Server 3.x

OpenVPN

For VPN server deployments made on or after 2025-12-08, OpenVPN is not enabled out of the box; new deployments offer WireGuard only.

This document explains how to enable OpenVPN in case you want it.

Portal Configuration

You need to modify /etc/vpn-user-portal/config.php to enable OpenVPN. See the “OpenVPN” section of Profile Config for all OpenVPN configuration options.

At a minimum you need to set the oRangeFour and oRangeSix options of the profile to a valid IPv4 prefix and a valid IPv6 prefix respectively; these are the client address pools OpenVPN hands out, so they must not overlap with the WireGuard ranges, with any other profile, or with networks the clients need to reach.

NOTE: if both WireGuard and OpenVPN are enabled for a VPN profile, OpenVPN is the default protocol for clients, unless you set the preferredProto option of that profile to wireguard!

To generate some prefixes, you can use the included generate-prefix script, e.g.:

$ /usr/libexec/vpn-user-portal/generate-prefix
10.167.20.0/24
fd0f:f819:9320:dd8a::/64

All other (OpenVPN) settings are optional. By default OpenVPN listens on port 1194 on both UDP and TCP.
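A minimal profile with OpenVPN enabled, shown here as an added example rather than a copy of the config.php shipped with the server: the OpenVPN prefixes are the ones produced by the generate-prefix run above; the profile id default, the displayName, the hostName and the WireGuard wRangeFour/wRangeSix values are illustrative assumptions, and the commented-out oUdpPortList/oTcpPortList option names are assumed as well (verify them against the Profile Config page before relying on them).

```php
<?php

// Fragment of /etc/vpn-user-portal/config.php (added example, not the
// project's shipped file). Only the 'vpnProfiles' key is shown; keep the
// rest of your existing configuration as it is.
return [
    'vpnProfiles' => [
        // profile id 'default' is an assumption for this example
        'default' => [
            'displayName' => 'Default',            // assumed
            'hostName' => 'vpn.example.org',       // assumed

            // WireGuard client ranges (assumed values); WireGuard stays
            // enabled alongside OpenVPN for this profile
            'wRangeFour' => '10.43.43.0/24',
            'wRangeSix' => 'fd43::/64',

            // OpenVPN client ranges: setting these enables OpenVPN for
            // this profile. Values taken from the generate-prefix output
            // above; they must not overlap the WireGuard ranges.
            'oRangeFour' => '10.167.20.0/24',
            'oRangeSix' => 'fd0f:f819:9320:dd8a::/64',

            // With both protocols enabled OpenVPN is the default; set this
            // to keep WireGuard preferred for clients that support both.
            'preferredProto' => 'wireguard',

            // Listening ports default to 1194 on UDP and TCP. If you
            // change them here, the firewall rules (and on Fedora/EL the
            // SELinux port labels) must follow. Option names assumed.
            // 'oUdpPortList' => [1194],
            // 'oTcpPortList' => [1194],
        ],
    ],
];
```

A config.php that does not parse takes the portal down, so run `php -l /etc/vpn-user-portal/config.php` after editing and only then continue with the firewall and the apply-changes step below.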

Firewall

Next, you need to update the firewall to open the relevant ports, and to forward the OpenVPN traffic.

Modify /etc/sysconfig/nftables.conf on Fedora / Enterprise Linux, or /etc/nftables.conf on Debian / Ubuntu.

Inside the input chain, make sure that port 1194 is open for both UDP and TCP. Inside the forward chain, make sure you add "tun*" (the OpenVPN devices) to the iifname set, next to the existing WireGuard interface:

table inet filter {
    chain input {

        # other rules...

        # OpenVPN listens on 1194/tcp and 1194/udp by default;
        # 51820/udp is WireGuard, 22/80/443 are SSH and the portal
        tcp dport { 22, 80, 443, 1194 } accept
        udp dport { 1194, 51820 } accept

    }

    chain forward {

        # other rules...

        # accept traffic arriving from any OpenVPN tun device (tun*) or
        # the WireGuard device and leaving via the external interface;
        # $EXTERNAL_IF is the variable for your public interface defined
        # elsewhere in this file (e.g. define EXTERNAL_IF = eth0)
        iifname { "tun*", "wg0" } oifname $EXTERNAL_IF accept
    }

    # other chains...

}

If you decided to use other OpenVPN ports, you obviously need to reflect that in the firewall rules as well. If you are deploying on Fedora / Enterprise Linux, you MAY also need to update the SELinux configuration: SELinux only lets OpenVPN bind to ports labelled openvpn_port_t, so non-default ports have to be labelled before OpenVPN can listen on them.

Apply Changes

$ sudo vpn-maint-apply-changes
$ sudo systemctl restart nftables

Now OpenVPN should be enabled and working!