How to Install OpenVPN on Ubuntu 20.04 / 22.04 (Step by Step)

How to Install OpenVPN on Ubuntu 20.04 / 22.04 (Step by Step). In this post, we introduce OpenVPN protocol, its working principle, advantages then show you how to install OpenVPN server on Ubuntu.

OpenVPN is the VPN encryption protocol with the largest user base. One of the first VPN encryption technologies started in 2001. The software is considered as the best security and versatility solution due to its connectivity with Windows, macOS, Android and Linux.

What is OpenVPN?

Firstly, OpenVPN is currently one of the most reliable protocols. It functions as both software and a VPN protocol. Also, it uses various security measures to offer a site to site or secure point to point network connection. Nowadays, there are plenty of VPN providers and consumers who are using this protocol.

Moreover, OpenVPN was created by James Yohan and published to the general public in 2001. Choose a variety of ports and encryption methods with it. What is more, it also enables you to use it for other projects or check its source code for problems.

All in all, this protocol helps in managing client server connections perfectly. Creates a very secure tunnel for the transfer of data between your device and the VPN server and conversely. Some of the platforms that use OpenVPN are macOS, iOS, Windows, Linux, Android, and routers.

How Does OpenVPN Work?

A VPN connection protects your internet connection when functioning from a distance (e.g., hotel, airport, or even a different country). Basically, a VPN transmits all of your network traffic over an encrypted tunnel. Routing network traffic hides your IP address when accessing the internet by substituting it with the location and an IP address from the VPN server, which misrepresents the location. Besides, a VPN connection additionally protects against outside attacks.

Advantages of OpenVPN

Let’s examine the advantages that help OpenVPN to gain a user base among VPN providers.

Better Security

Certainly, OpenVPN uses peer authentication and pre shared keys, among other security protocols, to secure communication. Further, the network has maximum protection and security from Man in the Middle attacks by using OpenSSL in combination with HMAC packet authentication.


If OpenVPN disconnects for some reason, the network comes to a halt so that it can be fixed or configured. As an outcome, it is essential to be sure that there are no information losses or communications failures.


Most of the time, OpenVPN is downloaded for free. Some platforms provide it for free of costs like MacOS, Linux, Android, and iOS. Additionally, you also use OpenVPN to have a free connection to a VPN server. As a result, whenever VPN connections are received from a certain server, OpenVPN gives access for free. This implies that OpenVPN is convenient and cost effective.

Community Support

Chiefly, OpenVPN has support from the global community as it is an open source solution. Use almost any GNU GPL licensed software to support them. This is due to the source code’s ease of modification. Anyone who needs to use our VPN network benefits from it.

Firewall Compatibility

Since OpenVPN is accessible on the port that facilitates TCP or UDP, significant security limitations to overcome. Network imposed firewalls cannot obstruct connections to OpenVPN, even if they exist.

Platform support

Regardless of the operating system, a wide range of devices and platforms can support OpenVPN. These platforms are Mac OS, Android, and iOS. Therefore, it is not only preferred by seasoned users but also suitable for newcomers.

We have reached the main part of the article How to Install OpenVPN on Ubuntu 20.04 / 22.04.

How to Install OpenVPN on Ubuntu 20.04 / 22.04 (Step by Step)

This section shows you how to install OpenVPN server and client on Ubuntu 20.04 / 22.04 server.


  • Two servers running Ubuntu 20.04 or 22.04.
  • A root user or a user with sudo privileges.

Step 1 - Update the System

Before starting, you need to update all your system packages to the updated version. You can update all of them by running the following command.

					apt update -y
apt upgrade -y

Once all the packages are updated, you proceed to the next step.

Step 2 - Installing OpenVPN

By default, the OpenVPN package is included in the Ubuntu default repository. You install it via following command.

					apt install openvpn -y

Once the OpenVPN server is installed, verify the OpenVPN version with the following command.

					openvpn --version

You should see the version information in the following output.

					OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2021 OpenVPN Inc <>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no


Step 3 - Installing Easy-RSA and Creating PKI for OpenVPN

Next, you need to install Easy-RSA public key infrastructure (PKI) management tool on your server. By default, it is available in the Ubuntu default repository. Please install it using the following command.

					apt install easy-rsa -y

Once installed, navigate to your Easy-RSA directory and create a vars file to create OpenVPN server’s private key and certificate.

					cd /usr/share/easy-rsa/
nano vars

Add the following configurations.

					set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_CITY        "London"
set_var EASYRSA_REQ_ORG         "cloudinfra CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL     ""
set_var EASYRSA_REQ_OU          "cloudinfra EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE      7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT  "no"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"


Save and close the file after you finish. Then, run the following command to initialize PKI.

					./easyrsa init-pki 

You should see the following screen.

Step 4 - Creating Certificate Authority and CSR

Next, you need to build certificate authority and CSR on your server. First, run the following command to build CA.

					./easyrsa build-ca nopass

You should see the following screen.

Next, generate the certificate request with the following command.

					./easyrsa gen-req cloudinfra-server nopass

You should see the following screen.

Step 5 - Use CA to Sign the Server Key

Next, you need to sign the request using the generated CA file as shown below.

					./easyrsa sign-req server cloudinfra-server

You should see the following screen.

Now, verify all generated certificates using the following command.

					openssl verify -CAfile pki/ca.crt pki/issued/cloudinfra-server.crt

If everything is fine, you will get the following output.

					pki/issued/cloudinfra-server.crt: OK

Next, you will also need to generate Diffie-Hellman key to use for the key exchange. YGenerate it with the following command.

					./easyrsa gen-dh

You will see the following output.

					Note: using Easy-RSA configuration from: /usr/share/easy-rsa/vars
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Generating DH parameters, 2048 bit long safe prime


DH parameters of size 2048 created at /usr/share/easy-rsa/pki/dh.pem


Finally, copy all the certificate and key file to the OpenVPN server directory.

					cp pki/ca.crt pki/dh.pem pki/private/cloudinfra-server.key pki/issued/cloudinfra-server.crt /etc/openvpn/server/


Once you are done, proceed to generate client certificate and key.

Step 6 - Creating Client Certificate and Key

At this point, your OpenVPN certificates are ready to use. Now, you need to create certificate and key file for the client. First, build the client key using the following command.

					./easyrsa gen-req client nopass

You should see the following screen.

Then, sign the key using the following command.

					./easyrsa sign-req client client

You should see the following screen.

Finally, copy all client key and certificate file to the client directory.

					cp pki/ca.crt pki/issued/client.crt pki/private/client.key /etc/openvpn/client/

Once you are done, proceed to configure OpenVPN server.

Step 7 - Configuring OpenVPN Server

Next, you need to create an OpenVPN configuration file and define the port, and path of all your generated certificate and key. Create a configuration file using the following command.

					nano /etc/openvpn/server.conf

Add the following configurations:

					port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/cloudinfra-server.crt
key /etc/openvpn/server/cloudinfra-server.key
dh /etc/openvpn/server/dh.pem
push "redirect-gateway def1"

push "dhcp-option DNS"
push "dhcp-option DNS"
cipher AES-256-GCM
auth SHA256
keepalive 20 60
compress lz4
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
explicit-exit-notify 0


Save and close the file when you are done. Then, start the OpenVPN service and enable it to start at system reboot.

					systemctl start openvpn@server
systemctl enable openvpn@server

Verify the status of OpenVPN service using the following command.

					systemctl status openvpn@server

You should see the OpenVPN status in the following output.

					● openvpn@server.service - OpenVPN connection to server
     Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
     Active: active (running) since Sat 2023-02-11 15:35:17 UTC; 8s ago
       Docs: man:openvpn(8)
   Main PID: 2332 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 2242)
     Memory: 2.0M
        CPU: 28ms
     CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
             └─2332 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --con>

Feb 11 15:35:17 vpnserver systemd[1]: Starting OpenVPN connection to server...


Concurrently, OpenVPN creates a new network interface named tun0 automatically after starting the service. Verify it using the following command.

					ip a show tun0

You should see the tun0 details on the following screen.

Step 8 - Configuring IP Forwarding

In order to route all traffic through OpenVPN, you need to enable the IP forwarding on your server. Do it by editing the sysctl.conf file.

					nano /etc/sysctl.conf

Uncomment the following line.

					net.ipv4.ip_forward = 1


Save and close the file then run the following command to apply the changes.

					sysctl -p

Step 9 - Creating OpenVPN Client Configuration File

Next, you need to create a client.ovpn configuration file to connect OpenVPN client to server. You create it with the following command.

					nano /etc/openvpn/client/client.ovpn

Define your OpenVPN server IP, port, and certificate name as shown below:

dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-GCM
auth SHA256
resolv-retry infinite
compress lz4
verb 3
explicit-exit-notify 0


Save and close the file when you are done.

Step 10 - Installing OpenVPN Client

This section explains how to install OpenVPN on client system and connect it to the OpenVPN server.

First, log into the client machine and install the OpenVPN package using the following command.

					apt install openvpn -y

After the successful installation, you need to copy all client’s certificate, key and configuration file to the client machine. You copy all of them with the following command.

					scp -r root@vpn-server-ip:/etc/openvpn/client/* /etc/openvpn/client/


Next, navigate to the client directory and run the following command to connect to the OpenVPN server.

					cd /etc/openvpn/client/
openvpn --config client.ovpn


Once you are connected to the OpenVPN server, you proceed to the next step.

Step 11 - Verifying OpenVPN Connection

At this point, your client machine is connected to the OpenVPN server. Now, it’s time to verify the OpenVPN connection.

Go to the OpenVPN server machine and run the following command.

					ip a show tun0

You see the IP address assigned by OpenVPN server on the following screen

To verify the server log, run the following command.

					tail -f /var/log/openvpn.log

You should see the VPN server log in the following screen.

Thank you for reading How to Install OpenVPN on Ubuntu 20.04 / 22.04. We shall conclude. 

How to Install OpenVPN on Ubuntu 20.04 / 22.04 (Step by Step) Conclusion

We hope you can now implement OpenVPN in your organization to provide secure your network. Users use OpenVPN, an open VPN protocol, and a VPN client software to execute secure VPN connections. Truly, VPN providers offer this protocol because of its use of the OpenSSL library, 256 bit encryption and cross platform compatibility. Generally, you should choose a VPN service that provides access to OpenVPN connections and other VPN protocols.

Do explore more of our content regarding VPN, by navigating to our blog over here

Avatar for Hitesh Jethva
Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.

5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x