X
    Categories Tutorials

Install and configure OpenVPN on Ubuntu 16.04

In this tutorial, we will explain how to install and configure an OpenVPN server which is one of the most popular VPN software solutions on an Ubuntu 16.04 VPS, on both server-side and client-side. This guide should work on other Linux VPS systems as well but was tested and written for Ubuntu 16.04 VPS.

Login to your VPS via SSH

ssh user@vps

Install necessary packages

Update the system

sudo apt-get update && sudo apt-get -y upgrade

and install OpenVPN.

sudo apt-get install openvpn openssl

Generate local certificate authority

First, generate the Diffie-Hellman parameters. This command can take a while to run depending on the server.

openssl dhparam -out /etc/openvpn/dh.pem 2048

Generate ca.pem  (certificate authority) file:

sudo openssl genrsa -out /etc/openvpn/ca-key.pem 2048
sudo chmod 600 /etc/openvpn/ca-key.pem
sudo openssl req -new -key /etc/openvpn/ca-key.pem -out /etc/openvpn/ca-csr.pem -subj /CN=OpenVPN-CA/
sudo openssl x509 -req -in /etc/openvpn/ca-csr.pem -out /etc/openvpn/ca.pem -signkey /etc/openvpn/ca-key.pem -days 365
sudo echo 01 > /etc/openvpn/ca.srl

Configure OpenVPN server

The following commands will generate a server certificate and key:

sudo openssl genrsa -out /etc/openvpn/server-key.pem 2048
sudo chmod 600 /etc/openvpn/server-key.pem
sudo openssl req -new -key /etc/openvpn/server-key.pem -out /etc/openvpn/server-csr.pem -subj /CN=OpenVPN/
sudo openssl x509 -req -in /etc/openvpn/server-csr.pem -out /etc/openvpn/server-cert.pem -CA /etc/openvpn/ca.pem -CAkey /etc/openvpn/ca-key.pem -days 365

Create server configuration file:

sudo nano /etc/openvpn/server.conf
server 10.8.0.0 255.255.255.0
verb 3
key server-key.pem
ca ca.pem
cert server-cert.pem
dh dh.pem
keepalive 10 120
persist-key
persist-tun
comp-lzo
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

user nobody
group nogroup

proto udp
port 1194
dev tun1194
status openvpn-status.log

save the file and enable and start the OpenVPN service with:

sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server

Note: If you are running an openvz based VPS
open the /lib/systemd/system/openvpn\@.service file and comment the LimitNPROC=10 line

Add the following iptables rule so that traffic can leave the VPN. Change the eth0 with the public network interface of your server.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Note: If you are running an openvz based VPS
instead of the rule above add: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source <YOUR_SERVER_IP>

Finally, we also need to allow IP forwarding:

sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward

OpenVPN client configuration

The following commands will generate a client certificate and key:

openssl genrsa -out /etc/openvpn/client-key.pem 2048
chmod 600 /etc/openvpn/client-key.pem
openssl req -new -key /etc/openvpn/client-key.pem -out /etc/openvpn/client-csr.pem -subj /CN=OpenVPN-Client/
openssl x509 -req -in /etc/openvpn/client-csr.pem -out /etc/openvpn/client-cert.pem -CA /etc/openvpn/ca.pem -CAkey /etc/openvpn/ca-key.pem -days 36525

Next, copy the following files to your client machine

/etc/openvpn/ca.pem
/etc/openvpn/client-cert.pem
/etc/openvpn/client-key.pem

and start your OpenVPN client with the following configuration.

client
nobind
dev tun
redirect-gateway def1 bypass-dhcp
remote  1194 udp
comp-lzo yes

key /etc/openvpn/client-key.pem
cert /etc/openvpn/client-cert.pem
ca /etc/openvpn/ca.pem


Do not forget to change <YOUR_SERVER_IP> with your OpenVPN server IP address.

That’s it. You have successfully installed a configured an OpenVPN server on your Ubuntu 16.04 VPS.


Of course, you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to setup this for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

View Comments

  • Now, what do I have to do to make it using a port and protocol that is SSH/TLS-compliant in order to look exactly like a real HTTPS connection, so that it goes through a firewall that does DPI (Deep Packet Inspection) ? Someone I know has an issue getting out of his office network through 443/TCP, because their firewall performs DPI to ensure that what goes through is HTTPS-compliant.

    • What you are looking for is probably you will need to configure your OpenVPN server to use a third party PKI (Public Key Infrastructure) and use proper and valid SSL certificates. Of course this is out of the scope of this guide, but you may find more information reading the OpenVPN documentation: https://docs.openvpn.net/docs/access-server/openvpn-access-server-external-pki-guide.html