This tutorial will explain how to setup and configure a DDoS protected OpenVPN server. This guide assumes you know how to setup an OpenVPN server or already have a server running (and you have access to it).

This guide does not cover providing DDoS protection via OpenVPN. We provide DDoS Protection via GRE and IP-ip-IP on Linux and Windows. As we feek this a superior and more reliable solution at this time we do not offer OpenVPN as a backend connection option.

Step 1: Backend Setup

Setup your OpenVPN on your server, this server will be from here on referred to as the "backend server". On the backend server you may use whichever Operating System you are most familiar with, however if unsure we recommend Debian Linux.

Please ensure that the service is running and connectable on the backend server.

Step 2: Purchase DDoS Protection Service

Pick a suitable package from the DDoS protection page. We suggest choosing a product with a point of presence (PoP) closest to your backend server and it's users.

During the purchase process you will be asked to:

  1. Name your service (important if you plan to have many services)
  2. Select the filtering location & tier (choose a location close to your backend server). If in doubt we recommend the Standard Anycast product tier.
  3. Select the amount of Clean Bandwidth required to run your service (not attack traffic)

Step 3: Encapsulation Setup (Required if listing server)

This step is only required if you are intending to use a GRE or IP-in-IP Tunnel. If you are intending to use a Reverse Proxy (RP) style connection (the easiest) then you can skip this step.

OpenVPN usually works best over a tunnel. If you choose to run your server behind a Reverse Proxy setup you will be unable to route outgoing traffic over the tunnel (if desired / wanted).

An encapsulated backend requires support on the Backend Server, currently Windows and Linux Operating Systems are fully supported, with partial support for FreeBSD. Most Enterprise or even SOHO Routers also support GRE or IP-in-IP tunneling, if supported you may be able to configure the router to terminate the encapsulated network.

Encapsulated networks can be created from your services "Tunnels" page, the link for which can be found in its Action menu. To create a Tunnel you need to specify the backend servers IP address, as well as depending on the encapsulation type chosen security keys (GRE) or passphrases (IPSec PSK). If unsure as to the appropriate encapsulation type we recommend using GRE. Alternatively to the form in your dashboard you may also use the form below to create a tunnel, just input details for your backend server and select your service.

Internal AddressTypeSecurity Key [?] MTUAction
New Tunnel
Backend AddressFiltering Endpoint
Please log in first

We provide scripts / software to install the encapsulated tunnel onto your backend server in the Dashboard. On your services Tunnels page you should see the list of tunnels which have been created. In the action menu for the tunnel there is a page titled "Setup Tunnel", here you can download the provided Linux setup script, or the Windows tunneling software with your configuration built-in.

For more information on GRE/IP-in-IP Tunnels including installation instructions click here.

Step 4: Add Ports

Add the ports required to run your service. OpenVPN by default uses port 1194 (TCP or UDP) as the main server port. The exact port you use and the most ideal depends on your desired setup. From us you may use any reasonable port. We do however advise against using ports that may have mitigation profiles applied to them such as UDP 53.

If unsure you can determine what port(s) the service bound to by using the ss or netstat commands as appropriate.

There is a form in the dashboard for creating ports, this can be found in your services action menu as the "Ports" page. To add a port click the "Add Port" button towards the bottom of the page. Then fill the created form with the values you can see below in the example / integrated form. Alternatively, you can also use the form below to create the port for your service, just configure the appropriate backend by either:

  1. Selecting the Encapsulated Type, and then the appropriate Tunnel (as created in Step 2); or
  2. Entering a Backend IP address for a Reverse Proxy style port.

PortsProtocolDomainBackend Actions

Step 5: Test

Once all steps are completed and the progress bar for deployment of the configuration reaches 100% you should be able to connect to your service on your Filtered IP.

This Filtered IP is the address that you should use in any DNS names, or supply to any connecting users. All traffic which arrives at configured ports on a Filtered IP will be filtered for attack, and then forwarded to your configured backend server.

Note: If you (or your network provider) run a firewall either ensure the Backend Communication address (unless otherwise specified, your filtered IP) is whitelisted or that the firewall is disabled.

Step 6: Outgoing connection support

If you desire outgoing connections to be routed out and over the protected service you will need to setup your protection using a GRE or IP-in-IP tunnel. Once setup you will need to bind the OpenVPN daemon to the network interface (Windows) or encapsulated 10.x.x.x IP (Linux).

For this particular application the Budget line services may be easier as they have only a single tunnel. For Anycast services you may choose to have either a single tunnel or multiple. When making an outgoing connection on an Anycast product you may notice a slight delay while the connection is initialized. This is us finding the correct PoP to handle your outgoing connection and creating the subsequent routes.

We do not recommend performing large amounts of ICMP or DNS over your protected IP as these may be filtered by the mitigation system.