Table of Contents
Was this article helpful?

1  out of  1 found this helpful

Try Vultr Today with

$50 Free on Us!

Want to contribute?

You could earn up to $600 by adding new articles.

How to Create an OpenVPN Server on Ubuntu 16.04

Last Updated: Wed, Sep 21, 2016
Linux Guides System Admin Ubuntu
Archived content

This article is outdated and may not work correctly for current operating systems or software.


OpenVPN is a secure VPN which uses SSL ( Secure Socket Layer ) and offers a broad range of features. In this guide we'll be covering the process of installing OpenVPN on Ubuntu 16 utilizing the easy-rsa hosted certificate authority.


In order to get started, we need some packages installed:

sudo su

apt-get update

apt-get install openvpn easy-rsa

Certificate Authority

OpenVPN is a SSL VPN, which means that it acts as Certificate Authority in order to encrypt the traffic between both parties.


We can start with setting up our OpenVPN server's Certificate Authority by running the following command:

make-cadir ~/ovpn-ca

We can now switch into our fresh created directory:

cd ~/ovpn-ca


Open the file with the name vars and take a look at the following parameters:



export KEY_CITY="Matawan"

export KEY_ORG="Your Awesome Organization"

export KEY_EMAIL=""

export KEY_OU="YourOrganizationUnit"

And edit them with your own values. We also need to look for and edit the following line:

export KEY_NAME="server"


We can now start building our Certificate Authority by running the following command:



These commands might take a few minutes to complete.


Now, we can start building our server's key by running the following command:

./build-key-server server

While the server field should be replaced with KEY_NAME we set in the vars file earlier. In our case, we can keep server.

The build process of our server's key might ask a few questions, like the expiration of itself. We answer all these questions with y.

Strong Key

In the next step, we create a strong Diffie-Hellman key which will be used during the exchange of our keys. Type in the following command to create one:



We can now create a HMAC signature to strengthen the server's TLS integrity verification:

openvpn --genkey --secret keys/ta.key

Generate a Client Key

./build-key client

Configure the Server

Once we've successfully created our own Certificate Authority, we can start with copying all needed files and configuring OpenVPN itself. Now, we're going to copy the generated keys and certificates to our OpenVPN directory:

cd keys

cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn

cd ..

Afterwards, we can copy an example OpenVPN config file to our OpenVPN directory by running the following command:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf

Edit the Config

We can now start editing our config to fit our needs. Open the file /etc/openvpn/server.conf and uncomment the following lines:

push "redirect-gateway def1 bypass-dhcp"

user nobody

group nogroup

push "dhcp-option DNS"

push "dhcp-option DNS"

tls-auth ta.key 0

We also need to add a new line to our config. Place the following line under the tls-auth line:

key-direction 0

Allow Forwarding

Because we want to allow our clients to access the Internet through our server, we open the following file /etc/sysctl.conf and uncomment this line:


Now we have to apply the changes:

sysctl -p


In order to provide Internet Access to our VPN clients, we also have to create a NAT rule. This rule is a short one-liner which looks like this:

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE


We can now start our OpenVPN server and let clients connect by typing in the following key:

service openvpn start


This concludes our tutorial. Enjoy your new OpenVPN Server!

Want to contribute?

You could earn up to $600 by adding new articles.