Ubuntu 18.04 LTS Set Up OpenVPN Server In 5 Minutes

last updated in Categories , ,

I am a new Ubuntu Linux 18.04 LTS server user. How do I set up an OpenVPN Server on Ubuntu Linux version 18.04 LTS server to shield my browsing activity from bad guys on public Wi-Fi, and more?

Introduction OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is an open source software and distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as wifi network at the airport or hotel. VPN is also required to access your corporate or enterprise or home server resources. You can bypass the geo-blocked site and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN server on Ubuntu Linux 18.04 LTS server.


Procedure: Ubuntu 18.04 LTS Set Up OpenVPN Server In 5 Minutes

The steps are as follows:

Step 1 – Update your system

Run the apt command/apt-get command:
$ sudo apt update
$ sudo apt upgrade

Step 2 – Find and note down your IP address

Use the ip command as follows:
$ ip a
$ ip a show eth0

ip command get my IP address on Ubuntu Linux 18.04 LTS
Another option is to run the following dig command/host command to find out your public IP address from Linux command line:
$ dig +short myip.opendns.com @resolver1.opendns.com
dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}'
Find out my public IP address using the CLI

A note about IP address

Most cloud servers have two types of IP address:

  1. Public static IP address directly assigned to your box and routed from the Internet. For example, Linode, Digital Ocean, and others gives you direct public IP address.
  2. Private static IP address directly attached to your server and your server is behind NAT with public IP address. For example, AWS EC2/Lightsail give you this kind of NAT public IP address.

The script will automatically detect your networking setup. All you have to do is provide correct IP address when asked for it.

Step 3 – Download and run openvpn-install.sh script

I am going to use the wget command:
$ wget https://git.io/vpn -O openvpn-install.sh
Download openvpn-install.sh script to setup OpenVPN server in 5 minutes on Ubuntu
Setup permissions using the chmod command
$ chmod +x openvpn-install.sh
One can view the script using a text editor such as nano/vim:
$ vim openvpn-install.sh

Run openvpn-install.sh to install OpenVPN server

Now all you have to do is:
$ sudo ./openvpn-install.sh
Sample session from AWS/Lightsail where my cloud server is behind NAT:
Ubuntu 18.04 LTS Setup OpenVPN Server In 5 Minutes
Sample session from Linode/DO server where cloud server has direct public IPv4 address:
How To Setup OpenVPN Server In 5 Minutes on Ubuntu Linux
To avoid problem always choose DNS as or Google DNS. Those are fast DNS server and reached from anywhere on the Internet.

How do I start/stop/restart OpenVPN server on Ubuntu 18.04 LTS?

$ sudo systemctl stop openvpn@server # <--- stop server
$ sudo systemctl start openvpn@server # <--- start server
$ sudo systemctl restart openvpn@server # <--- restart server
$ sudo systemctl status openvpn@server # <--- get server status

Step 4 – Connect an OpenVPN server using IOS/Android/Linux/Windows client

On server your will find a client configuration file called ~/desktop.ovpn. All you have to do is copy this file to your local desktop using the scp command:
$ scp vivek@ .
Next, provide this file to your OpenVPN client to connect:

  1. Apple iOS client
  2. Android client
  3. Apple MacOS (OS X) client
  4. Windows 8/10 client

Linux Desktop: OpenVPN client configuration

First, install the openvpn client for your desktop, enter:
$ sudo yum install openvpn
$ sudo apt install openvpn
Next, copy desktop.ovpn as follows:
$ sudo cp desktop.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
$ sudo openvpn --client --config /etc/openvpn/desktop.conf
Your Linux system will automatically connect when computer restart using openvpn script/service:
$ sudo systemctl start openvpn@client # <--- start client service

Step 5 - Verify/test the connectivity

Execute the following commands after connecting to OpenVPN server from your Linux desktop:
$ ping #Ping to the OpenVPN server gateway
$ ip route #Make sure routing setup working
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Must return public IP address of OpenVPN server

A note about trouble shooting OpenVPN server and client issues

Check OpenVPN server for errors:
$ journalctl --identifier ovpn-server

OpenVPN server log files and error
Click to enlarge image

Is firewall rule setup correctly on your server? Use the cat command to see rules:
$ cat /etc/rc.local

#!/bin/sh -e
iptables -t nat -A POSTROUTING -s ! -d -j SNAT --to
exit 0

Another option is to run iptables command and sysctl command commands to verify NAT rule setup on your server:
$ sudo iptables -t nat -L -n -v
$ sysctl net.ipv4.ip_forward

NAT Firewall OpenVPN Rules Verification
Insert the rules if not inserted from /etc/rc.local
$ sudo sh /etc/rc.local
$ sudo sysctl -w net.ipv4.ip_forward=1

Is OpenVPN server running and port is open? Use the ss command or netstat command and pidof command/ps command:
$ netstat -tulpn | grep :1194 ## 1194 is the openvpn server port ##
$ ss -tulpn | grep :1194 ## 1194 is the openvpn server port ##
$ ps aux | grep openvpn ## is the openvpn server running? ##
$ ps -C openvpn ## is the openvpn server running? ##
$ pidof openvpn ## find the openvpn server PID ##

Verify that OpenVPN server runnign and Port is Open on ubuntu Linux
If not running, restart the OpenVPN server:
$ sudo systemctl restart openvpn@server
Look out for errors:
$ sudo systemctl status openvpn@server
Can the Linux desktop client connect to the OpenVPN server machine? First you need to run a simple test to see if the OpenVPN server port (UDP 1194) accepts connections:
$ nc -vu 1194
Connection to 1194 port [udp/openvpn] succeeded!

If not connected it means either a Linux desktop firewall or your router is blocking access to server. Make sure both client and server using same protocol and port, e.g. UDP port 1194.


Congratulations. You successfully set up an OpenVPN server on Ubuntu Linux 18.04 LTS server running in the cloud. See the OpenVPN website here, Github script page here, and Ubuntu page here for additional information.


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Notable Replies

  1. I’m quite surprised you pull up this approach. That installer script is full of issues, and tries to do stuff which is really not good.

    First of all … The CA setup here is insecure. It leaves an unprotected (yupp, no passwords!) CA private key on a publicly available server. So if this host is broken into, issuing new client and server certificates is a breeze. And with server certificates, setting up a MITM host is even simpler and users of that VPN won’t even notice.

    Secondly your advice to use the openvpn@.service unit files is bad. OpenVPN 2.4 has added several patches which requires newer unit files to integrate better with systemd. Without these integration steps, OpenVPN will not behave well within a systemd environment. In addition, we’ve started the path to restrict the privileges the OpenVPN process has as well. So rather put server configs into /etc/openvpn/server and client configs into /etc/openvpn/client and use the new openvpn-{client,server}@.service unit files. If the package maintainer is doing the right thing, the OpenVPN package should now carry the upstream version of systemd unit files and not the package maintainers version, so fixes should now be handled more centrally make all distros behave more or less the same way.

    But in general, such “quick setup scripts” need to be used with utmost carefulness and carefully reviewed before running them. Running random scripts from the Internet as root is a receipt for disaster if not carefully reviewed. Which is why the OpenVPN community recommends to go through this “Getting Started How-To” instead of various blog posts or “simple scripts”.


  2. yes, I will cover direct setup. Did you look into another script https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh ? This one seems to address most of your concern. What do you think?

  3. Yes, look into OpenVPN log file named /var/log/openvpn/status.log on server:

    sudo tail -f /var/log/openvpn/status.log
    grep 'public-IPv4-OR-IPv6-address' /var/log/openvpn/status.log
    grep 'private-IPv4-address' /var/log/openvpn/status.log

    This is how it looks:

    Updated,Sat May  2 09:07:27 2020
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    HomeLinuxDesktop,103.xxx.yyy.zzz:37719,153376,145685,Sat May  2 09:04:41 2020
    Virtual Address,Common Name,Real Address,Last Ref,HomeLinuxDesktop,103.xxx.yyy.zzz:37719,Sat May  2 09:07:26 2020
    fd42:42:42:42::1000,HomeLinuxDesktop,103.xxx.yyy.zzz:37719,Sat May  2 09:04:41 2020
    Max bcast/mcast queue length,0
  4. How to enable OpenVPN logs

    Add the following line in your /etc/openvpn/server.conf

    status /var/log/openvpn/status.log

    And restart the OpenVPN. You will have logs.

    Monitoring HTTPS URL

    This is tricky but doable. HTTPS by design encrypts everything, so there is no way to see what end users are doing. However, one can still see URLs if they want. Typically a proxy server such as SQUID is installed and it can do what you want (it is called SSL interception), but it put privacy and security of your users at risk due to MITM.

Continue the discussion www.nixcraft.com

3 more replies