How to Set Up a VPN (OpenVPN/WireGuard) on Arch Linux

Learn how to set up a VPN (OpenVPN/WireGuard) on Arch Linux, a rolling-release Linux distribution.

Virtual Private Networks (VPNs) are essential tools in today’s internet landscape, providing secure, encrypted connections over untrusted networks. Whether you’re accessing sensitive data remotely, circumventing regional restrictions, or simply enhancing privacy, setting up a VPN on your system is a smart move.

Arch Linux, being a highly customizable rolling-release distribution, allows you to configure VPN servers and clients with great flexibility. In this article, we'll walk through the steps to set up both OpenVPN and WireGuard on Arch Linux, two of the most popular VPN solutions available today.

Why Use a VPN on Arch Linux?

Arch Linux users often value security, privacy, and control. A VPN on Arch Linux allows you to:

  • Encrypt internet traffic on public or untrusted networks.
  • Host your own secure access point to private resources.
  • Bypass geographical restrictions and censorship.
  • Create secure tunnels between remote systems or networks.

With OpenVPN and WireGuard both supported on Arch Linux, you can choose a VPN protocol that best matches your needs in terms of performance, compatibility, and security.


Installing Prerequisites

Before you begin, make sure your Arch Linux system is up to date:

sudo pacman -Syu

Install the necessary packages:

# For OpenVPN
sudo pacman -S openvpn easy-rsa

# For WireGuard
sudo pacman -S wireguard-tools

Ensure systemd-resolved or NetworkManager is running if DNS resolution is required.


Setting Up OpenVPN

Step 1: Generate Certificates Using Easy-RSA

Navigate to a working directory:

mkdir -p ~/openvpn-ca
cd ~/openvpn-ca
cp -r /usr/share/easy-rsa/* .

Initialize the PKI and build CA:

./easyrsa init-pki
./easyrsa build-ca

Then generate the server certificate:

./easyrsa gen-req server nopass
./easyrsa sign-req server server

Generate Diffie-Hellman parameters and the TLS auth key (the tls-auth key is a shared secret used by both server and clients):

./easyrsa gen-dh
openvpn --genkey secret ta.key

Similarly, create client certificates:

./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

Step 2: Server Configuration

Create a server configuration file:

sudo mkdir -p /etc/openvpn/server
sudo nano /etc/openvpn/server/server.conf

Example server.conf:

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
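The server.conf above points at /etc/openvpn/server, but Easy-RSA left everything under the working directory (pki/ca.crt, pki/issued/server.crt, pki/private/server.key, pki/dh.pem, and ta.key where openvpn --genkey was run), and nothing so far has moved those files into place. The following helper is an added example and not part of the original article or of Easy-RSA; the function names and the two directory arguments are my own. It refuses to copy anything if a file is missing, installs keys with mode 600 and certificates with 644, and finally checks that server.crt really chains to the CA the clients will trust.

```shell
#!/bin/sh
# Added example: stage Easy-RSA 3 output into the OpenVPN server directory.
# Not part of the original article; paths follow the Easy-RSA 3 layout.

# Print one "name source mode" line per file that server.conf refers to.
# (Assumes no spaces in the source path.)
openvpn_pki_manifest() {
    src="$1"
    printf '%s\n' \
        "ca.crt $src/pki/ca.crt 644" \
        "server.crt $src/pki/issued/server.crt 644" \
        "server.key $src/pki/private/server.key 600" \
        "dh.pem $src/pki/dh.pem 644" \
        "ta.key $src/ta.key 600"
}

# Return non-zero if any artefact is missing, so nothing half-staged ends up
# under /etc/openvpn/server.
check_openvpn_pki() {
    openvpn_pki_manifest "$1" | while read -r name path mode; do
        [ -f "$path" ] || { echo "missing $name: $path" >&2; exit 1; }
    done
}

# stage_openvpn_pki SRC DST
#   SRC: Easy-RSA working directory (e.g. ~/openvpn-ca)
#   DST: OpenVPN server config directory (e.g. /etc/openvpn/server)
stage_openvpn_pki() {
    src="$1"
    dst="$2"
    check_openvpn_pki "$src" || return 1
    mkdir -p "$dst"
    openvpn_pki_manifest "$src" | while read -r name path mode; do
        # install(1) creates the copy with the requested mode, so private
        # keys are never left world-readable.
        install -m "$mode" "$path" "$dst/$name"
    done
}

# Confirm the server certificate was signed by the CA in ca.crt; a cert
# signed by a different CA (e.g. after a re-run of build-ca) would make every
# client reject the server with a verify error.
verify_openvpn_pki() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt"
}

# Usage (as root): sh stage-pki.sh /home/you/openvpn-ca /etc/openvpn/server
if [ "$#" -eq 2 ]; then
    stage_openvpn_pki "$1" "$2" && verify_openvpn_pki "$2"
fi
```

Run it once with sudo after the certificates have been generated; if it prints "missing ...", the Easy-RSA step that produces that file has not been run yet.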

Enable IP forwarding (Arch has no /etc/sysctl.conf, so load the drop-ins under /etc/sysctl.d with --system rather than -p):

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
sudo sysctl --system

Start and enable the service:

sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server

Step 3: Client Configuration

Create a .ovpn config file:

client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

Copy ca.crt, client1.crt, client1.key and ta.key to the client, next to this config. client1.key and ta.key are secrets, so transfer them over a secure channel and keep them readable only by their owner.

To connect:

sudo openvpn --config client.ovpn

Setting Up WireGuard

WireGuard is a newer VPN protocol that is lightweight, fast, and secure.

Step 1: Generate Keys

On both the server and client, generate key pairs:

wg genkey | tee privatekey | wg pubkey > publickey

Note the contents of both files: the public key is what you exchange with the other side, while the private key never leaves the host that generated it and should be readable only by its owner.

Step 2: Server Configuration

Edit the configuration:

sudo nano /etc/wireguard/wg0.conf

Example wg0.conf:

[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.200.200.1/24
ListenPort = 51820

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.200.200.2/32

Enable IP forwarding (if you already did this for OpenVPN, the setting is in place; --system loads all drop-ins under /etc/sysctl.d):

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.d/wg.conf
sudo sysctl --system

Start the WireGuard interface:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Step 3: Client Configuration

Example client configuration (wg-client.conf):

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.200.200.2/24

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Bring up the interface (wg-quick looks for /etc/wireguard/wg-client.conf when given a name; you can pass the path to the file instead):

sudo wg-quick up wg-client

Check the status:

sudo wg

Firewall Configuration

If you’re using iptables or nftables, you’ll need to allow the respective ports.

For OpenVPN (UDP 1194):

sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT

For WireGuard (UDP 51820):

sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT

Also, allow forwarding:

sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -j ACCEPT

Make the rules persistent (e.g., via iptables-save or nftables configs).
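The two FORWARD rules above only admit packets entering from the tunnel. With redirect-gateway (OpenVPN) or AllowedIPs = 0.0.0.0/0 (WireGuard) the client sends all of its traffic through the server, and for that traffic to reach the internet and come back the server also needs a rule for the replies heading back into the tunnel and, unless your upstream router already routes 10.8.0.0/24 and 10.200.200.0/24 to this host, source NAT on the uplink. The script below is an added example, not part of the original article: it applies the article's port rules plus those two missing pieces, takes the uplink interface name as an argument (eth0 is an assumed example), and can be dry-run to print the rules instead of applying them. The persistence step relies on Arch's iptables.service, which restores /etc/iptables/iptables.rules at boot.

```shell
#!/bin/sh
# Added example: complete firewall rules for the OpenVPN (tun0, 10.8.0.0/24)
# and WireGuard (wg0, 10.200.200.0/24) setups from this article.
# Not part of the original article.

: "${VPN_FW_DRY_RUN:=0}"   # set to 1 to print the rules instead of applying them

rule() {
    if [ "$VPN_FW_DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# vpn_firewall_rules WAN_IF
#   WAN_IF is the interface with the server's public address (assumed: eth0).
vpn_firewall_rules() {
    wan="$1"
    # Listening ports, as in the article.
    rule -A INPUT -p udp --dport 1194 -j ACCEPT
    rule -A INPUT -p udp --dport 51820 -j ACCEPT
    # Replies to connections that were opened through the tunnel; without this
    # a FORWARD chain with policy DROP silently eats every response.
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections may originate on the tunnel side and leave via the
    # uplink only (narrower than the article's "-i tun0 -j ACCEPT", which would
    # also allow tunnel-to-tunnel traffic between peers).
    rule -A FORWARD -i tun0 -o "$wan" -j ACCEPT
    rule -A FORWARD -i wg0 -o "$wan" -j ACCEPT
    # Source NAT: VPN clients use the server's public address on the way out.
    rule -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$wan" -j MASQUERADE
    rule -t nat -A POSTROUTING -s 10.200.200.0/24 -o "$wan" -j MASQUERADE
}

# Save the running ruleset where Arch's iptables.service reloads it at boot.
vpn_firewall_persist() {
    iptables-save > /etc/iptables/iptables.rules
    systemctl enable iptables.service
}

# Usage (as root):  sh vpn-fw.sh eth0
# Preview only:     VPN_FW_DRY_RUN=1 sh vpn-fw.sh eth0
if [ "$#" -eq 1 ]; then
    vpn_firewall_rules "$1"
    [ "$VPN_FW_DRY_RUN" = "1" ] || vpn_firewall_persist
fi
```

Preview with the dry-run variable first; the output is exactly the sequence of iptables commands that would be executed, which is convenient to diff against the existing ruleset before touching a remote server.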


Testing the VPN Connection

To ensure everything is functioning:

OpenVPN

ping 10.8.0.1  # Ping the server from client

Check logs:

journalctl -u openvpn-server@server

WireGuard

sudo wg show
ping 10.200.200.1  # Ping server from client
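Two checks that go a little beyond the ping above, as an added example that is not part of the original article: the first serves the key-generation step (a key that was pasted incompletely into wg0.conf is the usual reason a peer never handshakes), the second serves this testing step. WireGuard has no "connected" state, so the latest handshake reported by wg show is the only liveness signal; the second function parses the output of wg show wg0 latest-handshakes (one "PUBKEY<TAB>EPOCH" line per peer, 0 meaning never) and flags any peer whose handshake is older than a threshold. Function names, the 180-second default and the constructed sample values are my own.

```shell
#!/bin/sh
# Added example: sanity checks for WireGuard keys and peer liveness.
# Not part of the original article.

# wg_key_ok KEY
#   A WireGuard key is the base64 encoding of exactly 32 bytes: 43 base64
#   characters followed by one "=". Anything else was truncated or mis-pasted.
wg_key_ok() {
    key="$1"
    [ "${#key}" -eq 44 ] || return 1
    printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || return 1
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)
    [ "$n" -eq 32 ]
}

# wg_peer_alive OUTPUT [MAX_AGE] [NOW]
#   OUTPUT is the text printed by "wg show <iface> latest-handshakes".
#   Returns 0 only if every peer handshook within MAX_AGE seconds (default 180)
#   of NOW (default: current time). While traffic flows WireGuard rekeys at
#   least every couple of minutes, so an older handshake means the peer is
#   unreachable, its key is wrong, or its Endpoint/AllowedIPs are misconfigured.
wg_peer_alive() {
    output="$1"
    max_age="${2:-180}"
    now="${3:-$(date +%s)}"
    [ -n "$output" ] || { echo "no peers configured on this interface" >&2; return 1; }
    echo "$output" | while IFS="$(printf '\t')" read -r pubkey epoch; do
        [ -n "$pubkey" ] || continue
        if [ "$epoch" -eq 0 ] || [ $((now - epoch)) -gt "$max_age" ]; then
            echo "stale peer $pubkey (last handshake epoch $epoch)" >&2
            exit 1
        fi
    done
}

# Usage: sudo sh wg-check.sh wg0
if [ "$#" -eq 1 ]; then
    wg_peer_alive "$(wg show "$1" latest-handshakes)" && echo "all peers alive"
fi
```

Run the liveness check right after the ping: a successful ping with a stale handshake is impossible, but a fresh handshake with a failing ping points at routing or firewall rules rather than at the WireGuard configuration itself.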

Conclusion

Both OpenVPN and WireGuard are excellent choices for running a VPN on Arch Linux. OpenVPN is widely supported and robust, while WireGuard offers a leaner, faster alternative that’s easier to configure and maintain.

If you prioritize compatibility and mature features, OpenVPN might be your go-to. On the other hand, if you want modern performance and simplicity, WireGuard is a compelling choice.

Regardless of the method you choose, setting up a VPN on Arch Linux provides increased control, privacy, and security. With proper configuration and key management, you can enjoy a secure, private internet experience tailored to your exact needs.