How to Install OpenVPN Server on Ubuntu

Install Open VPN Server on Ubuntu 18.04 20.04 22.04

OpenVPN is a free, open-source VPN (Virtual Private Network) software that allows you to securely connect to a remote network over the internet. In this article, we will guide you through the process of installing OpenVPN on an Ubuntu server 18.04/20.04/22.04.

Method 1:

Installing OpenVPN using a Script.

First, get the script and make it executable:

$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x openvpn-install.sh

Then run it:

$ ./openvpn-install.sh

You need to run the script as root and have the TUN module enabled.

The first time you run it, you’ll have to follow the assistant and answer a few questions to setup your VPN server.

When OpenVPN is installed, you can run the script again, and you will get the choice to:

root@ubuntu:~# ./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It looks like OpenVPN is already installed.
What do you want to do?
   1) Add a new user
   2) Revoke existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:

you can add a new user or revoke an existant user .


Method 2 :

Step 1: Update and Upgrade Ubuntu

Before installing any new software, it is always recommended to update and upgrade your Ubuntu system. You can do this by running the following commands:

$ sudo apt update 
$ sudo apt upgrade

Step 2: Install OpenVPN

You can install OpenVPN on Ubuntu by running the following command:

$ sudo apt install openvpn easy-rsa

Step 3: Generate Certificates and Keys

OpenVPN uses certificates and keys to authenticate clients and servers. You can generate these files by running the easy-rsa script included with OpenVPN. To do this, follow these steps:

$ make-cadir ~/openvpn-ca && cd ~/openvpn-ca

 Edit the vars file to set up the Certificate Authority (CA) variables:

$ nano ./vars

Edit the variables as needed, for example:

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "California"
set_var EASYRSA_REQ_CITY       "San Francisco"
set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL      "[email protected]"
set_var EASYRSA_REQ_OU         "My Organizational Unit"
$ ./easyrsa init-pki
$ ./easyrsa build-ca
$ ./easyrsa gen-req server nopass
$ ./easyrsa sign-req server server
$ ./easyrsa gen-dh
$ openvpn --genkey --secret pki/ta.key

The certificates and keys will be created in the /root/openvpn-ca/pki directory.

Step 4: Configure OpenVPN

After generating the certificates and keys, you need to configure OpenVPN. To do this, create a new configuration file with the following command:

$ sudo cp pki/dh.pem pki/ca.crt pki/ta.key pki/issued/server.crt pki/private/server.key /etc/openvpn/
$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server.conf

Edit the following content in the configuration file /etc/openvpn/server.conf:

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
;tls-auth ta.key 0
tls-crypt ta.key
push "redirect-gateway def1 bypass-dhcp"

Save and close the file.

Enable IP Forwarding

$ sudo nano /etc/sysctl.conf
# Uncomment the following line:
net.ipv4.ip_forward=1

Then apply the changes:

$ sudo sysctl -p

Step 5: Start and Enable OpenVPN

You can start and enable the OpenVPN service with the following commands:

$ sudo systemctl start openvpn@server 
$ sudo systemctl enable openvpn@server

The @server part specifies the name of the configuration file you created earlier.

Step 6: Configure Firewall

You need to allow OpenVPN traffic through the firewall. You can do this by creating a new rule with the following command:

$ sudo ufw allow OpenVPN # ignore if you don't use firewall

Add iptables routing

$ ifconfig
.
.
.
venet0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet 127.0.0.1  netmask 255.255.255.255  broadcast 0.0.0.0  destination 127.0.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
        RX packets 4825  bytes 467045 (467.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3331  bytes 322185 (322.1 KB)
        TX errors 0  dropped 1167 overruns 0  carrier 0  collisions 0
venet0:0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet 7.249.98.8  netmask 255.255.255.0  broadcast 7.249.98.255  destination 7.249.98.8
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
.
.

Our main network is venet0 you may have eth0 or something else

$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE

Step 7: Connect to OpenVPN Server

Now that the OpenVPN server is up and running, you can connect to it from a client computer. To do this, you need to install the OpenVPN client software on your computer and download the client configuration file from the server. You can do this by running the following command on the server:

$ ./easyrsa gen-req client1 nopass
$ ./easyrsa sign-req client client1
$ sudo cp pki/private/client1.key /etc/openvpn/client/
$ sudo cp pki/issued/client1.crt /etc/openvpn/client/
$ sudo cp pki/{ca.crt,ta.key} /etc/openvpn/client/

 Create a client configuration file into the /root/openvpn-ca directory to use as your base configuration:

$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root/openvpn-ca/

Open this file using nano and edit this variables:

remote 192.168.1.5 1194 # 192.168.1.5 is the server public IP
user nobody
group nogroup
;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1
key-direction 1

Now create a script to compile the base configuration with the necessary certificate, key, and encryption files.

$ nano config_gen.sh

 Add the following content:

#!/bin/bash
# First argument: Client identifier
KEY_DIR=/etc/openvpn/client
OUTPUT_DIR=/root # change it to output directory
BASE_CONFIG=/root/openvpn-ca/client.conf # Change it to client.conf in your system
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-crypt>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-crypt>') \
    > ${OUTPUT_DIR}/${1}.ovpn

After writing the script, save and close the config_gen.sh file.

Don’t forget to make the file executable by running:

$ sudo chmod 700 /root/openvpn-ca/config_gen.sh
$ sudo ./config_gen.sh client1

This command will create a new file called client1.ovpn in the /root/ directory.

Copy this file to your client computer and use it to connect to the OpenVPN server.

Conclusion

In this tutorial, we have shown you how to install and configure OpenVPN on an Ubuntu server. With OpenVPN, you can securely connect to a remote network and access its resources from anywhere in the world.

48 thoughts on - How to Install OpenVPN Server on Ubuntu

  • If you are using tcp:
    Options error: –explicit-exit-notify can only be used with –proto udp
    you need to comment this line ;explicit-exit-notify

  • hi, thanks for your good post.
    after installation of openvpn, i added a new user. then i want to delete that user. how to do it?
    when i run ./openvpn-install.sh these lines printed:

    What do you want to do?
    1) Add a new user
    2) Revoke existing user
    3) Remove OpenVPN
    4) Exit
    Select an option [1-4]:

    how to delete a user? is there any way?

  • Where did you provide the server ip address & subnet and the client ip address & Subnet?
    Where is the configuration such as rekeying is enabled or not, dead peer time configuration, ?

  • Hi there. Method 1 works really fine. Thanks.
    Just wondering how many simultaneous are allowed like this. In the official documentation says only 2?

  • Hello, I am at a loss at this point, I installed Ubuntu 22.04 fresh completely clean. I used method one, ran the script and pretty much used all the defaults. At that point I pulled the .ovpn file and added it in my ubuntu 22.04 openvpn client PC, I put it in my documents folder. I did however ran a chown and changed ownership to NOT the root user… I haven’t tried that and maybe that is it but I changed ownership on the .ovpn file. I then tried to configure it using the VPN add + button in network manager in Ubuntu.

    In syslog it is showing it timing out and am getting an error (1).
    I dropped my firewall on my main ISP router completely, configured port triggering as well as port forwarding being forwarded to my Ubuntu openvpn server. and dropped UFW on both machines server/client.

    I ran a tcpdump and I do see it hitting the openvpn server, any other information you may need I can provide.

    To test I was using my hotspot which I noticed was giving a ipv6 address, I’m using ATT.

    I followed the 1st method to a T but still am unable to connect, I’m at the point I cracked a beer open since I was so stressed out. I would appreciate any help or suggestions, everything on both machines was fully updated on Ubuntu.

    • Hi,
      Your problem may be connected to IPV6 Support, when installing OpenVPN enable IPV6 Support:
      Checking for IPv6 connectivity...

      Your host does not appear to have IPv6 connectivity.

      Do you want to enable IPv6 support (NAT)? [y/n]: y
      Best regards.

  • Hello! I did everything step by step, but after successful connection i get this:
    2024-04-01 00:36:53.589096 MANAGEMENT: >STATE:1711921013,CONNECTED,SUCCESS,10.8.0.6,62.133.63.26,1194,,
    2024-04-01 00:36:54.707694 *Tunnelblick: Warning: Could not obtain a list of DNS addresses that are expected
    2024-04-01 00:36:54.818303 *Tunnelblick: Routing info stdout:
    route to: 192.168.1.1
    destination: 192.168.1.1
    interface: en0
    flags:
    recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
    0 0 0 0 0 0 1500 1199
    stderr:

    2024-04-01 00:36:54.831454 *Tunnelblick: Warning: DNS server address 192.168.1.1 is not a public IP address and is not being routed through the VPN.

    How can I fix it?

  • Hi,
    When I run Step 6 (1st Method is working fine, this query is for the 2nd Method)

    $ zcat \
    /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz \
    | sudo tee /etc/openvpn/server.conf > /dev/null

    I get the following error ?

    gzip: /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz: No such file or directory

  • hello!! I am having a problem, my openvpn says its not linking with remote address.. II have tried add remote so that maybe it would listen to external Ip address but nothing good.

    [email protected] – OpenVPN connection to server
    Loaded: loaded (/etc/systemd/system/[email protected]; enabled; vendor preset: enabled)
    Active: active (running) since Sat 2024-05-04 23:24:38 CAT; 1min 48s ago
    Docs: man:openvpn(8)
    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
    https://community.openvpn.net/openvpn/wiki/HOWTO
    Main PID: 80149 (openvpn)
    Status: “Initialization Sequence Completed”
    Tasks: 1 (limit: 1977)
    Memory: 924.0K
    CGroup: /system.slice/system-openvpn.slice/[email protected]
    └─80149 /usr/sbin/openvpn –daemon ovpn-server –status /run/openvpn/server.status 10 –cd /etc/openvpn –script-security 2 –co>

    May 04 23:24:38 enkuya1 ovpn-server[80149]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
    May 04 23:24:38 enkuya1 ovpn-server[80149]: Socket Buffers: R=[212992->212992] S=[212992->212992]
    May 04 23:24:38 enkuya1 ovpn-server[80149]: UDPv4 link local (bound): [AF_INET][undef]:1194
    May 04 23:24:38 enkuya1 ovpn-server[80149]: UDPv4 link remote: [AF_UNSPEC]
    May 04 23:24:38 enkuya1 ovpn-server[80149]: GID set to nogroup
    May 04 23:24:38 enkuya1 ovpn-server[80149]: UID set to nobody
    May 04 23:24:38 enkuya1 ovpn-server[80149]: MULTI: multi_init called, r=256 v=256
    May 04 23:24:38 enkuya1 ovpn-server[80149]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
    May 04 23:24:38 enkuya1 ovpn-server[80149]: IFCONFIG POOL LIST
    May 04 23:24:38 enkuya1 ovpn-server[80149]: Initialization Sequence Completed
    root@enkuya1:/etc/openvpn# nano server.conf
    root@enkuya1:/etc/openvpn#
    everything looks good, just that I can not link it with remote address

  • I have used your tutorials, and using step 2.

    but still getting this error whenever I tried to connect from my client

    “tls-crypt unwrap error: packet authentication failed”

    Is there any way to fix this issue?

    • Hi,
      Need to update the client and server to use either tls-crypt or tls-auth exclusively, and in both places.
      Make sure you are using the same on both sides..
      Best regards.

  • AD-Blocker problem with default DNS

    After the installation my server config contains

    push “dhcp-option DNS 94.140.14.14”
    push “dhcp-option DNS 94.140.15.15”

    The problem is this DNS has ad-blocker list that makes it return IP:0.0.0.0 for sites it blocks.
    Server: dns.adguard.com
    Address: 94.140.14.14

    In my case I commented out the two lines as my OpenVPN service does not route traffic to the internet

    The client config can ignore pushed DNS and use default by adding to the client config

    pull-filter ignore “dhcp-option DNS”

    ..but that has not been tested

  • Forgot to add the OpenVPN setup I use is a split tunel

    #Removing the default redirect
    #push “redirect-gateway def1 bypass-dhcp”

    #Adding route specific LAN for what traffic will target the VPN
    push “route 192.168.200.0 255.255.255.0”

  • Great tutorial

    Update “$ openvpn –genkey secret pki/ta.key” to “$ openvpn –genkey –secret pki/ta.key”

  • Getting this:

    root@ubuntu-s-1vcpu-1gb-fra1-01:~/openvpn-ca# sudo openvpn –config /etc/openvpn/server.conf –verb 4
    2024-06-02 07:50:27 us=488082 WARNING: –topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to –topology subnet as soon as possible.
    2024-06-02 07:50:27 us=491781 DEPRECATED OPTION: –cipher set to ‘AES-256-CBC’ but missing in –data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores –cipher for cipher negotiations.
    2024-06-02 07:50:27 us=492150 Cannot pre-load keyfile (ta.key)
    2024-06-02 07:50:27 us=492373 Exiting due to fatal error

    Any Idea why ?

  • method 2 works for me on Ubuntu 20. If you get error, please use journalctl -xe to check detail about the errors then fix them.

  • Hi,
    I am using method 1 to create OpenVPN. the VPN service is working normally. But I have 1 problem:
    My OpenVPN server has 2 network card: the 1st card connected to internet with public IP address and 2nd card with IP 192.168.1.10/24. I have 1 web server with IP 192.168.1.20/24, that is connected and reachable from the openVPN server.
    My OpenVPN client network is 10.8.0.0/24. I connect my VPN client to the VPN server and push route 192.168.1.0/24 to the client successfully. And I also push the static route “10.8.0.0/24 -> next hop 192.168.10” in the web server. But from my VPN client can’t access the Web server. I see that the problem is: when the package go from the Client to the VPN server, the VPN server automatically NAT the source address of the package from 10.8.0.0/24 to the public IP address and forward the package out the interface connected to the internet. So please help me to fix this problem. Thank you very much.

    • Hello,
      i’m afraid to say that Method 1 is for regular OpenVPN installation , for your specific use case you need to follow 2nd Method and apply it in your system.
      Best regards.

  • Hello,
    I have a question. I have used the first method and it worked, but I want to try to add 2fa to the server.
    If anyone has a solution, please respond.
    Thanks

  • @webhi, hello friend, I have followed your guides, method #2, successfully setup the VPN server. Thanks a lot for your great work. I’ll with my 6 classmates want to setup a VPN server just for playing the LAN game thru internet at our home. We have been spend almost a year but still not success. Six of us are with zero knowledge on VPN or network. We copy and paste those guys coding or commands from forum and it is really quite a difficult task for us.

    Meantime, we have a problem to enable the VPN server Port with IP address to LISTEN for client to logon. Can you please write some guides for us to follow, our internal Lan IP address we used is 10.101.2.0. The VPN virtual Server IP is 192.168.0.2. What is the codes or commands to enable TCP/UDP port 443/943/1194 with IP 192.168.0.2 to LISTEN for client side to logon.
    thanks brother, you’re great.

  • Those who are getting below error while using method-2
    Job for [email protected] failed because the control process exited with error code.
    See “systemctl status [email protected]” and “journalctl -xeu [email protected]” for details.

    Just run this command:
    sudo cp /root/openvpn-ca/pki/ta.key /etc/openvpn/

    and then again start the openvpn server
    sudo systemctl start openvpn@server

    FYI :
    The author missed to copy the ta.key file from /root/openvpn-ca/pki/ folder to /etc/openvpn/ folder and hence openvpn was not starting as it couldn’t find the ta.key file

    The updated command should be:
    sudo cp pki/dh.pem pki/ca.crt pki/issued/server.crt pki/private/server.key pki/ta.key /etc/openvpn/

    Also, Thanks a ton for this wonderful article, much appreciated

    • Yes, you can. By default, OpenVPN server doesn’t allow multiple clients to connect with the same pair of cert/key; each client must have its own cert/key with an unique common name. However, multiple clients are allowed to connect to the OpenVPN server using the same pair of cert/key if duplicate-cn (allowing duplicate common name) is present in OpenVPN server’s configuration file.

LEAVE A COMMENT