Set Up OpenVPN Server On Ubuntu 20.04 LTS

VPN allow to connect securely to an insecure public network such as wifi network at the airport or hotel or any publicly used internet. In many enterprises and government offices, VPN is needed to access corporate server resources. A widespread usage to bypass the blocked sites/apps and increase your privacy or safety online. Here step-by-step process to setup OpenVPN server on Ubuntu 20.04 LTS server.OpenVPN is extremely popular and a full-featured SSL VPN (Virtual Private Network) software. It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. Like much other popular software, it is open-source, free software and distributed under the GNU GPL.

Step 1 – Update your system

First, run the apt command to apply security updates:
sudo apt update
sudo apt upgrade

Step 2 – Find and note down your IP address

Use the ip command as follows:
ip a
ip a show eth0

Step 3 – Download and run openvpn-install.sh script

Use the wget command as follows:
#wget https://git.io/vpn -O openvpn-ubuntu-install.sh

For password authentication along with certificates:
#wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh -O openvpn-ubuntu-install.sh

Make it executable. Set up permissions using the chmod command:
#chmod -v +x openvpn-ubuntu-install.sh

One can view the script using a text editor such as nano/vim:
#nano openvpn-ubuntu-install.sh

Run openvpn-ubuntu-install.sh script to install OpenVPN server
Now do this:
#sudo ./openvpn-ubuntu-install.sh

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 2
(You will be asked for the client password below)

I strongly suggest that you always choose the DNS server option as 1.1.1.1 or Google DNS or any other DNS service provided that you trust as per your needs. At the end see information as follows:

    Your client configuration is available at: /root/clientname.ovpn
    If you want to add more clients, just run this script again!

How to start/stop/restart OpenVPN server on Ubuntu 20.04:

Use the systemctl command as follows:
Stop the OpenVPN server
#sudo systemctl stop openvpn-server@server.service

OR when using password to protect vpn
#sudo systemctl stop openvpn@server.service

Start the OpenVPN server:
#sudo systemctl start openvpn-server@server.service

OR when using password to protect vpn
#sudo systemctl start openvpn@server.service

Restart the OpenVPN server after changing configuration options
#sudo systemctl restart openvpn-server@server.service

OR when using password to protect vpn
#sudo systemctl restart openvpn@server.service

Show status of the OpenVPN server
#sudo systemctl status openvpn-server@server.service

OR when using password to protect vpn
#sudo systemctl status openvpn@server.service

Warning: AWS EC2/Lightsail users need to open the default OpenVPN port UDP/1194 using Amazon EC2 security groups for the Linux instances feature. Run the following ss command to see your OpenVPN port on EC2 cloud instance:

#sudo ss -tulpn | grep -i openvpn


Step 4 – Connect an OpenVPN server using iOS/Android/Linux/Windows desktop client

Note for Windows user: Please download scp clients such as PSCP or WinSCP to copy the .ovpn file to your Windows machine. Some versions of windows may come with both ssh/sftp/ssh clients.

On server your will find a client configuration file called /root/clientname.ovpn. All you have to do is copy this file to your local desktop using the scp command:
#scp root@172.104.177.127:/root/clientname.ovpn .

Next, provide this file to your OpenVPN client to connect:

    Apple iOS client
    Android client
    Apple MacOS (OS X) client
    Windows 8/10 client

Tip: Forgotten your .opvn file location on the Ubuntu 20.04 LTS server? Try locating by typing the following command:
sudo find / -iname "*.ovpn"
Unable to bind service to VPN port?

It would help if you force Linux to bind an IP address that doesn’t exist with net.ipv4.ip_nonlocal_bind Linux kernel option. For example, during Ubuntu 20.04 LTS startup (boot) time, OpenVPN IP addresses such as 10.8.0.1/32 may not be available to services such as HTTPD or SSHD. Edit the following file:
# sudo nano /etc/sysctl.d/1000-force-openvpn-bind.conf

OR when using password to protect vpn ##
# sudo vim /etc/sysctl.d/1000-force-openvpn-bind.conf

Append the following:

net.ipv4.ip_nonlocal_bind=1

Reload changes using the sysctl command:
# sudo sysctl -p /etc/sysctl.d/1000-force-openvpn-bind.conf


Linux Desktop: OpenVPN client configuration:

First, install the openvpn client for your desktop using the yum command/dnf command/apt command:
#sudo dnf install openvpn

OR
#sudo apt install openvpn

Next, copy desktop.ovpn as follows:
#sudo openvpn --client --config /etc/openvpn/client.conf

Your Linux system will automatically connect when computer restart using openvpn script/service:
#sudo systemctl start openvpn@client # <--- start client service


Step 5 – Verify/test the connectivity:

Simply visit this page to check your IP address and it much change to your VPN server IP address. Next, execute the following commands after connecting to OpenVPN server from your Linux desktop:

#ping 10.8.0.1 (Ping to the OpenVPN server gateway)
#ip route      (Make sure routing setup working)


Step 6 – How to add or remove a new VPN user with a certificate:

You need to run the same script again for adding or removing a new VPN user to TLS certificate. For instance:
# sudo ./openvpn-ubuntu-install.sh

You will see menu as follows:

OpenVPN is already installed.

Select an option:
   1) Add a new client
   2) Revoke an existing client
   3) Remove OpenVPN
   4) Exit
Option: 

Choose option :
# 1 to add a new VPN client/user and option 
# 2 to remove the existing VPN client and user. Let us add a new client/user called "mining"

A note about trouble shooting OpenVPN server and client issues:

Type the following commands on your Ubuntu 20.04 Linux LTS server. First, check OpenVPN server for errors:
#sudo journalctl --identifier openvpn


Is firewall rule setup correctly on your server? Use the cat command to see rules:
sudo cat /etc/systemd/system/openvpn-iptables.service
## OR when using password to protect vpn ##
sudo cat /etc/systemd/system/iptables-openvpn.service

Config:

[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.104.177.197
ExecStart=/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.104.177.197
ExecStop=/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2400:8901::f03c:92ff:fe3e:cf92
ExecStart=/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStart=/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2400:8901::f03c:92ff:fe3e:cf92
ExecStop=/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStop=/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

Another option is to run iptables command and sysctl command commands to verify NAT rule setup on your server:

#sudo iptables -t nat -L -n -v
#sysctl net.ipv4.ip_forward
#sudo cat /etc/sysctl.d/30-openvpn-forward.conf

OR when using password to protect vpn
#sudo cat /etc/sysctl.d/99-openvpn.conf

OpenVPN verify NAT and firewall forwarding rules on Linux:

NAT Firewall OpenVPN Rules Verification
Insert the rules if not inserted using the following command:

#sudo systemctl start openvpn-iptables.service

OR when using password to protect vpn
#sudo systemctl start iptables-openvpn.service
#sudo sysctl -w net.ipv4.ip_forward=1
#sudo sysctl -p -f /etc/sysctl.d/30-openvpn-forward.conf

OR when using password to protect vpn ##
#sudo sysctl -p -f /etc/sysctl.d/99-openvpn.conf

Is OpenVPN server running and port is open? Use the ss command or netstat command and pidof command/ps command:

Check "1194" is the openvpn server port
#netstat -tulpn | grep :1194

Check '1194' is the openvpn server port
#ss -tulpn | grep :1194

Check the openvpn server running
#ps aux | grep openvpn

Check the openvpn server running
#ps -C openvpn

Find the openvpn server PID
#pidof openvpn

Verify that OpenVPN server runnign and Port is Open on ubuntu Linux
If not running, restart the OpenVPN server:
#sudo systemctl restart openvpn-server@server.service

Look out for errors:
#sudo systemctl status openvpn-server@server.service

Can the Linux desktop client connect to the OpenVPN server machine? First you need to run a simple test to see if the OpenVPN server port (UDP 1194) accepts connections:
#nc -vu 172.104.177.197 1194
Connection to 172.104.177.197 port [udp/openvpn] succeeded!

If not connected it means either a Linux desktop firewall or your router is blocking access to server. Make sure both client and server using same protocol and port, e.g. UDP port 1194.


Now successfully set up an OpenVPN server on Ubuntu Linux 20.04 LTS server running in the cloud.

Thank you for reading this article.

Was this helpful?

3 / 1

Leave a Reply 0

Your email address will not be published. Required fields are marked *