
How to Set Up OpenVPN on a Cloud Server — A Complete Self-Hosted VPN Guide

OpenVPN is the protocol I reach for when I need VPN access from networks where WireGuard might be blocked. Corporate firewalls and hotel networks sometimes block UDP traffic, which is WireGuard's only option. OpenVPN supports both TCP and UDP, which means it works in nearly every network environment.

I run OpenVPN on a cloud server to give myself a consistent, private network path when I'm traveling or working from public networks. The openvpn-install script makes the setup process fast — the manual configuration approach would take much longer.

This guide covers the full setup from a clean Ubuntu server to a working VPN with client configurations ready to import into the OpenVPN app.

This guide sets up an OpenVPN server on Ubuntu 22.04 using the widely-used openvpn-install script, which handles the complex PKI (Public Key Infrastructure) setup automatically.

I run OpenVPN on Tencent Cloud Lighthouse. The entry-level plan (2 vCPU / 2 GB RAM) handles OpenVPN for personal use easily — it uses minimal CPU and RAM at idle. The key advantage for a VPN server specifically is global data center coverage: Lighthouse has regions in North America, Europe, Singapore, Tokyo, and more, so you can place your VPN exit point wherever suits your use case. The fixed monthly bandwidth allowance also means routing your browsing traffic through the VPN doesn't generate per-GB charges that accumulate unexpectedly.


Table of Contents

  1. OpenVPN vs WireGuard — Choosing the Right Protocol
  2. Prerequisites
  3. Part 1 — Server Setup
  4. Part 2 — Install OpenVPN with the Automated Script
  5. Part 3 — Create Client Profiles
  6. Part 4 — Connect from Each Device
  7. Part 5 — Manage Clients
  8. Part 6 — Configure the Firewall
  9. The Gotcha: TCP vs UDP Mode
  10. Troubleshooting Connection Issues

Key Takeaways

  • Use the appropriate Lighthouse application image to skip manual installation steps where available
  • Lighthouse snapshots provide one-click full-server backup before major changes
  • OrcaTerm browser terminal lets you manage the server from any device
  • CBS cloud disk expansion handles growing storage needs without server migration
  • Console-level firewall + UFW = two independent protection layers

OpenVPN vs WireGuard — Choosing the Right Protocol

| | OpenVPN | WireGuard |
|---|---|---|
| Protocol | TCP or UDP | UDP only |
| Connection speed | Good | Excellent |
| Firewall traversal | Excellent (TCP mode on port 443 mimics HTTPS) | Limited (UDP only) |
| Config complexity | Higher | Lower |
| Client compatibility | All platforms | All modern platforms |
| Code size | ~70,000 lines | ~4,000 lines |

Choose OpenVPN when:

  • Connecting from networks that block UDP (corporate, hotel, some ISPs)
  • You need TCP-based VPN that looks like HTTPS traffic (port 443 TCP)
  • You need broad legacy device compatibility

Choose WireGuard when:

  • Performance is the priority
  • UDP isn't blocked on your network
  • Simplest possible configuration

Prerequisites

| Requirement | Notes |
|---|---|
| Cloud server | Tencent Cloud Lighthouse Ubuntu 22.04 |
| Root/sudo access | Required for network configuration |
| UDP port 1194 (or TCP 443) | Must be open in firewall |

Cost: A Lighthouse Starter plan (~$5–6/month) is more than sufficient for a personal VPN.


Part 1 — Server Setup

ssh ubuntu@YOUR_SERVER_IP
sudo apt update && sudo apt upgrade -y

# Open VPN port in firewall
# UDP is default and recommended
sudo ufw allow 1194/udp

# If using TCP mode (e.g., port 443 to bypass firewalls):
# sudo ufw allow 443/tcp

sudo ufw allow ssh
sudo ufw enable

Also open the VPN port in the Lighthouse console firewall tab.


Part 2 — Install OpenVPN with the Automated Script

The openvpn-install script automates the PKI setup, server configuration, and service management — saving several hours of manual work:

# Download the script
wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh

# Run it as root
sudo bash openvpn-install.sh
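
The script is fetched from the `master` branch and executed as root, so its contents can change between one download and the next. The following is an added example (not part of the original guide or the openvpn-install project) that refuses to run the installer unless its SHA-256 matches a value you recorded after reviewing the file; the function names and the hash and commit placeholders are assumptions of this example.

```shell
#!/bin/sh
# Added example: run a downloaded installer only if its SHA-256 matches the
# value recorded when the script was reviewed. Names here are illustrative.
# To fetch a fixed revision, replace "master" in the URL with a commit id:
#   https://raw.githubusercontent.com/angristan/openvpn-install/<COMMIT>/openvpn-install.sh

# verify_sha256 FILE EXPECTED_HEX
#   returns 0 on match, 1 on mismatch, 2 on unusable input
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # Reject anything that is not hex, such as a placeholder left unfilled
    case $expected in
        ''|*[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash must be 64 hex chars" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "hash mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# run_if_verified FILE EXPECTED_HEX: start the installer as root only after the check
run_if_verified() {
    verify_sha256 "$1" "$2" || return $?
    sudo bash "$1"
}

# Usage (placeholder, replace with the hash you recorded at review time):
#   run_if_verified openvpn-install.sh "<SHA256_YOU_RECORDED>"
```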

The script asks several questions:

IP address: [auto-detected — verify it's your public IP]
Protocol [UDP/TCP]: UDP (recommended)
Port [1194]: 1194 (or 443 for TCP mode)
DNS [1]: 1 (current system DNS) or 3 (1.1.1.1) or 8 (Google)
Client name: myfirstclient

The script:

  1. Installs OpenVPN and EasyRSA
  2. Creates a Certificate Authority (CA)
  3. Generates server and client certificates
  4. Configures the OpenVPN server
  5. Creates a .ovpn client profile file
  6. Starts the OpenVPN service

After completion:

sudo systemctl status openvpn-server@server
# Should show: Active: active (running)

The client profile is saved at: /root/myfirstclient.ovpn


Part 3 — Create Client Profiles

Run the script again to add more clients:

sudo bash openvpn-install.sh
# Choose option 1: Add a new client
# Enter client name: laptop, phone, etc.

Each client gets its own .ovpn file containing the client certificate and keys.

Download the .ovpn file to your local machine:

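# On your local machine. /root is readable only by root, so stream the file
# through sudo (assumes the ubuntu user has passwordless sudo):
ssh ubuntu@YOUR_SERVER_IP 'sudo cat /root/myfirstclient.ovpn' > ~/Downloads/myfirstclient.ovpn
chmod 600 ~/Downloads/myfirstclient.ovpn   # the profile embeds the client's private key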

Or use OrcaTerm (Lighthouse browser terminal) to view and copy the file content.


Part 4 — Connect from Each Device

Linux

sudo apt install -y openvpn
sudo openvpn --config myfirstclient.ovpn

# Or as a system service:
sudo cp myfirstclient.ovpn /etc/openvpn/client/myfirstclient.conf
sudo systemctl start openvpn-client@myfirstclient

Verify the VPN is working:

curl ifconfig.me
# Should return your Lighthouse server IP, not your real IP

macOS

Download Tunnelblick (free). Double-click the .ovpn file to import it.

Windows

Download OpenVPN Connect or OpenVPN GUI. Import the .ovpn file.

iOS

App Store → "OpenVPN Connect". Transfer the .ovpn file to your phone (via email or AirDrop), then open it with OpenVPN Connect.

Android

Google Play → "OpenVPN Connect" or "OpenVPN for Android". Import the .ovpn file.


Part 5 — Manage Clients

Revoke a client

sudo bash openvpn-install.sh
# Choose option 2: Revoke an existing client
# Select the client name to revoke

This invalidates the client's certificate — they can no longer connect.

View connected clients

sudo cat /etc/openvpn/server/openvpn-status.log
# Shows currently connected clients with their assigned IPs
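
OpenVPN checks the revocation list when a client connects or renegotiates, so a session that was already up can stay listed for a while after a revoke. The following is an added example, not from the original guide: it parses the status file to list sessions and to test whether a named client is still connected. It assumes the default `status-version 1` layout; the sample data and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise an OpenVPN status file (assumes the default
# status-version 1 layout) and test whether a client still has a session.

# Constructed sample standing in for /etc/openvpn/server/openvpn-status.log
sample_status() {
cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jan  4 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop,203.0.113.10:51234,482113,9120044,Thu Jan  4 09:02:11 2024
phone,198.51.100.7:40022,10233,88421,Thu Jan  4 09:40:03 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,laptop,203.0.113.10:51234,Thu Jan  4 09:59:58 2024
10.8.0.3,phone,198.51.100.7:40022,Thu Jan  4 09:59:41 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# list_sessions: status file on stdin -> "name|source|vpn_ip|connected_since"
list_sessions() {
    awk -F, '
        $1 == "OpenVPN CLIENT LIST" { sec = "clients"; next }
        $1 == "ROUTING TABLE"       { sec = "routes";  next }
        $1 == "GLOBAL STATS"        { sec = "";        next }
        # Skip the Updated line and the column-header row of each section
        $1 == "Updated" || $1 == "Common Name" || $1 == "Virtual Address" { next }
        sec == "clients" && NF >= 5 { src[$1] = $2; since[$1] = $5; order[++n] = $1 }
        sec == "routes"  && NF >= 4 { vip[$2] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                printf "%s|%s|%s|%s\n", c, src[c], ((c in vip) ? vip[c] : "-"), since[c]
            }
        }'
}

# still_connected NAME: exit 0 if NAME has a live session in the status on stdin
still_connected() {
    list_sessions | awk -F'|' -v cn="$1" '$1 == cn { found = 1 } END { exit !found }'
}

# On the server:
#   sudo cat /etc/openvpn/server/openvpn-status.log | list_sessions
```

If `still_connected` reports a revoked name as present, restarting the service with `sudo systemctl restart openvpn-server@server` drops every session and forces clients to reconnect against the current revocation list.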

View OpenVPN logs

sudo journalctl -u openvpn-server@server -f

Part 6 — Configure the Firewall

OpenVPN needs IP forwarding (to route traffic from VPN clients to the internet):

# Verify IP forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward
# Should return: 1

# If not enabled:
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

The openvpn-install script handles iptables NAT rules automatically. Verify:

sudo iptables -t nat -L POSTROUTING -n -v
# Should show a MASQUERADE rule for the VPN subnet

The Gotcha: TCP vs UDP Mode

OpenVPN over UDP (default) offers the best performance. But some networks aggressively block or throttle UDP traffic.

If you can't connect from a corporate or hotel network:

  1. Re-run the setup script
  2. Choose TCP mode
  3. Use port 443 (same as HTTPS — almost never blocked)

The drawback: OpenVPN over TCP is slower than UDP because retransmission then happens at two layers: in the traffic carried inside the tunnel and in the TCP transport that carries the tunnel itself. For most uses it's fine; for latency-sensitive tasks like gaming or video calls, use UDP.

Check which mode your server is using:

grep "^proto" /etc/openvpn/server/server.conf
# proto udp  or  proto tcp
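
Profiles issued before a switch to TCP still name the old protocol and port and will fail to connect. The following is an added example, not from the original guide, that compares `proto` and `port` in `server.conf` with `proto` and `remote` in a client profile; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a client profile still matches the server's transport
# after switching between UDP and TCP mode.

# conf_value FILE KEY [N]: print the Nth argument of the first KEY directive
conf_value() {
    awk -v key="$2" -v n="${3:-1}" '$1 == key { print $(n + 1); exit }' "$1"
}

# norm_proto: reduce udp4, tcp-client, tcp6-server, ... to plain udp or tcp
norm_proto() {
    printf '%s\n' "$1" | sed -e 's/-client$//' -e 's/-server$//' -e 's/[46]$//'
}

# check_profile SERVER_CONF CLIENT_OVPN: exit 0 when protocol and port agree
check_profile() {
    s_proto=$(norm_proto "$(conf_value "$1" proto)")
    s_port=$(conf_value "$1" port)
    c_proto=$(norm_proto "$(conf_value "$2" proto)")
    c_port=$(conf_value "$2" remote 2)
    # OpenVPN falls back to udp and 1194 when a directive is absent
    s_proto=${s_proto:-udp}; c_proto=${c_proto:-udp}
    s_port=${s_port:-1194};  c_port=${c_port:-1194}
    if [ "$s_proto" = "$c_proto" ] && [ "$s_port" = "$c_port" ]; then
        echo "OK: $s_proto/$s_port"
        return 0
    fi
    echo "MISMATCH: server $s_proto/$s_port, client $c_proto/$c_port"
    return 1
}

# demo: constructed files showing a profile issued before a switch to TCP 443
demo() {
    d=$(mktemp -d)
    printf 'port 443\nproto tcp\ndev tun\n' > "$d/server.conf"
    printf 'client\nproto udp\nremote 203.0.113.5 1194\n' > "$d/old.ovpn"
    rc=0
    check_profile "$d/server.conf" "$d/old.ovpn" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage as root on the server:
#   check_profile /etc/openvpn/server/server.conf /root/myfirstclient.ovpn
```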

Troubleshooting Connection Issues

| Issue | Check | Fix |
|---|---|---|
| Can't connect at all | Port accessible? | `nc -zvu YOUR_SERVER_IP 1194` from client (UDP mode; omit `-u` for TCP mode) |
| Connects but no internet | IP forwarding | `cat /proc/sys/net/ipv4/ip_forward` should be 1 |
| DNS leaks | DNS config | Set DNS to 1.1.1.1 in setup |
| Blocked on corporate network | UDP blocked | Switch to TCP mode on port 443 |
| Certificate expired | Cert validity | Check cert expiry, re-run script to regenerate |

Frequently Asked Questions

How many simultaneous connections can a VPN server on a VPS handle?
For personal or small team use, a VPS handles 10–30 simultaneous VPN connections comfortably. Bandwidth is usually the limiting factor, not CPU or RAM.

Will a self-hosted VPN make all my traffic private?
Your traffic is encrypted between your device and the VPN server. After the VPN server, traffic goes to its destination normally. The VPN protects against network-level eavesdropping but doesn't make you anonymous on the public internet.

What region should I choose for my VPN server?
Choose based on your use case: for low latency, pick the region closest to you. For a specific exit IP location (e.g., to access a region-specific service), pick accordingly. Lighthouse has data centers in North America, Europe, and Asia-Pacific.

Is WireGuard more secure than OpenVPN?
Both are considered secure. WireGuard's codebase is substantially smaller (4,000 lines vs 70,000+), making it easier to audit. OpenVPN has a longer track record. For most users, WireGuard is the better choice for new deployments.

Can I use the VPN on mobile devices?
Yes — WireGuard and OpenVPN both have official mobile apps for iOS and Android. Client configuration is imported via QR code (WireGuard) or .ovpn file (OpenVPN).
