Setting up an OpenVPN server on Ubuntu can sound tricky, but don’t worry—you’re not diving into a digital jungle without a map. I’ll guide you step by step so you can make your own secure private network. OpenVPN is a free and open-source tool that helps you build a Virtual Private Network (VPN). A VPN lets you send and receive data privately, even over the public internet. Think of it like building your own secret tunnel through the web.
I’ve used OpenVPN on several of my home servers and Raspberry Pi devices. It helps me safely connect back to my home network when I’m away. It’s also a good way to keep your internet use private, especially on public Wi-Fi. Plus, it’s fun to say, “I made my own VPN.”
Before we start, let’s explain some key terms:
- VPN: A tool that encrypts the traffic between your device and the VPN server so others on the same network can’t see what you’re doing.
- OpenVPN: A popular program that builds secure VPNs using SSL/TLS (the same family of encryption that protects HTTPS websites).
- Ubuntu: A user-friendly version of Linux that works well on servers.
What You Need First
Before you install anything, make sure you have:
- A server with Ubuntu (I use Ubuntu 20.04 or 22.04)
- Root or sudo access to that server
- A basic firewall (we’ll configure it)
- About 30 minutes and a good cup of tea or coffee
If that’s all set, let’s dive in. Not literally, unless you’re sitting in a beanbag chair.
Step 1: Update Your Server
We want everything fresh. Start by running:
sudo apt update && sudo apt upgrade -y
This updates all your software. Outdated tools can cause errors, and nobody likes chasing bugs. Especially digital ones.
Step 2: Install OpenVPN and Easy-RSA
OpenVPN needs some helper tools. Easy-RSA helps you create security certificates (like digital ID cards).
sudo apt install openvpn easy-rsa -y
Done? Great. Let’s make the keys.
Step 3: Set Up Easy-RSA
We’ll now set up a folder to create our own Certificate Authority (CA). This lets you sign your own keys.
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
Now let’s configure it:
nano vars
Find these lines and change them to fit you:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "SanFrancisco"
set_var EASYRSA_REQ_ORG "MyVPN"
set_var EASYRSA_REQ_EMAIL "admin@example.com"
set_var EASYRSA_REQ_OU "MyVPNUnit"
Save and close.
Step 4: Build the Certificate Authority
Now we build the CA:
./easyrsa init-pki
./easyrsa build-ca
It will ask for a password. Don’t lose it—it’s like the keys to your online castle.
Then generate a server certificate and key:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
Then do the same for the client:
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
You’ll need a Diffie-Hellman file too:
./easyrsa gen-dh
And generate a key for extra TLS security:
openvpn --genkey --secret ta.key
Whew. That was a lot. But you’re doing great. High five?
Step 5: Configure OpenVPN Server
Copy all the needed files to the OpenVPN folder:
sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt ta.key /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/dh.pem
Create a basic server config:
sudo nano /etc/openvpn/server.conf
Paste this inside:
port 1194
proto udp
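dev tun
# VPN subnet handed out to clients; also puts OpenVPN into TLS server mode
server 10.8.0.0 255.255.255.0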
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
comp-lzo
max-clients 10
status openvpn-status.log
verb 3
Save and exit.
Step 6: Enable Packet Forwarding
This allows your VPN to route traffic:
sudo nano /etc/sysctl.conf
Uncomment this line:
net.ipv4.ip_forward=1
Then apply it:
sudo sysctl -p
Step 7: Set Up Firewall (UFW)
Allow SSH and OpenVPN:
sudo ufw allow OpenSSH
sudo ufw allow 1194/udp
Set up forwarding:
sudo nano /etc/ufw/before.rules
Add this at the top:
*nat
:POSTROUTING ACCEPT [0:0]
# NAT only the VPN subnet; change eth0 if your public interface has another name
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
Then enable the firewall:
sudo ufw enable
Double-check it’s running:
sudo ufw status
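The source network on the MASQUERADE rule should be exactly the subnet the VPN hands out; a wider prefix such as a /8 makes the server NAT for the whole 10.0.0.0/8 range. The check below is an added example, not part of the original tutorial: it assumes the server config contains a `server NETWORK NETMASK` line, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): check that the NAT rule masquerades
# only the subnet the OpenVPN server hands out. Function names are illustrative.

# Print the VPN subnet from a "server NETWORK NETMASK" line as CIDR.
vpn_cidr() {
    awk '$1 == "server" && NF >= 3 {
        n = split($3, octet, "."); bits = 0
        for (i = 1; i <= n; i++)    # prefix length = set bits in the netmask
            for (v = octet[i] + 0; v > 0; v = int(v / 2)) bits += v % 2
        print $2 "/" bits; exit
    }' "$1"
}

# Print the -s argument of the first POSTROUTING MASQUERADE rule.
nat_source() {
    awk '$1 == "-A" && $2 == "POSTROUTING" && /MASQUERADE/ {
        for (i = 3; i < NF; i++) if ($i == "-s") { print $(i + 1); exit }
    }' "$1"
}

# usage: check_nat_scope SERVER_CONF RULES_FILE
# returns 0 on match, 1 on mismatch, 2 if either value is missing
check_nat_scope() {
    want=$(vpn_cidr "$1"); have=$(nat_source "$2")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "MISSING: no server directive or no MASQUERADE rule"; return 2
    fi
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: NAT covers $have but the VPN subnet is $want"; return 1
    fi
    echo "OK: NAT source $have matches the VPN subnet"
}

# Constructed sample files, so the check runs without touching /etc.
demo=$(mktemp -d)
printf 'port 1194\nserver 10.8.0.0 255.255.255.0\n' > "$demo/server.conf"
printf '*nat\n-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE\nCOMMIT\n' \
    > "$demo/wide.rules"
printf '*nat\n-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\nCOMMIT\n' \
    > "$demo/tight.rules"
check_nat_scope "$demo/server.conf" "$demo/wide.rules" || true
check_nat_scope "$demo/server.conf" "$demo/tight.rules" || true
rm -rf "$demo"
```

On a real server the two arguments would be /etc/openvpn/server.conf and /etc/ufw/before.rules, read with sudo.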
Step 8: Start OpenVPN
Let’s fire it up:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Want to check if it worked?
sudo systemctl status openvpn@server
If it says “active (running),” you’re golden.
Step 9: Create Client Config
Now we make a config file for the client to connect to your server.
Create a file like this:
nano client1.ovpn
Paste this, replacing your-server-ip:
client
dev tun
proto udp
remote your-server-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
<ca>
(Insert ca.crt here)
</ca>
<cert>
(Insert client1.crt here)
</cert>
<key>
(Insert client1.key here)
</key>
Use SCP or USB to transfer it to your client device.
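The profile above loads ta.key by filename, so that file has to travel with client1.ovpn. The script below, an added example that is not part of the original tutorial, fills in the three placeholders from the Easy-RSA output and goes one step further by inlining ta.key as well (`<tls-auth>` plus `key-direction 1`), producing a single file readable only by its owner. `build_ovpn`, its arguments and the stand-in PEM files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): assemble a one-file client profile
# from the Easy-RSA output. build_ovpn and its arguments are illustrative.

# usage: build_ovpn PKI_DIR TA_KEY CLIENT_NAME SERVER_ADDR OUT_FILE
build_ovpn() {
    pki=$1; ta=$2; name=$3; addr=$4; out=$5
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$ta"
    do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    (
        umask 077       # the profile embeds a private key: owner-only access
        rm -f "$out"    # recreate so the umask applies to an existing file too
        {
            printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$addr"
            printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
            printf 'remote-cert-tls server\ncipher AES-256-CBC\ncomp-lzo\nverb 3\n'
            printf 'key-direction 1\n'      # replaces the "1" in "tls-auth ta.key 1"
            printf '<ca>\n'; cat "$pki/ca.crt"; printf '</ca>\n'
            # Keep only the PEM block; the issued file may start with a text dump.
            printf '<cert>\n'
            sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$pki/issued/$name.crt"
            printf '</cert>\n'
            printf '<key>\n'; cat "$pki/private/$name.key"; printf '</key>\n'
            printf '<tls-auth>\n'; cat "$ta"; printf '</tls-auth>\n'
        } > "$out"
    )
}

# Constructed stand-in files (not real keys), so the function can be run as-is.
pem() { printf '%s\n' "-----BEGIN $1-----" "constructed-sample" "-----END $1-----"; }
d=$(mktemp -d); mkdir -p "$d/pki/issued" "$d/pki/private"
pem CERTIFICATE > "$d/pki/ca.crt"
{ echo "Certificate: (text dump)"; pem CERTIFICATE; } > "$d/pki/issued/client1.crt"
pem "PRIVATE KEY" > "$d/pki/private/client1.key"
pem "OpenVPN Static key V1" > "$d/ta.key"
build_ovpn "$d/pki" "$d/ta.key" client1 your-server-ip "$d/client1.ovpn" &&
    ls -l "$d/client1.ovpn"
rm -rf "$d"
```

With the tutorial's layout the call would be `build_ovpn ~/openvpn-ca/pki ~/openvpn-ca/ta.key client1 your-server-ip client1.ovpn`.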
Three Things to Remember
- Back up your keys: They’re important.
- Don’t share your .ovpn file: It’s like your digital passport.
- Restart after config changes: Always restart the service.
Why OpenVPN?
Here’s a quick comparison:
VPN Tool | Free | Secure | Easy for Beginners |
---|---|---|---|
OpenVPN | Yes | Yes | Medium |
WireGuard | Yes | Yes | Easier |
PPTP | Yes | No | Easy but outdated |
I like OpenVPN because it’s been around a long time. It’s like that old bike in your garage: it might need tuning, but it still works great.
Wrapping Up (Without the Wrapping Paper)
You did it. You installed OpenVPN on Ubuntu. You now have your own secure tunnel on the internet. No more worrying about sketchy coffee shop Wi-Fi.
Setting this up may seem like a lot of steps, but most of it is just copy-paste and patience. Once it’s running, you won’t have to touch it much.
Have questions? Curious about WireGuard or mobile apps next? I’m happy to share what worked for me.
Oh, and by the way: running your own VPN is cool. But don’t let it go to your head. Unless you’re wearing a tin foil hat—in which case, full respect.