Privacy Tools #OpenVPN#VPN#self-hosted

Self-Hosted OpenVPN Server: Setup Guide for Privacy and Remote Access

Set up your own OpenVPN server on a VPS for private, censorship-resistant VPN access you control completely.


Running your own OpenVPN server gives you a VPN that no company logs, sells, or monitors — because you control the infrastructure. While commercial VPNs are convenient, self-hosted VPNs provide stronger privacy guarantees and can be configured exactly to your needs. This guide covers setting up OpenVPN on a VPS using the automated openvpn-install script.

Why Self-Host?

Advantages over commercial VPNs:

  • Zero logs — you control the server, you control what’s logged (ideally: nothing)
  • Custom configuration — protocols, ports, DNS, cipher suites
  • No shared IP addresses with other users (no “dirty” IP reputation)
  • Potential cost savings at scale
  • Use as a secure tunnel for home network access

Disadvantages:

  • Your VPS provider knows your IP (you trust them instead of a VPN provider)
  • Single exit IP — websites can more easily fingerprint you
  • You manage updates and security

Choosing a VPS

For a privacy-focused self-hosted VPN:

Provider         Price      Notes
Mullvad VPS      ~€6/mo     Accepts crypto, privacy-focused
OrangeWebsite    ~$3/mo     Offshore (Iceland), accepts crypto
Njalla           ~$15/mo    Privacy-focused, anonymous registration
Hetzner          ~€4/mo     Cheap, reliable, German jurisdiction
Digital Ocean    ~$6/mo     Easy setup, US-based

Recommended specs: 1 vCPU, 1GB RAM, 20GB SSD — more than sufficient for a personal VPN server.

OS: Ubuntu 22.04 LTS or Debian 12 recommended for this guide.

Installation with openvpn-install Script

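The openvpn-install script automates the entire server configuration. The command below downloads it from the angristan/openvpn-install repository, which is based on Nyr's original openvpn-install script. Since it runs as root, read it before executing it: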

# Download and run the installer
wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
sudo bash openvpn-install.sh

The script asks:

  1. IP address: Auto-detects your server’s public IP — confirm or enter manually
  2. IPv6: Enable if your VPS supports it
  3. Port: Default 1194 (UDP) — or use 443 TCP to bypass firewalls
  4. Protocol: UDP (faster) or TCP (better for restricted networks)
  5. DNS: Choose a privacy-respecting resolver — Cloudflare (1.1.1.1), Quad9 (9.9.9.9), or AdGuard
  6. Cipher: Default AES-256-GCM is recommended
  7. Client name: Enter a name (e.g., your-laptop)

The script installs OpenVPN, generates a CA, server certificate, and client certificate, then outputs a .ovpn client configuration file.

Downloading the Client Config

Copy the .ovpn file from your server to your local machine:

# From your local machine:
scp root@YOUR_VPS_IP:/root/client-name.ovpn ./

Connecting Clients

Linux

sudo apt install openvpn
sudo openvpn --config your-config.ovpn

Or use NetworkManager: Import the .ovpn file via the VPN settings GUI.

Windows

Download OpenVPN GUI from openvpn.net. Right-click the tray icon → Import file → select .ovpn → Connect.

macOS

Download Tunnelblick (free) — drag the .ovpn file onto it.

Android/iOS

Install OpenVPN Connect from the app store. Import the .ovpn file.

Adding More Clients

Run the installer script again on the server:

sudo bash openvpn-install.sh

Select Add a new client and enter a new name. Each client gets a unique certificate — you can revoke individual clients without affecting others.

Security Hardening

After installation, harden your server:

Firewall Configuration

# Block all other inbound traffic (set the defaults before enabling the firewall)
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow only VPN traffic and SSH
sudo ufw allow 22/tcp        # SSH
sudo ufw allow 1194/udp      # OpenVPN (or your chosen port)
sudo ufw enable

Disable Root SSH Login

# Edit /etc/ssh/sshd_config
# (first confirm that a non-root user with sudo rights and an SSH key can log in)
PermitRootLogin no
# Use SSH keys only
PasswordAuthentication no

sudo systemctl restart sshd

Automatic Security Updates

sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
# Select 'Yes' to enable automatic updates

Minimize Logging

Edit /etc/openvpn/server.conf:

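verb 0          # No output except fatal errors (the generated config uses 3; OpenVPN's own default is 1)
log /dev/null   # Discard logs entirely
status /dev/null   # Replace any existing status line so no client status file is written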

Restart OpenVPN: sudo systemctl restart openvpn@server
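To confirm the edit took effect, the following added example (not part of the installer or of OpenVPN) scans a server config for the three directives above and reports any that still write logs. The two sample configs are constructed, and the script assumes the last occurrence of a directive is the effective one.

```shell
#!/usr/bin/env bash
# Added example: list the directives in an OpenVPN server config that still
# produce logs. Assumes the last occurrence of a directive is the effective one.

audit_logging() {   # $1 = path to server.conf; prints one finding per line
  awk '
    { sub(/[#;].*/, "") }                 # strip comments, including trailing ones
    NF == 0 { next }
    $1 == "verb"                      { verb = $2 }
    $1 == "log" || $1 == "log-append" { logdst = $2 }
    $1 == "status"                    { statdst = $2 }
    END {
      if (verb == "")                 print "verb: not set (OpenVPN default is 1)"
      else if (verb + 0 > 0)          print "verb: " verb " (guide value: 0)"
      if (logdst == "")               print "log: not set (messages go to stdout or syslog)"
      else if (logdst != "/dev/null") print "log: writes to " logdst
      if (statdst != "" && statdst != "/dev/null") print "status: writes to " statdst
    }
  ' "$1"
}

# Constructed sample inputs (not taken from a real server).
SAMPLE_VERBOSE=$(mktemp)
SAMPLE_QUIET=$(mktemp)
trap 'rm -f "$SAMPLE_VERBOSE" "$SAMPLE_QUIET"' EXIT

cat > "$SAMPLE_VERBOSE" <<'EOF'
port 1194
proto udp
cipher AES-256-GCM
status /var/log/openvpn/status.log
verb 3
EOF

cat > "$SAMPLE_QUIET" <<'EOF'
port 1194
proto udp
verb 0          # Minimal verbosity
log /dev/null   # Discard logs entirely
status /dev/null
EOF

echo "verbose config:"; audit_logging "$SAMPLE_VERBOSE"
echo "quiet config:";   audit_logging "$SAMPLE_QUIET"
```

On the server, run it as `audit_logging /etc/openvpn/server.conf`; no output means none of the three directives is writing logs.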

Verify the VPN is Working

After connecting, verify your IP has changed:

curl ifconfig.me
# Should show your VPS IP, not your home IP

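# Check for DNS leaks
# (quote the URL so the shell does not interpret ? and &)
curl 'https://dns.google/resolve?name=whoami.akamai.net&type=A'
# This query goes to Google's resolver over HTTPS, not through your system
# resolver, so also visit dnsleaktest.com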

Kill Switch (Linux)

Prevent traffic from leaking if the VPN drops:

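# Add to your VPN connection script or NetworkManager config (run as root)
# iptables evaluates rules in order, so the ACCEPT exceptions must come before the final DROP
# These rules cover IPv4 only
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d YOUR_VPS_IP -j ACCEPT  # Allow VPN traffic through
iptables -A OUTPUT -j DROP

# Save rules (this path is the one the iptables-persistent package loads at boot)
iptables-save > /etc/iptables/rules.v4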
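iptables walks the OUTPUT chain top to bottom, so a catch-all DROP that sits above the ACCEPT rules blocks everything, including the tunnel itself. The following added example (not from the original guide) reads rules in `iptables -S OUTPUT` format and lists any rule made unreachable that way. Both rule sets are constructed and 203.0.113.10 is a documentation address standing in for YOUR_VPS_IP.

```shell
#!/usr/bin/env bash
# Added example: find OUTPUT rules that can never match because an
# unconditional DROP/REJECT sits above them in the chain.

# Reads rules in `iptables -S OUTPUT` format on stdin and prints every rule
# that follows a catch-all "-A OUTPUT -j DROP" (no match criteria).
shadowed_rules() {
  awk '
    $1 == "-A" && $2 == "OUTPUT" {
      if (blocked) { print; next }
      # "-j" directly after the chain name means the rule has no match criteria.
      if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) blocked = 1
    }
  '
}

# Constructed sample: DROP appended first, so nothing below it is reachable.
BROKEN_ORDER='-P OUTPUT ACCEPT
-A OUTPUT -j DROP
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -j ACCEPT'

# Constructed sample: exceptions first, catch-all DROP last.
WORKING_ORDER='-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -j ACCEPT
-A OUTPUT -j DROP'

echo "broken order, unreachable rules:"
printf '%s\n' "$BROKEN_ORDER" | shadowed_rules
echo "working order, unreachable rules:"
printf '%s\n' "$WORKING_ORDER" | shadowed_rules
```

Against a live rule set, pipe the real chain in with `sudo iptables -S OUTPUT | shadowed_rules`; an empty result means no rule is hidden behind a catch-all DROP.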

Split Tunneling

Route only specific traffic through the VPN:

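In your .ovpn file, tell the client to ignore the default route redirect pushed by the server, then add only the routes you want:

route-nopull  # Don't pull routing changes from server (this also ignores pushed DNS settings)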

# Add specific routes
route 10.0.0.0 255.0.0.0  # Only route 10.x.x.x through VPN

Self-hosting OpenVPN gives you a VPN that’s as private as your VPS provider and your own server hygiene — both of which you control. Combined with a privacy-respecting VPS provider and minimal logging, it’s a strong foundation for personal privacy infrastructure.
