OpenVPN is a free, open-source VPN (Virtual Private Network) software that allows you to securely connect to a remote network over the internet. In this article, we will guide you through the process of installing OpenVPN on an Ubuntu server 18.04/20.04/22.04.
Method 1:
Installing OpenVPN using a Script.
First, get the script and make it executable:
$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x openvpn-install.sh
Then run it:
$ ./openvpn-install.sh
You need to run the script as root and have the TUN module enabled.
The first time you run it, you’ll have to follow the assistant and answer a few questions to setup your VPN server.
When OpenVPN is installed, you can run the script again, and you will get the choice to:
root@ubuntu:~# ./openvpn-install.sh Welcome to OpenVPN-install! The git repository is available at: https://github.com/angristan/openvpn-install It looks like OpenVPN is already installed. What do you want to do? 1) Add a new user 2) Revoke existing user 3) Remove OpenVPN 4) Exit Select an option [1-4]:
you can add a new user or revoke an existant user .
Method 2 :
Step 1: Update and Upgrade Ubuntu
Before installing any new software, it is always recommended to update and upgrade your Ubuntu system. You can do this by running the following commands:
$ sudo apt update
$ sudo apt upgrade
Step 2: Install OpenVPN
You can install OpenVPN on Ubuntu by running the following command:
$ sudo apt install openvpn easy-rsa
Step 3: Generate Certificates and Keys
OpenVPN uses certificates and keys to authenticate clients and servers. You can generate these files by running the easy-rsa script included with OpenVPN. To do this, follow these steps:
$ make-cadir ~/openvpn-ca && cd ~/openvpn-ca
Edit the vars
file to set up the Certificate Authority (CA) variables:
$ nano ./vars
Edit the variables as needed, for example:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "My Organizational Unit"
$ ./easyrsa init-pki
$ ./easyrsa build-ca
$ ./easyrsa gen-req server nopass
$ ./easyrsa sign-req server server
$ ./easyrsa gen-dh
$ openvpn --genkey secret pki/ta.key
The certificates and keys will be created in the /root/openvpn-ca/pki
directory.
Step 4: Configure OpenVPN
After generating the certificates and keys, you need to configure OpenVPN. To do this, create a new configuration file with the following command:
$ sudo cp pki/dh.pem pki/ca.crt pki/issued/server.crt pki/private/server.key /etc/openvpn/
$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server.conf
Edit the following content in the configuration file /etc/openvpn/server.conf
:
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
;tls-auth ta.key 0
tls-crypt ta.key
push "redirect-gateway def1 bypass-dhcp"
Save and close the file.
Enable IP Forwarding
$ sudo nano /etc/sysctl.conf
# Uncomment the following line:
net.ipv4.ip_forward=1
Then apply the changes:
$ sudo sysctl -p
Step 5: Start and Enable OpenVPN
You can start and enable the OpenVPN service with the following commands:
$ sudo systemctl start openvpn@server
$ sudo systemctl enable openvpn@server
The @server
part specifies the name of the configuration file you created earlier.
Step 6: Configure Firewall
You need to allow OpenVPN traffic through the firewall. You can do this by creating a new rule with the following command:
$ sudo ufw allow OpenVPN # ignore if you don't use firewall
Add iptables routing
$ ifconfig
.
.
.
venet0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet 127.0.0.1 netmask 255.255.255.255 broadcast 0.0.0.0 destination 127.0.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 0 (UNSPEC)
RX packets 4825 bytes 467045 (467.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3331 bytes 322185 (322.1 KB)
TX errors 0 dropped 1167 overruns 0 carrier 0 collisions 0
venet0:0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet 7.249.98.8 netmask 255.255.255.0 broadcast 7.249.98.255 destination 7.249.98.8
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 0 (UNSPEC)
.
.
Our main network is venet0 you may have eth0 or something else
$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
Step 7: Connect to OpenVPN Server
Now that the OpenVPN server is up and running, you can connect to it from a client computer. To do this, you need to install the OpenVPN client software on your computer and download the client configuration file from the server. You can do this by running the following command on the server:
$ ./easyrsa gen-req client1 nopass
$ ./easyrsa sign-req client client1
$ sudo cp pki/private/client1.key /etc/openvpn/client/
$ sudo cp pki/issued/client1.crt /etc/openvpn/client/
$ sudo cp pki/{ca.crt,ta.key} /etc/openvpn/client/
Create a client configuration file into the /root/openvpn-ca
directory to use as your base configuration:
$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root/openvpn-ca/
Open this file using nano
and edit this variables:
remote 192.168.1.5 1194 # 192.168.1.5 is the server public IP
user nobody
group nogroup
;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1
key-direction 1
Now create a script to compile the base configuration with the necessary certificate, key, and encryption files.
$ nano config_gen.sh
Add the following content:
#!/bin/bash
# First argument: Client identifier
KEY_DIR=/etc/openvpn/client
OUTPUT_DIR=/root # change it to output directory
BASE_CONFIG=/root/openvpn-ca/client.conf # Change it to client.conf in your system
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-crypt>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-crypt>') \
> ${OUTPUT_DIR}/${1}.ovpn
After writing the script, save and close the config_gen.sh file.
Don’t forget to make the file executable by running:
$ sudo chmod 700 /root/openvpn-ca/config_gen.sh
$ sudo ./config_gen.sh client1
This command will create a new file called client1.ovpn
in the /root/
directory.
Copy this file to your client computer and use it to connect to the OpenVPN server.
Conclusion
In this tutorial, we have shown you how to install and configure OpenVPN on an Ubuntu server. With OpenVPN, you can securely connect to a remote network and access its resources from anywhere in the world.
28 thoughts on - How to Install OpenVPN Server on Ubuntu
Did not work. Error code:
root@ubuntu:~# sudo systemctl start openvpn@server
Job for [email protected] failed because the control process exited with error code.
See “systemctl status [email protected]” and “journalctl -xeu [email protected]” for details.
Hi,
Did you try Method #1 , please try using the first method .
Best regards.
If you are using tcp:
Options error: –explicit-exit-notify can only be used with –proto udp
you need to comment this line ;explicit-exit-notify
Hi,
We didn’t get this error when we installed OpenVPN, please give us more specifics.
Best regards.
I have an error while starting service.
sudo systemctl start openvpn@server
Job for [email protected] failed because the control process exited with error code.
See “systemctl status [email protected]” and “journalctl -xeu [email protected]” for details.
What can be wrong?
Hi,
can you post the output of
journalctl -xe
so we can debug the problem.
Best regards.
using step 1 , after install .ovpn file in mobile says openvpn: waiting for server
Did you use Method 1 or the second Method
hi, thanks for your good post.
after installation of openvpn, i added a new user. then i want to delete that user. how to do it?
when i run ./openvpn-install.sh these lines printed:
What do you want to do?
1) Add a new user
2) Revoke existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]:
how to delete a user? is there any way?
To remove a user, you may choose the Revoke existing user and specify the user you want to remove.
Revoke a user just recreate another config for that user and can not remove the user with this option.
I can’t reproduce this and I’ve never seen it. Are you sure you are using the latest version of the script?
Where did you provide the server ip address & subnet and the client ip address & Subnet?
Where is the configuration such as rekeying is enabled or not, dead peer time configuration, ?
Please give me a more detailed question so we can help.
Best regards.
Awesome, used your method to setup on my Ubuntu 23.10. Thanks mate;
Hi there. Method 1 works really fine. Thanks.
Just wondering how many simultaneous are allowed like this. In the official documentation says only 2?
Yes you can use openvpn for multiple clients, but you’ll have to setup a CA Authority and issue a unique key/cert to each client.
What should i write instead “remote my-server-1 1194”
I really don’t understand it.
You need to subtitute my-server-1 with your server public IP exemple :
remote 192.168.1.24 1194
Tried the method 1 and it is amazing, thanks. Working in less than 5 minutes, wow
Hello, I am at a loss at this point, I installed Ubuntu 22.04 fresh completely clean. I used method one, ran the script and pretty much used all the defaults. At that point I pulled the .ovpn file and added it in my ubuntu 22.04 openvpn client PC, I put it in my documents folder. I did however ran a chown and changed ownership to NOT the root user… I haven’t tried that and maybe that is it but I changed ownership on the .ovpn file. I then tried to configure it using the VPN add + button in network manager in Ubuntu.
In syslog it is showing it timing out and am getting an error (1).
I dropped my firewall on my main ISP router completely, configured port triggering as well as port forwarding being forwarded to my Ubuntu openvpn server. and dropped UFW on both machines server/client.
I ran a tcpdump and I do see it hitting the openvpn server, any other information you may need I can provide.
To test I was using my hotspot which I noticed was giving a ipv6 address, I’m using ATT.
I followed the 1st method to a T but still am unable to connect, I’m at the point I cracked a beer open since I was so stressed out. I would appreciate any help or suggestions, everything on both machines was fully updated on Ubuntu.
Hi,
Your problem may be connected to IPV6 Support, when installing OpenVPN enable IPV6 Support:
Checking for IPv6 connectivity...
Your host does not appear to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: y
Best regards.
Hello! I did everything step by step, but after successful connection i get this:
2024-04-01 00:36:53.589096 MANAGEMENT: >STATE:1711921013,CONNECTED,SUCCESS,10.8.0.6,62.133.63.26,1194,,
2024-04-01 00:36:54.707694 *Tunnelblick: Warning: Could not obtain a list of DNS addresses that are expected
2024-04-01 00:36:54.818303 *Tunnelblick: Routing info stdout:
route to: 192.168.1.1
destination: 192.168.1.1
interface: en0
flags:
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1500 1199
stderr:
2024-04-01 00:36:54.831454 *Tunnelblick: Warning: DNS server address 192.168.1.1 is not a public IP address and is not being routed through the VPN.
How can I fix it?
Hi,
The IP your are using is internal ip “192.168.1.1” please check if you are connected to intrenet.
Best regards.
I used method #1, but can’t access the browser interface any ideas
Please share with us more info to help you.
Hi,
When I run Step 6 (1st Method is working fine, this query is for the 2nd Method)
$ zcat \
/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz \
| sudo tee /etc/openvpn/server.conf > /dev/null
I get the following error ?
gzip: /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz: No such file or directory
Hello,
We updated our tutorial following the latest OpenVPN updates , please follow this new steps.
Best regards.