Hello, here is an example of how to build your own VPN server using a VPS. Currently, I am using OVH to get a VPS. I have been using this exact VPS for email for over three years now. So, I have just expanded it to also control VPN for my entire network. Why? Well, I wanted full network control. This allows my VPN to control my network access point, and that is globally. I will always appear to be reaching the net from that one IP no matter where in the world I am. I may add more servers in the future for content-restricted access, but for now this is all a proof of concept.

Setup the Server Side

Prerequisites

  • VPS Provider: A small VPS (e.g., 1GB RAM) from providers like DigitalOcean, Vultr, Linode, or OVH.
  • Operating System: Ubuntu 22.04 or 24.04 LTS is recommended.
  • SSH Client: Terminal (macOS/Linux) or PuTTY (Windows).
  1. Log in to your VPS: Connect as root using SSH:
     ssh root@vps_ip_address
  2. Update your System: Run the following commands to ensure your server is updated:
     apt update && apt upgrade -y
  3. Run the Installation Script: Use the popular, open-source script by Nyr:
     wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
  4. Configure the VPN: The script will ask for protocol (UDP is recommended), port (default is fine), and DNS settings. Press enter to accept defaults.
  5. Create a Client: Once installed, the script asks to add a new client (e.g., “phone” or “laptop”).
  6. Download the Configuration File: The script creates a .ovpn file (e.g., client.ovpn). Use an FTP client like FileZilla to download this file from your VPS to your computer.
  7. Connect: Install the OpenVPN Connect client on your device, import the .ovpn file, and connect.
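The server-side steps above, collected into one script as an added example (this is not code from the original post or from the Nyr project). It pins the installer download to the project's own GitHub repository instead of a URL shortener, and it fetches the finished .ovpn over the SSH session you already have (scp) rather than FTP, since FTP carries the login and the file, which contains the client's private key, in the clear. Assumptions, labelled in the code: the installer rewrites any character outside [0-9a-zA-Z_-] in a client name to "_", and when run as root it writes the profile to /root/<client>.ovpn; vps_ip_address is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): server-side preparation for the
# Nyr installer, run as root on the Ubuntu VPS, plus a secure way to fetch the
# resulting .ovpn from your workstation over SSH.
set -eu

# Pinned to the installer's own repository rather than a URL shortener, so the
# host serving the script is the same one you would read it on.
SCRIPT_URL="https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh"

# Assumption: the installer maps every character outside [0-9a-zA-Z_-] in a
# client name to "_". Mirror that so we know which file name to expect.
sanitize_client_name() {
  printf '%s' "$1" | sed 's/[^0-9a-zA-Z_-]/_/g'
}

# Assumption: when run as root, the installer writes the client profile to
# /root/<sanitised client name>.ovpn.
client_profile_path() {
  printf '/root/%s.ovpn' "$(sanitize_client_name "$1")"
}

# Steps 2 and 3 from the post, unchanged apart from the pinned URL. The
# installer itself is interactive (protocol, port, DNS, client name).
prepare_server() {
  apt update && apt upgrade -y
  wget "$SCRIPT_URL" -O openvpn-install.sh
  bash openvpn-install.sh
}

# Run from the workstation, not the VPS: copy the profile over SSH instead of
# FTP, then restrict it to the current user because it holds a private key.
fetch_profile() {          # usage: fetch_profile <vps_ip_address> <client name>
  remote_path=$(client_profile_path "$2")
  scp "root@$1:$remote_path" ./
  chmod 600 "./$(basename "$remote_path")"
}

case "${1:-}" in
  prepare) prepare_server ;;
  fetch)   fetch_profile "$2" "$3" ;;
  *)       echo "usage: $0 prepare | fetch <vps_ip_address> <client name>" ;;
esac
```

Run `sh setup.sh prepare` as root on the VPS, then `sh setup.sh fetch vps_ip_address phone` on your workstation; the profile lands in the current directory with mode 600.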

Setup the Client Side: OPNsense

Phase 1: OpenVPN Client Instance Setup 

  1. Create Instance: Navigate to VPN > OpenVPN > Instances and click + to add a new instance.
  2. Configuration: Enable ‘Advanced Mode’. Set the role to Client. Enter the server address, port, and protocol (UDP/TCP) from your provider’s configuration file.
  3. Authentication: Choose the appropriate Certificate Authority (CA) and client certificate. Enter your VPN provider’s username and password.
  4. Prevent Local Routing Conflicts: Under “Miscellaneous Options,” select route-nopull to prevent the VPN server from hijacking your default gateway before you are ready.
  5. Save and apply changes.
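Steps 2 and 3 above need values that live inside the .ovpn you downloaded: the server address, port and protocol from the remote and proto lines, and the CA, client certificate and key (plus the tls-crypt key) from its inline PEM blocks, which OPNsense imports under System > Trust. The following script, an added example and not part of the original post or of OPNsense, pulls those values out and splits the PEM blocks into separate owner-only files. The sample profile it writes is constructed in the layout the Nyr installer produces (an assumption); the PEM bodies are placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): extract the values the OPNsense
# client instance asks for from a .ovpn and split its inline PEM blocks into
# files for import under System > Trust.
set -eu

# Constructed sample in the layout the Nyr installer produces (assumption:
# "remote <host> <port>", "proto", and inline <ca>/<cert>/<key>/<tls-crypt>).
# The PEM bodies are placeholders, not real keys.
make_sample_ovpn() {     # usage: make_sample_ovpn <path>
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TLS-CRYPT-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# First "remote" line: host and port, as entered in the OPNsense instance.
ovpn_remote() { awk '$1 == "remote" { print $2, $3; exit }' "$1"; }

# Protocol line; OpenVPN defaults to udp when the profile omits it.
ovpn_proto() {
  awk '$1 == "proto" { print $2; found = 1; exit } END { if (!found) print "udp" }' "$1"
}

# Body of an inline <name>...</name> block, without the tag lines.
ovpn_section() {         # usage: ovpn_section <path> <section name>
  sed -n "/^<$2>/,/^<\/$2>/p" "$1" | sed '1d;$d'
}

# Split the profile into the files OPNsense imports: CA under Authorities,
# client cert and key under Certificates, tls-crypt as a static key for the
# instance. The key material is a credential, so everything is owner-only.
extract_for_opnsense() { # usage: extract_for_opnsense <profile> <outdir>
  mkdir -p "$2" && chmod 700 "$2"
  for s in ca cert key tls-crypt; do
    ovpn_section "$1" "$s" > "$2/$s.pem"
    chmod 600 "$2/$s.pem"
  done
  printf 'server=%s proto=%s\n' "$(ovpn_remote "$1")" "$(ovpn_proto "$1")"
}

# Stand-alone demo: build the sample, split it, print the instance settings.
if [ "${1:-}" = "demo" ]; then
  make_sample_ovpn ./client.ovpn
  extract_for_opnsense ./client.ovpn ./opnsense-import
fi
```

Point the functions at the real profile instead of the sample (`extract_for_opnsense phone.ovpn ./opnsense-import`), paste ca.pem, cert.pem and key.pem into System > Trust, and delete the import directory once the instance connects; the .ovpn itself is as sensitive as a password.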

Phase 2: Interface and Gateway Configuration 

  1. Assign Interface: Go to Interfaces > Assignments. Assign the new OpenVPN instance (e.g., ovpnc1) to a new interface (e.g., VPN_CLIENT).
  2. Enable Interface: Click on the new interface, check Enable Interface, and save.
  3. Gateway Check: Navigate to System > Gateways > Single to ensure a gateway was created for the VPN.

Phase 3: Outbound NAT

  1. Navigate to Firewall > NAT > Outbound.
  2. Set Mode to Hybrid outbound NAT rule generation and Save.
  3. Add a new rule:
    • Interface: VPN_CLIENT (the interface created in Phase 2)
    • Source Address: LAN net
    • Translation / Target: Interface Address
  4. Save and Apply. 

Phase 4: Firewall Rules (Route Traffic)

  1. Go to Firewall > Rules > LAN.
  2. Add a new rule to the top:
    • Action: Pass
    • Interface: LAN
    • Protocol: Any
    • Source: LAN net
    • Destination: Any
    • Gateway: Select the OpenVPN Gateway created in Phase 2.
  3. Save and Apply.
