OpenVPN is free, open-source VPN (Virtual Private Network) software that lets you connect securely to a remote network over the internet. In this article, we guide you through installing an OpenVPN server on Ubuntu 18.04, 20.04 or 22.04.
Method 1: Installing OpenVPN using a script
First, download the script and make it executable. It is a third-party script that you will run as root, so read it before executing it:
$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x openvpn-install.sh
Then run it as root:
$ sudo ./openvpn-install.sh
The script needs root privileges (it installs packages, writes to /etc/openvpn and manages the service) and a working TUN module: /dev/net/tun must exist on the host.
The first time you run it, follow the assistant and answer a few questions to set up your VPN server.
Once OpenVPN is installed, running the script again gives you a menu:
root@ubuntu:~# ./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It looks like OpenVPN is already installed.
What do you want to do?
1) Add a new user
2) Revoke existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]:
From here you can add a new user or revoke an existing user. Each generated .ovpn file is a complete credential, so revoke a user as soon as its file may have leaked.
Method 2: Installing OpenVPN manually
Step 1: Update and Upgrade Ubuntu
Before installing any new software, it is always recommended to update and upgrade your Ubuntu system. You can do this by running the following commands:
$ sudo apt update
$ sudo apt upgrade
Step 2: Install OpenVPN
You can install OpenVPN on Ubuntu by running the following command:
$ sudo apt install openvpn easy-rsa
Step 3: Generate Certificates and Keys
OpenVPN uses certificates and keys to authenticate clients and servers. You can generate these files by running the easy-rsa script included with OpenVPN. To do this, follow these steps:
$ make-cadir ~/openvpn-ca && cd ~/openvpn-ca
Edit the vars file to set up the Certificate Authority (CA) variables:
$ nano ./vars
Edit the variables as needed, for example:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
$ ./easyrsa init-pki
$ ./easyrsa build-ca # prompts for a CA passphrase; keep one, this key signs every client certificate
$ ./easyrsa gen-req server nopass # unencrypted server key, so the service can start unattended
$ ./easyrsa sign-req server server # the "server" type adds the serverAuth extension that clients check with remote-cert-tls server
$ ./easyrsa gen-dh
$ openvpn --genkey --secret pki/ta.key
The certificates and keys are created in the /root/openvpn-ca/pki directory (the paths in this tutorial assume you are working as root). The CA private key, pki/private/ca.key, is the most sensitive file here: it is only needed to sign or revoke certificates, and it is not copied to /etc/openvpn with the files the running server needs.
Step 4: Configure OpenVPN
After generating the certificates and keys, configure the server. Copy the files OpenVPN needs into /etc/openvpn and start from the sample server configuration shipped with the package:
$ sudo cp pki/dh.pem pki/ca.crt pki/ta.key pki/issued/server.crt pki/private/server.key /etc/openvpn/
$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server.conf
Edit the following content in the configuration file /etc/openvpn/server.conf:
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
;tls-auth ta.key 0 # leave commented: tls-auth and tls-crypt must not both be active
tls-crypt ta.key # encrypts and authenticates the control channel; the client must use tls-crypt too
push "redirect-gateway def1 bypass-dhcp" # routes all client traffic through the VPN
Also uncomment the user nobody and group nogroup lines so the daemon drops root privileges once the tunnel is up, and uncomment topology subnet (the sample's net30 default is deprecated). The sample's cipher AES-256-CBC line only produces a deprecation warning on OpenVPN 2.5 and later, which negotiates the data cipher from data-ciphers instead.
Save and close the file.
Enable IP Forwarding
$ sudo nano /etc/sysctl.conf
# Uncomment the following line:
net.ipv4.ip_forward=1
Then apply the changes:
$ sudo sysctl -p
Step 5: Start and Enable OpenVPN
You can start and enable the OpenVPN service with the following commands:
$ sudo systemctl start openvpn@server
$ sudo systemctl enable openvpn@server
The @server part refers to the name of the configuration file, /etc/openvpn/server.conf.
Step 6: Configure Firewall
You need to allow OpenVPN traffic through the firewall. If you use ufw, the openvpn package ships an application profile for it:
$ sudo ufw allow OpenVPN # skip if you don't use ufw
With ufw enabled, traffic forwarded from the tunnel is dropped by its default forward policy; set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw and reload ufw.
Add iptables routing
Find the interface that carries your default route. The example below is ifconfig output from an OpenVZ host; ifconfig comes from the net-tools package, which is not installed by default on recent Ubuntu, so ip addr or ip route show default works just as well:
$ ifconfig
.
.
.
venet0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet 127.0.0.1 netmask 255.255.255.255 broadcast 0.0.0.0 destination 127.0.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 0 (UNSPEC)
RX packets 4825 bytes 467045 (467.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3331 bytes 322185 (322.1 KB)
TX errors 0 dropped 1167 overruns 0 carrier 0 collisions 0
venet0:0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet 7.249.98.8 netmask 255.255.255.0 broadcast 7.249.98.255 destination 7.249.98.8
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 0 (UNSPEC)
.
.
Our main interface is venet0; yours may be eth0, ens3 or something else. Use the interface that holds the default route.
$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
10.8.0.0/24 is the VPN subnet from the server directive in server.conf. This rule lives only in the running kernel and is gone after a reboot; persist it with the iptables-persistent package or in ufw's /etc/ufw/before.rules.
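The interface lookup and the NAT rule above, as an added example that is not part of the original article: it reads the egress interface from the kernel's default route instead of guessing it from ifconfig, and prints the rules for review before applying them. It assumes the VPN subnet 10.8.0.0/24 and tunnel device tun0 from the sample server.conf; the route lines in the lead comments are constructed, and the rules are not persisted by this script.

```shell
#!/bin/sh
# Added example, not part of the original article: derive the egress interface
# from the kernel's default route instead of reading ifconfig output, and build
# the iptables rules the VPN subnet needs. Assumptions: the VPN subnet is
# 10.8.0.0/24 and the tunnel device is tun0 (the sample server.conf defaults);
# the rules are applied by hand and are not persisted across reboots.

VPN_NET="${VPN_NET:-10.8.0.0/24}"
TUN_DEV="${TUN_DEV:-tun0}"

# Print the interface that follows "dev" in one line of `ip route show default`
# output. Handles both "default via <gw> dev eth0 ..." and the gateway-less
# "default dev venet0 scope link" form seen on OpenVZ/venet hosts.
iface_from_route_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Ask the running kernel for the egress interface (first IPv4 default route).
egress_iface() {
    dev=$(iface_from_route_line "$(ip -o -4 route show default | head -n 1)")
    [ -n "$dev" ] || { echo "no IPv4 default route found" >&2; return 1; }
    printf '%s\n' "$dev"
}

# Emit the rule set as text so it can be reviewed before it is applied:
# MASQUERADE the VPN subnet behind the egress interface, and accept the
# forwarded traffic in both directions, which matters when the FORWARD chain
# policy is DROP (ufw's default) rather than ACCEPT.
nat_rules() {
    iface=$1
    cat <<EOF
iptables -t nat -A POSTROUTING -s ${VPN_NET} -o ${iface} -j MASQUERADE
iptables -A FORWARD -i ${TUN_DEV} -o ${iface} -s ${VPN_NET} -j ACCEPT
iptables -A FORWARD -i ${iface} -o ${TUN_DEV} -d ${VPN_NET} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Usage: sh vpn-nat.sh show   -> print the rules for review
#        sh vpn-nat.sh apply  -> run them (as root)
case "${1:-}" in
    show)  dev=$(egress_iface) && nat_rules "$dev" ;;
    apply) dev=$(egress_iface) && nat_rules "$dev" | sh -e ;;
    *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

Run it with show first and compare the interface it picked against ip route show default; only then run apply as root. The two FORWARD rules are what the article's single MASQUERADE line lacks on hosts whose FORWARD policy is DROP.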
Step 7: Connect to OpenVPN Server
Now that the OpenVPN server is up and running, you can connect to it from a client computer. You need the OpenVPN client software on that computer and a client configuration file built on the server. First issue a client certificate (from the ~/openvpn-ca directory, with a unique name per client):
$ ./easyrsa gen-req client1 nopass # nopass leaves the client key unencrypted; it will be embedded in the .ovpn
$ ./easyrsa sign-req client client1
$ sudo cp pki/private/client1.key /etc/openvpn/client/
$ sudo cp pki/issued/client1.crt /etc/openvpn/client/
$ sudo cp pki/{ca.crt,ta.key} /etc/openvpn/client/
Create a client configuration file in the /root/openvpn-ca directory to use as your base configuration:
$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root/openvpn-ca/
Open this file with nano and edit these lines:
remote 192.168.1.5 1194 # replace 192.168.1.5 with your server's public IP or DNS name
user nobody
group nogroup
;ca ca.crt # commented out: these three files are embedded inline below
;cert client.crt
;key client.key
;tls-auth ta.key 1 # keep commented: the server uses tls-crypt, and both sides must match
key-direction 1 # only used by tls-auth; harmless with tls-crypt
Now create a script to compile the base configuration with the necessary certificate, key, and encryption files.
$ nano config_gen.sh
Add the following content:
#!/bin/bash
# First argument: client identifier (the name given to easyrsa gen-req)
set -euo pipefail
KEY_DIR=/etc/openvpn/client
OUTPUT_DIR=/root # change it to your output directory
BASE_CONFIG=/root/openvpn-ca/client.conf # change it to client.conf on your system

CLIENT=${1:?usage: $0 <client-name>}
# Refuse to proceed if any input is missing, so a half-built .ovpn is never produced.
for f in "$BASE_CONFIG" "$KEY_DIR/ca.crt" "$KEY_DIR/ta.key" \
         "$KEY_DIR/$CLIENT.crt" "$KEY_DIR/$CLIENT.key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; exit 1; }
done
# The .ovpn embeds the client's private key: create it readable by the owner only.
umask 077
cat "$BASE_CONFIG" \
    <(echo -e '<ca>') \
    "$KEY_DIR/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "$KEY_DIR/$CLIENT.crt" \
    <(echo -e '</cert>\n<key>') \
    "$KEY_DIR/$CLIENT.key" \
    <(echo -e '</key>\n<tls-crypt>') \
    "$KEY_DIR/ta.key" \
    <(echo -e '</tls-crypt>') \
    > "$OUTPUT_DIR/$CLIENT.ovpn"
echo "wrote $OUTPUT_DIR/$CLIENT.ovpn"
After writing the script, save and close the config_gen.sh file.
Don’t forget to make the file executable by running:
$ sudo chmod 700 /root/openvpn-ca/config_gen.sh
$ sudo ./config_gen.sh client1
This command creates a new file called client1.ovpn in the /root/ directory. It embeds the client's private key, so copy it to the client computer over an encrypted channel such as scp, delete the copy on the server once the client has it, and do not hand one .ovpn to several people. Then use it to connect to the OpenVPN server.
Conclusion
In this tutorial, we have shown you how to install and configure OpenVPN on an Ubuntu server. With OpenVPN, you can securely connect to a remote network and access its resources from anywhere in the world.
48 thoughts on “How to Install OpenVPN Server on Ubuntu”
Did not work. Error code:
root@ubuntu:~# sudo systemctl start openvpn@server
Job for openvpn@server.service failed because the control process exited with error code.
See "systemctl status openvpn@server.service" and "journalctl -xeu openvpn@server.service" for details.
Hi,
Did you try Method #1? Please try using the first method.
Best regards.
If you are using tcp:
Options error: --explicit-exit-notify can only be used with --proto udp
You need to comment out this line: ;explicit-exit-notify
Hi,
We didn’t get this error when we installed OpenVPN, please give us more specifics.
Best regards.
I have an error while starting service.
sudo systemctl start openvpn@server
Job for openvpn@server.service failed because the control process exited with error code.
See "systemctl status openvpn@server.service" and "journalctl -xeu openvpn@server.service" for details.
What can be wrong?
Hi,
can you post the output of
journalctl -xe
so we can debug the problem.
Best regards.
Using step 1, after installing the .ovpn file on mobile, it says openvpn: waiting for server
Did you use Method 1 or the second method?
Hi, thanks for your good post.
After installation of OpenVPN, I added a new user. Then I wanted to delete that user. How do I do it?
When I run ./openvpn-install.sh, these lines are printed:
What do you want to do?
1) Add a new user
2) Revoke existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]:
How do I delete a user? Is there any way?
To remove a user, you may choose the Revoke existing user and specify the user you want to remove.
Revoking a user just recreates another config for that user; you cannot remove the user with this option.
I can’t reproduce this and I’ve never seen it. Are you sure you are using the latest version of the script?
Where did you provide the server ip address & subnet and the client ip address & Subnet?
Where is the configuration such as whether rekeying is enabled or not, dead peer time configuration, etc.?
Please give me a more detailed question so we can help.
Best regards.
Awesome, used your method to setup on my Ubuntu 23.10. Thanks mate;
Hi there. Method 1 works really fine. Thanks.
Just wondering how many simultaneous connections are allowed like this. The official documentation says only 2?
Yes, you can use OpenVPN for multiple clients, but you'll have to set up a CA and issue a unique key/cert to each client.
What should I write instead of “remote my-server-1 1194”?
I really don’t understand it.
You need to substitute my-server-1 with your server's public IP, for example:
remote 192.168.1.24 1194
Tried the method 1 and it is amazing, thanks. Working in less than 5 minutes, wow
Hello, I am at a loss at this point. I installed Ubuntu 22.04 fresh, completely clean. I used method one, ran the script and pretty much used all the defaults. At that point I pulled the .ovpn file and added it on my Ubuntu 22.04 OpenVPN client PC; I put it in my Documents folder. I did however run a chown and changed ownership to NOT the root user… I haven’t tried that and maybe that is it, but I changed ownership on the .ovpn file. I then tried to configure it using the VPN add + button in Network Manager in Ubuntu.
In syslog it is showing it timing out and am getting an error (1).
I dropped my firewall on my main ISP router completely, configured port triggering as well as port forwarding being forwarded to my Ubuntu openvpn server. and dropped UFW on both machines server/client.
I ran a tcpdump and I do see it hitting the openvpn server, any other information you may need I can provide.
To test I was using my hotspot which I noticed was giving a ipv6 address, I’m using ATT.
I followed the 1st method to a T but still am unable to connect, I’m at the point I cracked a beer open since I was so stressed out. I would appreciate any help or suggestions, everything on both machines was fully updated on Ubuntu.
Hi,
Your problem may be related to IPv6 support; when installing OpenVPN, enable IPv6 support:
Checking for IPv6 connectivity...
Your host does not appear to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: y
Best regards.
Hello! I did everything step by step, but after successful connection i get this:
2024-04-01 00:36:53.589096 MANAGEMENT: >STATE:1711921013,CONNECTED,SUCCESS,10.8.0.6,62.133.63.26,1194,,
2024-04-01 00:36:54.707694 *Tunnelblick: Warning: Could not obtain a list of DNS addresses that are expected
2024-04-01 00:36:54.818303 *Tunnelblick: Routing info stdout:
route to: 192.168.1.1
destination: 192.168.1.1
interface: en0
flags:
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1500 1199
stderr:
2024-04-01 00:36:54.831454 *Tunnelblick: Warning: DNS server address 192.168.1.1 is not a public IP address and is not being routed through the VPN.
How can I fix it?
Hi,
The IP you are using is an internal IP, “192.168.1.1”; please check whether you are connected to the internet.
Best regards.
I used method #1, but can’t access the browser interface. Any ideas?
Please share with us more info to help you.
Hi,
When I run Step 6 (1st Method is working fine, this query is for the 2nd Method)
$ zcat \
/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz \
| sudo tee /etc/openvpn/server.conf > /dev/null
I get the following error ?
gzip: /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz: No such file or directory
Hello,
We updated our tutorial following the latest OpenVPN updates; please follow these new steps.
Best regards.
Hello!! I am having a problem: my OpenVPN says it's not linking with the remote address. I have tried adding remote so that maybe it would listen on the external IP address, but nothing good.
● openvpn@server.service – OpenVPN connection to server
Loaded: loaded (/etc/systemd/system/openvpn@server.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2024-05-04 23:24:38 CAT; 1min 48s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 80149 (openvpn)
Status: “Initialization Sequence Completed”
Tasks: 1 (limit: 1977)
Memory: 924.0K
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─80149 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --co>
May 04 23:24:38 enkuya1 ovpn-server[80149]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
May 04 23:24:38 enkuya1 ovpn-server[80149]: Socket Buffers: R=[212992->212992] S=[212992->212992]
May 04 23:24:38 enkuya1 ovpn-server[80149]: UDPv4 link local (bound): [AF_INET][undef]:1194
May 04 23:24:38 enkuya1 ovpn-server[80149]: UDPv4 link remote: [AF_UNSPEC]
May 04 23:24:38 enkuya1 ovpn-server[80149]: GID set to nogroup
May 04 23:24:38 enkuya1 ovpn-server[80149]: UID set to nobody
May 04 23:24:38 enkuya1 ovpn-server[80149]: MULTI: multi_init called, r=256 v=256
May 04 23:24:38 enkuya1 ovpn-server[80149]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
May 04 23:24:38 enkuya1 ovpn-server[80149]: IFCONFIG POOL LIST
May 04 23:24:38 enkuya1 ovpn-server[80149]: Initialization Sequence Completed
root@enkuya1:/etc/openvpn# nano server.conf
root@enkuya1:/etc/openvpn#
everything looks good, just that I can not link it with remote address
Hi,
Your service seems OK; please check your configuration.
Best regards.
I have used your tutorials, and using step 2.
but still getting this error whenever I tried to connect from my client
“tls-crypt unwrap error: packet authentication failed”
Is there any way to fix this issue?
Hi,
You need to update the client and server to use either tls-crypt or tls-auth exclusively, in both places.
Make sure you are using the same on both sides.
Best regards.
AD-Blocker problem with default DNS
After the installation my server config contains
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
The problem is this DNS has ad-blocker list that makes it return IP:0.0.0.0 for sites it blocks.
Server: dns.adguard.com
Address: 94.140.14.14
In my case I commented out the two lines as my OpenVPN service does not route traffic to the internet
The client config can ignore pushed DNS and use default by adding to the client config
pull-filter ignore "dhcp-option DNS"
..but that has not been tested
Forgot to add: the OpenVPN setup I use is a split tunnel.
#Removing the default redirect
#push "redirect-gateway def1 bypass-dhcp"
#Adding a route specific to the LAN for what traffic will target the VPN
push "route 192.168.200.0 255.255.255.0"
Great tutorial
Update "$ openvpn --genkey secret pki/ta.key" to "$ openvpn --genkey --secret pki/ta.key"
Thanks for your contribution, we updated the commands.
Getting this:
root@ubuntu-s-1vcpu-1gb-fra1-01:~/openvpn-ca# sudo openvpn --config /etc/openvpn/server.conf --verb 4
2024-06-02 07:50:27 us=488082 WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
2024-06-02 07:50:27 us=491781 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2024-06-02 07:50:27 us=492150 Cannot pre-load keyfile (ta.key)
2024-06-02 07:50:27 us=492373 Exiting due to fatal error
Any Idea why ?
Please check your key file path if its correct.
Method 2 works for me on Ubuntu 20. If you get an error, please use journalctl -xe to check the details about the errors, then fix them.
Hi,
I am using method 1 to create OpenVPN. the VPN service is working normally. But I have 1 problem:
My OpenVPN server has 2 network cards: the 1st card is connected to the internet with a public IP address and the 2nd card has IP 192.168.1.10/24. I have 1 web server with IP 192.168.1.20/24, which is connected to and reachable from the OpenVPN server.
My OpenVPN client network is 10.8.0.0/24. I connect my VPN client to the VPN server and push the route 192.168.1.0/24 to the client successfully. I also push the static route “10.8.0.0/24 -> next hop 192.168.10” on the web server. But from my VPN client I can’t access the web server. I see that the problem is: when the package goes from the client to the VPN server, the VPN server automatically NATs the source address of the package from 10.8.0.0/24 to the public IP address and forwards the package out of the interface connected to the internet. So please help me to fix this problem. Thank you very much.
Hello,
I’m afraid to say that Method 1 is for a regular OpenVPN installation; for your specific use case you need to follow the 2nd method and apply it to your system.
Best regards.
Hello,
I have a question. I have used the first method and it worked, but I want to try to add 2fa to the server.
If anyone has a solution, please respond.
Thanks
Hi,
you can follow this guide:
https://www.webhi.com/how-to/how-to-add-2fa-to-linux-server-for-enhanced-security/
Best regards.
@webhi, hello friend, I have followed your guides, method #2, and successfully set up the VPN server. Thanks a lot for your great work. My 6 classmates and I want to set up a VPN server just for playing LAN games through the internet at our homes. We have spent almost a year but still have not succeeded. The six of us have zero knowledge of VPNs or networking. We copy and paste those guys’ code or commands from forums and it is really quite a difficult task for us.
Meanwhile, we have a problem enabling the VPN server port with an IP address to LISTEN for clients to log on. Can you please write some guides for us to follow? Our internal LAN IP range is 10.101.2.0. The VPN virtual server IP is 192.168.0.2. What are the codes or commands to enable TCP/UDP port 443/943/1194 with IP 192.168.0.2 to LISTEN for the client side to log on?
thanks brother, you’re great.
Those who are getting the below error while using Method 2:
Job for openvpn@server.service failed because the control process exited with error code.
See "systemctl status openvpn@server.service" and "journalctl -xeu openvpn@server.service" for details.
Just run this command:
sudo cp /root/openvpn-ca/pki/ta.key /etc/openvpn/
and then again start the openvpn server
sudo systemctl start openvpn@server
FYI: The author forgot to copy the ta.key file from the /root/openvpn-ca/pki/ folder to the /etc/openvpn/ folder, hence OpenVPN was not starting as it couldn't find the ta.key file.
The updated command should be:
sudo cp pki/dh.pem pki/ca.crt pki/issued/server.crt pki/private/server.key pki/ta.key /etc/openvpn/
Also, Thanks a ton for this wonderful article, much appreciated
Hi,
Thank you for the input. We added the missing command.
Best regards.
Hi,
Is there an option to connect with 1 user on many devices simultaneously?
If yes, what needs to change, and how?
Yes, you can. By default, the OpenVPN server doesn't allow multiple clients to connect with the same cert/key pair; each client must have its own cert/key with a unique common name. However, multiple clients are allowed to connect to the OpenVPN server using the same cert/key pair if duplicate-cn (allowing duplicate common names) is present in the OpenVPN server's configuration file.