How to Install and Configure OpenVPN Server on Ubuntu

In this guide, we will explore how to install and configure an OpenVPN server on Ubuntu.

What is OpenVPN?

OpenVPN is an open-source software used to establish a Virtual Private Network (VPN). It enables users to create secure and encrypted connections over the internet, safeguarding personal information from online threats.

Here are some key features and information about the OpenVPN Server:

  • Open Source and Free: OpenVPN is an open-source project, meaning its source code is publicly available and can be modified and developed freely.
  • Cross-Platform Support: OpenVPN supports multiple operating systems such as Windows, macOS, Linux, and mobile devices running platforms like Android and iOS.
  • High Security: OpenVPN employs robust encryption protocols like SSL/TLS to protect data transmitted over the network. This helps users avoid attacks such as Man-in-the-Middle (MITM) and keeps their data secure.
  • Strong Customization Support: OpenVPN allows administrators to configure and fine-tune various parameters such as IP address allocation, certificate management, and firewall rules.
  • Remote Access Support: OpenVPN supports remote access, enabling users to access their internal network securely from anywhere in the world via the Internet.
  • Powerful Authentication System: OpenVPN supports multiple authentication methods, including username/password and two-factor authentication (2FA), enhancing the security layer.
  • Multi-Channel Support and Automatic Reconnection: OpenVPN can run on multiple ports (including both TCP and UDP) and automatically reconnects in case of connection interruptions.
  • Easy Configuration and Management: OpenVPN provides graphical management tools and a command-line interface, making it easy for administrators to configure and manage the server.


Prerequisites

  • Server: A physical server or a VPS server with a public static IP address
  • OS: Ubuntu 23 | Ubuntu 22.04 LTS | Ubuntu 22.10 | Ubuntu 21.04 | Ubuntu 20.04 LTS | Ubuntu 18.04 LTS
  • User privileges: root or non-root user with root privileges.

Step 1 – Update system

Before installing, update the system package lists so that the latest versions are installed:

sudo apt update

Step 2 – Check the IP of the system

ifconfig


In this example, my server address is 45.76.193.205

Step 3 – Download the OpenVPN script

First, create a folder named OpenVPN in the /mnt directory using the following command:

sudo mkdir /mnt/OpenVPN

Then move into that folder:

cd /mnt/OpenVPN

Next, download the openvpn-install.sh script

sudo wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh


Step 4 – Install OpenVPN Server on Ubuntu

First, grant execute permissions to the openvpn-install.sh script

sudo chmod +x openvpn-install.sh


Then execute the openvpn-install.sh script as root to install the OpenVPN server on your system:

sudo ./openvpn-install.sh

The first time you run it, you’ll need to answer some questions to set up your VPN server, as shown below.


root@ubuntu:~/OpenVPN# ./openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-instal

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 45.76.193.205 <= Verify the IP address in step 2, if correct, hit Enter

Checking for IPv6 connectivity…

Your host does not appear to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n

What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 1 <= Keep default and hit Enter

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn’t use TCP.
1) UDP
2) TCP
Protocol [1-2]: 1 <= Keep default and hit Enter

What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Anycast: worldwide)
12) NextDNS (Anycast: worldwide)
13) Custom
DNS [1-12]: 9 <= Choose the DNS Server you want to use (I chose Google – type 9) and hit Enter.

Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n <= Keep default and hit Enter

Do you want to customize encryption settings?
Unless you know what you’re doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN’s defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: y <= Type Y and hit Enter

Choose which cipher you want to use for the data channel:
1) AES-128-GCM (recommended)
2) AES-192-GCM
3) AES-256-GCM
4) AES-128-CBC
5) AES-192-CBC
6) AES-256-CBC
Cipher [1-6]: 1 <= Keep default and hit Enter

Choose what kind of certificate you want to use:
1) ECDSA (recommended)
2) RSA
Certificate key type [1-2]: 1 <= Keep default and hit Enter

Choose which curve you want to use for the certificate’s key:
1) prime256v1 (recommended)
2) secp384r1
3) secp521r1
Curve [1-3]: 1 <= Keep default and hit Enter

Choose which cipher you want to use for the control channel:
1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)
2) ECDHE-ECDSA-AES-256-GCM-SHA384
Control channel cipher [1-2]: 1 <= Keep default and hit Enter

Choose what kind of Diffie-Hellman key you want to use:
1) ECDH (recommended)
2) DH
DH key type [1-2]: 1 <= Keep default and hit Enter

Choose which curve you want to use for the ECDH key:
1) prime256v1 (recommended)
2) secp384r1
3) secp521r1
Curve [1-3]: 1 <= Keep default and hit Enter

The digest algorithm authenticates tls-auth packets from the control channel.
Which digest algorithm do you want to use for HMAC?

1) SHA-256 (recommended)
2) SHA-384
3) SHA-512
Digest algorithm [1-3]: 1 <= Keep default and hit Enter

You can add an additional layer of security to the control channel with tls-auth and tls-crypt
tls-auth authenticates the packets, while tls-crypt authenticate and encrypt them.

1) tls-crypt (recommended)
2) tls-auth
Control channel additional security mechanism [1-2]: 1 <= Keep default and hit Enter

… … …

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: client-01 <= Create a new client profile (detail in step 5)

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1 <= Keep default ( Don’t set a password for the configuration file) and hit Enter

  • Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
  • Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
  • The preferred location for ‘vars’ is within the PKI folder.
    To silence this message move your ‘vars’ file to your PKI
    or declare your ‘vars’ file with option: --vars=

Notice

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client-01.req
key: /etc/openvpn/easy-rsa/pki/private/client-01.key
Using configuration from /etc/openvpn/easy-rsa/pki/3a799923/temp.3321711b
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
commonName :ASN.1 12:'client-01'
Certificate is to be certified until Jan 14 07:28:23 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Notice

Certificate created at:

  • /etc/openvpn/easy-rsa/pki/issued/client-01.crt

Notice

Inline file created:

  • /etc/openvpn/easy-rsa/pki/inline/client-01.inline
    Client client-01 added. <= client-01 has been created

The configuration file has been written to /root/client-01.ovpn. <= Location to store client profile
Download the .ovpn file and import it in your OpenVPN client.
root@ubuntu:~/OpenVPN#

After running the openvpn-install.sh script, the OpenVPN server is set up on your system. Next, start OpenVPN and enable it to launch every time the system boots:

sudo systemctl start openvpn@server.service

sudo systemctl enable openvpn@server.service

Check the status of the OpenVPN service to ensure it is running:

sudo systemctl status openvpn@server.service

And if you want to stop the OpenVPN service, run the following command:

sudo systemctl stop openvpn@server.service
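
To confirm that the server config matches the recommended answers in the wizard, the check below (an added example, not part of the original guide or the installer) scans a config for compression, a non-GCM data cipher, the control-channel key type and CRL checking. The function name and both embedded configs are constructed; on a real host pass the path of the generated config, assumed here to be /etc/openvpn/server.conf.

```bash
#!/usr/bin/env bash
# Audit an OpenVPN server config against the recommended wizard answers.
# Prints one finding per line; pass a path, or "-" to read stdin.
audit_openvpn_conf() {
    awk '
        /^[ \t]*([#;]|$)/ { next }            # skip comments and blank lines
        { key = $1 }
        # Any compression directive brings back the VORACLE exposure
        (key == "compress" || key == "comp-lzo") && $2 != "no" {
            print "compression enabled: " $0
        }
        key == "cipher" {
            seen_cipher = 1
            if (toupper($2) !~ /-GCM$/) print "data cipher is not AES-GCM: " $2
        }
        key == "tls-crypt"  { wrap = "crypt" }
        key == "tls-auth"   { if (wrap == "") wrap = "auth" }
        key == "crl-verify" { crl = 1 }
        END {
            if (!seen_cipher)   print "no explicit cipher directive"
            if (wrap == "")     print "control channel has no tls-crypt or tls-auth key"
            if (wrap == "auth") print "tls-auth only authenticates, tls-crypt also encrypts"
            if (!crl)           print "crl-verify missing, revoked clients are still accepted"
        }
    ' "${1:--}"
}

# Constructed sample: directives matching the recommended answers
sample_recommended() {
    cat <<'EOF'
tls-crypt tls-crypt.key
crl-verify crl.pem
auth SHA256
cipher AES-128-GCM
EOF
}

# Constructed sample: the same file after drifting from those answers
sample_drifted() {
    cat <<'EOF'
# compression turned on at the "Enable compression?" prompt
compress lz4-v2
tls-auth tls-auth.key 0
cipher AES-128-CBC
EOF
}

sample_recommended | audit_openvpn_conf -   # prints nothing
sample_drifted | audit_openvpn_conf -       # prints four findings
```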

Step 5 – Add new Client profiles

To create a new client profile, rerun the openvpn-install.sh script and answer the prompts as follows:

root@ubuntu:~/OpenVPN# ./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install

It looks like OpenVPN is already installed.

What do you want to do?
1) Add a new user
2) Revoke existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]: 1 <= Select 1 (Add a new user) and press Enter to create a new client

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: client-02 <= Enter a name for the client you want to create and press Enter

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1 <= hit Enter

  • Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
  • Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
  • The preferred location for ‘vars’ is within the PKI folder.
    To silence this message move your ‘vars’ file to your PKI
    or declare your ‘vars’ file with option: --vars=

Notice

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client-02.req
key: /etc/openvpn/easy-rsa/pki/private/client-02.key
Using configuration from /etc/openvpn/easy-rsa/pki/7acceada/temp.e8be78da
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
commonName :ASN.1 12:'client-02'
Certificate is to be certified until Jan 14 09:10:32 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Notice

Certificate created at:

  • /etc/openvpn/easy-rsa/pki/issued/client-02.crt

Notice

Inline file created:

  • /etc/openvpn/easy-rsa/pki/inline/client-02.inline
    Client client-02 added. <= client-02 has been created

The configuration file has been written to /root/client-02.ovpn. <= Location to store client profile
Download the .ovpn file and import it in your OpenVPN client.
root@ubuntu:~/OpenVPN#
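
Both profiles above were created with option 1 (passwordless client), so the private key in each .ovpn file is not encrypted and the file alone is enough to connect. The check below is an added example, not part of the original guide or the installer; the function names and the embedded profile are constructed, and it assumes the profile carries its key in an inline <key> block.

```bash
#!/usr/bin/env bash
# Echo how the inline private key of an .ovpn profile is protected:
# "encrypted", "plaintext", or "none" when there is no <key> block.
ovpn_key_state() {
    awk '
        /^<key>/   { inkey = 1; found = 1; next }
        /^<\/key>/ { inkey = 0 }
        # PKCS#8 encrypted header, or legacy PEM carrying a Proc-Type line
        inkey && /BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED/ { enc = 1 }
        END { print (!found ? "none" : enc ? "encrypted" : "plaintext") }
    ' "$1"
}

# Succeed only when group and others have no access to the file.
ovpn_is_private() {
    # ls -ld prints e.g. "-rw-r--r--"; characters 5-10 are the group/other bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one finding per problem; print nothing for a well-protected profile.
audit_ovpn_profile() {
    state=$(ovpn_key_state "$1")
    [ "$state" = "plaintext" ] && echo "$1: private key has no passphrase"
    ovpn_is_private "$1" || echo "$1: readable by group/others, chmod 600 it"
    return 0
}

# Constructed sample: a passwordless profile left world-readable.
# The key body is a placeholder, not real key material.
make_demo_profile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
client
remote 45.76.193.205 1194
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder)
-----END PRIVATE KEY-----
</key>
EOF
    chmod 644 "$f"
    echo "$f"
}

demo=$(make_demo_profile)
audit_ovpn_profile "$demo"
rm -f "$demo"
```

Choosing option 2 (Use a password for the client) at the prompt is what moves a profile from "plaintext" to "encrypted" in this check.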

That’s all. Through this article, we have created an OpenVPN server on Ubuntu by ourselves.
