How to Set Up OpenVPN Access Server on Ubuntu 22.04/20.04
This tutorial is going to show you how to run your own OpenVPN Access server on Ubuntu 22.04/20.04. OpenVPN is an open-source, robust, and highly flexible VPN solution.
Why Set Up Your Own VPN Server?
- Maybe you are a VPN service provider or a system administrator, so you need to set up your own VPN server.
- You don’t trust the no-logging policy of VPN service providers, so you go the self-host route.
- You can use a VPN to enforce network security policy. For example, if you run your own email server, you can require users to log in only from the IP address of the VPN server by creating an IP address whitelist in the firewall. This hardens your email server against attacks.
- Perhaps you are just curious to know how a VPN server works.
OpenVPN Access Server Features
- Lightweight and fast. In my test, I can watch YouTube 4K videos with OpenVPN. YouTube is blocked in my country (China).
- Runs on Linux and most BSD servers.
- There is OpenVPN client software for Linux, macOS, Windows, Android, and iOS. Easy distribution of VPN clients and connection profiles.
- Supports RADIUS accounting.
- Supports Active Directory/LDAP integration, 2FA.
- Supports virtual hosting (multiple domains).
- Easy to set up
- Easy management via a web-based admin panel.
- Supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT.
- Support for dynamic IP addresses, DHCP and static IP addresses.
- Scalability to hundreds or thousands of users
- Supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates
Requirements
To follow this tutorial, you will need a VPS (Virtual Private Server) that can access blocked websites freely (outside your country or its Internet filtering system). I recommend Kamatera VPS, which features:
- 30 days free trial.
- Starts at $4/month (1GB RAM)
- High-performance KVM-based VPS
- 9 data centers around the world, including United States, Canada, UK, Germany, The Netherlands, Hong Kong, and Israel.
Follow the tutorial linked below to create your Linux VPS server at Kamatera.
Once you have a VPS running Ubuntu 22.04/20.04, follow the instructions below.
Step 1: Install OpenVPN Access Server on Ubuntu 22.04/20.04
Log into your Ubuntu 22.04/20.04 server. Then run the following command to add OpenVPN Access Server repository to your Ubuntu system.
echo "deb [signed-by=/etc/apt/keyrings/openvpn-as.gpg.key] http://as-repository.openvpn.net/as/debian $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/openvpn-as.list
Next, import the OpenVPN Access Server GPG key to Ubuntu system so that APT can verify package integrity during installation.
wget --quiet -O - https://as-repository.openvpn.net/as-repo-public.gpg | sudo tee /etc/apt/keyrings/openvpn-as.gpg.key
And because this repository uses an HTTPS connection, we also need to install the apt-transport-https and ca-certificates packages.
sudo apt install apt-transport-https ca-certificates
Finally, update the package index on your Ubuntu system and install OpenVPN Access Server.
sudo apt update
sudo apt install -y openvpn-as
At the end of the installation, you can find the URLs for the admin panel and client panel as well as the username and randomly generated password for the admin account.
Check systemd service status:
sudo systemctl status openvpnas
Sample output:
Check listening ports.
sudo ss -lnptu | grep openvpn
Output:
OpenVPN Access Server automatically enables IP forwarding and IP masquerading.
sysctl net.ipv4.ip_forward
output:
net.ipv4.ip_forward = 1
Check IP masquerading.
sudo iptables -t nat -L POSTROUTING
Output:
Chain POSTROUTING (policy ACCEPT)
target                prot opt source     destination
AS0_NAT_POST_REL_EST  all  --  anywhere   anywhere     state RELATED,ESTABLISHED
AS0_NAT_PRE           all  --  anywhere   anywhere     mark match 0x2000000/0x2000000
Run the following two commands to enable TCP BBR algorithm to boost TCP speed.
echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.d/60-custom.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.d/60-custom.conf
Then apply the changes with the command below. The -p option loads the sysctl settings from the /etc/sysctl.d/60-custom.conf file. Because the settings live in that file, they are preserved across system reboots.
sudo sysctl -p /etc/sysctl.d/60-custom.conf
Step 2: Managing OpenVPN Access Server via the Admin Panel
Go to https://your-server-ip:943/admin to access the admin panel. It uses a self-signed TLS certificate, so you need to add a security exception in your browser to access it.
OpenVPN Access Server provides sane default settings.
- All client traffic will be routed through OpenVPN server.
- Client will use OpenVPN server as the DNS server.
- The OpenVPN server listens for client requests on TCP port 443 and UDP port 1194.
- TLS 1.2 is the minimum TLS version.
Now we need to create VPN users. Go to User Management -> User Permissions to create a new username. Click the Save Settings button.
Then click the More Settings button to set a password for the new user.
Click the Save Settings button. Then click the Update Running Server button to apply the changes.
Step 3: Set DNS Server For VPN Users
By default, OpenVPN Access Server won’t assign DNS server to VPN users, so they will use the existing DNS server. However, this may cause DNS failure for VPN users.
Go to Configuration -> VPN Settings. In the Routing section, you can find the following text:
Specify the private subnets to which all clients should be given access (one per line):
Enter 172.27.240.0/20
as the value.
In the DNS Settings section, set Have clients use specific DNS servers to yes
. Then enter the primary DNS server and secondary DNS server, such as 8.8.8.8 and 1.1.1.1.
Click the Save Settings button, then click the Update Running Server button to apply the changes.
How to Install and Use OpenVPN client on Ubuntu 22.04/20.04 Desktop
Run the following command to install OpenVPN command line client on Ubuntu desktop.
sudo apt install openvpn
Then go to https://your-server-ip:943
to access the client portal, where the VPN user can download OpenVPN clients and the OpenVPN profile (.ovpn).
Move the .ovpn file to the /etc/openvpn/ directory. Then edit this file. Mine is named profile-3.ovpn. Yours might be different.
sudo nano /etc/openvpn/profile-3.ovpn
Find the following line.
auth-user-pass
Change it to
auth-user-pass /etc/openvpn/auth.txt
Save and close the file. Then create the /etc/openvpn/auth.txt file.
sudo nano /etc/openvpn/auth.txt
In this file, enter the VPN username on the first line and the VPN password on the second line. Replace them with your actual username and password.
Save and close the file. Then rename the .ovpn file to a .conf file.
sudo mv /etc/openvpn/profile-3.ovpn /etc/openvpn/profile-3.conf
Now you can start the VPN.
sudo systemctl start openvpn@profile-3
Check status:
sudo systemctl status openvpn@profile-3
output:
When you see the Initialization Sequence Completed message, your OpenVPN connection has been successfully established.
Then go to https://icanhazip.com. If everything is working properly, you should see the public IP address of the OpenVPN Access server.
To stop this Systemd service, run
sudo systemctl stop openvpn@profile-3
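The steps above edit the profile by hand and leave the credentials file with whatever permissions the editor gave it. The following shell script is an added example, not part of the original post: it performs the same profile rewrite and auth file creation, but creates /etc/openvpn/auth.txt with mode 0600 so that only root can read the VPN password, and it tolerates profiles saved with Windows line endings. The profile name profile-3 and the user alice are assumed names used for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): prepare an OpenVPN Access Server
# client profile for use with systemd on Ubuntu, with the credentials file
# locked down so only root can read it.  profile-3 and auth.txt are the names
# used in the tutorial; the sample user "alice" is constructed.

# rewrite_profile SRC DST AUTHFILE
#   Copies SRC to DST, pointing the auth-user-pass directive at AUTHFILE.
#   [[:space:]]* also swallows a trailing carriage return, so a profile saved
#   with CRLF line endings on Windows is handled as well.
rewrite_profile() {
    src="$1"; dst="$2"; authfile="$3"
    sed -E "s|^auth-user-pass[[:space:]]*$|auth-user-pass ${authfile}|" "$src" > "$dst"
}

# write_auth AUTHFILE USER PASS
#   Writes the two-line credentials file.  The umask is set in a subshell so
#   the file is created without group/other permissions from the start, rather
#   than being world-readable for a moment before chmod runs.
write_auth() {
    authfile="$1"; user="$2"; pass="$3"
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$authfile" )
    chmod 600 "$authfile"
}

# auth_mode AUTHFILE -> prints the octal permission bits, e.g. 600
auth_mode() {
    stat -c '%a' "$1"
}

# profile_auth_line PROFILE -> prints the auth-user-pass line of PROFILE
profile_auth_line() {
    grep '^auth-user-pass' "$1"
}

# Typical use on a real client (run as root):
#   write_auth /etc/openvpn/auth.txt alice 'your-vpn-password'
#   rewrite_profile ~/profile-3.ovpn /etc/openvpn/profile-3.conf /etc/openvpn/auth.txt
#   systemctl start openvpn@profile-3
```

Keeping the password out of the profile itself means the .ovpn file can still be shared between machines, while auth.txt stays local and root-only.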
If you want to use Network Manager to manage OpenVPN connection, then you need to install these packages.
sudo apt install network-manager-openvpn network-manager-openvpn-gnome
OpenVPN GUI Client for Windows and macOS
Go to the OpenVPN Access Server Client Portal (https://your-server-ip:943) to download the OpenVPN Connect client for Windows and macOS.
Speed
OpenVPN is pretty fast. I can use it to watch 4k videos on YouTube. As you can see, my connection speed is 63356 Kbps, which translates to 61 Mbit/s.
And here’s the test results on speedtest.net.
How to Install Let’s Encrypt TLS Certificate for OpenVPN Access Server
If you don’t want VPN users to see a security warning when visiting the OpenVPN Access Client Portal, then you need to obtain a valid TLS certificate. We can get it free from Let’s Encrypt.
Install the Certbot client.
sudo apt install certbot
Open TCP ports 80 and 443.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Obtain a TLS certificate. You need to create a DNS A record for your sub-domain (openvpn.example.com).
sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email [email protected] -d openvpn.example.com
Then install the certificate.
sudo /usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/openvpn.example.com/privkey.pem" ConfigPut
sudo /usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/openvpn.example.com/cert.pem" ConfigPut
sudo /usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live/openvpn.example.com/chain.pem" ConfigPut
Apply the changes.
sudo /usr/local/openvpn_as/scripts/sacli start
sudo systemctl restart openvpnas
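Let's Encrypt certificates expire after 90 days, and certbot's automatic renewal replaces the files under /etc/letsencrypt/live/ but knows nothing about Access Server, so the three ConfigPut commands above would otherwise have to be repeated by hand after every renewal. The following deploy hook is an added example, not from the original post or the OpenVPN project: certbot runs scripts in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal with the environment variable RENEWED_LINEAGE set to the renewed live directory, and the hook feeds that directory's files to sacli. The SACLI variable and the install_cert function name are this example's own; the sacli keys are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that pushes a
# renewed Let's Encrypt certificate into OpenVPN Access Server.
# Install as /etc/letsencrypt/renewal-hooks/deploy/openvpn-as.sh (mode 0755).
# certbot sets RENEWED_LINEAGE to the live directory of the renewed certificate,
# e.g. /etc/letsencrypt/live/openvpn.example.com.
# SACLI may be overridden (used by the tests); the default is the real path.

SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# install_cert LINEAGE_DIR
#   Loads privkey.pem, cert.pem and chain.pem from LINEAGE_DIR into the
#   cs.priv_key, cs.cert and cs.ca_bundle configuration keys, then runs
#   "sacli start" to reload the web services.  Returns 1 without touching the
#   server if any of the three files is missing or unreadable, so a half-done
#   renewal never leaves Access Server with a mismatched key and certificate.
install_cert() {
    lineage="$1"
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    "$SACLI" --key "cs.priv_key"  --value_file "$lineage/privkey.pem" ConfigPut &&
    "$SACLI" --key "cs.cert"      --value_file "$lineage/cert.pem"    ConfigPut &&
    "$SACLI" --key "cs.ca_bundle" --value_file "$lineage/chain.pem"   ConfigPut &&
    "$SACLI" start
}

# When invoked by certbot, RENEWED_LINEAGE is set.  Do nothing otherwise, so
# the file can be sourced or tested without contacting Access Server.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE"
fi
```

After installing the hook, `sudo certbot renew --dry-run` exercises the renewal path; deploy hooks are not run on a dry run, so run the script once by hand with RENEWED_LINEAGE set to confirm it works.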
Set Up Stunnel (optional)
If you live in a country like China, or Iran, then your national firewall may block OpenVPN connections. You can wrap the OpenVPN traffic inside a TLS tunnel to hide the fact that you are using OpenVPN.
Configure Stunnel on the OpenVPN server
Install Stunnel on the OpenVPN server.
sudo apt install -y stunnel4
Copy the sample configuration file:
sudo cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/openvpn.conf
Edit the new file.
sudo nano /etc/stunnel/openvpn.conf
Find the following lines and uncomment them.
;setuid = stunnel4
;setgid = stunnel4
;pid = /var/run/stunnel.pid
;output = /var/log/stunnel.log
Change them to:
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel/stunnel.pid
output = /var/log/stunnel/stunnel.log
Find the following lines.
[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes
These sections set up client tunnels to the Gmail SMTP, IMAP, and POP3 servers. Delete them and add the following lines instead, so Stunnel will accept TLS connections on port 443 and pass the unwrapped traffic to the OpenVPN server listening on port 1194.
[openvpn]
cert = /etc/letsencrypt/live/openvpn.example.com/fullchain.pem
key = /etc/letsencrypt/live/openvpn.example.com/privkey.pem
accept = 0.0.0.0:443
connect = 127.0.0.1:1194
Save and close the file. Create the PID file and log file.
sudo mkdir /var/run/stunnel /var/log/stunnel
Grant permission to the user.
sudo chown stunnel4:stunnel4 /var/run/stunnel/ -R
sudo chown stunnel4:stunnel4 /var/log/stunnel/ -R
Then go to OpenVPN Access Server admin panel -> Configuration -> Networking Settings. Change the TCP port number from 443 to 1194.
Save the settings and click the update running server button to apply the changes.
Start Stunnel.
sudo /usr/bin/stunnel4 /etc/stunnel/openvpn.conf
You should see that Stunnel is using port 443.
sudo ss -lnpt | grep 443
If it failed to start, then check the log file: /var/log/stunnel/stunnel.log. If your server has another process listening on TCP port 443, you need to stop it, or Stunnel won’t be able to bind to TCP port 443.
Configure Stunnel on the OpenVPN client (Ubuntu Desktop)
Install Stunnel on the OpenVPN client.
sudo apt install -y stunnel4
Create Stunnel config file.
sudo nano /etc/stunnel/client.conf
Add the following lines in this file. Replace 12.34.56.78 with the public IP address of your OpenVPN Access Server.
output = /var/log/stunnel/stunnel.log
pid = /var/run/stunnel/stunnel.pid
client = yes
[openvpn]
accept = 127.0.0.1:1194
connect = 12.34.56.78:443
Save and close the file. Create the log directory and pid directory.
sudo mkdir /var/log/stunnel/ /var/run/stunnel/
Start the Stunnel client.
sudo stunnel /etc/stunnel/client.conf
It listens on 127.0.0.1:1194 and passes requests to the Stunnel server.
sudo ss -lnpt | grep 1194
Sample output:
LISTEN 0 4096 127.0.0.1:1194 0.0.0.0:* users:(("stunnel",pid=118898,fd=9))
Next, edit the OpenVPN client config file.
sudo nano /etc/openvpn/profile-3.conf
Find the remote directives.
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 443 tcp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
Replace all of them with a single remote directive pointing at the local Stunnel listener, 127.0.0.1:1194.
remote 127.0.0.1 1194 tcp
Save and close the file. Then add a static route for the OpenVPN Access Server, to prevent routing loop when using Stunnel.
sudo ip route add xx.xx.xx.xx via 192.168.1.1 dev enp4s0
- Replace xx.xx.xx.xx with the public IP address of your OpenVPN Access server.
- My default gateway is 192.168.1.1 (my router). If your router has a different IP address, change it as appropriate.
- enp4s0 is the network interface. You can use the ip addr command to find out your network interface name.
Then restart OpenVPN client.
sudo systemctl restart openvpn@profile-3
Check logs.
sudo journalctl -eu openvpn@profile-3
If things are working properly, you should see the Initialization Sequence Completed message. Then go to https://icanhazip.com. You should see the public IP address of the OpenVPN Access server.
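Editing the remote lines and picking the right gateway and interface by hand is where this procedure usually goes wrong: a leftover remote line lets the client bypass Stunnel, and a wrong gateway leaves the routing loop in place. The script below is an added example, not part of the original post: it replaces every remote directive with the single Stunnel one (leaving remote-cert-tls and similar directives alone), and it derives the gateway and interface for the static route from the output of ip route show default instead of hard-coding 192.168.1.1 and enp4s0. The function names, the server address 12.34.56.78 and the route line used in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): point an OpenVPN client profile
# at the local Stunnel listener and build the host route that keeps Stunnel's
# outer TLS connection off the VPN.  Function names, the address 12.34.56.78
# and the sample "ip route" line are constructed for illustration.

# use_stunnel_remote SRC DST
#   Writes DST from SRC with every "remote ..." line removed and a single
#   "remote 127.0.0.1 1194 tcp" inserted where the first one was.  Only lines
#   that start with "remote" followed by whitespace match, so directives such
#   as remote-cert-tls or remote-random are left untouched.
use_stunnel_remote() {
    src="$1"; dst="$2"
    awk '
        /^remote[[:space:]]/ {
            if (!seen) { print "remote 127.0.0.1 1194 tcp"; seen = 1 }
            next
        }
        { print }
    ' "$src" > "$dst"
}

# default_route_parts ROUTE_LINE
#   Prints "<gateway> <interface>" from an "ip route show default" line such as
#   "default via 192.168.1.1 dev enp4s0 proto dhcp metric 100"; prints nothing
#   if either part is missing.
default_route_parts() {
    echo "$1" | awk '
        { for (i = 1; i <= NF; i++) { if ($i == "via") gw = $(i+1); if ($i == "dev") dev = $(i+1) } }
        gw != "" && dev != "" { print gw, dev }
    '
}

# host_route_cmd SERVER_IP ROUTE_LINE
#   Prints the "ip route add" command for a host route to SERVER_IP via the
#   default gateway, so traffic to the Access Server itself is never sent
#   through the tunnel once the tunnel is up.  Fails if no default route is found.
host_route_cmd() {
    server="$1"
    set -- $(default_route_parts "$2")
    [ $# -eq 2 ] || { echo "no default route found" >&2; return 1; }
    echo "ip route add $server via $1 dev $2"
}

# Typical use on a real client (run as root):
#   use_stunnel_remote /etc/openvpn/profile-3.conf /etc/openvpn/profile-3.conf.new
#   mv /etc/openvpn/profile-3.conf.new /etc/openvpn/profile-3.conf
#   sh -c "$(host_route_cmd 12.34.56.78 "$(ip route show default | head -n 1)")"
#   systemctl restart openvpn@profile-3
```

The route added by ip route add is not persistent; on a desktop it disappears at reboot or when NetworkManager reconfigures the interface, so the host_route_cmd step has to be repeated (or placed in a NetworkManager dispatcher script) before each VPN start.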
Configure Stunnel on the OpenVPN client (Windows)
Download Stunnel and install it on your Windows computer. Then start Stunnel. Right-click the Stunnel icon on the Windows taskbar and select Edit configuration.
Find the following lines.
[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes
These sections set up client tunnels to the Gmail SMTP, IMAP, and POP3 servers. Delete them and add the following lines instead, so Stunnel will listen on port 1194 and forward the traffic to the OpenVPN Access Server. Replace 12.34.56.78 with the public IP address of your OpenVPN Access Server.
client = yes
[openvpn]
accept = 127.0.0.1:1194
connect = 12.34.56.78:443
Save and close the file. Right-click the Stunnel icon on the Windows taskbar and select Terminate. Then start Stunnel again.
Next, go to the OpenVPN Access Server Client Portal (https://your-server-ip:943) to download the OpenVPN Connect client and your connection profile. Launch the Notepad text editor and edit the connection profile file. Find the remote directives.
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 443 tcp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
Replace all of them with a single remote directive pointing at the local Stunnel listener, 127.0.0.1:1194.
remote 127.0.0.1 1194 tcp
Save and close the file. Then open Windows PowerShell as administrator, and run the following command to add a static route for the OpenVPN Access Server. This prevents a routing loop when using Stunnel.
route ADD xx.xx.xx.xx MASK 255.255.255.255 192.168.1.1
- Replace xx.xx.xx.xx with the public IP address of your OpenVPN Access server.
- My default gateway is 192.168.1.1 (my router). If your router has a different IP address, change it as appropriate.
Then re-import the OpenVPN connection profile to the OpenVPN Connect client. Now you can try establishing VPN connection.
Troubleshooting
Connection Refused
If your OpenVPN server doesn’t listen on TCP port 1194, then you may find the following error in the Stunnel log.
s_connect: connect 127.0.0.1:1194: Connection refused (111)
Please go to OpenVPN Access Server admin panel -> Configuration -> Network settings, enable TCP on port 1194 and disable UDP. Don’t forget to click the update running server button to apply the changes.
Connection Reset
If you find the following error in the Stunnel log,
TLS fd: Connection reset by peer (104)
It might be that your national firewall is able to detect and block Stunnel traffic. You can try other VPN solutions instead, such as SoftEtherVPN SSTP protocol and OpenConnect VPN protocol.
Wrapping Up
That’s it! I hope this tutorial helped you install and configure OpenVPN on Ubuntu 22.04/20.04. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks 🙂
Hi
The connection is not established correctly. Repeats constantly.
Hi, add this options to stunnel client’s config and try again :
G’day, fabulous post but alas I run into an issue and can’t access the OpenVPN Access admin panel in a browser.
When I run these commands:
Check listening ports.
sudo ss -lnptu | grep openvpn
The output is different than in the above post as for me it returns:
sudo ss -lnptu | grep openvpn
udp UNCONN 0 0 0.0.0.0:918 0.0.0.0:* users:(("openvpn-openssl",pid=15476,fd=5))
udp UNCONN 0 0 0.0.0.0:919 0.0.0.0:* users:(("openvpn-openssl",pid=15483,fd=5))
udp UNCONN 0 0 0.0.0.0:920 0.0.0.0:* users:(("openvpn-openssl",pid=15490,fd=5))
udp UNCONN 0 0 0.0.0.0:921 0.0.0.0:* users:(("openvpn-openssl",pid=15497,fd=5))
udp UNCONN 0 0 *:8443 *:* users:(("openvpn",pid=966,fd=7))
tcp LISTEN 0 32 0.0.0.0:914 0.0.0.0:* users:(("openvpn-openssl",pid=15443,fd=5))
tcp LISTEN 0 32 0.0.0.0:915 0.0.0.0:* users:(("openvpn-openssl",pid=15452,fd=5))
I am running Ubuntu server LTS 22.04 with OpenVPN set to port 8443 and can’t access the admin panel.
Any advice? Thanks!
Hello there,
Thank you for the write up. I am going to give it a go but do have one question. Does this allow me to update both Ubuntu and OpenVPN via repositories? Do I need to do something to allow this?
Thanks,
Steve
Best OpenVPN-AS guide I have found. Thank you very much for your work on this. Was hitting walls left right and center until I followed this. Cheers!
Hi,
So I’m totally stupid, but what’s the default username and password to log in with? I’ve looked and can’t seem to find it.
I’m talking about once you hit step 2.
“Step 2: Managing OpenVPN Access Server via the Admin Panel”
I take it back, I am stupid and didn’t notice it was autogenerated in a screenshot prior 🙂
Hello and thank you for your tuts, they are all great and work, and you are also updating them, which is a huge benefit for your readers. I have a question about the VPN server. I have everything working and everything is routed through the VPN. I would like only traffic for a domain, let’s say example.com, to route through the VPN and all other traffic to go without the VPN. I think it’s possible with OpenVPN Access Server. Can you explain how, maybe? Thanks a lot.