Configuring OpenVPN on Ubuntu

OpenVPN is an open implementation of one of the VPN technologies, designed to organize secure virtual private networks between geographically remote local networks, as well as individual clients. Tunnel security is provided by encryption using OpenSSL.

How does OpenVPN work?

Upon completion of the server setup and its launch, it will enter the standby mode of receiving and redirecting external secure SSL connections to the virtual network adapter (tun/tap).

Optionally, server routing can be configured so that client Internet traffic passes through the server and becomes server traffic. In this case, OpenVPN will perform proxy traffic.

What is required from the operating system?

Before installing OpenVPN, you need to make sure that the basic parameters are correct.

  1. The server has at least one “white” static IP address. Those. The server must be accessible from the Internet. If the address is dynamic, but the server remains accessible from the global network, use the DynDNS services.
  2. Allowed to download and install packages from official repositories. To check, run cat /tc/apt/sources.list. Lines with instructions from the repositories should be uncommented (there should be no “#» sign at the beginning of the line).
  3. The network parameters must be correctly specified — hostname, parameters of DNS servers.

Getting to the installation.

All installation steps will be performed by the root user.

  1. Updating repository information:

apt-get update

  1. Install the current system updates and installed programs:

apt-get upgrade

  1. Install OpenVPN:

apt-get install openvpn

Important. In basic repositories, the latest version of a package is often missing. OpenVPN developers maintain their repository, how to configure it can be found on the official website of the.

  1. Install the easy-rsa package in the same way:

apt-get install easy-rsa

Post-installation steps

We place easy-rsa scripts:

cd /etc/openvpn/ && make-cadir easy-rsa

We prepare public keys (PKI — Public Key Infrastructure):

  1. Go to the / etc / openvpn / easy-rsa directory:

cd /etc/openvpn/easy-rsa

  1. Creating a symbolic link to the openssl configuration file:

ln -s openssl-1.0.0.cnf openssl.cnf

  1. We initialize the vars script:

source ./vars

The system will report: NOTE: If you run ./clean-all, I will be doing a rm -rf on / etc / openvpn / easy-rsa / keys

  1. We carry out ./clean-all
  2. To create a certification authority, run the script:


In the course of its work, the program will ask several questions. They should be answered in Latin letters. If you do not fill in any field, the program will substitute default values, usually indicated in parentheses.


Create the server key

To create the server key, execute the command:

./build-key-server server

It should be noted that the process is similar to generating a certificate of a certification authority, however, before signing the certificate, the program will ask 2 clarifying questions. If everything is correct, answer “y”.

Generation of client keys

Similarly to generating server keys, client keys are also created:

./build-key client1

It should be noted that the created client1.key does not have a password or cryptographic protection. This can lead to the fact that any user who has taken possession of the file can try to connect to the server. If such a threat exists, it is better to generate keys with another script:

./build-key-pass client2

The script will ask for a passphrase at the very beginning. Further, the process is no different from generating server keys and a simple client.

Keep in mind that key names must be unique. One user — one key with a unique name.

It happens that in the course of the server’s operation, after some time, it is necessary to create one or more certificates. To do this, you will need to reinitialize the vars script and only then start the key generation process:

cd /etc/openvpn/easy-rsa

source ./vars

./build-key client3

Diffie-Hellman key generation

Thanks to the Diffie-Hellman protocol, two or more parties can receive one secret key, which will allow building a secure communication channel. The keys are generated by the command:


The result will be something like this.

When the program is finished, the dh2048.pem file will appear in the /etc/openvpn/easy-rsa/keys/ directory

Moving certificates and keys


Keys and certificates created. It is time to distribute them to users, and copy server keys to the appropriate directories on the server.

  1. Go to the directory with the keys:

cd /etc/openvpn/easy-rsa/keys

  1. We copy only the files necessary for the server:

cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn

It is important to understand that the above files are the basis of the operation and security of the VPN server. Loss or substitution of these files can have extremely negative consequences. It is important to store them in a safe place and not transmit them over open communication channels.


The client will need only 3 files ca.crt, client1.crt, client1.key. Each client needs to give only his keys. These files can be placed in the / etc / openvpn directory on the client machine if it is running a Linux-like OS.

On Windows, they should be placed in the user directory.

Server and client setup


Most installed programs on Linux have so-called sample files. These files contain configuration examples and explanations of them. OpenVPN was no exception. Unpack the server configuration file into the / etc / openvpn directory:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

The server is ready to work with the received file. It is configured with the possibility of tunneling, but cannot proxy, i.e. sending client traffic on its behalf. Fix this.

First, check which files are in the / etc / openvpn directory:

ls /etc/openvpn

Open the configuration file:

nano /etc/openvpn/server.conf

And we check the compliance of the files prescribed in the configuration with the files in the directory. Interesting lines after » SSL/TLS root certificate (ca), certificate (cert), and private key (key).”

If the names differ from the existing ones, the necessary corrections should be made. Exit the editor by pressing Ctrl + X.

We start the server:

/etc/init.d/openvpn start

Check the launch result:

/etc/init.d/openvpn status

Client settings.

It is assumed that the OpenVPN package is already installed on the client side.

  1. Copy the client settings file to the user’s home directory:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root

  1. Copy the generated keys — client1.key, client1.crt, ca.crt:

cd /etc/openvpn/easy-rsa/keys

cp client1.key client1.crt ca.crt /root

  1. Editing the client configuration file:

nano /root/client.conf

  1. We find the commented out lines “# The hostname / IP and port of the server”. For the remote parameter, change my-server-1 to the IP address of the server or its domain name.
  2. In the same file, below, we find the block “# SSL / TLS parms.”. Editing key names.
  3. We exit editing with the combination Ctrl + X. We answer “Y” to the question of saving changes. The file name is left unchanged.
  4. Transfer the files client1.key, client1.crt, ca.crt and client.conf to the client computer from which the connection to the OpenVPN server will take place.

Important! Some client implementations of OpenVPN only work with * .ovpn files. In such cases, it is enough to change the file extension (rename) from client.conf to client.ovpn.

  1. We connect to the server with the command:

openvpn openvpn.conf

It should be noted that proxying is still not configured. At the same time, when the client machine is connected to the OpenVPN server, Internet access is terminated. This is because the created TUN adapter, and in the place with it the server itself, is the default gateway.

Configuring routing.

  1. On the server, edit the server.conf file:

nano /etc/openvpn/server.conf

  1. We find the following line in the file and delete the “;” symbol in front of it, thus uncommenting it:

push "redirect-gateway def1 bypass-dhcp"

  1. Save and close the editor.
  2. Editing the file /etc/sysctl:

nano /etc/sysctl.conf

  1. At the end of the file, add the following line:


This will allow the system to forward traffic between interfaces, but the changes will only take effect after a reboot. Save the file and close the editor.

  1. Allow forwarding packages without rebooting the server:

echo 1 > /proc/sys/net/ipv4/ip_forward

  1. Configure NAT in iptables. We enter the commands one by one:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -s -j ACCEPT

iptables -A FORWARD -j REJECT

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

iptables -A INPUT -i tun+ -j ACCEPT

iptables -A FORWARD -i tun+ -j ACCEPT

iptables -A INPUT -i tap+ -j ACCEPT

iptables -A FORWARD -i tap+ -j ACCEPT

You can also simply enter them into the /etc/rc.local file up to the line “exit 0” or configure the firewall.

The server is ready to use. However, the task is to proxy all traffic, and therefore it is necessary to configure forwarding of DNS queries. Customize.

  1. Install dnsmasq

If the installation is performed on an Ubuntu OS:

apt-get install dnsmasq

Even though in most modern versions of the Ubuntu OS, dnsmasq is already preinstalled, in older versions you must do this:

apt-get install dnsmasq && dpkg-reconfigure resolvconf

The installation wizard dialogue box may start. There will be 2 questions in it. In the first case, the question “prepare /etc/resolv.conf for dynamic updates” is answered with “Yes”, and in the next, “Append original file to dynamic file?” answer “No”.

For Debian 7 OS:

apt-get install dnsmasq resolvconf

  1. Edit the dnsmasq settings file:

nano /etc/dnsmasq.conf

Add the following parameters:



Save the file and close the editor.

  1. Editing the network settings file:

nano /etc/network/interfaces

It is required to specify the address of DNS servers in the corresponding sections of the adapter settings:


Perhaps this action has already been performed. You do not need to perform it again.

  1. Considering the peculiarity of dnsmasq startup and subsequent operation — the possibility of crashing before initializing the virtual tun adapter, add the following line to the rc.local file, before “exit 0”:

/etc/init.d/dnsmasq restart

  1. Now let the OpenVPN server clients use DNS. Using the nano editor, uncomment the line:

push "dhcp-option DNS"

We fix the changes in the file.

  1. Reboot the server:


Checking the operation

We are reconnecting to the server. We are trying to open a website to check the IP address. The result should be the IP address of the server.