How To Set Up OpenVPN Server in 5 Minutes On Ubuntu Linux - Nixcraft
NOTE: You need Ubuntu Linux 18.04 LTS or higher to complete this tutorial.
Older Ubuntu versions such as 14.04/16.04 LTS are no longer supported.
OR
OR
Fig.01: Find out your public IPv4 address using the CLI
We can review the script using a text editor such as nano or vim:
$ nano openvpn-install.sh
Once you press any key, such as the [Enter] key, you will see:
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-176
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1768.Fj
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Dec 7 09:22:17 2030 GMT (3650 days)
Finished!
file:
[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT
ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:
ExecStart=/usr/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStart=/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:
ExecStop=/usr/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStop=/usr/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
You can view the OpenVPN server config file generated by the script as follows
(again, do not edit this file by hand as it will break things for you):
local 172.105.102.90
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 fddd:1194:1194:1194::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
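An added example (not part of the original tutorial or the installer script): a read-only shell check of the security-relevant directives in the generated server config shown above. The function names, the OK/WARN wording and the SHA-2 requirement for CBC ciphers are assumptions of this example; the sample input is constructed from the config on this page.

```shell
# conf_value FILE DIRECTIVE -> first argument of DIRECTIVE, empty if absent
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# audit_conf FILE -> one OK/WARN line per check (hypothetical helper)
audit_conf() {
    f=$1
    # tls-crypt/tls-auth: packets without the shared control-channel key are dropped
    if [ -n "$(conf_value "$f" tls-crypt)$(conf_value "$f" tls-auth)" ]; then
        echo "OK   control channel key configured"
    else
        echo "WARN no tls-crypt/tls-auth: port answers unauthenticated handshakes"
    fi
    # crl-verify: without it, revoking a client certificate has no effect
    if [ -n "$(conf_value "$f" crl-verify)" ]; then
        echo "OK   crl-verify set"
    else
        echo "WARN no crl-verify: revoked client certificates are still accepted"
    fi
    # user: the daemon should drop root after start-up
    u=$(conf_value "$f" user)
    if [ -n "$u" ] && [ "$u" != "root" ]; then
        echo "OK   drops privileges to $u"
    else
        echo "WARN daemon keeps running as root"
    fi
    # CBC ciphers carry no integrity of their own; the auth HMAC provides it
    c=$(conf_value "$f" cipher); a=$(conf_value "$f" auth)
    case "$c:$a" in
        *-GCM:*) echo "OK   AEAD cipher $c" ;;
        *-CBC:SHA256|*-CBC:SHA384|*-CBC:SHA512) echo "OK   $c with HMAC-$a" ;;
        *) echo "WARN cipher '$c' with auth '$a'" ;;
    esac
}

# count_warnings FILE -> number of WARN lines (grep -c exits 1 on zero matches)
count_warnings() { audit_conf "$1" | grep -c '^WARN' || true; }

# Constructed sample: the security-relevant lines of the config shown above
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth SHA512
tls-crypt tc.key
cipher AES-256-CBC
user nobody
crl-verify crl.pem
EOF
audit_conf "$sample"
```

Point `audit_conf` at the real server config file to run the same checks after the installer finishes or after revoking a client.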
Now, all you have to do is copy this file to your local desktop using the scp
command and provide it to your OpenVPN client to connect:
$ scp root@172.105.102.90:~/iphone.ovpn .
Next, you need to download OpenVPN client as per your operating system or
mobile device:
• Android client
Once installed, click on the Connect button and you will be online. Use the
following command on the macOS client to verify that your public IP changed to
the VPN server IP:
$ ping 10.8.0.1
OR
Your Linux system will automatically connect when the computer restarts using
the /etc/init.d/openvpn script:
$ mkdir -p /usr/local/etc/openvpn/
$ sudo cp iphone.ovpn /usr/local/etc/openvpn/client.conf
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/client.conf"
Verify it:
Now you can use googlephone.ovpn with a Google Android phone. You can add
as many users as you want using this method.
How do I delete/revoke existing user certificate?
Run the script:
Type option 2 and you will see a list of all the existing client certificates,
from which you choose the one you want to revoke:
Conclusion
And there you have it, OpenVPN server installed in five minutes to increase your
privacy. Please see OpenVPN project and road warrior installer Linux script. Let
us know if you have any problems or comments in the comments section below.
This entry is 1 of 13 in the OpenVPN Tutorial series.
About the author: Vivek Gite is the founder of nixCraft, the oldest running blog about Linux
and open source. He wrote more than 7k+ posts and helped numerous readers to master IT
topics.
80 comments
Doesn’t look like 5 minutes to me and in fact it’s much, much simpler. Here is my
cheat sheet (in Russian) http://eax.me/openvpn/ – this way it actually takes 5
minutes, I’ve checked many times.
reply link
Cheers.
reply link
thx
reply link
Hey, what a great article you’ve written, has long sought something like this, I
have many articles and information gathered on the subject of Open VPN for
when it is their time to implement exactly what you suggest in this article, that
just what I need, nothing more.
The option to download the article in pdf format of this blog is superior and much
needed, although I use Pocket to store many items is very comfortable to save it
to disk in a nicely formatted pdf.
Can you make the option “Download to PDF” print the comments and related
posts? your blog provides highly valuable information and deserves this option.
A fan, Thanks.
reply link
Nice guide, how about adding users as this only shows the one user during
setup
reply link
Hello Vivek,
Please can you add a guide of how to add users/clients
reply link
I updated info about adding a new client and deleting existing one.
HTH
reply link
Hi, I’m trying to do this in a Lubuntu 14.04 LTS 2007 MacBook Laptop connected
to a WiFi network, is this possible? I know you specify that is a Ubuntu Server.
The script ran successfully, but the first step in where he had to enter the IP
address, showed the local network address 192.168.0.25 and change it to the
public IP address that showed me the command: dig +short myip.opendns.com
@resolver1.opendns.com
When I try to connect another Asus Linux Client Lubuntu 14.04, I note that your
public IP address Unchanging remains in
Thanks greetings.
reply link
+----------------+
(public IP) | |
{INTERNET}={ Router |
| |
| |
+------+---------+
| (192.168.0.1)
|
| +------------------+
| | |
| | OpenVPN | wlan0: 192.168
+--{wlan0 server | tun0: 10.8.0.1/2
| | |
| | {tun0} |
| +--------+---------+
|
+------------+-----------+
| |
| Other LAN clients |
| |
| 192.168.0.0/24 |
| (internal net) |
+---------------------------+
reply link
I’m working on trying to configure that same setup now. From what I
understand is you need to bridge the two networks under one subnet. Still
not sure how to do that.
reply link
can you please also help me to resolve this issue? my scenario is like:
reply link
This tutorial does not work for me: the following is the log of my openvpn client:
reply link
You have to open the firewall on the server side to allow incoming traffic (UDP
on port 1194). If it is a machine on AWS, open the security group.
reply link
I’m running into an issue though. Under the client configuration part I don’t seem
to have the .ovpn file that I am supposed to copy to the client machine. Where
did I go wrong? Any tips or assistance would be greatly appreciated.
reply link
Wouldn’t use this script or guide guys. Sets up a hidden account on your server
that you install openvpn on. Right after I set it up I got three logins from India.
Even the IP he lists in the tutorial is India based. Just a heads up I wouldn’t use
this.
reply link
Wow, not a tutorial (I like to understand what’s happening) but I was up and
running in 5 minutes on my testserver. Thanks a lot!
reply link
Hah. Yes. You can read the script to understand what’s happening. Just use
a text editor.
reply link
of course, I know and i did, to learn something and to see if there are no
malicious parts (trust no one ;))
reply link
ExMM • Feb 1, 2017 @ 9:15
Excellent tutorial, really useful everything working perfectly fine for me.
Only one question, now I have access to my entire LAN with OpenVPN also to
my router, which I would like to block for the client that will connect to my home
server.
reply link
Hi @all,
Look at http://pritunl.com/
Moep
reply link
p3g • Mar 29, 2017 @ 19:16
Hey, I just setup this with my DigitalOcean VPS server. As Vivek said, it took me
exactly five minutes. Thanks boss.
reply link
Find a line of creating SSL certificate in the script and remove “nopass”:
reply link
Thanks, it works!
…But my client can’t see the samba shares on the openvpn server.
reply link
How many total clients are allowed with this script setup? Thanks in advance.
reply link
There is no limit
reply link
Chris • Jun 17, 2017 @ 5:26
I spent the past “month” trying to get any/all the online examples of “How to” to
work, but always had problems. this is so very nobrainer on the “Server Side”,
it’s GREAT !!!
However,
reply link
nameserver 8.8.8.8
nameserver 208.67.220.123
which is all throughout the OpenVPN code I set up for myself on the Server and
my home gateways. Then I REBOOTed, to enable it all. I then did a ” PING
GOOGLE.COM ” and it worked. So I brought up my browser and “Voala”,
Google came up on the browser. It worked !!! Now, There’s a warning in the file
you edited about it being overwritten. By what, I’d like to know, so it can be
permanent and not overwritten. More SEARCHing …
reply link
Check this “How To: Make Sure /etc/resolv.conf Never Get Updated By
DHCP Client“. HTH
reply link
I ran the script, and I can ping my servers local ip (192.168.1.227) but I cannot
access the internet. I can’t connect to google by hostname or by just the ip
reply link
Hi,
Just want to say thank you very much! Like many others I have spent days trying
to do this through all the manual guides there are online but I would always
screw up a step.
This worked out of the box minus the /etc/resolv.conf DNS entries not updating
themselves.
I added
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
to the client.ovpn file. This is a script that updates your DNS entry for you. You
can find the script online.
reply link
My openvpn is working just fine, but I can't access the admin console to control
it.
reply link
thx
reply link
Best.
reply link
Hi, I have 3 .OVPN file and I want to connect them all simultaneously. please
help how to connect.
reply link
Is there a way to add the openVPN webif GUI to change settings etc?
Thanks for the great and simple guide got it running first time.
reply link
journalctl -xe –> Options error: In [CMD-LINE]:1: Error opening configuration file:
/etc/openvpn/server.conf
client server
and in /lib/systemd/system/openvpn@.service
the line
Daniel
reply link
Daniel Jacoby • Dec 3, 2020 @ 12:38
Update
systemctl list-units
openvpn-iptables.service loaded active exited openvpn-iptables.service
openvpn-server@server.service loaded active running OpenVPN service for
server
openvpn.service loaded active exited OpenVPN service
openvpn@server.service loaded activating auto-restart OpenVPN connection to
server
I don't understand what the differences are between the last three
reply link
I have installed the server as above but am getting many errors in the log. It
seems that 2 services have been defined and one fails every few seconds.
reply link
Server is up and running. Just set up correct stuff and routing on your VPN
router at office/home and it will act as a vpn gateway too.
reply link
Any way of adding user authentication. If we use the app on an android device
the file will import fine but it asks for a username and password to work.
reply link
Hi,
thank you.
I installed it but now I want to change DNS.
reply link
Maybe the problem is, the script creates a server config that uses IPv4 (such
as “local 172.105.102.90”). How to allow connecting to the server via IPv6 only
or even better v4 + v6?
reply link
Setup this script on my Google VM, openvpn running, however netstat does not
show it as LISTEN.
reply link
Run:
reply link
When I have copied the .ovpn file to my client (windows machine) and import it
into openvpn I get Error Message: static_key_parse_error
reply link
Hello,
## get IPv4 ##
$ host myip.opendns.com resolver1.opendns.com
And should probably be as follows:
## get IPv4 ##
$ host -4 myip.opendns.com resolver1.opendns.com
Greetings,
Felix
reply link
I wonder if you could add an optional section to generate a password for the
customer and a way to change it later. Suppose he forgets it.
Philip
reply link