Published on August 15, 2020 by SatoshiVPN in How To.


How to install OpenVPN on your own Ubuntu server from scratch.

How to install OpenVPN on your own server from scratch

OpenVPN is an open source VPN project that creates a secure connection between your device and the internet by encrypting and routing your data through a private VPN server. Your data transmits securely to and from the OpenVPN server by passing through a Secure Socket Layer (SSL) encryption process that uses trusted certificates to verify that requests are only readable for your client device. This ensures your data privacy and security particularly when using nonsecure, public networks like when in a library or restaurant.

Perhaps the most compelling aspect of OpenVPN is hinted at right in the name--its code base is open source, meaning there are no third parties that you’ll need to trust with your data. Simply set up a server in the location of your choice and you’ll be in complete control over your data. If you’re not sure how to do that, you’re in the right place. This tutorial will provide you with step by step instructions on how to install OpenVPN to create your own VPN server from scratch. Enjoy!


To install OpenVPN, first and foremost you require a server. For this tutorial, we will be demonstrating on an Ubtuntu server. You need to have a non-root account with sudo privileges in the server.

Installing OpenVPN

SSH on to your Ubuntu server with the following command:
ssh <user>@<IP address>

Depending on how you have set up your SSH access you may have to enter a public key or a password. Please provide the required credentials.

To make sure that your server is having the latest version, let’s run the following command.
sudo apt-get update

The command will take several minutes to run as it will update all your packages. Once the update process is completed we can go ahead and install OpenVPN with the following command.
sudo apt-get install openvpn

How to set up a CA?

As mentioned previously, OpenVPN is a TLS/SSL VPN. Therefore you have to create your own Certificate Authority (CA) to issue trusted certificates and build your Public Key Infrastructure (PKI).

The following command will install the easy-rsa package which will help you in building the CA:
sudo apt-get install easy-rsa

Once completed, you can copy the template directory of easy-rsa to the home directory using the following command:
make-cadir ~/openvpn-ca

Navigate into the created directory:
cd ~/openvpn-ca

You are required to change some values of the vars configuration file. Let’s open a terminal text editor so that we can make the changes.
nano vars

You'll see many configuration parameters with their default values. Keep them as is for now. Navigate towards the bottom of the config file to find a list of parameters that look like below.
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"

These parameters should be changed to match your information.

Just below this section, there is a parameter called KEY_NAME. You can give it a name of your liking.
export KEY_NAME="server"

Once completed, exit the text editor. Make sure you are still in the CA directory and source the vars file:
cd ~/openvpn-ca
source vars

If you come across an error such as the message below,

"No /root/openvpn-ca/openssl.cnf file could be found"

...further invocations will fail. To resolve the problem, create a symbolic link.
ln -s openssl-1.0.0.cnf openssl.cnf

Once you run source vars again, the problem should have resolved and the output should say:
"NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-ca/keys"

To clean up the operating environment, let’s run

After these steps are completed, we can go ahead and build our CA using the following command

Press enter for all the options to leave the default values that we configured in the vars config file.

Great! Now you have successfully created a CA that can be used to create the rest of the files required for your OpenVPN server.

Creating a server certificate, key, and encryption files

Continue by creating the OpenVPN server certificate and key pair with the following command:
./build-key-server server

The certificate will build on the values we entered in the vars configuration file. Do not enter a challenge password for the setup.

Building the DH Keys

This might take several minutes to complete. We will generate an HMAC signature to add an extra layer of security
openvpn --genkey --secret keys/ta.key

Creating a client certificate and key pair

Ideally, this step should be performed at the client machine and should be signed by the CA. For the sake of demonstration, in this tutorial, this step will be performed on the server-side as well.

The following command will build client credentials without a password to facilitate automated connections
./build-key client

If you would want to build client credentials with a password, use the following command
./build-key-pass client

If you have more than one client, repeat the steps mentioned making sure that you enter a unique name for each client.

Configure your OpenVPN service

In the previous steps, we created many certificates and keys. All of these are placed in the ~/openvpn-ca/keys directory. We need to move the CA cert, server cert and key, the DH file and the HMAC key to /etc/openvpn directory.

To do so, let’s go into the keys directory, copy the content and paste at the location.
cd ~/openvpn-ca/keys
cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn

Open a sample configuration file using the following command:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | /etc/openvpn/server.conf

Open the configuration file in an editor:
vi /etc/openvpn/server.conf

Find the HMAC section by looking for the tls-auth directive. Remove the “;” to uncomment the tls-auth line.

Find the cipher line and below it and add the following line to add an auth line to select the HMAC message digest algorithm:
auth SHA256

Find the user and group settings and remove the “;” at the beginning to uncomment the following lines.
user nobody
group nogroup

Tuning your server configuration

We need to allow the server to forward traffic. Let’s adjust this by modifying the /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf

Look for the line which sets net.ipv4.ip_forward. Uncomment the setting. Save and close the file. Run the following command to read the updated file and adjust the values accordingly.
sudo sysctl -p

How to start your OpenVPN service?

Once all the steps are followed, we are finally able to start the VPN service. Use the command below.
sudo systemctl start [email protected]

(It is important to note that server is the name of the server configuration file in /etc/openvpn directory. If you have a different name, please use that name instead)

You can check if OpenVPN is running successfully by entering the following command:
sudo systemctl status [email protected]

And that's it! Nice job. Now that everything is up and running, your VPN clients can download the client certificates that you created and connect to your server.