CDLab Technology · Providing professional DevOps practice and tools

How to install OpenVPN server on Ubuntu 20.04


OpenVPN is a full-featured SSL VPN that implements OSI layer 2 or 3 secure network extension using the industry-standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.


So, for now, we will install and set up the OpenVPN server on Ubuntu 20.04 or a similar release.

Let's start

!!! All commands are executed in privileged mode. To enter it, you need to execute the command

sudo -s

Step 1 - Update your server's package index and install the latest upgrades

Update the local package index and upgrade the installed packages:

apt update && apt upgrade


Step 2 - Install OpenVPN server and easy-rsa tools

apt install openvpn easy-rsa -y


Step 3 - Prepare keys 

To begin, copy the easy-rsa template directory into the openvpn directory

cp -r /usr/share/easy-rsa /etc/openvpn/

and then go to the new directory

cd /etc/openvpn/easy-rsa

Next, initialize the PKI.

./easyrsa init-pki

After that, generate the Certificate Authority (CA) certificate and key

./easyrsa build-ca

When generating certificates, you will need to enter a password of 8 characters, which is the password for the CA certificate.
You cannot leave the field empty!
Save it! We will need it further to generate certificates for the server and clients.

Next, generate the Diffie-Hellman parameters

./easyrsa gen-dh

Then generate the OpenVPN server certificate and key

./easyrsa build-server-full server nopass

Enter the CA key passphrase created above to generate the certificates and keys.

nopass disables the use of a passphrase.

Afterward, we can generate a pre-shared HMAC key (ta.key), used to sign TLS handshake packets, to strengthen the server's TLS integrity verification capabilities

openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key

Copy Server Certificates and Keys to Server Config Directory

cp -rp /etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /etc/openvpn/server/

Step 4 - Setup OpenVPN server

Create and open the server's config file /etc/openvpn/server/server.conf

This is what our sample configuration looks like with no comments. The configuration is heavily commented to help you understand how the various options are used.


port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/issued/server.crt
key /etc/openvpn/server/private/server.key 
dh /etc/openvpn/server/dh.pem
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 4
auth SHA512


To ensure that traffic from the client is routed through the OpenVPN server's IP address (which helps mask the client IP address), you need to enable IP forwarding on the OpenVPN server.

Uncomment the line net.ipv4.ip_forward=1 in /etc/sysctl.conf to enable packet forwarding for IPv4

sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

And apply the new settings

sysctl -p

Create iptables rules for internet access

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE


  •  - network from config above
  • eth0 - network interface

To keep the rule after a server reboot, you can use the iptables-persistent utility

apt install iptables-persistent -y

Just answer YES when the installer asks about saving the iptables rules.

Start and enable OpenVPN server to run on system boot

systemctl enable --now openvpn-server@server

Checking the server status

systemctl status openvpn-server@server

and also check the log file

tail /var/log/openvpn/openvpn.log

At the end of the file there should be the line Initialization Sequence Completed

That's all, the server side is ready!


Step 5 - Generate client certificates

Go to the easy-rsa folder

cd /etc/openvpn/easy-rsa

Generate the client certificate

./easyrsa build-client-full client_name

where:

  • client_name is the name of the client for which the certificate and keys are generated.
  • Always use a unique common name for each client that you are generating certificates and keys for.


Copy the generated certificates and keys to a temporary folder in the home directory, /home/ubuntu/temp

cp -rp /etc/openvpn/easy-rsa/pki/{ca.crt,ta.key,issued/client_name.crt,private/client_name.key} /home/ubuntu/temp

This is a sample client configuration (client.conf)

dev tun
proto udp
remote SERVER_IP
port 1194
resolv-retry infinite
auth SHA512
cipher AES-256-CBC
verb 4

certificate from ca.crt file

certificate from issued/client_name.crt file

certificate from private/client_name.key file

key-direction 1

certificate from ta.key file


After putting the certificates into the client.conf file, you can import this file into any operating system (Linux, Windows, macOS, Android, iOS)
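
The merge described above, as an added example (not code from the original page): a shell function that appends the four credential files to a base client.conf using OpenVPN's inline-file tags (<ca>, <cert>, <key>, <tls-auth>). The function names, the base.conf and output file names, and the dummy PEM bodies written by make_sample_pki are assumptions constructed for illustration.

```bash
# Added example, not from the original page; function and file names are assumptions.
# Print only the PEM block of a file. easy-rsa .crt files start with a text
# dump and ta.key with "#" comments; neither belongs in the profile.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# inline_block TAG FILE: wrap FILE's PEM block in OpenVPN inline-file tags.
inline_block() {
    printf '<%s>\n' "$1"
    pem_only "$2"
    printf '</%s>\n' "$1"
}

# build_client_profile BASE_CONF PKI_DIR CLIENT_NAME OUT_FILE
# BASE_CONF holds the directive lines (dev, proto, remote ...) shown above.
build_client_profile() {
    local base="$1" pki="$2" name="$3" out="$4" f
    # Stop before writing anything if an input is missing or empty.
    for f in "$base" "$pki/ca.crt" "$pki/ta.key" \
             "$pki/issued/$name.crt" "$pki/private/$name.key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # The profile embeds the client's private key: create it owner-only.
    ( umask 077; : > "$out" ) && chmod 600 "$out" || return 1
    {
        cat "$base"
        inline_block ca "$pki/ca.crt"
        inline_block cert "$pki/issued/$name.crt"
        inline_block key "$pki/private/$name.key"
        echo 'key-direction 1'
        inline_block tls-auth "$pki/ta.key"
    } >> "$out"
}

# Constructed sample input (dummy PEM bodies, not real credentials) for a dry run.
make_sample_pki() {
    local b='-----BEGIN' e='-----END'
    mkdir -p "$1/issued" "$1/private"
    printf '%s\n' 'dev tun' 'proto udp' 'remote SERVER_IP' 'port 1194' > "$1/base.conf"
    printf '%s\n' "$b CERTIFICATE-----" 'Q0E=' "$e CERTIFICATE-----" > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' "$b CERTIFICATE-----" 'Q0xJ' \
        "$e CERTIFICATE-----" > "$1/issued/client_name.crt"
    printf '%s\n' "$b PRIVATE KEY-----" 'S0VZ' "$e PRIVATE KEY-----" \
        > "$1/private/client_name.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' "$b OpenVPN Static key V1-----" \
        '00ff' "$e OpenVPN Static key V1-----" > "$1/ta.key"
}
```

Against the real PKI from Step 5 the call would be build_client_profile base.conf /etc/openvpn/easy-rsa/pki client_name client_name.ovpn; the resulting file contains the client's private key, so transfer it only over a protected channel.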


Create date 16.12.2020