How to Set Up a VPN on a VPS?

A personal VPN server on a VPS is a convenient way to ensure connection privacy, bypass geographic restrictions, and protect transmitted data. Website owners, webmasters, and beginner developers often choose this approach to control network configuration thoroughly and not depend on third-party providers. This article will look at two popular VPN technologies: OpenVPN and WireGuard. You will learn how to prepare the virtual machine, install necessary packages, configure client devices, and enhance server security.

Choosing and Preparing a VPS

Before starting the setup, it is important to determine the parameters of the virtual server. For VPN solutions, 1–2 GB of RAM and one dedicated core are usually sufficient. However, it all depends on the number of connected users and the expected load. Pay attention to the following aspects:

• Data center location. The closer the server is to the end users, the lower the network latency;
• Bandwidth. For full-fledged file transfers, sufficient traffic is necessary;
• Ease of control panel. Many find it easier to work with ready-made templates (e.g., Ubuntu 20.04).

Our hosting offers a wide range of VPS plans that are perfectly suitable for this task. After selecting a plan, proceed with the standard preparation procedure. Make sure you have SSH access (login and password or key) and perform basic OS updates:

sudo apt-get update
sudo apt-get upgrade

or similar commands depending on the Linux distribution.

Installing and Configuring OpenVPN

OpenVPN is one of the most common options. It offers good compatibility with Windows, macOS, Linux, and mobile platforms.

Installing necessary components

sudo apt-get install openvpn easy-rsa

After that, the system will have the required files and utilities for generating certificates.

Preparing PKI (Public Key Infrastructure)

Go to the Easy-RSA directory and copy the template:

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

Then, edit the vars file, specifying the organization name and country, and run commands to create the Certificate Authority (CA) and keys.

Creating the OpenVPN configuration

In the /etc/openvpn folder, edit the server file by specifying the port, protocol, and path to certificates. A common template is /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz.

Unzip it and make the necessary changes (for example, port 1194 and protocol udp).

Generating client profiles

Create a separate key and certificate for each user. The resulting .ovpn file will include all parameters, including the VPN server address (its IP address or hostname).

Starting and testing

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

If set up correctly, the service will automatically start with the system.

Installing and Configuring WireGuard

WireGuard is a relatively new technology known for its high speed and simplicity. It uses modern cryptography and generally works faster than OpenVPN.

Installing WireGuard

On recent versions of Ubuntu and Debian, just run:

sudo apt-get install wireguard

On other distributions, additional repository configuration may be required.

Generating keys

Each WireGuard node has a pair of "privatekey" and "publickey." Create them with the command:

wg genkey | tee privatekey | wg pubkey > publickey

Similar keys will be needed for the client.

Configuration file

In /etc/wireguard/wg0.conf, enter the following parameters:

[Interface]
Address = 10.8.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <Contents of the privatekey file>

[Peer]
PublicKey = <Client's public key>
AllowedIPs = 10.8.0.2/32

"Address" defines the virtual subnet, and "ListenPort" is the port WireGuard will listen on. "Peer" is the client.

Start and auto-start

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

"wg-quick" is a utility that simplifies working with WireGuard. After rebooting the server, the connection will automatically be restored.

Configuring Client Devices

On the user side, the appropriate software must be installed:

OpenVPN client

Download a GUI application (e.g., "OpenVPN GUI" for Windows or "Tunnelblick" for macOS) and import the .ovpn file. Make sure the configuration contains the correct server IP address and the correct paths to keys and certificates.

WireGuard client

On Windows, install "WireGuard for Windows," on macOS – "WireGuard.app," and on Linux – the "wireguard-tools" package. Create a profile (usually a .conf file) specifying [Interface] and [Peer], and add the client's "PrivateKey" and the server's "PublicKey." In the "Endpoint" field, enter your VPS address.

Click "Connect," and traffic will be routed through the VPN network after saving the configuration

Securing the VPN Server

To protect your server, follow these recommendations:

• Restrict SSH access. Set up key-based authentication and ensure the password login is disabled. Set a non-standard port if the network policy allows it;
• Use a firewall. Ensure only necessary ports are open: 1194 (OpenVPN), 51820 (WireGuard), and SSH. Close others using iptables or ufw;
• Update the system. Regular updates help eliminate vulnerabilities by timely receiving kernel and networking packages patches.

Testing and Troubleshooting

After setup, check if the connection works. Connect to the VPN from the client device and open a service that shows your IP address, such as whatismyip. You will see the VPS IP instead of your home IP if everything is done correctly. If problems arise, view the logs:

• OpenVPN: sudo journalctl -u openvpn@server
• WireGuard: sudo journalctl -u wg-quick@wg0

Common errors include incorrect keys, wrong server IP address, or unopened ports. Sometimes, people forget to enable packet forwarding in /etc/sysctl.conf (parameter net.ipv4.ip_forward=1).

Conclusion

Installing a VPN on a VPS is a very useful solution that provides full control over the communication channel and helps secure data transmission. You can choose OpenVPN as the classic option or WireGuard for faster performance. In both cases, ensuring the configuration is correctly set up, users have secure keys, and network ports are appropriately opened is essential. Regular system updates and careful log monitoring will help keep the server reliable and stable.

FAQ

How Is OpenVPN Different From WireGuard?

OpenVPN is a trusted and flexible protocol compatible with many platforms. WireGuard is a relatively new and fast protocol.

Why Is the VPN Client Configuration File Needed?

It contains the parameters for connecting to the VPN server: address, ports, keys. It is required to establish a secure connection.

What Is PKI in the Context of OpenVPN?

It is a public key infrastructure used to generate and manage certificates. It ensures secure authentication between the server and the client.

Why Is It Essential to Update the VPS Server?

Updates eliminate vulnerabilities and improve system security. Regular patching protects against potential attacks.

What Is "AllowedIPs" in the WireGuard Configuration?

It is a list of IP addresses allowed to pass through the VPN tunnel. It determines which traffic will be routed via the VPN.

How to Check That the VPN Is Working Correctly?

After connecting, visit a website that shows your IP address. If the VPS IP appears, then the VPN is working.

Why Is SSH Key-Based Authentication Important?

It is more secure to connect to the server than a password. Keys are harder to guess, reducing the risk of hacking.