
OpenVPN Installation and Configuration: Secure VPN Guide for Ubuntu Servers

📚 What will you learn in this guide?

In this guide, on an Ubuntu-based virtual instance (VPS/Droplet), you will learn how to:

  • install the OpenVPN server from start to finish,
  • manage certificates with a separate CA (Certificate Authority) server,
  • enable modern cryptography settings such as ECC, AES-256-GCM and tls-crypt,
  • create single-file .ovpn profiles for Windows, macOS, Linux, iOS and Android clients.


🧠 Technical Summary (Phase 1)

Area                    Description
Main technical topic    OpenVPN-based virtual private network (VPN) installation and configuration on Ubuntu servers.
Problem solved          Secure internet access from untrusted networks (hotel, cafe Wi-Fi) through an encrypted tunnel.
Technologies used       OpenVPN with NAT/masquerading, Easy-RSA 3, PKI, ECC, tls-crypt, AES-256-GCM, UFW.
User steps              OpenVPN and Easy-RSA installation, PKI creation, server and client certificates, tls-crypt, server.conf, IP forwarding, UFW, service start, client profiles.

🔍 Understanding OpenVPN and VPN architecture

A VPN (Virtual Private Network) encrypts your traffic between your device and the VPN server and carries it over networks you do not control.
On a hotel, cafe or guest Wi-Fi network, anyone sharing that network sees only an encrypted tunnel to your server, not which sites you visit or what you send. (The VPN server itself sees whatever the local network would otherwise have seen, so this moves trust from the untrusted network to a server you run.)

OpenVPN is an open source, TLS-based VPN solution with flexible configuration.
It is packaged in Ubuntu and supports current cryptography: ECC certificates, AEAD ciphers such as AES-256-GCM, and tls-crypt for the control channel.

In this architecture we have three components:

  • OpenVPN Server – Your VPN server running on Ubuntu.
  • CA Server – Separate Ubuntu server that generates and signs certificates.
  • OpenVPN Client – Your local computer or mobile device.

Example hostnames:

  • OpenVPN Server: tr-vpn-01.ornek.com
  • CA Server: tr-ca-01.ornek.com

📋 Prerequisites

For this guide you need the following:

  1. OpenVPN Server (example: tr-vpn-01)

    • Ubuntu 22.04, 24.04 or 25.04
    • A non-root user with sudo privileges
    • An active firewall (example: ufw)
  2. CA (Certificate Authority) Server (example: tr-ca-01)

    • A separate Ubuntu server
    • Likewise a user with sudo privileges
    • Easy-RSA installed and a CA already built (init-pki and build-ca)

Security Note: Running the CA on the same machine as the VPN server is not recommended.
Whoever holds the CA key can issue client certificates that your server will accept, and recovering from a CA compromise means rebuilding the whole PKI and reissuing every client profile. Keep the CA on a separate host, ideally one that is offline except when it signs a request.

  3. OpenVPN Client

    • Your local computer or mobile device
    • This device will connect to the VPN with the .ovpn profile you create.

🚀 Step 1 – OpenVPN and Easy-RSA Installation

Install both packages on the VPN server, then make a private working copy of the Easy-RSA scripts in your home directory (symlinks keep it in sync with package updates) that only your user can read:


sudo apt update
sudo apt install openvpn easy-rsa

mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
sudo chown $USER ~/easy-rsa
chmod 700 ~/easy-rsa

🧩 Step 2 – Creating a PKI

On the VPN server, create a vars file in the Easy-RSA directory (easyrsa reads it from the working directory) so that keys use elliptic curves (Easy-RSA's default curve is secp384r1) and requests are signed with SHA-512, then initialize the PKI directory:


cd ~/easy-rsa
nano vars

set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"

./easyrsa init-pki

This PKI on the VPN server only generates keys and requests; no CA is built here. The CA server has its own PKI from the prerequisites, and the same two vars settings should be in place there.

🔑 Step 3 – Server CSR and Private Key

Generate the server's key and certificate signing request. nopass is required here, because the service must load the key at boot without anyone typing a passphrase. The private key stays on this machine; only the request goes to the CA.


cd ~/easy-rsa
./easyrsa gen-req server nopass
sudo cp pki/private/server.key /etc/openvpn/server/

🏛️ Step 4 – Signing the Certificate on the CA Server

Only the request (server.req) travels to the CA; the private key never leaves the VPN server. On the VPN server (replace $USER with your username on the CA if it differs):


scp pki/reqs/server.req $USER@CA_IP:/tmp

On the CA server, import the request and sign it as a server certificate. sign-req shows the request's subject and asks for confirmation; check that the Common Name is the one you generated before you answer yes:


cd ~/easy-rsa
./easyrsa import-req /tmp/server.req server
./easyrsa sign-req server server

Return the signed certificate together with the CA certificate (both are public, so /tmp is acceptable for them):


scp pki/issued/server.crt $USER@VPN_IP:/tmp
scp pki/ca.crt $USER@VPN_IP:/tmp

On the VPN server:


sudo cp /tmp/{server.crt,ca.crt} /etc/openvpn/server

🛡️ Step 5 – TLS-Crypt Key

tls-crypt encrypts and authenticates the TLS control channel with a pre-shared key, so the server silently drops packets that were not produced with the key and the TLS stack never sees them. Generate the key on the VPN server (this is the OpenVPN 2.5+ syntax; the older openvpn --genkey --secret ta.key still works but prints a deprecation warning):


cd ~/easy-rsa
openvpn --genkey secret ta.key
sudo cp ta.key /etc/openvpn/server

ta.key is a shared secret that ends up inside every client profile. Revoking a client's certificate does not invalidate it, so if a profile leaks, regenerate ta.key and reissue all profiles.

👥 Step 6 – Client Certificate and Key


mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs

cd ~/easy-rsa
./easyrsa gen-req client1 nopass
cp pki/private/client1.key ~/client-configs/keys/

Submit CSR to CA:


scp pki/reqs/client1.req $USER@CA_IP:/tmp

Sign on the CA side:


./easyrsa import-req /tmp/client1.req client1
./easyrsa sign-req client client1

Transfer back:


scp pki/issued/client1.crt $USER@VPN_IP:/tmp

Collect the files on the VPN server:


cp /tmp/client1.crt ~/client-configs/keys/
cp ~/easy-rsa/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/server/ca.crt ~/client-configs/keys/
sudo chown $USER:$USER ~/client-configs/keys/*

⚙️ Step 7 – Configuring server.conf


sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server/
sudo gunzip /etc/openvpn/server/server.conf.gz
sudo nano /etc/openvpn/server/server.conf

Edit the sample so that it contains the following settings. Comment out the sample's tls-auth ta.key 0 and dh dh2048.pem lines, which these replace (dh none is fine because the ECC certificates give you ECDHE key exchange), and uncomment user, group and the two push lines. File paths are relative to /etc/openvpn/server, the working directory of the systemd unit, so the names must match the files you copied there.


tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
dh none
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
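The complete server.conf that these edits produce, as an added example for this guide (it is neither the guide's own listing nor the OpenVPN sample file verbatim). Beyond the settings above it adds three hardening lines that OpenVPN 2.5 and later support: data-ciphers, which lists the AEAD ciphers the server negotiates (cipher then only serves as the fallback for clients that cannot negotiate), tls-version-min 1.2, and remote-cert-tls client, which rejects a peer whose certificate was not issued with "easyrsa sign-req client". The 10.8.0.0/24 pool and the log paths are the sample file's defaults.

```conf
# /etc/openvpn/server/server.conf
# Added example: the sample file after the edits in Step 7, plus
# data-ciphers, tls-version-min and remote-cert-tls.
port 1194
proto udp
dev tun

# Paths are relative to /etc/openvpn/server, the unit's working directory.
ca ca.crt
cert server.crt
key server.key
# No static DH parameters: key exchange is ECDHE with the ECC certificates.
dh none
# Replaces the sample's "tls-auth ta.key 0": encrypts and authenticates the
# control channel, so packets without the key are dropped before TLS.
tls-crypt ta.key

# AEAD ciphers the server will negotiate (OpenVPN 2.5+). "cipher" is only the
# fallback for clients that cannot negotiate; "auth" is the HMAC for that
# non-AEAD fallback (AES-GCM carries its own authentication).
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
# Accept only certificates issued as client certificates.
remote-cert-tls client

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Send all client traffic, including DNS, through the tunnel.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

keepalive 10 120
persist-key
persist-tun
# Drop root after the tunnel is up.
user nobody
group nogroup

status /var/log/openvpn/openvpn-status.log
verb 3
# UDP only: tell clients when the server restarts.
explicit-exit-notify 1
```

If you later switch proto to tcp, remove explicit-exit-notify, which is valid only for UDP.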

🌠Step 8 – IP Forwarding


sudo nano /etc/sysctl.conf

net.ipv4.ip_forward = 1

sudo sysctl -p

🔥 Step 9 – UFW NAT Configuration

Learn the name of the interface that carries the server's default route (for example eth0 or ens3):


ip route list default

Open UFW before.rules:


sudo nano /etc/ufw/before.rules

Add the following block near the top of the file, before the existing *filter line, and replace INTERFACE_NAME with the name you found. The nat table must be opened and committed on its own, exactly as shown; placing it inside the filter table makes ufw fail to load:


# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o INTERFACE_NAME -j MASQUERADE
COMMIT
# END OPENVPN RULES

The 10.8.0.0/24 source must match the server line in server.conf. Change the forward policy:


sudo nano /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

Open the OpenVPN port and reload the rules. Make sure SSH is already allowed (sudo ufw status should list OpenSSH or 22/tcp) before you re-enable the firewall, or you will lock yourself out:


sudo ufw allow 1194/udp
sudo ufw disable
sudo ufw enable

🚦 Step 10 – Starting the OpenVPN Service


sudo systemctl -f enable openvpn-server@server.service
sudo systemctl start openvpn-server@server.service
sudo systemctl status openvpn-server@server.service

🧱 Step 11 – Client Configuration Engine (base.conf + Script)

Each client needs its own .ovpn file. A template (base.conf) and a small script generate them.

Create the directory for the client files:

mkdir -p ~/client-configs/files

Copy the sample client configuration:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Open it for editing:

nano ~/client-configs/base.conf

Server address and port

Replace the remote line with your own domain name or IP address:

remote tr-vpn-01.ornek.com 1194

The protocol line must match the server:

proto udp

Privilege dropping and embedded certificates

Uncomment these lines so that the client drops root privileges once the tunnel is up (Linux and macOS; Windows clients ignore them):

user nobody
group nogroup

Comment out the certificate and key file paths, because the script will embed the files inline instead:

;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1

Leave remote-cert-tls server enabled (it is active in the sample): the client then refuses any peer whose certificate was not issued as a server certificate, so a leaked client certificate cannot be used to impersonate your server.

Matching cipher and HMAC settings

Set the same values as on the server:

cipher AES-256-GCM
auth SHA256
key-direction 1

key-direction only matters for tls-auth; with tls-crypt the key is used in both directions and the line is ignored, so it is harmless but not needed.

Lines for DNS scripts

For Linux clients, add these lines commented out so they can be enabled on the client when needed. On Ubuntu the update-resolv-conf script ships with the openvpn package; update-systemd-resolved comes from the separate openvpn-systemd-resolved package.

; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf

and for clients using systemd-resolved:

; script-security 2
; up /etc/openvpn/update-systemd-resolved
; down /etc/openvpn/update-systemd-resolved
; down-pre
; dhcp-option DOMAIN-ROUTE .

Save and close the file.
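A complete base.conf reflecting the edits above, as an added example (not the sample client.conf itself; the hostname tr-vpn-01.ornek.com is the placeholder used earlier in this guide). It leaves out key-direction, mirrors the server side with data-ciphers and tls-version-min 1.2, and keeps remote-cert-tls server. Drop the data-ciphers line for clients still on OpenVPN 2.4, which does not know that option.

```conf
# ~/client-configs/base.conf
# Added example: the sample client.conf after the edits in Step 11.
client
dev tun
proto udp
remote tr-vpn-01.ornek.com 1194
resolv-retry infinite
nobind
# Drop root after the tunnel is up (Linux and macOS; ignored on Windows).
user nobody
group nogroup
persist-key
persist-tun
# Refuse a peer whose certificate was not issued as a server certificate,
# so a leaked client certificate cannot impersonate the server.
remote-cert-tls server
# Left commented out: make_config.sh embeds these as inline blocks instead.
;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1
# Match the server. key-direction is not needed with tls-crypt. Remove the
# data-ciphers line for clients still on OpenVPN 2.4.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
verb 3
# Linux only: uncomment one pair to apply the DNS servers pushed by the server.
;script-security 2
;up /etc/openvpn/update-resolv-conf
;down /etc/openvpn/update-resolv-conf
```

The generated profile appends <ca>, <cert>, <key> and <tls-crypt> blocks after these lines, which is why the four path directives stay commented out.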


🧮 Step 12 – Generating .ovpn File with make_config.sh

Now let's write the script that will embed the client certificate and keys into a single .ovpn file.

Create the script file:

nano ~/client-configs/make_config.sh

Add the following content into it:

#!/bin/bash
# Builds a single-file .ovpn profile by appending the CA certificate, the
# client's certificate and key, and the tls-crypt key to base.conf as
# inline blocks.
# Usage: ./make_config.sh <client-name>
set -euo pipefail

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

if [ $# -ne 1 ]; then
    echo "Usage: $0 <client-name>" >&2
    exit 1
fi

cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-crypt>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-crypt>') \
    > "${OUTPUT_DIR}/${1}.ovpn"

# The profile embeds a private key: keep it readable by the owner only.
chmod 600 "${OUTPUT_DIR}/${1}.ovpn"

Make the script executable:

chmod 700 ~/client-configs/make_config.sh

To generate .ovpn for client1:

cd ~/client-configs
./make_config.sh client1

The result will be the file ~/client-configs/files/client1.ovpn. You just need to pass this file to the client.


📦 Step 13 – Sending the .ovpn File to the Client

The profile contains the client's private key and the shared tls-crypt key, so move it only over an authenticated, encrypted channel such as SFTP, never by e-mail or chat. From your local machine:


sftp $USER@VPN_IP:client-configs/files/client1.ovpn ~/

🧪 Step 14 – Testing the VPN Connection (Optional)

If you routed all traffic through the VPN, you can verify it end to end.

  • With the VPN disconnected, open a site such as https://dnsleaktest.com.

  • Note the IP address and DNS servers it reports.

  • Connect to the VPN and refresh the page.

  • The IP address should now be the VPN server's.

  • Run the extended test as well and check that the DNS servers shown are the ones pushed by the server (here the OpenDNS addresses), not your ISP's; otherwise DNS is leaking outside the tunnel.

A passing test shows that routing, NAT and the DNS push are all working.


🧨 Step 15 – Certificate Revocation

To deny a client access, revoke its certificate and publish an updated CRL (certificate revocation list).

On the CA server:


./easyrsa revoke client1
./easyrsa gen-crl

Send the CRL to the VPN server and install it where the service can read it. The service runs as nobody after start-up, so check with ls -l that the file is readable by others:


scp pki/crl.pem $USER@VPN_IP:/tmp
sudo cp /tmp/crl.pem /etc/openvpn/server/

Add to server.conf:


crl-verify crl.pem

Restart:


sudo systemctl restart openvpn-server@server.service

Three things to keep in mind:

  • The CRL has its own expiry (Easy-RSA's EASYRSA_CRL_DAYS, 180 days by default). Once it passes, the server rejects every client, not only the revoked ones, so regenerate and redeploy the CRL before then.
  • A revoked client that is already connected is cut off at the next TLS renegotiation or at a restart, not instantly; the restart above takes care of that.
  • Revoking a certificate does not invalidate ta.key, which the client still holds (see Step 5).
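What crl-verify actually decides, and why the CRL's expiry matters, is easier to see on a throwaway PKI. The script below is an added example, not part of the guide or of Easy-RSA: it builds a tiny CA with the openssl CLI in a temporary directory (EC keys and SHA-512 signatures, like the vars settings of Step 2), issues two client certificates the way Steps 3 to 6 do (key and request on one side, signature on the other), revokes one and regenerates the CRL as Step 15 does, then checks each certificate the way the server does. It also checks a valid certificate against the same CRL as if 31 days had passed, the failure mode described above, and reports the certificate's key and signature algorithms so you can confirm the ECC/SHA-512 choices reached the issued certificate. All names (demo-ca, client1, client2) are placeholders; crl_days_left relies on GNU date, which Ubuntu has.

```shell
# Added example, not part of the guide or of Easy-RSA: a throwaway PKI built
# with the openssl CLI in a temporary directory, showing what the server's
# crl-verify decides before and after a revocation, and what happens once the
# CRL's nextUpdate has passed. Names (demo-ca, client1, client2) are placeholders.
set -eu

# CA with an EC key and SHA-512 signatures, like EASYRSA_ALGO "ec" and
# EASYRSA_DIGEST "sha512" in Step 2. CRLs issued here are valid for 30 days.
build_demo_pki() {
    local dir="$1"
    mkdir -p "$dir/newcerts"; : > "$dir/index.txt"; echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha512
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = v3_client
[ demo_policy ]
commonName = supplied
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
EOF
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha512 -days 365 -subj "/CN=demo-ca" -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Key and request on the client side, signed by the CA: the split of Steps 3-6.
issue_client() {
    local dir="$1" name="$2"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$name" -config "$dir/ca.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.req" 2>/dev/null
    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -in "$dir/$name.req" -out "$dir/$name.crt" 2>/dev/null
}

# Revoke and publish a fresh CRL, as "easyrsa revoke" and "easyrsa gen-crl" do.
revoke_client() {
    local dir="$1" name="$2"
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/$name.crt" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# What crl-verify decides for a certificate: it chains to ca.crt, the CRL is
# signed by the CA and not past nextUpdate, and the serial is not listed.
# Optional third argument: verification time as a Unix timestamp.
cert_status() {
    local dir="$1" cert="$2"
    if [ -n "${3:-}" ]; then set -- -attime "$3"; else set --; fi
    if openssl verify -CAfile "$dir/ca.crt" -crl_check -CRLfile "$dir/crl.pem" \
            "$@" "$cert" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Whole days until the CRL's nextUpdate (GNU date). After that the server
# rejects every client, revoked or not, so alert well before this reaches 0.
crl_days_left() {
    local next
    next=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2)
    echo $(( ( $(date -u -d "$next" +%s) - $(date -u +%s) ) / 86400 ))
}

# "<key algorithm> <signature algorithm>" of a certificate, to confirm that the
# ECC and SHA-512 choices reached the issued certificate.
cert_algos() {
    openssl x509 -in "$1" -noout -text |
        awk '/Public Key Algorithm/ {k=$4} /Signature Algorithm/ && !s {s=$3} END {print k, s}'
}

DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR"
issue_client "$DEMO_DIR" client1
issue_client "$DEMO_DIR" client2
STATUS_BEFORE=$(cert_status "$DEMO_DIR" "$DEMO_DIR/client1.crt")
revoke_client "$DEMO_DIR" client1
STATUS_AFTER=$(cert_status "$DEMO_DIR" "$DEMO_DIR/client1.crt")
STATUS_CLIENT2=$(cert_status "$DEMO_DIR" "$DEMO_DIR/client2.crt")
# The same valid client2, checked as if 31 days had passed: a stale CRL rejects it.
STATUS_STALE_CRL=$(cert_status "$DEMO_DIR" "$DEMO_DIR/client2.crt" $(( $(date -u +%s) + 31 * 86400 )))
echo "client1 before/after revocation: $STATUS_BEFORE / $STATUS_AFTER"
echo "client2 with current/expired CRL: $STATUS_CLIENT2 / $STATUS_STALE_CRL"
echo "client1 algorithms: $(cert_algos "$DEMO_DIR/client1.crt")"
echo "CRL valid for $(crl_days_left "$DEMO_DIR/crl.pem") more days"
```

On a real deployment, run crl_days_left against /etc/openvpn/server/crl.pem from cron or your monitoring and regenerate the CRL on the CA well before it reports 0; cert_algos works unchanged on the files Easy-RSA writes under pki/issued.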

🎯 Result

On Ubuntu you have:

  • set up a secure OpenVPN server,
  • managed certificates with a separate CA,
  • used ECC, AES-256-GCM and tls-crypt,
  • created single-file .ovpn profiles for all platforms.

You can now customize your secure VPN infrastructure as you wish and use it comfortably on GenixNode! 🚀