VPN server deployment requires selecting appropriate platforms and configurations based on use cases. Here's a detailed guide for mainstream deployment solutions:
Cloud Platform Deployment
1. AWS (Amazon Web Services)
Deployment Steps:
- Create an EC2 instance (t3.medium or larger; any current-generation instance has AES-NI)
- Create or select a security group that opens UDP 1194 (OpenVPN) or UDP 51820 (WireGuard) to 0.0.0.0/0, and TCP 22 only to your admin IP
- Allocate an Elastic IP so the address survives stop/start
- Install the VPN software
OpenVPN Installation Example:
```bash
# Update system
sudo apt update && sudo apt upgrade -y
# Install OpenVPN and easy-rsa. Ubuntu/Debian ship easy-rsa 3; the old "source vars",
# "./build-ca" and "./build-key-server" commands belong to easy-rsa 2 and no longer exist.
sudo apt install openvpn easy-rsa -y
# Generate CA, server certificate, DH parameters, an (initially empty) CRL and the tls-crypt key
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
./easyrsa init-pki
./easyrsa build-ca                      # prompts for a CA passphrase; in production keep the CA key off the VPN server
./easyrsa build-server-full server nopass
./easyrsa gen-dh
./easyrsa gen-crl
openvpn --genkey secret pki/ta.key      # OpenVPN < 2.5: openvpn --genkey --secret pki/ta.key
# Install the material where the systemd unit openvpn-server@server expects it.
# crl.pem is re-read after the privilege drop, so it must stay readable by the unprivileged user.
sudo cp pki/ca.crt pki/issued/server.crt pki/dh.pem /etc/openvpn/server/
sudo install -m 644 pki/crl.pem /etc/openvpn/server/
sudo install -m 600 pki/private/server.key pki/ta.key /etc/openvpn/server/
# Write /etc/openvpn/server/server.conf, then start the service
sudo systemctl enable --now openvpn-server@server
```
WireGuard Installation Example:
```bash
# Install WireGuard (in the distribution repositories on Ubuntu 20.04+ and Debian 11+; no extra repository needed)
sudo apt install wireguard -y
# Generate the server key pair; restrict permissions so the private key is never world-readable
sudo install -d -m 700 /etc/wireguard
(umask 077 && wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey)
sudo chmod 600 /etc/wireguard/privatekey
# Write the interface configuration, then enable the interface at boot
sudo nano /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf
sudo systemctl enable --now wg-quick@wg0
```
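The two install blocks above stop short of the server configuration itself. The script below is an added example that is not part of this guide: it renders a hardened OpenVPN server.conf for the easy-rsa 3 layout used above and a WireGuard wg0.conf with outbound NAT and a per-peer AllowedIPs filter. The tunnel subnets (10.8.0.0/24 and 10.8.1.0/24), the DNS server pushed to clients, the eth0 uplink name and the placeholder keys are assumptions; replace them with your own values.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): render server-side configuration
# files for the OpenVPN and WireGuard installs above. Paths follow the easy-rsa 3 /
# /etc/openvpn/server layout; the tunnel subnets, the pushed DNS server and the eth0
# uplink name are assumptions.
set -eu

# render_openvpn_server_conf SUBNET [PORT] -> prints a hardened server.conf to stdout
render_openvpn_server_conf() {
  local subnet=$1 port=${2:-1194}
  cat <<EOF
port $port
proto udp
dev tun
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   /etc/openvpn/server/dh.pem
tls-crypt  /etc/openvpn/server/ta.key
crl-verify /etc/openvpn/server/crl.pem
server $subnet 255.255.255.0
topology subnet
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
remote-cert-tls client
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
explicit-exit-notify 1
status /var/log/openvpn/status.log
status-version 2
verb 3
EOF
}

# render_wg_server_conf SERVER_PRIVKEY PEER_PUBKEY [WAN_IF] -> prints wg0.conf to stdout
render_wg_server_conf() {
  local priv=$1 peer_pub=$2 wan=${3:-eth0}
  cat <<EOF
[Interface]
Address = 10.8.1.1/24
ListenPort = 51820
PrivateKey = $priv
# NAT client traffic out of the uplink; requires net.ipv4.ip_forward=1 on the host
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $wan -j MASQUERADE

[Peer]
# On the server, AllowedIPs is also a source filter: this peer may only send from 10.8.1.2
PublicKey = $peer_pub
AllowedIPs = 10.8.1.2/32
EOF
}

# Demo: render both configs to stdout with placeholder keys (real keys come from wg genkey / wg pubkey).
render_openvpn_server_conf 10.8.0.0 1194
echo
render_wg_server_conf "SERVER_PRIVATE_KEY_PLACEHOLDER=" "PEER_PUBLIC_KEY_PLACEHOLDER=" eth0
```

To install the output, pipe it through `sudo tee /etc/wireguard/wg0.conf >/dev/null` (or /etc/openvpn/server/server.conf) and `chmod 600` the file. The OpenVPN configuration refuses to start until crl.pem exists at the crl-verify path, which is why the install steps above run `./easyrsa gen-crl` even before anything is revoked; `group nogroup` is the Debian/Ubuntu name, RHEL-family systems use `nobody`.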
2. Google Cloud Platform (GCP)
Deployment Steps:
- Create Compute Engine instance
- Configure firewall rules (VPC Firewall)
- Set up static external IP
- Install and configure VPN
Firewall Configuration:
```bash
# Without --target-tags the rule applies to every VM in the VPC; create the instance with --tags vpn-server.
# tcp:1194 is only needed if you run OpenVPN's TCP fallback.
gcloud compute firewall-rules create allow-vpn \
  --allow udp:1194,tcp:1194,udp:51820 \
  --source-ranges 0.0.0.0/0 \
  --target-tags vpn-server \
  --description "Allow VPN traffic"
```
3. Azure
Deployment Steps:
- Create a virtual machine
- Configure the Network Security Group (NSG): an inbound rule for UDP 1194 or UDP 51820 from Any, and SSH (TCP 22) only from your admin IP
- Set up a static public IP
- Either use the managed Azure VPN Gateway service or install OpenVPN/WireGuard on the VM as in the AWS section
Self-Hosted Server Deployment
1. Hardware Requirements
Minimum Configuration:
- CPU: Dual-core 2.0GHz+
- RAM: 2GB
- Bandwidth: 100Mbps+
- Storage: 20GB SSD
Recommended Configuration:
- CPU: Quad-core 3.0GHz+ (with AES-NI support)
- RAM: 4GB+
- Bandwidth: 1Gbps+
- Storage: 50GB NVMe SSD
2. Operating System Selection
Linux Distributions:
- Ubuntu Server: Good community support, rich documentation
- Debian: Stable, suitable for production
- CentOS/Rocky Linux: Enterprise support
- Alpine Linux: Lightweight, minimal resource usage
3. Network Configuration
Port Forwarding (Router):
```
OpenVPN:   UDP 1194  → server internal IP
WireGuard: UDP 51820 → server internal IP
```
Firewall Configuration (UFW):
```bash
# Allow SSH first: "ufw enable" applies a default deny-incoming policy and would otherwise lock you out
sudo ufw allow OpenSSH
sudo ufw allow 1194/udp
sudo ufw allow 51820/udp
sudo ufw enable
```
Docker Deployment
1. OpenVPN Docker
Using kylemanna/openvpn:
```bash
# Pull image
docker pull kylemanna/openvpn
# Create config directory
mkdir -p ~/openvpn-data
cd ~/openvpn-data
# Initialize configuration (VPN.SERVER.COM is a placeholder for the name clients will connect to)
docker run -v "$PWD:/etc/openvpn" --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVER.COM
# Generate the CA and server certificates (interactive: prompts for the CA passphrase)
docker run -v "$PWD:/etc/openvpn" --rm -it kylemanna/openvpn ovpn_initpki
# Start server
docker run -v "$PWD:/etc/openvpn" -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
# Issue a client certificate and export a ready-to-use profile (contains the client's private key: keep it 600)
docker run -v "$PWD:/etc/openvpn" --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run -v "$PWD:/etc/openvpn" --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
```
2. WireGuard Docker
Using linuxserver/wireguard:
```bash
# SERVERURL is the public DNS name or IP clients connect to. PEERS is the number of peer
# configs to generate (or a comma-separated list of peer names). /path/to/config receives
# the generated peer configs and QR codes, i.e. private keys: keep it root-only.
docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Asia/Shanghai \
  -e SERVERURL=your-domain.com \
  -e SERVERPORT=51820 \
  -e PEERS=3 \
  -e PEERDNS=auto \
  -v /path/to/config:/config \
  -p 51820:51820/udp \
  linuxserver/wireguard
```
Performance Optimization
1. Kernel Parameter Tuning
```bash
# net.ipv4.ip_forward=1 is required for any VPN server that routes client traffic; the guide omitted it.
# The rmem/wmem maximums apply to the UDP tunnel sockets; the tcp_* settings only affect TCP
# flows terminated on the host itself (management, SSH, OpenVPN over TCP).
sudo tee /etc/sysctl.d/99-vpn.conf >/dev/null <<'EOF'
net.ipv4.ip_forward = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_congestion_control = bbr
EOF
# Apply configuration (bbr needs the tcp_bbr module: check sysctl net.ipv4.tcp_available_congestion_control)
sudo sysctl --system
```
2. MTU Optimization
```bash
# Test the path MTU: 1472 bytes of ICMP payload + 8 ICMP + 20 IPv4 header = 1500. If this fails with
# "message too long" or "Frag needed", lower -s until it succeeds and add 28 to get the path MTU.
ping -c 4 -M do -s 1472 8.8.8.8
# Set the tunnel MTU in the VPN configuration ("mtu" on its own is not an OpenVPN directive):
# OpenVPN (server.conf):  tun-mtu 1400      (or keep tun-mtu 1500 and clamp TCP with mssfix 1360)
# WireGuard (wg0.conf):   MTU = 1420        (1500 minus 80 bytes of IPv6+UDP+WireGuard overhead; the default)
```
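The manual ping test above is tedious on paths with unusual MTUs (PPPoE, IPv6 tunnels, cloud overlays). As an added example that is not part of this guide, the script below automates it: a binary search finds the largest ICMP payload that passes with the DF bit set, then derives the WireGuard MTU and the OpenVPN tun-mtu from the result. The probe command is pluggable, so the search logic runs offline against a simulated path; 8.8.8.8 as the live target and the 100-byte OpenVPN headroom are assumptions taken from the settings above.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): automate the ping-based MTU test.
# The probe is pluggable so the search can be exercised without network access.
set -eu

# probe_ping SIZE: one ping with Don't-Fragment set; succeeds only if SIZE bytes of payload fit unfragmented
probe_ping() {
  ping -c 1 -W 1 -M do -s "$1" "${MTU_TARGET:-8.8.8.8}" >/dev/null 2>&1
}

# find_max_payload PROBE LO HI: largest payload in [LO,HI] for which PROBE succeeds (0 if none)
find_max_payload() {
  local probe=$1 lo=$2 hi=$3 best=0 mid
  while [ "$lo" -le "$hi" ]; do
    mid=$(( (lo + hi) / 2 ))
    if "$probe" "$mid"; then
      best=$mid; lo=$(( mid + 1 ))      # fits: try something larger
    else
      hi=$(( mid - 1 ))                 # dropped or fragmented: go smaller
    fi
  done
  echo "$best"
}

# path_mtu PAYLOAD: payload + 8 (ICMP header) + 20 (IPv4 header)
path_mtu() { echo $(( $1 + 28 )); }

# wg_mtu PATH_MTU: WireGuard's own rule, path MTU minus 80 (40 IPv6 + 8 UDP + 32 WireGuard); 1500 -> 1420
wg_mtu() { echo $(( $1 - 80 )); }

# ovpn_tun_mtu PATH_MTU: the conservative 100-byte headroom used in the guide (1500 -> tun-mtu 1400)
ovpn_tun_mtu() { echo $(( $1 - 100 )); }

# report PAYLOAD: print the derived settings
report() {
  local pmtu
  pmtu=$(path_mtu "$1")
  echo "largest unfragmented payload: $1 -> path MTU $pmtu"
  echo "WireGuard: MTU = $(wg_mtu "$pmtu")"
  echo "OpenVPN:   tun-mtu $(ovpn_tun_mtu "$pmtu")"
}

# Run the live probe only when asked ("./mtu.sh live"); otherwise demonstrate with a simulated 1500-byte path
if [ "${1:-}" = live ]; then
  report "$(find_max_payload probe_ping 1200 1500)"
else
  sim_probe() { [ "$1" -le 1472 ]; }     # constructed: pretend the path MTU is 1500
  report "$(find_max_payload sim_probe 1200 1500)"
fi
```

The search assumes the usual monotonic behaviour (if N bytes pass, anything smaller passes); a path with a firewall that drops large pings outright rather than returning ICMP "fragmentation needed" still converges, it just takes the full log2(300) probes.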
3. Encryption Optimization
```bash
# OpenVPN data-channel settings (server.conf). AES-GCM is hardware accelerated on CPUs with AES-NI
# (check: grep -m1 -o aes /proc/cpuinfo); on CPUs without it, list CHACHA20-POLY1305 first.
cipher AES-256-GCM          # fallback for pre-2.4 clients that cannot negotiate
auth SHA256                 # HMAC for the tls-auth/tls-crypt control channel; GCM ciphers authenticate the data channel themselves
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305    # "ncp-ciphers" is the pre-2.5 name, still accepted as an alias
# WireGuard has no cipher negotiation at all: it always uses ChaCha20-Poly1305, which is fast in software even without AES-NI
```
Security Hardening
1. Certificate Management
```bash
# easy-rsa 3 reads these from the environment or from ./vars (CA_EXPIRE/KEY_EXPIRE are the easy-rsa 2 names)
export EASYRSA_CA_EXPIRE=3650      # CA: 10 years
export EASYRSA_CERT_EXPIRE=180     # server and client certificates: 180 days, matching the rotation cadence below
# Regular certificate rotation: reissue server and client certificates every 90-180 days.
# A lost or retired certificate is revoked, the CRL regenerated and copied to the server
# (server.conf must contain "crl-verify /etc/openvpn/server/crl.pem" for revocation to have any effect)
./easyrsa revoke CLIENTNAME
./easyrsa gen-crl
sudo install -m 644 pki/crl.pem /etc/openvpn/server/crl.pem
```
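Rotation only helps if someone notices an expiry coming. The script below is an added example that is not part of this guide: it computes the days remaining on each certificate in an easy-rsa 3 PKI from `openssl x509 -enddate`, flags anything inside a threshold, counts the revoked entries in index.txt, and wraps the revoke-and-publish-CRL step. It assumes GNU date (for `date -d`), openssl on the path, the ~/openvpn-ca directory from the install steps and a 30-day threshold; all of these are assumptions, not something the guide specifies.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): certificate expiry audit for an easy-rsa 3 PKI.
# Assumes GNU date and openssl; the threshold and PKI path are assumptions.
set -eu

# cert_days_left 'notAfter=<openssl date>' [NOW_EPOCH]: whole days until expiry (negative once expired)
cert_days_left() {
  local end=${1#notAfter=} now=${2:-$(date -u +%s)} end_epoch
  end_epoch=$(date -u -d "$end" +%s)    # GNU date parses openssl's "Jan  1 00:00:00 2030 GMT"
  echo $(( (end_epoch - now) / 86400 ))
}

# check_cert FILE [THRESHOLD_DAYS]: prints one status line; returns 1 if the certificate needs rotation
check_cert() {
  local file=$1 threshold=${2:-30} left
  left=$(cert_days_left "$(openssl x509 -in "$file" -noout -enddate)")
  if [ "$left" -lt "$threshold" ]; then
    echo "ROTATE $file: $left days left"; return 1
  fi
  echo "OK     $file: $left days left"
}

# audit_pki DIR: check the CA and every issued certificate, then count revoked entries in index.txt
audit_pki() {
  local dir=$1 rc=0 f
  for f in "$dir"/pki/ca.crt "$dir"/pki/issued/*.crt; do
    [ -f "$f" ] || continue
    check_cert "$f" || rc=1
  done
  # easy-rsa's index.txt marks revoked certificates with a leading "R"
  echo "revoked certificates: $(grep -c '^R' "$dir/pki/index.txt" 2>/dev/null || true)"
  return $rc
}

# revoke_client NAME: revoke, regenerate the CRL and install it where server.conf's crl-verify points
revoke_client() {
  ( cd "${EASYRSA_DIR:-$HOME/openvpn-ca}" \
    && ./easyrsa --batch revoke "$1" \
    && ./easyrsa gen-crl \
    && sudo install -m 644 pki/crl.pem /etc/openvpn/server/crl.pem )
}

# Demo with a constructed expiry string rather than a real certificate file
echo "days until 2030-01-01: $(cert_days_left 'notAfter=Jan  1 00:00:00 2030 GMT')"
```

Run `audit_pki ~/openvpn-ca` from cron or a monitoring agent and alert on a non-zero exit; the same `cert_days_left` helper works on `/etc/openvpn/server/server.crt` in place, which is the one whose expiry takes every client down at once.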
2. Access Control
```bash
# Restrict management access. ufw evaluates rules in order, so the allow must precede the deny;
# if a broad SSH rule already exists (e.g. "ufw allow OpenSSH"), delete it first: sudo ufw delete allow OpenSSH
sudo ufw allow from YOUR_IP to any port 22 proto tcp
sudo ufw deny 22/tcp
# Use key authentication and disable password login. A low-numbered drop-in wins over
# /etc/ssh/sshd_config.d/50-cloud-init.conf, which cloud images use to re-enable passwords.
printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n' | sudo tee /etc/ssh/sshd_config.d/10-hardening.conf >/dev/null
sudo sshd -t && sudo systemctl reload ssh     # service is named sshd on RHEL-family systems
```
3. Log Monitoring
```bash
# With the systemd unit and no "log" directive, OpenVPN logs to the journal (journalctl -u openvpn-server@server).
# If server.conf sets "log-append /var/log/openvpn/openvpn.log", rotate that file:
# weekly, rotate 8, compress, missingok, notifempty, copytruncate (OpenVPN keeps the file open, so truncate rather than move)
sudo nano /etc/logrotate.d/openvpn
```
Monitoring and Maintenance
1. Performance Monitoring
```bash
# Monitor connection count. OpenVPN over UDP uses one socket for all clients, so counting netstat
# lines says nothing; read the status file (server.conf: status /var/log/openvpn/status.log, status-version 2)
sudo grep -c '^CLIENT_LIST,' /var/log/openvpn/status.log
# WireGuard: peers with a handshake in the last few minutes are the active ones
sudo wg show wg0 latest-handshakes
# Monitor bandwidth
sudo iftop -i eth0
# Monitor CPU
htop
```
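Both servers expose per-client state in machine-readable form, and that is what monitoring should parse. The script below is an added example that is not part of this guide: it counts and lists OpenVPN clients from a status-version 2 file and tells active WireGuard peers from stale ones using `wg show wg0 dump`. The status excerpt and the dump output are constructed samples embedded so the functions run offline (the server's private key in the dump is replaced by a placeholder); the 180-second activity window is an assumption based on WireGuard re-handshaking roughly every two minutes while a peer is active.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): connection monitoring from OpenVPN's
# status-version 2 file and "wg show wg0 dump". Sample inputs are constructed.
set -eu

# Constructed OpenVPN status-version 2 excerpt (two clients connected)
OVPN_STATUS_SAMPLE='TITLE,OpenVPN 2.6.3 x86_64-pc-linux-gnu
TIME,2024-05-01 12:00:00,1714564800
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,alice,203.0.113.10:51234,10.8.0.2,,123456,654321,2024-05-01 11:00:00,1714561200,UNDEF,0,0,AES-256-GCM
CLIENT_LIST,bob,198.51.100.7:40001,10.8.0.3,,1000,2000,2024-05-01 11:30:00,1714563000,UNDEF,1,1,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.2,alice,203.0.113.10:51234,2024-05-01 11:59:58,1714564798
GLOBAL_STATS,Max bcast/mcast queue length,0
END'

# Constructed "wg show wg0 dump" output: first line is the interface (private key replaced by a
# placeholder), then one line per peer: pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive
WG_DUMP_SAMPLE='PRIVATE_KEY_PLACEHOLDER= SERVERPUBKEY= 51820 off
PEER1PUBKEY= (none) 203.0.113.10:41820 10.8.1.2/32 1714564700 123456 654321 25
PEER2PUBKEY= (none) (none) 10.8.1.3/32 0 0 0 off
PEER3PUBKEY= (none) 198.51.100.7:9999 10.8.1.4/32 1714560000 10 20 off'

# ovpn_client_count < status-file: number of connected clients
ovpn_client_count() { awk -F, '$1=="CLIENT_LIST"{n++} END{print n+0}'; }

# ovpn_client_list < status-file: common name, source address and bytes received/sent per client
ovpn_client_list() { awk -F, '$1=="CLIENT_LIST"{printf "%s %s rx=%s tx=%s\n",$2,$3,$6,$7}'; }

# wg_active_peers NOW [WINDOW] < dump: peers whose last handshake is within WINDOW seconds of NOW
wg_active_peers() {
  awk -v now="$1" -v window="${2:-180}" 'NR>1 && $5>0 && now-$5<=window {n++} END{print n+0}'
}

# wg_stale_peers NOW [WINDOW] < dump: configured peers that are silent, one line each
wg_stale_peers() {
  awk -v now="$1" -v window="${2:-180}" \
    'NR>1 && !($5>0 && now-$5<=window) {print $1, ($5>0 ? "last seen " now-$5 "s ago" : "never connected")}'
}

# Demo on the constructed samples. Live use:
#   sudo cat /var/log/openvpn/status.log | ovpn_client_count
#   sudo wg show wg0 dump | wg_active_peers "$(date +%s)"
printf '%s\n' "$OVPN_STATUS_SAMPLE" | ovpn_client_list
echo "openvpn clients: $(printf '%s\n' "$OVPN_STATUS_SAMPLE" | ovpn_client_count)"
echo "wireguard active peers: $(printf '%s\n' "$WG_DUMP_SAMPLE" | wg_active_peers 1714564800)"
printf '%s\n' "$WG_DUMP_SAMPLE" | wg_stale_peers 1714564800
```

Feeding the counts to an alerting system catches the two failure modes the guide's troubleshooting section lists: a server whose client count drops to zero after a certificate or CRL problem, and peers that silently stop handshaking after an MTU or firewall change.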
2. Automation Scripts
```bash
#!/bin/bash
# Backup configuration, certificates and keys (add /etc/wireguard if you run WireGuard).
# The archive contains private keys: keep it root-only and store it off the server.
set -euo pipefail
DATE=$(date +%Y%m%d)
mkdir -p /backup
tar -czf "/backup/vpn-$DATE.tar.gz" /etc/openvpn
chmod 600 "/backup/vpn-$DATE.tar.gz"
```
Troubleshooting
Common Issues
- Connection Failed: Check firewall and ports
- Slow Speed: Optimize MTU and encryption settings
- DNS Issues: Configure correct DNS servers
- Certificate Errors: Check certificate validity and matching
Debug Commands
```bash
# OpenVPN logs: the systemd unit logs to the journal unless server.conf sets log/log-append
sudo journalctl -u openvpn-server@server -f     # openvpn@server if the config lives at /etc/openvpn/server.conf
# WireGuard status: latest handshake and transfer counters per peer
sudo wg show
# Network diagnostics: is the UDP port reachable and do packets arrive at the server?
traceroute vpn-server-ip
sudo tcpdump -ni eth0 udp port 1194 or udp port 51820
```
Best Practices
- Regular Backups: Configuration files and certificates
- Update Software: Keep system and VPN software up to date
- Monitor Performance: Set up alerting mechanisms
- Documentation: Record configurations and changes
- Test Recovery: Regularly test disaster recovery
- Security Audits: Regular security assessments