Building a VPN on Cloud Servers: Practical Configuration of Security Groups, Firewalls, and Key Management

5/30/2026 · 3 min

1. Security Group Configuration: The First Line of Defense

When building a VPN on a cloud server, security groups are the core of network access control. First, log in to your cloud provider's console and locate the security group associated with your instance. When adding inbound rules, only open necessary ports:

  • SSH port (22): Allow it only from the administrator's address (a /32), so the port is invisible to internet-wide brute-force scanners. This limits exposure; it does not replace key-only authentication on the SSH daemon itself.
  • VPN protocol ports:
    • OpenVPN: UDP 1194 (default)
    • WireGuard: UDP 51820 (default)
    • IPsec IKEv2: UDP 500 and 4500; peers that are not behind NAT also need ESP (IP protocol 50), because only NAT-T wraps ESP inside UDP 4500.
  • ICMP protocol: Optionally enable for network connectivity testing.

Outbound rules usually allow all traffic by default, and for a remote-access VPN that is normally what you want: the server forwards and NATs the clients' traffic, so an outbound rule set that permits only the tunnel port would cut every client off from the internet. What can sensibly be restricted is traffic the instance itself originates (package mirrors, DNS, NTP, log shipping), and that is easier to express on the OS firewall than in the security group.
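As an added example (not code from the original article or from any cloud provider), the shell check below reads a security-group export as CSV and flags the mistakes the rules above are meant to prevent: SSH open to the world, any world-reachable port that is not one of the VPN listeners, and port ranges. The CSV columns, the listener allow-list and the administrator address 203.0.113.10/32 are assumptions made for the example; the sample rows are constructed.

```shell
#!/usr/bin/env bash
# Audit an exported security-group rule set for a VPN host.
# Added example for this article, not a cloud provider's tool. Input is a CSV
# "direction,protocol,from_port,to_port,cidr", as you would assemble from the
# console or an API export; the sample rows at the bottom are constructed.

VPN_LISTENERS="${VPN_LISTENERS:-udp:51820 udp:1194 udp:500 udp:4500}"  # ports you actually run
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"     # assumed admin address (documentation range)

# Reads rules on stdin, prints one finding per line, returns the number of findings.
audit_sg_rules() {
  awk -F',' -v listeners="$VPN_LISTENERS" -v admin="$ADMIN_CIDR" '
    BEGIN { n = split(listeners, l, " "); for (i = 1; i <= n; i++) ok[l[i]] = 1 }
    NR == 1 && $1 == "direction" { next }          # header row
    NF < 5 || $1 != "ingress"    { next }          # egress is reviewed separately (see note)
    {
      proto = $2; from = $3; to = $4; cidr = $5
      world = (cidr == "0.0.0.0/0" || cidr == "::/0")
      if (from != to) {                            # a VPN host needs single ports, never ranges
        printf "%-8s %s %s-%s from %s\n", "RANGE", proto, from, to, cidr; bad++; next
      }
      key = proto ":" from
      if (proto == "tcp" && from == "22") {        # SSH must be pinned to the admin /32
        if (cidr != admin) { printf "%-8s open to %s, expected %s\n", "SSH", cidr, admin; bad++ }
        next
      }
      if (proto == "icmp") { printf "%-8s icmp from %s (optional)\n", "INFO", cidr; next }
      if (!(key in ok)) {                          # not one of the VPN listeners
        printf "%-8s %s from %s\n", (world ? "EXPOSED" : "UNKNOWN"), key, cidr; bad++
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed export: two correct rules, three mistakes, one informational row.
sample_rules() {
  cat <<'EOF'
direction,protocol,from_port,to_port,cidr
ingress,tcp,22,22,203.0.113.10/32
ingress,udp,51820,51820,0.0.0.0/0
ingress,tcp,22,22,0.0.0.0/0
ingress,tcp,8080,8080,0.0.0.0/0
ingress,icmp,-1,-1,0.0.0.0/0
ingress,tcp,1024,65535,10.0.0.0/8
egress,all,0,65535,0.0.0.0/0
EOF
}

sample_rules | audit_sg_rules || echo "findings: $?"
```

Egress rows are skipped on purpose: a NAT-ing VPN server legitimately needs broad outbound access, so those rules are judged by a different standard than the inbound ones.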

2. Firewall Rules: Fine-Grained Control at the OS Level

The internal firewall on the cloud server (e.g., iptables/nftables) provides a second layer of protection. Using Ubuntu 22.04 as an example:

  1. Set default policies: sudo ufw default deny incoming, sudo ufw default allow outgoing
  2. Allow SSH before anything else, and only from the admin address: sudo ufw allow from <admin IP> to any port 22 proto tcp
  3. Open the VPN port: sudo ufw allow 1194/udp for OpenVPN, or sudo ufw allow 51820/udp for WireGuard
  4. Only now enable UFW, so the SSH rule is already in place and you are not locked out: sudo ufw enable, then sudo ufw status verbose
  5. Enable IP forwarding: put net.ipv4.ip_forward=1 in /etc/sysctl.d/99-vpn.conf (or uncomment it in /etc/sysctl.conf) and run sudo sysctl --system; sysctl -p alone reads only /etc/sysctl.conf.

For WireGuard, add PostUp/PostDown lines to /etc/wireguard/wg0.conf so the forwarding and NAT rules exist only while the tunnel is up. Replace eth0 with the instance's real uplink (often ens5 or enp0s3 on cloud images; check ip route show default):

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

The second FORWARD rule lets replies reach the clients. UFW's default before.rules already accepts established forwarded traffic, so a one-directional "-i wg0 -j ACCEPT" happens to work there, but on a host without UFW it would pass the clients' outbound packets and drop every reply.
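The script below is an added example, not code from the article or from wireguard-tools. It renders a complete server-side wg0.conf with both forwarding directions and the NAT rule, detects the uplink from the default route instead of assuming eth0, and creates the config and the sysctl drop-in with mode 0600 from the moment they exist rather than chmod'ing them afterwards. The tunnel address 10.8.0.1/24, port 51820, the key-file argument and the output directory are assumptions for the example; the demo key is a placeholder string.

```shell
#!/usr/bin/env bash
# Write a WireGuard server config with the firewall rules the tunnel needs, plus
# the sysctl drop-in for forwarding. Added example for this article, not part of
# wireguard-tools. Assumptions: tunnel address 10.8.0.1/24, port 51820, a private
# key already generated into a file (umask 077; wg genkey > server.key), and an
# output directory chosen by the caller (use /etc/wireguard on the real host).

WG_ADDRESS="${WG_ADDRESS:-10.8.0.1/24}"
WG_PORT="${WG_PORT:-51820}"

# Cloud images name the uplink eth0, ens5, enp0s3, ...: read it from the default route.
detect_wan_if() {
  ip -o route show default 2>/dev/null |
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# $1 = private key file, $2 = uplink interface. %i is wg-quick's placeholder for
# the tunnel interface, so the rules follow the file name (wg0.conf -> wg0).
render_wg_conf() {
  local key_file="$1" wan="$2"
  cat <<EOF
[Interface]
Address = ${WG_ADDRESS}
ListenPort = ${WG_PORT}
PrivateKey = $(cat "$key_file")
# Client -> internet, replies back to clients (stateful), then NAT on the uplink.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o ${wan} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o ${wan} -j MASQUERADE
EOF
}

# $1 = output dir, $2 = private key file, [$3 = uplink; detected when omitted].
# Prints the path of the written config. Files are 0600 from creation (umask).
install_server_conf() {
  local outdir="$1" key_file="$2" wan="${3:-$(detect_wan_if)}"
  [ -r "$key_file" ] || { echo "private key file not readable: $key_file" >&2; return 1; }
  [ -n "$wan" ] || { echo "no default route found; pass the uplink name" >&2; return 1; }
  (
    umask 077
    mkdir -p "$outdir"
    render_wg_conf "$key_file" "$wan" > "$outdir/wg0.conf"
    printf 'net.ipv4.ip_forward = 1\n' > "$outdir/99-wireguard-forward.conf"
  ) || return 1
  echo "$outdir/wg0.conf"
}

# Demo with a constructed placeholder key. On a real host the next steps are:
#   sudo install -m 600 wg0.conf /etc/wireguard/
#   sudo install -m 644 99-wireguard-forward.conf /etc/sysctl.d/ && sudo sysctl --system
#   sudo systemctl enable --now wg-quick@wg0
demo_dir=$(mktemp -d)
printf 'SERVER-PRIVATE-KEY-PLACEHOLDER\n' > "$demo_dir/server.key"
install_server_conf "$demo_dir" "$demo_dir/server.key" eth0 >/dev/null && cat "$demo_dir/wg0.conf" || echo "demo failed" >&2
```

The uplink is passed explicitly in the demo because the machine running it may have no default route; omit the third argument on the server and detect_wan_if fills it in.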

3. Key Management: Ensuring Communication Security

VPNs rely on encryption keys to secure data transmission.

3.1 Generating Strong Keys

  • OpenVPN: Use easy-rsa to build the CA, server, and client certificates, and keep the CA's private key off the VPN server (sign on a separate machine and copy over only certificates and the CRL). The easy-rsa default of RSA 2048 is the minimum; for new deployments set set_var EASYRSA_ALGO ec in vars for an EC key, or EASYRSA_KEY_SIZE 3072 if you stay with RSA.
  • WireGuard: umask 077; wg genkey | tee privatekey | wg pubkey > publickey, so the private key file is created with mode 600 instead of being chmod'ed after it already exists. wg genpsk produces an optional per-peer pre-shared key.

3.2 Key Storage and Rotation

  • Store private keys in /etc/wireguard/ or /etc/openvpn/ with permissions 600 (the directories themselves 700), and keep the OpenVPN CA key off the server entirely.
  • Rotate keys periodically. WireGuard re-keys every session on its own every few minutes; the static interface key can be replaced live with wg set wg0 private-key <file> (peers then need the new public key), without restarting the service.
  • Use a Hardware Security Module (HSM) or Key Management Service (KMS) for the keys that matter most: the OpenVPN CA key and other long-lived secrets. WireGuard's interface key must be present in the kernel, so for it the protection is file permissions and host hardening rather than hardware.

3.3 Client Certificate Revocation

  • OpenVPN: ./easyrsa revoke <client-name>, then ./easyrsa gen-crl and copy the new crl.pem to the server. The server config must contain crl-verify crl.pem, otherwise the CRL is never consulted and the revoked certificate keeps working.
  • WireGuard: there is no certificate to revoke. Remove the peer's [Peer] block from the server's wg0.conf and remove it from the running interface with wg set wg0 peer <public key> remove. Restarting the service on its own is not revocation: it simply reloads the same configuration.
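Sections 3.1 to 3.3 together describe one lifecycle: generate keys under umask 077, store them with tight permissions, and revoke by editing the server's peer list and the live interface. The following script is an added example that implements that lifecycle; it is not code from the article or from wireguard-tools. Assumptions made here: the server config lives at $WG_CONF (default /etc/wireguard/wg0.conf), the tunnel is 10.8.0.0/24 with the server at .1, the endpoint and server public key are supplied by the caller, and when wg(8) is not installed the placeholder keys WG_PEER_KEY/WG_PEER_PUB/WG_PEER_PSK are used so the config handling can be exercised anywhere (the demo values are constructed, not real keys).

```shell
#!/usr/bin/env bash
# Enrol and revoke WireGuard peers: keys generated under umask 077, the server
# config edited atomically, and the running interface updated with wg set so no
# restart is needed. Added example for this article, not part of wireguard-tools.
# Assumptions: server config $WG_CONF (default /etc/wireguard/wg0.conf), tunnel
# 10.8.0.0/24 with the server at .1, endpoint and server public key supplied by
# the caller. Without wg(8), placeholder keys come from WG_PEER_KEY/PUB/PSK
# (constructed values, used by the demo at the bottom).

WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
WG_IF="${WG_IF:-wg0}"

# Next free client address: highest AllowedIPs host octet in the config, plus one.
next_peer_ip() {
  local last
  last=$(awk -F'[ =/.]+' '/^AllowedIPs/ && $5 + 0 > m { m = $5 + 0 } END { print m + 0 }' "$WG_CONF")
  [ "$last" -lt 254 ] || { echo "tunnel subnet exhausted" >&2; return 1; }
  [ "$last" -ge 2 ] || last=1
  echo "10.8.0.$((last + 1))"
}

peer_keys() {   # sets priv, pub, psk in the caller (placeholders win, for testing)
  if [ -n "${WG_PEER_KEY:-}" ]; then
    priv=$WG_PEER_KEY; pub=${WG_PEER_PUB:?}; psk=${WG_PEER_PSK:?}
  elif command -v wg >/dev/null 2>&1; then
    priv=$(wg genkey); pub=$(printf '%s\n' "$priv" | wg pubkey); psk=$(wg genpsk)
  else
    echo "wg(8) not installed and no placeholder keys set" >&2; return 1
  fi
}

# $1 = peer name, $2 = server endpoint host:port, $3 = server public key.
# Prints the new peer's public key, the handle used to revoke it later.
wg_add_peer() {
  local name="$1" endpoint="$2" server_pub="$3" priv pub psk ip client
  peer_keys || return 1
  ip=$(next_peer_ip) || return 1
  umask 077                                       # every file below is born 0600
  printf '\n[Peer]\n# %s\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' \
    "$name" "$pub" "$psk" "$ip" >> "$WG_CONF"
  client="${WG_CONF%/*}/client-${name}.conf"      # hand over securely, then delete it
  cat > "$client" <<EOF
[Interface]
PrivateKey = ${priv}
Address = ${ip}/32
# add DNS = 10.8.0.1 here if the server runs a resolver

[Peer]
PublicKey = ${server_pub}
PresharedKey = ${psk}
Endpoint = ${endpoint}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
  if [ -e "/sys/class/net/${WG_IF}" ]; then       # interface is live: apply without restart
    printf '%s\n' "$psk" | wg set "$WG_IF" peer "$pub" preshared-key /dev/stdin allowed-ips "${ip}/32"
  fi
  echo "$pub"
}

# $1 = peer public key. Drops the [Peer] block from the config (atomic replace)
# and removes the peer from the running interface; a restart alone would reload
# the old file and change nothing.
wg_revoke_peer() {
  local pub="$1" tmp
  grep -Fqx "PublicKey = ${pub}" "$WG_CONF" || { echo "peer not in config" >&2; return 1; }
  tmp=$(mktemp "${WG_CONF}.XXXXXX") || return 1
  awk -v pub="$pub" '
    function flush() { if (!drop) printf "%s", block; block = ""; drop = 0 }
    /^\[/ { flush(); inpeer = ($0 == "[Peer]") }
    { block = block $0 "\n"; if (inpeer && $0 == "PublicKey = " pub) drop = 1 }
    END { flush() }
  ' "$WG_CONF" > "$tmp" && mv "$tmp" "$WG_CONF" || { rm -f "$tmp"; return 1; }
  [ -e "/sys/class/net/${WG_IF}" ] && wg set "$WG_IF" peer "$pub" remove
  return 0
}

# Demo on a constructed config in a temp dir with placeholder keys (no wg(8) needed).
demo=$(mktemp -d); WG_CONF="$demo/wg0.conf"
printf '[Interface]\nAddress = 10.8.0.1/24\nListenPort = 51820\nPrivateKey = SERVER-PRIVATE-KEY-PLACEHOLDER\n' > "$WG_CONF"
export WG_PEER_KEY=LAPTOP-PRIVATE-PLACEHOLDER WG_PEER_PUB=LAPTOP-PUBLIC-PLACEHOLDER WG_PEER_PSK=LAPTOP-PSK-PLACEHOLDER
laptop=$(wg_add_peer laptop vpn.example.com:51820 SERVER-PUBLIC-KEY-PLACEHOLDER)
wg_revoke_peer "$laptop" && echo "revoked $laptop"
```

On a real server, run it with WG_CONF unset and the placeholder variables unset, so keys come from wg genkey; the client file ends up next to wg0.conf only for simplicity and should be delivered to the user and removed.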

4. Practical Verification and Monitoring

After configuration, perform the following verifications:

  1. Connect from a client and check that a what-is-my-IP service now returns the VPN server's public address (for example curl ifconfig.me) and that the first hop in traceroute is the tunnel address.
  2. On the server, run tcpdump -ni <uplink> 'not udp port 51820' (or 1194 for OpenVPN) while the client browses: nothing from the client's session should appear outside the tunnel, and the tunnel packets themselves carry no readable payload.
  3. Configure monitoring: journalctl -u wg-quick@wg0 shows only setup errors, because the WireGuard kernel module logs almost nothing; wg show wg0 reports each peer's latest handshake and byte counters, which is the real health signal.

Regularly review security group and firewall rules, removing unused ports.
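As an added example (not from the original article or from wireguard-tools), the check below turns the wg show output mentioned above into a monitoring signal: it parses wg show wg0 dump and flags peers that never completed a handshake or whose last handshake is older than a threshold. The tab-separated dump layout described in the comments and the 180-second threshold are assumptions for the example; the sample dump is constructed.

```shell
#!/usr/bin/env bash
# Peer health from `wg show <iface> dump`: flag peers with no completed handshake
# or a handshake older than STALE_AFTER seconds. Added example for this article,
# not part of wireguard-tools. Assumed dump layout (tab-separated): line 1 is the
# interface (private-key, public-key, listen-port, fwmark); each further line is a
# peer (public-key, preshared-key, endpoint, allowed-ips, latest-handshake as unix
# seconds or 0, rx-bytes, tx-bytes, persistent-keepalive).

STALE_AFTER="${STALE_AFTER:-180}"   # an active peer re-handshakes within roughly 2-3 minutes

# $1 = current unix time; dump on stdin. One line per peer on stdout;
# return value = number of peers that never handshaked or are stale.
check_peer_handshakes() {
  awk -F'\t' -v now="$1" -v limit="$STALE_AFTER" '
    NR == 1 || NF < 8 { next }                     # skip the interface line and junk
    {
      key = substr($1, 1, 8) "..."; hs = $5 + 0; age = now - hs
      if (hs == 0)     { printf "NEVER  %s allowed=%s\n", key, $4; bad++; next }
      if (age > limit) { printf "STALE  %s %ds ago endpoint=%s\n", key, age, $3; bad++; next }
      printf "OK     %s %ds ago rx=%s tx=%s\n", key, age, $6, $7
    }
    END { exit bad + 0 }
  '
}

# Constructed dump: one healthy peer, one that never connected (a config that was
# handed out but never used, or a revoked client still listed), one idle for hours.
sample_dump() {
  printf '%s\t%s\t%s\t%s\n' SERVER-PRIVATE-KEY SERVER-PUBLIC-KEY 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' PEER-A-PUBLIC-KEY '(none)' 198.51.100.7:40123 10.8.0.2/32 1717000000 4194304 524288 25
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' PEER-B-PUBLIC-KEY PSK-B '(none)' 10.8.0.3/32 0 0 0 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' PEER-C-PUBLIC-KEY '(none)' 203.0.113.45:51820 10.8.0.4/32 1716990000 1024 2048 off
}

# Live use: wg show wg0 dump | check_peer_handshakes "$(date +%s)"
sample_dump | check_peer_handshakes 1717000100 || echo "peers needing attention: $?"
```

A peer that shows NEVER for weeks is a candidate for revocation rather than a fault; one that is STALE while the user reports being connected usually means the security group or UFW is no longer passing the UDP port.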

FAQ

What is the difference between a security group and a firewall?
A security group is a virtual firewall provided by the cloud provider, controlling network access outside the VM. A firewall (e.g., iptables) runs inside the OS, offering more granular rule control. Combining both provides defense in depth.
How to securely store VPN private keys?
Store private keys in a secure directory (e.g., /etc/wireguard/) with permissions set to 600 (read/write only by owner). Rotate keys periodically and consider using a Hardware Security Module (HSM) or Key Management Service (KMS) for protection.
How to verify the VPN configuration after setup?
Connect from a client and check that the public IP changes to the server's IP. Use tcpdump on the uplink to confirm that only the encrypted tunnel packets (and your own SSH session) leave the host. Check wg show wg0 for peer handshakes and byte counters, and journalctl -u wg-quick@wg0 for setup errors.