By Hafiz Ali | Linux System Administrator with 8+ years experience managing Ubuntu servers and VPN infrastructure. Certified RHCE and Ubuntu Server Specialist.
OpenVPN Server Setup on Ubuntu 22.04/24.04: Complete 2025 Guide
Last updated: December 2024 | Tested on Ubuntu 22.04 LTS and 24.04 LTS
OpenVPN is a mature, widely deployed VPN for Linux servers. This guide walks through setting up a production-ready OpenVPN server on Ubuntu using Easy-RSA 3 (the version Ubuntu 22.04 and 24.04 ship), a hardened server configuration, and per-client certificates that can be revoked individually.
Prerequisites
- Ubuntu 22.04 or 24.04 server with root/sudo access
- Static IP address configured on your server
- Port 1194/UDP open in firewall (or customize to your preferred port)
- Domain name or static public IP for client connections
Step 1: Update System and Install OpenVPN
First, ensure your system is updated and install OpenVPN along with Easy-RSA for certificate management:
# Update package list and upgrade system
sudo apt update && sudo apt upgrade -y
# Install OpenVPN and Easy-RSA
sudo apt install openvpn easy-rsa -y
Step 2: Set Up PKI (Public Key Infrastructure)
OpenVPN authenticates the server and every client with X.509 certificates issued by your own CA. Ubuntu 22.04 and 24.04 ship Easy-RSA 3, which is driven by a single easyrsa script and keeps the CA, certificates and keys under one pki/ directory (the Easy-RSA 2 build-* helpers no longer exist). Work in a copy outside /usr/share so package upgrades never touch your CA:
# Make PKI directory; only you should be able to read it, the CA key will live here
mkdir -p ~/easy-rsa && chmod 700 ~/easy-rsa
# Copy the Easy-RSA 3 script, config template and x509 types
cp -r /usr/share/easy-rsa/* ~/easy-rsa/
# Navigate to directory
cd ~/easy-rsa
Configure PKI Variables
Easy-RSA 3 reads its settings from a vars file next to the easyrsa script; the file is not sourced into your shell. Start from the shipped template and set the distinguished-name defaults for your organization (the certificate name itself is given on the command line in the next step):
# Create vars from the template and edit it
cp vars.example vars
nano vars
# Add these lines at the end (customize for your organization):
set_var EASYRSA_REQ_COUNTRY  "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY     "San Francisco"
set_var EASYRSA_REQ_ORG      "Your Organization"
set_var EASYRSA_REQ_EMAIL    "admin@yourdomain.com"
set_var EASYRSA_REQ_OU       "IT"
Step 3: Generate Certificates and Keys
Initialize an empty PKI, build the Certificate Authority, then issue and sign the server certificate. Give the CA key a passphrase when asked: it is the one secret that lets anyone mint valid client certificates.
# Create the empty pki/ tree (this wipes any existing pki/ in this directory)
./easyrsa init-pki
# Build the Certificate Authority (prompts for a CA passphrase and a Common Name)
./easyrsa build-ca
# Server key and certificate request; nopass because the service must start unattended
./easyrsa gen-req server nopass
# Sign the request as a *server* certificate (sets the serverAuth EKU that clients check with remote-cert-tls)
./easyrsa sign-req server server
# Generate Diffie-Hellman parameters (written to pki/dh.pem; this takes a while)
./easyrsa gen-dh
# Generate the tls-auth HMAC key (OpenVPN 2.5+ syntax)
openvpn --genkey secret pki/ta.key
Step 4: Configure OpenVPN Server
Copy the CA certificate, server certificate and key, DH parameters and HMAC key into /etc/openvpn/server/, the directory the openvpn-server@ systemd unit reads from. The DH file is renamed to the name used in server.conf below:
# Copy certificates to OpenVPN
sudo cp ~/easy-rsa/pki/ca.crt ~/easy-rsa/pki/issued/server.crt ~/easy-rsa/pki/private/server.key ~/easy-rsa/pki/ta.key /etc/openvpn/server/
sudo cp ~/easy-rsa/pki/dh.pem /etc/openvpn/server/dh2048.pem
# Private material stays root-only; OpenVPN reads it before dropping privileges
sudo chmod 600 /etc/openvpn/server/server.key /etc/openvpn/server/ta.key
Create the log directory and the server configuration file:
# Create log directory and server configuration
sudo mkdir -p /var/log/openvpn
sudo nano /etc/openvpn/server/server.conf
Add the following configuration:
# Basic Configuration
port 1194
proto udp
dev tun
# Certificate Files (paths are relative to /etc/openvpn/server)
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Network Settings
server 10.8.0.0 255.255.255.0
# One address per client instead of the deprecated net30 /30 pairs
topology subnet
push "redirect-gateway def1 bypass-dhcp"
# Ping every 10 s, declare a peer dead after 120 s (keeps NAT mappings alive)
keepalive 10 120
# DNS Settings (pushed so full-tunnel clients do not keep using their LAN resolver)
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Security
tls-auth ta.key 0
# Data channel: AEAD ciphers only, negotiated per client (OpenVPN 2.5+); no CBC fallback,
# so clients must run OpenVPN 2.4 or newer
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
# HMAC for the tls-auth control channel (AEAD data ciphers authenticate themselves)
auth SHA256
tls-version-min 1.2
# TLS 1.2 suite for the control channel; TLS 1.3 peers use its own secure default suites
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# Drop privileges after start-up; keep key and tun device across SIGUSR1 restarts
user nobody
group nogroup
persist-key
persist-tun
# Logging
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
# Security Hardening
reneg-sec 3600
# Only accept peers whose certificate carries the client EKU (a stolen server cert cannot be used as a client)
remote-cert-tls client
Step 5: Enable IP Forwarding and Configure Firewall
Enable IP forwarding so the server routes client traffic. A drop-in under /etc/sysctl.d survives upgrades and does not grow a duplicate line every time you re-run it:
# Enable IP forwarding
echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-openvpn-forward.conf
sudo sysctl --system
Configure UFW to allow OpenVPN traffic. UFW's default forward policy is DROP, so forwarding from tun0 to the public interface has to be allowed explicitly. Replace eth0 everywhere below with your real egress interface:
# Find the egress interface (the "dev" in the default route)
ip route show default
# Allow OpenVPN port
sudo ufw allow 1194/udp
# Allow SSH (important - don't lock yourself out!)
sudo ufw allow ssh
# Allow forwarded traffic from the VPN to the egress interface only
sudo ufw route allow in on tun0 out on eth0
# Configure NAT for VPN traffic
sudo nano /etc/ufw/before.rules
Add these lines at the top of before.rules, before the existing *filter line:
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade only the VPN subnet (10.8.0.0/24, as in server.conf), not all of 10.0.0.0/8
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Don't delete these required lines, otherwise rules will be deleted
*filter
Enable UFW and start OpenVPN. The config lives in /etc/openvpn/server/, so the unit is openvpn-server@server (openvpn@server would look for /etc/openvpn/server.conf and fail to start):
# Enable UFW (re-reads before.rules)
sudo ufw enable
# Start OpenVPN now and on every boot
sudo systemctl enable --now openvpn-server@server
Step 6: Generate Client Configuration
Issue one certificate per client device and never share a .ovpn between devices: the certificate is what you will revoke when a laptop is lost.
# Navigate to Easy-RSA directory
cd ~/easy-rsa
# Generate client key and certificate in one step (drop nopass to passphrase-protect the client key)
./easyrsa build-client-full client1 nopass
# Create client configuration directory (the .ovpn files it will hold contain private keys)
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs ~/client-configs/files
Create a base client configuration:
# Create base client config
nano ~/client-configs/base.conf
# Add this configuration:
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse a peer whose cert lacks the server EKU (a stolen client cert cannot impersonate the server)
remote-cert-tls server
# The data cipher is negotiated from the server's data-ciphers list; auth must match the server's tls-auth HMAC
auth SHA256
verb 3
# 1 = client side of the tls-auth key (the server uses 0)
key-direction 1
Step 7: Create Client OVPN Files
Use this script to inline the CA certificate, the client's certificate and key, and the tls-auth key into one self-contained .ovpn file. Easy-RSA 3 keeps certificates under pki/issued and keys under pki/private:
# Create script to generate client configs
nano ~/client-configs/make_config.sh
# Add this script:
#!/bin/bash
# First argument: client identifier (the name given to easyrsa build-client-full)
set -euo pipefail
PKI_DIR=~/easy-rsa/pki
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
CLIENT=${1:?usage: $0 <client-name>}
OUT=${OUTPUT_DIR}/${CLIENT}.ovpn
# The output holds a private key: create it readable by us only
umask 077
cat ${BASE_CONFIG} \
    <(printf '<ca>\n') \
    ${PKI_DIR}/ca.crt \
    <(printf '</ca>\n<cert>\n') \
    ${PKI_DIR}/issued/${CLIENT}.crt \
    <(printf '</cert>\n<key>\n') \
    ${PKI_DIR}/private/${CLIENT}.key \
    <(printf '</key>\n<tls-auth>\n') \
    ${PKI_DIR}/ta.key \
    <(printf '</tls-auth>\n') \
    > "${OUT}"
echo "wrote ${OUT}"
# Make script executable and generate client1's profile
chmod +x ~/client-configs/make_config.sh
cd ~/client-configs
./make_config.sh client1
Step 8: Test and Verify Installation
Check that the service is up, listening on the VPN port, and has created the tunnel interface:
# Check OpenVPN status
sudo systemctl status openvpn-server@server
# Check that the server is listening on 1194/udp
sudo ss -ulnp 'sport = :1194'
# Check if tun interface is created (it should carry an address in 10.8.0.0/24)
ip addr show tun0
# Check OpenVPN logs for errors (the unit also logs to the journal)
sudo tail -f /var/log/openvpn/openvpn.log
sudo journalctl -u openvpn-server@server -e
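Once clients connect, the status file is the quickest place to see who is on and with what. The following is an added example, not code from the original guide or from the OpenVPN project: it parses the status file and flags two things the server.conf above is meant to rule out, a session whose data channel is not on an AEAD cipher and a Common Name with two live sessions. It relies on the version 2 layout: openvpn-server@.service passes --status-version 2 on its command line and the status line in server.conf only changes the path, so that is what /var/log/openvpn/openvpn-status.log will contain unless you set status-version yourself (the first line of a version 2 file starts with TITLE). Column positions are read from the HEADER line rather than hard-coded, because the column set differs between OpenVPN releases. The status text, client names and addresses are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): parse an OpenVPN status-version 2
# file and flag non-AEAD data channels and Common Names with more than one session.
# The sample status text below is constructed; all names and addresses are made up.
set -euo pipefail

SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
TITLE,OpenVPN 2.6 (constructed sample)
TIME,2024-12-01 10:00:00,1733047200
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,client1,203.0.113.5:51234,10.8.0.2,,123456,654321,2024-12-01 09:00:00,1733043600,UNDEF,0,0,AES-256-GCM
CLIENT_LIST,client2,198.51.100.7:40001,10.8.0.3,,2048,4096,2024-12-01 09:30:00,1733045400,UNDEF,1,1,AES-256-CBC
CLIENT_LIST,client1,192.0.2.9:60000,10.8.0.4,,100,200,2024-12-01 09:55:00,1733046900,UNDEF,2,2,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.2,client1,203.0.113.5:51234,2024-12-01 09:59:00,1733047140
ROUTING_TABLE,10.8.0.3,client2,198.51.100.7:40001,2024-12-01 09:58:00,1733047080
ROUTING_TABLE,10.8.0.4,client1,192.0.2.9:60000,2024-12-01 09:59:30,1733047170
GLOBAL_STATS,Max bcast/mcast queue length,0
END
EOF

# One line per live session: "<cn> <real address> <virtual ip> <data cipher>"
status_sessions() {     # $1 = status file
  awk -F, '
    $1 == "HEADER" && $2 == "CLIENT_LIST" {   # build column-name -> field map
      for (i = 3; i <= NF; i++) col[$i] = i - 1
      next
    }
    $1 == "CLIENT_LIST" {
      cipher = ("Data Channel Cipher" in col) ? $(col["Data Channel Cipher"]) : "unknown"
      print $(col["Common Name"]), $(col["Real Address"]), $(col["Virtual Address"]), cipher
    }' "$1"
}

# Sessions whose data channel is not on an AEAD cipher (anything other than
# AES-*-GCM or CHACHA20-POLY1305): a peer that fell back to CBC, or one whose
# cipher this status version does not report.
weak_cipher_sessions() {
  status_sessions "$1" | awk '$4 !~ /^(AES-(128|192|256)-GCM|CHACHA20-POLY1305)$/'
}

# Common Names with more than one live session. Without duplicate-cn the server
# drops the older session when the same CN connects again, so two entries mean
# duplicate-cn is set and one .ovpn is in use from two places at once.
duplicate_cn() {
  status_sessions "$1" | awk '{ n[$1]++ } END { for (c in n) if (n[c] > 1) print c, n[c] }'
}

session_count() { status_sessions "$1" | wc -l | tr -d ' '; }

echo "live sessions: $(session_count "$SAMPLE")"
echo "non-AEAD data channel:"; weak_cipher_sessions "$SAMPLE"
echo "common name with more than one session:"; duplicate_cn "$SAMPLE"
```

Point it at /var/log/openvpn/openvpn-status.log from cron or a monitoring agent; with the data-ciphers line above, a non-AEAD entry should never appear, so it is worth alerting on. If you want the layout fixed regardless of how the service is launched, add status-version 2 to server.conf.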
Security Best Practices
- Protect the CA: the CA private key (pki/private/ca.key) signs every client certificate. Keep it passphrase-protected, keep ~/easy-rsa unreadable by other users, and consider keeping the CA on a machine other than the VPN server.
- Use strong ciphers: data-ciphers limits the data channel to AEAD ciphers (AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305) and each client negotiates one of them; do not add a CBC fallback unless you still have OpenVPN 2.3 clients.
- Prefer tls-crypt over tls-auth: tls-crypt ta.key (same key file, no key-direction on either side, <tls-crypt> instead of <tls-auth> in the client profile) encrypts as well as authenticates the control channel, so the TLS handshake and the certificates are not visible on the wire. Use it once all clients run OpenVPN 2.4 or newer.
- Certificate revocation: when a device is lost, revoke its certificate instead of re-issuing everyone's. With Easy-RSA 3 run ./easyrsa revoke client1 followed by ./easyrsa gen-crl, copy pki/crl.pem to /etc/openvpn/server/ and add crl-verify crl.pem to server.conf; OpenVPN picks up a changed CRL without a restart. Regenerate the CRL before it expires (EASYRSA_CRL_DAYS, 180 by default), because an expired CRL makes the server refuse every connection.
- Port choice: moving to 443/tcp only helps clients behind egress filters that allow HTTPS alone; it adds no security and costs performance (see the UDP vs TCP FAQ).
- Regular updates: keep OpenVPN, OpenSSL and the rest of the system patched (unattended-upgrades on Ubuntu).
- Firewall rules: when client addresses are predictable, restrict who can reach the port, e.g. ufw allow from 203.0.113.0/24 to any port 1194 proto udp (203.0.113.0/24 being an example range), and keep .ovpn files mode 600 since each one contains a private key.
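Two of the steps above are easy to get subtly wrong: handing out a .ovpn assembled by make_config.sh (Step 7) whose embedded key, certificate and CA do not belong together, and trusting that a revoked client is actually locked out. The script below is an added example, not code from the original guide or from the Easy-RSA or OpenVPN projects. It builds a throwaway PKI with the plain openssl CLI as a stand-in for Easy-RSA 3, assembles bundles with the same <tag> layout as make_config.sh, lints them before they would be handed out, then revokes the client and generates a CRL the way ./easyrsa revoke and ./easyrsa gen-crl do underneath, showing the same bundle failing the check that crl-verify performs on the server. It assumes Linux (GNU stat), bash, awk and openssl 1.1.1 or newer; every name in it (Example-CA, client1, vpn.example.com, the ca-db directory) is made up for the example.

```bash
#!/usr/bin/env bash
# Added example, not code from the original guide. Throwaway PKI via the openssl
# CLI (stand-in for Easy-RSA 3), an inline .ovpn built like make_config.sh, a
# pre-handout lint, then revocation + CRL check. Assumes Linux (GNU stat), bash,
# awk, openssl >= 1.1.1. All names (Example-CA, client1, vpn.example.com) are made up.
set -euo pipefail
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal openssl config: CA extensions for req -x509, and a CA database for
# "openssl ca" (this is what Easy-RSA's pki/ directory provides for you).
cat > lab.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = lab
[lab]
database = ca-db/index.txt
crlnumber = ca-db/crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF

# --- throwaway PKI: CA plus one client certificate (EC keys keep it fast) ----
openssl req -x509 -config lab.cnf -extensions v3_ca -newkey ec \
  -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout ca.key -out ca.crt \
  -days 2 -subj /CN=Example-CA 2>/dev/null
openssl req -config lab.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -nodes -keyout client1.key -out client1.csr -subj /CN=client1 2>/dev/null
openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 2 -out client1.crt 2>/dev/null
# a key that does NOT belong to client1.crt, to exercise the mismatch check
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out wrong.key 2>/dev/null
openssl rand -hex 32 > ta.key   # stand-in for openvpn --genkey secret

# --- assemble an inline bundle (same layout as make_config.sh) ---------------
make_bundle() {   # $1 output file, $2 remote host, $3 private key file
  {
    printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$2"
    printf 'remote-cert-tls server\nkey-direction 1\n'
    printf '<ca>\n';       cat ca.crt;      printf '</ca>\n'
    printf '<cert>\n';     cat client1.crt; printf '</cert>\n'
    printf '<key>\n';      cat "$3";        printf '</key>\n'
    printf '<tls-auth>\n'; cat ta.key;      printf '</tls-auth>\n'
  } > "$1"
  chmod 600 "$1"          # the file carries a private key
}
inline_block() {  # print the body of <$2>...</$2> from .ovpn file $1
  awk -v t="$2" '$0=="<"t">"{f=1;next} $0=="</"t">"{f=0} f' "$1"
}

# --- lint a bundle; returns 0 only if every check passes ---------------------
verify_ovpn() {   # $1 .ovpn file, $2 optional CRL (PEM) to check the cert against
  local f=$1 crl=${2:-} d="$WORK/lint" t
  mkdir -p "$d"
  [ "$(stat -c %a "$f")" = 600 ]          || { echo "$f: mode is not 600"; return 1; }
  ! grep -q '^remote YOUR_SERVER_IP' "$f" || { echo "$f: placeholder remote left in"; return 1; }
  grep -qx 'remote-cert-tls server' "$f"  || { echo "$f: missing remote-cert-tls server"; return 1; }
  for t in ca cert key tls-auth; do
    inline_block "$f" "$t" > "$d/$t"
    [ -s "$d/$t" ]                        || { echo "$f: missing <$t> block"; return 1; }
  done
  openssl verify -CAfile "$d/ca" "$d/cert" >/dev/null 2>&1 \
    || { echo "$f: cert does not chain to the embedded CA"; return 1; }
  [ "$(openssl x509 -in "$d/cert" -noout -pubkey)" = "$(openssl pkey -in "$d/key" -pubout 2>/dev/null)" ] \
    || { echo "$f: private key does not match cert"; return 1; }
  if [ -n "$crl" ]; then
    openssl verify -crl_check -CAfile "$d/ca" -CRLfile "$crl" "$d/cert" >/dev/null 2>&1 \
      || { echo "$f: cert is revoked (or the CRL is invalid)"; return 1; }
  fi
  echo "$f: OK"
}

# --- revocation: what ./easyrsa revoke + ./easyrsa gen-crl do underneath -----
gen_crl() {       # $1 cert to revoke, $2 CRL output file
  mkdir -p ca-db; touch ca-db/index.txt; [ -s ca-db/crlnumber ] || echo 01 > ca-db/crlnumber
  openssl ca -config lab.cnf -revoke "$1" 2>/dev/null
  openssl ca -config lab.cnf -gencrl -out "$2" 2>/dev/null
}

make_bundle good.ovpn   vpn.example.com client1.key
make_bundle stale.ovpn  YOUR_SERVER_IP  client1.key
make_bundle badkey.ovpn vpn.example.com wrong.key
verify_ovpn good.ovpn                   # good.ovpn: OK
verify_ovpn stale.ovpn  || true         # placeholder remote left in
verify_ovpn badkey.ovpn || true         # private key does not match cert
gen_crl client1.crt crl.pem
verify_ovpn good.ovpn crl.pem || true   # cert is revoked
```

With a real Easy-RSA 3 tree the same verify_ovpn function applies unchanged to the files make_config.sh writes, and passing pki/crl.pem as the second argument answers "is this profile still valid?" without touching the server. The CRL check is the same one OpenVPN runs for every handshake once crl-verify is set, which is why the CRL must be regenerated before it expires.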
Troubleshooting Common Issues
Client Cannot Connect
- Verify port 1194/udp is open in the firewall (sudo ufw status) and, if the server runs in a cloud, in its security group as well
- Check server IP/DNS resolution from the client; the remote line must name the server's public address
- Verify the client certificate was signed by the same CA as the server's (openssl verify -CAfile ca.crt client1.crt) and has not been revoked
- Check the server logs for connection attempts (sudo journalctl -u openvpn-server@server -e); TLS errors logged on the server side usually mean a certificate, ta.key or key-direction mismatch
No Internet Access Through VPN
- Verify IP forwarding is enabled (sysctl net.ipv4.ip_forward should print 1)
- Check the NAT rule matches the VPN subnet and the real egress interface (sudo iptables -t nat -S POSTROUTING)
- Check that forwarding is allowed (sudo ufw status lists the ALLOW FWD rule from tun0, or DEFAULT_FORWARD_POLICY in /etc/default/ufw is ACCEPT)
- Ensure push "redirect-gateway def1 bypass-dhcp" is in server.conf
Frequently Asked Questions
Can I run OpenVPN on a different port?
Yes, you can change the port in server.conf and update firewall rules accordingly. Port 443/tcp is commonly used to bypass restrictive networks.
How many clients can OpenVPN support?
OpenVPN can handle hundreds of concurrent clients on modern hardware. Performance depends on server resources, network bandwidth, and encryption settings.
What’s the difference between UDP and TCP?
UDP is the right choice for a VPN: the TCP streams inside the tunnel handle their own retransmission, so the tunnel itself should not. TCP mode exists for networks that block UDP; a lost packet then triggers retransmissions at both layers (the "TCP over TCP" problem) and throughput collapses under loss. Use UDP unless you have specific requirements.
Next Steps and Further Reading
Now that your OpenVPN server is running, consider these enhancements:
- Set up WireGuard for higher performance
- Compare VPN protocols for your use case
- Implement monitoring and alerting for your VPN service
- Set up automated backup for certificates and configurations
Need Help With Your VPN Setup?
Our complete VPN Server Guide category has everything you need for enterprise-grade VPN infrastructure.
