A VPN server relays all of your traffic through an encrypted tunnel. On an untrusted network (a café Wi-Fi, a hostile ISP) that stops an attacker on the path from reading your traffic, tampering with it or seeing which sites you visit. It does not protect you from malware already on your own machine, and the VPN server itself still sees everything, so it must be a server you control or trust.

OpenVPN is free, open-source VPN software. You can install it on any server or VPS.

In this article, we will explain how to install OpenVPN on Ubuntu Server.

Requirements

  • A server or a VPS running Ubuntu Server 16.04 with OpenSSH
  • An account on the server with sudo rights (not the root account).
  • The UFW firewall (optional).

How to install OpenVPN

To build the VPN we need the openvpn and easy-rsa packages. Both are available in Ubuntu's standard repositories, so update the package list on the server and install them:

sudo apt-get update
sudo apt-get install openvpn easy-rsa

How to install the Certificate Authority

OpenVPN uses TLS certificates to authenticate the server and the clients to each other and to set up the encrypted channel. For this to work you need a certificate authority (CA) that signs every certificate. For maximum security the CA should live on a separate, preferably offline, machine: whoever holds ca.key can issue certificates that your VPN will trust. For simplicity, this guide keeps the CA on the same host as the VPN server.

First, create a directory for the certificate authority:

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

Now open the vars file to change the defaults that will be written into every certificate.

nano vars

Find the lines:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

Put your own data in them:

export KEY_COUNTRY="RU"
export KEY_PROVINCE="NA"
export KEY_CITY="Moscow City"
export KEY_ORG="Unihost"
export KEY_EMAIL="admin@example.com"
export KEY_OU="TechSupport"

Find the line:

export KEY_NAME=

Change it to:

export KEY_NAME="server"

Load the variables you just set into the current shell (you have to repeat this in every new shell before running any easy-rsa script):

cd ~/openvpn-ca
source vars

Initialize the key directory, then build the CA certificate and key. clean-all deletes everything in ~/openvpn-ca/keys, so run it only once, on a fresh directory:

./clean-all
./build-ca

Press ENTER at each prompt to accept the defaults from vars. The result is keys/ca.crt (public, distributed to every client) and keys/ca.key, which must never leave this directory.

How to create the server certificate and key

Next, the server needs its own certificate and private key, signed by the CA you just built. Clients use them to verify that they are talking to the real server; the server, in turn, authenticates each client by the client certificate created later in this guide.

./build-key-server server

Press ENTER at each prompt to accept the defaults. When asked for a challenge password, leave it empty.

Once you see the request:

Certificate is to be certified until May  1 17:51:16 2026 GMT (3650 days)

Sign the certificate? [y/n]:

Press Y.

Once you see the request:

1 out of 1 certificate requests certified, commit? [y/n]

Press Y.

Generate the Diffie-Hellman parameters. They are used in the TLS key exchange so that every session derives fresh keys that cannot be recovered from the certificates. Generating a 2048-bit group is slow, so this may take a couple of minutes.

./build-dh

Generate a static tls-auth key. With tls-auth, every control-channel packet carries an HMAC computed with this shared key, so the server drops packets that lack a valid signature before the TLS handshake even starts. That blunts port scanning, DoS floods and exploitation of bugs in the TLS implementation, and it lets the server detect tampered packets.

openvpn --genkey --secret keys/ta.key

How to setup OpenVPN

First, create a directory for the server's keys and copy them there (the configuration below refers to /etc/openvpn/keys/). Do not copy ca.key: the server does not need it, and it must stay with the CA.

cd ~/openvpn-ca/keys
sudo mkdir -p /etc/openvpn/keys
sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn/keys/

Now extract the sample configuration file that ships with the package. We will use it as the basis for our own configuration.

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Open the extracted file:

sudo nano /etc/openvpn/server.conf

Replace its contents with:

port 1194

# Protocol can be either TCP or UDP. UDP performs better; use TCP only where UDP is blocked.
proto udp
dev tun

# The location of the server's certificates and keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem

# The subnet for the virtual network. If you don't know what you are doing, don't change it.
server 10.8.0.0 255.255.255.0

# Directory with per-client settings, one file per client named after the certificate's Common Name.
# OpenVPN refuses to start if the directory does not exist, so create /etc/openvpn/ccd before
# removing the ; in the next line.
;client-config-dir ccd

# Remember which dynamically issued IP belongs to which client across restarts.
ifconfig-pool-persist ipp.txt

# Only needed when a client has a LAN behind it that should be reachable through the tunnel:
# add a route for that LAN here and a matching "iroute" line in the client's ccd file.
# As written, this line would send the server's own traffic for 192.168.0.0/24 into the tunnel,
# so leave it commented unless you need it.
;route 192.168.0.0 255.255.255.0

# TLS configuration
tls-server

# Drop control-channel packets that do not carry a valid HMAC made with ta.key.
# The server uses key direction 0, the clients direction 1.
tls-auth /etc/openvpn/keys/ta.key 0
tls-timeout 120

# HMAC for the data channel (the default, SHA1, is weaker)
auth SHA256

# Data-channel cipher (the default, BF-CBC, is obsolete)
cipher AES-128-CBC

# If the clients need to see each other as if they were on the same LAN, remove the ; in the next line.
;client-to-client

keepalive 10 120

# Traffic compression. Compressing before encryption leaks information about the plaintext
# (VORACLE-style attacks); remove this line from both the server and the client configurations
# unless you really need it. It must be present on both sides or on neither.
comp-lzo

# Maximum number of simultaneous clients
max-clients 10

# Drop privileges after startup so that a compromised daemon does not run as root
user nobody
group nogroup

# Do not re-read the keys or close/reopen the TUN device on a restart (SIGUSR1, ping-restart);
# that would fail once privileges have been dropped.
persist-key
persist-tun

# Where the status and log files are kept
status openvpn-status.log
log /var/log/openvpn.log

# Log verbosity
verb 3

# Silence repeated messages after this many in a row
mute 20

# To revoke a client certificate, run ./revoke-full <client> in ~/openvpn-ca (it writes keys/crl.pem),
# copy that file to /etc/openvpn/crl.pem and remove the ; in the next line.
;crl-verify /etc/openvpn/crl.pem

# Route all client traffic (the default gateway) through the VPN
push "redirect-gateway def1 bypass-dhcp"

# Hand the clients DNS servers so that DNS queries go through the tunnel too instead of leaking
# to the local network (these are OpenDNS resolvers)
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

If you need to, change the settings according to the comments.
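Several of the directives above matter because OpenVPN 2.3, the version shipped with Ubuntu 16.04, silently falls back to weak defaults when they are missing: no tls-auth, the BF-CBC cipher, a SHA1 HMAC and a daemon that keeps running as root. The script below is an added example, not code from this article or from the OpenVPN project. It audits a server configuration for those settings and shows the weak fallback beside the hardened form; the two configurations inside it are constructed samples, and the "hardened" one is the article's configuration without comp-lzo.

```sh
#!/bin/sh
# Added example (not from the original article): audit an OpenVPN 2.3-style
# server.conf for the settings the article relies on. Pure POSIX sh + awk,
# runs offline on the two constructed samples below.

# Constructed sample 1: the security directives are left out. OpenVPN 2.3 then
# falls back to BF-CBC, a SHA1 HMAC, no tls-auth and a daemon that keeps root.
WEAK_CONF='port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
comp-lzo
verb 3'

# Constructed sample 2: the hardened subset of the article's configuration
# (tls-auth, SHA256 HMAC, AES, privilege drop) with compression left out.
GOOD_CONF='port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
tls-server
tls-auth /etc/openvpn/keys/ta.key 0
auth SHA256
cipher AES-128-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3'

# has_directive CONF NAME: true if an uncommented line starts with NAME.
# OpenVPN treats lines starting with "#" or ";" as comments.
has_directive() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $0 !~ /^[[:space:]]*[#;]/ && $1 == name { found = 1; exit }
        END { exit !found }'
}

# directive_value CONF NAME: print the argument(s) of the first uncommented
# NAME line, or nothing if the directive is absent.
directive_value() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $0 !~ /^[[:space:]]*[#;]/ && $1 == name { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# audit_server_conf CONF: print one finding per line (nothing when clean).
audit_server_conf() {
    conf=$1
    if ! has_directive "$conf" tls-auth; then
        echo "MISSING tls-auth: unauthenticated packets reach the TLS stack (no scan/DoS protection)"
    fi
    case "$(directive_value "$conf" cipher)" in
        AES-128-CBC|AES-192-CBC|AES-256-CBC|AES-128-GCM|AES-256-GCM) ;;
        *) echo "WEAK cipher: absent or not AES (OpenVPN 2.3 defaults to BF-CBC)" ;;
    esac
    case "$(directive_value "$conf" auth)" in
        SHA256|SHA384|SHA512) ;;
        *) echo "WEAK auth: absent or below SHA256 (the default HMAC is SHA1)" ;;
    esac
    if [ "$(directive_value "$conf" user)" != nobody ] ||
       [ "$(directive_value "$conf" group)" != nogroup ]; then
        echo "PRIVILEGE: daemon keeps root after startup (add user nobody / group nogroup)"
    fi
    if has_directive "$conf" comp-lzo; then
        echo "INFO comp-lzo: compressing before encryption leaks plaintext structure (VORACLE); drop it on server and clients unless required"
    fi
}

# finding_count CONF: number of findings as a bare integer.
finding_count() {
    audit_server_conf "$1" | awk 'END { print NR }'
}

# Stand-alone run: audit both samples.
printf '== weak sample (%s findings)\n' "$(finding_count "$WEAK_CONF")"
audit_server_conf "$WEAK_CONF"
printf '== hardened sample (%s findings)\n' "$(finding_count "$GOOD_CONF")"
audit_server_conf "$GOOD_CONF"
```

To audit your real file, replace the sample with `audit_server_conf "$(cat /etc/openvpn/server.conf)"`. The check is deliberately about what the file says, not what the daemon negotiated: `openvpn --show-ciphers` on the server lists what the installed version supports if you want to move to a stronger cipher.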

How to setup the server’s network configuration

Open the file with the network settings:

sudo nano /etc/sysctl.conf

Find the line:

#net.ipv4.ip_forward=1

Remove the # so that the kernel is allowed to forward packets between the tunnel and the public interface:

net.ipv4.ip_forward=1

Save and close the file. Apply the settings with:

sudo sysctl -p

Setup the UFW (optionally)

UFW is a simple front end to iptables, and every Internet-facing Ubuntu server should run a host firewall to limit what is reachable from outside (it will not, on its own, stop a DDoS). Its defaults, however, block both the OpenVPN port and the forwarding of traffic between the tunnel and the public interface, so three changes are needed: a NAT rule, a forwarding policy and an allow rule for the port.

First of all, we need to find out the network’s public interface. To do this, run the command:

ip route | grep default

You will see your default route. The public interface is the word right after dev; in our case it is enp3s0:

default via 192.168.1.254 dev enp3s0  proto static  metric 100

Now open the file with the firewall’s rules:

sudo nano /etc/ufw/before.rules

Add the following block at the very top of the file, above the existing *filter section (each table's rules must end with their own COMMIT). Replace enp3s0 with your interface, and keep the subnet identical to the server line in server.conf (10.8.0.0/24, not /8):

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the OpenVPN subnet as it leaves through the public interface
-A POSTROUTING -s 10.8.0.0/24 -o enp3s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

Save and close the file.
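The two values that get copied wrong in this snippet are the interface name and the prefix length of the VPN subnet. The script below is an added example, not part of this article or of UFW: it derives both from the output of `ip route | grep default` and from the server line of server.conf, converts the dotted netmask into a prefix length and rejects masks that are not a contiguous prefix. The route line and server line inside it are constructed samples; on a real server you would feed it the actual command output.

```sh
#!/bin/sh
# Added example (not part of the original article): build the UFW NAT snippet
# from the server's default route and the "server" line in server.conf, so the
# interface name and prefix length cannot drift from the real values.
# Pure POSIX sh + awk; the two input lines below are constructed samples.

# Constructed sample of `ip route | grep default` output.
ROUTE_LINE='default via 192.168.1.254 dev enp3s0  proto static  metric 100'
# Constructed sample of the "server" directive from the article's server.conf.
SERVER_LINE='server 10.8.0.0 255.255.255.0'

# default_iface ROUTE_LINE: print the interface named after "dev".
default_iface() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# mask_to_prefix DOTTED_MASK: 255.255.255.0 -> 24. Fails on malformed or
# non-contiguous masks (e.g. 255.255.0.255) instead of guessing.
mask_to_prefix() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            bits = 0; seen_zero = 0
            for (i = 1; i <= 4; i++) {
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                for (b = 7; b >= 0; b--) {
                    if (int($i / 2^b) % 2 == 1) {
                        if (seen_zero) exit 1   # a 1 bit after a 0 bit: not a prefix mask
                        bits++
                    } else {
                        seen_zero = 1
                    }
                }
            }
            print bits
        }'
}

# nat_rule SERVER_LINE ROUTE_LINE: the POSTROUTING rule for before.rules.
nat_rule() {
    net=$(printf '%s\n' "$1" | awk '$1 == "server" { print $2 }')
    mask=$(printf '%s\n' "$1" | awk '$1 == "server" { print $3 }')
    iface=$(default_iface "$2")
    [ -n "$net" ] && [ -n "$mask" ] || { echo "no 'server NET MASK' line found" >&2; return 1; }
    [ -n "$iface" ] || { echo "no default route interface found" >&2; return 1; }
    prefix=$(mask_to_prefix "$mask") || { echo "bad netmask: $mask" >&2; return 1; }
    printf '%s POSTROUTING -s %s/%s -o %s -j MASQUERADE\n' "-A" "$net" "$prefix" "$iface"
}

# ufw_nat_block SERVER_LINE ROUTE_LINE: the complete snippet to put at the top
# of /etc/ufw/before.rules, above the existing *filter section.
ufw_nat_block() {
    rule=$(nat_rule "$1" "$2") || return 1
    cat <<EOF
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
$rule
COMMIT
# END OPENVPN RULES
EOF
}

# Stand-alone run: print the snippet for the sample inputs.
ufw_nat_block "$SERVER_LINE" "$ROUTE_LINE"
```

On the server itself, `ufw_nat_block "$(grep '^server ' /etc/openvpn/server.conf)" "$(ip route | grep default)"` prints the block to paste. The netmask validation matters because iptables happily accepts a wrong prefix such as /8, which would masquerade far more than the VPN subnet.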

Now open the UFW config file:

sudo nano /etc/default/ufw

Find the line:

DEFAULT_FORWARD_POLICY="DROP"

Change it to:

DEFAULT_FORWARD_POLICY="ACCEPT"

Save and close the file. Note that this policy allows forwarding between all interfaces, not only to and from the tunnel; the MASQUERADE rule above is limited to the VPN subnet, but if the server also sits on an internal LAN you should narrow forwarding with ufw route rules instead of accepting everything.

Now open the ports for OpenVPN and OpenSSH:

sudo ufw allow 1194/udp
sudo ufw allow OpenSSH

And restart the firewall:

sudo ufw disable
sudo ufw enable

Firewall has been configured.

How to turn the OpenVPN on

Run the command:

sudo systemctl start openvpn@server

Check whether the OpenVPN server is running:

sudo systemctl status openvpn@server

Expected output looks like:

openvpn@server.service - OpenVPN connection to server

Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)

Active: active (running) since Tue 2016-05-03 15:30:05 EDT; 47s ago

Docs: man:openvpn(8)

Make the OpenVPN server start automatically at boot:

sudo systemctl enable openvpn@server

How to create the certificate and the keys for the client

Client is any device that connects to the server. Every client needs its own separate key.

For the first client we will utilize the name client1. You can use any other name, but be aware that you will need to modify the other commands too.

  • To create a certificate whose private key is not password protected:
    cd ~/openvpn-ca
    source vars
    ./build-key client1
  • To create a certificate whose private key is password protected (the user is asked for the passphrase each time the client connects; prefer this for laptops and phones, which can be lost or stolen together with the .ovpn file):
    cd ~/openvpn-ca
    source vars
    ./build-key-pass client1

Press ENTER to all the requests.

Once you see this request:

Certificate is to be certified until May  1 17:51:16 2026 GMT (3650 days)

Sign the certificate? [y/n]:

Press Y.

Once you see this request:

1 out of 1 certificate requests certified, commit? [y/n]

Press Y too.

The keys are successfully created.

How to set up a template for the client configuration files

First of all, you need a folder to keep the client configuration files:

mkdir -p ~/client-configs/files

Then restrict it to its owner, since the files in it will contain private keys:

chmod 700 ~/client-configs/files

You could write each client's configuration by hand, but a base configuration shared by all clients makes generating them much simpler. Start from the sample client configuration shipped with the package:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Open the copied file in a text editor:

nano ~/client-configs/base.conf

Replace its contents with:

client
dev tun
proto udp

# Public IP address (or DNS name) of your OpenVPN server and the port it listens on
remote 111.222.333.444 1194

# Keep retrying to resolve the server name (needed with dynamic DNS)
resolv-retry infinite

# Drop privileges after connecting (Linux and macOS; ignored on Windows)
user nobody
group nogroup

# These lines are commented out because the CA certificate, the client certificate
# and the client key will be embedded in the .ovpn file itself.
#ca /etc/openvpn/keys/ca.crt
#cert /etc/openvpn/keys/client.crt
#key /etc/openvpn/keys/client.key

tls-client

# The tls-auth key is embedded as well; key-direction tells the client to use
# direction 1 (the server uses 0). Do not also point at a file here.
#tls-auth /etc/openvpn/keys/ta.key 1
key-direction 1

# Must match the server
auth SHA256
cipher AES-128-CBC

# Accept only a certificate issued for a server. Without this, any client
# certificate signed by the same CA could impersonate the server.
remote-cert-tls server

# Must match the server (see the note about compression in server.conf)
comp-lzo

persist-key
persist-tun

# A log file only makes sense for Linux clients running OpenVPN as a service;
# Windows and mobile clients keep their own logs.
#status openvpn-status.log
#log /var/log/openvpn.log

verb 3
mute 20

# If your clients run Linux and have the script /etc/openvpn/update-resolv-conf,
# uncomment these lines so that the DNS servers pushed by the server are applied.
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf

Replace 111.222.333.444 with the public IP address (or DNS name) of your server.

Save and close the file.

Now create and open a script that will generate the config files for the clients based on those settings.

nano ~/client-configs/make_config.sh

Change the contents of the file to:

#!/bin/bash

# First argument: client identifier (the name given to ./build-key)

set -euo pipefail

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

if [ $# -ne 1 ]; then
    echo "usage: $0 CLIENT_NAME" >&2
    exit 1
fi

# Refuse to run if any input is missing rather than producing a half-built profile.
for f in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/${1}.crt" "${KEY_DIR}/${1}.key" "${KEY_DIR}/ta.key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; exit 1; }
done

# The output embeds the client's private key: create it readable by the owner only.
umask 077

# Concatenate the base config with the CA certificate, client certificate,
# client key and tls-auth key, each wrapped in the inline tags OpenVPN expects.
cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"

Save and close the file. Make it executable:

chmod 700 ~/client-configs/make_config.sh

How to create the config files for the clients

Launch the script and create the config file for the client1.

cd ~/client-configs
./make_config.sh client1

Check that it was created:

ls ~/client-configs/files

You should see:

client1.ovpn
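Before handing a profile to a client it is worth checking that it is actually self-contained: every inline block present and closed, no leftover ca/cert/key/tls-auth file paths that only exist on the server, key-direction set to go with the embedded tls-auth key, and remote-cert-tls in place. The script below is an added example, not part of this article or of OpenVPN; it lints a profile for exactly those points. The two profiles inside it are constructed samples with placeholder PEM bodies rather than real keys.

```sh
#!/bin/sh
# Added example (not from the original article): lint a generated .ovpn
# profile before shipping it to a client. Pure POSIX sh + awk. The PEM bodies
# below are constructed placeholders, not real certificates or keys.

# Constructed profile in the shape make_config.sh produces.
GOOD_OVPN='client
dev tun
proto udp
remote 111.222.333.444 1194
resolv-retry infinite
#ca /etc/openvpn/keys/ca.crt
#cert /etc/openvpn/keys/client.crt
#key /etc/openvpn/keys/client.key
tls-client
auth SHA256
cipher AES-128-CBC
remote-cert-tls server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>'

# Constructed broken profile: the tls-auth file path was left uncommented,
# key-direction and remote-cert-tls are missing, and <key> was never closed.
BAD_OVPN='client
dev tun
proto udp
remote 111.222.333.444 1194
tls-auth /etc/openvpn/keys/ta.key 1
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
<tls-auth>
PLACEHOLDER
</tls-auth>'

# block_balanced PROFILE NAME: true when exactly one <NAME> and one </NAME>
# line exist and the opening tag comes first.
block_balanced() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $0 == ("<" name ">")  { opens++; open_at = NR }
        $0 == ("</" name ">") { closes++; close_at = NR }
        END { exit !(opens == 1 && closes == 1 && open_at < close_at) }'
}

# has_option PROFILE NAME: true if an uncommented line starts with NAME.
has_option() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $0 !~ /^[[:space:]]*[#;]/ && $1 == name { found = 1; exit }
        END { exit !found }'
}

# lint_profile PROFILE: print one finding per line; nothing when clean.
lint_profile() {
    p=$1
    for blk in ca cert key tls-auth; do
        block_balanced "$p" "$blk" || echo "BLOCK <$blk>: missing, duplicated or unclosed"
    done
    for opt in ca cert key tls-auth; do
        if has_option "$p" "$opt"; then
            echo "PATH $opt: file directive left uncommented; the profile must be fully inline to be portable"
        fi
    done
    has_option "$p" remote || echo "MISSING remote: no server address"
    has_option "$p" remote-cert-tls || echo "MISSING remote-cert-tls server: another client's certificate could impersonate the server"
    if block_balanced "$p" tls-auth && ! has_option "$p" key-direction; then
        echo "MISSING key-direction 1: an inline <tls-auth> block needs the client key direction"
    fi
    return 0
}

# lint_count PROFILE: number of findings as a bare integer.
lint_count() { lint_profile "$1" | awk 'END { print NR }'; }

# Stand-alone run: show the findings for the broken sample.
lint_profile "$BAD_OVPN"
printf 'broken: %s findings, good: %s findings\n' "$(lint_count "$BAD_OVPN")" "$(lint_count "$GOOD_OVPN")"
```

For a real file use `lint_profile "$(cat ~/client-configs/files/client1.ovpn)"`. The uncommented tls-auth path is the subtle one: OpenVPN may still connect because the inline block appended later wins, but the profile then silently depends on a file that only exists on the server.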

How to transfer the configuration files to the client

There are many ways to transfer the configuration file to the client device. The safest are SFTP and SCP, since both run over SSH. We already have OpenSSH on the server, and it supports SFTP. Remember that the .ovpn file contains the client's private key: do not send it by e-mail or through a third-party file-sharing service.

  • If your client is a Linux or Mac PC, a single command copies the configuration file to the client's home directory:
sftp USERNAME_ON_THE_SERVER@SERVER's_IP_ADDRESS:client-configs/files/client1.ovpn ~/
  • If your client is a Windows PC, use FileZilla.
    • Open FileZilla.
    • Find the Quickconnect bar at the top of the window.
    • Under Host, enter sftp://SERVER's_IP_ADDRESS.
    • Under Username, enter the username of your Ubuntu account on the server.
    • Under Password, enter the password of that account.
    • Under Port, enter 22.
    • Press Quickconnect.
    • FileZilla will warn that it does not know the host's key. Compare the fingerprint it shows with the server's own (on the server, run ssh-keygen -lf on each /etc/ssh/ssh_host_*_key.pub file) and press OK only if they match; otherwise you may be handing your key to a machine in the middle.
    • Go to client-configs/files/
    • Download the file client1.ovpn to your PC.
  • If your client is an iOS device, install FTPManager. Then open sftp://USERNAME_ON_THE_SERVER@SERVER's_IP_ADDRESS:client-configs/files/ and download client1.ovpn to the device.
  • If your client is an Android device, install AndFTP. Then open sftp://USERNAME_ON_THE_SERVER@SERVER's_IP_ADDRESS:client-configs/files/ and download client1.ovpn to the device.