A VPN lets you connect securely over an insecure public network, such as the Wi-Fi at an airport or hotel or any other shared Internet access. In many enterprises and government offices, a VPN is required to reach corporate server resources. Another widespread use is to bypass blocked sites/apps and to increase your privacy and safety online. Here is a step-by-step process to set up an OpenVPN server on an Ubuntu 20.04 LTS server.
OpenVPN is an extremely popular, full-featured SSL VPN (Virtual Private Network) package. It implements an OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. Like much other popular software, it is free, open-source software distributed under the GNU GPL.
Step 1 – Update your system
First, run the apt command to apply security updates:
sudo apt update
sudo apt upgrade
Step 2 – Find and note down your IP address
Use the ip command as follows:
ip a
ip a show eth0
Step 3 – Download and run openvpn-install.sh script
Use the wget command as follows:
#wget https://git.io/vpn -O openvpn-ubuntu-install.sh
For password authentication along with certificates:
#wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh -O openvpn-ubuntu-install.sh
Make it executable by setting permissions with the chmod command:
#chmod -v +x openvpn-ubuntu-install.sh
One can view the script using a text editor such as nano or vim:
#nano openvpn-ubuntu-install.sh
Run the openvpn-ubuntu-install.sh script to install the OpenVPN server:
#sudo ./openvpn-ubuntu-install.sh
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 2
(You will be asked for the client password below)
I strongly suggest that you always choose the DNS server option as 1.1.1.1 or Google DNS or any other DNS service provided that you trust as per your needs. At the end you will see information as follows:
Your client configuration is available at: /root/clientname.ovpn
If you want to add more clients, just run this script again!
How to start/stop/restart the OpenVPN server on Ubuntu 20.04
Use the systemctl command as follows.
Stop the OpenVPN server:
#sudo systemctl stop openvpn-server@server.service
OR when using password to protect vpn:
#sudo systemctl stop openvpn@server.service
Start the OpenVPN server:
#sudo systemctl start openvpn-server@server.service
OR when using password to protect vpn:
#sudo systemctl start openvpn@server.service
Restart the OpenVPN server after changing configuration options:
#sudo systemctl restart openvpn-server@server.service
OR when using password to protect vpn:
#sudo systemctl restart openvpn@server.service
Show the status of the OpenVPN server:
#sudo systemctl status openvpn-server@server.service
OR when using password to protect vpn:
#sudo systemctl status openvpn@server.service
Warning: AWS EC2/Lightsail users need to open the default OpenVPN port UDP/1194 using the Amazon EC2 security groups feature for Linux instances.
Run the following ss command to see your OpenVPN port on an EC2 cloud instance:
#sudo ss -tulpn | grep -i openvpn
Step 4 – Connect to the OpenVPN server using an iOS/Android/Linux/Windows desktop client
Note for Windows users: Please download an scp client such as PSCP or WinSCP to copy the .ovpn file to your Windows machine. Some versions of Windows may come with ssh/sftp/scp clients built in.
On the server you will find a client configuration file called /root/clientname.ovpn. All you have to do is copy this file to your local desktop using the scp command:
#scp root@172.104.177.127:/root/clientname.ovpn .
Next, provide this file to your OpenVPN client to connect:
Apple iOS client
Android client
Apple MacOS (OS X) client
Windows 8/10 client
Tip: Forgotten your .ovpn file location on the Ubuntu 20.04 LTS server? Try locating it by typing the following command:
sudo find / -iname "*.ovpn"
Unable to bind a service to the VPN port? It helps to force Linux to allow binding to an IP address that is not yet configured, using the net.ipv4.ip_nonlocal_bind Linux kernel option. For example, during Ubuntu 20.04 LTS startup (boot), OpenVPN IP addresses such as 10.8.0.1/32 may not yet be available to services such as HTTPD or SSHD.
Edit the following file:
#sudo nano /etc/sysctl.d/1000-force-openvpn-bind.conf
OR
#sudo vim /etc/sysctl.d/1000-force-openvpn-bind.conf
Append the following:
net.ipv4.ip_nonlocal_bind=1
Reload the changes using the sysctl command:
#sudo sysctl -p /etc/sysctl.d/1000-force-openvpn-bind.conf
Linux Desktop: OpenVPN client configuration
First, install the openvpn client for your desktop using the yum command/dnf command/apt command:
#sudo dnf install openvpn
OR
#sudo apt install openvpn
Next, copy desktop.ovpn to /etc/openvpn/client.conf and test the connection from the command line:
#sudo openvpn --client --config /etc/openvpn/client.conf
Your Linux system will connect automatically when the computer restarts if you use the openvpn script/service:
#sudo systemctl start openvpn@client # <--- start client service
Step 5 – Verify/test the connectivity
Simply visit this page to check your IP address; it must have changed to your VPN server's IP address. Next, execute the following commands after connecting to the OpenVPN server from your Linux desktop:
#ping 10.8.0.1 (Ping the OpenVPN server gateway)
#ip route (Make sure the routing setup is working)
Step 6 – How to add or remove a VPN user with a certificate
You need to run the same script again to add or remove a VPN user and their TLS certificate. For instance:
#sudo ./openvpn-ubuntu-install.sh
You will see a menu as follows:
OpenVPN is already installed.
Select an option:
1) Add a new client
2) Revoke an existing client
3) Remove OpenVPN
4) Exit
Option:
Choose option 1 to add a new VPN client/user and option 2 to remove an existing VPN client/user. Let us add a new client/user called "mining".
A note about troubleshooting OpenVPN server and client issues
Type the following commands on your Ubuntu 20.04 Linux LTS server. First, check the OpenVPN server for errors:
#sudo journalctl --identifier openvpn
Is the firewall rule set up correctly on your server?
Use the cat command to see the rules:
#sudo cat /etc/systemd/system/openvpn-iptables.service
OR when using password to protect vpn:
#sudo cat /etc/systemd/system/iptables-openvpn.service
Config:
[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.104.177.197
ExecStart=/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.104.177.197
ExecStop=/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2400:8901::f03c:92ff:fe3e:cf92
ExecStart=/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStart=/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2400:8901::f03c:92ff:fe3e:cf92
ExecStop=/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStop=/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Another option is to run the iptables and sysctl commands to verify the NAT rule setup on your server:
#sudo iptables -t nat -L -n -v
#sysctl net.ipv4.ip_forward
#sudo cat /etc/sysctl.d/30-openvpn-forward.conf
OR when using password to protect vpn:
#sudo cat /etc/sysctl.d/99-openvpn.conf
Insert the rules, if they are not already inserted, using the following commands:
#sudo systemctl start openvpn-iptables.service
OR when using password to protect vpn:
#sudo systemctl start iptables-openvpn.service
#sudo sysctl -w net.ipv4.ip_forward=1
#sudo sysctl -p -f /etc/sysctl.d/30-openvpn-forward.conf
OR when using password to protect vpn:
#sudo sysctl -p -f /etc/sysctl.d/99-openvpn.conf
Is the OpenVPN server running and is the port open?
Use the ss command or netstat command, and the pidof command or ps command.
Check that "1194" is the openvpn server port:
#netstat -tulpn | grep :1194
#ss -tulpn | grep :1194
Check that the openvpn server is running:
#ps aux | grep openvpn
#ps -C openvpn
Find the openvpn server PID:
#pidof openvpn
If it is not running, restart the OpenVPN server:
#sudo systemctl restart openvpn-server@server.service
Look out for errors:
#sudo systemctl status openvpn-server@server.service
Can the Linux desktop client connect to the OpenVPN server machine?
First you need to run a simple test to see if the OpenVPN server port (UDP 1194) accepts connections:
#nc -vu 172.104.177.197 1194
Connection to 172.104.177.197 port [udp/openvpn] succeeded!
If it does not connect, it means either a Linux desktop firewall or your router is blocking access to the server. Make sure both client and server are using the same protocol and port, e.g. UDP port 1194.
You have now successfully set up an OpenVPN server on an Ubuntu Linux 20.04 LTS server running in the cloud. Thank you for reading this article.
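As an added example (not part of the original article or of the install script), here are the server-side troubleshooting checks from the section above, collected into one shell script that can be run on the VPN host with --live. The embedded ss and iptables-save output is constructed sample data, not captured from a real host, and the default port and subnet are the UDP 1194 and 10.8.0.0/24 used throughout this article.

```shell
#!/usr/bin/env bash
# Offline-testable health checks for an OpenVPN server installed as above.
# Each check takes command output as its first argument; openvpn_health_report
# feeds it live output from ss, sysctl and iptables-save (run it as root).

# Is an openvpn process bound on UDP port $2 according to `ss -tulpn` output $1?
vpn_port_listening() {
  printf '%s\n' "$1" | grep -Eq "^udp[[:space:]].*:$2[[:space:]].*\"openvpn\""
}

# Is kernel forwarding on, given `sysctl -n net.ipv4.ip_forward` output $1?
ip_forward_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Does `iptables-save -t nat` output $1 SNAT or MASQUERADE the VPN subnet $2?
nat_rule_present() {
  printf '%s\n' "$1" | grep -F -e "-A POSTROUTING -s $2" | grep -Eq -e '-j (SNAT|MASQUERADE)'
}

# Does `iptables-save -t filter` output $1 accept forwarded traffic from subnet $2?
forward_rule_present() {
  printf '%s\n' "$1" | grep -Fq -e "-A FORWARD -s $2 -j ACCEPT"
}

# Run every check against the live host: one line per check, exit status 1 on any failure.
openvpn_health_report() {
  local port=${1:-1194} subnet=${2:-10.8.0.0/24} rc=0
  vpn_port_listening "$(ss -tulpn)" "$port" && echo "ok   openvpn bound on udp/$port" || { echo "FAIL nothing on udp/$port"; rc=1; }
  ip_forward_enabled "$(sysctl -n net.ipv4.ip_forward)" && echo "ok   ip_forward=1" || { echo "FAIL net.ipv4.ip_forward is not 1"; rc=1; }
  nat_rule_present "$(iptables-save -t nat)" "$subnet" && echo "ok   NAT rule for $subnet" || { echo "FAIL no POSTROUTING NAT for $subnet"; rc=1; }
  forward_rule_present "$(iptables-save -t filter)" "$subnet" && echo "ok   FORWARD accept for $subnet" || { echo "FAIL no FORWARD accept for $subnet"; rc=1; }
  return $rc
}

# Constructed sample output (not captured from a real host) used for self-tests.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:1194      0.0.0.0:*    users:(("openvpn",pid=1234,fd=5))
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=500,fd=12))'
SAMPLE_NAT='-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 172.104.177.197'
SAMPLE_FILTER='-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

if [ "${1:-}" = "--live" ]; then openvpn_health_report; fi
```

Run it as `sudo ./openvpn-check.sh --live` on the server; any FAIL line points at the matching fix above (start the iptables unit, set net.ipv4.ip_forward=1, or restart the service).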