key 1
Android / Mobile client (inline keys)
Mobile apps (like "OpenVPN Connect" for Android or iOS) work best with a single file. Instead of referencing external .crt and .key files, we embed the file contents directly into the configuration using XML-style tags.
Configuration (android-client.ovpn):
# Direction 1 indicates client-side for tls-auth
key-direction 1
client
dev tun
proto udp
remote X.X.X.X 1194
cipher AES-256-GCM
# ----- Inline Keys -----
# Copy the content of your files between these tags
<ca>
-----BEGIN CERTIFICATE-----
... (Content of ca.crt) ...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
... (Content of client.crt) ...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
... (Content of client.key) ...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
... (Content of ta.key) ...
-----END OpenVPN Static key V1-----
</tls-auth>
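The same single-file profile can be assembled from the separate PEM files with a short POSIX shell script instead of pasting by hand. This is an added example, not part of the original cheat sheet; it assumes the four file names used in the client.ovpn above (ca.crt, client.crt, client.key, ta.key) sit in the working directory, and the server address passed to it is a constructed value.

```shell
#!/bin/sh
# Build an inline (single-file) OpenVPN client profile for mobile clients.
# Added example; assumes ca.crt, client.crt, client.key and ta.key exist in
# the current directory, exactly as referenced by the desktop client.ovpn.
set -eu

# make_inline_profile SERVER_IP OUTFILE
# Writes the profile to OUTFILE; returns 1 if any input file is missing.
make_inline_profile() {
    server="$1"; out="$2"
    for f in ca.crt client.crt client.key ta.key; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$server"
        printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
        printf 'cipher AES-256-GCM\n'
        # key-direction 1 replaces the trailing "1" of "tls-auth ta.key 1"
        # once the key is inline.
        printf 'key-direction 1\n'
        # Each tag wraps the verbatim file; awk '1' guarantees a trailing
        # newline so the closing tag never lands on the last PEM line.
        for pair in ca:ca.crt cert:client.crt key:client.key tls-auth:ta.key; do
            tag=${pair%%:*}; file=${pair#*:}
            printf '<%s>\n' "$tag"; awk '1' "$file"; printf '</%s>\n' "$tag"
        done
    } > "$out"
    # The profile now contains the private key: restrict it like client.key.
    chmod 600 "$out"
}

# count_inline_tags FILE TAG -> number of lines that are exactly <TAG>
count_inline_tags() { grep -c "^<$2>\$" "$1"; }
```

Usage: `make_inline_profile 203.0.113.5 android-client.ovpn` (203.0.113.5 is a documentation address, substitute your server's public IP).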