geek notes for advice seekers

Alvotech Vserver VPS with OpenVPN

Renting a server at Alvotech and thinking about installing OpenVPN? Then follow this tutorial.

This tutorial has been done on the default configuration of the Alvotech VPS: Debian 5 64bit, and on Debian 6 64bit.

The specs page of the vservers show that TUN/TAP is usable, but when you rent the VPS, no TUN interface is enabled.

The first thing is to ask the support to enable it, after they say they did, you need to reboot your server through the control panel.

Note that you don’t need any iptable rule, ip forwarding is enabled and you cannot add any iptable rule anyway, Alvotech will enable the necessary rules on the Host.

Then enter your server through ssh and check ifconfig, you might have something like this:

tun2391-136 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr: P-t-P: Mask:
RX packets:11782 errors:0 dropped:0 overruns:0 frame:0
TX packets:8389 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1258182 (1.1 MiB) TX bytes:5467118 (5.2 MiB)

Great, now do:

apt-get install openvpn

cd /etc/openvpn

mkdir easy-rsa

cp -r /usr/share/doc/openvpn/examples/easy-rsa/* easy-rsa/

cd easy-rsa/2.0/

source ./vars


./build-key-server server

./build-key client1


ln -s /etc/openvpn/easy-rsa/2.0/keys /etc/openvpn/keys

cd /etc/openvpn

Now create a file server.conf with this content:

port 1194
proto udp
dev tun2391-136 #Your TUN device in ifconfig
ifconfig # your TUN interface settings in ifconfig
keepalive 10 120
verb 3
fragment 1200
mssfix 1200
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
user nobody
group nogroup
push “dhcp-option DNS”

Restart openvpn:

/etc/init.d/openvpn restart

Now copy the ca.crt client1.crt and client1.key on your client, and create a client.conf file (or client.ovpn) with this content:

dev tun
proto udp
remote 1194 #your server ip address/port
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
verb 3
ifconfig #change it according to the IPs of your TUN interface, notice it is the CONTRARY of the server config
fragment 1200
mssfix 1200

And now just run “sudo openvpn client.conf”, on Windows you might need to adjust the paths to something like this: “cert c:\\Users\\admin\\desktop\\client1.crt” (for the key+certs).

If you need another client to connect, just ask the support another TUN device (they added one on my server), copy server.conf to server2.conf, modify the TUN interface IPs/name + change the openvpn port in server2.conf, and don’t forget to generate a second client certificate!


(thanks to the support @ Alvotech for providing the details i was missing)

, ,

5 Responses to “Alvotech Vserver VPS with OpenVPN”

  • Mister Mango says:

    Thank you soooo much, I was trying to configure this for 72hours now! Thanks to your tutorial I have a real chance to get openVPN to work 🙂

    Thanks thanks thanks!

  • Mister Mango says:

    Hey, I got the VPN-Server up and running thanks to your tut. Really great! I also own a vServer from Alvotech. I want to use my openVPN as a gateway, because I need some security when I use public wifis. The problem is that I dont get it to work, there is a connection between Server and Client, but I guess the server doesnt redirect the traffic. I think I have to configure the firewall, but alvotech doesnt allow iptables-configuration and I have no idea, how to use the alvotech-firewall for this purose. 🙁

    Please, can you tell me if it is possible to use the openVPN as a gateway with an alvotech vServer? Or is it impossible because of the iptables-restriction?

    Thanks again and greets, Stefan

  • kevin says:

    Hi Stefan
    There is no need to redirect the traffic as the necessary rules are already set by Alvotech, re-check your configuration (especially the TUN IPs, put the ones of your interface, and the contrary on the client) or try to ask to the support, for them to check if the firewall rules are ok!
    Let me know if you succeed!


  • David S. says:

    Please DO NOT store your easy-rsa files on any server available on the internet. That is a security risk. If you loose control of your CA private key used by easy-rsa, you can no longer trust any certificate generated. And how do you tell if somebody did a copy of that file without your knowledge? Ideally the CA files should be stored on an offline medium as much as possible, only to be activated when you need to generate new certificates.

    Otherwise, for more info about setting up OpenVPN:

Leave a Reply

Your email address will not be published. Required fields are marked *