How To Set up OpenVPN Server In 5 Minutes on Ubuntu Linux

last updated December 22, 2018 in Iptables, Networking, OpenVPN, Security, Ubuntu Linux

I am a new Ubuntu Linux server user. How do I setup an OpenVPN Server on Ubuntu Linux version 14.04 or 16.04/18.04 LTS server to shield my browsing activity from bad guys on public Wi-Fi, and more?

OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is an open source software and distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as wifi network at the airport or hotel. VPN is also required to access your corporate or enterprise or home server resources. You can bypass geo-blocked site and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Ubuntu Linux v14.04/16.04 LTS version including ufw/iptables firewall configuration. The steps are as follows:

Find and note down your public IP address
Download openvpn-install.sh script
Run openvpn-install.sh to install OpenVPN server
Connect an OpenVPN server using IOS/Android/Linux/Windows client
Verify your connectivity

Find your public IP address

Use any one of the following command to find out your IPv4 public address. If your internface name is eth0 or eth1, enter:
$ ip addr show eth0
OR
$ ip addr show eth1
Or use the host command or dig command as follows:
$ host myip.opendns.com resolver1.opendns.com
OR
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
Sample outputs:

Fig.01: Find out your public IPv4 address using the CLI

Note down the public IP address 139.59.1.155 i.e. public ip address of your OpenVPN server.

Download openvpn-install.sh script to set up OpenVPN server in 5 minutes on Ubuntu

Type the following wget command or curl command:
$ wget https://git.io/vpn -O openvpn-install.sh
Sample outputs:

--2018-07-25 17:17:22--  https://git.io/vpn
Resolving git.io (git.io)... 52.3.63.2, 52.44.230.61, 52.4.95.48, ...
Connecting to git.io (git.io)|52.3.63.2|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2018-07-25 17:17:22--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.48.133
Connecting to raw.github.com (raw.github.com)|151.101.48.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2018-07-25 17:17:22--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.48.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.48.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14196 (14K) [text/plain]
Saving to: ‘openvpn-install.sh’
 
openvpn-install.sh                                   100%[=====================================================================================================================>]  13.86K  --.-KB/s    in 0s      
 
2018-07-25 17:17:22 (39.0 MB/s) - ‘openvpn-install.sh’ saved [14196/14196]

Run openvpn-install.sh to install OpenVPN server

Type the following command:
$ sudo bash openvpn-install.sh
When prompted set IP address to 139.59.1.155 and Port to 1194. Use Google or OpenDNS DNS servers with the vpn. Next, type client name (such as iPhone, Nexus6, LinuxRouter etc). Finally, press [Enter] key to install and set up OpenVPN on your system:

Fig.02: Setting up OpenVPN Server In 5 Minutes on Ubuntu — Fig.02: Setting up OpenVPN server on an Ubuntu Linux server v16.04 LTS

The script will now generate keys, DH parameters and more as follows:

Okay, that was all I needed. We are ready to setup your OpenVPN server now
Press any key to continue...
Get:1 http://security.ubuntu.com 
......
...
..
--2016-06-27 17:10:38--  https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
Resolving github.com (github.com)... 192.30.252.120
Connecting to github.com (github.com)|192.30.252.120|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-cloud.s3.amazonaws.com/releases/4519663/9dab10e8-7b6a-11e5-91af-0660987e9192.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160627T114040Z&X-Amz-Expires=300&X-Amz-Signature=717ae4f606d1999b4c7c164ae06d163c494197f04aafffa9f760a8e0bf136136&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.1.tgz&response-content-type=application%2Foctet-stream [following]
--2016-06-27 17:10:40--  https://github-cloud.s3.amazonaws.com/releases/4519663/9dab10e8-7b6a-11e5-91af-0660987e9192.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160627T114040Z&X-Amz-Expires=300&X-Amz-Signature=717ae4f606d1999b4c7c164ae06d163c494197f04aafffa9f760a8e0bf136136&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.1.tgz&response-content-type=application%2Foctet-stream
Resolving github-cloud.s3.amazonaws.com (github-cloud.s3.amazonaws.com)... 54.231.72.3
Connecting to github-cloud.s3.amazonaws.com (github-cloud.s3.amazonaws.com)|54.231.72.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40960 (40K) [application/octet-stream]
Saving to: â€˜/root/EasyRSA-3.0.1.tgzâ€™
 
/root/EasyRSA-3.0.1.tgz       100%[================================================>]  40.00K  38.8KB/s   in 1.0s   
 
2016-06-27 17:10:43 (38.8 KB/s) - â€˜/root/EasyRSA-3.0.1.tgzâ€™ saved [40960/40960]
 
 
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Generating a 2048 bit RSA private key
........+++
...............................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.BjRh5frdDd'
-----
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....+.....+................................................................................+..................................................................................................................................................................+......................................
...
..
.................................................................................................................+........................................................................................................................................+.................................+......................................................+...++*++*
 
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
 
Generating a 2048 bit RSA private key
.......................................................................+++
..................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.9ieuluTC2R'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Jun 25 11:55:48 2026 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated
Generating a 2048 bit RSA private key
.........+++
.........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/iphone.key.lokNfOiobc'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'iphone'
Certificate is to be certified until Jun 25 11:55:48 2026 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
 
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
 
244
 
Looks like your server is behind a NAT!
 
If your server is NATed (e.g. LowEndSpirit), I need to know the external IP
If that's not the case, just ignore this and leave the next field blank
External IP:

Okay, that was all I needed. We are ready to setup your OpenVPN server now Press any key to continue... Get:1 http://security.ubuntu.com ...... ... .. --2016-06-27 17:10:38-- https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz Resolving github.com (github.com)... 192.30.252.120 Connecting to github.com (github.com)|192.30.252.120|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://github-cloud.s3.amazonaws.com/releases/4519663/9dab10e8-7b6a-11e5-91af-0660987e9192.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160627T114040Z&X-Amz-Expires=300&X-Amz-Signature=717ae4f606d1999b4c7c164ae06d163c494197f04aafffa9f760a8e0bf136136&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.1.tgz&response-content-type=application%2Foctet-stream [following] --2016-06-27 17:10:40-- https://github-cloud.s3.amazonaws.com/releases/4519663/9dab10e8-7b6a-11e5-91af-0660987e9192.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160627T114040Z&X-Amz-Expires=300&X-Amz-Signature=717ae4f606d1999b4c7c164ae06d163c494197f04aafffa9f760a8e0bf136136&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.1.tgz&response-content-type=application%2Foctet-stream Resolving github-cloud.s3.amazonaws.com (github-cloud.s3.amazonaws.com)... 54.231.72.3 Connecting to github-cloud.s3.amazonaws.com (github-cloud.s3.amazonaws.com)|54.231.72.3|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 40960 (40K) [application/octet-stream] Saving to: â€˜/root/EasyRSA-3.0.1.tgzâ€™ /root/EasyRSA-3.0.1.tgz 100%[================================================>] 40.00K 38.8KB/s in 1.0s 2016-06-27 17:10:43 (38.8 KB/s) - â€˜/root/EasyRSA-3.0.1.tgzâ€™ saved [40960/40960] init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki Generating a 2048 bit RSA private key ........+++ ...............................................................................................+++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.BjRh5frdDd' ----- Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ....+.....+................................................................................+..................................................................................................................................................................+...................................... ... .. .................................................................................................................+........................................................................................................................................+.................................+......................................................+...++*++* DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem Generating a 2048 bit RSA private key .......................................................................+++ ..................................................+++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.9ieuluTC2R' ----- Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'server' Certificate is to be certified until Jun 25 11:55:48 2026 GMT (3650 days) Write out database with 1 new entries Data Base Updated Generating a 2048 bit RSA private key .........+++ .........+++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/iphone.key.lokNfOiobc' ----- Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'iphone' Certificate is to be certified until Jun 25 11:55:48 2026 GMT (3650 days) Write out database with 1 new entries Data Base Updated Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf An updated CRL has been created. CRL file: /etc/openvpn/easy-rsa/pki/crl.pem 244 Looks like your server is behind a NAT! If your server is NATed (e.g. LowEndSpirit), I need to know the external IP If that's not the case, just ignore this and leave the next field blank External IP:

That is all. Your OpenVPN server has been configured and ready to use. You can see added firewall rules /etc/rc.local file:
$ cat /etc/rc.local
Sample outputs:

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 139.59.1.155

You can view your openvpn server config file generated by the script as follows (do not edit this file by hand):
$ sudo more /etc/openvpn/server.conf $ sudo vi /etc/openvpn/server.conf
Sample outputs:

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

How do I start/stop/restart OpenVPN server on Ubuntu Linux 16.04/18.04 LTS?

Type the following command stop the OpenVPN service:
$ sudo systemctl stop openvpn@server
Type the following command start the OpenVPN service:
$ sudo systemctl start openvpn@server
Type the following command restart the OpenVPN service:
$ sudo systemctl restart openvpn@server

How do I start/stop/restart OpenVPN server on Ubuntu Linux 14.04 LTS?

Type the following command stop the OpenVPN service:
$ sudo /etc/init.d/openvpn stop
Type the following command start the OpenVPN service:
$ sudo /etc/init.d/openvpn start
Type the following command restart the OpenVPN service:
$ sudo /etc/init.d/openvpn restart

{Optional} How to configure and use the ufw firewall rules for the OpenVPN server

The default rules added to the /etc/rc.local file should work out of the box. However, if you have complicated firewall settings or prefer ufw to control all firewall settings on Ubuntu Linux server, try the following. First, edit the /etc/rc.local file using a text editor and comment out all firewall rules added by the script. Type the following ufw command to open port 1194 and 22 (ssh):
$ sudo ufw allow 1194/udp $ sudo ufw allow 22/tcp
Edit the file /etc/ufw/before.rules, enter:
$ sudo vi /etc/ufw/before.rules
At top of the file add the following rules:

# START OPENVPN RULES by vg
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
#****************************************[README]*****************************************************#
# Allow traffic from OpenVPN client to 139.59.1.155. Replace 139.59.1.155 with your actual IP address*#
#****************************************[README]*****************************************************#
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source  139.59.1.155
COMMIT
# END OPENVPN RULES by vg

Next scroll down and find the comment that read s follows

# ok icmp code for FORWARD

Append the following rules:

#OpenVPN Forward by vg
-A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -i tun+ -j ACCEPT
-A ufw-before-forward -i tap+ -j ACCEPT
#OpenVPN END by vg

Save and close the file. Next edit the /etc/ufw/sysctl.conf file, enter:
$ sudo vi /etc/ufw/sysctl.conf
Find and uncomment the following line to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
Save and close the file. Enable ufw or reload if already running:
$ sudo ufw enable
OR
$ sudo ufw reload
Verify new firewall rules:
$ sudo ufw status $ sudo iptables -t nat -L -n -v $ sudo iptables -L FORWARD -n -v $ sudo iptables -L ufw-before-forward -n -v

Client configuration

On server your will find a client configuration file called ~/iphone.ovpn. All you have to do is copy this file to your local desktop using the scp and provide this file to your OpenVPN client to connect:
$ scp vivek@139.59.1.155:~/iphone.ovpn .
Next, you need to download OpenVPN client as per your operating system:

Download OpenVPN client for Apple IOS version 6.x or above and install it.
Download OpenVPN client for Android and install it.
Download OpenVPN client for Apple MacOS (OS X) and install it.
Download OpenVPN client for Windows 8/10 and install it.

MacOS/OS X OpenVPN client configuration

Just double click on iphone.ovpn file and it will open in your tunnelblick client > Click on the “Only me” to install it.

Once installed click on Connect button and you will be online. Use the following command on MacOS client to verify that your public IP changed to the VPN server IP:
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
You can ping to OpenVPN server private IP:
$ ping 10.8.0.1

Linux OpenVPN client configuration

First, install the openvpn client, enter:
$ sudo yum install openvpn
OR
$ sudo apt install openvpn
Next, copy iphone.ovpn as follows:
$ sudo cp iphone.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
$ sudo openvpn --client --config /etc/openvpn/client.conf
Your Linux system will automatically connect when computer restart using /etc/init.d/openvpn script:
$ sudo /etc/init.d/openvpn start
For systemd based system, use the following command:
$ sudo systemctl start openvpn@client
Test the connectivity:
$ ping 10.8.0.1 #Ping to OpenVPN server gateway $ ip route #Make sure routing setup $ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Make sure your public IP set to OpenVPN server

FreeBSD OpenVPN client configuration

First, install the openvpn client, enter:
$ sudo pkg install openvpn
Next, copy iphone.ovpn as follows:
$ mkdir -p /usr/local/etc/openvpn/ $ sudo cp iphone.ovpn /usr/local/etc/openvpn/client.conf
Edit /etc/rc.conf and add the following:

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/client.conf"

Start the OpenVPN service:
$ sudo /usr/local/etc/rc.d/openvpn start
Verify it:
$ ping 10.8.0.1 #Ping to OpenVPN server gateway $ $ netstat -nr #Make sure routing setup $ $ drill myip.opendns.com @resolver1.opendns.com #Make sure your public IP set to OpenVPN server

How do I add a new client?

For demo purpose I added a new device called iphone. Let us add one more device called googlephone by running the script again:
$ sudo bash openvpn-install.sh
Sample outputs:

Looks like OpenVPN is already installed

What do you want to do?
   1) Add a cert for a new user
   2) Revoke existing user cert
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:

Select option 1 and type googlephone as a client name:

Tell me a name for the client cert
Please, use one word only, no special characters
Client name: googlephone
Generating a 2048 bit RSA private key
.........+++
.................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/googlephone.key.FNaDMaP56c'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'googlephone'
Certificate is to be certified until Sep 25 07:31:46 2027 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated
 
Client googlephone added, certs available at ~/googlephone.ovpn

Now you can use googlephone.ovpn with Google Android phone. You can add as many users you want using this method.

How do I delete/revoke existing user certificate?

Run the script:
$ sudo bash openvpn-install.sh
Sample outputs:

Looks like OpenVPN is already installed

What do you want to do?
   1) Add a cert for a new user
   2) Revoke existing user cert
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:

Type 2 option and you will see a list of all the existing client certificate you want to revoke:

Select the existing client certificate you want to revoke
     1) iphone6
     2) googlephone
     3) delllaptop
     4) macbook
Select one client [1-4]: 2

Sample outputs when I revoked googlephone certificate:

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Revoking Certificate 09.
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem


Certificate for client googlephone revoked

References

And there you have it, OpenVPN server installed in five minutes to increase your privacy.

This entry is 1 of 8 in the OpenVPN Tutorial series. Keep reading the rest of the series:

How To Setup OpenVPN Server In 5 Minutes on Ubuntu Server
Install Pi-hole with an OpenVPN to block ads
How to update/upgrade Pi-hole with an OpenVPN
How to install an OpenVPN server on Debian 9/8
How to import a OpenVPN .ovpn file with Network Manager
Ubuntu 18.04 LTS Set Up OpenVPN Server In 5 Minutes
CentOS 7.0 Set Up OpenVPN Server In 5 Minutes
Pi-Hole and Cloudflare DoH config

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Notable Replies

nixcraft says:
Can you ping public IP address such as 8.8.8.8?
```
ping 8.8.8.8
ping 1.1.1.1
```

You can verify NAT rules with:

iptables -t nat -L -n -v
## the following must be 1 ##
sysctl net.ipv4.ip_forward

Usually, script adds rule to /etc/rc.local that does the magic:

cat /etc/rc.local

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 139.xxx.yyy.zzz

139.xxx.yyy.zzz is my VPN server IP address.

nixcraft says:
Yes, it looks correct. My guess is DNS server at your hosting causing such issue. Can you remove OpenVPN and reinstall it again and choose 1.1.1.1 or Google DNS when asked?
```
sudo ./openvpn-install.sh
```
First remove OpenVPN. Again run script and make sure you choose 1.1.1.1 or Google DNS:
```
sudo ./openvpn-install.sh
```
For example:
Ubuntu 18.04 LTS Setup OpenVPN Server In 5 Minutes.png599×574 237 KB

Do show your screenshot when you run above screen.
nixcraft says:

Did you installed it as service and starting using the systemctl command?
khosango says:

change ip for that
sàn g?

Continue the discussion www.nixcraft.com

7 more replies

Participants

Historical Comment Archive

68 comment

MacTom says:
June 27, 2016 at 1:28 pm
5 minutes? It takes more time for sure. Where are keys.
Alexander Alekseev says:
June 27, 2016 at 2:02 pm
Doesn’t look like 5 minutes to me and in fact it’s much, much simpler. Here is my cheat sheet (in Russian) http://eax.me/openvpn/ – this way it actually takes 5 minutes, I’ve checked many times.
Raju T says:
June 27, 2016 at 6:10 pm
Can we see a CentOS 7 version of this tutorial?
Cheers.
Matteo Trentin says:
June 27, 2016 at 9:23 pm
And… how to temporarily suspend a client?
no easy guide outsider there.
thx
jesusguevarautomotriz says:
June 28, 2016 at 3:33 am
Hey, what a great article you’ve written, has long sought something like this, I have many articles and information gathered on the subject of Open VPN for when it is their time to implement exactly what you suggest in this article, that just what I need, nothing more.
The option to download the article in pdf format of this blog is superior and much needed, although I use Pocket to store many items is very comfortable to save it to disk in a nicely formatted pdf.
Can you make the option “Download to PDF” print the comments and related posts? your blog provides highly valuable information and deserves this option.
A fan, Thanks.
1. Vivek Gite says:
  June 28, 2016 at 10:49 am
  Thanks for the feedback. It required too much programming or changes to include the comments and related post in pdf file. I can’t promise anything but I will look into it when I’ve some free time.
Ben Gillam says:
June 28, 2016 at 8:38 am
Nice guide, how about adding users as this only shows the one user during setup
1. Vivek Gite says:
  June 28, 2016 at 10:47 am
  I will add it soon. Thanks for the feedback.
  1. Tony says:
    September 26, 2017 at 2:17 pm
    Hello Vivek,
    Please can you add a guide of how to add users/clients
    1. Vivek Gite says:
      September 27, 2017 at 7:39 am
      I updated info about adding a new client and deleting existing one. HTH
jesusguevarautomotriz says:
July 4, 2016 at 7:20 am
First a brief note:
sudo openvpn-install.sh I not work for me
Openvpn-install.sh bash had to do to make it work.
Hi, I’m trying to do this in a Lubuntu 14.04 LTS 2007 MacBook Laptop connected to a WiFi network, is this possible? I know you specify that is a Ubuntu Server.
The script ran successfully, but the first step in where he had to enter the IP address, showed the local network address 192.168.0.25 and change it to the public IP address that showed me the command: dig + short myip \. opendns.com @ resolver1.opendns.com
When I try to connect another Asus Linux Client Lubuntu 14.04, I note that your public IP address Unchanging remains in
Here is some of the output produced by my client:
Mon 4 July 2016 3:10:25 SIGUSR1 [soft, tls-error] received, process restarting
Mon 4 July 2016 3:10:25 Restart pause, 2 second (s)
Mon 4 July 2016 3:10:27 Socket Buffers: R = [212992-> 212992] S = [212992-> 212992]
3:10:27 Mon 4 July 2016 Local UDPv4 link: [undef]
Mon 4 July 2016 3:10:27 UDPv4 link remote: [AF_INET] 82.250.240.108:1194
3:11:27 Mon 4 July 2016 TLS Error: TLS key negotiation failed to Occur Within 60 seconds (check your network connectivity)
3:11:27 Mon 4 July 2016 TLS Error: TLS handshake failed
Mon 4 July 2016 3:11:27 SIGUSR1 [soft, tls-error] received, process restarting
Mon 4 July 2016 3:11:27 Restart pause, 2 second (s)
Mon 4 July 2016 3:11:29 Socket Buffers: R = [212992-> 212992] S = [212992-> 212992]
3:11:29 Mon 4 July 2016 Local UDPv4 link: [undef]
Mon 4 July 2016 3:11:29 UDPv4 link remote: [AF_INET] 82.250.240.108:1194
3:12:29 Mon 4 July 2016 TLS Error: TLS key negotiation failed to Occur Within 60 seconds (check your network connectivity)
3:12:29 Mon 4 July 2016 TLS Error: TLS handshake failed
Mon 4 July 2016 3:12:29 SIGUSR1 [soft, tls-error] received, process restarting
Mon 4 July 2016 3:12:29 Restart pause, 2 second (s)
Mon 4 July 2016 3:12:31 Socket Buffers: R = [212992-> 212992] S = [212992-> 212992]
3:12:31 Mon 4 July 2016 Local UDPv4 link: [undef]
Mon 4 July 2016 3:12:31 UDPv4 link remote: [AF_INET] 82.250.240.108:1194
My goal is to assemble an experimental home domestic vpn, web traffic to route and connect via ssh as if it were a LAN network to Backups or systems management work.
Thanks greetings.
jesusguevarautomotriz says:
July 4, 2016 at 3:42 pm
Sorry for the hasty and mistranslation, at the beginning I meant:
First a brief note:
$ sudo openvpn-install.sh I not work for me
$ bash openvpn-install.sh had to do to make it work

+----------------+
  (public IP)        |                      |
  {INTERNET}={ Router          |
                            |                      |
                            |                       |
                           +------+---------+
                                      | (192.168.0.1)
                                      |
                                      |   +------------------+
                                      |   |                        |
                                      |   |  OpenVPN    |  wlan0: 192.168.0.10/24
                                     +--{wlan0 server |  tun0: 10.8.0.1/24
                                      I   |                        |
                                      |   | {tun0}             |
                                      I  +--------+---------+
                                      |
                  +------------+-----------+
                  |                                  |
                  |  Other LAN clients |
                  |                                  |
                  |   192.168.0.0/24    |
                  |      (internal net)     |
                +---------------------------+

jesusguevarautomotriz says:
July 4, 2016 at 11:56 pm
ASCII Diagram Fail
See Using routing and OpenVPN not running on the default gateway
https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

geeknik says:
July 24, 2016 at 7:57 am
AES-128? Replace that with AES-256.
john says:
September 5, 2016 at 9:35 am
hi. amazing tutorial. it took me less than 5 minutes in my server (192.168.1.1/24). now all remote clients(10.8.0.0/24) can easily access the server. i would like to have all the remote clients to be able to see the rest of the LAN where the server is (192.168.1.0/24). The server is ubuntu
1. justin says:
  September 17, 2016 at 3:31 am
  I’m working on trying to configure that same setup now. From what I understand is you need to bridge the two networks under one subnet. Still not sure how to do that.
  1. Achal says:
    November 22, 2016 at 11:04 am
    can you please also help me to resolve this issue? my scenario is like:
    Public IP of VPN server: xxx.xxx.xxx.xxx
    LAN IP of VPN server: 10.0.0.XXX
    Clients are getting IP: 10.8.0.XXX
    I want my client to connect all LAN network.
    all help is appreciated in advance
    1. Christopher says:
      April 5, 2017 at 4:20 am
      has anyone resolved this problem yet?
Ingo says:
September 22, 2016 at 10:08 am
Excellent Tutorial – Thanks !!!

this tutorial does not worked for me: the following is the log of my openvpn client:

Thu Oct 06 15:26:41 2016 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct  3 2016
Thu Oct 06 15:26:41 2016 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Oct 06 15:26:41 2016 library versions: OpenSSL 1.0.1u  22 Sep 2016, LZO 2.09
Enter Management Password:
Thu Oct 06 15:26:41 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Thu Oct 06 15:26:41 2016 Need hold release from management interface, waiting...
Thu Oct 06 15:26:41 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Thu Oct 06 15:26:41 2016 MANAGEMENT: CMD 'state on'
Thu Oct 06 15:26:41 2016 MANAGEMENT: CMD 'log all on'
Thu Oct 06 15:26:41 2016 MANAGEMENT: CMD 'hold off'
Thu Oct 06 15:26:41 2016 MANAGEMENT: CMD 'hold release'
Thu Oct 06 15:26:41 2016 Control Channel Authentication: tls-auth using INLINE static key file
Thu Oct 06 15:26:41 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 06 15:26:41 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 06 15:26:41 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Oct 06 15:26:41 2016 UDPv4 link local: [undef]
Thu Oct 06 15:26:41 2016 UDPv4 link remote: [AF_INET]52.59.243.92:1194
Thu Oct 06 15:26:41 2016 MANAGEMENT: >STATE:1475760401,WAIT,,,
Thu Oct 06 15:27:41 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Oct 06 15:27:41 2016 TLS Error: TLS handshake failed
Thu Oct 06 15:27:41 2016 SIGUSR1[soft,tls-error] received, process restarting
Thu Oct 06 15:27:41 2016 MANAGEMENT: >STATE:1475760461,RECONNECTING,tls-error,,
Thu Oct 06 15:27:41 2016 Restart pause, 2 second(s)
Thu Oct 06 15:27:43 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Oct 06 15:27:43 2016 UDPv4 link local: [undef]
Thu Oct 06 15:27:43 2016 UDPv4 link remote: [AF_INET]52.59.243.92:1194
Thu Oct 06 15:27:43 2016 MANAGEMENT: >STATE:1475760463,WAIT,,,
Thu Oct 06 15:28:43 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Oct 06 15:28:43 2016 TLS Error: TLS handshake failed
Thu Oct 06 15:28:43 2016 SIGUSR1[soft,tls-error] received, process restarting
Thu Oct 06 15:28:43 2016 MANAGEMENT: >STATE:1475760523,RECONNECTING,tls-error,,
Thu Oct 06 15:28:43 2016 Restart pause, 2 second(s)
Thu Oct 06 15:28:45 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Oct 06 15:28:45 2016 UDPv4 link local: [undef]
Thu Oct 06 15:28:45 2016 UDPv4 link remote: [AF_INET]52.59.243.92:1194
Thu Oct 06 15:28:45 2016 MANAGEMENT: >STATE:1475760525,WAIT,,,
Thu Oct 06 15:28:47 2016 SIGTERM[hard,] received, process exiting
Thu Oct 06 15:28:47 2016 MANAGEMENT: >STATE:1475760527,EXITING,SIGTERM,,

could you assist me to resolve the problem?

YipengXiao says:
October 9, 2016 at 2:24 am
I use ubuntu16.04
I failed start openvpen
This is error detail:
daemon() failed or unsupported: Resource temporarily unavailable (errno=11)
Drew says:
October 18, 2016 at 6:26 am
Thank you for the tutorial. That script it pretty awesome.
I’m running into an issue though. Under the client configuration part I don’t seem to have the .ovpn file that I am supposed to copy to the client machine. Where did I go wrong? Any tips or assistance would be greatly appreciate.
drake says:
October 23, 2016 at 3:02 pm
Wouldn’t use this script or guide guys. Sets up a hidden account on your server that you install openvpn on. Right after i set it up I got three logins from india. Even the IP he lists in the tutorial is India based. Just a heads up I wouldn’t use this.
1. Vivek Gite says:
  October 23, 2016 at 5:50 pm
  The script is open source. There is no hidden account created on your server. You are just making claim out of /dev/null.
feri says:
November 18, 2016 at 1:53 am
The script worked great.
Before that I tried it manually, but did not get the IPTABLES to work.
Thank you very much!
jasson says:
November 22, 2016 at 9:00 pm
how to add user autentication
Francesco says:
November 25, 2016 at 12:48 pm
It works perfectly, thank you!!!!
mason says:
January 23, 2017 at 12:32 pm
Wow, not a tutorial (I like to understand what’s happening) but I was up and running in 5 minutes on my testserver. Thanks a lot!
1. Vivek Gite says:
  January 23, 2017 at 5:19 pm
  Hah. Yes. You can read the script to understand what’s happening. Just use a text editor.
  1. mason says:
    February 2, 2017 at 7:54 am
    of course, I know and i did, to learn something and to see if there are no malicious parts (trust no one ;))
ExMM says:
February 1, 2017 at 9:15 am
Excellent tutorial, really useful everything working perfectly fine for me.
Only one question, now I have access to my entire LAN with OpenVPN also to my router, which I would like to block for the client that will connect to my home server.
How can I block internal LAN static IP Addresses?
Thanks a lot again!
Moep says:
February 2, 2017 at 11:28 am
Hi @all,
you wan it in 5 min with routing and a good gui.
Look at http://pritunl.com/
you can use your standard openvpn client.
Moep
xav says:
February 19, 2017 at 3:23 pm
Thanks for this script!

Sat Mar 04 16:32:50 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jan 31 2017
Sat Mar 04 16:32:50 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Mar 04 16:32:50 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Enter Management Password:
Sat Mar 04 16:32:50 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Mar 04 16:32:50 2017 Need hold release from management interface, waiting...
Sat Mar 04 16:32:51 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Mar 04 16:32:51 2017 MANAGEMENT: CMD 'state on'
Sat Mar 04 16:32:51 2017 MANAGEMENT: CMD 'log all on'
Sat Mar 04 16:32:51 2017 MANAGEMENT: CMD 'hold off'
Sat Mar 04 16:32:51 2017 MANAGEMENT: CMD 'hold release'
Sat Mar 04 16:32:51 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 04 16:32:51 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 04 16:32:51 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]10.16.10.14:1194
Sat Mar 04 16:32:51 2017 Socket Buffers: R=[65536->65536] S=[64512->64512]
Sat Mar 04 16:32:51 2017 UDP link local: (not bound)
Sat Mar 04 16:32:51 2017 UDP link remote: [AF_INET]10.16.10.14:1194
Sat Mar 04 16:32:51 2017 MANAGEMENT: >STATE:1488666771,WAIT,,,,,,
Sat Mar 04 16:33:51 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 04 16:33:51 2017 TLS Error: TLS handshake failed
Sat Mar 04 16:33:51 2017 SIGUSR1[soft,tls-error] received, process restarting
Sat Mar 04 16:33:51 2017 MANAGEMENT: >STATE:1488666831,RECONNECTING,tls-error,,,,,
Sat Mar 04 16:33:51 2017 Restart pause, 5 second(s)
Sat Mar 04 16:33:56 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]10.16.10.14:1194
Sat Mar 04 16:33:56 2017 Socket Buffers: R=[65536->65536] S=[64512->64512]
Sat Mar 04 16:33:56 2017 UDP link local: (not bound)
Sat Mar 04 16:33:56 2017 UDP link remote: [AF_INET]10.16.10.14:1194
Sat Mar 04 16:33:56 2017 MANAGEMENT: >STATE:1488666836,WAIT,,,,,,

Can anyone help me out

p3g says:
March 29, 2017 at 7:16 pm
Hey, I just setup this with my DigitalOcean VPS server. As Vivek said, it took me exactly five minutes. Thanks boss.
Raul says:
April 25, 2017 at 6:47 pm
Hi, how to add password for client?
Julien says:
May 1, 2017 at 3:04 am
Thanks, it works!
…But my client can’t see the samba shares on the openvpn server.
And yes, samba is set as a wins server.
Need help please.
Nicholas says:
May 11, 2017 at 6:13 pm
Everything is up and running, all of your sample outputs match mine… Up to the point where I’ve moved the ovpn file to my desktop and opened it in Tunnelblick (mac osx), but it’s not connecting. It looks like I’m having the same error message as someone above that never got a response. Do you have any advice as to why the .ovpn file isn’t working to connect Tunnelblick?
2017-05-11 12:06:18 OpenVPN 2.3.14 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jan 28 2017
2017-05-11 12:06:18 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
2017-05-11 12:06:18 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-05-11 12:06:18 Need hold release from management interface, waiting…
2017-05-11 12:06:18 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-05-11 12:06:18 *Tunnelblick: openvpnstart starting OpenVPN
2017-05-11 12:06:18 *Tunnelblick: Established communication with OpenVPN
2017-05-11 12:06:18 MANAGEMENT: CMD ‘pid’
2017-05-11 12:06:18 MANAGEMENT: CMD ‘state on’
2017-05-11 12:06:18 MANAGEMENT: CMD ‘state’
2017-05-11 12:06:18 MANAGEMENT: CMD ‘bytecount 1’
2017-05-11 12:06:18 MANAGEMENT: CMD ‘hold release’
2017-05-11 12:06:18 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
2017-05-11 12:06:18 Control Channel Authentication: tls-auth using INLINE static key file
2017-05-11 12:06:18 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2017-05-11 12:06:18 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2017-05-11 12:06:18 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-05-11 12:06:18 UDPv4 link local: [undef]
2017-05-11 12:06:18 UDPv4 link remote: [AF_INET]75.174.28.41:1194
2017-05-11 12:06:18 MANAGEMENT: >STATE:1494525978,WAIT,,,
2017-05-11 12:07:18 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-05-11 12:07:18 TLS Error: TLS handshake failed
RAPTORMAN says:
May 19, 2017 at 4:05 am
How many total clients are allowed with this script setup? Thanks in advance.
1. Vivek Gite says:
  May 19, 2017 at 8:49 am
  There is no limit
  1. RAPTORMAN says:
    May 21, 2017 at 2:13 pm
    Script works great. Thanks for your hard work
Neil Niekerk says:
June 6, 2017 at 8:40 pm
?
neil@Lexington:/etc/openvpn$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
“104.3.156.194”
mark@Lexington:/etc/openvpn$ sudo openvpn –client –config /etc/openvpn/client.conf
Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/client.conf
Chris says:
June 17, 2017 at 5:26 am
Server is set up, nicely. Love It !!!
I spent the past “month” trying to get any/all the online examples of “How to” to work, but always had problems. this is so very nobrainer on the “Server Side”, it’s GREAT !!!
However,
Client shows “Active (exited)” when I $ sudo /etc/init.d/openvpn status
I can PING 10.8.0.1 from my client, though
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
just hangs, then times out.
I open Firefox, and goto “GOOGLE.com”, it times out,
“Server not found”.
I’ve played with “proxy” and “no proxy” in Firefox. No change.
How do I tell ALL my traffic is going via the “tunnel”?
1. Vivek Gite says:
  June 17, 2017 at 7:30 am
  Existed means something is wrong on your client.
Chris says:
June 18, 2017 at 5:47 pm
That’s very true.
So after rebuilding my laptop (client, due to ALL the changes I had previously made to it over the past months following other “How To’s”, so I had a “clean slate” so to speak), I came up with the same behavior (Hey, at least I’m consistent !!!). So with the help of “other How To’s”, I noted I could get to google.com by IP address, but not by name (On the Server, I did a “PING GOOGLE.COM, got the IP address and entered it in a “PING” on the client). Ah Ha !!! DNS problem. So SEARCHing online, I found a solution that “worked”.
On the Client,
https://ubuntuforums.org/showthread.php?t=2352821&page=2
Edit ” /etc/resolvconf/resolv.conf.d/head ” and enter
nameserver 8.8.8.8
or whatever OpenDNS address you wish. I used
nameserver 208.67.222.123
nameserver 208.67.220.123
which is all throughout the OpenVPN code I set up for myself on the Server and my home gateways. Then I REBOOTed, to enable it all. I then did a ” PING GOOGLE.COM ” and it worked. So I brought up my browser and “Voala”, Google came up on the browser. It worked !!! Now, There’s a warning in the file you edited about it being overwritten. By what, I’d like to know, so it can be permanent and not overwritten. More SEARCHing …
1. Vivek Gite says:
  June 19, 2017 at 11:05 am
  Check this “How To: Make Sure /etc/resolv.conf Never Get Updated By DHCP Client“. HTH
Dustin says:
August 8, 2017 at 5:05 pm
I ran the script, and I can ping my servers local ip (192.168.1.227) but I cannot access the internet. I can’t connect to google by hostname or by just the ip
Asad says:
August 17, 2017 at 7:15 pm
Hi,
Just want to say thank you very much! Like many others I have spent days trying to do this through all the manual guides there are online but I would always screw up a step.
This worked out the box minus the /etc/resolv.conf DNS entires not updating themselves.
I added
script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf
to the client.ovpn file. This is a script that updates your DNS entry for you. you can find the script online.
EP says:
September 15, 2017 at 8:58 pm
I’m wondering where the admin web UI address is?
Its usually accessed via port 1143 or 5280 or 943 but none of those work.
My openvpn is working just fine, but I cant access the admin console to control it.
John Isaac says:
September 26, 2017 at 1:27 pm
Perfect and took less than 5 minutes , thanks for sharing .
Tony says:
September 26, 2017 at 4:32 pm
anyone know how to create more clients
thx
Özgür says:
October 7, 2017 at 2:12 pm
A-MA-ZING article! After a month-long researching and Google’ing all around, that was the only useful article on setting and configuring OpenVPN, in entire the Internet! Many thanks for this!
Best.
vishnu says:
November 29, 2017 at 11:32 am
Hi, I have 3 .OVPN file and I want to connect them all simultaneously. please help how to connect.
Rik says:
December 13, 2017 at 11:10 pm
Is there a way to add the openVPN webif GUI to change settings etc?
Thanks for the great and simple guide got it running first time.
1. Vivek Gite says:
  December 14, 2017 at 6:08 am
  I don’t think so.

Still, have a question? Get help on our forum!

Tagged as: /etc/rc.local, Network manager openvpn, ufw /etc/ufw/before.rules, ufw command, Advanced

Adblock detected 😱