Install and configure OpenVPN on Ubuntu 16.04


In this tutorial, we will explain how to install and configure OpenVPN, one of the most popular VPN software solutions, on an Ubuntu 16.04 VPS, covering both the server side and the client side. This guide should work on other Linux VPS systems as well, but it was tested and written for an Ubuntu 16.04 VPS.

Log in to your VPS via SSH

ssh user@vps

Install necessary packages

Update the system

sudo apt-get update && sudo apt-get -y upgrade

and install OpenVPN.

sudo apt-get install openvpn openssl

Generate local certificate authority

First, generate the Diffie-Hellman parameters. This command can take a while to run depending on the server.

sudo openssl dhparam -out /etc/openvpn/dh.pem 2048

Generate the ca.pem (certificate authority) file:

sudo openssl genrsa -out /etc/openvpn/ca-key.pem 2048
sudo chmod 600 /etc/openvpn/ca-key.pem
sudo openssl req -new -key /etc/openvpn/ca-key.pem -out /etc/openvpn/ca-csr.pem -subj /CN=OpenVPN-CA/
sudo openssl x509 -req -in /etc/openvpn/ca-csr.pem -out /etc/openvpn/ca.pem -signkey /etc/openvpn/ca-key.pem -days 365
sudo echo 01 > /etc/openvpn/

Configure OpenVPN server

The following commands will generate a server certificate and key:

sudo openssl genrsa -out /etc/openvpn/server-key.pem 2048
sudo chmod 600 /etc/openvpn/server-key.pem
sudo openssl req -new -key /etc/openvpn/server-key.pem -out /etc/openvpn/server-csr.pem -subj /CN=OpenVPN/
sudo openssl x509 -req -in /etc/openvpn/server-csr.pem -out /etc/openvpn/server-cert.pem -CA /etc/openvpn/ca.pem -CAkey /etc/openvpn/ca-key.pem -days 365

Create server configuration file:

sudo nano /etc/openvpn/server.conf

verb 3
key server-key.pem
ca ca.pem
cert server-cert.pem
dh dh.pem
keepalive 10 120
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"

user nobody
group nogroup

proto udp
port 1194
dev tun1194
status openvpn-status.log

Save the file, then enable and start the OpenVPN service with:

sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server

Note: If you are running an OpenVZ-based VPS, open the /lib/systemd/system/openvpn\@.service file and comment out the LimitNPROC=10 line.

Add the following iptables rule so that traffic can leave the VPN. Replace eth0 with the public network interface of your server.

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Note: If you are running an OpenVZ-based VPS, add the following rule instead of the one above:

iptables -t nat -A POSTROUTING -s -j SNAT --to-source <YOUR_SERVER_IP>

Finally, we also need to allow IP forwarding:

sudo sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

OpenVPN client configuration

The following commands will generate a client certificate and key:

sudo openssl genrsa -out /etc/openvpn/client-key.pem 2048
sudo chmod 600 /etc/openvpn/client-key.pem
sudo openssl req -new -key /etc/openvpn/client-key.pem -out /etc/openvpn/client-csr.pem -subj /CN=OpenVPN-Client/
sudo openssl x509 -req -in /etc/openvpn/client-csr.pem -out /etc/openvpn/client-cert.pem -CA /etc/openvpn/ca.pem -CAkey /etc/openvpn/ca-key.pem -days 36525

Next, copy the following files to your client machine


and start your OpenVPN client with the following configuration.

dev tun
redirect-gateway def1 bypass-dhcp
remote <YOUR_SERVER_IP> 1194 udp
comp-lzo yes

key /etc/openvpn/client-key.pem
cert /etc/openvpn/client-cert.pem
ca /etc/openvpn/ca.pem

Do not forget to replace <YOUR_SERVER_IP> with your OpenVPN server IP address.
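
The following is an added example, not part of the original tutorial: a POSIX shell function that audits the key and certificate files generated above (key mode, key/certificate pairing, signature by ca.pem, and expiry, which matters because the CA and server certificates are issued with -days 365). The names check_pki and make_sample_pki and the 30-day warning window are assumptions; make_sample_pki builds a constructed throwaway PKI so the check can be tried outside /etc/openvpn.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes Linux (GNU stat) and openssl.
# check_pki and make_sample_pki are hypothetical helper names.

check_pki() {
    dir=$1; name=$2; rc=0
    key="$dir/$name-key.pem"; cert="$dir/$name-cert.pem"; ca="$dir/ca.pem"

    # 1. The private key must be accessible by its owner only (the guide uses chmod 600).
    mode=$(stat -c %a "$key")
    case $mode in 600|400) ;; *) echo "FAIL $key has mode $mode"; rc=1 ;; esac

    # 2. The certificate and the private key must contain the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL $cert does not match $key"; rc=1; }

    # 3. The certificate must verify against the local CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL $cert does not verify against $ca"; rc=1; }

    # 4. Neither certificate may expire within the next 30 days (assumed window).
    for c in "$ca" "$cert"; do
        openssl x509 -in "$c" -noout -checkend $((30 * 86400)) >/dev/null ||
            { echo "FAIL $c expires within 30 days"; rc=1; }
    done
    return $rc
}

# Constructed sample input: a throwaway CA and server certificate in directory $1,
# with the server certificate valid for $2 days. Assumption: the sample CA is
# marked CA:TRUE explicitly so that verification does not depend on the OpenSSL version.
make_sample_pki() {
    pki=$1; days=$2
    printf 'basicConstraints=critical,CA:TRUE\n' > "$pki/ca.ext"
    openssl genrsa -out "$pki/ca-key.pem" 2048 2>/dev/null
    openssl req -new -key "$pki/ca-key.pem" -out "$pki/ca-csr.pem" -subj /CN=OpenVPN-CA
    openssl x509 -req -in "$pki/ca-csr.pem" -out "$pki/ca.pem" \
        -signkey "$pki/ca-key.pem" -extfile "$pki/ca.ext" -days 365 2>/dev/null
    openssl genrsa -out "$pki/server-key.pem" 2048 2>/dev/null
    chmod 600 "$pki/server-key.pem"
    openssl req -new -key "$pki/server-key.pem" -out "$pki/server-csr.pem" -subj /CN=OpenVPN
    openssl x509 -req -in "$pki/server-csr.pem" -out "$pki/server-cert.pem" \
        -CA "$pki/ca.pem" -CAkey "$pki/ca-key.pem" -CAcreateserial -days "$days" 2>/dev/null
}
```

On the server, run check_pki /etc/openvpn server and check_pki /etc/openvpn client as root, since the key files are only readable by their owner.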

That’s it. You have successfully installed and configured an OpenVPN server on your Ubuntu 16.04 VPS.

Of course, you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to set this up for you. They are available 24×7 and will take care of your request immediately.

  • Jean-Francois Messier

    Now, what do I have to do to make it using a port and protocol that is SSH/TLS-compliant in order to look exactly like a real HTTPS connection, so that it goes through a firewall that does DPI (Deep Packet Inspection)? Someone I know has an issue getting out of his office network through 443/TCP, because their firewall performs DPI to ensure that what goes through is HTTPS-compliant.