How to Configure OpenVPN on Ubuntu 16.04

August 23, 2016 | By in UBUNTU HOWTO
| 5 Replies More

Continuing the series of VPN articles, we now install OpenVPN on Ubuntu 16.04 Server. OpenVPN is well know VPN software from company of the same name. It is is somewhat harder to configure than other VPN software, so we will concentrate on server side configuration, and making ovpn files in this article. This guide is designed to run as non-root user. If you are logged in as root, first we start with adding the non-root user.

adduser newuser

Then we give him sudo rights and login as the user

usermod -aG sudo newuser

su newuser

You can skip those steps if you already have non-root users, and most likely you do.

Now loged in as newuser or any other non-root user, we will install openvpn

sudo apt-get install openvpn easy-rsa

Server and client Certificates

First of all, we need to make dir for certificate authority and edit vars file is

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
nano vars

Find the lines that have export KEY_ in them and make them like this

export KEY_PROVINCE="New York State"
export KEY_CITY="New York City"
export KEY_ORG="Linoxide"
export KEY_EMAIL=""
export KEY_OU="LinuxGeeks"

There is also line named KEY_NAME in same file, so we will just put there server as the name

export KEY_NAME="server"

After saving the vars file, next thing we type is:

source vars

which should give you the note about ./clean-all command. So therefore, lets type it to be sure we are running the clean environment.


Now we move to certificate creation part:


It will prompt you some questions but since we edited vars the new defaults should be ok so you can press enter on all counts.

./build-key-server server

Again enter, but not on all counts this time. When it asks you to put password, don't put it, and in the end pres y to create certificate. Next is diffie hellman:


It will take some time, so be patient. Next we need the ta.key to improve the security of the server.

openvpn --genkey --secret keys/ta.key

And then we copy all the relevant files to /etc/openvpn directory, as openvpn only reads from there.

cd ~/openvpn-ca/keys
sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn

We are done with server certificate, so we now create a certificate for client100.

cd ~/openvpn-ca

source vars
./build-key client100

The sourced defaults are ok again, so just press enter and y at the end.

Server Configuration

For the starting point we copy the sample configuration with following command:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Next we need to edit server.conf to make our server workable. You can use any editor but we will use sed command now

sudo sed -i 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/g' /etc/openvpn/server.conf
sudo sed -i 's/;push "dhcp-option DNS"/push "dhcp-option DNS"/g' /etc/openvpn/server.conf
sudo sed -i 's/;push "dhcp-option DNS"/push "dhcp-option DNS"/g' /etc/openvpn/server.conf
sudo sed -i 's/;user nobody/user nobody/g' /etc/openvpn/server.conf
sudo sed -i 's/;group nogroup/group nogroup/g' /etc/openvpn/server.conf

sudo sed -i 's/;log-append/log-append/g' /etc/openvpn/server.conf

Things what we did here: We set all trafic to go over OpenVPN, we set group and user to nogroup and nobody, and we set logs to go to /etc/openvpn/openvpn.log. Following that we need one more change about ta.key:

sudo nano /etc/openvpn/server.conf

And find this line

tls-auth ta.key 0 # This file is secret
key-direction 0

That is about it for server.conf, next we need to enable packet forwarding for our Ubuntu server

sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sysctl -p

ufw rules also need to be changed to allow masquerading, so add this at the start, before *filter

sudo nano /etc/ufw/before.rules

# NAT table rules
# Allow traffic from OpenVPN client to eth0

Note that eth0 part most likely you need to change to reflect real name of your internet-facing network interface, so I highlighted it. Next we enable forwarding in ufw like we did in sysctl:


We configure the firewall

sudo ufw allow 1194/udp
sudo ufw disable

sudo ufw enable

sudo systemctl start openvpn@server
sudo systemctl status -l openvpn


If all went well enable start of openvpn at bootup

sudo systemctl enable openvpn@server

Client Configuration

With client configuration part, we use certificates that we made already, for example client100. We also need client config files

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

The file we copied is basic setup, therefore it needs to be edited.

nano ~/client-configs/base.conf

And then find a line that says remote. Change it too point to your server IP address of FQDN.

remote your.serv.ipor.fqdn 1194

Save that, as rest of editing we will do with sed and echo commands:

sudo sed -i 's/;user nobody/user nobody/g' ~/client-configs/base.conf
sudo sed -i 's/;group nogroup/group nogroup/g' ~/client-configs/base.conf

sudo sed -i 's/ca ca.crt/#ca ca.crt/g' ~/client-configs/base.conf
sudo sed -i 's/cert client.crt/#cert client.crt/g' ~/client-configs/base.conf
sudo sed -i 's/key client.key/#key client.key/g' ~/client-configs/base.conf

sudo echo key-direction 1 >> ~/client-configs/base.conf

So what we did here? We first set user and group to nobody and nogroup. Then we commented out certificate paths, as we will integrate inline certificates in .ovpn file. Then we added key-direction 1 parameter.

Script for making client configs

For embedding the client configuration, keys and certificates into single .ovpn file for easer transfer to remote clients, we are going to usesimple script. Lets do

nano ~/client-configs/

And then paste this pastebin there. After saving this, we need to add the executable bit, so run this command:

chmod +x ~/client-configs/

Then we can easily create config files

cd ~/client-configs
./ client100
ls ~/client-configs/files

Syntax of the command is easy, you need to be inside client-configs dir and run the command with argument that says name of the client that you created earlier. If you need more clients, create more client certificates with another name and rerun this command. If all went well, in client-configs/files directory should have ovpn file(s) in it. You need to transfer those to your client or clients, and connect. I will do it with scp, from my Fedora laptop I did command like this

 scp /home/miki/Documents/

From there you can load it on Android phone with an USB cable or over AirDroid, or on Windows VM, or on a Mac. For Linux network manager you would need to disassemble the file


This is it about the server config, next we would need to connect from various clients. For Android we can use OpenVPN Connect, for Mac Tunnelblick, for Windows there is OpenVPN from the official site, and for Linux there is network manager. In some of the following articles we will cover all this.


Share This :

Free Linux Ebook to Download

Comments (5)

Trackback URL | Comments RSS Feed

  1. Evren says:

    Hi... It's very very good tutorial... Thank you... but perhabs it must be set on network manager... can you help me about these settings... Good days...

  2. Evren says:

    ok... how to create .raw certificates? if these are .ca .cert .keys?... how to load these in network manager?

    • Mihajlo Milenovic says:

      Yes, those files are already created if you followed the guide. Instead of fusing them in single .ovpn file with a script from the pastebin, you can install network manager package for openvpn. Eg i ubuntu it is apt install network-manager-openvpn

Leave a Reply

Commenting Policy:
Promotion of your products ? Comment gets deleted.
All comments are subject to moderation.