Setting up an OpenVPN server on an Ubuntu machine requires several steps, from installing necessary packages to configuring server settings and client certificates. This tutorial will guide you through the process, ensuring that your OpenVPN server is configured securely and ready for use.
Prerequisites
Before starting, ensure that you have the following:
- Ubuntu server (18.04 or newer)
- Root or sudo access to the server
- A static IP address or a hostname pointing to your server
- Access to your firewall settings
Step 1: Install OpenVPN and Easy-RSA
The first step is to install OpenVPN and Easy-RSA, a tool that simplifies the process of creating your own Certificate Authority (CA).
sudo apt update
sudo apt install openvpn easy-rsa
Step 2: Set Up Easy-RSA for Certificate Generation
Now that Easy-RSA is installed, we will set it up to generate certificates for your server and clients.
make-cadir /openvpn-ca
cd /openvpn-ca
Edit the Easy-RSA variables to match your environment:
nano vars
Update the following lines with appropriate values for your server:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="MyVPN"
export KEY_EMAIL="youremail@example.com"
export KEY_OU="MyVPN"
Step 3: Build the Certificate Authority
With the variables configured, you can now build the CA. This generates the CA certificate and private key that will sign the server and client certificates in the following steps.
source vars
./clean-all
./build-ca
Step 4: Generate Server and Client Keys
After setting up the CA, you can generate keys for the server and client. First, generate the server key:
./build-key-server server
Next, generate the client key:
./build-key client
Step 5: Generate Diffie-Hellman Parameters
Next, generate the Diffie-Hellman parameters, which will be used for key exchange between the server and client:
./build-dh
Step 6: Set Up the OpenVPN Server Configuration
Now it’s time to create the OpenVPN server configuration file. Copy the sample server configuration to the OpenVPN directory:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
Edit the configuration file to customize it for your setup:
sudo nano /etc/openvpn/server.conf
Uncomment and adjust the following lines as needed:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
user nobody
group nogroup
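OpenVPN ignores lines beginning with ";" or "#", so a directive that is still commented out simply does nothing: the daemon keeps running as root, or the default route is never pushed. The following shell script is an added example, not part of the original tutorial, that checks a server.conf for the four directives named above; the two sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that the Step 6 directives are active in server.conf.
# Returns 0 if every required directive is present and uncommented, 1 otherwise.
check_server_conf() {
    conf="$1"
    status=0
    # The directives the tutorial asks you to uncomment; user/group make the
    # daemon drop root privileges after it has opened the tun device.
    set -- 'push "redirect-gateway def1 bypass-dhcp"' \
           'push "dhcp-option DNS 8.8.8.8"' \
           'user nobody' \
           'group nogroup'
    for directive; do
        # Drop comment lines first, so ";user nobody" is not mistaken for active.
        if grep -Ev '^[[:space:]]*[#;]' "$conf" | grep -qF -- "$directive"; then
            echo "OK       $directive"
        else
            echo "MISSING  $directive"
            status=1
        fi
    done
    return "$status"
}

workdir=$(mktemp -d)
GOOD_CONF="$workdir/server-good.conf"
BAD_CONF="$workdir/server-bad.conf"

# Constructed sample: the directives uncommented as the tutorial intends.
cat > "$GOOD_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
user nobody
group nogroup
EOF

# Constructed sample: the privilege-drop lines left commented, as shipped.
cat > "$BAD_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
;user nobody
;group nogroup
EOF

check_server_conf "$GOOD_CONF"
check_server_conf "$BAD_CONF" || echo "fix $BAD_CONF before starting openvpn@server"
```

Run it against the real file with check_server_conf /etc/openvpn/server.conf before Step 9; a non-zero exit means at least one directive is still commented out.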
Step 7: Enable IP Forwarding
To allow traffic to pass between the VPN and your network, you need to enable IP forwarding:
sudo nano /etc/sysctl.conf
Uncomment the following line:
net.ipv4.ip_forward=1
Apply the changes:
sudo sysctl -p
Step 8: Configure the Firewall
Make sure your firewall allows OpenVPN traffic and forwards it appropriately. If you’re using UFW (Uncomplicated Firewall), use the following commands:
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw enable
To ensure that your firewall forwards the VPN traffic, add this rule (replace eth0 with the name of your server's public network interface if it differs):
sudo ufw route allow in on tun0 out on eth0
Step 9: Start the OpenVPN Server
Finally, start the OpenVPN server:
sudo systemctl start openvpn@server
To ensure the OpenVPN server starts automatically on boot, enable it using:
sudo systemctl enable openvpn@server
Step 10: Set Up Client Configuration
To connect to the OpenVPN server, the client needs its own configuration file. Copy the client configuration template to the client machine:
scp /etc/openvpn/client.conf user@client:/etc/openvpn
Edit the client configuration file to include the server’s IP address and adjust the paths to the client certificates:
sudo nano /etc/openvpn/client.conf
Step 11: Test the VPN Connection
Now that the server and client configurations are set up, you can test the VPN connection. On the client machine, run:
sudo openvpn --config /etc/openvpn/client.conf
If everything is set up correctly, the client will connect to the OpenVPN server and its public IP address, as seen by external sites, should now be the server's IP.