OpenVPN: Step by Step Setup on Ubuntu 22.04 (Server + Clients)

OpenVPN

A VPN creates a secure, encrypted connection between your device and a remote server. Instead of sending data directly over the public internet, your network traffic passes through this encrypted tunnel, helping protect it from interception and unauthorized access. Whether you’re connecting to company resources, working remotely, or using public Wi-Fi, a VPN provides an additional layer of security for your communications.

While HTTPS encrypts traffic between your browser and individual websites, it does not protect every connection your device makes. A VPN secures all supported network traffic between the client and the VPN server, making it useful for safeguarding remote access, file transfers, authentication, and other sensitive communications.

Among the available VPN solutions, OpenVPN remains one of the most widely adopted open-source options. Built on the Transport Layer Security (TLS) protocol, it offers strong encryption, flexible authentication methods, and broad compatibility across Linux, Windows, macOS, Android, and iOS.

This guide walks through the complete process of deploying an OpenVPN server on Ubuntu 20.04. Along the way, you’ll create a dedicated Certificate Authority (CA), generate the required certificates and cryptographic keys, configure the VPN server, and prepare client devices for secure connections.

Prerequisites

Before starting the installation, make sure the following requirements are in place:

  • An Ubuntu 20.04 server that will host the OpenVPN service. This server should have a non-root user with sudo privileges, and its firewall should already be configured.
  • A second Ubuntu 20.04 server that will act as the Certificate Authority (CA). Like the VPN server, it should have a non-root user with sudo access and basic firewall protection. This machine will be responsible for generating and signing the certificates used by both the server and VPN clients.

Although it’s technically possible to run the Certificate Authority on the same machine as OpenVPN, keeping them separate is considered a security best practice. By isolating the CA, you reduce the risk of exposing your private signing keys if the VPN server is ever compromised.

You’ll also need at least one client device that will connect to the VPN after the server is configured. Throughout this guide, this device is referred to as the OpenVPN client. For most users, a local computer is sufficient for testing and everyday use.

Once these prerequisites are met, you can begin installing and configuring OpenVPN.

Step 1 – Install OpenVPN and Easy-RSA

The first step is to install OpenVPN along with Easy-RSA. OpenVPN provides the VPN service itself, while Easy-RSA supplies the tools required to build and manage the Public Key Infrastructure (PKI), which is used to generate certificates and private keys for both the server and its clients.

Update the package index and install both packages:

sudo apt update

sudo apt install openvpn easy-rsa

After the installation completes, create a dedicated workspace for Easy-RSA inside your home directory:

mkdir ~/easy-rsa

Next, create symbolic links to the Easy-RSA files installed by the package manager:

ln -s /usr/share/easy-rsa/* ~/easy-rsa/

Using symbolic links instead of copying the files allows your Easy-RSA workspace to stay synchronized with future package updates.

To secure the workspace, change its ownership to your non-root user and restrict access so that only the owner can read or modify its contents:

sudo chown sammy ~/easy-rsa

chmod 700 ~/easy-rsa

Note: Replace sammy with the username you created during the initial server setup.

At this point, both OpenVPN and Easy-RSA are installed, and your PKI workspace is ready for use. The next step is to initialize the PKI structure that will store certificate requests, private keys, and other cryptographic assets required throughout the deployment.

Step 2 – Initialize the PKI Environment

Before certificates can be created, Easy-RSA needs a dedicated Public Key Infrastructure (PKI) directory. This directory stores certificate signing requests (CSRs), private keys, issued certificates, and other files required for certificate management throughout the OpenVPN deployment.

Although the Certificate Authority (CA) is responsible for signing certificates, the OpenVPN server still requires its own PKI workspace to generate certificate requests and organize the associated cryptographic files.

Configure Easy-RSA

Move into the Easy-RSA working directory:

cd ~/easy-rsa

Create a new configuration file named vars:

nano vars

Add the following lines to the file:

set_var EASYRSA_ALGO "ec"

set_var EASYRSA_DIGEST "sha512"

These settings instruct Easy-RSA to generate Elliptic Curve Cryptography (ECC) keys and sign certificates using the SHA-512 hashing algorithm. Both are widely recommended for modern VPN deployments because they provide strong security while maintaining efficient performance.

Save the file and exit the editor.

Initialize the PKI Directory

Run the following command to create the PKI structure:

./easyrsa init-pki

Easy-RSA will create a directory named pki containing the folders required to manage keys, certificate requests, and issued certificates.

Even if your Certificate Authority already maintains its own PKI, this initialization is still required on the OpenVPN server. The server uses this local workspace to generate certificate requests before they are transferred to the CA for signing.

With the PKI environment in place, you’re ready to create the server’s private key and certificate signing request.

Step 3 – Generate the Server Private Key and Certificate Request

The OpenVPN server needs its own identity certificate before clients can establish trusted connections. To obtain that certificate, you’ll first generate a private key along with a Certificate Signing Request (CSR). The private key remains on the VPN server, while the CSR will later be signed by the Certificate Authority.

Start by navigating to the Easy-RSA directory:

cd ~/easy-rsa

Generate the server key and CSR:

./easyrsa gen-req server nopass

Here’s what the command parameters mean:

  • server specifies the Common Name (CN) for the certificate.
  • nopass creates an unencrypted private key, allowing OpenVPN to start automatically without requiring a password during boot.

When prompted to confirm the Common Name, simply press Enter to accept the default value:

Common Name (eg: your user, host, or server name) [server]:

After the process finishes, Easy-RSA creates the following files:

  • pki/private/server.key — the server’s private key.
  • pki/reqs/server.req — the certificate signing request that will be sent to the Certificate Authority.

Install the Server Private Key

Copy the generated private key to OpenVPN’s server configuration directory:

sudo cp ~/easy-rsa/pki/private/server.key /etc/openvpn/server/

Only the private key should remain on the VPN server. The CSR will be transferred to the Certificate Authority, where it will be validated and signed before the resulting certificate is returned for use by OpenVPN.

At this point, the server has everything required to request a trusted certificate from the CA.

Step 4 – Sign the Server Certificate with the Certificate Authority

Now that the OpenVPN server has generated its private key and Certificate Signing Request (CSR), the request must be signed by the Certificate Authority (CA). Once signed, the resulting certificate will allow clients to verify the identity of the VPN server during the TLS handshake.

Transfer the Certificate Request

From the OpenVPN server, securely copy the CSR to your CA server using scp:

scp ~/easy-rsa/pki/reqs/server.req sammy@your_ca_server_ip:/tmp

Replace the following values before running the command:

  • sammy with the username on your CA server.
  • your_ca_server_ip with the IP address of the Certificate Authority server.

Import the Request on the CA Server

Log in to the CA server and switch to the Easy-RSA directory:

cd ~/easy-rsa

Import the server request into the PKI:

./easyrsa import-req /tmp/server.req server

If the request is imported successfully, Easy-RSA will confirm that it has been added to the PKI database and is ready to be signed.

Sign the Certificate

Issue the following command to sign the imported request:

./easyrsa sign-req server server

Easy-RSA displays the certificate details before signing. Review the information and type:

yes

If your CA private key is protected with a passphrase, you’ll be prompted to enter it before the certificate is generated.

After signing, the server certificate will be available at:

pki/issued/server.crt

Copy the Signed Certificate Back

Transfer both the signed server certificate and the CA certificate back to the OpenVPN server:

scp pki/issued/server.crt sammy@your_vpn_server_ip:/tmp

scp pki/ca.crt sammy@your_vpn_server_ip:/tmp

Replace your_vpn_server_ip with the public IP address of your VPN server.

Install the Certificates

On the OpenVPN server, move the certificates into the server configuration directory:

sudo cp /tmp/{server.crt,ca.crt} /etc/openvpn/server

At this point, the server has all of the certificates required to establish trusted VPN connections:

  • server.key – Server private key
  • server.crt – Signed server certificate
  • ca.crt – Certificate Authority certificate

The remaining cryptographic component is the TLS protection key, which you’ll generate in the next step.

Step 5 – Generate the TLS Crypt Key

Besides the server certificate, OpenVPN can use an additional shared key to secure the TLS control channel. This feature, enabled through tls-crypt, encrypts and authenticates the initial handshake packets before the VPN session is established.

Adding this extra layer helps reduce unsolicited connection attempts and provides protection against certain scanning and denial-of-service attacks.

Move into your Easy-RSA directory if you’re not already there:

cd ~/easy-rsa

Generate the TLS key by running:

openvpn --genkey --secret ta.key

Once completed, a file named ta.key will be created in the current directory.

Install the TLS Key

Copy the key to OpenVPN’s configuration directory:

sudo cp ta.key /etc/openvpn/server

Your server now has every cryptographic file required for its configuration:

  • ca.crt – Certificate Authority certificate
  • server.crt – Signed server certificate
  • server.key – Server private key
  • ta.key – Shared TLS crypt key

With the server-side cryptographic assets prepared, the next step is to generate credentials for VPN clients.

Step 6 – Generate Client Credentials

With the server certificates in place, the next task is to create credentials for the VPN client. Every device that connects to your OpenVPN server should have its own unique certificate and private key. Assigning individual credentials to each client improves security and makes certificate management much easier if access ever needs to be revoked.

In this example, the client will be named client1. If you’re configuring VPN access for multiple users or devices, repeat these steps using a different client name for each one.

Create a Directory for Client Files

Begin by creating a directory that will store client certificates, keys, and configuration files:

mkdir -p ~/client-configs/keys

To prevent unauthorized access, restrict permissions so only your user account can access the directory:

chmod -R 700 ~/client-configs

Generate the Client Key and Certificate Request

Navigate to your Easy-RSA workspace:

cd ~/easy-rsa

Generate the client’s private key and Certificate Signing Request (CSR):

./easyrsa gen-req client1 nopass

When Easy-RSA asks for the Common Name, press Enter to accept the default value:

Common Name (eg: your user, host, or server name) [client1]:

After the command finishes, two files will be created:

  • pki/private/client1.key – the client’s private key.
  • pki/reqs/client1.req – the Certificate Signing Request that will be signed by the Certificate Authority.

Store the Client Private Key

Copy the private key into the client configuration directory:

cp pki/private/client1.key ~/client-configs/keys/

Only the private key remains on the OpenVPN server at this stage. The certificate request still needs to be signed by the Certificate Authority before the client can authenticate successfully.

Step 7 – Sign the Client Certificate

The client request generated in the previous step must now be signed by your Certificate Authority. This signed certificate proves the client’s identity whenever it attempts to establish a VPN connection.

Transfer the Client Request

Copy the client’s Certificate Signing Request to the CA server:

scp pki/reqs/client1.req sammy@your_ca_server_ip:/tmp

Replace:

  • sammy with the username on your CA server.
  • your_ca_server_ip with the IP address of the CA server.

Import the Certificate Request

Log in to the CA server and change to the Easy-RSA directory:

cd ~/easy-rsa

Import the request into the CA database:

./easyrsa import-req /tmp/client1.req client1

Once imported successfully, the request is ready to be signed.

Sign the Client Certificate

Generate the signed client certificate by running:

./easyrsa sign-req client client1

Easy-RSA displays the request details before signing. Confirm the operation by entering:

yes

If your CA private key is encrypted, you’ll also be prompted to enter its passphrase.

When the process completes, the signed certificate will be available at:

pki/issued/client1.crt

Copy the Signed Certificate Back

Transfer the signed certificate back to the OpenVPN server:

scp pki/issued/client1.crt sammy@your_server_ip:/tmp

Replace your_server_ip with the public IP address of your VPN server.

Save the Client Certificate

On the OpenVPN server, move the certificate into the client configuration directory:

cp /tmp/client1.crt ~/client-configs/keys/

At this point, the client credentials are almost complete. The client now has:

  • client1.key – Client private key
  • client1.crt – Signed client certificate

The remaining files required to build a complete client profile—the CA certificate and the shared TLS key—will be incorporated later when creating the final .ovpn configuration file.

Step 8 – Configure the OpenVPN Server

With the required certificates and cryptographic keys prepared, you can now configure the OpenVPN server. Instead of creating a configuration file from scratch, OpenVPN provides a sample configuration that serves as a solid starting point. You’ll modify this file to match the settings used throughout this guide.

Copy the Sample Configuration

Copy the default server configuration file into OpenVPN’s configuration directory:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/

Open the file in a text editor:

sudo nano /etc/openvpn/server/server.conf

Enable tls-crypt

Locate the following line:

tls-auth ta.key 0

Comment it out and replace it with:

;tls-auth ta.key 0

tls-crypt ta.key

Unlike tls-auth, the tls-crypt option encrypts the TLS control channel in addition to authenticating it. This makes the VPN less visible to unauthorized scanning while providing an extra layer of protection during connection establishment.

Update the Encryption Settings

Find the existing cipher configuration:

cipher AES-256-CBC

Replace it with:

cipher AES-256-GCM

auth SHA256

AES-256-GCM is the recommended encryption algorithm for modern OpenVPN deployments, offering both improved security and better performance than CBC mode.

Disable Diffie-Hellman Parameters

Since this setup uses Elliptic Curve Cryptography (ECC), traditional Diffie-Hellman parameters are unnecessary.

Locate:

dh dh2048.pem

Replace it with:

;dh dh2048.pem

dh none

This tells OpenVPN to rely on ECC for key exchange instead of loading a separate DH parameter file.

Drop Root Privileges

For security reasons, OpenVPN should run with reduced privileges after initialization.

Ensure the following directives are enabled:

user nobody

group nogroup

Running the service as an unprivileged user helps minimize the impact of a potential security vulnerability.

Route All Client Traffic Through the VPN (Optional)

If you want clients to send all internet traffic through the VPN, enable the following directive:

push "redirect-gateway def1 bypass-dhcp"

This creates a full-tunnel VPN, meaning all outbound traffic is routed through the OpenVPN server rather than the client’s local gateway.

If your goal is to provide access only to private network resources, you can leave this option disabled.

Configure DNS Servers

To ensure clients use trusted DNS servers after connecting, uncomment or add the following lines:

push "dhcp-option DNS 208.67.222.222"

push "dhcp-option DNS 208.67.220.220"

These addresses point to OpenDNS resolvers, though you can substitute them with any DNS servers that fit your environment.

Customize the Port or Protocol (Optional)

By default, OpenVPN listens on UDP port 1194:

port 1194

proto udp

If your environment requires different settings, you can change the listening port or switch to TCP.

For example:

port 443

proto tcp

When using TCP, disable the following directive if it exists:

explicit-exit-notify 0

This option is only applicable when OpenVPN operates over UDP.

Verify Certificate Paths

Finally, confirm that the server configuration references the correct certificate files:

cert server.crt

key server.key

ca ca.crt

Review the remaining configuration for accuracy, then save the file and exit the editor.

At this point, the OpenVPN server is fully configured and ready for network routing and firewall configuration.

Step 9 – Enable IP Forwarding and Configure the Firewall

The VPN server is now configured, but it still needs permission to forward traffic between the VPN tunnel and the public network. Without IP forwarding and Network Address Translation (NAT), connected clients will establish a VPN session but won’t be able to reach external networks.

The following steps enable packet forwarding and configure UFW to route client traffic correctly.

Enable IP Forwarding

Open the system’s kernel configuration file:

sudo nano /etc/sysctl.conf

Locate—or add—the following line:

net.ipv4.ip_forward = 1

This enables IPv4 packet forwarding within the Linux kernel.

Apply the change immediately:

sudo sysctl -p

There’s no need to reboot the server after running this command.

Identify the Public Network Interface

Before creating NAT rules, determine which network interface provides internet connectivity:

ip route list default

The output typically includes an interface such as eth0, ens3, or ens18. You’ll use this interface name in the firewall rules.

Configure NAT in UFW

Edit UFW’s before.rules file:

sudo nano /etc/ufw/before.rules

Add the following block near the top of the file, before the *filter section:

# START OPENVPN RULES

*nat

:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE

COMMIT

# END OPENVPN RULES

Replace eth0 with the name of your server’s public network interface.

This NAT rule translates VPN client traffic so it can access external networks using the server’s public IP address.

Allow Forwarded Traffic

Next, edit the default UFW configuration:

sudo nano /etc/default/ufw

Update the forwarding policy:

DEFAULT_FORWARD_POLICY="ACCEPT"

This allows routed traffic to pass through the firewall.

Allow OpenVPN Connections

Permit incoming OpenVPN traffic:

sudo ufw allow 1194/udp

If you’re using a different port or TCP instead of UDP, modify the rule accordingly.

Also make sure SSH access remains available:

sudo ufw allow OpenSSH

Keeping SSH enabled prevents you from locking yourself out of the server while updating firewall rules.

Reload UFW

Apply the new configuration by restarting UFW:

sudo ufw disable

sudo ufw enable

To verify that the firewall rules have been applied successfully, run:

sudo ufw status

With IP forwarding enabled and the firewall configured, the server is ready to route VPN traffic between connected clients and external networks. The remaining server-side task is to start the OpenVPN service and ensure it launches automatically after every reboot.

Step 10 – Start and Enable the OpenVPN Service

With the server configuration complete and the required networking rules in place, the final server-side task is to start the OpenVPN service and configure it to launch automatically whenever the system boots.

On Ubuntu 20.04, OpenVPN is managed through systemd, allowing you to control the service using standard systemctl commands.

Enable the Service at Boot

Run the following command to enable the OpenVPN service:

sudo systemctl -f enable openvpn-server@server.service

This creates the necessary systemd links so the VPN service starts automatically after every reboot.

Start the Service

Start OpenVPN without restarting the server:

sudo systemctl start openvpn-server@server.service

If no errors are reported, OpenVPN will load the server configuration and begin listening for incoming client connections.

Verify the Service Status

Confirm that the service is running correctly:

sudo systemctl status openvpn-server@server.service

A successful startup should display output similar to:

Active: active (running)

You should also see a message indicating that the initialization process completed successfully.

Troubleshooting Startup Issues

If the service fails to start, review the system logs for more detailed error messages:

sudo journalctl -u openvpn-server@server.service

Some of the most common causes include:

  • Missing or misplaced certificate files
  • Incorrect file permissions
  • Errors in the server configuration file
  • Firewall or routing misconfigurations

The log output usually provides enough information to identify the source of the problem.

Verify the Listening Port

To make sure OpenVPN is listening on the expected port, run:

sudo ss -tulpn | grep openvpn

If the command returns the OpenVPN process bound to the configured port, the server is ready to accept client connections.

At this stage, the server-side deployment is complete. The remaining steps focus on preparing client configuration files and connecting devices to the VPN.

Step 11 – Create the Client Configuration Infrastructure

Rather than building a separate configuration file for every client manually, it’s more practical to create a reusable configuration template. This approach keeps client profiles consistent and makes it much easier to generate new .ovpn files whenever additional users or devices need VPN access.

Create the Required Directories

Begin by creating a directory that will hold the finished client configuration files:

mkdir -p ~/client-configs/files

The generated .ovpn files will be stored here once they’re created.

Copy the Sample Client Configuration

OpenVPN includes a sample client configuration that can be used as a template.

Copy it into your client configuration directory:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Open the copied file for editing:

nano ~/client-configs/base.conf

Configure the Server Address

Locate the remote directive and replace the placeholder value with your server’s public IP address:

remote your_server_ip 1194

If you’re using a custom port, update the port number accordingly.

Verify the Connection Protocol

Ensure the protocol matches the one configured on the server.

For a UDP deployment:

proto udp

If your server is configured for TCP instead:

proto tcp

The client and server must use the same transport protocol; otherwise, the connection will fail.

Drop Client Privileges

For improved security, enable the following directives:

user nobody

group nogroup

These settings reduce the privileges of the OpenVPN process after the connection has been established.

Remove External Certificate References

Because the final client profile will contain embedded certificates and keys, comment out these lines:

;ca ca.crt

;cert client.crt

;key client.key

Embedding these files creates a self-contained configuration that is easier to distribute and import.

Disable tls-auth

If the sample configuration contains the following directive:

tls-auth ta.key 1

Comment it out:

;tls-auth ta.key 1

Since this guide uses tls-crypt, this directive is no longer required.

Match the Encryption Settings

Update the encryption options so they match the server configuration:

cipher AES-256-GCM

auth SHA256

Using identical encryption settings on both sides ensures successful negotiation during connection establishment.

Add the Key Direction

Include the following line:

key-direction 1

This setting is required when using shared TLS keys with client configurations.

Optional DNS Configuration

Linux clients can automatically update their DNS settings by enabling the following directives:

;script-security 2

;up /etc/openvpn/update-resolv-conf

;down /etc/openvpn/update-resolv-conf

Uncomment these lines only if your distribution includes the required helper scripts.

Once you’ve finished making changes, save the file and exit the editor.

The base configuration is now ready. In the next step, you’ll combine this template with the client certificates and keys to generate a complete .ovpn profile that can be imported directly into OpenVPN client applications.

Step 12 – Generate and Transfer the Client Configuration File

At this point, all the required components are available: the client certificate, private key, CA certificate, TLS key, and the base client configuration. The final task is to combine these files into a single OpenVPN profile that can be imported directly into a client application.

Packaging everything into one .ovpn file simplifies deployment and eliminates the need to manage multiple authentication files on each client device.

Generate the Client Profile

Navigate to the client configuration directory:

cd ~/client-configs

Run the configuration script and specify the client name you created earlier:

./make_config.sh client1

The script automatically builds a complete client profile by combining:

  • The base client configuration
  • The client certificate
  • The client private key
  • The CA certificate
  • The shared TLS crypt key

The result is a ready-to-use OpenVPN configuration file.

Verify the Output

Check that the profile has been created successfully:

ls ~/client-configs/files

You should see output similar to:

client1.ovpn

This file contains everything required for authentication and can be imported directly into most OpenVPN-compatible clients.

Transfer the Configuration File

Because the .ovpn file contains sensitive authentication data, it should always be transferred using an encrypted method.

One of the simplest options is SFTP:

sftp sammy@your_server_ip:client-configs/files/client1.ovpn ~/

Replace:

  • sammy with your server username.
  • your_server_ip with the public IP address of your OpenVPN server.

Alternatively, you can use other secure transfer methods such as:

  • SCP (Secure Copy)
  • Graphical SFTP clients
  • Any SSH-based file transfer application

Avoid sending VPN configuration files through unencrypted email or messaging platforms.

Protect the Client Profile

The generated .ovpn file includes several sensitive components:

  • Client certificate
  • Client private key
  • Certificate Authority certificate
  • Shared TLS crypt key
  • OpenVPN connection settings

Anyone who gains access to this file may be able to authenticate to your VPN. Store it securely, transfer it only over encrypted channels, and remove unnecessary copies after deployment.

Once the profile has been transferred successfully, the client is ready to import it into an OpenVPN application and establish a secure VPN connection.

Step 13 – Connect to the VPN Using the Client Profile

After generating the client configuration file, the final setup step is to import it into an OpenVPN client application. Since the profile already contains the required certificates and keys, no additional configuration is necessary.

The import process differs slightly depending on the operating system, but the connection workflow remains the same.

Windows

Download and install the official OpenVPN Connect client or the OpenVPN GUI for Windows.

After installation, import the client1.ovpn profile through the application’s interface or place it in the appropriate configuration directory, depending on the client you’re using.

Once the profile appears in the application:

  1. Open the OpenVPN client.
  2. Select the imported profile.
  3. Click Connect.

If the connection is successful, the client will display a confirmation message and establish the encrypted VPN tunnel.

macOS

Install an OpenVPN-compatible client such as Tunnelblick or OpenVPN Connect.

Import the generated .ovpn file by opening it with the application or using its import feature.

After the profile has been added, select it and initiate the connection.

Linux

Install the OpenVPN package if it is not already available:

sudo apt update

sudo apt install openvpn

Start the VPN connection using the generated profile:

sudo openvpn --config client1.ovpn

OpenVPN will display status messages in the terminal while establishing the connection. Once initialization completes, the VPN tunnel is active.

Android

Install OpenVPN Connect from Google Play.

Transfer the .ovpn file to your Android device using a secure method, then import it into the application.

Select the imported profile and tap Connect to establish the VPN session.

iPhone and iPad

Install OpenVPN Connect from the App Store.

Transfer the client profile to the device using AirDrop, iCloud Drive, or another secure file-sharing method.

Open the file with OpenVPN Connect, import the profile, and start the connection from within the application.

Confirm the Connection

Regardless of the platform you’re using, a successful connection should establish an encrypted tunnel between the client and the OpenVPN server.

Once connected, any traffic configured to pass through the VPN will be encrypted before leaving the client device.

The next step is to verify that network traffic is being routed correctly through the VPN server.

Step 14 – Verify the VPN Connection

After importing the client profile and connecting to the VPN, it’s a good idea to verify that the tunnel is working as expected. A few simple checks can confirm that your traffic is being routed through the VPN server and that DNS requests are handled correctly.

These verification steps are especially useful if you’ve enabled full-tunnel routing with the redirect-gateway option.

Check Your Public IP Address

Before connecting to the VPN, visit any public IP lookup website and note the following information:

  • Your public IP address
  • Your approximate location
  • The DNS servers currently in use

This information represents your normal internet connection through your Internet Service Provider (ISP).

Connect to the VPN

Establish a VPN connection using the client profile you created earlier.

Once the connection is active, revisit the same IP lookup service.

If everything is configured correctly, you should notice that:

  • Your public IP address has changed.
  • Your visible location now corresponds to the VPN server.
  • Your ISP’s public IP address is no longer exposed.

Verify DNS Resolution

A correctly configured VPN should also route DNS queries through the VPN instead of your local network.

You can verify this by performing a DNS leak test or checking which DNS servers your system is currently using.

Ideally, the results should show:

  • The DNS servers configured by your VPN.
  • No DNS servers belonging to your ISP.
  • DNS requests originating from the VPN server rather than your local connection.

Expected Results

The following table summarizes the expected behavior before and after connecting to the VPN.

Check Before VPN After VPN
Public IP ISP-assigned IP VPN server IP
Location Your local region VPN server location
DNS Servers ISP or local router DNS servers provided by the VPN

Troubleshooting

If the results aren’t what you expect, review the following items:

  • Verify that the VPN connection is active.
  • Make sure redirect-gateway is enabled if all traffic should pass through the VPN.
  • Confirm that DNS options are correctly configured in the server configuration.
  • Restart the VPN client and reconnect.
  • Check the OpenVPN server logs for routing or firewall-related errors.

Once these checks pass, you can be confident that both your network traffic and DNS requests are traveling securely through the encrypted VPN tunnel.

Step 15 – Revoke Client Certificates

Over time, you may need to revoke a client’s access to the VPN. This typically happens when a device is lost, an employee leaves an organization, or a certificate is believed to have been compromised.

OpenVPN handles certificate revocation through a Certificate Revocation List (CRL). Any certificate included in this list is considered invalid and will no longer be accepted by the server.

Revoke the Client Certificate

On the Certificate Authority server, revoke the certificate associated with the client:

./easyrsa revoke client1

Replace client1 with the name of the certificate you want to revoke.

Easy-RSA will ask for confirmation before marking the certificate as revoked.

Generate a New Certificate Revocation List

After revoking the certificate, generate an updated CRL:

./easyrsa gen-crl

This creates a file named:

crl.pem

The CRL contains all revoked certificates and must be distributed to the OpenVPN server.

Copy the CRL to the VPN Server

Transfer the newly generated CRL:

scp pki/crl.pem sammy@your_vpn_server_ip:/tmp

Then install it on the VPN server:

sudo cp /tmp/crl.pem /etc/openvpn/server/

Configure OpenVPN to Use the CRL

Open the server configuration file:

sudo nano /etc/openvpn/server/server.conf

Add the following directive if it isn’t already present:

crl-verify crl.pem

This instructs OpenVPN to check every client certificate against the revocation list during authentication.

Restart the OpenVPN Service

Apply the updated configuration by restarting the service:

sudo systemctl restart openvpn-server@server.service

After the restart, any certificate listed in the CRL will be denied access automatically, even if the client still possesses its original configuration file.

Conclusion

You have now completed the deployment of an OpenVPN server on Ubuntu 20.04, from setting up the Certificate Authority to creating client profiles and establishing secure VPN connections.

Throughout this guide, you configured a dedicated PKI, generated and signed certificates, secured the OpenVPN server with modern encryption settings, enabled packet forwarding, configured the firewall, and created portable client configuration files that can be used across multiple platforms.

While installing OpenVPN is relatively straightforward, maintaining a secure VPN environment requires ongoing attention. Protecting private keys, managing client certificates, revoking unused credentials, and keeping the server up to date are all essential practices for maintaining a secure deployment over time.

With everything configured correctly, your VPN server is now ready to provide encrypted remote access for authorized users while keeping network communications protected.

FAQs

What is OpenVPN used for?

OpenVPN is an open-source VPN solution that creates encrypted connections between clients and servers. It’s commonly used for secure remote access, private networking, and protecting traffic transmitted over public networks.

Is OpenVPN free?

Yes. OpenVPN Community Edition is open source and available free of charge. Commercial editions are also available for organizations that require additional management and enterprise features.

Why should the Certificate Authority be hosted on a separate server?

Keeping the CA separate from the VPN server protects the CA’s private signing key. If the VPN server is compromised, an attacker cannot issue new trusted certificates without access to the CA.

Can multiple users connect to the same OpenVPN server?

Yes. Each user or device should have its own certificate and private key, allowing multiple clients to connect securely while making certificate management much easier.

What should I do if a client configuration file is exposed?

Because a client profile contains authentication credentials, it should be treated as sensitive information. If you believe it has been compromised, revoke the corresponding certificate immediately and generate a new one before allowing that user to reconnect.

How do I remove VPN access for a specific user?

Revoke the user’s certificate on the Certificate Authority server, generate an updated Certificate Revocation List (CRL), copy it to the OpenVPN server, and restart the OpenVPN service. Once the updated CRL is in use, the revoked certificate will no longer be accepted.