While WireGuard (covered in our earlier guide) is the best choice for performance and simplicity, OpenVPN remains the standard for corporate VPN deployments requiring client certificate management, fine-grained access control, and compatibility with enterprise security policies. A Hong Kong VPS running OpenVPN gives remote teams secure, authenticated access to internal infrastructure — with CN2 GIA routing providing reliable connectivity for team members in mainland China.
OpenVPN vs WireGuard: Choosing the Right Protocol
| Factor | OpenVPN | WireGuard |
|---|---|---|
| Performance | Good (100–200 Mbps typical) | Excellent (500+ Mbps typical) |
| Enterprise features | Full (certificates, LDAP, MFA) | Basic (static public key per peer; LDAP/MFA only through third-party tooling) |
| Client compatibility | Universal (all platforms, including legacy enterprise clients) | All major platforms; fewer legacy/enterprise clients |
| Certificate management | Yes (per-user revocation via CRL) | No certificates; revoke by removing the peer's public key from the server |
| Firewall traversal | Excellent (TCP mode) | UDP only (may be blocked) |
| Setup complexity | High | Low |
Choose OpenVPN when: you need per-user certificate revocation, LDAP/AD integration, MFA, or compatibility with enterprise VPN clients. Choose WireGuard when: performance is the priority and you manage a small technical team.
Step 1: Install OpenVPN and Easy-RSA

```bash
apt update && apt install -y openvpn easy-rsa
# Set up PKI (Certificate Authority)
mkdir -p /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa
# Initialize PKI
./easyrsa init-pki
# Build CA (Certificate Authority). "nopass" leaves the CA private key
# (pki/private/ca.key) unencrypted on the VPS: anyone who can read it can issue
# certificates the server trusts. Drop "nopass" to protect it with a passphrase
# (then required for every sign-req and revoke), or keep the CA on a separate
# machine and copy only signed certificates to the VPS.
./easyrsa build-ca nopass
# Enter Common Name: HongKongVPNCA
```

Step 2: Generate Server Certificate and Keys

```bash
cd /etc/openvpn/easy-rsa
# Generate server certificate. Signing it with the "server" type adds the
# server EKU that clients check with "remote-cert-tls server".
./easyrsa gen-req server nopass
./easyrsa sign-req server server
# Generate Diffie-Hellman parameters (takes several minutes)
./easyrsa gen-dh
# Generate TLS authentication key (extra security layer).
# OpenVPN 2.4 uses the older spelling: openvpn --genkey --secret <file>
openvpn --genkey secret /etc/openvpn/easy-rsa/pki/ta.key
# Copy server files to OpenVPN directory
cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem pki/ta.key /etc/openvpn/
```
Step 3: Create OpenVPN Server Configuration

Create /etc/openvpn/server.conf (for example with nano /etc/openvpn/server.conf) with the following contents:

```
# Network configuration
port 1194
proto udp            # Change to tcp if UDP is blocked (common in corporate networks)
dev tun
# Certificates (relative paths resolve against /etc/openvpn)
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC-authenticates control-channel packets so unauthenticated probes are
# dropped before the TLS handshake. Clients use the same key with key-direction 1.
# (tls-crypt ta.key would also encrypt the control channel, but clients would then
# need a <tls-crypt> block instead of <tls-auth> plus key-direction.)
tls-auth ta.key 0
# Reject clients whose certificate has been revoked (see Step 5). The file must
# exist and be readable by the unprivileged user below, so it is created before
# the first start.
crl-verify /etc/openvpn/crl.pem
# VPN subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Push routes to clients
push "redirect-gateway def1 bypass-dhcp"   # Route all traffic through VPN
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
# For split tunnelling (only route specific subnets through VPN):
# comment out redirect-gateway above and add:
# push "route 10.0.0.0 255.255.0.0"
# push "route 192.168.1.0 255.255.255.0"
# Security
data-ciphers AES-256-GCM:CHACHA20-POLY1305   # AEAD ciphers negotiated with 2.5+ clients
cipher AES-256-GCM                           # fallback for clients without cipher negotiation
auth SHA512                                  # HMAC for tls-auth (the AEAD data channel ignores it)
tls-version-min 1.2
# Compression: deliberately off. Compressing data inside the tunnel exposes it to
# the VORACLE attack, and OpenVPN 2.5+ deprecates it. stub-v2 keeps the frame
# format compatible with clients that still have "compress" in their config
# while compressing nothing.
compress stub-v2
push "compress stub-v2"
# Keepalive and limits
keepalive 10 120
max-clients 50
# Logging
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
mute 20
# Run as unprivileged user after start-up
user nobody
group nogroup
persist-key
persist-tun
```

Then prepare the host, enable forwarding and NAT, and start the service:

```bash
mkdir -p /var/log/openvpn
# Create an (initially empty) CRL so crl-verify has a file to read. OpenVPN
# re-reads it as "nobody" on every handshake, hence the permissions.
(cd /etc/openvpn/easy-rsa && ./easyrsa gen-crl)
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem
# Enable IP forwarding
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-openvpn.conf
sysctl --system
# NAT so VPN clients can reach the internet. Replace eth0 with the VPS's real
# public interface if it differs:  ip route get 1.1.1.1 | awk '{print $5; exit}'
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Make persistent:
apt install -y iptables-persistent
netfilter-persistent save
# Open firewall port (1194/tcp instead if you switched proto to tcp)
ufw allow 1194/udp
# ufw drops forwarded packets by default, which silently breaks the NAT above;
# allow tun0 -> eth0 forwarding explicitly
ufw route allow in on tun0 out on eth0
# Start OpenVPN (openvpn@server reads /etc/openvpn/server.conf)
systemctl enable openvpn@server
systemctl start openvpn@server
systemctl status openvpn@server
```
Step 4: Generate Client Certificates

```bash
cd /etc/openvpn/easy-rsa
# Generate a certificate for each team member. The CN ("alice") is the identity
# OpenVPN logs and the name you revoke later, so issue one certificate per person,
# never a shared one. (The key is generated on the VPS here for convenience; for
# stricter separation run gen-req on the user's machine and sign only the .req
# on the VPS.)
./easyrsa gen-req alice nopass
./easyrsa sign-req client alice
./easyrsa gen-req bob nopass
./easyrsa sign-req client bob
```

Create client .ovpn configuration file

Save the following as /etc/openvpn/make_client_config.sh (for example with nano /etc/openvpn/make_client_config.sh):

```bash
#!/bin/bash
# Usage: make_client_config.sh <client-name>
# Builds a self-contained .ovpn bundle (CA cert, client cert + key, tls-auth key)
# for one team member.
set -euo pipefail

CLIENT="${1:?usage: $0 <client-name>}"
VPS_IP="YOUR_VPS_IP"
VPS_PORT=1194
EASY_RSA_DIR="/etc/openvpn/easy-rsa"
OUTPUT_DIR="/etc/openvpn/client-configs"

CERT="$EASY_RSA_DIR/pki/issued/${CLIENT}.crt"
KEY="$EASY_RSA_DIR/pki/private/${CLIENT}.key"
if [ ! -f "$CERT" ] || [ ! -f "$KEY" ]; then
    echo "no certificate/key for '$CLIENT'; run easyrsa gen-req/sign-req first" >&2
    exit 1
fi

# The bundle contains the user's private key: create it readable by root only
umask 077
mkdir -p "$OUTPUT_DIR"
cat > "$OUTPUT_DIR/${CLIENT}.ovpn" <<EOF
client
dev tun
proto udp
remote $VPS_IP $VPS_PORT
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a peer whose certificate was issued as a server certificate.
# Without this, any other team member's client certificate could impersonate the VPS.
remote-cert-tls server
cipher AES-256-GCM
auth SHA512
verb 3
# No "compress" line: in-tunnel compression enables the VORACLE attack.
key-direction 1
<ca>
$(cat "$EASY_RSA_DIR/pki/ca.crt")
</ca>
<cert>
$(cat "$CERT")
</cert>
<key>
$(cat "$KEY")
</key>
<tls-auth>
$(cat /etc/openvpn/ta.key)
</tls-auth>
EOF
echo "Client config created: $OUTPUT_DIR/${CLIENT}.ovpn"
```

```bash
chmod +x /etc/openvpn/make_client_config.sh
# Generate .ovpn files for each team member
/etc/openvpn/make_client_config.sh alice
/etc/openvpn/make_client_config.sh bob
# Transfer to team members securely (never send via unencrypted email): the
# .ovpn contains the user's private key. Use Signal, encrypted email (PGP), or
# a secure file transfer.
```
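Before a bundle leaves the VPS it is worth checking it mechanically rather than by eye. The following Python script is an added example for this guide, not code from the original page or from OpenVPN. It parses the directives and the inline <ca>/<cert>/<key>/<tls-auth> blocks that make_client_config.sh writes and flags the mistakes that matter most: a placeholder remote (VPS_IP never filled in), a missing remote-cert-tls server, compression left on, a non-AEAD cipher, file references instead of inline blocks, and tls-auth without key-direction 1. The bundle it checks by default is constructed inline (the PEM bodies are fake placeholders); pass a path on the command line to lint a real file.

```python
"""Lint an OpenVPN client bundle (.ovpn) before handing it to a team member.

Added example for this guide (not code from the original page or OpenVPN).
The sample bundle at the bottom is constructed; pass a file path to lint a
real one.
"""
import re
import sys

AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
PLACEHOLDER_HOSTS = {"YOUR_VPS_IP", "0.0.0.0", "example.com"}


def parse_ovpn(text):
    """Split a config into (directives, blocks): directives as (name, args) in
    file order with comments removed, blocks as {tag: body} for the inline
    <ca>...</ca> style sections OpenVPN accepts."""
    directives, blocks, lines, i = [], {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            tag, body = m.group(1), []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated <{tag}> block")
            i += 1  # skip the closing tag
            blocks[tag] = "\n".join(body)
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks


def lint_ovpn(text):
    """Return a list of findings; an empty list means the bundle passed."""
    directives, blocks = parse_ovpn(text)
    first = {}
    for name, args in directives:
        first.setdefault(name, args)  # first occurrence wins
    findings = []
    if "client" not in first:
        findings.append("missing 'client': not a client config")
    remote = first.get("remote", [])
    if not remote:
        findings.append("missing 'remote': no server to connect to")
    elif remote[0] in PLACEHOLDER_HOSTS:
        findings.append(f"'remote {remote[0]}' is a placeholder: VPS_IP was never filled in")
    if first.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server': any client certificate "
                        "issued by this CA could impersonate the VPS")
    for name in ("compress", "comp-lzo"):
        if name in first:
            findings.append(f"'{name}' set: in-tunnel compression exposes traffic "
                            "to VORACLE-style attacks; remove it on server and client")
    cipher = first.get("cipher", [""])[0].upper()
    if cipher and cipher not in AEAD_CIPHERS:
        findings.append(f"cipher {cipher} is not AEAD; use AES-256-GCM or CHACHA20-POLY1305")
    for tag in ("ca", "cert", "key"):
        if tag not in blocks:
            hint = " (a file path is referenced instead)" if tag in first else ""
            findings.append(f"missing inline <{tag}> block{hint}: the bundle must be self-contained")
        elif "-----BEGIN" not in blocks[tag] or "-----END" not in blocks[tag]:
            findings.append(f"<{tag}> block holds no PEM data")
    if "tls-crypt" in blocks:
        pass  # control channel authenticated and encrypted; no key-direction needed
    elif "tls-auth" in blocks:
        if first.get("key-direction") != ["1"]:
            findings.append("tls-auth without 'key-direction 1': the server uses direction 0")
    else:
        findings.append("no <tls-auth>/<tls-crypt> block: control channel open to unauthenticated probing")
    return findings


# Constructed sample: what make_client_config.sh would emit if VPS_IP were left
# unset, remote-cert-tls were forgotten and compression left on. PEM bodies are fake.
PEM = "-----BEGIN {0}-----\nMIIB...constructed...\n-----END {0}-----"
WEAK_BUNDLE = f"""client
dev tun
proto udp
remote YOUR_VPS_IP 1194
nobind
persist-key
persist-tun
cipher AES-256-GCM
auth SHA512
compress lz4-v2
key-direction 1
<ca>
{PEM.format('CERTIFICATE')}
</ca>
<cert>
{PEM.format('CERTIFICATE')}
</cert>
<key>
{PEM.format('PRIVATE KEY')}
</key>
<tls-auth>
{PEM.format('OpenVPN Static key V1')}
</tls-auth>
"""
GOOD_BUNDLE = WEAK_BUNDLE.replace("YOUR_VPS_IP", "203.0.113.10").replace(
    "compress lz4-v2\n", "remote-cert-tls server\n")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_BUNDLE
    problems = lint_ovpn(text)
    for p in problems:
        print("FAIL:", p)
    print("OK: bundle passed" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it as `python3 lint_ovpn.py /etc/openvpn/client-configs/alice.ovpn`; a non-zero exit status makes it usable as a gate in the script that hands bundles out. The first occurrence of a directive wins because that is how OpenVPN resolves duplicates; `tls-crypt` bundles pass without `key-direction` because that key is symmetric.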
Step 5: Revoking a Certificate (When a Team Member Leaves)

```bash
cd /etc/openvpn/easy-rsa
# Revoke certificate
./easyrsa revoke alice
# Regenerate the CRL (Certificate Revocation List) and install it
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem   # OpenVPN re-reads it as the unprivileged user
# Add crl-verify to server.conf if not already present (once, not on every revocation)
grep -q '^crl-verify' /etc/openvpn/server.conf || echo "crl-verify /etc/openvpn/crl.pem" >> /etc/openvpn/server.conf
systemctl restart openvpn@server
```

Alice's certificate is now rejected at the TLS handshake: she cannot connect even if she still has the .ovpn file. Two caveats. First, the CRL is only consulted when a handshake happens, so a session Alice already has open survives until it renegotiates (reneg-sec, 3600 seconds by default) unless it is dropped; the restart above drops it, but also every other user's session. OpenVPN picks up a changed crl.pem without a restart, so once crl-verify is in the config you can skip the restart and, if the management interface is enabled (management 127.0.0.1 7505 in server.conf), disconnect only her with the management command kill alice. Second, revocation does not help if the CA key itself has leaked: then every certificate, the server's included, has to be reissued from a new CA.
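The gap between "revoked" and "disconnected" is easy to miss, so the following Python script, an added example for this guide and not code from the original page, Easy-RSA or OpenVPN, cross-checks Easy-RSA's certificate database (pki/index.txt) against the live session list in openvpn-status.log and reports any revoked CN that still holds a session, plus valid certificates that expire within 30 days so they can be reissued before the user is locked out. Both inputs below are constructed samples in the formats of the real files (index.txt is the OpenSSL CA database; the status log is the default status-version 1 layout); pass the real paths as the two command-line arguments.

```python
"""After revoking a certificate: is the revoked user still connected?

Added example for this guide (not code from the original page, Easy-RSA or
OpenVPN). Inputs at the bottom are constructed samples in the real formats.
"""
import re
import sys
from datetime import datetime, timedelta


def parse_index(text):
    """Parse the OpenSSL CA database Easy-RSA keeps in pki/index.txt.
    Tab-separated fields: status (V valid / R revoked / E expired), expiry,
    revocation time (empty unless revoked, may carry ',reason'), serial,
    filename, DN. Returns {common_name: record}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expires, revoked, serial, _fname, dn = fields
        cn = re.search(r"/CN=([^/]+)", dn)
        if cn is None:
            continue
        entries[cn.group(1)] = {
            "status": status,
            "serial": serial,
            "expires": datetime.strptime(expires, "%y%m%d%H%M%SZ"),
            "revoked": revoked.split(",")[0] or None,
        }
    return entries


def parse_status(text):
    """Return {common_name: real_address} for each live session listed in the
    'OpenVPN CLIENT LIST' section of openvpn-status.log (status-version 1)."""
    connected, in_clients = {}, False
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            in_clients = True
            continue
        if line == "ROUTING TABLE":
            break
        if not in_clients or line.startswith(("Updated,", "Common Name,")):
            continue
        parts = line.split(",")
        if len(parts) >= 5:
            connected[parts[0]] = parts[1]
    return connected


def revoked_still_connected(index, connected):
    """CNs whose certificate is revoked but who still hold a live session."""
    return sorted(cn for cn in connected if index.get(cn, {}).get("status") == "R")


def expiring_within(index, now, days):
    """Valid certificates expiring within `days` of `now`."""
    limit = now + timedelta(days=days)
    return sorted(cn for cn, rec in index.items()
                  if rec["status"] == "V" and rec["expires"] <= limit)


def report(index_text, status_text, now, days=30):
    index, connected = parse_index(index_text), parse_status(status_text)
    return {"revoked_connected": revoked_still_connected(index, connected),
            "expiring": expiring_within(index, now, days)}


# Constructed samples: alice was revoked at 09:30 but connected at 08:02 and
# has not renegotiated yet; carol's certificate runs out in a few weeks.
INDEX_TXT = (
    "V\t351231235959Z\t\t01\tunknown\t/CN=server\n"
    "R\t351231235959Z\t260115093000Z\t02\tunknown\t/CN=alice\n"
    "V\t351231235959Z\t\t03\tunknown\t/CN=bob\n"
    "V\t260201000000Z\t\t04\tunknown\t/CN=carol\n"
)
STATUS_LOG = """OpenVPN CLIENT LIST
Updated,Thu Jan 15 09:35:00 2026
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:51820,123456,654321,Thu Jan 15 08:02:11 2026
bob,198.51.100.7:40001,2048,4096,Thu Jan 15 09:30:00 2026
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:51820,Thu Jan 15 09:34:58 2026
10.8.0.10,bob,198.51.100.7:40001,Thu Jan 15 09:34:50 2026
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""
NOW = datetime(2026, 1, 15, 9, 35)  # constructed "current time" for the samples

if __name__ == "__main__":
    if len(sys.argv) == 3:
        idx, st, now = open(sys.argv[1]).read(), open(sys.argv[2]).read(), datetime.now()
    else:
        idx, st, now = INDEX_TXT, STATUS_LOG, NOW
    r = report(idx, st, now)
    for cn in r["revoked_connected"]:
        print(f"ALERT: revoked certificate '{cn}' still has a live session; "
              f"kill it (management interface: kill {cn}) or restart the server")
    for cn in r["expiring"]:
        print(f"NOTICE: certificate for '{cn}' expires within 30 days; reissue it")
```

Run it as `python3 check_revoked.py /etc/openvpn/easy-rsa/pki/index.txt /var/log/openvpn/openvpn-status.log` right after every revocation, or from cron. The status file is rewritten every 60 seconds by default, so a session that was just killed may still be listed for up to a minute.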
Conclusion
An OpenVPN server on a Hong Kong VPS provides enterprise-grade team VPN infrastructure with per-user certificate management, simple revocation, and reliable China connectivity via CN2 GIA routing. Remote team members in mainland China, Southeast Asia, and globally connect to internal resources securely through the Hong Kong relay.
Deploy your team VPN on Server.HK’s Hong Kong VPS plans — KVM virtualisation supports tun/tap devices required by OpenVPN without any additional configuration.
Frequently Asked Questions
Does OpenVPN on Hong Kong VPS work for team members in mainland China?
Yes, with an important caveat. OpenVPN's TLS handshake has a recognisable fingerprint, and in mainland China it is regularly detected by DPI (Deep Packet Inspection) and throttled or blocked, UDP in particular. Running the server with proto tcp on port 443 gets past simple port-based filtering and tolerates packet loss better than UDP, but it does not make the traffic look like HTTPS to DPI, so expect reduced reliability rather than a fix. For maximum reliability in China, consider WireGuard with obfuscation (AmneziaWG) as an alternative.
How many concurrent VPN users can a Hong Kong VPS support?
A 2 vCPU / 2 GB RAM VPS handles 20–30 concurrent OpenVPN clients comfortably for typical business traffic (SSH, HTTPS, light file transfer). Memory is rarely the limit: OpenVPN keeps at most a few MB of session state and buffers per connected client. CPU is, because one OpenVPN process encrypts every client's traffic on a single core, so aggregate throughput runs out before the client count does. For heavy VPN usage (large file transfers, video calls through the VPN), add CPU first, and if one core saturates, run a second server instance on another port and subnet so a second core is used.
Is there a simpler way to manage OpenVPN users on a Hong Kong VPS?
Yes — OpenVPN Access Server (commercial, but with a 2-connection free tier) provides a web interface for user management, certificate generation, and client configuration download. Alternatively, use Pritunl (open-source OpenVPN management layer) which provides a web UI for managing users, servers, and organisations without manual certificate management.