- OpenVPN offers strong security with TLS 1.2/1.3, AEAD, and tls-crypt.
- The choice between AES-GCM and ChaCha20 depends on the hardware and performance.
- PKI with Easy-RSA and per-client policies allow control and revocation.
- DNS/IPv6 leak testing and route tuning ensure surprise-free use.
If you're looking for a reliable way to protect your connections or reach your network from anywhere, OpenVPN is one of the most secure and versatile protocols you can run at home or in your business. This guide walks you through it from the ground up: what it is, what you need, how to set it up on Linux, Windows and routers, and how to connect clients on different systems.
Beyond simply turning it on and off, you will learn how to configure modern encryption, avoid typical failures, test for DNS/IPv6 leaks, and optimize performance. It covers TUN and TAP modes, tls-crypt vs tls-auth, Access Server usage, deployments on Omada and ASUS, and the key tricks for CG-NAT, routes and firewalls.
What is a VPN and why OpenVPN?

A VPN creates an encrypted tunnel between your device and a server, so that your real IP is hidden from the sites you visit (the VPN server itself still sees it) and your data travels protected across the networks in between. This allows for secure remote work, access to internal resources, and responsibly circumventing geoblocks.
OpenVPN is free software and a widely audited protocol that works on Windows, macOS, GNU/Linux, iOS and Android, as well as on many routers. It is based on SSL/TLS, authenticates with digital certificates, and can add a second factor via username and password.
Advantages and disadvantages of using a VPN
Among the clearest benefits are privacy and security: traffic is encrypted on the path to the VPN server, tracking on the local network is reduced, and you can browse with more peace of mind. It also enables secure remote access to internal networks, which is critical in professional environments.
Additionally, many people take advantage of VPN to access content available in other countries or on networks that apply blocks, always respecting the laws and terms of service of each platform.
On the less friendly side, speed may suffer from the encryption and the extra hop through the server, especially with free services or if the cipher is poorly chosen for hardware without acceleration. Also verify the source of the client apps you install, to avoid malicious software.
OpenVPN Performance: Speed, Latency, and Stability
With proper setup, OpenVPN offers consistent speeds, good latency, and high stability. In general, UDP has less overhead than TCP and is faster in most scenarios; TCP is only worth it where UDP is blocked, because tunnelling TCP inside TCP makes both layers retransmit and hurts latency.
On computers without AES-NI (hardware acceleration), ChaCha20-Poly1305 generally performs better than AES-GCM. If your CPU does accelerate AES, try both to decide; AES-GCM often wins in throughput there.
What is the purpose of setting up OpenVPN at home or at work?
Setting up your own server lets you browse securely even on public Wi-Fi, go online as if you were at home, and reach internal services such as file shares, printers, IP cameras or NAS devices.
Of course, your connection needs a public IP, or a workaround for CG-NAT (Carrier-Grade NAT), because without a reachable port you will not receive incoming connections. A good upload speed (e.g. 30 Mbps or more) greatly improves the experience, since the server's upload is the clients' download.
TUN and TAP modes: which one do I choose?
OpenVPN can work at layer 3 (TUN) or layer 2 (TAP). TUN creates a point-to-point IP tunnel and is the most common mode to route separate subnets with less overhead.
TAP mode works as an Ethernet bridge and encapsulates L2 frames, useful if you need the endpoints to be on the same subnet, but it adds more traffic and potential conflicts when subnets overlap.
Recommended cryptography and TLS versions
For certificates, elliptic-curve (EC) keys are the common choice today, for example secp521r1 with SHA-512 as the hash, as long as clients and servers are compatible and up to date (P-256/secp256r1 is faster and still adequate for most deployments).
On the control channel (TLS), set the minimum to TLS 1.2 (tls-version-min 1.2) and use TLS 1.3 where available with suites such as TLS_AES_256_GCM_SHA384 or TLS_CHACHA20_POLY1305_SHA256. Note that tls-ciphersuites only governs TLS 1.3; TLS 1.2 suites are restricted with tls-cipher. Forward secrecy via ECDHE is built into TLS 1.3 and should be the only kind of key exchange you leave enabled for TLS 1.2.
For the data channel, AES-256-GCM or CHACHA20-POLY1305 are robust choices. Both are AEAD ciphers, so they need no separate auth (HMAC) directive. Avoid legacy ciphers such as BF-CBC. On OpenVPN 2.5 and later, list the acceptable ciphers with data-ciphers so client and server negotiate one; the old cipher directive then only serves as the fallback for clients that cannot negotiate.
Harden the first phase of the negotiation with tls-crypt (or tls-crypt-v2, which gives each client its own key) to mitigate DoS and hide the metadata of the initial packets. tls-auth only authenticates control-channel packets with an HMAC and remains for legacy compatibility; tls-crypt both authenticates and encrypts them.
Essential preparations
Before starting: check your public IP, open the port on the router (forward UDP 1194, or whichever port you choose, to the server) and make sure you are not behind CG-NAT. If you don't have a fixed IP address, use DDNS to associate a domain name with your dynamic IP.
On Linux servers, prepare Easy-RSA 3 for the PKI and keep OpenVPN and the crypto libraries up to date. On Windows, the OpenVPN GUI installer provides the virtual network driver (TAP-Windows/Wintun) and sample configuration files.
Installation and configuration on GNU/Linux (Debian/Ubuntu) with Easy-RSA 3
Install the packages with APT: sudo apt update && sudo apt install openvpn easy-rsa (Debian/Ubuntu ship Easy-RSA 3 as a package, with the script at /usr/share/easy-rsa/easyrsa; otherwise download it from the project releases and unpack it). Then create a vars file with the desired key algorithm, curve and hash.
Useful values: set_var EASYRSA_ALGO ec; set_var EASYRSA_CURVE secp521r1; set_var EASYRSA_DIGEST "sha512". Use set_var EASYRSA_DN "cn_only" if you prefer to reduce the DN to just the Common Name.
Initialize the PKI with ./easyrsa init-pki, create your Certificate Authority with ./easyrsa build-ca (protect the CA private key with a passphrase; highly recommended), and generate a key and request for the server and for each client with ./easyrsa gen-req name. Add nopass for the server (./easyrsa gen-req server nopass); otherwise the daemon cannot start unattended.
Sign the server certificate with ./easyrsa sign-req server server_name and each client's with ./easyrsa sign-req client client_name. Then create the shared key for tls-crypt with openvpn --genkey secret ta.key (on OpenVPN 2.4 the syntax is openvpn --genkey --secret ta.key).
Organize folders so you don't get lost: server (ca.crt, server.crt, server.key, ta.key, and crl.pem once you revoke anything) and one per client with its crt, key, ca.crt and ta.key. Never copy the CA private key (ca.key) off the machine where you sign; the server does not need it.
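The whole procedure above as one non-interactive script, as an added example (not code from the original article or from the Easy-RSA project). It also adds the revocation step the article mentions but never shows. It assumes Easy-RSA 3 is installed at /usr/share/easy-rsa/easyrsa (override with EASYRSA_BIN), that the CA passphrase is in the CA_PASS environment variable, and that "server", "client1" and "Home VPN CA" are placeholder names.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: runs the Easy-RSA 3
# procedure above non-interactively and adds the revocation step the article
# mentions but never shows. Assumes Easy-RSA 3 (Debian/Ubuntu: apt install
# easy-rsa, script at /usr/share/easy-rsa/easyrsa), that CA_PASS holds the
# CA passphrase, and that "server" and "client1" are placeholder names.
set -eu

PKI_ROOT="${PKI_ROOT:-$HOME/openvpn-ca}"
EASYRSA="${EASYRSA_BIN:-/usr/share/easy-rsa/easyrsa}"

# vars content: the EC / secp521r1 / SHA-512 settings from the text, cn_only DNs,
# and explicit lifetimes (days) so nothing silently expires.
write_vars() {
  cat <<'EOF'
set_var EASYRSA_ALGO        ec
set_var EASYRSA_CURVE       secp521r1
set_var EASYRSA_DIGEST      "sha512"
set_var EASYRSA_DN          "cn_only"
set_var EASYRSA_CA_EXPIRE   3650
set_var EASYRSA_CERT_EXPIRE 825
EOF
}

# Files to copy to the server (ca.key is deliberately NOT among them).
server_files() {
  printf '%s\n' pki/ca.crt pki/issued/server.crt pki/private/server.key pki/ta.key
}

# Files a client named "$1" needs for its profile.
client_files() {
  printf '%s\n' pki/ca.crt "pki/issued/$1.crt" "pki/private/$1.key" pki/ta.key
}

# Wrapper: explicit vars/pki paths, batch mode, CA passphrase taken from the
# environment (OpenSSL "env:" syntax, so it never appears on a command line).
ersa() {
  export CA_PASS
  "$EASYRSA" --vars="$PKI_ROOT/vars" --pki-dir="$PKI_ROOT/pki" --batch \
    --passin=env:CA_PASS --passout=env:CA_PASS "$@"
}

build_pki() {
  mkdir -p "$PKI_ROOT"
  write_vars > "$PKI_ROOT/vars"
  ersa init-pki
  ersa --req-cn="Home VPN CA" build-ca
  # Server key without passphrase: the daemon has to start unattended
  ersa build-server-full server nopass
  # Shared tls-crypt key (OpenVPN 2.4 syntax: openvpn --genkey --secret ta.key)
  openvpn --genkey secret "$PKI_ROOT/pki/ta.key"
}

# One cert per client; nopass because phones cannot type a key passphrase.
issue_client() { ersa build-client-full "$1" nopass; }

# Revoke a lost or compromised client and rebuild the CRL that the server
# checks via 'crl-verify crl.pem'; copy pki/crl.pem to the server afterwards.
revoke_client() {
  ersa revoke "$1"
  ersa gen-crl
  echo "CRL written to $PKI_ROOT/pki/crl.pem"
}

# Usage: CA_PASS='...' ./pki.sh build | client NAME | revoke NAME
case "${1:-}" in
  build)  build_pki ;;
  client) issue_client "${2:?client name required}" ;;
  revoke) revoke_client "${2:?client name required}" ;;
  "")     ;;  # no arguments: only define the functions
  *)      echo "usage: $0 build | client NAME | revoke NAME" >&2; exit 2 ;;
esac
```

Run it as CA_PASS='...' ./pki.sh build, then ./pki.sh client client1 for each device; after ./pki.sh revoke client1, copy the new pki/crl.pem to the server, which must have crl-verify enabled for the revocation to take effect.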
OpenVPN Server Configuration Example (Linux)
Set the port and protocol (UDP recommended), choose dev tun, define the data-channel ciphers, TLS ciphersuites, ECDH curve and minimum TLS version. Also set the virtual subnet, the DNS servers you push to clients, and the unprivileged user the daemon drops to after start-up.
A server skeleton (adapt it to your environment): use the local routes, DNS and ciphers your clients support. With AEAD ciphers you need no separate auth directive. On Debian/Ubuntu the packaged systemd unit expects the file at /etc/openvpn/server/server.conf, with the certificate paths relative to that directory.
port 1194
proto udp
dev tun
ca ca.crt
cert servidor.crt
key servidor.key
# ECDH only: no static DH parameters needed
dh none
# HMAC plus encryption of the initial control-channel packets
tls-crypt ta.key
# Ciphers and TLS (check client compatibility)
# OpenVPN 2.5+: negotiated data-channel list; 'cipher' stays only as the
# fallback for clients that cannot negotiate
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
# tls-ciphersuites applies to TLS 1.3 only; TLS 1.2 suites are set with tls-cipher
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-version-min 1.2
ecdh-curve secp521r1
# Rekey the data channel every hour (the default); 0 would disable rekeying
reneg-sec 3600
# Reject certificates revoked with 'easyrsa revoke' + 'easyrsa gen-crl'
# (enable once crl.pem exists; OpenVPN refuses to start if the file is missing)
#crl-verify crl.pem
# Topology and virtual network
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Routes and DNS for clients
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Windows clients only (others log a warning and ignore it): keeps DNS
# queries from bypassing the tunnel
push "block-outside-dns"
# Lets VPN clients reach each other; remove if they should only reach the LAN
client-to-client
keepalive 10 120
max-clients 100
# Drop privileges after start-up
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Start it with sudo openvpn --config server.conf (or, with the Debian/Ubuntu packaging, sudo systemctl enable --now openvpn-server@server for a file at /etc/openvpn/server/server.conf) and wait for the message Initialization Sequence Completed. If it does not appear, check the file paths, that the server key has no passphrase, and the cipher/TLS compatibility messages in the log.
Client Configuration (Linux/Windows/macOS)
Create a profile per client with the same cipher and TLS settings as the server. The key differences are the client directive, the remote line with the server's IP or domain, and the client's own identity files (ca.crt, its certificate and key, and the shared ta.key).
client
dev tun
proto udp
remote ejemplo.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cliente1.crt
key cliente1.key
# Require the server EKU in the peer certificate (blocks impersonation by another client cert)
remote-cert-tls server
# Same cipher list as the server; 'cipher' only matters for old clients
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
# For TLS 1.3 where applicable
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-version-min 1.2
# HMAC plus control-channel encryption (same ta.key as the server)
tls-crypt ta.key
verb 3
On Windows, place the .ovpn and its certificate files in the OpenVPN GUI config folder (by default C:\Users\YourUser\OpenVPN\config) and connect from the notification-area icon. On macOS, use OpenVPN Connect or a compatible client such as Tunnelblick.
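Handing out four separate files per client is error-prone; the Windows GUI, OpenVPN Connect and the mobile apps all import a single .ovpn with the identity material inline more reliably. The bundler below is an added example, not code from the original article: it assumes the file layout from the PKI section (ca.crt, NAME.crt, NAME.key and ta.key in one directory) and reuses the article's placeholder hostname ejemplo.dyndns.org. The demo_profile function feeds it constructed placeholder PEM blocks, not real keys.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: bundles a client's files
# into one self-contained .ovpn with inline <ca>, <cert>, <key> and <tls-crypt>
# blocks. Assumes ca.crt, NAME.crt, NAME.key and ta.key sit in one directory.
set -eu

# Prints the inline profile for client "$1" whose files are in directory "$2",
# connecting to host "$3" on port "$4". Only the PEM blocks are inlined: the
# human-readable dump Easy-RSA prepends to issued certs and the comment lines
# in ta.key are dropped, since some importers choke on them.
make_inline_profile() {
  name="$1"; dir="$2"; host="$3"; port="$4"
  for f in ca.crt "$name.crt" "$name.key" ta.key; do
    [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-version-min 1.2
verb 3
<ca>
$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$dir/ca.crt")
</ca>
<cert>
$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$dir/$name.crt")
</cert>
<key>
$(cat "$dir/$name.key")
</key>
<tls-crypt>
$(sed -n '/-----BEGIN OpenVPN Static key V1-----/,/-----END OpenVPN Static key V1-----/p' "$dir/ta.key")
</tls-crypt>
EOF
}

# Builds a profile from CONSTRUCTED placeholder files (not real certificates
# or keys) in a temp directory and prints the path of the resulting .ovpn.
demo_profile() {
  d=$(mktemp -d)
  printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholderCA\n-----END CERTIFICATE-----\n' > "$d/ca.crt"
  printf 'Certificate:\n    Data: (text dump Easy-RSA prepends)\n-----BEGIN CERTIFICATE-----\nMIIBplaceholderClient\n-----END CERTIFICATE-----\n' > "$d/client1.crt"
  printf -- '-----BEGIN PRIVATE KEY-----\nMIGplaceholderKey\n-----END PRIVATE KEY-----\n' > "$d/client1.key"
  printf '#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n00ffplaceholder\n-----END OpenVPN Static key V1-----\n' > "$d/ta.key"
  make_inline_profile client1 "$d" ejemplo.dyndns.org 1194 > "$d/client1.ovpn"
  echo "$d/client1.ovpn"
}
```

With real files: make_inline_profile client1 /path/to/client1 ejemplo.dyndns.org 1194 > client1.ovpn, then import that one file on any platform (or run sudo openvpn --config client1.ovpn on Linux). The .ovpn now contains the private key, so transfer it over a trusted channel and delete the copies you no longer need.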
Routes and NAT on your network
For computers on the remote LAN to answer VPN clients, either add a static route on your router for 10.8.0.0/24 with the OpenVPN server's LAN address as the gateway, or NAT (masquerade) the VPN subnet on the server so that LAN hosts only ever see the server's own address.
To send all client traffic through the VPN, use push "redirect-gateway def1", enable IP forwarding and NAT on the server, and push trustworthy DNS servers. Then check for leaks from a connected client: ip route get 1.1.1.1 must show dev tun0, resolvectl status (or /etc/resolv.conf) must list only the pushed resolvers, and if the server does not carry IPv6 you must either provide it inside the tunnel (server-ipv6 plus push "redirect-gateway ipv6") or make clients drop it (OpenVPN 2.5+ has block-ipv6, which needs an IPv6 address on the tunnel and redirect-gateway ipv6 so the traffic actually reaches it); otherwise a dual-stack client keeps using its native IPv6 path.
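The server-side forwarding, NAT and firewall rules that push "redirect-gateway def1" depends on, as an added example that is not part of the original article. It assumes iptables on a Linux server and takes the article's values (eth0 as the uplink, tun0, 10.8.0.0/24, UDP 1194) as defaults; on a single-NIC home server eth0 is also the LAN interface, so the same masquerade covers access to 192.168.1.0/24 without a static route on the router.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: the server-side forwarding,
# NAT and firewall rules that 'push "redirect-gateway def1"' relies on and the
# article does not show. Assumes iptables on a Linux server; eth0, tun0,
# 10.8.0.0/24 and udp 1194 are the article's values, adjust them to yours.
# Prints the commands by default so you can review them; APPLY=1 runs them as root.
set -eu

WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"

# Without forwarding the kernel drops client packets at tun0; persist the setting.
forward_rules() {
  printf '%s\n' "sysctl -w net.ipv4.ip_forward=1" \
    "echo net.ipv4.ip_forward=1 > /etc/sysctl.d/99-openvpn.conf"
}

# Accept the VPN port, forward only traffic coming from the VPN subnet, allow
# the replies back, and masquerade so LAN and Internet hosts see the server's
# own address (the alternative is the static route on the router mentioned above).
nat_rules() {
  wan="$1"; vpn_if="$2"; net="$3"; port="$4"
  printf '%s\n' \
    "iptables -A INPUT -p udp --dport $port -j ACCEPT" \
    "iptables -A FORWARD -i $vpn_if -o $wan -s $net -j ACCEPT" \
    "iptables -A FORWARD -i $wan -o $vpn_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
    "iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE"
}

all_rules() {
  forward_rules
  nat_rules "$WAN_IF" "$VPN_IF" "$VPN_NET" "$VPN_PORT"
}

# The rules are not persistent on their own: after APPLY=1, save them with
# iptables-save (or install the iptables-persistent package).
if [ "${APPLY:-0}" = "1" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 needs root" >&2; exit 1; }
  all_rules | sh -e
else
  all_rules
fi
```

Review the printed commands, then run sudo env APPLY=1 WAN_IF=eth0 ./vpn-nat.sh. If your firewall's FORWARD policy is DROP (the safe default), these rules are exactly what makes the difference between a client that connects and a client that connects but cannot reach anything.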
Using OpenVPN Access Server on Linux
OpenVPN Access Server simplifies administration through a web console: install the package, open https://IP:943/admin, accept the terms and activate the service. From there you can create users, download profiles, and get client installers for each system.
The free tier is limited (for example, two simultaneous connections). The console also exposes advanced options such as auto-login profiles (which connect without a username or password, so treat the profile file as a secret) and disabling compression if it causes problems; keep compression off in any case, since it enables VORACLE-style attacks on the tunnelled traffic.
Clients on Windows, macOS, Linux, Android and iOS
On Windows and macOS you can use OpenVPN Connect or the community GUI: import the .ovpn profile and authenticate. On Linux, install the openvpn package and either run sudo openvpn --config client1.ovpn or place the file in /etc/openvpn/client/ as name.conf and start it with systemctl start openvpn-client@name.
On Android and iOS, the OpenVPN Connect app lets you import the profile from a server URL or by uploading the .ovpn file. Check that the port, username and, where applicable, password or 2FA code are correct.
Configuration on routers and controllers: ASUS and Omada
Many ASUS routers include a built-in OpenVPN server: enable it in the router's web interface, choose the port, create users, and export the .ovpn. It works best with a public WAN IP and up-to-date firmware.
In Omada environments you can set up a client-to-site VPN policy: define OpenVPN as the server type, the port, full or split tunnel, DNS and users, then export the .ovpn profile for clients.