Ubuntu 20.04 LTS Set Up OpenVPN Server In 5 Minutes

I am a new Ubuntu Linux 20.04 LTS server system administrator. How can I set up an OpenVPN Server on an Ubuntu Linux version 20.04 LTS server to shield my browsing activity from bad guys on public Wi-Fi, encrypt all traffic while connecting to 4G LTE network, and more?

Introduction OpenVPN is extremely popular and a full-featured SSL VPN (Virtual Private Network) software. It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. Like much other popular software, it is open-source, free software and distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as wifi network at the airport or hotel. In many enterprises and government offices, VPN is needed to access your corporate server resources. Another widespread usage to bypass the geo-blocked sites/apps and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN server on Ubuntu Linux 20.04 LTS server.
Tutorial requirements
RequirementsUbuntu Linux 20.04 LTS
Root privileges Yes
Difficulty Intermediate
Est. reading time 5 minutes

Procedure: Ubuntu 20.04 LTS Set Up OpenVPN Server In 5 Minutes

The steps are as follows:

Step 1 – Update your system

First, run the apt command to apply security updates:
sudo apt update
sudo apt upgrade

Update software on Ubuntu 20.04 box

Step 2 – Find and note down your IP address

Use the ip command as follows:
ip a
ip a show eth0

ip command get my IP address on Ubuntu Linux 20.04 LTS
Alternatively we can run the following dig command/host command to find out our public IP address from Linux command line itself:
dig +short myip.opendns.com @resolver1.opendns.com
## Get IPv4 ##
dig -4 +short myip.opendns.com @resolver1.opendns.com
## Find IPv6 ##
dig -6 +short myip.opendns.com @resolver1.opendns.com
## OR ##
dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}'

Find out my public IP address using the CLI

A note about IP address assigned to your server

Most cloud and bare-metal servers have two types of IP address provided by the ISP:

  1. Public static IP address directly assigned to your box and routed from the Internet. For example, Linode, Digital Ocean, and others give you direct public IP address.
  2. Private static IP address directly attached to your server and your server is behind NAT with public IP address. For example, AWS EC2/Lightsail give you this kind of NAT public IP address.

The script will automatically detect your networking setup. All you have to do is provide a correct IP address when asked for it.

Step 3 – Download and run openvpn-install.sh script

I am going to use the wget command as follows:
wget https://git.io/vpn -O openvpn-ubuntu-install.sh
Download openvpn-ubuntu-install.sh script to setup OpenVPN server in 5 minutes on Ubuntu

ATTENTION: Do you want password authentication along with certificates? Try the following:

wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh -O openvpn-ubuntu-install.sh

Now we downloaded the script and it is time to make it executable. Hence, set up permissions using the chmod command:
chmod -v +x openvpn-ubuntu-install.sh
mode of 'openvpn-ubuntu-install.sh' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)

One can view the script using a text editor such as nano/vim:
nano openvpn-ubuntu-install.sh

Run openvpn-ubuntu-install.sh script to install OpenVPN server

Now all you have to do is:
sudo ./openvpn-ubuntu-install.sh
Sample session from AWS/Lightsail where my cloud server is behind NAT:
Ubuntu 20.04 LTS Setup OpenVPN Server In 5 Minutes
Sample session from Linode/DO server where cloud server has direct public IPv4 address:
How To Setup OpenVPN Server In 5 Minutes on Ubuntu 20.04 LTS

If you downloaded the second script as per step #3, you could set up a password for the client too. Here is how it will look on your screen:

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: linuxdesktop

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 2

⚠️ You will be asked for the client password below ⚠️

I strongly suggest that you always choose the DNS server option as 1.1.1.1 or Google DNS or any other DNS service provided that you trust as per your needs. Make sure you choose fast Geo-distributed DNS servers and reached from anywhere on the Internet. At the end we should see information as follows:

Your client configuration is available at: /root/linuxdesktop.ovpn
If you want to add more clients, just run this script again!

How do I start/stop/restart OpenVPN server on Ubuntu 20.04 LTS?

We need to use the systemctl command as follows:

Stop the OpenVPN server

sudo systemctl stop openvpn-server@server.service
## OR when using password to protect vpn ##
sudo systemctl stop openvpn@server.service

Start the OpenVPN server

sudo systemctl start openvpn-server@server.service
## OR when using password to protect vpn ##
sudo systemctl start openvpn@server.service

Restart the OpenVPN server after changing configuration options

sudo systemctl restart openvpn-server@server.service
## OR when using password to protect vpn ##
sudo systemctl restart openvpn@server.service

Show status of the OpenVPN server

sudo systemctl status openvpn-server@server.service
## OR when using password to protect vpn ##
sudo systemctl status openvpn@server.service

 openvpn-server@server.service - OpenVPN service for server
     Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2020-06-16 09:01:19 UTC; 4min 39s ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 1982 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 2282)
     Memory: 1.1M
     CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
             └─1982 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf

Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: UDPv4 link local (bound): [AF_INET]172.104.177.197:1194
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: UDPv4 link remote: [AF_UNSPEC]
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: GID set to nogroup
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: UID set to nobody
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: MULTI: multi_init called, r=256 v=256
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=fddd:1194:1194:1194::1000
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: IFCONFIG POOL LIST
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: Initialization Sequence Completed

Warning: AWS EC2/Lightsail users need to open the default OpenVPN port UDP/1194 using Amazon EC2 security groups for the Linux instances feature. Run the following ss command to see your OpenVPN port on EC2 cloud instance:
sudo ss -tulpn | grep -i openvpn

AWS EC2 Lightsail Open OpenVPN UDP port 1194 using Firewall

OpenVPN UDP port 1194 opened using AWS EC2/Lightsail Linux instance

Step 4 – Connect an OpenVPN server using iOS/Android/Linux/Windows desktop client

Note for Windows user: Please download scp clients such as PSCP or WinSCP to copy the .ovpn file to your Windows machine. Some versions of windows may come with both ssh/sftp/ssh clients.

On server your will find a client configuration file called /root/linuxdesktop.ovpn. All you have to do is copy this file to your local desktop using the scp command:
scp root@172.104.177.197:/root/linuxdesktop.ovpn .
If root is not allowed to log in into the server, try the following scp command:
ssh vivek@172.104.177.197 "sudo -S cat /root/linuxdesktop.ovpn" > linuxdesktop.ovpn
Next, provide this file to your OpenVPN client to connect:

  1. Apple iOS client
  2. Android client
  3. Apple MacOS (OS X) client
  4. Windows 8/10 client

Tip: Forgotten your .opvn file location on the Ubuntu 20.04 LTS server? Try locating by typing the following command:
sudo find / -iname "*.ovpn"

Unable to bind service to VPN port?

It would help if you force Linux to bind an IP address that doesn’t exist with net.ipv4.ip_nonlocal_bind Linux kernel option. For example, during Ubuntu 20.04 LTS startup (boot) time, OpenVPN IP addresses such as 10.8.0.1/32 may not be available to services such as HTTPD or SSHD. Edit the following file:
$ sudo nano /etc/sysctl.d/1000-force-openvpn-bind.conf
## OR when using password to protect vpn ##
$ sudo vim /etc/sysctl.d/1000-force-openvpn-bind.conf

Append the following:

net.ipv4.ip_nonlocal_bind=1

Reload changes using the sysctl command:
$ sudo sysctl -p /etc/sysctl.d/1000-force-openvpn-bind.conf

Linux Desktop: OpenVPN client configuration

First, install the openvpn client for your desktop using the yum command/dnf command/apt command:
sudo dnf install openvpn
OR
sudo apt install openvpn
Next, copy desktop.ovpn as follows:
sudo cp linuxdesktop.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
sudo openvpn --client --config /etc/openvpn/client.conf
Your Linux system will automatically connect when computer restart using openvpn script/service:
sudo systemctl start openvpn@client # <--- start client service

Step 5 – Verify/test the connectivity

Simply visit this page to check your IP address and it much change to your VPN server IP address. Next, execute the following commands after connecting to OpenVPN server from your Linux desktop:
ping 10.8.0.1 #Ping to the OpenVPN server gateway
ip route #Make sure routing setup working
## the following must return public IP address of OpenVPN server ##
dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

OpenVPN connectivity verification

Step 6 – How to add or remove a new VPN user with a certificate

You need to run the same script again for adding or removing a new VPN user to TLS certificate. For instance:
$ sudo ./openvpn-ubuntu-install.sh
You will see menu as follows:

OpenVPN is already installed.

Select an option:
   1) Add a new client
   2) Revoke an existing client
   3) Remove OpenVPN
   4) Exit
Option: 

Choose option # 1 to add a new VPN client/user and option # 2 to remove the existing VPN client and user. Let us add a new client/user called iphone:
How to Ubuntu 20.04 LTS OpenVPN add or remove a new user

A note about trouble shooting OpenVPN server and client issues

Type the following commands on your Ubuntu 20.04 Linux LTS server. First, check OpenVPN server for errors:
sudo journalctl --identifier openvpn

-- Logs begin at Tue 2020-06-16 08:53:36 UTC, end at Tue 2020-06-16 09:09:57 UTC. --
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: Diffie-Hellman initialized with 2048 bit key
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: TUN/TAP device tun0 opened
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: TUN/TAP TX queue length set to 100
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: /sbin/ip link set dev tun0 up mtu 1500
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: /sbin/ip -6 addr add fddd:1194:1194:1194::1/64 dev tun0
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: UDPv4 link local (bound): [AF_INET]45.79.125.234:1194
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: UDPv4 link remote: [AF_UNSPEC]
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: GID set to nogroup
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: UID set to nobody
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: MULTI: multi_init called, r=256 v=256
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=fddd:1194:1194:1194::1000
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: IFCONFIG POOL LIST
Jun 16 09:01:19 sg-vpn-001 openvpn[1982]: Initialization Sequence Completed

Is firewall rule setup correctly on your server? Use the cat command to see rules:
sudo cat /etc/systemd/system/openvpn-iptables.service
## OR when using password to protect vpn ##
sudo cat /etc/systemd/system/iptables-openvpn.service

Config:

[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.104.177.197
ExecStart=/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.104.177.197
ExecStop=/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2400:8901::f03c:92ff:fe3e:cf92
ExecStart=/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStart=/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2400:8901::f03c:92ff:fe3e:cf92
ExecStop=/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStop=/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

Another option is to run iptables command and sysctl command commands to verify NAT rule setup on your server:
sudo iptables -t nat -L -n -v
sysctl net.ipv4.ip_forward
sudo cat /etc/sysctl.d/30-openvpn-forward.conf
## OR when using password to protect vpn ##
sudo cat /etc/sysctl.d/99-openvpn.conf

OpenVPN verify NAT and firewall forwarding rules on Linux

NAT Firewall OpenVPN Rules Verification

Insert the rules if not inserted using the following command:
sudo systemctl start openvpn-iptables.service
## OR when using password to protect vpn ##
sudo systemctl start iptables-openvpn.service
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -p -f /etc/sysctl.d/30-openvpn-forward.conf
## OR when using password to protect vpn ##
sudo sysctl -p -f /etc/sysctl.d/99-openvpn.conf

Is OpenVPN server running and port is open? Use the ss command or netstat command and pidof command/ps command:
## 1194 is the openvpn server port ##
netstat -tulpn | grep :1194
## 1194 is the openvpn server port ##
ss -tulpn | grep :1194
## is the openvpn server running? ##
ps aux | grep openvpn
## is the openvpn server running? ##
ps -C openvpn
## find the openvpn server PID ##
pidof openvpn

Verify that OpenVPN server runnign and Port is Open on ubuntu Linux
If not running, restart the OpenVPN server:
sudo systemctl restart openvpn-server@server.service
Look out for errors:
sudo systemctl status openvpn-server@server.service
Can the Linux desktop client connect to the OpenVPN server machine? First you need to run a simple test to see if the OpenVPN server port (UDP 1194) accepts connections:
nc -vu 172.104.177.197 1194
Connection to 172.104.177.197 port [udp/openvpn] succeeded!

If not connected it means either a Linux desktop firewall or your router is blocking access to server. Make sure both client and server using same protocol and port, e.g. UDP port 1194.

Conclusion

Congratulations. You successfully set up an OpenVPN server on Ubuntu Linux 20.04 LTS server running in the cloud. See the OpenVPN website here, Ubuntu page here and Github script page here for additional information.


🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 57 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf ncdu pydf
File Managementcat tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
57 comments… add one
  • German boy Sep 13, 2020 @ 6:58

    Great work. Worked flawlessly on my Ubuntu 20.04 LTS AWS EC2 server. Thank you from Germany.

  • Terêncio Manuel da Conceição Sep 16, 2020 @ 0:00

    boa noite, eu gostaria de criar um certificado para cada usuário q fosse acessar o servidor VPN, na sua explicação não ta claro como criar certificados separadamente, me ajude por favor

    • 🐧 Vivek Gite Oct 12, 2020 @ 10:54

      Sorry about the delay. I added info about adding or deleting VPN client/user. See step # 6.

  • Anurag Bisht Oct 11, 2020 @ 19:33

    Does not work.

  • Paul Oct 17, 2020 @ 12:14

    Hi,

    great work. I have some problems first it says in sudo systemctl status openvpn-server@server.service
    – Could not determine IPv4/IPv6 protocol. Using AF_inet

    Second error is from portchecker(https://www.yougetsignal.com/tools/open-ports/) it says Port 443 is not open, although I allowed it on the firewall of my router(Port 443(UDP) and it is forwarded to the server)…any Ideas?

    And last question can I let it auto start when i startup ubuntu?

    Looking forward to hearing from you soon.

    kind regards
    Paul

    • Paul Oct 17, 2020 @ 13:55

      And another question: Can I change DNS into my internal DNS (172.16.155.x) and can I change IP-Adresses given to client to from 10.0.0.x to 172.16.155.x ?
      kind regards
      Paul

      • 🐧 Vivek Gite Oct 21, 2020 @ 1:10

        yes, you can change dns in config file such as /etc/openvpn/server/server.conf

        push "dhcp-option DNS 172.26.187.4"
        
        • Paul Oct 27, 2020 @ 17:30

          And can I change IP-Adresses given to client to from 10.0.0.x to 172.16.155.x (change the dhcp options,range…)

          • 🐧 Vivek Gite Oct 28, 2020 @ 4:57

            Yes, you can change it but remember you need to update firewall rules and open correct port/ip ranges too.

    • Paul Oct 17, 2020 @ 14:14

      This is the exact LOG:

      openvpn-server@server.service - OpenVPN service for server
           Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: enabled)
           Active: active (running) since Sat 2020-10-17 16:13:10 CEST; 4s ago
             Docs: man:openvpn(8)
                   https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
                   https://community.openvpn.net/openvpn/wiki/HOWTO
         Main PID: 7649 (openvpn)
           Status: "Initialization Sequence Completed"
            Tasks: 1 (limit: 7069)
           Memory: 1.0M
           CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
                   └─7649 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
      
      Okt 17 16:13:10 VPN-SERVER openvpn[7649]: Could not determine IPv4/IPv6 protocol. Using AF_INET
      Okt 17 16:13:10 VPN-SERVER openvpn[7649]: Socket Buffers: R=[212992->212992] S=[212992->212992]
      Okt 17 16:13:10 VPN-SERVER openvpn[7649]: UDPv4 link local (bound): [AF_INET]172.16.155.20:443
      Okt 17 16:13:10 VPN-SERVER openvpn[7649]: UDPv4 link remote: [AF_UNSPEC]
      Okt 17 16:13:10 VPN-SERVER openvpn[7649]: GID set to nogroup
      Okt 17 16:13:10 VPN-SERVER openvpn[7649]: UID set to nobody
      Okt 17 16:13:10 VPN-SERVER openvpn[7649]: MULTI: multi_init called, r=256 v=256
      Okt 17 16:13:10 VPN-SERVER openvpn[7649]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
      Okt 17 16:13:10 VPN-SERVER openvpn[7649]: IFCONFIG POOL LIST
      Okt 17 16:13:10 VPN-SERVER openvpn[7649]: Initialization Sequence Completed
      
    • 🐧 Vivek Gite Oct 21, 2020 @ 1:11

      Is port 443 open on the server by the OpenVPN?

      Check your firewall config.

  • Juan Pablo Oct 25, 2020 @ 3:25

    Hi Dude! Awesome you script its run flawless but i have a problem when i add a 2nd autentication via PAM authentication….
    i put the “plugin /etc/openvpn/openvpn-plugin-auth-pam.so login” into /etc/openvpn/server.conf and edit the .ovpn file with “auth-user-pass” the client show the windows and i put any user any password and always connect!!! never show an error always connect using any user / password. i dont know why? i see in syslog this:

    Oct 25 00:15:27 ubuntu ovpn-server[33607]: PLUGIN_INIT: POST /etc/openvpn/openvpn-plugin-auth-pam.so '[/etc/openvpn/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY

    But never show the ERROR and the VPN always connect…. so i need the 2nd factor authentication for security reasons.
    Thanks you!

  • EvenJ Oct 26, 2020 @ 12:22

    I was having issues with my 20.04 after ugrading from 18.04, your post made my search for what was wrong easy. Thanks!

  • Frank Oct 29, 2020 @ 2:28

    I got issue , after change the path :
    ExecStart=/sbin/iptables
    work after change to this
    ExecStart= iptables

  • Frank Oct 29, 2020 @ 2:30

    ExecStart=/sbin/iptables
    probably should be
    ExecStart= iptables

    my vpn fixed after changed this one.

  • Joe Oct 30, 2020 @ 3:45

    i have some issue in here

    it’s said:

    I’d tried reinstall but it’s doesn’t work! Please help. Thanks you so much.

    • 🐧 Vivek Gite Oct 30, 2020 @ 6:14

      What issues? You need to provide details. I can’t guess it.

  • Camila Oct 30, 2020 @ 6:13

    This is so awesome. I configured my DigitalOcean server and it worked so good. I rebooted the box and it still works. Can I install Apache web server along with OpenVPN. I think it is possible as Apache will use the tcp-{443/80} ports and OpenVPN use the 1149/UDP port. please give advice.

  • Someone Nov 14, 2020 @ 2:03

    Thanks a lot it works great

  • Ihor Nov 18, 2020 @ 15:59

    What about WebUI by IP:943?

  • Big O Nov 23, 2020 @ 8:04

    Why do we use UDP protocol for OpenVPN server?

  • Michael Nov 23, 2020 @ 22:25

    Thanks Vivek. Works like a charm. Had it up and running within 5 minutes like advertised.

  • Pietro Nov 23, 2020 @ 23:42

    hello, thanks for the tool and help to the community. I have 2 public IP addresses on the server, is it possible to use one as entry and other as exit? cheers

    • 🐧 Vivek Gite Nov 24, 2020 @ 7:09

      OpenVPN do not provide such option but I guess one can configure firewall policy to route traffic using iptables.

  • Patik Dec 5, 2020 @ 23:45

    hey, thx for the help. It works but I want to ask, is this way of configuring the vpn secure enough? Digitalocean tutorial, keypairs and encrypts the hell out it while configuring. So this basic way of setup left me worrying about my passwords and data. What should I look for to understand if I’m safe enough? I would appreciate if you could enlighten me :)

    • 🐧 Vivek Gite Dec 6, 2020 @ 6:16

      yes, it is secure. DO tutorials good too but it takes lots of typing where scripts avoid typing stuff and typos.

  • Inderjeet Singh Dec 12, 2020 @ 10:25

    Is there a way I can share the OpenVPN server’s internet with client as well? After I connected with my OpenVPN server internet stopped on client

  • Amr Dec 13, 2020 @ 14:55

    First of all Thank you Vivek for this tutorial.

    When I installed it did not ask me for IPV4 or Public IP address. It automatically took my internal ip “1.1.1.70”
    Now it works when I am within the LAN, but outside the LAN I acnnot connect to it! Is there a fix?

    Thanks
    Amr

    • Dale Jan 15, 2021 @ 23:40

      Just edit the client configuration file (*.ovpn) and change the line that reads “remote …” to either your externally facing IP address (if you have a static external IP address) or your DDNS dynamically updated host name. You also need to open & forward port 1194 on your router/firewall to your internal OpenVPN server.

  • Dale Jan 15, 2021 @ 23:11

    This is a great tutorial. I would make one recommendation: The installation script should be changed to remove the “nopass” argument from the code locations where the client configuration is generated. One should absolutely always make the client configuration file password protected, otherwise anyone who gets their hand on it can connect to your VPN endpoint without needing anything else.
    In other words, change this:
    ./easyrsa build-client-full "$client" nopass
    to this:
    ./easyrsa build-client-full "$client"
    There are two locations in the script where this change should be made. Then when you run it, it will ask you for a client password at some point. Make that a strong one and keep it in mind.

  • Nagaraj Gurusamy Jan 28, 2021 @ 2:38

    Hi,
    Thanks for the awesome script.
    Vpn connected successfully. However, I can’t able to access other servers in the network using thier private IPs.

    Could help fix it?

    • 🐧 Vivek Gite Jan 28, 2021 @ 4:19

      You need to set up correct ufw rules so that traffic between VPN client can pass for tun0 interface.

  • Amar Feb 18, 2021 @ 1:57

    Hello, acutely great totorial it’s work’s for me But now I have some doubts. Is this free? if it is free for how many user it free is there any restrictions after this much of user you have to pay this much amount like that

    • 🐧 Vivek Gite Feb 18, 2021 @ 6:05

      No. There is no resection or money to pay. You are only limited by amount of resources on your server such as RAM, network speed, CPU and so on.

  • Gyata Feb 24, 2021 @ 7:25

    works perfectly but i think i have a problem.
    when the .ovpn file is viewed with nano, is it supposed to be empty?
    If not then i think the system is generating an empty .ovpn file.

    Can someone suggest a fix for me.
    Thank you.

    • 🐧 nixCraft Feb 24, 2021 @ 8:11

      No. What does ls -l *.ovpn says? Look for size.

  • halil Mar 6, 2021 @ 18:21

    it works but i cannot access lan network. What can i do ?

    • 🐧 Vivek Gite Mar 6, 2021 @ 18:34

      You need to adjust firewall rules. By default access is blocked as we don’t want every connect VPN users to access LAN.

      • halil Mar 7, 2021 @ 18:12

        i try like that;

        /etc/systemd/system/openvpn-iptables.service

        ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.229.7
        ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 10101 -j ACCEPT
        ExecStart=/usr/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
        ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.229.7
        ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 10101 -j ACCEPT
        ExecStop=/usr/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
        ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        
        ExecStop=/usr/sbin/iptables -t nat -A POSTROUTING -o 192.168.229.0/24 -j MASQUERADE
        ExecStop=/usr/sbin/iptables -A INPUT -i tun+ -j ACCEPT
        ExecStop=/usr/sbin/iptables -A FORWARD -i tun+ -o 192.168.229.0/24 -j ACCEPT
        ExecStop=/usr/sbin/iptables -A FORWARD -i 192.168.229.0/24 -o tun+ -j ACCEPT
        
  • Anonymous Mar 29, 2021 @ 17:11

    Hi,
    Thanks for the awesome script.
    I want to know how to view the created user list and connected user list.

    • 🐧 Vivek Gite Mar 30, 2021 @ 21:26

      For log see /var/log/openvpn/openvpn-status.log file:
      tail -f /var/log/openvpn/openvpn-status.log
      See created users list:
      cat /etc/openvpn/server/easy-rsa/pki/index.txt
      OR
      tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '

  • Anonymous Mar 30, 2021 @ 20:18

    Will this work with a freshly installed/created Linux 20.04 or will I have to take extra steps?

  • Kelley Apr 1, 2021 @ 16:12

    Hi,

    I’m using AWS on a Windows computer and I’m stuck on step 4. How do I get the .ovpn file to a place where my desktop client can access it? Or is there another way for me to connect using my desktop client?

    • 🐧 Vivek Gite Apr 13, 2021 @ 11:15

      Use scp client (or putty.exec that comes with scp) to copy that file to your Windows 10 system.

  • Marko Apr 12, 2021 @ 8:31

    Hi. I had openVPN on my ubuntu v 18 machine recently upgraded to v20.04. Followed your instructions and works flawlessly.

    I have one question: is it possible to limit (or bind) clients to specific IP (or even localhost)? For example, if I have SVN server on same machine, how can I limit some client to use only SVN from this machine and not have access to other IPs on same LAN?

    Thank you!

    Regards,
    Marko

    • 🐧 Vivek Gite Apr 13, 2021 @ 11:14

      You can block access to particularity port using ufw

  • Rattlehead Apr 23, 2021 @ 8:31

    Hi,
    Thanks for the tutorial, really helpful.
    Is there a way to change this from cert based to user/password based.
    Curious as I can use my router as a OVPN Client but only have a password/username option rather than importing a cert.

    Thanks
    /Rattle

    • 🐧 Vivek Gite May 1, 2021 @ 20:13

      I updated the page but you need to reinstall openvpn again.

  • Somprasong May 1, 2021 @ 16:09

    It’s perfect tutorial but i have some question if i need to create client with password

  • Naseer May 13, 2021 @ 18:07

    Not able to connect the OpenVPN Server installed on Ubuntu and Client on Windows 10. Below is the error

    Thu May 13 22:01:54 2021 MANAGEMENT: >STATE:1620928914,WAIT,,,,,,
    Thu May 13 22:02:54 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Thu May 13 22:02:54 2021 TLS Error: TLS handshake failed
    Thu May 13 22:02:54 2021 SIGUSR1[soft,tls-error] received, process restarting
    Thu May 13 22:02:54 2021 MANAGEMENT: >STATE:1620928974,RECONNECTING,tls-error,,,,,
    Thu May 13 22:02:54 2021 Restart pause, 5 second(s)
    Thu May 13 22:02:59 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]87.201.172.199:1194
    Thu May 13 22:02:59 2021 Socket Buffers: R=[65536->65536] S=[64512->64512]
    Thu May 13 22:02:59 2021 UDP link local: (not bound)
    Thu May 13 22:02:59 2021 UDP link remote: [AF_INET]87.201.172.199:1194
    Thu May 13 22:02:59 2021 MANAGEMENT: >STATE:1620928979,WAIT,,,,,,
    • 🐧 Vivek Gite May 13, 2021 @ 20:36

      Check for firewall config on your local network and remote server.

  • marcus May 15, 2021 @ 2:38

    When i do the ssh comand on step4 my console returns SSH port 22 refused
    When trying scp my console returns Could not resolve hostname : Name or service not known
    why is it happenning?

  • Jose Laurentino III May 16, 2021 @ 2:56

    Fantastic!!!! Thanks for the great tutorial!

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum