This guide walks you through the process of deploying a hardened OpenVPN server inside a TurnKey LXC container on a Proxmox host. The setup ensures secure access to a personal VPN endpoint using UDP on port 1194, with firewall protections and automated client generation.
Prerequisites
- Proxmox VE installed on your server.
- A valid domain name (e.g., vpn.example.com) pointing to your server’s public IP.
- Basic familiarity with the Linux command line.
Step 1: Prepare the Proxmox Host
Enable TUN/TAP in the LXC Profile
The container needs the nesting and keyctl features enabled on the host side. For an existing container:
pct set <CTID> --features keyctl=1,nesting=1
(The pct create command in Step 2 passes the same --features flag, so a container created as shown there does not need this separately.)
Make sure the TUN device node exists on the host. Proxmox normally creates /dev/net/tun when the tun module is loaded, so only create it if it is missing:
modprobe tun
mkdir -p /dev/net
[ -e /dev/net/tun ] || mknod /dev/net/tun c 10 200
chmod 666 /dev/net/tun
Verify that it is a character device with major 10, minor 200:
ls -la /dev/net/tun
crw-rw-rw- 1 root root 10, 200 May 25 15:35 /dev/net/tun
Mode 0666 is what udev gives this node by default and what the listing above shows; a 0600 root-owned node would be unreadable inside an unprivileged container, whose root is mapped to a high host UID.
Step 2: Deploy TurnKey OpenVPN LXC Container
Download and Create Container
pveam update
update successful
pveam available | grep openvpn
turnkeylinux debian-12-turnkey-openvpn_18.1-1_amd64.tar.gz
pveam download local debian-12-turnkey-openvpn_18.1-1_amd64.tar.gz
pct create 100 local:vztmpl/debian-12-turnkey-openvpn_18.1-1_amd64.tar.gz \
--hostname node-vpn \
--net0 name=eth0,bridge=vmbr0,ip=192.168.10.100/24,gw=192.168.10.1 \
--memory 1024 --cores 2 --features keyctl=1,nesting=1
pct start 100
Upgrade Container
Enter the container (pct enter 100) and bring it up to date:
apt update && apt upgrade -y
- Install and configure any additional tools you need (editor, diagnostics, and so on).
Back on the Proxmox host, update the container config at /etc/pve/lxc/<CTID>.conf so the container may use the TUN device:
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
These two lines only take effect on the next container start, so stop and start the container (pct stop 100, then pct start 100) before configuring OpenVPN. Without them openvpn fails at startup with "Cannot open TUN/TAP dev /dev/net/tun".
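The two config lines above are easy to get wrong when a guide is re-run or scripted (duplicated entries, or a restart forgotten). The following helper is an added example, not part of the original guide or of Proxmox: it appends the TUN lines to a container config only if they are not already present, and checks that the host device node really is character device 10:200. It assumes the host is the Proxmox node and container ID 100 as used in this guide.

```shell
# Added example (not from the guide or Proxmox): idempotently apply the TUN
# lines to a container config and check the host device node.
# Run on the Proxmox host as root; CTID 100 matches the guide.
TUN_LINES='lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file'

# Append each TUN line to the config file $1 unless an identical line is
# already there (exact, whole-line match), so re-running never duplicates.
ensure_tun_in_conf() {
  conf=$1
  touch "$conf"
  printf '%s\n' "$TUN_LINES" | while IFS= read -r line; do
    if grep -qxF -- "$line" "$conf"; then
      echo "present: $line"
    else
      printf '%s\n' "$line" >> "$conf"
      echo "added:   $line"
    fi
  done
}

# Succeed only if $1 is a character device with major 10, minor 200.
# GNU stat prints major/minor in hex, so 10 -> "a" and 200 -> "c8".
tun_node_ok() {
  [ "$(stat -c '%F:%t:%T' "$1" 2>/dev/null)" = "character special file:a:c8" ]
}

# Usage on the host (the restart is what makes the lines take effect):
#   ensure_tun_in_conf /etc/pve/lxc/100.conf && pct stop 100 && pct start 100
#   tun_node_ok /dev/net/tun || echo "host TUN node missing or wrong"
```

Run ensure_tun_in_conf as many times as you like; only the first run changes the file. The restart after it is not optional.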
Step 3: Configure Networking and Security
Configure static ip address
Inside the container, /etc/network/interfaces must match the net0 settings given to pct create: interface eth0 (not eth1), 192.168.10.100/24, gateway 192.168.10.1. Proxmox regenerates the eth0 stanza from the net0 setting each time the container starts, so if the address ever has to change, change it with pct set rather than by hand.
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.10.100/24
gateway 192.168.10.1
post-up iptables-restore < /etc/iptables.up.rules
The post-up line loads the firewall rules from Step 3 at boot. Because the next section installs iptables-persistent anyway, the more robust option is to save the rules where it expects them (netfilter-persistent save writes /etc/iptables/rules.v4) and drop the post-up line; that way the rules are restored at boot even if Proxmox rewrites this file.
Disable IPv6
OpenVPN below listens on IPv4 only and the iptables rules below filter IPv4 only, so switch IPv6 off in the container rather than leave it unfiltered. Create /etc/sysctl.d/99-disable-ipv6.conf with:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Apply it with sysctl --system (plain sysctl -p reads only /etc/sysctl.conf, not the files in /etc/sysctl.d) and confirm with ip -6 addr, which should list no addresses.
Configure iptables
apt install iptables-persistent -y
Edit /etc/iptables.up.rules:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
COMMIT
Load it and check the result:
iptables-restore < /etc/iptables.up.rules
iptables -S INPUT
TCP 80 and 443 are not used by OpenVPN itself; keep those two lines only if you serve something on them (for example a web page for profile downloads), otherwise remove them. Note also that this file has no *nat table: with push "redirect-gateway" in Step 4, clients send all their traffic through the tunnel, so the container also needs net.ipv4.ip_forward=1 and a MASQUERADE rule for the VPN subnet on its outbound interface, or clients will connect successfully and then have no internet access.
Step 4: Configure OpenVPN in the Container
Initialize and Generate PKI
cd /etc/openvpn/easy-rsa
./easyrsa clean-all
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa build-server-full server nopass
openvpn --genkey secret /etc/openvpn/easy-rsa/keys/ta.key
Update OpenVPN Config
Edit /etc/openvpn/server.conf:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/issued/server.crt
key /etc/openvpn/easy-rsa/keys/private/server.key
dh /etc/openvpn/easy-rsa/keys/dh.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
crl-verify /etc/openvpn/crl.pem
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
verb 4
Two details matter here. First, the server directive's address pool must not overlap the network the container sits on: an earlier version of this configuration used 192.168.10.0/24, which is the container's own LAN, so OpenVPN would have tried to route the LAN into the tunnel. 10.8.0.0/24 is the usual non-overlapping choice; any unused private range works. Second, crl-verify needs the file to exist before OpenVPN starts (easyrsa gen-crl writes it into the PKI directory; copy it to /etc/openvpn/crl.pem) and OpenVPN re-reads the CRL whenever it changes, which happens after it has dropped privileges to nobody, so the file must remain readable by that user.
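Step 3 and Step 4 depend on two things the prose can only describe: the VPN pool must not overlap the container's LAN, and redirect-gateway only works if the container forwards and masquerades the pool's traffic. The script below is an added example, not part of the original guide or of OpenVPN, that checks the first rule before writing server.conf and emits the NAT rules for the second. It keeps the guide's LAN (192.168.10.0/24) and key/cert paths; the pool 10.8.0.0/24, the WAN interface name eth0, and the four directives after "# hardening" (TLS 1.2 minimum, AEAD data ciphers, SHA256 HMAC, and remote-cert-tls client, which assumes client certificates are issued with easy-rsa's client type as build-client-full does) are choices made here.

```shell
# Added example (not from the guide or OpenVPN). Assumptions: LAN
# 192.168.10.0/24 and the guide's key paths; VPN pool 10.8.0.0/24 and WAN
# interface eth0 are chosen here. POSIX sh; no root needed to render.

ip2int() {                  # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix2int() {              # /prefix -> integer netmask
  if [ "$1" -eq 0 ]; then echo 0; else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

prefix2mask() {             # /prefix -> dotted netmask, e.g. 24 -> 255.255.255.0
  local m
  m=$(prefix2int "$1")
  echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# True (exit 0) when two CIDRs share at least one address: compare both
# network numbers under the shorter of the two prefixes.
cidr_overlap() {
  local p mask
  p=${1#*/}
  if [ "${2#*/}" -lt "$p" ]; then p=${2#*/}; fi
  mask=$(prefix2int "$p")
  [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Print server.conf for LAN $1 and VPN pool $2; refuse overlapping ranges.
# Paths are the guide's; everything after "# hardening" is an addition.
render_server_conf() {
  if cidr_overlap "$1" "$2"; then
    echo "refusing: VPN pool $2 overlaps LAN $1" >&2
    return 1
  fi
  cat <<EOF
port 1194
proto udp
dev tun
topology subnet
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/issued/server.crt
key /etc/openvpn/easy-rsa/keys/private/server.key
dh /etc/openvpn/easy-rsa/keys/dh.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
crl-verify /etc/openvpn/crl.pem
server ${2%/*} $(prefix2mask "${2#*/}")
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 4
# hardening
tls-version-min 1.2
remote-cert-tls client
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
EOF
}

# NAT and forwarding rules for pool $1 leaving via interface $2, in
# iptables-restore syntax. Load them without flushing the Step 3 rules:
#   sysctl -w net.ipv4.ip_forward=1
#   render_nat_rules 10.8.0.0/24 eth0 | iptables-restore -n
render_nat_rules() {
  cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $1 -o $2 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i tun0 -o $2 -s $1 -j ACCEPT
-A FORWARD -i $2 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# ./this.sh --demo  prints the config and rules for the guide's network
case "${1-}" in
  --demo) render_server_conf 192.168.10.0/24 10.8.0.0/24 && render_nat_rules 10.8.0.0/24 eth0 ;;
esac
```

Write the rendered config to /etc/openvpn/server.conf only after the overlap check passes, and add the ip_forward sysctl to /etc/sysctl.d so it survives a reboot; the FORWARD rules are redundant with the guide's FORWARD ACCEPT policy but become necessary the moment that policy is tightened to DROP.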
Restart OpenVPN and confirm it came up:
systemctl restart openvpn@server
systemctl status openvpn@server
If the unit is not active, journalctl -u openvpn@server shows why; the usual causes are a missing /dev/net/tun (the Step 2 config lines not applied or the container not restarted), a missing CRL or key file, or a server subnet that overlaps the container's LAN.
Step 5: Configure Host Firewall
These commands run on the Proxmox host and forward UDP 1194 arriving on its public address to the container. firewalld only forwards to a different address (toaddr) when masquerading is enabled on the zone, so enable that as well; and the forward only works if the host is the container's route to the internet, i.e. the container's gateway 192.168.10.1 leads back through the host.
apt install firewalld -y
systemctl enable --now firewalld
firewall-cmd --permanent --zone=public --add-port=1194/udp
firewall-cmd --permanent --zone=public --add-forward-port=port=1194:proto=udp:toport=1194:toaddr=192.168.10.100
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --reload
firewall-cmd --zone=public --list-all
Proxmox also ships its own pve-firewall; leave it disabled on this host if you use firewalld, as both manage the host ruleset.
Step 6: Create VPN Users
The TurnKey appliance ships an openvpn-addclient helper that issues a client certificate from the CA above and writes a single-file profile:
openvpn-addclient joker joker@example.com
Find the generated .ovpn file in /etc/openvpn/clients and distribute it securely. Because the profile contains the client's private key, treat it like a password: send it over a channel you already trust, not by plain email, and issue one profile per person and device, so a lost one can be revoked (easyrsa revoke <name>, then gen-crl and refresh /etc/openvpn/crl.pem) without affecting anyone else.
Step 7: Connect from Client
Transfer the .ovpn file to the client and test:
sudo openvpn --config joker.ovpn
Watch the output for "Initialization Sequence Completed"; that line only appears after the TLS handshake succeeded and the tunnel is up. Then check that traffic really goes through the tunnel: with redirect-gateway pushed, a "what is my IP" lookup from the client should return the VPN server's public address, and ordinary internet access should still work. The second check is the one that catches a missing NAT rule in the container.
Troubleshooting
- TLS Errors: confirm the client and server use the same ta.key with opposite key directions (0 on the server, 1 in the client profile); a mismatch shows in the server log as "TLS Error: incoming packet authentication failed".
- Packet Drops: ensure the tun interface is up inside the container (ip link show tun0) and that UDP 1194 is allowed on both the container (Step 3) and the host (Step 5).
- Duplicate Clients: use a unique certificate per client; when the same CN connects twice the server drops the earlier session and logs that "previous active sessions by this client" will be dropped, unless duplicate-cn is set, which makes devices indistinguishable.
- Replay Errors: "bad packet ID (may be a replay)" warnings on a lossy or reordering link can be reduced with a larger replay-window; if the TLS handshake fails on certificate validity instead, check that the client and server clocks are correct.
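The four troubleshooting buckets above each correspond to a recognisable OpenVPN log message. The helper below is an added example, not part of the original guide or of OpenVPN: it classifies log lines into those buckets, counts them, and prints the matching check. The log excerpt is constructed for the example; the message texts follow the wording OpenVPN 2.x prints, while the timestamps, the client name joker and the addresses are made up.

```shell
# Added example (not from the guide or OpenVPN): triage OpenVPN log lines
# into the troubleshooting buckets. SAMPLE_LOG is constructed; message
# texts follow OpenVPN 2.x wording, names and addresses are invented.
SAMPLE_LOG=$(cat <<'EOF'
2024-05-25 15:40:01 TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.5:51234
2024-05-25 15:40:12 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-05-25 15:41:03 joker/203.0.113.7:40120 VERIFY ERROR: depth=0, error=certificate revoked: CN=joker
2024-05-25 15:41:30 MULTI: new connection by client 'joker' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate/key to concurrently connect.
2024-05-25 15:42:00 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #12 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2024-05-25 15:42:01 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #14 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2024-05-25 15:43:10 [server] Peer Connection Initiated with [AF_INET]203.0.113.9:55555
2024-05-25 15:43:11 Initialization Sequence Completed
EOF
)

# One log line in, one label out. The patterns are distinct substrings of
# the OpenVPN messages, so ordering does not matter.
classify_openvpn_line() {
  case "$1" in
    *"Initialization Sequence Completed"*)       echo connected ;;
    *"Peer Connection Initiated"*)               echo handshake-ok ;;
    *"incoming packet authentication failed"*)   echo tls-auth-mismatch ;;
    *"TLS key negotiation failed to occur"*)     echo no-reply ;;
    *"error=certificate revoked"*)               echo revoked-cert ;;
    *"previous active sessions by this client"*) echo duplicate-cn ;;
    *"bad packet ID (may be a replay)"*)         echo replay ;;
    *)                                           echo other ;;
  esac
}

# What to check for a label, following the troubleshooting list.
hint_for() {
  case "$1" in
    tls-auth-mismatch) echo "ta.key differs or key-direction wrong (server 0, client 1)" ;;
    no-reply)          echo "UDP 1194 blocked (container iptables, host firewalld) or wrong address/port in profile" ;;
    revoked-cert)      echo "client is in the CRL; issue a new profile" ;;
    duplicate-cn)      echo "same certificate on two devices; issue one per device" ;;
    replay)            echo "lossy or reordering link; consider a larger replay-window" ;;
    handshake-ok|connected) echo "ok" ;;
    *)                 echo "no rule" ;;
  esac
}

# Read a log on stdin and print "<count> <label>" lines, most frequent first.
triage_openvpn_log() {
  while IFS= read -r line; do
    classify_openvpn_line "$line"
  done | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Same, with the hint appended to each line.
triage_with_hints() {
  triage_openvpn_log | while read -r n label; do
    echo "$n $label: $(hint_for "$label")"
  done
}

# Usage on the server:  journalctl -u openvpn@server --since today | triage_with_hints
# On the constructed sample: printf '%s\n' "$SAMPLE_LOG" | triage_with_hints
```

On the sample the top entry is the two replay warnings, followed by one line for each of the other buckets; on a real server, a burst of tls-auth-mismatch entries from one address is the signature of either a stale client profile or someone probing the port without the key.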
You now have an OpenVPN server running in an LXC container with its own CA, a CRL for revoking individual clients, container and host firewalls limited to the ports you actually use, and scripted client provisioning. That is a sound base for a personal VPN or remote access to your own network.