How to Set Up a Personal VPN Server on Arch Linux

In today’s digitally connected world, privacy and security are paramount. Whether you are on public Wi-Fi or need to reach resources that are only available from a particular network, a Virtual Private Network (VPN) carries your traffic through an authenticated, encrypted tunnel. Many people subscribe to commercial VPN services; running your own server instead gives you full control over the software, the configuration and the logs, with no third party in the path other than the hosting provider or ISP that connects the server to the internet.

This guide walks you through setting up a personal VPN server on Arch Linux using OpenVPN, a widely deployed open-source VPN, with Easy-RSA managing the certificates. We’ll cover installation, PKI and certificate generation, server configuration, IP forwarding and firewall rules, and client setup.


Why Set Up Your Own VPN Server?

There are several reasons to host your own VPN:

  • Privacy: You control the server, its configuration and its logs (or the absence of logs). Be clear about what this buys you: the provider or ISP that connects the server still sees your traffic leave it, and a single-user server's address identifies you as surely as your home address does. This is control, not anonymity.
  • Security: Traffic is encrypted and authenticated between your client and your server, which keeps it away from whoever runs the public Wi-Fi you are on.
  • Access: Reach your home network and services remotely without exposing each of them to the internet individually.
  • Bypass Restrictions: Access content blocked in specific regions or networks.
  • Learning Opportunity: Running your own VPN teaches you PKI, routing and firewalling, which are core sysadmin skills.

Prerequisites

Before diving into the installation, ensure you have the following:

  • A machine running Arch Linux (can be a VPS, home server, or Raspberry Pi).
  • Root or sudo privileges.
  • A public IP address or a domain name (for ease of connection), with UDP port 1194 reachable from the internet; on a home connection that means a port-forwarding rule on your router.
  • Basic familiarity with the Linux command line.

Step 1: System Update

Always start with a fully updated system:

sudo pacman -Syu

Reboot if needed after kernel or system updates.


Step 2: Install OpenVPN and Easy-RSA

Install the necessary packages:

sudo pacman -S openvpn easy-rsa
  • openvpn: The core VPN server and client software.
  • easy-rsa: A CLI utility to manage a public key infrastructure (PKI), which you’ll use to create keys and certificates.

Step 3: Set Up Easy-RSA PKI

First, set up a private copy of Easy-RSA with its own PKI directory. Arch also ships an easyrsa wrapper in /usr/bin that keeps its PKI under /etc/easy-rsa; a private copy lets the PKI live on a machine other than the VPN server, which is where it belongs (see below):

mkdir -p ~/openvpn-ca
cp -r /usr/share/easy-rsa/* ~/openvpn-ca/
cd ~/openvpn-ca

Initialize the PKI environment:

./easyrsa init-pki

Build the certificate authority (CA):

./easyrsa build-ca

You’ll be prompted for a passphrase to protect the CA key and for a common name (CN), e.g., MyVPN-CA. The passphrase is needed every time you sign a certificate request. This CA signs the server and client certificates, so pki/private/ca.key is the root of trust for the whole VPN: anyone who holds it can mint certificates your server will accept. Ideally keep ~/openvpn-ca on an administrative machine rather than on the VPN server, and copy only ca.crt, the signed certificates, dh.pem and crl.pem across (Step 6). If you generate everything on the server itself, at least keep the passphrase on the CA key.


Step 4: Generate Server Keys and Certificates

Generate the server certificate and key:

./easyrsa gen-req server nopass

Sign the server certificate with your CA:

./easyrsa sign-req server server

Generate Diffie-Hellman parameters:

./easyrsa gen-dh

Create a certificate revocation list (CRL):

./easyrsa gen-crl

The CRL lets the server reject a client certificate you have revoked (./easyrsa revoke client1, then gen-crl again). Two caveats: the server only sees the copy of crl.pem you give it, so recopy the file after every revocation, and Easy-RSA gives the CRL a limited validity (EASYRSA_CRL_DAYS, 180 days by default). Once it expires, crl-verify fails for every client, so regenerate and recopy it before then.

Step 5: Generate Client Keys and Certificates

Repeat the process for each client:

./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

You can create multiple clients by changing the name (e.g., client2, laptop, etc.). Issue one certificate per device, never a shared one, so that a lost laptop can be revoked on its own. The nopass option leaves the client key unencrypted on disk; for a laptop you may prefer to omit it and enter a passphrase on connect.


Step 6: Move Keys and Certificates to OpenVPN Directory

Create the OpenVPN server directory and copy the required files:

sudo mkdir -p /etc/openvpn/server
cd ~/openvpn-ca/pki

sudo cp ca.crt issued/server.crt private/server.key dh.pem crl.pem /etc/openvpn/server/

Ensure proper permissions. Only the server key needs to be private; ca.crt and crl.pem must stay world-readable, because OpenVPN re-reads crl.pem whenever the file changes, and by then it has dropped privileges to nobody (the user and group lines in Step 7):

sudo chown root:root /etc/openvpn/server/*
sudo chmod 600 /etc/openvpn/server/server.key
sudo chmod 644 /etc/openvpn/server/ca.crt /etc/openvpn/server/crl.pem

Step 7: Create OpenVPN Server Configuration

Create the server configuration file:

sudo nano /etc/openvpn/server/server.conf

Paste the following:

port 1194
proto udp
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# OpenVPN 2.4+ negotiates the data-channel cipher; a bare "cipher" line is
# deprecated in 2.5+ and pins a non-AEAD cipher. Offer AEAD ciphers only.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
remote-cert-tls client
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3

Save and exit the file.

A few notes on these settings. The file paths are relative because Arch’s openvpn-server@.service runs OpenVPN with /etc/openvpn/server as its working directory. topology subnet gives each client a real address in 10.8.0.0/24 instead of the deprecated net30 pairs. remote-cert-tls client makes the server reject any certificate that was not issued with Easy-RSA’s client type, so a copied server certificate cannot be used to connect as a client. The redirect-gateway push sends all of the client’s traffic through the tunnel; if you only want remote access to your home network, drop it and push a route for the LAN instead. The pushed DNS servers are applied automatically by the Windows, macOS, iOS and Android clients, but a Linux client only honours dhcp-option DNS through a helper such as an up script or the systemd-resolved plugin. If you still have to support OpenVPN 2.3 clients, which cannot negotiate ciphers, add data-ciphers-fallback AES-256-CBC; otherwise leave CBC out entirely.


Step 8: Enable IP Forwarding

Enable IPv4 forwarding:

sudo sysctl -w net.ipv4.ip_forward=1

Make it persistent across reboots with a dedicated drop-in file (appending to a shared file with tee -a adds a duplicate line every time you rerun the command):

echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/30-ipforward.conf

Step 9: Set Up Firewall with iptables or nftables

If using iptables, you need three things: accept the VPN port, allow forwarding between the tunnel and your uplink, and NAT the VPN subnet out of the uplink. A masquerade rule alone is not enough if the FORWARD policy is DROP:

sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Make it persistent. On Arch the iptables-nft package provides the iptables command (backed by nftables) together with iptables.service, which loads /etc/iptables/iptables.rules at boot:

sudo pacman -S iptables-nft
sudo iptables-save | sudo tee /etc/iptables/iptables.rules
sudo systemctl enable iptables
sudo systemctl start iptables

Replace eth0 with your actual network interface (use ip a to check). Use either this iptables setup or the nftables one below, not both: two services loading rules into the same kernel will clash.

Alternatively, for nftables:

sudo pacman -S nftables

Create rules in /etc/nftables.conf. The input chain drops everything except established connections, loopback, ICMP, SSH and the VPN port; the forward chain only passes traffic that originates from the tunnel, plus the replies to it. If you administer the box over a port other than 22, change that rule before loading the file or you will lock yourself out:

#!/usr/bin/nft -f
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0;
    policy drop;

    ct state established,related accept
    ct state invalid drop
    iif "lo" accept
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept
    tcp dport 22 accept
    udp dport 1194 accept
  }

  chain forward {
    type filter hook forward priority 0;
    policy drop;

    ct state established,related accept
    iifname "tun0" oifname "eth0" accept
  }
}

table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    ip saddr 10.8.0.0/24 oifname "eth0" masquerade
  }
}

As before, replace eth0 with your uplink interface. The flush ruleset line makes the file idempotent, so reloading it does not stack duplicate rules, and the ipv6-icmp rule keeps neighbour discovery working if the host has IPv6. Check the syntax with nft -c -f /etc/nftables.conf before enabling the service.

Enable and start nftables:

sudo systemctl enable nftables
sudo systemctl start nftables

Step 10: Start and Enable OpenVPN

Start and enable the OpenVPN server:

sudo systemctl enable openvpn-server@server
sudo systemctl start openvpn-server@server

Check the status:

sudo systemctl status openvpn-server@server

Step 11: Create Client Configuration File

On your local machine or client, create a .ovpn file:

nano client1.ovpn

Paste the following:

client
dev tun
proto udp
remote your_server_ip_or_domain 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
explicit-exit-notify
verb 3

<ca>
# insert ca.crt contents here
</ca>

<cert>
# insert client1.crt contents here
</cert>

<key>
# insert client1.key contents here
</key>

If you enable tls-crypt on the server (see the hardening section), add the matching key inline between <tls-crypt> and </tls-crypt> tags in the same way. remote-cert-tls server is not optional: without it, any certificate signed by your CA, including another client’s, would be accepted as the server.

Because the profile carries the private key inline, treat client1.ovpn itself as a secret: transfer it over SSH (scp) or another authenticated channel, never by email or a shared drive, and delete the copy on the CA host once the client has it. If you generated the PKI on a separate machine, the client key never needs to touch the VPN server at all.
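Pasting three PEM files by hand is error-prone, and Easy-RSA prepends a human-readable dump to each issued certificate that is best stripped. The following script, an added example rather than part of the original guide, assembles the profile above from the pki/ directory. It assumes the Easy-RSA layout produced in Steps 3 to 5 and the client settings shown above; the optional tls-crypt key at pki/ta.key is this script’s own assumption (a key generated with openvpn --genkey secret) and is included only when the file exists.

```shell
#!/bin/sh
# Assemble a self-contained OpenVPN client profile from an Easy-RSA PKI.
# Added example: assumes the layout produced by the easyrsa steps above
# (PKI/ca.crt, PKI/issued/NAME.crt, PKI/private/NAME.key). An optional
# tls-crypt key at PKI/ta.key is an assumption of this script (generated
# with "openvpn --genkey secret"), not a file the guide's steps create.

# pem_block FILE TYPE: print only the PEM body, dropping the text dump
# that Easy-RSA prepends to issued certificates.
pem_block() {
    sed -n "/-----BEGIN $2-----/,/-----END $2-----/p" "$1"
}

# make_ovpn PKI_DIR CLIENT_NAME SERVER_HOST [PORT]
# Writes the profile to stdout; returns 1 if a required file is missing.
make_ovpn() {
    pki=$1; name=$2; host=$3; port=${4:-1194}
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key"; do
        if [ ! -r "$f" ]; then
            echo "make_ovpn: missing $f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
explicit-exit-notify
verb 3
<ca>
$(pem_block "$pki/ca.crt" CERTIFICATE)
</ca>
<cert>
$(pem_block "$pki/issued/$name.crt" CERTIFICATE)
</cert>
<key>
$(cat "$pki/private/$name.key")
</key>
EOF
    # Emit the tls-crypt block only when the key exists, so the profile
    # matches what the server is actually configured with.
    if [ -r "$pki/ta.key" ]; then
        printf '<tls-crypt>\n'
        cat "$pki/ta.key"
        printf '</tls-crypt>\n'
    fi
}

# Example on the CA host:
#   make_ovpn ~/openvpn-ca/pki client1 vpn.example.com > client1.ovpn
#   chmod 600 client1.ovpn
```

Run it on the machine that holds the PKI, then copy only the resulting .ovpn to the client. The profile embeds the private key, so keep it at mode 600 and delete it from the CA host after transfer.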


Step 12: Test the Connection

On your client device, install OpenVPN and run:

sudo openvpn --config client1.ovpn

Look for "Initialization Sequence Completed" in the client log, confirm that the default route now goes through the tunnel (ip route get 1.1.1.1 should report dev tun0), and verify with an online IP lookup that you appear to come from the server’s address. Also check that DNS queries go to the pushed resolvers rather than your local network’s; on Linux this only works with a resolver helper script or plugin, so it is the part most likely to leak.


Optional: Use Dynamic DNS

If your home server doesn’t have a static IP, use a dynamic DNS (DDNS) provider like:

  • DuckDNS
  • No-IP
  • Dynu

Install and configure the DDNS client to always map your domain to your current IP.


Optional: Harden Your OpenVPN Configuration

  • Use tls-crypt (or the older tls-auth) so that every control-channel packet is authenticated, and with tls-crypt also encrypted, before it reaches the TLS stack. Generate the key on the server with openvpn --genkey secret ta.key, add tls-crypt ta.key to server.conf, and ship the same key inline in each client profile.
  • Keep the firewall to the minimum: only UDP 1194 and SSH inbound, only tunnel-originated traffic forwarded, and SSH limited to known addresses or to the VPN itself where you can.
  • Monitor /var/log/openvpn.log and the status file for unknown client names, repeated TLS failures and unexpected source addresses; revoke, and regenerate the CRL for, any client you no longer trust.
  • Use AEAD ciphers via data-ciphers, set auth SHA256 and tls-version-min 1.2, and leave compression off: it is deprecated, and compression oracles leak plaintext.
  • Keep the CA key off the server and protected by a passphrase, and regenerate the CRL before it expires.
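To check a configuration against these points, here is a small audit script, an added example that is not part of the original guide. It scans a server.conf or client .ovpn for the settings listed above: a bare cipher directive, CBC modes, missing auth and tls-version-min, missing tls-crypt/tls-auth, a client profile without remote-cert-tls, and compression. The directive names are OpenVPN’s own; the checks and finding messages are this page’s addition.

```shell
#!/bin/sh
# Audit an OpenVPN config (server.conf or a client .ovpn) for the weak or
# deprecated settings discussed in this section. Added example, not part of
# the original guide; the checks encode this page's recommendations.

# has FILE DIRECTIVE: true if an uncommented line starts with DIRECTIVE.
# Anchoring on the line start skips "#" and ";" comments, and the trailing
# group stops "cipher" from matching "data-ciphers" or "auth" from "auth-nocache".
has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# audit_ovpn FILE: print one finding per line; exit 0 only if there are none.
audit_ovpn() {
    f=$1; n=0
    note() { echo "$f: $1"; n=$((n + 1)); }

    # A bare "cipher" pins one cipher and disables negotiation (2.5+ warns).
    if has "$f" cipher && ! has "$f" data-ciphers; then
        note 'legacy "cipher" without "data-ciphers": cipher negotiation is disabled'
    fi
    if grep -Eiq '^[[:space:]]*cipher[[:space:]]+[A-Z0-9-]*-CBC' "$f"; then
        note 'CBC (non-AEAD) cipher: prefer AES-256-GCM or CHACHA20-POLY1305'
    fi
    # "auth" defaults to SHA1 and still matters for tls-auth and CBC modes.
    has "$f" auth || note '"auth" unset: HMAC defaults to SHA1; set "auth SHA256"'
    has "$f" tls-version-min || note '"tls-version-min" unset: pin it to 1.2'
    # Either the directive form or an inline <tls-crypt>/<tls-auth> block counts.
    if ! has "$f" 'tls-crypt(-v2)?' && ! has "$f" tls-auth \
       && ! grep -Eq '^<tls-(crypt|crypt-v2|auth)>' "$f"; then
        note 'no tls-crypt/tls-auth: unauthenticated packets reach the TLS stack'
    fi
    # A client must insist on a server-typed certificate, or any client cert
    # signed by the same CA can impersonate the server.
    if has "$f" client && ! has "$f" remote-cert-tls; then
        note '"remote-cert-tls server" missing on a client profile'
    fi
    if has "$f" comp-lzo || has "$f" compress; then
        note 'compression enabled: deprecated, and compression oracles leak plaintext'
    fi
    [ "$n" -eq 0 ]
}

# Usage: sh audit.sh /etc/openvpn/server/server.conf client1.ovpn
for cfg in "$@"; do
    audit_ovpn "$cfg" || :
done
```

A profile built with the settings from this guide plus an inline tls-crypt block produces no findings; a configuration with a bare cipher AES-256-CBC line, no auth, no tls-version-min and no tls-crypt gets one finding per issue, and the non-zero exit status makes the script usable as a pre-deployment check.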

Conclusion

Setting up a personal VPN server on Arch Linux with OpenVPN is an excellent way to protect your connections on untrusted networks, reach your own systems remotely, and learn Linux networking along the way. The process takes a number of careful steps, but the reward is a robust VPN that you run, understand and control yourself.

Whether you’re a digital nomad, a security enthusiast, or just someone who values privacy, your own VPN server is a powerful tool in your arsenal.