In this tutorial, we will explain how to install OpenVPN on Ubuntu 16.04. OpenVPN is one of the most popular VPN software solutions, on both the server side and the client side. OpenVPN implements virtual private network techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. This guide should work on other Linux VPS systems as well, but it was tested and written for an Ubuntu 16.04 VPS. Installing OpenVPN on Ubuntu 16.04 is an easy task if you carefully follow the steps below.
1. Login to your VPS via SSH
ssh user@vps
2. Install necessary packages
Update the system
sudo apt-get update && sudo apt-get -y upgrade
and install OpenVPN.
sudo apt-get install openvpn openssl
3. Generate local certificate authority
First, generate the Diffie-Hellman parameters. This command can take a while to run depending on the server.
sudo openssl dhparam -out /etc/openvpn/dh.pem 2048
Generate the ca.pem (certificate authority) file:
sudo openssl genrsa -out /etc/openvpn/ca-key.pem 2048
sudo chmod 600 /etc/openvpn/ca-key.pem
sudo openssl req -new -key /etc/openvpn/ca-key.pem -out /etc/openvpn/ca-csr.pem -subj /CN=OpenVPN-CA/
sudo openssl x509 -req -in /etc/openvpn/ca-csr.pem -out /etc/openvpn/ca.pem -signkey /etc/openvpn/ca-key.pem -days 365
echo 01 | sudo tee /etc/openvpn/ca.srl
4. Configure OpenVPN server
The following commands will generate a server certificate and key:
sudo openssl genrsa -out /etc/openvpn/server-key.pem 2048
sudo chmod 600 /etc/openvpn/server-key.pem
sudo openssl req -new -key /etc/openvpn/server-key.pem -out /etc/openvpn/server-csr.pem -subj /CN=OpenVPN/
sudo openssl x509 -req -in /etc/openvpn/server-csr.pem -out /etc/openvpn/server-cert.pem -CA /etc/openvpn/ca.pem -CAkey /etc/openvpn/ca-key.pem -days 365
Create server configuration file:
sudo nano /etc/openvpn/server.conf
server 10.8.0.0 255.255.255.0
verb 3
key server-key.pem
ca ca.pem
cert server-cert.pem
dh dh.pem
keepalive 10 120
persist-key
persist-tun
comp-lzo
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nogroup
proto udp
port 1194
dev tun1194
status openvpn-status.log
Save the file, then enable and start the OpenVPN service with:
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server
Note: If you are running an OpenVZ-based VPS, open the /lib/systemd/system/openvpn\@.service file and comment out the LimitNPROC=10 line.
Add the following iptables rule so that traffic can leave the VPN. Replace eth0 with the public network interface of your server.
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Note: If you are running an OpenVZ-based VPS, add the following rule instead of the one above:
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source <YOUR_SERVER_IP>
Finally, we also need to allow IP forwarding:
sudo sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
5. OpenVPN client configuration
The following commands will generate a client certificate and key:
sudo openssl genrsa -out /etc/openvpn/client-key.pem 2048
sudo chmod 600 /etc/openvpn/client-key.pem
sudo openssl req -new -key /etc/openvpn/client-key.pem -out /etc/openvpn/client-csr.pem -subj /CN=OpenVPN-Client/
sudo openssl x509 -req -in /etc/openvpn/client-csr.pem -out /etc/openvpn/client-cert.pem -CA /etc/openvpn/ca.pem -CAkey /etc/openvpn/ca-key.pem -days 36525
Next, copy the following files to your client machine:
/etc/openvpn/ca.pem
/etc/openvpn/client-cert.pem
/etc/openvpn/client-key.pem
Then start your OpenVPN client with the following configuration:
client
nobind
dev tun
redirect-gateway def1 bypass-dhcp
remote <YOUR_SERVER_IP> 1194 udp
comp-lzo yes
key /etc/openvpn/client-key.pem
cert /etc/openvpn/client-cert.pem
ca /etc/openvpn/ca.pem
Do not forget to replace <YOUR_SERVER_IP> with your OpenVPN server IP address.
That’s it. You have successfully installed and configured an OpenVPN server on your Ubuntu 16.04 VPS.
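The certificates produced in steps 3 to 5 can be checked before they are deployed. The following is an added example, not part of the original guide: it repeats the guide's openssl commands in a scratch directory and verifies the chain, the key/certificate pairing and the validity periods. The function names (build_pki, chain_ok, valid_in_days, key_matches) are made up for this illustration.

```bash
# Added example: rebuild the guide's CA, server and client certificates in a
# scratch directory (constructed data, not /etc/openvpn) and check them.

# issue_cert DIR NAME CN DAYS: key, CSR and CA-signed certificate (steps 4 and 5)
issue_cert() {
  openssl genrsa -out "$1/$2-key.pem" 2048 2>/dev/null
  chmod 600 "$1/$2-key.pem"
  openssl req -new -key "$1/$2-key.pem" -out "$1/$2-csr.pem" -subj "/CN=$3"
  openssl x509 -req -in "$1/$2-csr.pem" -out "$1/$2-cert.pem" \
    -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" -days "$4" 2>/dev/null
}

# build_pki DIR: self-signed CA (step 3), then server and client certificates
build_pki() {
  openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null
  chmod 600 "$1/ca-key.pem"
  openssl req -new -key "$1/ca-key.pem" -out "$1/ca-csr.pem" -subj "/CN=OpenVPN-CA"
  openssl x509 -req -in "$1/ca-csr.pem" -out "$1/ca.pem" \
    -signkey "$1/ca-key.pem" -days 365 2>/dev/null
  echo 01 > "$1/ca.srl"
  issue_cert "$1" server OpenVPN 365
  issue_cert "$1" client OpenVPN-Client 36525
}

# chain_ok CAFILE CERT: true if CERT verifies against CAFILE
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# valid_in_days CERT DAYS: true if CERT is still within its validity DAYS from now
valid_in_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# key_matches CERT KEY: true if the certificate carries KEY's public key
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

d=$(mktemp -d)
build_pki "$d"
for n in server client; do
  chain_ok "$d/ca.pem" "$d/$n-cert.pem" && key_matches "$d/$n-cert.pem" "$d/$n-key.pem" \
    && echo "$n: chain and key OK"
done
# The CA lives 365 days but the client certificate 36525: once the CA expires,
# verification fails no matter how long the leaf certificate is.
valid_in_days "$d/ca.pem" 366 || echo "ca.pem expires within 366 days: plan re-issue"
rm -rf "$d"
```

The same three check functions can be pointed at the real files under /etc/openvpn (as root) once step 5 is done.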
Of course, you don’t have to install OpenVPN on Ubuntu 16.04 yourself if you use one of our Managed Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to install and configure OpenVPN on Ubuntu 16.04 for you. They are available 24×7 and will install OpenVPN on Ubuntu 16.04, or other Linux OS, immediately.
Now, what do I have to do to make it use a port and protocol that is SSH/TLS-compliant in order to look exactly like a real HTTPS connection, so that it goes through a firewall that does DPI (Deep Packet Inspection)? Someone I know has an issue getting out of his office network through 443/TCP, because their firewall performs DPI to ensure that what goes through is HTTPS-compliant.
You will probably need to configure your OpenVPN server to use a third-party PKI (Public Key Infrastructure) and use proper and valid SSL certificates.
Of course, this is out of the scope of this guide, but you may find more information in the OpenVPN documentation: https://docs.openvpn.net/docs/access-server/openvpn-access-server-external-pki-guide.html
From all resources on the web, this is the one that actually works! Short, sweet, brilliant! Thank you, thank you, thank you!