Building a VPN on Cloud Servers: Practical Configuration of Security Groups, Firewalls, and Key Management

5/30/2026 · 3 min

1. Security Group Configuration: The First Line of Defense

When building a VPN on a cloud server, security groups are the core of network access control. First, log in to your cloud provider's console and locate the security group associated with your instance. When adding inbound rules, only open necessary ports:

  • SSH port (22): Restrict source IP to the administrator's IP to prevent brute force attacks.
  • VPN protocol ports:
    • OpenVPN: UDP 1194 (default)
    • WireGuard: UDP 51820 (default)
    • IPsec IKEv2: UDP 500, 4500
  • ICMP protocol: Optionally enable for network connectivity testing.

Outbound rules typically allow all traffic by default, but you can further restrict to only allow VPN tunnel traffic.

2. Firewall Rules: Fine-Grained Control at the OS Level

The internal firewall on the cloud server (e.g., iptables/nftables) provides a second layer of protection. Using Ubuntu 22.04 as an example:

  1. Enable UFW: sudo ufw enable
  2. Set default policies: sudo ufw default deny incoming, sudo ufw default allow outgoing
  3. Open VPN ports: sudo ufw allow 1194/udp
  4. Allow SSH: sudo ufw allow from <admin IP> to any port 22
  5. Enable IP forwarding: Edit /etc/sysctl.conf, uncomment net.ipv4.ip_forward=1, run sysctl -p.

For WireGuard, you also need to configure PostUp/PostDown scripts to add NAT rules:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

3. Key Management: Ensuring Communication Security

VPNs rely on encryption keys to secure data transmission.

3.1 Generating Strong Keys

  • OpenVPN: Use easy-rsa to generate CA certificates, server certificates, and client certificates. A key length of at least 2048 bits is recommended.
  • WireGuard: wg genkey | tee privatekey | wg pubkey > publickey, set private key permissions to 600.

3.2 Key Storage and Rotation

  • Store private keys in /etc/wireguard/ or /etc/openvpn/ with permissions 600.
  • Rotate keys periodically: WireGuard supports dynamic updates via wg set without restarting the service.
  • Use Hardware Security Modules (HSM) or Key Management Services (KMS) to protect critical keys.

3.3 Client Certificate Revocation

  • OpenVPN: Use easy-revoke to revoke certificates and update the CRL.
  • WireGuard: Delete the public key from the client configuration or restart the server.

4. Practical Verification and Monitoring

After configuration, perform the following verifications:

  1. Connect to the VPN from a client and check if the IP address changes to the server's IP.
  2. Use tcpdump to capture packets and confirm traffic encryption.
  3. Configure log monitoring: journalctl -u wg-quick@wg0 to view WireGuard logs.

Regularly review security group and firewall rules, removing unused ports.

Related reading

Related articles

Building a Personal VPN from Scratch: A Secure, Stable, and Low-Cost Practical Solution
This article provides a complete guide for beginners to build a personal VPN, covering protocol selection, server deployment, client configuration, and security optimization, enabling secure and stable network connectivity at low cost.
Read more
Cross-Border Network Acceleration: Building Stable VPN Tunnels with IPsec and IKEv2
This article provides a detailed guide on building high-performance, stable VPN tunnels using IPsec and IKEv2 protocols for cross-border network acceleration. It covers protocol principles, server configuration, client connection, and performance optimization tips.
Read more
Self-Hosted VPN Security Hardening: From VPS Selection to WireGuard Tunnel Optimization
This article provides a comprehensive guide to hardening a self-hosted VPN, covering VPS selection, OS security configuration, WireGuard deployment and tunnel optimization, firewall rules, DDoS protection, and log auditing to build a highly secure private VPN service.
Read more
Building Your Own VPN Node: From VPS Selection to WireGuard Deployment
This article provides a comprehensive guide to building your own VPN node, covering VPS selection, OS choice, WireGuard deployment, and configuration optimization for a secure and high-performance private VPN service.
Read more
Enterprise VPN Compliance Audit: A Checklist from Log Retention to Encryption Strength
This article provides a comprehensive enterprise VPN compliance audit checklist covering log retention, encryption strength, access control, key management, and other critical areas to help organizations meet GDPR, SOX, HIPAA, and other regulatory requirements.
Read more
Complete Guide to Self-Hosted VPN: From Server Configuration to Client Connection
This article provides a comprehensive guide to setting up your own VPN, covering server selection, OS configuration, protocol choices (WireGuard, OpenVPN), server installation and configuration, firewall rules, client connection methods, and security hardening tips. Ideal for tech users seeking full control over network privacy and access.
Read more

FAQ

What is the difference between a security group and a firewall?
A security group is a virtual firewall provided by the cloud provider, controlling network access outside the VM. A firewall (e.g., iptables) runs inside the OS, offering more granular rule control. Combining both provides defense in depth.
How to securely store VPN private keys?
Store private keys in a secure directory (e.g., /etc/wireguard/) with permissions set to 600 (read/write only by owner). Rotate keys periodically and consider using a Hardware Security Module (HSM) or Key Management Service (KMS) for protection.
How to verify the VPN configuration after setup?
Connect from a client and check if the public IP changes to the server's IP. Use tcpdump to capture packets and confirm encryption. Review server logs (e.g., journalctl -u wg-quick@wg0) for errors.
Read more