Setup your own OpenVPN server on Ubuntu

Learn how to create your own VPN server on any country in the world at which you need to rent any cheap VPS server.

OpenVPN server on Ubuntu

On a new server which located in country where you want to proxy target traffic:

First of all install OpenVPN:

sudo apt install openvpn

Start and enable in systemd

sudo systemctl start [email protected]
sudo systemctl enable [email protected]

Edit sysctl.conf:

sudo nano /etc/sysctl.conf


sudo sysctl -p

Now we need to find your primary adapter(network interface) which is used to accept connections from the internet. Run:

ip route | grep default

Most often it called enpXXX or ethX

Image for a hint

Now edit the UFW before config:

nano /etc/ufw/before.rules

In A POSTROUTING line change ens0 to your adapter.

# # NAT table rules
# Allow traffic from OpenVPN client to ADAPTER (change to the interface you discovered!)

Also edit:

sudo nano /etc/default/ufw

Find and change DEFAULT_FORWARD_POLICY to accept


Now apply UFW rules:

sudo ufw allow 888/udp
sudo ufw allow 888/tcp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable
sudo ufw reload

The OpenVPN server configuration

Above section is how to connect network to route and forward VPN traffic, however you need also configure VPN server on VPN daemon also

cat /etc/openvpn/server.conf 


port 888

# TCP or UDP server?
proto tcp
;proto udp

dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.

ca keys/ca.crt
cert keys/server.crt

# This file should be kept secret
key keys/server.key  

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh keys/dh2048.pem

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on Comment this line out if you are
# ethernet bridging. See the man page for more info.

crl-verify keys/crl.pem

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (
# back to the OpenVPN server.
;push "route"
;push "route"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# The addresses below refer to the public
# DNS servers provided by
push "dhcp-option DNS"
push "dhcp-option DNS"

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
# Generate with:
#   openvpn --genkey --secret ta.key
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth keys/ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /tmp/openvpn-status.log 3

# Set the appropriate level of log
# file verbosity.
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

Read carefully line by line config to understand which keys/certificate to create and how.

🔑 Also EasyRSA should be installed and configured for OpenVPN, for now it is not covered in this post

To generate certificates for clients create this file:

nano /etc/openvpn/ 



function build_client_key {

  pushd easy-rsa
  source vars

  ./build-key $CLIENT_NAME

  mkdir -p clients/$CLIENT_NAME/tun_$CLIENT_NAME

  mv keys/$CLIENT_NAME.csr clients/$CLIENT_NAME/tun_$CLIENT_NAME/
  mv keys/$CLIENT_NAME.crt clients/$CLIENT_NAME/tun_$CLIENT_NAME/
  mv keys/$CLIENT_NAME.key clients/$CLIENT_NAME/tun_$CLIENT_NAME/
  cp keys/ca.crt clients/$CLIENT_NAME/tun_$CLIENT_NAME/
  cp keys/ta.key clients/$CLIENT_NAME/tun_$CLIENT_NAME/

  cat << EOF > clients/$CLIENT_NAME/tun_$CLIENT_NAME.ovpn
dev                 tun_$CLIENT_NAME
proto               tcp
remote              office.YOURCOMPANY.COM 888  
cipher              BF-CBC
resolv-retry        infinite
ca                  tun_$CLIENT_NAME/ca.crt
cert                tun_$CLIENT_NAME/$CLIENT_NAME.crt
key                 tun_$CLIENT_NAME/$CLIENT_NAME.key
tls-auth            tun_$CLIENT_NAME/ta.key 1
#auth               SHA512
#ns-cert-type       server
keepalive           9 30
verb                3
tun-mtu             1500
mute                20
redirect-gateway autolocal
#status             /var/log/tun_$CLIENT_NAME.status

  pushd clients
  tar zcvf tun_$CLIENT_NAME.tar.gz $CLIENT_NAME

export -f build_client_key
bash -c "build_client_key [email protected]"

To create a client:

/etc/openvpn/ johndoe

Where johndoe is your or your collogue which need to work through VPN server. Then find package tun_johndoe .tar.gz and transfer it from server to user via scp/ftp or in any other way.

#openvpn #ufw #vpn
Ivan Borshchov profile picture
Apr 13, 2021
by Ivan Borshchov
Did it help you?
Yes !

Best related