Building a VPN on Cloud Servers: Practical Configuration of Security Groups, Firewalls, and Key Management

5/30/2026 · 3 min

1. Security Group Configuration: The First Line of Defense

When building a VPN on a cloud server, the security group is the first access-control layer: the provider enforces it outside the instance, so a packet it drops never reaches the VM and no misconfiguration inside the guest can undo that. Log in to your cloud provider's console, locate the security group attached to the instance, and add inbound rules only for the ports the VPN actually needs:

  • SSH port (TCP 22): restrict the source to the administrator's address (a /32 where possible). This keeps the port out of Internet-wide scans and brute-force attempts; key-only authentication in sshd_config is still required on top of it.
  • VPN protocol ports:
    • OpenVPN: UDP 1194 (default)
    • WireGuard: UDP 51820 (default)
    • IPsec IKEv2: UDP 500, 4500
  • ICMP: optionally allow echo request so the server answers ping during connectivity testing; the tunnel itself does not need it.

Outbound rules typically allow all traffic by default. Security groups are stateful, so replies to permitted inbound connections need no outbound rule. Because a VPN gateway forwards its clients' traffic to arbitrary destinations, its outbound rule set normally has to stay open; tightening it means denying what the server and its clients never legitimately need (for example TCP 25, so a compromised client cannot relay spam through the gateway), not restricting outbound traffic to the tunnel port alone.
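The check a practitioner wants after editing those rules is an audit of what is actually open. The following is an added example written for this page, not code from the article or from any cloud provider's SDK. It assumes the rule JSON has the shape returned by aws ec2 describe-security-groups (IpPermissions with IpProtocol, FromPort, ToPort, IpRanges[].CidrIp and Ipv6Ranges[].CidrIpv6); other providers need a different loader. The sample group below is constructed, and the admin address 203.0.113.10/32 is a documentation-range placeholder.

```python
"""Audit a security group's inbound rules against the minimal VPN allow-list.

Added example (not from the original article). Assumes the JSON layout of
`aws ec2 describe-security-groups`; the sample group is constructed.
"""
import ipaddress
import json

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# (protocol, port) pairs a VPN gateway may legitimately expose to the Internet.
VPN_PORTS = {
    ("udp", 1194),   # OpenVPN default
    ("udp", 51820),  # WireGuard default
    ("udp", 500),    # IPsec IKE
    ("udp", 4500),   # IPsec NAT-T
}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _ports(perm):
    """(proto, port) pairs one permission covers; None means every protocol."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if proto == "icmp" or lo is None or hi is None:
        return set()          # ICMP "ports" are message types; nothing to flag
    return {(proto, p) for p in range(lo, hi + 1)}


def audit_inbound(group, admin_cidrs):
    """Return (severity, message) findings for one security-group dict."""
    admin = {_net(c) for c in admin_cidrs}
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        ports = _ports(perm)
        for src in sources:
            net = _net(src)
            if ports is None:
                findings.append(("CRITICAL", f"all protocols and ports allowed from {src}"))
                continue
            if ("tcp", 22) in ports and net not in admin:
                findings.append(("HIGH", f"SSH (tcp/22) reachable from {src}; restrict to the admin address"))
            if net in (ANY_V4, ANY_V6):
                extra = sorted(p for p in ports if p not in VPN_PORTS and p != ("tcp", 22))
                if extra:
                    findings.append(("MEDIUM", f"non-VPN ports {extra[:5]} open to {src}"))
    return findings


def audit_file(path, admin_cidrs):
    """Audit every group in a saved `aws ec2 describe-security-groups` JSON file."""
    with open(path) as f:
        doc = json.load(f)
    return {g["GroupId"]: audit_inbound(g, admin_cidrs) for g in doc["SecurityGroups"]}


# Constructed sample: a WireGuard gateway whose SSH rule was left world-open
# and which carries a stale web rule. The group id is a placeholder.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 51820, "ToPort": 51820,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8081,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for severity, msg in audit_inbound(SAMPLE_GROUP, ["203.0.113.10/32"]):
        print(f"{severity:8} {msg}")
```

Run it against the saved output of aws ec2 describe-security-groups --group-ids <id> via audit_file; an empty list is the target state. The world-open SSH rule is reported even though a correct /32 rule coexists with it, because the broader rule wins in a permissive model.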

2. Firewall Rules: Fine-Grained Control at the OS Level

The host firewall inside the instance (iptables/nftables, here driven by UFW) is the second layer. Using Ubuntu 22.04 as an example, add the rules first and enable UFW last, so an active SSH session is never cut off:

  1. Set default policies: sudo ufw default deny incoming; sudo ufw default allow outgoing
  2. Allow SSH from the admin address: sudo ufw allow from <admin IP> to any port 22 proto tcp
  3. Open the VPN port: sudo ufw allow 1194/udp (OpenVPN) or sudo ufw allow 51820/udp (WireGuard)
  4. Enable UFW and confirm the rule set: sudo ufw enable, then sudo ufw status verbose
  5. Enable IP forwarding, without which the server cannot route client traffic: edit /etc/sysctl.conf (or add a file under /etc/sysctl.d/), uncomment net.ipv4.ip_forward=1, run sudo sysctl -p.

For WireGuard, the [Interface] section of /etc/wireguard/wg0.conf also needs PostUp/PostDown lines that accept forwarded traffic from the tunnel and NAT it out of the uplink. UFW sets the kernel FORWARD chain's default policy to drop, so without the first rule client traffic is silently discarded; return packets are accepted by UFW's established-connection rule. Replace eth0 with the instance's real uplink interface (ip route show default prints it; on many cloud images it is a name like ens5 rather than eth0), and remember that the same traffic must also be allowed by the security group:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

3. Key Management: Ensuring Communication Security

VPNs rely on encryption keys to secure data transmission. The tunnel is only as strong as the handling of those keys, above all the server's private key and, for OpenVPN, the CA key that signs every client certificate.

3.1 Generating Strong Keys

  • OpenVPN: use easy-rsa to build the PKI (./easyrsa init-pki, ./easyrsa build-ca, then ./easyrsa build-server-full server nopass and ./easyrsa build-client-full <client name> nopass for each client). RSA keys of at least 2048 bits, the easy-rsa default, are recommended; set_var EASYRSA_ALGO ec in the vars file switches to EC keys. The CA private key is needed only to sign and revoke, so keep it off the VPN server.
  • WireGuard: umask 077; wg genkey | tee privatekey | wg pubkey > publickey. The umask creates the file with permissions 600 instead of tightening them afterwards. wg genpsk produces an optional per-peer PresharedKey, an additional symmetric secret mixed into the handshake.

3.2 Key Storage and Rotation

  • Store private keys in /etc/wireguard/ or /etc/openvpn/ with permissions 600, owned by root. wg-quick prints a warning when a configuration file is world-accessible; treat it as an error.
  • Rotate keys periodically. WireGuard applies changes live: wg set wg0 private-key <file> swaps the interface key, and wg syncconf wg0 <(wg-quick strip wg0) applies an edited wg0.conf without taking the interface down. An interface has exactly one key pair, so every client must learn the new server public key; for a rotation without an outage bring the new key up on a second interface and port and move clients over before retiring the old one.
  • Use a Hardware Security Module (HSM) or Key Management Service (KMS) to protect critical keys. For OpenVPN the natural candidate is the CA key. A WireGuard interface key has to be handed to the kernel in plaintext, so a KMS protects it at rest and in backups rather than in use.

3.3 Client Certificate Revocation

  • OpenVPN: ./easyrsa revoke <client name>, then ./easyrsa gen-crl; copy pki/crl.pem to the server and reference it with crl-verify crl.pem in the server configuration. The CRL is consulted on each new connection, so no restart is needed, but a session already established with the revoked certificate stays up until it renegotiates; terminate it explicitly.
  • WireGuard: there is no CRL; access is exactly the set of [Peer] entries on the server. Remove the client's [Peer] block from the server's wg0.conf and drop it from the running interface with wg set wg0 peer <client public key> remove, since editing the file alone changes nothing until the next restart. Deleting the key from the client's own configuration is not revocation: the client controls that file.
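
The server-side bookkeeping behind the WireGuard PostUp/PostDown configuration, the permission-600 rule and the peer revocation step above, as an added example written for this page (not code from the article or from the WireGuard project): it parses a wg-quick style wg0.conf, adds and revokes [Peer] entries, returns the wg set command that removes a peer from the running interface, and writes the file back atomically with mode 0600. The sample configuration and every key string are constructed placeholders (base64 of a repeated byte), not real keys; the interface name and paths are assumptions, and nothing here touches the kernel.

```python
"""Parse, edit and safely rewrite a wg-quick server configuration.

Added example (not from the original article or the WireGuard project).
Key strings are constructed placeholders: generate real ones with `wg genkey`.
"""
import os
import re
import stat
import tempfile

# A WireGuard key is 32 raw bytes, i.e. 44 base64 characters ending in "=".
_B64KEY = re.compile(r"^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$")


def parse_conf(text):
    """Return ([Interface] pairs, [list of [Peer] pairs]); order and duplicates kept."""
    interface, peers, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (keys never contain '#')
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = []
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def render_conf(interface, peers):
    out = ["[Interface]"] + [f"{k} = {v}" for k, v in interface]
    for peer in peers:
        out += ["", "[Peer]"] + [f"{k} = {v}" for k, v in peer]
    return "\n".join(out) + "\n"


def _pubkey(peer):
    return dict(peer).get("PublicKey")


def add_peer(peers, public_key, allowed_ip, preshared_key=None):
    if not _B64KEY.match(public_key):
        raise ValueError("PublicKey is not a base64-encoded 32-byte key")
    if any(_pubkey(p) == public_key for p in peers):
        raise ValueError("peer already present")
    entry = [("PublicKey", public_key)]
    if preshared_key:
        entry.append(("PresharedKey", preshared_key))
    entry.append(("AllowedIPs", allowed_ip))       # one /32 per client: no overlap
    peers.append(entry)


def revoke_peer(peers, public_key, iface="wg0"):
    """Remove the peer from the config and return the live-removal command.

    The file edit alone is not a revocation: the running interface keeps the
    peer until `wg set ... remove` (or a restart) drops it.
    """
    remaining = [p for p in peers if _pubkey(p) != public_key]
    if len(remaining) == len(peers):
        raise KeyError(f"no peer with PublicKey {public_key}")
    peers[:] = remaining
    return ["wg", "set", iface, "peer", public_key, "remove"]


def write_conf_0600(path, text):
    """Atomic replace with mode 0600; returns the resulting permission bits."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".wg-")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IWUSR)   # 0600 before any content
            f.write(text)
        os.replace(tmp, path)                      # readers never see a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed sample; the keys are base64 of repeated 0x01 / 0x02 / 0x03 bytes.
OLD_PEER_KEY = "AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI="
NEW_PEER_KEY = "AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM="
SAMPLE_SERVER_CONF = f"""\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=   # placeholder, not a real key
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = {OLD_PEER_KEY}
AllowedIPs = 10.8.0.2/32
"""


def demo():
    """Add a client, revoke the old one, rewrite the file, and re-read it."""
    interface, peers = parse_conf(SAMPLE_SERVER_CONF)
    add_peer(peers, NEW_PEER_KEY, "10.8.0.3/32")
    cmd = revoke_peer(peers, OLD_PEER_KEY)
    with tempfile.TemporaryDirectory() as d:       # stand-in for /etc/wireguard
        path = os.path.join(d, "wg0.conf")
        mode = write_conf_0600(path, render_conf(interface, peers))
        with open(path) as f:
            reread = parse_conf(f.read())
    return {"remove_cmd": " ".join(cmd), "mode": mode,
            "peers": [dict(p)["AllowedIPs"] for p in reread[1]]}


if __name__ == "__main__":
    print(demo())
```

After rewriting the real file, run the returned wg set command (as root) and then wg syncconf wg0 <(wg-quick strip wg0) so the file and the kernel state agree; the order does not matter for correctness, but the wg set is the step that actually cuts the client off.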

4. Practical Verification and Monitoring

After configuration, perform the following verifications:

  1. Connect from a client and check that the public address seen from outside (for example curl -4 https://ifconfig.me) is now the server's IP. On the server, wg show wg0 lists each peer's latest handshake and transfer counters; a peer with no handshake has never completed the key exchange.
  2. Use tcpdump to confirm that only the tunnel leaves the uplink: sudo tcpdump -ni eth0 udp port 51820 should show opaque UDP to and from the listen port, while sudo tcpdump -ni wg0 shows the decrypted inner traffic. A capture cannot prove encryption by itself; what it proves is that none of the client's plaintext (DNS names, HTTP requests) appears on the uplink interface.
  3. Configure log monitoring: journalctl -u wg-quick@wg0 for WireGuard (which logs only at interface up/down; the kernel module is otherwise silent) and journalctl -u openvpn-server@<name> for OpenVPN, where failed certificate checks and CRL rejections appear.
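
Because WireGuard logs almost nothing, the practical monitoring hook is the machine-readable wg show wg0 dump output. The following is an added example written for this page, not code from the article or from the WireGuard project. It assumes the tab-separated dump format documented in wg(8) (one interface line, then one line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake, rx, tx, keepalive) and uses a constructed sample whose keys and endpoints are placeholders. The 180 s threshold is WireGuard's REJECT_AFTER_TIME: a session older than that is no longer usable, so a peer whose last handshake is older is not connected.

```python
"""Peer health from `wg show wg0 dump`.

Added example (not from the original article). The sample dump is constructed;
key strings are placeholders. Format per wg(8): tab-separated fields.
"""
from dataclasses import dataclass
import subprocess
import time

# REKEY_AFTER_TIME is 120 s and REJECT_AFTER_TIME 180 s in the protocol:
# a peer passing traffic re-handshakes within 120 s, and a session older than
# 180 s is rejected, so no handshake within 180 s means "not connected".
STALE_AFTER = 180


@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int   # unix seconds; 0 means never
    rx: int
    tx: int


def parse_dump(text):
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty dump")
    # The first line carries the interface PRIVATE key; discard it and never
    # forward raw dump output to a log collector.
    _private, public, port, _fwmark = lines[0].split("\t")
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(Peer(f[0], f[2], f[3], int(f[4]), int(f[5]), int(f[6])))
    return {"public_key": public, "listen_port": int(port), "peers": peers}


def health(report, now=None):
    """Return (public_key, state) per peer: active, stale or never-connected."""
    now = int(time.time()) if now is None else now
    states = []
    for p in report["peers"]:
        if p.latest_handshake == 0:
            state = "never-connected"
        elif now - p.latest_handshake > STALE_AFTER:
            state = "stale"
        else:
            state = "active"
        states.append((p.public_key, state))
    return states


def live_report(iface="wg0"):
    """Run the real command (needs root); not exercised by the sample below."""
    out = subprocess.run(["wg", "show", iface, "dump"],
                         check=True, capture_output=True, text=True).stdout
    return health(parse_dump(out))


# Constructed sample: three peers, taken at unix time 1_700_000_000.
SAMPLE_NOW = 1_700_000_000
SAMPLE_DUMP = (
    "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=\t"
    "AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI=\t51820\toff\n"
    "AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM=\t(none)\t198.51.100.7:41234\t"
    "10.8.0.2/32\t1699999950\t1048576\t2097152\toff\n"
    "BAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ=\t(none)\t(none)\t"
    "10.8.0.3/32\t0\t0\t0\t25\n"
    "BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU=\t(none)\t198.51.100.9:51111\t"
    "10.8.0.4/32\t1699990000\t4096\t8192\toff\n"
)

if __name__ == "__main__":
    for key, state in health(parse_dump(SAMPLE_DUMP), now=SAMPLE_NOW):
        print(f"{state:16} {key}")
```

A cron job or exporter can call live_report() and alert on peers that flip to stale during working hours, or on any peer that stays never-connected long after it was provisioned, which usually points at a security-group or UFW rule blocking the listen port.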

Regularly review security group and firewall rules, removing unused ports.


FAQ

What is the difference between a security group and a firewall?
A security group is a virtual firewall provided by the cloud platform and enforced outside the VM; it is stateful and applies before a packet reaches the instance. A host firewall (e.g., iptables/nftables via UFW) runs inside the OS and offers more granular control, including forwarding and NAT rules the VPN needs. Combining both provides defense in depth: a mistake in one layer is still caught by the other.
How to securely store VPN private keys?
Store private keys in a secure directory (e.g., /etc/wireguard/) with permissions set to 600 (read/write only by owner). Rotate keys periodically and consider using a Hardware Security Module (HSM) or Key Management Service (KMS) for protection.
How to verify the VPN configuration after setup?
Connect from a client and check that the public IP seen from outside changes to the server's IP. Capture on the uplink with tcpdump and confirm that only UDP to the VPN port appears there, with none of the client's plaintext. Review server logs (e.g., journalctl -u wg-quick@wg0) for errors, and use wg show wg0 to confirm each peer has a recent handshake.