After you install OpenVPN, it's time to configure it.
OpenVPN creates an encrypted tunnel between two points, preventing a third party from accessing your network traffic. By setting up your virtual private network (VPN) server, you become your own VPN provider. Many popular VPN services already use [OpenVPN][2], so why tie your connection to a specific provider when you can have complete control?
The [first article][3] in this series set up a server for your VPN, and the [second article][4] demonstrated how to install and configure the OpenVPN server software. This third article shows how to start OpenVPN with authentication in place.
To set up an OpenVPN server, you must:
* Create a configuration file.
* Set the `sysctl` value `net.ipv4.ip_forward = 1` to enable routing.
* Set up appropriate ownership for all configuration and authentication files to run the OpenVPN server daemon under a non-root account.
* Set OpenVPN to start with the appropriate configuration file.
* Configure your firewall.
### Configuration file
You must create a server config file in `/etc/openvpn/server/`. You can start from scratch if you want, but OpenVPN includes several sample configuration files to use as a starting point. Have a look in `/usr/share/doc/openvpn/sample/sample-config-files/` to see them all.
If you want to build a config file by hand, start with either `server.conf` or `roadwarrior-server.conf` (as appropriate), and place your config file in `/etc/openvpn/server`. Both files are extensively commented, so read the comments and decide which makes the most sense for your situation.
You can save time and aggravation by using my prebuilt server and client configuration file templates and `sysctl` file to turn on network routing. This configuration also includes customization to log connects and disconnects. It keeps logs on the OpenVPN server in `/etc/openvpn/server/logs`.
If you use my templates, you'll need to edit them to use your IP addresses and hostnames.
To use my prebuilt config templates, scripts, and `sysctl` to turn on IP forwarding, download my script:
```
# Turn on IP forwarding. OpenVPN servers need to do routing
net.ipv4.ip_forward = 1
```
Edit `OVPNserver2020.conf` and `OVPNclient2020.ovpn` to include your IP addresses. Also, edit `OVPNserver2020.conf` to include your server certificate names from earlier. Later, you will rename and edit a copy of `OVPNclient2020.ovpn` for use with your client computers. The blocks that start with `***?` show you where to edit.
### File ownership
If you used the automated script from my website, file ownership is already in place. If not, you must ensure that your system has a user called `openvpn` that is a member of a group named `openvpn`. You must set the ownership of everything in `/etc/openvpn` to that user and group. It's safe to do this if you're unsure whether the user and group already exist because `useradd` will refuse to create a user with the same name as one that already exists:
```
$ sudo useradd openvpn
$ sudo chown -R openvpn:openvpn /etc/openvpn
```
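To confirm the ownership change took effect before starting the daemon, the following is an added example (not part of the article or its download script). The function name `audit_ovpn_tree` and its output labels are hypothetical, and the two permission checks go beyond the ownership requirement described above.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit an OpenVPN config tree before
# running the daemon under a non-root account.
#
# Usage: audit_ovpn_tree DIR USER GROUP
# Prints one finding per line. Returns 0 if clean, 1 if there are findings,
# 2 if the audit could not run (bad DIR, unknown USER/GROUP, unreadable dir).
audit_ovpn_tree() {
    local dir="$1" user="$2" group="$3" findings

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        # 1. Anything not owned by USER:GROUP (what chown -R should have fixed).
        find "$dir" \( ! -user "$user" -o ! -group "$group" \) \
            -exec printf 'OWNER %s\n' {} + || exit 2
        # 2. Extra check (assumption, beyond the article): nothing world-writable.
        find "$dir" ! -type l -perm -002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} + || exit 2
        # 3. Extra check (assumption): files named *.key are not world-readable.
        find "$dir" -type f -name '*.key' -perm -004 \
            -exec printf 'KEY-WORLD-READABLE %s\n' {} + || exit 2
    ) || return 2

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as `audit_ovpn_tree /etc/openvpn openvpn openvpn`, using `sudo` if your own account cannot read the directory; no output and exit status 0 mean the tree is clean.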
### Firewall
If you decided not to disable the firewalld service in step 1, then your server's firewall service might not allow VPN traffic by default. Using the [`firewall-cmd` command][5], you can enable the OpenVPN service, which opens the necessary ports and routes traffic as necessary: