OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is open source software distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as a wifi network at an airport or hotel. A VPN is also required to access your corporate, enterprise, or home server resources. You can bypass geo-blocked sites and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Ubuntu Linux 18.04/20.04 LTS (20.10), including ufw/iptables firewall configuration. The steps are as follows:
- Find and note down your public IP address
- Download openvpn-install.sh script
- Run openvpn-install.sh to install OpenVPN server
- Connect to the OpenVPN server using an iOS/Android/Linux/Windows client
- Verify your connectivity
NOTE: Ubuntu Linux 18.04 LTS or higher is needed to complete this tutorial. Older Ubuntu versions such as 14.04/16.04 LTS are no longer supported.
Find your public IP address
Use any one of the following commands to find out your public IPv4 address. If your interface name is eth0 or eth1, enter:
$ ip addr show eth0
OR
$ ip addr show eth1
Or use the host command or dig command as follows:
$ host myip.opendns.com resolver1.opendns.com
## get IPv4 ##
$ host myip.opendns.com resolver1.opendns.com
OR
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
## see IPv4 instead of default IPv6 ##
$ dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com
Download openvpn-install.sh script to set up OpenVPN server in 5 minutes on Ubuntu
Type the following wget command or curl command:
$ wget https://git.io/vpn -O openvpn-install.sh
wget grabbing the script:
--2020-12-09 09:15:57-- https://git.io/vpn
Resolving git.io (git.io)... 34.195.187.253, 52.87.143.234, 34.205.238.171, ...
Connecting to git.io (git.io)|34.195.187.253|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2020-12-09 09:15:57-- https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.124.133
Connecting to raw.github.com (raw.github.com)|151.101.124.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2020-12-09 09:15:57-- https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.124.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.124.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23079 (23K) [text/plain]
Saving to: 'openvpn-install.sh'
openvpn-install.sh 100%[==================>] 22.54K --.-KB/s in 0.001s
2020-12-09 09:15:57 (36.9 MB/s) - 'openvpn-install.sh saved [23079/23079]
We can review the downloaded script in a text editor such as nano or vim before running it as root:
$ nano openvpn-install.sh
Running openvpn-install.sh to install OpenVPN server
Type the following commands:
$ sudo chmod +x openvpn-install.sh
$ sudo bash openvpn-install.sh
Make sure you provide the needed information:
Welcome to this OpenVPN road warrior installer!
Which protocol should OpenVPN use?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 1
What port should OpenVPN listen to?
Port [1194]:
Select a DNS server for the clients:
   1) Current system resolvers
   2) Google
   3) 1.1.1.1
   4) OpenDNS
   5) Quad9
   6) AdGuard
DNS server [1]: 2
Enter a name for the first client:
Name [client]: iphone
OpenVPN installation is ready to begin.
Press any key to continue...
Once you press any key such as [Enter] key, you will see:
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1768.FjG9Gr/tmp.vQL9q8'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1768.FjG9Gr/tmp.FiauWW
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Dec 7 09:22:17 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Generating a RSA private key
....................................+++++
...................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1843.4USwJm/tmp.lOecLW'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1843.4USwJm/tmp.5j0n6q
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'iphone'
Certificate is to be certified until Dec 7 09:22:17 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1899.k6zZtP/tmp.riZi2R
An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service → /etc/systemd/system/openvpn-iptables.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /lib/systemd/system/openvpn-server@.service.
Finished!
The client configuration is available in: /root/iphone.ovpn
New clients can be added by running this script again.
Viewing the firewall rules set up for the OpenVPN server on Ubuntu
That is all. Your OpenVPN server has been configured and is ready to use. You can see the added firewall rules in the /etc/systemd/system/openvpn-iptables.service file:
$ sudo systemctl cat openvpn-iptables.service
Sample rules. Please do not edit them:
[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.105.102.90
ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.105.102.90
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:3c04::f03c:92ff:fe42:3d72
ExecStart=/usr/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStart=/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:3c04::f03c:92ff:fe42:3d72
ExecStop=/usr/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStop=/usr/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
You can view the OpenVPN server config file generated by the script as follows (again, do not edit this file by hand as it will break things for you):
$ sudo more /etc/openvpn/server/server.conf
Sample openvpn config:
local 172.105.102.90
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 fddd:1194:1194:1194::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
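The directives in this sample config that matter most for security can be checked read-only, without editing the file. The following is an added example, not part of the installer script or the original tutorial; the function names and both sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: read-only audit of an OpenVPN server.conf.
# Function names and the two sample files are constructed for illustration.

# Print the first argument of a directive (empty if the directive is absent).
conf_value() {  # conf_value <file> <directive>
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Succeed if the directive is the first word of any line. Commented-out
# lines ("#tls-crypt", ";tls-crypt") do not match because $1 differs.
conf_has() {    # conf_has <file> <directive>
    awk -v key="$2" '$1 == key { found = 1 } END { exit !found }' "$1"
}

# Print one FAIL:/WARN: line per finding; print nothing for a clean config.
audit_openvpn_conf() {
    local conf="$1" cipher auth user
    if ! conf_has "$conf" tls-crypt && ! conf_has "$conf" tls-auth; then
        echo "FAIL: no tls-crypt/tls-auth, TLS handshake is open to peers without the shared key"
    fi
    if ! conf_has "$conf" crl-verify; then
        echo "FAIL: no crl-verify, revoked client certificates would still be accepted"
    fi
    user=$(conf_value "$conf" user)
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "FAIL: daemon keeps root after startup (no user/group drop)"
    fi
    cipher=$(conf_value "$conf" cipher)
    case "$cipher" in
        BF-CBC|DES-CBC|DES-EDE3-CBC|CAST5-CBC|RC2-CBC)
            echo "FAIL: cipher $cipher has a 64-bit block (SWEET32)" ;;
    esac
    auth=$(conf_value "$conf" auth)
    case "$auth" in
        MD5|none) echo "FAIL: auth $auth gives weak or no packet authentication" ;;
    esac
    if conf_has "$conf" duplicate-cn; then
        echo "WARN: duplicate-cn lets several devices connect with one certificate"
    fi
    if conf_has "$conf" comp-lzo || conf_has "$conf" compress; then
        echo "WARN: compression directive present (VORACLE), confirm tunnel data is not compressed"
    fi
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Security-relevant lines copied from the sample config shown above.
cat > "$workdir/page.conf" <<'EOF'
port 1194
proto udp
auth SHA512
tls-crypt tc.key
cipher AES-256-CBC
user nobody
group nogroup
crl-verify crl.pem
EOF

# Constructed counter-example with the protections removed or weakened.
cat > "$workdir/weak.conf" <<'EOF'
port 1194
proto udp
auth SHA1
# tls-crypt tc.key
cipher BF-CBC
duplicate-cn
comp-lzo
EOF

echo "== page.conf =="; audit_openvpn_conf "$workdir/page.conf"
echo "== weak.conf =="; audit_openvpn_conf "$workdir/weak.conf"
```

On the server, point the function at /etc/openvpn/server/server.conf with sudo; it only reads the file.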
How do I start/stop/restart OpenVPN server on Ubuntu Linux 18.04/20.04 LTS and 20.10?
Run the following systemctl command to stop the OpenVPN service:
$ sudo systemctl stop openvpn-server@server.service
Want to start it again? Try:
$ sudo systemctl start openvpn-server@server.service
The command to restart the OpenVPN service:
$ sudo systemctl restart openvpn-server@server.service
View status of your OpenVPN systemd based service:
$ sudo systemctl status openvpn-server@server.service
● openvpn-server@server.service - OpenVPN service for server
   Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-12-09 09:22:18 UTC; 7min ago
   Docs: man:openvpn(8)
         https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
         https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 2017 (openvpn)
   Status: "Initialization Sequence Completed"
   Tasks: 1 (limit: 4610)
   Memory: 1.2M
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
           └─2017 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UDPv4 link local (bound): [AF_INET]172.105.102.90:1194
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UDPv4 link remote: [AF_UNSPEC]
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: GID set to nogroup
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UID set to nobody
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: MULTI: multi_init called, r=256 v=256
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=fddd:1194:1194:1194::1000
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL LIST
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: Initialization Sequence Completed
OpenVPN client configuration
On the server you will find a client configuration file called ~/iphone.ovpn. Use the find command to locate the OpenVPN config file:
$ sudo find / -type f -name "iphone.ovpn"
$ sudo find / -type f -name "*.ovpn"
Now, all you have to do is copy this file to your local desktop using scp and provide it to your OpenVPN client to connect:
$ scp root@172.105.102.90:~/iphone.ovpn .
Next, you need to download an OpenVPN client for your operating system or mobile device:
- Client for Apple iOS version 6.x or above
- Android client
- Apple MacOS (OS X)
- Windows 8/10 OpenVPN client
MacOS/OS X OpenVPN client configuration
Just double-click the iphone.ovpn file and it will open in your Tunnelblick client. Click “Only me” to install it:
Fig.03: MacOS / OS X openvpn client configuration
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
You can ping the OpenVPN server's private IP:
$ ping 10.8.0.1
Linux OpenVPN client configuration
First, install the openvpn client, enter:
$ sudo yum install openvpn
OR
$ sudo apt install openvpn
Next, copy iphone.ovpn as follows:
$ sudo cp iphone.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
$ sudo openvpn --client --config /etc/openvpn/client.conf
Your Linux system will automatically connect when the computer restarts, using the /etc/init.d/openvpn script:
$ sudo /etc/init.d/openvpn start
For systemd based system, use the following command:
$ sudo systemctl start openvpn@client
Test the OpenVPN connectivity on Linux desktop:
$ ping 10.8.0.1 #Ping to OpenVPN server gateway using the ping command
$ ip route #Make sure routing setup using the ip command
$ ip route get 10.8.0.1
#Make sure your public IP set to OpenVPN server
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
FreeBSD OpenVPN client configuration
First, install the openvpn client using the pkg command:
$ sudo pkg install openvpn
Next, copy iphone.ovpn as follows:
$ sudo mkdir -p /usr/local/etc/openvpn/
$ sudo cp iphone.ovpn /usr/local/etc/openvpn/client.conf
Edit /etc/rc.conf and add the following:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/client.conf"
Start the OpenVPN service:
$ sudo /usr/local/etc/rc.d/openvpn start
Verify it:
#Ping to OpenVPN server gateway from BSD
$ ping 10.8.0.1
#Make sure routing setup
$ netstat -nr
#Make sure your public IP set to OpenVPN server
$ drill myip.opendns.com @resolver1.opendns.com
How do I add a new client?
For demo purposes, let us add a new device called googlephone by running the script again:
$ sudo bash openvpn-install.sh
Looks like OpenVPN is already installed
What do you want to do?
   1) Add a cert for a new user
   2) Revoke existing user cert
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:
Select option 1 and type googlephone as a client name:
Tell me a name for the client cert
Please, use one word only, no special characters
Client name: googlephone
Generating a 2048 bit RSA private key
.........+++
.................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/googlephone.key.FNaDMaP56c'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'googlephone'
Certificate is to be certified until Sep 25 07:31:46 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Client googlephone added, certs available at ~/googlephone.ovpn
Now you can use googlephone.ovpn with a Google Android phone. You can add as many users as you want using this method.
How do I delete/revoke existing user certificate?
Run the script:
$ sudo bash openvpn-install.sh
Here is how it looks:
Looks like OpenVPN is already installed
What do you want to do?
   1) Add a cert for a new user
   2) Revoke existing user cert
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:
Type option 2 and you will see a list of all the existing client certificates, from which you select the one you want to revoke:
Select the existing client certificate you want to revoke
   1) iphone6
   2) googlephone
   3) delllaptop
   4) macbook
Select one client [1-4]: 2
Sample outputs when I revoked googlephone certificate:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Revoking Certificate 09.
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
Certificate for client googlephone revoked
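OpenVPN re-reads the CRL when a client connects or renegotiates, so a device that was connected at the moment of revocation can keep its session for a while. The following added example (not part of the installer script or the original tutorial) cross-checks the CA database against the status file to find such sessions. It assumes the EasyRSA database index.txt sits in the same pki directory as crl.pem and that the status file uses the --status-version 2 format seen in the systemctl output; all sample rows, names and addresses are constructed.

```bash
#!/usr/bin/env bash
# Added example: list revoked clients that still hold a VPN session.
# Assumed inputs: the EasyRSA/OpenSSL CA database (pki/index.txt) and an
# OpenVPN status file in --status-version 2 (comma-separated) format.

# Print the state letter (V=valid, R=revoked, E=expired) of the most recent
# certificate issued for a common name. Later rows win, so a client that was
# revoked and then re-added under the same name reports V.
latest_cert_state() {  # latest_cert_state <index.txt> <common name>
    awk -F'\t' -v want="$2" '
        { cn = $6; sub(/.*\/CN=/, "", cn); if (cn == want) state = $1 }
        END { print state }' "$1"
}

# Print "<common name> <real address> serial=<serial>" for every connected
# client whose most recent certificate is revoked.
revoked_still_connected() {  # revoked_still_connected <index.txt> <status file>
    awk '
        FNR == NR {                     # first file: tab-separated CA database
            split($0, f, "\t")          # status, expiry, revoked-at, serial, file, DN
            cn = f[6]; sub(/.*\/CN=/, "", cn)
            state[cn] = f[1]; serial[cn] = f[4]
            next
        }
        {                               # second file: status-version 2 rows
            split($0, s, ",")
            if (s[1] == "CLIENT_LIST" && state[s[2]] == "R")
                print s[2], s[3], "serial=" serial[s[2]]
        }
    ' "$1" "$2"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# Constructed CA database: googlephone is revoked; macbook was revoked and
# later re-issued, so its newest certificate is valid.
{
    printf 'V\t301207092217Z\t\t01\tunknown\t/CN=server\n'
    printf 'V\t301207092217Z\t\t02\tunknown\t/CN=iphone\n'
    printf 'R\t301207093146Z\t201209094500Z\t09\tunknown\t/CN=googlephone\n'
    printf 'R\t301207093500Z\t201209094600Z\t0A\tunknown\t/CN=macbook\n'
    printf 'V\t301207095000Z\t\t0B\tunknown\t/CN=macbook\n'
} > "$demo/index.txt"

# Constructed status file; addresses come from documentation ranges.
cat > "$demo/status.log" <<'EOF'
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,iphone,198.51.100.23:40112,10.8.0.2,fddd:1194:1194:1194::1000,52340,61822,Wed Dec  9 09:30:11 2020,1607506211,UNDEF,0,0
CLIENT_LIST,googlephone,203.0.113.7:51102,10.8.0.3,fddd:1194:1194:1194::1001,1840,2210,Wed Dec  9 09:41:02 2020,1607506862,UNDEF,1,1
CLIENT_LIST,macbook,192.0.2.44:60221,10.8.0.4,fddd:1194:1194:1194::1002,900,1200,Wed Dec  9 09:52:40 2020,1607507560,UNDEF,2,2
EOF

revoked_still_connected "$demo/index.txt" "$demo/status.log"
```

Any session it reports ends when the service is restarted with the systemctl restart command shown earlier, after which the client is rejected against the updated CRL.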
Conclusion
And there you have it, OpenVPN server installed in five minutes to increase your privacy. Please see OpenVPN project and road warrior installer Linux script. Let us know if you have any problems or comments in the comments section below.
5 minutes? It takes more time for sure. Where are keys.
Doesn’t look like 5 minutes to me and in fact it’s much, much simpler. Here is my cheat sheet (in Russian) http://eax.me/openvpn/ – this way it actually takes 5 minutes, I’ve checked many times.
Can we see a CentOS 7 version of this tutorial?
Cheers.
And… how to temporarily suspend a client?
no easy guide outsider there.
thx
Hey, what a great article you’ve written, has long sought something like this, I have many articles and information gathered on the subject of Open VPN for when it is their time to implement exactly what you suggest in this article, that just what I need, nothing more.
The option to download the article in pdf format of this blog is superior and much needed, although I use Pocket to store many items is very comfortable to save it to disk in a nicely formatted pdf.
Can you make the option “Download to PDF” print the comments and related posts? your blog provides highly valuable information and deserves this option.
A fan, Thanks.
Thanks for the feedback. It required too much programming or changes to include the comments and related post in pdf file. I can’t promise anything but I will look into it when I’ve some free time.
Nice guide, how about adding users as this only shows the one user during setup
I will add it soon. Thanks for the feedback.
Hello Vivek,
Please can you add a guide of how to add users/clients
I updated info about adding a new client and deleting existing one. HTH
First a brief note:
sudo openvpn-install.sh did not work for me
I had to do bash openvpn-install.sh to make it work.
Hi, I’m trying to do this in a Lubuntu 14.04 LTS 2007 MacBook Laptop connected to a WiFi network, is this possible? I know you specify that is a Ubuntu Server.
The script ran successfully, but the first step in where he had to enter the IP address, showed the local network address 192.168.0.25 and change it to the public IP address that showed me the command: dig +short myip.opendns.com @resolver1.opendns.com
When I try to connect another Asus Linux Client Lubuntu 14.04, I note that your public IP address Unchanging remains in
Here is some of the output produced by my client:
Mon 4 July 2016 3:10:25 SIGUSR1 [soft, tls-error] received, process restarting
Mon 4 July 2016 3:10:25 Restart pause, 2 second (s)
Mon 4 July 2016 3:10:27 Socket Buffers: R = [212992-> 212992] S = [212992-> 212992]
3:10:27 Mon 4 July 2016 Local UDPv4 link: [undef]
Mon 4 July 2016 3:10:27 UDPv4 link remote: [AF_INET] 82.250.240.108:1194
3:11:27 Mon 4 July 2016 TLS Error: TLS key negotiation failed to Occur Within 60 seconds (check your network connectivity)
3:11:27 Mon 4 July 2016 TLS Error: TLS handshake failed
Mon 4 July 2016 3:11:27 SIGUSR1 [soft, tls-error] received, process restarting
Mon 4 July 2016 3:11:27 Restart pause, 2 second (s)
Mon 4 July 2016 3:11:29 Socket Buffers: R = [212992-> 212992] S = [212992-> 212992]
3:11:29 Mon 4 July 2016 Local UDPv4 link: [undef]
Mon 4 July 2016 3:11:29 UDPv4 link remote: [AF_INET] 82.250.240.108:1194
3:12:29 Mon 4 July 2016 TLS Error: TLS key negotiation failed to Occur Within 60 seconds (check your network connectivity)
3:12:29 Mon 4 July 2016 TLS Error: TLS handshake failed
Mon 4 July 2016 3:12:29 SIGUSR1 [soft, tls-error] received, process restarting
Mon 4 July 2016 3:12:29 Restart pause, 2 second (s)
Mon 4 July 2016 3:12:31 Socket Buffers: R = [212992-> 212992] S = [212992-> 212992]
3:12:31 Mon 4 July 2016 Local UDPv4 link: [undef]
Mon 4 July 2016 3:12:31 UDPv4 link remote: [AF_INET] 82.250.240.108:1194
My goal is to assemble an experimental home domestic vpn, web traffic to route and connect via ssh as if it were a LAN network to Backups or systems management work.
Thanks greetings.
Sorry for the hasty and mistranslation, at the beginning I meant:
First a brief note:
$ sudo openvpn-install.sh did not work for me
$ bash openvpn-install.sh is what I had to do to make it work
ASCII Diagram Fail
See Using routing and OpenVPN not running on the default gateway
https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
AES-128? Replace that with AES-256.
hi. amazing tutorial. it took me less than 5 minutes in my server (192.168.1.1/24). now all remote clients(10.8.0.0/24) can easily access the server. i would like to have all the remote clients to be able to see the rest of the LAN where the server is (192.168.1.0/24). The server is ubuntu
I’m working on trying to configure that same setup now. From what I understand is you need to bridge the two networks under one subnet. Still not sure how to do that.
can you please also help me to resolve this issue? my scenario is like:
Public IP of VPN server: xxx.xxx.xxx.xxx
LAN IP of VPN server: 10.0.0.XXX
Clients are getting IP: 10.8.0.XXX
I want my client to connect all LAN network.
all help is appreciated in advance
has anyone resolved this problem yet?
Excellent Tutorial – Thanks !!!
this tutorial did not work for me: the following is the log of my openvpn client:
could you assist me to resolve the problem?
I use ubuntu16.04
I failed to start openvpn
This is error detail:
daemon() failed or unsupported: Resource temporarily unavailable (errno=11)
Thank you for the tutorial. That script is pretty awesome.
I’m running into an issue though. Under the client configuration part I don’t seem to have the .ovpn file that I am supposed to copy to the client machine. Where did I go wrong? Any tips or assistance would be greatly appreciated.
Wouldn’t use this script or guide guys. Sets up a hidden account on your server that you install openvpn on. Right after I set it up I got three logins from India. Even the IP he lists in the tutorial is India based. Just a heads up I wouldn’t use this.
The script is open source. There is no hidden account created on your server. You are just making a claim out of /dev/null.
The script worked great.
Before that I tried it manually, but did not get the IPTABLES to work.
Thank you very much!
how to add user authentication
It works perfectly, thank you!!!!
Wow, not a tutorial (I like to understand what’s happening) but I was up and running in 5 minutes on my testserver. Thanks a lot!
Hah. Yes. You can read the script to understand what’s happening. Just use a text editor.
of course, I know and I did, to learn something and to see if there are no malicious parts (trust no one ;))
Excellent tutorial, really useful everything working perfectly fine for me.
Only one question, now I have access to my entire LAN with OpenVPN also to my router, which I would like to block for the client that will connect to my home server.
How can I block internal LAN static IP Addresses?
Thanks a lot again!
Hi @all,
you want it in 5 min with routing and a good gui.
Look at http://pritunl.com/
you can use your standard openvpn client.
Moep
Thanks for this script!
Can anyone help me out
Hey, I just setup this with my DigitalOcean VPS server. As Vivek said, it took me exactly five minutes. Thanks boss.
Hi, how to add password for client?
Find a line of creating SSL certificate in the script and remove “nopass”:
Thanks, it works!
…But my client can’t see the samba shares on the openvpn server.
And yes, samba is set as a wins server.
Need help please.
Everything is up and running, all of your sample outputs match mine… Up to the point where I’ve moved the ovpn file to my desktop and opened it in Tunnelblick (mac osx), but it’s not connecting. It looks like I’m having the same error message as someone above that never got a response. Do you have any advice as to why the .ovpn file isn’t working to connect Tunnelblick?
2017-05-11 12:06:18 OpenVPN 2.3.14 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jan 28 2017
2017-05-11 12:06:18 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
2017-05-11 12:06:18 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-05-11 12:06:18 Need hold release from management interface, waiting…
2017-05-11 12:06:18 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-05-11 12:06:18 *Tunnelblick: openvpnstart starting OpenVPN
2017-05-11 12:06:18 *Tunnelblick: Established communication with OpenVPN
2017-05-11 12:06:18 MANAGEMENT: CMD 'pid'
2017-05-11 12:06:18 MANAGEMENT: CMD 'state on'
2017-05-11 12:06:18 MANAGEMENT: CMD 'state'
2017-05-11 12:06:18 MANAGEMENT: CMD 'bytecount 1'
2017-05-11 12:06:18 MANAGEMENT: CMD 'hold release'
2017-05-11 12:06:18 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-05-11 12:06:18 Control Channel Authentication: tls-auth using INLINE static key file
2017-05-11 12:06:18 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-05-11 12:06:18 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-05-11 12:06:18 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-05-11 12:06:18 UDPv4 link local: [undef]
2017-05-11 12:06:18 UDPv4 link remote: [AF_INET]75.174.28.41:1194
2017-05-11 12:06:18 MANAGEMENT: >STATE:1494525978,WAIT,,,
2017-05-11 12:07:18 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-05-11 12:07:18 TLS Error: TLS handshake failed
How many total clients are allowed with this script setup? Thanks in advance.
There is no limit
Script works great. Thanks for your hard work
?
neil@Lexington:/etc/openvpn$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
"104.3.156.194"
mark@Lexington:/etc/openvpn$ sudo openvpn --client --config /etc/openvpn/client.conf
Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/client.conf
Server is set up, nicely. Love It !!!
I spent the past “month” trying to get any/all the online examples of “How to” to work, but always had problems. this is so very nobrainer on the “Server Side”, it’s GREAT !!!
However,
Client shows “Active (exited)” when I $ sudo /etc/init.d/openvpn status
I can PING 10.8.0.1 from my client, though
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
just hangs, then times out.
I open Firefox, and goto “GOOGLE.com”, it times out,
“Server not found”.
I’ve played with “proxy” and “no proxy” in Firefox. No change.
How do I tell ALL my traffic is going via the “tunnel”?
Exited means something is wrong on your client.
That’s very true.
So after rebuilding my laptop (client, due to ALL the changes I had previously made to it over the past months following other “How To’s”, so I had a “clean slate” so to speak), I came up with the same behavior (Hey, at least I’m consistent !!!). So with the help of “other How To’s”, I noted I could get to google.com by IP address, but not by name (On the Server, I did a “PING GOOGLE.COM, got the IP address and entered it in a “PING” on the client). Ah Ha !!! DNS problem. So SEARCHing online, I found a solution that “worked”.
On the Client,
https://ubuntuforums.org/showthread.php?t=2352821&page=2
Edit ” /etc/resolvconf/resolv.conf.d/head ” and enter
nameserver 8.8.8.8
or whatever OpenDNS address you wish. I used
nameserver 208.67.222.123
nameserver 208.67.220.123
which is all throughout the OpenVPN code I set up for myself on the Server and my home gateways. Then I REBOOTed, to enable it all. I then did a ” PING GOOGLE.COM ” and it worked. So I brought up my browser and “Voala”, Google came up on the browser. It worked !!! Now, There’s a warning in the file you edited about it being overwritten. By what, I’d like to know, so it can be permanent and not overwritten. More SEARCHing …
Check this “How To: Make Sure /etc/resolv.conf Never Get Updated By DHCP Client“. HTH
I ran the script, and I can ping my servers local ip (192.168.1.227) but I cannot access the internet. I can’t connect to google by hostname or by just the ip
Hi,
Just want to say thank you very much! Like many others I have spent days trying to do this through all the manual guides there are online but I would always screw up a step.
This worked out of the box minus the /etc/resolv.conf DNS entries not updating themselves.
I added
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
to the client.ovpn file. This is a script that updates your DNS entry for you. You can find the script online.
I’m wondering where the admin web UI address is?
Its usually accessed via port 1143 or 5280 or 943 but none of those work.
My openvpn is working just fine, but I can't access the admin console to control it.
Perfect and took less than 5 minutes , thanks for sharing .
anyone know how to create more clients
thx
A-MA-ZING article! After a month-long researching and Google’ing all around, that was the only useful article on setting and configuring OpenVPN, in the entire Internet! Many thanks for this!
Best.
Hi, I have 3 .OVPN file and I want to connect them all simultaneously. please help how to connect.
Is there a way to add the openVPN webif GUI to change settings etc?
Thanks for the great and simple guide got it running first time.
I don’t think so.
Outstanding script congrats!!!
I've a problem: it seems that the openvpn service is trying to open
the server.conf from the wrong folder
journalctl -xe --> Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/server.conf
it makes some sense because the folder structure is
ls /etc/openvpn/
client server
and in /lib/systemd/system/openvpn@.service
the line
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
shows: --config /etc/openvpn/%i.conf
and it should be
--config /etc/openvpn/server/%i.conf
I guess
I'm new in this, no experience at all. What do you suggest to do?
Editing the service?
Thanks in advance!!
Daniel
Update
systemctl list-units
openvpn-iptables.service loaded active exited openvpn-iptables.service
openvpn-server@server.service loaded active running OpenVPN service for server
openvpn.service loaded active exited OpenVPN service
openvpn@server.service loaded activating auto-restart OpenVPN connection to server
I don't understand what the differences are between the last three
can anyone help with this issue ?
I have installed the server as above but am getting many errors in the log.
It seems that 2 services have been defined and one fails every few seconds.
Nov 11 16:11:28 vm8 systemd[1]: openvpn-server@…: Service hold-off time over, scheduling restart.
Nov 11 16:11:28 vm8 systemd[1]: openvpn-server@…: Scheduled restart job, restart counter is at 4034009.
Nov 11 16:11:28 vm8 systemd[1]: Stopped OpenVPN service for server.service.
Nov 11 16:11:28 vm8 systemd[1]: Starting OpenVPN service for server.service…
Nov 11 16:11:28 vm8 openvpn[11582]: Options error: In [CMD-LINE]:1: Error opening configuration file: server.service.conf
Nov 11 16:11:28 vm8 openvpn[11582]: Use --help for more information.
Nov 11 16:11:28 vm8 systemd[1]: openvpn-server@…: Main process exited, code=exited, status=1/FAILURE
Nov 11 16:11:28 vm8 systemd[1]: openvpn-server@…: Failed with result 'exit-code'.
Nov 11 16:11:28 vm8 systemd[1]: Failed to start OpenVPN service for server.service.
Ubuntu 18.04.4 LTS
openvpn candidate 2.4.4-2ubuntu1.3
Any ideas how to fix this ?
OpenVPN says it's not a bug …
https://community.openvpn.net/openvpn/ticket/1353
root@vm8:~# sudo systemctl|grep openvpn
openvpn-iptables.service loaded active exited openvpn-iptables.service
openvpn-server@server.service loaded active running OpenVPN service for server
openvpn-server@server.service.service loaded activating auto-restart OpenVPN service for server.service
openvpn.service loaded active exited OpenVPN service
system-openvpn\x2dserver.slice loaded active active system-openvpn\x2dserver.slice