# Network & DNS

## Network Configuration

### Endpoint
The endpoint is the public IP address or domain name that clients use to connect to the server. It is auto-detected during installation but can be overridden:
For IPv6 endpoints:
### Port and Protocol
| Setting | Default | Notes |
|---|---|---|
| Port | 1194 | Any port 1–65535 or --port-random |
| Protocol | UDP | TCP available for restrictive networks |
```bash
# TCP on port 443: looks like HTTPS to port-based filters, so it passes most restrictive networks
sudo ./openvpn-install.sh install --port 443 --protocol tcp
```
> **Tip:** Use TCP/443 only when UDP is blocked. UDP gives better performance for VPN traffic; tunnelling TCP inside TCP degrades badly under packet loss because both layers retransmit.
### MTU

The default tunnel MTU is 1500. Lower it if clients see fragmentation or stalled connections, which typically happens when the path between client and server carries less than 1500 bytes (PPPoE links, for example):
Valid range: 576–65535.
### IP Stack Configuration
The script supports flexible IPv4/IPv6 combinations:
| Client Stack | Options | Description |
|---|---|---|
| IPv4 only | --client-ipv4 (default) | Clients get IPv4 addresses only |
| IPv6 only | --no-client-ipv4 --client-ipv6 | Clients get IPv6 addresses only |
| Dual-stack | --client-ipv4 --client-ipv6 | Clients get both IPv4 and IPv6 |
### VPN Subnets
| Subnet | Default | Option |
|---|---|---|
| IPv4 | 10.8.0.0/24 | --subnet-ipv4 10.8.0.0 |
| IPv6 | fd42:42:42:42::/112 | --subnet-ipv6 fd42:42:42:42:: |
### Leak Prevention

When a single-stack mode is used (IPv4-only or IPv6-only), the script blocks the unused address family so that traffic for it cannot bypass the tunnel. On Windows 10+ clients, block-outside-dns is enabled so that DNS queries cannot leave through the physical interface; the option is Windows-specific and has no effect on other platforms.
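To confirm on a Linux client that the single-stack blocking and the DNS settings actually hold, here is an added example (not part of openvpn-install) that asks the kernel where a packet to each address family, and to each configured resolver, would be routed. It assumes iproute2 and a tunnel interface named tun0; the probe addresses 1.1.1.1 and 2606:4700:4700::1111 are simply public addresses chosen for the check, and /etc/resolv.conf is assumed to list the resolvers in use.

```shell
#!/bin/sh
# Leak check for a Linux OpenVPN client, run after the tunnel comes up.
# Added example, not part of openvpn-install. Assumes iproute2 and a tunnel
# interface named tun0 (override: TUN=tun1 sh leakcheck.sh run).
TUN="${TUN:-tun0}"

# classify_route LABEL ROUTE_GET_OUTPUT
# Classifies the combined stdout/stderr of `ip route get ADDR`:
#   tunnel  - the kernel would send the packet through $TUN              (ok)
#   blocked - no usable route (e.g. an unreachable default), so the unused
#             family is dropped instead of leaving in the clear          (ok)
#   LEAK    - the packet would leave through another interface           (bad)
# Prints the verdict; returns 0 for tunnel/blocked and 1 for LEAK.
classify_route() {
  label="$1"
  out=$(printf '%s' "$2" | tr '\n' ' ')     # ip prints a trailing "cache" line
  case "$out" in
    *" dev $TUN "*|*" dev $TUN")
      echo "$label: tunnel"; return 0 ;;
    *" dev "*)
      dev="${out#* dev }"; dev="${dev%% *}"
      echo "$label: LEAK via $dev"; return 1 ;;
    *)
      echo "$label: blocked ($out)"; return 0 ;;
  esac
}

# nameservers_from_resolvconf RESOLV_CONF_TEXT -> one resolver address per line
nameservers_from_resolvconf() {
  printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# probe LABEL -4|-6 ADDR: ask the kernel where ADDR would go and classify it
probe() {
  classify_route "$1" "$(ip "$2" route get "$3" 2>&1)"
}

# Live run (`sh leakcheck.sh run`): probe a public address per family, then
# every resolver in /etc/resolv.conf, because a resolver reached outside the
# tunnel is a DNS leak even when all other traffic is tunnelled.
if [ "${1:-}" = "run" ]; then
  command -v ip >/dev/null 2>&1 || { echo "ip(8) not found"; exit 2; }
  rc=0
  probe "IPv4 default" -4 1.1.1.1 || rc=1
  probe "IPv6 default" -6 2606:4700:4700::1111 || rc=1
  for ns in $(nameservers_from_resolvconf "$(cat /etc/resolv.conf 2>/dev/null)"); do
    case "$ns" in
      127.*|::1) echo "DNS $ns: local stub; check its upstreams (e.g. resolvectl status)" ;;
      *:*)       probe "DNS $ns" -6 "$ns" || rc=1 ;;
      *)         probe "DNS $ns" -4 "$ns" || rc=1 ;;
    esac
  done
  exit "$rc"
fi
```

Run it as `sh leakcheck.sh run` once the tunnel is up. In single-stack mode a verdict of blocked for the unused family is the expected outcome; a LEAK verdict means that family, or a resolver, still leaves through the physical interface. Loopback resolvers (systemd-resolved's 127.0.0.53) are only a local stub, so the stub's upstream servers must be checked separately.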
## DNS Configuration

### DNS Providers
Select a DNS provider during installation with --dns <provider>:
| Provider | Servers | Features |
|---|---|---|
| cloudflare | 1.1.1.1, 1.0.0.1 | Fast, privacy-focused (default) |
| google | 8.8.8.8, 8.8.4.4 | Widely used |
| quad9 | 9.9.9.9 | Security-filtered |
| quad9-uncensored | 9.9.9.10 | Unfiltered |
| opendns | 208.67.222.222 | Content filtering |
| adguard | 94.140.14.14 | Ad-blocking DNS |
| nextdns | — | Customizable filtering |
| yandex | 77.88.8.8 | — |
| fdn | 80.67.169.12 | French Data Network |
| dnswatch | 84.200.69.80 | Privacy-focused |
| system | — | Uses system resolver |
| unbound | — | Self-hosted resolver |
| custom | — | Custom DNS servers |
### Custom DNS

```bash
sudo ./openvpn-install.sh install \
  --dns custom \
  --dns-primary 192.168.1.1 \
  --dns-secondary 192.168.1.2
```
### Self-Hosted DNS with Unbound

Unbound provides a recursive resolver on the VPN server itself, so client queries are answered by walking the DNS hierarchy from the root servers instead of being handed to a third-party resolver:

The script handles:

- Unbound package installation
- Configuration at /etc/unbound/unbound.conf.d/openvpn.conf
- Integration with existing Unbound installations
- Automatic cleanup on uninstall
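The security property worth checking in that drop-in is that the resolver listens only on the tunnel side and answers only VPN clients; otherwise the server becomes an open resolver reachable from the internet. The following added example (not the file openvpn-install writes, which the page does not show) renders such a configuration from the VPN subnets; the gateway addresses 10.8.0.1 and fd42:42:42:42::1 are assumed to be the first address of each default subnet, and every directive used is a standard unbound.conf(5) option.

```shell
#!/bin/sh
# Render an Unbound drop-in that serves VPN clients only. Added example, not
# the file openvpn-install writes (the page does not show it); every directive
# is a standard unbound.conf(5) option.

# render_unbound_conf GW4 NET4 [GW6 NET6]
#   GW4/GW6: tunnel gateway addresses Unbound should listen on
#   NET4/NET6: VPN client subnets allowed to query
render_unbound_conf() {
  gw4="$1"; net4="$2"; gw6="${3:-}"; net6="${4:-}"
  printf 'server:\n'
  printf '    # Listen on the tunnel gateway only, never on the public address.\n'
  printf '    interface: %s\n' "$gw4"
  # The tunnel address only exists while OpenVPN runs; IP_FREEBIND lets
  # Unbound bind it even if it is started first.
  printf '    ip-freebind: yes\n'
  printf '    # Answer VPN clients only; everything else is refused.\n'
  printf '    access-control: %s allow\n' "$net4"
  if [ -n "$gw6" ]; then
    printf '    interface: %s\n' "$gw6"
    printf '    access-control: %s allow\n' "$net6"
  fi
  printf '    access-control: 0.0.0.0/0 refuse\n'
  printf '    access-control: ::/0 refuse\n'
  printf '    # Do not reveal resolver identity or version to probes.\n'
  printf '    hide-identity: yes\n'
  printf '    hide-version: yes\n'
  printf '    # Send only the minimum of each name to upstream servers.\n'
  printf '    qname-minimisation: yes\n'
}

# Usage: sh unbound-vpn.sh 10.8.0.1 10.8.0.0/24 [fd42:42:42:42::1 fd42:42:42:42::/112] \
#          > /etc/unbound/unbound.conf.d/openvpn.conf && unbound-checkconf
if [ "$#" -ge 2 ]; then
  render_unbound_conf "$@"
fi
```

After writing the file, run unbound-checkconf and restart Unbound, then verify from outside the VPN that port 53 on the public address does not answer. The clients still need to be told to use the gateway address as their resolver, which is what the dhcp-option DNS push in the OpenVPN server configuration does.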
## IP Forwarding
The script enables IP forwarding via /etc/sysctl.d/99-openvpn.conf:
These settings are applied immediately and persist across reboots.
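Because sysctl files are applied one after another and the last assignment wins, a later drop-in or /etc/sysctl.conf can silently turn forwarding back off, and IPv6 forwarding is a separate key that dual-stack and IPv6-only tunnels also need. The following added example (not part of openvpn-install) computes the value the configuration files yield per address family and shows the running kernel's value beside it. It assumes the script's drop-in sets the standard keys net.ipv4.ip_forward and net.ipv6.conf.all.forwarding, since the page does not show the file's contents.

```shell
#!/bin/sh
# Check that forwarding is enabled for the address families the tunnel serves.
# Added example, not part of openvpn-install. It assumes the script's drop-in
# sets the standard keys net.ipv4.ip_forward and net.ipv6.conf.all.forwarding
# (the page does not show the file's contents).

# effective_sysctl KEY FILE...
# Prints the value the last "KEY = VALUE" line across FILE... assigns, applying
# the files in the given order so that later files override earlier ones, just
# as sysctl --system does. Prints nothing if no file sets KEY.
effective_sysctl() {
  key="$1"; shift
  for f in "$@"; do
    [ -r "$f" ] || continue
    awk -v key="$key" '
      /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
      {
        line = $0; sub(/[#;].*/, "", line)           # strip trailing comments
        n = index(line, "="); if (n == 0) next
        k = substr(line, 1, n - 1); v = substr(line, n + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) val = v                         # last assignment wins
      }
      END { if (val != "") print val }' "$f"
  done | tail -n 1
}

# live_sysctl KEY -> the running kernel's value, read from /proc/sys
live_sysctl() {
  cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# forwarding_check ipv4|ipv6|dual FILE...
# Returns 0 when every family the tunnel serves is set to 1 in the files,
# 1 otherwise, printing one line per family checked.
forwarding_check() {
  stack="$1"; shift; rc=0
  for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
    case "$stack:$key" in
      ipv4:*ipv6*|ipv6:*ipv4*) continue ;;          # family not served
    esac
    want=$(effective_sysctl "$key" "$@")
    if [ "${want:-0}" = "1" ]; then
      echo "$key: configured=1"
    else
      echo "$key: configured=${want:-unset} (VPN clients will not get beyond the server)"
      rc=1
    fi
  done
  return "$rc"
}

# Live run: sh fwdcheck.sh dual /etc/sysctl.d/*.conf /etc/sysctl.conf
# (pass the files in the order sysctl --system applies them).
if [ "$#" -ge 2 ]; then
  stack="$1"; shift
  if forwarding_check "$stack" "$@"; then rc=0; else rc=1; fi
  for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
    echo "$key: live=$(live_sysctl "$key")"
  done
  exit "$rc"
fi
```

Pass the stack you installed with (ipv4, ipv6 or dual) and the sysctl files in the order your system applies them; see sysctl(8) for the directories --system reads. A configured value of 1 with a live value of 0 means the files are right but have not been reloaded (sysctl --system), while configured 0 or unset points at a file later in the order overriding the script's drop-in.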