# OpenVPN

> A classic VPN server in one script

OpenVPN is a time-tested VPN protocol. It's slower and heavier than WireGuard, but practically every client and piece of corporate hardware understands it. On a Lumi VPS (Ubuntu 22.04 by default, you connect as root over SSH) it deploys with a single script.

<Note>
  Commands are current as of writing. Script names and flags change from time to time — check the official repo [angristan/openvpn-install](https://github.com/angristan/openvpn-install).
</Note>

## OpenVPN or WireGuard

| Pick OpenVPN if                                                                          | Pick WireGuard if                           |
| ---------------------------------------------------------------------------------------- | ------------------------------------------- |
| You need maximum compatibility with old software and routers                             | Speed and simplicity matter                 |
| You connect from networks that throttle non-standard protocols (it can run over TCP/443) | You want a lightweight, modern tunnel       |
| You already have OpenVPN infrastructure                                                  | You're setting up from scratch for yourself |

If there's no particular reason, [WireGuard](/en/vps/wireguard) is usually faster and simpler. People choose OpenVPN for compatibility and legacy reasons.

## Installation

Two paths: a ready-made script (quick) or manual (full control). The script is enough for most people.

<Tabs>
  <Tab title="Script — quick and easy">
    The script will install OpenVPN, set up the certificates, and hand you a ready client file.

    <Steps>
      <Step title="Connect to the server over SSH">
        Take the IP and root password from the server card in the bot.

        ```bash theme={"system"}
        ssh root@YOUR_SERVER_IP
        ```
      </Step>

      <Step title="Download and make the script executable">
        The installer runs as root, so read through it before you execute it.

        ```bash theme={"system"}
        curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
        chmod +x openvpn-install.sh
        ```
      </Step>

      <Step title="Run the installer">
        ```bash theme={"system"}
        ./openvpn-install.sh
        ```

        The script will ask a few questions: the external IP, the protocol (UDP is faster, TCP gets through restrictions better), the port, DNS for clients, and the name of the first client. If you're not sure, leave the defaults.
      </Step>

      <Step title="Grab the client file">
        The ready `.ovpn` file appears in the home folder (for root — `/root`). The script shows the path on screen. Move the file to your device, for example via `scp`:

        ```bash theme={"system"}
        scp root@YOUR_SERVER_IP:/root/client_name.ovpn .
        ```
      </Step>
    </Steps>

    **Add or remove a client.** Each device gets its own `.ovpn`. Run the script again — a management menu appears:

    ```bash theme={"system"}
    ./openvpn-install.sh
    ```

    From the menu you can add a new client, revoke an existing one, or uninstall OpenVPN entirely.

    <Tip>
      The script works on: Ubuntu (≥ 18.04), Debian (≥ 11), CentOS Stream (≥ 8), AlmaLinux (≥ 8), Rocky Linux (≥ 8), Fedora (≥ 40), Oracle Linux (≥ 8), Amazon Linux 2023, Arch Linux, openSUSE. It needs root access, `systemd`, and the TUN module enabled — a Lumi VPS has all of this.
    </Tip>
  </Tab>

  <Tab title="Manual — full control">
    For those who want to understand every step.

    <Steps>
      <Step title="Install the packages">
        ```bash theme={"system"}
        apt update && apt install -y openvpn easy-rsa
        ```
      </Step>

      <Step title="Create the PKI and certificates">
        ```bash theme={"system"}
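        make-cadir ~/openvpn-ca            # working copy of Easy-RSA
        cd ~/openvpn-ca
        ./easyrsa init-pki                 # create an empty PKI directory
        ./easyrsa build-ca nopass          # CA key and certificate; nopass leaves the CA key unencrypted
        ./easyrsa gen-req server nopass    # server key and certificate request
        ./easyrsa sign-req server server   # sign the request as a server certificate
        ./easyrsa gen-dh                   # Diffie-Hellman parameters (can take a while)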
        ```
      </Step>

      <Step title="Copy the keys to /etc/openvpn">
        ```bash theme={"system"}
        cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem /etc/openvpn/
        ```
      </Step>

      <Step title="Create the server config and start it">
        Copy the example config (`/usr/share/doc/openvpn/examples/`) to `/etc/openvpn/server.conf`, set the paths to the keys, and start the service:

        ```bash theme={"system"}
        systemctl enable --now openvpn@server
        ```
      </Step>
    </Steps>

    <Warning>
      The manual method also needs NAT rules and IP forwarding enabled. The script in the other tab does this for you — if you'd rather not fuss with it, pick the script.
    </Warning>
  </Tab>
</Tabs>
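
For the manual path, the forwarding and NAT setup mentioned in the warning can look like the script below. It is an added example, not part of the original page or of the openvpn-install script; the `tun0` device name, the `server <network> <netmask>` line in `/etc/openvpn/server.conf`, and all function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: IPv4 forwarding + NAT for the manual OpenVPN setup.
# Assumed: tunnel device tun0 and a `server <network> <netmask>` line in server.conf.

# Convert a dotted netmask to a prefix length: 255.255.255.0 -> 24.
mask_to_prefix() {
  local IFS=. octet n bits=0 tail=0
  for octet in $1; do
    case "$octet" in
      255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
      224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;; *) return 1 ;;
    esac
    # After the first partial octet every remaining octet must be 0.
    if [ "$tail" -eq 1 ] && [ "$n" -ne 0 ]; then return 1; fi
    if [ "$n" -lt 8 ]; then tail=1; fi
    bits=$((bits + n))
  done
  echo "$bits"
}

# Read the tunnel subnet from the active (uncommented) `server` directive as CIDR.
vpn_cidr() {
  local prefix
  set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
  [ "$#" -eq 2 ] || return 1
  prefix=$(mask_to_prefix "$2") || return 1
  echo "$1/$prefix"
}

# Pick the default-route interface from `ip -4 route show default` output on stdin.
route_iface() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the commands: enable forwarding, masquerade only the tunnel subnet,
# allow tunnel -> internet, and allow only reply traffic back into the tunnel.
nat_commands() {   # $1 = tunnel CIDR, $2 = public interface
  printf '%s\n' \
    "sysctl -w net.ipv4.ip_forward=1" \
    "iptables -t nat -I POSTROUTING -s $1 -o $2 -j MASQUERADE" \
    "iptables -I FORWARD -i tun0 -o $2 -s $1 -j ACCEPT" \
    "iptables -I FORWARD -i $2 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Nothing changes unless asked: --plan prints the commands, --apply runs them as root.
if [ "${1:-}" = "--plan" ] || [ "${1:-}" = "--apply" ]; then
  cidr=$(vpn_cidr "${2:-/etc/openvpn/server.conf}") || exit 1
  nic=$(ip -4 route show default | route_iface)
  if [ "$1" = "--apply" ]; then nat_commands "$cidr" "$nic" | sh -x
  else nat_commands "$cidr" "$nic"; fi
fi
```

Run it with `--plan` first to review the commands, then with `--apply` as root. Rules added this way are not persisted across reboots.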

## Verify

Make sure the service is running:

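```bash theme={"system"}
systemctl status 'openvpn*'
```

You should see `active (running)` on the server instance unit (`openvpn@server` for the manual setup). On Ubuntu the plain `openvpn` unit is only a wrapper and shows `active (exited)`.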

<Warning>
  If you chose a non-standard port during installation, open it in the firewall. For the UDP protocol on the standard port:

  ```bash theme={"system"}
  ufw allow 1194/udp
  ```

  Substitute your own port and protocol (udp/tcp) if you changed them during installation. More details — [Firewall (ufw)](/en/vps/firewall).
</Warning>

## Connecting devices

Install the official **OpenVPN Connect** client and import the `.ovpn` file:

<CardGroup cols={2}>
  <Card title="Desktop" icon="desktop">
    **Windows / macOS / Linux** — [openvpn.net/client](https://openvpn.net/client/)

    In the app: **Import Profile** → select the `.ovpn` file → connect.
  </Card>

  <Card title="Mobile" icon="mobile-screen">
    **iOS** — App Store ("OpenVPN Connect")

    **Android** — Google Play ("OpenVPN Connect")
  </Card>
</CardGroup>

## What Lumi handles, and what you do

Lumi handles the server and network: the VPS is up, you have root access, and traffic is unlimited. Setting up the VPN software itself is on you — it's your personal service.

If a port won't open or the network won't come up on the server side, message support at [@lumisup\_robot](https://t.me/lumisup_robot).

## Where to next

<CardGroup cols={2}>
  <Card title="WireGuard" icon="bolt" href="/en/vps/wireguard">
    A fast, modern VPN with simple setup.
  </Card>

  <Card title="Amnezia" icon="user-shield" href="/en/vps/amnezia">
    A VPN with no terminal — the app sets everything up itself.
  </Card>
</CardGroup>
