ManagedCloud Servers

High performance handled and monitored by us 24/7/365. A complete solution to provide you with our in house expertise 24/7 tailored to your specific needs. We'll setup a bespoke server for your site using the latest tehnologies so you can get the most out of your hardware and get your website loading quickly and reliably. Find out more..

cPanelCloud Servers

Recommended - High performance cloud servers with no technical knowledge required. If you're hosting multiple websites already and you're looking to consolidate, or if you're looking to isolate yourself from the shared hosting environment but you don't have the time or knoweldge to manage a server, then the Managed cPanel Servers are for you. Find out more..

UnmanagedCloud Servers

Our unmanaged range gives you complete control at rock bottom prices and our cloud platform boasts super fast multipath 40Gb/s network, the latest Intel Xeon V3 CPUs and enterprise grade redundant SSDs. If you're a sysadmin look no further, we offer some of the best specification to price ratio servers available. Find out more..

Want your very own server? Get our 1GB memory, Xeon V4, 20GB SSD VPS for £10.00 / month.

View Plans

How to Install OpenVPN Server on Ubuntu 16.04

OpenVPN is an open source application which is widely used to create secure virtual private networks over unsecured public Internet. OpenVPN is SSL VPN solution which tunnels your network connection securely through the Internet. OpenVPN works on client server architecture. All the devices connected to a virtual private network behaves as if they are connected to a local area network. The packets sent through the VPN tunnel are encrypted with 256 bit AES encryption making data theft impossible.

In this tutorial we will learn to install OpenVPN server on Ubuntu 16.04. By the end of the guide you will be able to deploy your own VPN server using OpenVPN. We will also learn to setup a client machine using OpenVPN client configuration.

Requirements

To install OpenVPN, there are no specific hardware requirements. You will only need a Cloud Server or VPS running on Ubuntu 16.04. You will also need access to the root user. If you are logged in as non root user, run sudo -i to switch to root user or you can also use sudo command before all administrative commands.

Install OpenVPN Server

Before installing any package it is recommended to update the system and installed packages using the following command.

    apt-get update && apt-get -y upgrade

Now we will install required packages needs to set up OpenVPN server. OpenVPN is available in ubuntu's default repository. We will also easy-rsa package, which will be used for setting up generate SSL/TLS certificates to secure OpenVPN tunnel connections.

    apt-get install -y openvpn easy-rsa

Now we will be copying easy-rsa templates into a new directory in which we will be storing our certificates. CA or Certificate Authority is capable of generating certificates, but in our case we will generate self signed certificates using our own simple CA.

    make-cadir /var/openvpn-ca
    cd /var/openvpn-ca

Now we will need to configure CA variables. These variable will be used to generate CSR or Code Signing Request. CSR will be used to generate SSL/TLS certificate.

To edit variable files you can use your favorite text editor. In this tutorial we will be using nano editor. If you do not have nano editor, you can install it using apt-get -y install nano.

Scroll down to find the following lines.

    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Fort-Funston"
    export KEY_EMAIL="me@myhost.mydomain"
    export KEY_OU="MyOrganizationalUnit"

# X509 Subject Field export KEY_NAME="EasyRSA"

Change the values accordingly. In KEY_NAME field choose a name using which your private key will be generated. You can see demo values below.

    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="IN"
    export KEY_PROVINCE="RJ"
    export KEY_CITY="Bikaner"
    export KEY_ORG="MyOrganisation"
    export KEY_EMAIL="me@liptanbiswas.com"
    export KEY_OU="MyOrganizationalUnit"

# X509 Subject Field export KEY_NAME="vpn-server"

Once done we can use the variable values to generate CA certificates. Now source the variable using the following command.

    source ./vars

You will see following output.

    root@ip-172-31-31-250:/var/openvpn-ca# source vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /var/openvpn-ca/keys

Now clean the environment and previously generated key using the following command.

    ./clean-all

Now we can build the root Certificate Authorities using the following command.

    ./build-ca

It will prompt you if you want to change the default values for variables. Simply press enter to proceed further. It will also ask you a challenge password, leave it blank by simply pressing enter. You will see following output.

    root@ip-172-31-31-250:/var/openvpn-ca# ./build-ca
    Generating a 2048 bit RSA private key
    ...+++
    ....................................+++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [IN]:
    State or Province Name (full name) [RJ]:
    Locality Name (eg, city) [Bikaner]:
    Organization Name (eg, company) [MyOrganisation]:
    Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
    Common Name (eg, your name or your server's hostname) [MyOrganisation CA]:
    Name [vpn-server]:
    Email Address [me@liptanbiswas.com]:

The above command will generate root certificate and key, ca.crt and ca.key to /var/openvpn-ca/keys. Once the CA certificate is generated, we can create server certificate and keys using the following command.

    source ./vars
    ./build-key-server server

You will see following output.

    root@ip-172-31-31-250:/var/openvpn-ca# ./build-key-server server
    Generating a 2048 bit RSA private key
    ..........................+++
    ............+++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [IN]:
    State or Province Name (full name) [RJ]:
    Locality Name (eg, city) [Bikaner]:
    Organization Name (eg, company) [MyOrganisation]:
    Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
    Common Name (eg, your name or your server's hostname) [server]:
    Name [vpn-server]:
    Email Address [me@liptanbiswas.com]:

Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /var/openvpn-ca/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'IN' stateOrProvinceName :PRINTABLE:'RJ' localityName :PRINTABLE:'Bikaner' organizationName :PRINTABLE:'MyOrganisation' organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' commonName :PRINTABLE:'server' name :PRINTABLE:'vpn-server' emailAddress :IA5STRING:'me@liptanbiswas.com' Certificate is to be certified until Sep 12 09:10:55 2026 GMT (3650 days) Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

This command will create few server certificates and keys in /var/openvpn-ca/keys.

Now you will need to generate strong Diffie-Hellman key, which will be used during key exchange.

    source ./vars
    ./build-dh

This will generate dh2048.pem file in /var/openvpn-ca/keys.

Once we have generated certificates and keys for server, we will also create the certificate and keys for clients. In this tutorial we will generate the certificates client. We have used client for demonstration purpose only. In actual scenario you may use any name. Run the following commands to do so.

    source ./vars
    ./build-key client

If you want to set a passphrase for the private key of client's private key, you can use the following command.

    ./build-key-pass client

Now copy the CA and server certificates and keys to OpenVPN directory using the following command.

    cd /var/openvpn-ca/keys
    cp ca.crt ca.key server.crt server.key dh2048.pem /etc/openvpn

Now extract the sample OpenVPN configuration and copy it to OpenVPN directory.

    gunzip -d /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
    cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn

Now modify the configuration file using your favorite text editor.

    nano /etc/openvpn/server.conf

Find the following lines

    # It's a good idea to reduce the OpenVPN
    # daemon's privileges after initialization.
    #
    # You can uncomment this out on
    # non-Windows systems.
    ;user nobody
    ;group nogroup

Now remove ; from user nobody and group nobody line.

Now we will need to modify the configuration file /etc/sysctl.conf for setting up system variable using your favorite editor.

    nano /etc/sysctl.conf

Find the following lines.

    # Uncomment the next line to enable packet forwarding for IPv4
    #net.ipv4.ip_forward=1

Uncomment the line net.ipv4.ip_forward=1. Now save the file and adjust the system variables for current session using the following command.

    sysctl -p

Now you can start VPN server using following command.

    systemctl start openvpn@server

You can enable OpenVPN server to start at boot time, you can run this command.

    systemctl enable openvpn@server

You can check the status of OpenVPN server using the following command.

    systemctl status openvpn@server

You should see following output.

    root@ip-172-31-31-250:~# systemctl status openvpn@server
    ● openvpn@server.service - OpenVPN connection to server
       Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
       Active: active (running) since Wed 2016-09-14 17:57:12 UTC; 8min ago
         Docs: man:openvpn(8)
               https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
               https://community.openvpn.net/openvpn/wiki/HOWTO
     Main PID: 4688 (openvpn)
       CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
               └─4688 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.co

Sep 14 17:57:12 ip-172-31-31-250 ovpn-server[4688]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2 Sep 14 17:57:12 ip-172-31-31-250 ovpn-server[4688]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2 Sep 14 17:57:12 ip-172-31-31-250 ovpn-server[4688]: GID set to nogroup Sep 14 17:57:12 ip-172-31-31-250 ovpn-server[4688]: UID set to nobody Sep 14 17:57:12 ip-172-31-31-250 ovpn-server[4688]: UDPv4 link local (bound): [undef] Sep 14 17:57:12 ip-172-31-31-250 ovpn-server[4688]: UDPv4 link remote: [undef] Sep 14 17:57:12 ip-172-31-31-250 ovpn-server[4688]: MULTI: multi_init called, r=256 v=256 Sep 14 17:57:12 ip-172-31-31-250 ovpn-server[4688]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0 Sep 14 17:57:12 ip-172-31-31-250 ovpn-server[4688]: IFCONFIG POOL LIST Sep 14 17:57:12 ip-172-31-31-250 ovpn-server[4688]: Initialization Sequence Completed

As we have our VPN server up and running we can now connect the clients to the server.

Connecting Clients

While generating the certificates and keys for server, we have already generated the certificates for client too. You can use FTP or SCP to transfer the files from server to client machine. You will need to copy three files for each client. For client you will need to copy ca.crt, client.crt and client.key.

For windows client machine you can download OpenVPN client from here. Once you install the software, copy client.ovpn from C:/Program Files/OpenVPN/sample-config to config directory. Also move the client certificate and key file with CA certificate into this directory. Now open client.ovpn using notepad and find the following lines.

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote my-server-1 1194
    ;remote my-server-2 1194

Change my-server-1 to the IP address or hostname of your remote server. As we have not configured or changed the port in server, hence the port number will remain same, a sample configuration is given below.

    remote 52.66.151.53 1194

In case if you have generated your client certificates with name other than client.crt or client.key. You will also need to change these lines accordingly.

    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca ca.crt
    cert client.crt
    key client.key

Once done save the file. To start OpenVPN with this configuration, right click on client.ovpn file to see options and select Start OpenVPN on this config file. You will see your command prompt will start connecting to your VPN server.

For Linux client machine you can install OpenVPN using the following command.

For CentOS/RHEL/Fedora, run the following commands.

    sudo yum -y install epel-release
    sudo yum -y update
    sudo yum -y install openvpn

For Ubuntu/Debian run the following commands.

    sudo apt-get install openvpn

Now copy the client certificates and keys along with CA certificate on your client machine using SCP or FTP. Move the files into /etc/openvpn/ directory. Now create a new file using your favorite text editor.

    nano /etc/openvpn/client.ovpn

Enter the following content in the file. Change your remote address and client file names accordingly.

    client
    dev tun
    proto udp
    remote 52.66.151.53 1194
    resolv-retry infinite
    nobind
    group nobody
    persist-key
    persist-tun
    comp-lzo
    verb 3
    ca ca.crt
    cert client.crt
    key client.key

Now save the file and run OpenVPN client with client configuration using the following command.

    sudo openvpn --config client.ovpn

This should run OpenVPN using your client configuration and you will be connected to the remote server using the VPN tunnel.

Conclusion

In this tutorial we have learned to install OpenVPN server into a VPS running Ubuntu 16.04. We also learned to use easy-rsa to build CA and then generate certificates for server and client. You can now successfully deploy and run OpenVPN server on Ubuntu 16.04. OpenVPN client software is available for many platforms, you can connect the clients to your private network easily.

Want your very own server? Get our 1GB memory, Xeon V4, 20GB SSD VPS for £10.00 / month.

View Plans