Hostperl

Setup OpenVPN Server on Ubuntu VPS: Complete Client Access Guide

By Raman Kumar

Updated on Jun 1, 2026

Why Run Your Own OpenVPN Server

Running your own OpenVPN server gives you complete control over your VPN infrastructure. Unlike commercial VPN services, your Hostperl VPS becomes your private tunnel to the internet with no logging concerns or bandwidth restrictions.

OpenVPN provides enterprise-grade security through SSL/TLS encryption. You can connect multiple devices, route traffic through your server's location, and bypass geographical restrictions.

Prerequisites for OpenVPN Installation

You need root access to your Ubuntu VPS and a static IP address. This tutorial covers Ubuntu 20.04 and 22.04 installations.

Reserve at least 1GB RAM for the OpenVPN service plus your regular server operations. A single-core VPS handles 10-15 concurrent connections efficiently.

Install OpenVPN and Easy-RSA

Update your package repository and install the required components:

sudo apt update
sudo apt install openvpn easy-rsa -y

Create a dedicated directory for the Certificate Authority:

mkdir ~/openvpn-ca
cd ~/openvpn-ca

Copy the Easy-RSA template:

cp -r /usr/share/easy-rsa/* ~/openvpn-ca/

Build Certificate Authority Infrastructure

Initialize the PKI (Public Key Infrastructure):

./easyrsa init-pki

Create the Certificate Authority. You'll be prompted for a Common Name - use something descriptive like "OpenVPN-CA":

./easyrsa build-ca

Generate the server certificate and key:

./easyrsa gen-req server nopass
./easyrsa sign-req server server

Create Diffie-Hellman parameters for key exchange:

./easyrsa gen-dh

Generate the pre-shared HMAC key that `tls-auth` uses to authenticate control-channel packets before the TLS handshake:

openvpn --genkey --secret ta.key

Configure OpenVPN Server Settings

Copy the generated certificates to OpenVPN's directory:

sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/server/
sudo cp ~/openvpn-ca/pki/issued/server.crt /etc/openvpn/server/
sudo cp ~/openvpn-ca/pki/private/server.key /etc/openvpn/server/
sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/server/
sudo cp ~/openvpn-ca/ta.key /etc/openvpn/server/

Create the main server configuration file:

sudo nano /etc/openvpn/server/server.conf

Add this configuration (the certificate and key file names are resolved relative to `/etc/openvpn/server/`):

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
tls-auth ta.key 0
cipher AES-256-GCM
auth SHA256

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

Enable IP Forwarding and UFW Rules

Enable IP forwarding to route traffic through your VPS:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Configure UFW firewall rules. First, edit the UFW before rules:

sudo nano /etc/ufw/before.rules

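Add these lines at the top (replace eth0 with your server's public network interface if it is named differently):

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade only the VPN subnet defined by the server directive (10.8.0.0/24)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE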
COMMIT

Allow OpenVPN through the firewall:

sudo ufw allow 1194/udp
sudo ufw reload
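The following check is an added example, not part of the original tutorial: it compares the source range of the MASQUERADE rule with the subnet in the `server` directive, so a NAT rule that covers more than the VPN pool is caught before the firewall is reloaded. The function names and the sample files are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: check that the UFW NAT rule masquerades only the VPN subnet.

# vpn_cidr SERVER_CONF -> prints the "server NET MASK" directive as NET/PREFIX.
# Assumes a contiguous netmask, so the prefix length is the number of set bits.
vpn_cidr() {
    awk '$1 == "server" && NF >= 3 {
        n = split($3, o, "[.]"); bits = 0
        for (i = 1; i <= n; i++)
            for (v = o[i] + 0; v > 0; v = int(v / 2)) bits += v % 2
        print $2 "/" bits; exit
    }' "$1"
}

# nat_sources RULES_FILE -> prints the -s value of every MASQUERADE rule in *nat.
nat_sources() {
    awk '/^\*nat/   { nat = 1 }
         /^COMMIT/  { nat = 0 }
         nat && /-j MASQUERADE/ {
             for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1)
         }' "$1"
}

# check_nat_scope SERVER_CONF RULES_FILE -> 0 only if every source equals the VPN subnet.
check_nat_scope() {
    local want found src rc=0
    want=$(vpn_cidr "$1")
    found=$(nat_sources "$2")
    [ -n "$want" ]  || { echo "no server directive in $1"; return 2; }
    [ -n "$found" ] || { echo "no MASQUERADE source in $2"; return 2; }
    for src in $found; do
        if [ "$src" = "$want" ]; then echo "OK       $src"
        else echo "MISMATCH $src (VPN subnet is $want)"; rc=1; fi
    done
    return "$rc"
}

# Constructed sample files; on a server pass /etc/openvpn/server/server.conf
# and /etc/ufw/before.rules instead (reading them needs root).
demo=$(mktemp -d)
printf 'port 1194\nserver 10.8.0.0 255.255.255.0\n' > "$demo/server.conf"
printf '*nat\n-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE\nCOMMIT\n' > "$demo/wide.rules"
printf '*nat\n-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\nCOMMIT\n' > "$demo/scoped.rules"
check_nat_scope "$demo/server.conf" "$demo/wide.rules" || true
check_nat_scope "$demo/server.conf" "$demo/scoped.rules"
```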

Start OpenVPN Service

Create the log directory:

sudo mkdir -p /var/log/openvpn

Start and enable the OpenVPN service:

sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server

Verify the service is running:

sudo systemctl status openvpn-server@server

You should see "active (running)" status. Check the tunnel interface:

ip addr show tun0

Generate Client Certificates

Return to your CA directory to create client certificates:

cd ~/openvpn-ca

Generate a client certificate (replace "client1" with your preferred name):

./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

Create additional clients by repeating with different names like client2, client3, etc.

Create Client Configuration Files

Create a client configuration template:

mkdir ~/client-configs
nano ~/client-configs/base.conf

Add this configuration (replace YOUR_SERVER_IP):

client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3

Create a script to generate complete client configs:

nano ~/client-configs/make_config.sh

Add this script content:

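#!/bin/bash
# Usage: ./make_config.sh <client-name>
# Builds one .ovpn file with the CA certificate, client certificate,
# client key and tls-auth key embedded as inline blocks.

KEY_DIR=~/openvpn-ca/pki
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Refuse to run without a client name
[ -n "$1" ] || { echo "Usage: $0 <client-name>" >&2; exit 1; }

# The profile contains the client's private key: make it readable by the owner only
umask 077

cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/issued/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/private/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    ~/openvpn-ca/ta.key \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"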

Make it executable and create the output directory:

chmod +x ~/client-configs/make_config.sh
mkdir ~/client-configs/files

Generate Client Configuration Files

Generate the client configuration file:

cd ~/client-configs
./make_config.sh client1

This creates `~/client-configs/files/client1.ovpn` with embedded certificates. Transfer this file securely to your client device.
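Before handing the profile out, it is worth confirming that every inline block really is present and that the base settings survived. The script below is an added example, not part of the original tutorial; the function names and the sample profile (with placeholder PEM bodies and a documentation-range IP) are constructed for the illustration.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a generated .ovpn profile before distributing it.

# has_block FILE TAG MARKER -> 0 if <TAG>...</TAG> encloses a "-----BEGIN" line
# that contains MARKER.
has_block() {
    awk -v o="<$2>" -v c="</$2>" -v m="$3" '
        $0 == o { inb = 1; seen = 0; next }
        $0 == c { if (inb && seen) ok = 1; inb = 0; next }
        inb && /^-----BEGIN / && index($0, m) > 0 { seen = 1 }
        END { exit !ok }' "$1"
}

# check_profile FILE -> prints one line per problem, returns 0 if none were found.
check_profile() {
    local f=$1 rc=0 spec tag
    for spec in "ca:CERTIFICATE-----" "cert:CERTIFICATE-----" \
                "key:PRIVATE KEY-----" "tls-auth:OpenVPN Static key V1-----"; do
        tag=${spec%%:*}
        has_block "$f" "$tag" "${spec#*:}" || { echo "missing or empty <$tag> block"; rc=1; }
    done
    grep -Eq '^key-direction[[:space:]]+1$' "$f" || { echo "key-direction 1 not set"; rc=1; }
    grep -Eq '^remote-cert-tls[[:space:]]+server$' "$f" || { echo "remote-cert-tls server not set"; rc=1; }
    if grep -q 'YOUR_SERVER_IP' "$f"; then echo "YOUR_SERVER_IP placeholder not replaced"; rc=1; fi
    return "$rc"
}

# Constructed sample profile: the PEM bodies are placeholders, not key material.
demo=$(mktemp -d)
pem() { printf '%s\n-----BEGIN %s-----\nAAAA\n-----END %s-----\n%s\n' "<$1>" "$2" "$2" "</$1>"; }
{
    printf 'client\nremote 203.0.113.10 1194\nremote-cert-tls server\nkey-direction 1\n'
    pem ca CERTIFICATE; pem cert CERTIFICATE
    pem key "PRIVATE KEY"; pem tls-auth "OpenVPN Static key V1"
} > "$demo/good.ovpn"
# The same file with the inline tags missing, as a plain concatenation would produce.
grep -v '^<' "$demo/good.ovpn" > "$demo/bad.ovpn"

check_profile "$demo/good.ovpn" && echo "good.ovpn: ok"
check_profile "$demo/bad.ovpn"  || echo "bad.ovpn: rejected"
```

On the server, run `check_profile ~/client-configs/files/client1.ovpn` after sourcing the two functions.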

For additional security, consider implementing certificate revocation lists (CRL) as detailed in our VPS Security Hardening guide.

Client Connection Setup

Install an OpenVPN client on your device:

  • Windows/macOS: OpenVPN Connect or OpenVPN GUI
  • Android/iOS: OpenVPN Connect app
  • Linux: `sudo apt install openvpn`

Import the `.ovpn` file into your client. On Linux, connect using:

sudo openvpn --config client1.ovpn

Test your connection by checking your IP address before and after connecting. Your traffic now routes through your VPS.

Monitor OpenVPN Performance

Check active connections:

sudo cat /var/log/openvpn/openvpn-status.log

Monitor real-time logs:

sudo tail -f /var/log/openvpn/openvpn.log

The status log lists connected clients and their virtual IP addresses. Each client receives an IP in the 10.8.0.0/24 range.

For production environments, consider implementing log rotation and monitoring as covered in our Server backup automation tutorial.

Frequently Asked Questions

How many clients can connect to my OpenVPN server?

A 1GB VPS typically supports 15-20 concurrent connections. Performance depends on bandwidth usage and encryption overhead. Monitor CPU and memory usage to determine your practical limits.

Can I change the default OpenVPN port?

Yes, edit the `port` directive in `/etc/openvpn/server/server.conf` and update your UFW rules accordingly. Using non-standard ports can help avoid basic port scanning.

How do I revoke a client certificate?

Use `./easyrsa revoke client1` in your CA directory, then generate a new CRL with `./easyrsa gen-crl`. Copy the CRL to `/etc/openvpn/server/` and add `crl-verify crl.pem` to your server config.

What if OpenVPN fails to start?

Check the logs with `sudo journalctl -u openvpn-server@server`. Common issues include certificate path errors, port conflicts, or firewall blocking. Verify all certificate files exist in `/etc/openvpn/server/`.

How do I backup my OpenVPN configuration?

Backup the entire `/etc/openvpn/server/` directory and your `~/openvpn-ca/` folder. Store these securely as they contain your private keys and certificates. Regular backups prevent complete reconfiguration after server failures.