Running an OpenVPN server on Ubuntu, particularly Ubuntu 22.04 LTS, is a common and practical deployment choice. It is frequently used to enable secure remote access to private infrastructure, protect internet traffic when connected to public Wi-Fi networks, connect branch offices or distributed teams through encrypted site-to-site tunnels, and implement personal privacy configurations on a VPS.
In this guide, you will learn how to install and configure OpenVPN using two different approaches: a fast script-based installation method for quick deployment, and a manual configuration method that provides full control over security settings and server behavior. Let’s delve in.
Why OpenVPN Matters
OpenVPN is important because it provides secure remote access to private infrastructure without exposing internal services directly to the public internet.
Organizations use it to allow employees to safely connect to internal networks, while individuals deploy it on VPS environments to protect traffic on public Wi-Fi or bypass network restrictions. Its flexibility, security model, and wide compatibility make it one of the most trusted VPN technologies in production environments today.
Prerequisites and Security Notes
Assumptions. We assume the following are already in place:
- OS: Ubuntu 22.04 LTS
- VPS with root or sudo access
- Static public IP
- UDP port 1194 (default)
- Certificate-based authentication (PKI via easy-rsa)
With these in place, we can move on to the next step.
Basic Preparation
Before installing and configuring OpenVPN, your Ubuntu server must be clean, updated, and properly aligned with security and networking requirements. Skipping these foundational steps can cause TLS errors, firewall lockouts, or deployment failures later. Treat this stage as infrastructure hardening, not just housekeeping.
Update system:
sudo apt update && sudo apt upgrade -y
Why? Ensures latest security patches.
Set correct timezone:
timedatectl
sudo timedatectl set-timezone UTC
Why? TLS validation depends on accurate system time.
Ensure firewall access for SSH before making changes:
sudo ufw allow OpenSSH
If deploying on a VPS hosting environment, confirm that your provider allows UDP 1194.
Choosing a Method: Script vs Manual
Some users prefer the script and others prefer the manual route, but the end goal is the same. We prepared a comparison table to help you choose between the two methods based on your preferences:
| Criteria | Script Method | Manual Method |
| --- | --- | --- |
| Time | 5–10 min | 30–60 min |
| Complexity | Low | Moderate |
| Control | Limited | Full |
| Learning Value | Low | High |
| Best For | Quick deployment | Production + customization |
For users researching how to install OpenVPN on Ubuntu, both paths work. The choice depends on your need for control and understanding.
Method 1: Fast Installation with Script
This is the quickest way to install OpenVPN on any host.
Step 1: Download Script
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh
Why? This script automates configuring an OpenVPN Server on Ubuntu.
Step 2: Follow Prompts
You’ll be asked:
- IP address
- Protocol (choose UDP)
- Port (default 1194)
- DNS provider
- Client name
The script generates:
clientname.ovpn
Usually located in:
/home/username/
Step 3: Download Client File
From your local machine:
scp user@server-ip:/home/user/client.ovpn .
Why? This file contains certificates + configuration.
The script method is ideal if you need a working OpenVPN Server quickly with sane defaults.
Method 2: Manual Installation and Configuration
This method gives you full control over configuring an OpenVPN Server on Ubuntu.
Step 1: Install OpenVPN and Easy RSA
sudo apt install openvpn easy-rsa -y
Why? OpenVPN handles tunnels; easy-rsa manages certificates (PKI).
Step 2: Set Up PKI
Create directory:
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
Initialize:
./easyrsa init-pki
./easyrsa build-ca
Build server certificate:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
Generate Diffie-Hellman parameters:
./easyrsa gen-dh
Create client cert:
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
Why? Certificates authenticate both server and OpenVPN Client securely.
Step 3: Copy Certificates
sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem /etc/openvpn/server/
Step 4: Create Server Configuration
sudo nano /etc/openvpn/server/server.conf
Example minimal secure config:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher AES-256-GCM
auth SHA256
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
Why? Defines encryption, subnet, and routing behavior. Avoid weak ciphers like BF-CBC.
Step 5: Enable IP Forwarding
sudo nano /etc/sysctl.conf
Uncomment:
net.ipv4.ip_forward=1
Apply:
sudo sysctl -p
Why? Allows traffic routing between VPN and internet.
Step 6: Configure Firewall + NAT
If using UFW:
sudo ufw allow 1194/udp
sudo nano /etc/ufw/before.rules
Add before *filter (replace eth0 with the name of your server's public network interface):
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
Update UFW default forward policy:
sudo nano /etc/default/ufw
Change:
DEFAULT_FORWARD_POLICY="ACCEPT"
Restart UFW:
sudo ufw disable
sudo ufw enable
Why? Enables NAT so VPN clients access the internet.
Step 7: Start and Enable Service
sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server
sudo systemctl status openvpn-server@server
Check logs:
sudo journalctl -xeu openvpn-server@server
Why? Confirms the OpenVPN Server is running properly.
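A quick lint of the Step 4 configuration, added here as an example (not part of the original guide): it rejects BF-CBC and other 64-bit block ciphers, checks that the private key named by the key directive has no group or other permission bits, and confirms the user/group privilege drop is present. The function name audit_server_conf is hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): lint an OpenVPN server.conf.
# audit_server_conf is a hypothetical helper name.
audit_server_conf() (
    conf=$1
    dir=$(dirname "$conf")
    rc=0

    # Print the arguments of directive $1, skipping '#' and ';' comments.
    directive() {
        awk -v d="$1" '{ sub(/[ \t]*[#;].*/, "") }
            $1 == d { $1 = ""; sub(/^ +/, ""); print }' "$conf"
    }

    # Reject BF-CBC and the other 64-bit block ciphers, and "cipher none".
    for c in $( { directive cipher; directive data-ciphers; } | tr 'a-z:' 'A-Z '); do
        case $c in
            BF-*|DES-*|DESX-*|CAST5-*|RC2-*|NONE)
                echo "FAIL weak cipher: $c"; rc=1 ;;
        esac
    done

    # The private key must exist and carry no group/other permission bits.
    key=$(directive key)
    case $key in /*) ;; *) key=$dir/$key ;; esac
    if [ ! -f "$key" ]; then
        echo "FAIL key file not found: $key"; rc=1
    elif [ "$(ls -lL "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL $key is accessible to group or others"; rc=1
    fi

    # The daemon should drop root after start-up (user/group directives).
    if [ -z "$(directive user)" ] || [ -z "$(directive group)" ]; then
        echo "FAIL no user/group privilege drop"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK $conf"
    exit "$rc"
)

# Usage: sudo sh audit.sh /etc/openvpn/server/server.conf
if [ "$#" -eq 1 ]; then audit_server_conf "$1"; fi
```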
Create Client Configuration (.ovpn)
The next step is creating a portable client configuration file. This .ovpn file contains all necessary connection parameters and authentication materials in a single profile.
Create client:
nano client1.ovpn
Basic template:
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
cipher AES-256-GCM
auth SHA256
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
<ca>
...paste ca.crt...
</ca>
<cert>
...paste client1.crt...
</cert>
<key>
...paste client1.key...
</key>
Transfer securely:
scp client1.ovpn user@localmachine:
Why? The .ovpn file bundles authentication and connection details.
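One way to script the paste step above, as an added example that is not part of the original guide: the function reads the easy-rsa PKI directory from Step 2, keeps only the PEM block of each file (dropping any text dump that precedes it), and writes the profile with owner-only permissions because it embeds the private key. The helper names build_ovpn and pem_block and the argument order are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the guide): build an inline client profile from the
# easy-rsa PKI directory. build_ovpn and pem_block are hypothetical helper names.

# Print only the PEM block, dropping any text dump that precedes it.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

build_ovpn() (
    pki=$1 name=$2 server=$3 out=$4
    ca=$pki/ca.crt
    crt=$pki/issued/$name.crt
    key=$pki/private/$name.key

    # Stop before writing anything if a PKI file is missing or unreadable.
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; exit 1; }
    done

    # The profile embeds the private key, so create it owner-only (0600).
    umask 077
    rm -f "$out"
    {
        printf '%s\n' client 'dev tun' 'proto udp' "remote $server 1194" \
            'cipher AES-256-GCM' 'auth SHA256' 'resolv-retry infinite' \
            nobind persist-key persist-tun 'verb 3'
        echo '<ca>';   pem_block "$ca";  echo '</ca>'
        echo '<cert>'; pem_block "$crt"; echo '</cert>'
        echo '<key>';  pem_block "$key"; echo '</key>'
    } > "$out"
)

# Usage: sh build_ovpn.sh ~/openvpn-ca/pki client1 YOUR_SERVER_IP client1.ovpn
if [ "$#" -eq 4 ]; then build_ovpn "$@"; fi
```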
Connecting Clients
To connect an OpenVPN Client, first install the official client software on your device (Windows, macOS, or Linux), then import the generated .ovpn configuration file. On mobile devices, use the OpenVPN app, import the profile, and initiate the connection from the app interface.
Once connected, verify your public IP and routing to ensure traffic is securely passing through the OpenVPN tunnel.
- Windows / macOS / Linux: Install the official OpenVPN Client from openvpn.net, then import the .ovpn file and connect.
- Mobile (Android/iOS): Install the OpenVPN app from the app store and import the profile via file or QR code.
Testing and Validation
You should verify that traffic is actually passing through the VPN tunnel. These checks confirm proper routing, IP masking, and DNS integrity.
After connecting:
Check IP:
curl ifconfig.me
The output should match the server IP.
Check route:
ip route
Verify DNS leak via browser tools.
Why? Ensures traffic is routed through OpenVPN tunnel.
Common Troubleshooting (8+ Issues)
Even with correct setup, connection failures usually stem from firewall rules, certificate mismatches, routing gaps, or service conflicts. Start by checking port access, TLS errors, and system logs before modifying configs.
If your OpenVPN connection fails, verify UDP 1194 is open on both the server firewall and VPS panel. TLS or authentication errors typically indicate certificate or time-sync issues.
If clients connect but have no internet, review NAT, IP forwarding, DNS push settings, and inspect logs using journalctl.
Common issues:
- Port blocked: Ensure UDP 1194 is open in UFW and your VPS provider firewall.
- TLS Error: Certificate mismatch, wrong CA, or expired cert.
- No internet access: Missing NAT (MASQUERADE) rule or IP forwarding disabled.
- DNS not resolving: Check push “dhcp-option DNS” lines and client config.
- MTU issues: Add tun-mtu 1400 to reduce fragmentation problems.
- Time mismatch: Sync server and client time using NTP.
- Permission denied: Verify correct ownership and permissions on key files.
- Service not starting: Check logs with journalctl -u openvpn-server@server.
- Conflicting VPN service: Ensure no other instance of OpenVPN is using port 1194.
Methodical validation of logs, firewall rules, routing tables, and certificate integrity will resolve the majority of deployment issues.
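The three server-side settings behind the "connected but no internet" symptom can be checked in one pass. This is an added example, not part of the original guide; the function name check_vpn_routing and the option of passing alternative file paths are assumptions, with defaults taken from Steps 5 and 6.

```shell
#!/bin/sh
# Added example (not from the guide): verify the Step 5 and Step 6 settings.
# check_vpn_routing is a hypothetical helper; paths default to the real files.
check_vpn_routing() (
    sysctl_conf=${1:-/etc/sysctl.conf}
    before_rules=${2:-/etc/ufw/before.rules}
    ufw_default=${3:-/etc/default/ufw}
    subnet=${4:-10.8.0.0/24}
    rc=0

    # Step 5: net.ipv4.ip_forward=1 must be present and uncommented.
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        "$sysctl_conf" || { echo "FAIL ip_forward not enabled in $sysctl_conf"; rc=1; }

    # Step 6: a MASQUERADE rule for the VPN subnet must sit inside the *nat
    # table and be followed by that table's COMMIT.
    awk -v net="$subnet" '
        /^\*/ { table = $1; rule = 0 }
        table == "*nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ &&
            index($0, "-s " net " ") { rule = 1 }
        table == "*nat" && $1 == "COMMIT" && rule { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$before_rules" || { echo "FAIL no committed MASQUERADE rule for $subnet"; rc=1; }

    # Step 6: UFW must not drop forwarded packets by default.
    grep -Eq '^DEFAULT_FORWARD_POLICY="?ACCEPT"?[[:space:]]*$' "$ufw_default" \
        || { echo "FAIL DEFAULT_FORWARD_POLICY is not ACCEPT"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK forwarding, NAT and forward policy are set"
    exit "$rc"
)

# Run on the server with: sudo sh check.sh --check
if [ "${1:-}" = "--check" ]; then shift; check_vpn_routing "$@"; fi
```

This inspects the configuration files only; sysctl net.ipv4.ip_forward shows the value the running kernel is using.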
Conclusion
If you are an intermediate Ubuntu user familiar with SSH, the recommended path is manual installation. This approach allows you to fully understand how the OpenVPN Server operates, control cipher selection and firewall rules, and troubleshoot issues more effectively when they arise. It also provides stronger production readiness compared to automated setups. The script method is best reserved for quick labs or temporary environments.
For real infrastructure deployments on a VPS, a manual setup offers greater operational confidence and long-term maintainability.
FAQ
How to install OpenVPN on Ubuntu 22.04?
You can install OpenVPN using sudo apt install openvpn easy-rsa -y, then configure certificates and server settings manually, or use an automated installation script for faster deployment.
What is the difference between OpenVPN Server and OpenVPN Client?
The OpenVPN Server runs on your Ubuntu VPS and manages encrypted tunnels, while the OpenVPN Client connects from user devices (Windows, macOS, Linux, or mobile) to access the secure network.
Which protocol should I choose when setting up OpenVPN?
UDP is recommended for better performance and lower latency, while TCP may help in restrictive network environments.
Why is my OpenVPN client connected but has no internet access?
This usually indicates missing NAT rules, disabled IP forwarding, or incorrect firewall configuration on the server.
Is manual configuration better than using a script to set up OpenVPN?
For intermediate users, manual configuration offers better control, stronger security awareness, and easier troubleshooting in production environments.



