
How to Set Up an OpenVPN Server on Ubuntu 24
Setting up an OpenVPN server on Ubuntu 24.04 LTS gives you an authenticated, encrypted tunnel for your network traffic, whether you’re connecting remote workers to your company network, protecting yourself on public WiFi, or simply keeping your traffic private from the local network. This guide walks through the complete installation process, configuration details, performance considerations, and common troubleshooting scenarios you’ll encounter when running your own OpenVPN server on the current Ubuntu LTS release.
How OpenVPN Works
OpenVPN runs two channels over a single UDP (or TCP) socket. The control channel is a TLS session in which server and client authenticate each other with X.509 certificates issued by your own CA and derive session keys. The data channel then carries the tunnelled IP packets, encrypted with a symmetric AEAD cipher (AES-256-GCM or ChaCha20-Poly1305 in 2.6) and rekeyed periodically. The server hands each client a virtual IP address from a pool and either routes all of the client’s traffic through the tunnel (full tunnel) or only routes to specific networks (split tunnel).
The architecture consists of several key components:
- Public Key Infrastructure (PKI) for certificate-based authentication of both the server and every client
- Ephemeral (EC)DHE key exchange in the TLS handshake for perfect forward secrecy; the dh.pem file generated below serves clients that negotiate classic DH
- TUN (layer 3) or TAP (layer 2) virtual network interfaces for moving packets between the tunnel and the kernel
- iptables/nftables rules for forwarding and network address translation
- Optionally, a pre-shared key (tls-auth or tls-crypt) that lets the server drop packets from anyone who does not hold it before any TLS processing happens
Ubuntu 24.04 ships OpenVPN 2.6.x from its repositories. Compared with the 2.4 series that many older guides target, it negotiates the data-channel cipher with data-ciphers, supports tls-crypt-v2 for per-client control-channel keys, and deprecates the cipher and comp-lzo directives.
Prerequisites and System Preparation
Before installing OpenVPN, ensure your Ubuntu 24.04 server meets these requirements:
- Root or sudo access
- At least 512MB RAM; 1GB or more if you expect dozens of concurrent clients
- A public IP address, or a NAT router that can forward the VPN port to the server
- Firewall port 1194/UDP reachable from your clients (443/TCP only if you later add a TCP fallback for restrictive networks; this guide uses UDP)
Start by updating your system packages:
sudo apt update && sudo apt upgrade -y
sudo apt install curl wget gnupg2 software-properties-common -y
Enable IP forwarding permanently. A drop-in file under /etc/sysctl.d survives package upgrades better than appending to /etc/sysctl.conf, and sysctl --system applies every drop-in:
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-openvpn.conf
sudo sysctl --system
Installing OpenVPN and Easy-RSA
Install OpenVPN and the Easy-RSA certificate management toolkit:
sudo apt install openvpn easy-rsa -y
Create a directory structure for your certificate authority:
mkdir ~/openvpn-ca
cd ~/openvpn-ca
cp -r /usr/share/easy-rsa/* .
Initialize the PKI and create your certificate authority:
./easyrsa init-pki
./easyrsa build-ca
When prompted, set a passphrase for the CA key and enter a common name for your CA (like “OpenVPN-CA”). This creates the root certificate that signs every server and client certificate. Whoever holds pki/private/ca.key can issue certificates your server will trust, so keep the key passphrase-protected (you are only asked for it when signing) and ideally on a machine that is not the VPN server. The “nopass” flag you will see in other guides drops that protection.
Generating Server and Client Certificates
Generate the server certificate and key:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
Create Diffie-Hellman parameters (this takes a few minutes; OpenVPN 2.6 negotiates ECDHE by default, so “dh none” also works, but the file is cheap insurance for clients that negotiate classic DH):
./easyrsa gen-dh
Generate a pre-shared key used to HMAC-sign (tls-auth) or encrypt (tls-crypt) the control channel, so that packets from anyone who does not hold it are dropped before the TLS handshake is even attempted:
openvpn --genkey secret pki/ta.key
Copy the server certificates to OpenVPN’s directory and make sure only root can read the private material:
sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem pki/ta.key /etc/openvpn/server/
sudo chmod 600 /etc/openvpn/server/server.key /etc/openvpn/server/ta.key
Create a client certificate (repeat for each client):
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
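The PKI steps above as one script, added here as an example (it is not part of Easy-RSA or OpenVPN). It assumes the Easy-RSA 3 layout copied to ~/openvpn-ca and the /etc/openvpn/server paths used in this guide, keeps a passphrase on the CA key, verifies each certificate against the CA before installing it, and refuses client names that would become odd file names under pki/ and ccd/ (a name like ../etc would otherwise be spliced straight into paths). The function and command names are this script’s own.

```bash
#!/usr/bin/env bash
# build-pki.sh: Easy-RSA procedure from this guide with the checks the
# individual commands skip. Added example, not Easy-RSA's or OpenVPN's tooling.
set -eu

CA_DIR="${CA_DIR:-$HOME/openvpn-ca}"          # assumed: where easyrsa was copied
SERVER_DIR="${SERVER_DIR:-/etc/openvpn/server}"

# Client names become file names under pki/ and the ccd/ directory and are
# matched against certificate CNs, so only allow a conservative character set
# and reserve the names used for the server and CA themselves.
validate_client_name() {
    printf '%s' "$1" | grep -qE '^[A-Za-z0-9_-]{1,64}$' || return 1
    case "$1" in server|ca) return 1 ;; esac
    return 0
}

build_ca_and_server() {
    cd "$CA_DIR"
    [ -d pki ] || ./easyrsa init-pki
    # No "nopass": a stolen unencrypted ca.key lets an attacker mint client
    # certificates the server will accept. The passphrase is only needed to sign.
    [ -f pki/ca.crt ] || ./easyrsa build-ca
    if [ ! -f pki/issued/server.crt ]; then
        ./easyrsa gen-req server nopass
        ./easyrsa sign-req server server
    fi
    [ -f pki/dh.pem ] || ./easyrsa gen-dh
    [ -f pki/ta.key ] || openvpn --genkey secret pki/ta.key
    # Prove the chain before copying anything into place.
    openssl verify -CAfile pki/ca.crt pki/issued/server.crt
    sudo install -m 644 pki/ca.crt pki/issued/server.crt pki/dh.pem "$SERVER_DIR/"
    sudo install -m 600 pki/private/server.key pki/ta.key "$SERVER_DIR/"
}

issue_client() {
    name="$1"
    validate_client_name "$name" || { echo "refusing client name: $name" >&2; return 1; }
    cd "$CA_DIR"
    if [ -f "pki/issued/$name.crt" ]; then
        echo "$name already issued; revoke it first if you need a new one" >&2
        return 1
    fi
    ./easyrsa gen-req "$name" nopass
    ./easyrsa sign-req client "$name"
    openssl verify -CAfile pki/ca.crt "pki/issued/$name.crt"
    # The server's ccd/ lookup and iroute matching key on the CN, so confirm
    # the issued certificate carries exactly the name requested.
    openssl x509 -in "pki/issued/$name.crt" -noout -subject | grep -q "CN *= *$name\$"
}

# Usage: bash build-pki.sh init        (CA, server cert, DH, ta.key)
#        bash build-pki.sh client NAME (one client certificate)
case "${1:-}" in
    init)   build_ca_and_server ;;
    client) issue_client "${2:?client name required}" ;;
    "")     ;;   # no arguments: only define the functions
    *)      echo "usage: $0 init | client NAME" >&2; exit 2 ;;
esac
```

Easy-RSA still prompts for confirmation at each sign-req; set EASYRSA_BATCH=1 in the environment if you want the run unattended.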
OpenVPN Server Configuration
Create the server configuration file:
sudo nano /etc/openvpn/server/server.conf
Add this configuration. File paths are relative to /etc/openvpn/server because the openvpn-server@ unit uses that directory as its working directory:
port 1194
proto udp
dev tun
# one address per client instead of the legacy net30 /30 blocks
topology subnet
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# OpenVPN 2.6 negotiates the data-channel cipher from this list;
# the old "cipher" directive is deprecated
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
# Performance optimizations
fast-io
Do not add compression (comp-lzo or compress). It has been deprecated since 2.5, costs CPU, and lets an attacker who can inject known plaintext into the tunnel recover secrets through compression side channels (the VORACLE attack); leave it out on both ends.
Create the log directory:
sudo mkdir -p /var/log/openvpn
sudo chown nobody:nogroup /var/log/openvpn
Firewall and Network Configuration
Configure NAT and forwarding. Ubuntu 24.04 uses the nftables backend for iptables (iptables-nft), so these commands work unchanged, but pick either the iptables/netfilter-persistent approach or UFW below, not both, or the two will fight over the ruleset. First, determine your network interface:
ip route show default
Typically this shows “eth0”, “ens3” or “enp0s3”. Add iptables rules (replace eth0 with your interface):
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
sudo iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Make iptables rules persistent:
sudo apt install iptables-persistent -y
sudo netfilter-persistent save
If using UFW instead, opening the port is not enough: UFW’s forward policy defaults to DROP and UFW has no command for NAT. Set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw, add a *nat table containing the MASQUERADE rule for 10.8.0.0/24 above the *filter section of /etc/ufw/before.rules, and then open the ports:
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw --force enable
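The UFW edits described above, done by a script so they are repeatable and can be dry-run on copies of the files. This is an added example for this guide, not part of UFW or OpenVPN; the function name, the marker comment it writes, and the --apply flag are its own. It inserts the *nat table immediately before the *filter table in before.rules (UFW loads the file in order, so a *nat table after *filter is ignored), sets DEFAULT_FORWARD_POLICY to ACCEPT, and is idempotent.

```bash
#!/usr/bin/env bash
# ufw-openvpn-nat.sh: give UFW the NAT and forwarding rules OpenVPN needs.
# Added example for this guide, not part of UFW or OpenVPN. File paths are
# parameters so the function can be exercised on copies before the live files.
set -eu

# configure_ufw_nat BEFORE_RULES DEFAULT_UFW WAN_IFACE VPN_SUBNET
# Inserts a MASQUERADE rule for the VPN subnet and opens UFW's forward policy.
# The marker line keeps a second run from adding a second *nat table.
configure_ufw_nat() {
    before_rules="$1"; default_ufw="$2"; wan_if="$3"; subnet="$4"
    marker="# openvpn-nat: managed block, do not duplicate"
    if ! grep -qF "$marker" "$before_rules"; then
        tmp="$(mktemp)"
        awk -v marker="$marker" -v iface="$wan_if" -v net="$subnet" '
            !done && /^\*filter/ {
                print marker
                print "*nat"
                print ":POSTROUTING ACCEPT [0:0]"
                print "-A POSTROUTING -s " net " -o " iface " -j MASQUERADE"
                print "COMMIT"
                print ""
                done = 1
            }
            { print }
        ' "$before_rules" > "$tmp"
        # Write back through cat so the original owner and mode survive.
        cat "$tmp" > "$before_rules"
        rm -f "$tmp"
    fi
    # UFW drops forwarded traffic unless the policy is ACCEPT (or per-route
    # "ufw route allow in on tun0 out on eth0" rules are added).
    sed -i 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$default_ufw"
}

# Live run as root: bash ufw-openvpn-nat.sh --apply eth0 [10.8.0.0/24]
if [ "${1:-}" = "--apply" ]; then
    configure_ufw_nat /etc/ufw/before.rules /etc/default/ufw "${2:?WAN interface}" "${3:-10.8.0.0/24}"
    ufw allow 1194/udp
    ufw allow OpenSSH
    ufw --force enable
    ufw reload
fi
```

Check the result with sudo iptables -t nat -L POSTROUTING -n -v after the reload; the MASQUERADE counters should move once a client sends traffic.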
Starting and Testing the OpenVPN Server
Enable and start the OpenVPN service:
sudo systemctl enable openvpn-server@server
sudo systemctl start openvpn-server@server
Check the service status:
sudo systemctl status openvpn-server@server
Verify the server is listening on UDP 1194:
sudo ss -ulpn | grep 1194
Check that the tun0 interface was created:
ip addr show tun0
Creating Client Configuration Files
Create a client configuration template:
mkdir ~/client-configs
nano ~/client-configs/client.ovpn
Add this configuration (replace YOUR_SERVER_IP). remote-cert-tls server makes the client reject any certificate that was not issued with the server role, so a stolen client certificate cannot be used to impersonate the server:
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
verb 3
For easier distribution, create an inline configuration file that embeds all certificates. OpenVPN only reads inline material between the <ca>, <cert>, <key> and <tls-auth> tags, so the tags are required; the file contains the client’s private key, so create it with restrictive permissions and deliver it over a secure channel:
#!/bin/bash
# Build a single-file .ovpn profile for one client from the Easy-RSA PKI.
set -euo pipefail
CLIENT_NAME="${1:-client1}"
SERVER_IP="YOUR_SERVER_IP"
CA_DIR="$HOME/openvpn-ca"
OUT="$HOME/client-configs/${CLIENT_NAME}.ovpn"
mkdir -p "$HOME/client-configs"
umask 077   # the profile holds a private key: owner-readable only
cat > "$OUT" << EOF
client
dev tun
proto udp
remote ${SERVER_IP} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
verb 3
key-direction 1
<ca>
$(cat "$CA_DIR/pki/ca.crt")
</ca>
<cert>
$(openssl x509 -in "$CA_DIR/pki/issued/${CLIENT_NAME}.crt")
</cert>
<key>
$(cat "$CA_DIR/pki/private/${CLIENT_NAME}.key")
</key>
<tls-auth>
$(cat "$CA_DIR/pki/ta.key")
</tls-auth>
EOF
echo "wrote $OUT"
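A profile that is missing a tag, still carries comp-lzo from an old template, or lacks remote-cert-tls server will either fail to connect or connect with weaker guarantees than you intended, and the error surfaces on the user’s machine rather than yours. The following linter, an added example for this guide rather than anything shipped with OpenVPN, checks a generated .ovpn for those conditions before you hand it out. The function names and the exact findings it prints are its own; the directives it looks for are OpenVPN’s.

```bash
#!/usr/bin/env bash
# lint-ovpn.sh: sanity-check an inline OpenVPN client profile before distribution.
# Added example for this guide; not part of OpenVPN or Easy-RSA.
set -eu

# True if the profile has the directive (an ERE) at the start of a line.
has_directive() {
    grep -qE "^[[:space:]]*($2)([[:space:]]|$)" "$1"
}

# True if both <tag> and </tag> lines are present.
has_block() {
    grep -q "^<$2>" "$1" && grep -q "^</$2>" "$1"
}

# lint_ovpn PROFILE: prints one line per finding, returns 1 if there are any.
lint_ovpn() {
    f="$1"; n=0
    for t in ca cert key; do
        has_block "$f" "$t" || { echo "missing inline <$t> block"; n=$((n + 1)); }
    done
    if has_block "$f" tls-crypt; then
        :   # tls-crypt has no key direction, nothing more to check
    elif has_block "$f" tls-auth; then
        has_directive "$f" 'key-direction 1' \
            || { echo "<tls-auth> present without 'key-direction 1'"; n=$((n + 1)); }
    else
        echo "no <tls-crypt> or <tls-auth> block: control channel accepts unauthenticated packets"
        n=$((n + 1))
    fi
    has_directive "$f" 'remote-cert-tls server' \
        || { echo "remote-cert-tls server missing: any client certificate could pose as the server"; n=$((n + 1)); }
    has_directive "$f" 'remote' || { echo "no remote directive"; n=$((n + 1)); }
    if has_directive "$f" 'comp-lzo|compress'; then
        echo "compression enabled (comp-lzo/compress): deprecated and leaks plaintext"
        n=$((n + 1))
    fi
    if has_directive "$f" 'cipher'; then
        echo "cipher is deprecated in 2.6; use data-ciphers"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Usage: bash lint-ovpn.sh ~/client-configs/client1.ovpn
if [ $# -gt 0 ]; then
    lint_ovpn "$1"
fi
```

Run it against every profile the generator produces; a non-zero exit is the signal to fix the template rather than the individual file.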
Performance Optimization and Advanced Configuration
The data-channel cipher dominates CPU cost. The figures below are illustrative rather than a benchmark; real numbers depend on the CPU, kernel and network path:
Configuration | Throughput (Mbps) | CPU Usage (%) | Latency (ms) |
---|---|---|---|
AES-256-CBC + SHA256 | 85 | 45 | 12 |
AES-256-GCM | 120 | 35 | 8 |
ChaCha20-Poly1305 | 140 | 25 | 7 |
This ordering holds on CPUs without AES-NI. With hardware AES (most x86 servers and recent ARM parts) AES-256-GCM is usually the fastest of the three, which is why the cipher should be negotiated rather than pinned: the server picks the first entry in its data-ciphers list that the client also supports. For high-performance scenarios, consider these settings in your server.conf:
# Prefer ChaCha20-Poly1305 on CPUs without AES acceleration; both are AEAD ciphers
data-ciphers CHACHA20-POLY1305:AES-256-GCM
# Override the kernel's default socket buffers on high-bandwidth, high-latency paths
# (the 2.6 default of 0 leaves them to the OS; measure before and after changing them)
sndbuf 393216
rcvbuf 393216
# Enable fast I/O (UDP on Linux only)
fast-io
# Tell clients immediately when the server restarts instead of waiting for keepalive
explicit-exit-notify 1
OpenVPN vs Alternative VPN Solutions
Here’s how OpenVPN compares to other VPN solutions:
Feature | OpenVPN | WireGuard | IPSec/L2TP |
---|---|---|---|
Setup Complexity | Moderate | Simple | Complex |
Performance | Good | Excellent | Good |
Security | Excellent | Excellent | Good |
Client Support | Universal | Growing | Built-in |
Firewall Traversal | Excellent | Good | Limited |
OpenVPN remains a strong choice where broad client support, a TCP/443 fallback through restrictive firewalls, or per-client routing policies (ccd, iroute) matter more than raw throughput; WireGuard is simpler and faster when those are not needed.
Common Issues and Troubleshooting
When OpenVPN connections fail, these diagnostic steps help identify problems:
Connection Timeouts:
- Verify firewall rules:
sudo iptables -L -n
- Check server logs:
sudo journalctl -u openvpn-server@server -f
- Test port connectivity (a UDP scan can only report open|filtered, since nothing answers an unauthenticated probe; the client log is the definitive test):
sudo nmap -sU -p 1194 YOUR_SERVER_IP
Authentication Failures:
# Verify certificate validity
openssl x509 -in ~/openvpn-ca/pki/issued/client1.crt -text -noout
# Check certificate dates
openssl x509 -in ~/openvpn-ca/pki/ca.crt -dates -noout
No Internet Access After Connection:
# Verify IP forwarding
cat /proc/sys/net/ipv4/ip_forward
# Check NAT rules
sudo iptables -t nat -L POSTROUTING -n -v
# Test DNS resolution
nslookup google.com 8.8.8.8
Poor Performance Issues:
- Remove compression: if an older config still has comp-lzo or compress, delete the directives on both server and client. They cost CPU and leak plaintext.
- Switch to TCP only when UDP is blocked or heavily filtered: change proto udp to proto tcp on both sides (and use port 443 if that is what the network allows). TCP-over-TCP performs worse on lossy links, not better, because both layers retransmit.
- Lower the MTU if large transfers stall while small ones work (1500 is already the default, so raising it does nothing): add tun-mtu 1400 to both server and client configs, or set mssfix on the server to clamp TCP segment size inside the tunnel.
Real-World Use Cases and Examples
Remote Development Team Access:
Configure split-tunneling to allow developers secure access to internal resources while maintaining normal internet speeds:
# In server.conf, replace redirect-gateway with specific routes
push "route 192.168.1.0 255.255.255.0"
push "route 10.0.0.0 255.0.0.0"
# Remove: push "redirect-gateway def1 bypass-dhcp"
Multi-Site Office Connectivity:
For connecting branch offices, configure a site-to-site VPN with client-specific configurations. The file name under ccd/ must equal the common name on the branch router’s client certificate (here “branch-office”), and that router must have IP forwarding enabled so LAN hosts can use it as a gateway:
sudo mkdir -p /etc/openvpn/server/ccd
echo "iroute 192.168.2.0 255.255.255.0" | sudo tee /etc/openvpn/server/ccd/branch-office
# Add to server.conf: "route" installs the kernel route into the tunnel,
# and "iroute" in the ccd file tells OpenVPN which client owns that subnet
client-config-dir /etc/openvpn/server/ccd
route 192.168.2.0 255.255.255.0
High-Availability Setup:
On dedicated servers requiring maximum uptime, run a second OpenVPN server (a second host, or a second instance on this host with its own config such as /etc/openvpn/server/backup.conf started as openvpn-server@backup) whose certificate is signed by the same CA, and list both in the client profile. The client works through the remote lines in order and moves to the next when a connection attempt fails; add remote-random if you want clients spread across both:
# Primary server on port 1194
# Backup server on port 1195
remote YOUR_PRIMARY_IP 1194
remote YOUR_BACKUP_IP 1195
Security Hardening and Best Practices
Implement additional security measures for production deployments. tls-crypt replaces tls-auth: it both authenticates and encrypts the control channel, so an on-path observer no longer sees certificates or the handshake. The two directives cannot be combined, so remove the tls-auth line when adding tls-crypt:
# Add to server.conf for enhanced security (2.6 already defaults to TLS 1.2)
tls-version-min 1.2
remote-cert-tls client
# Replace "tls-auth ta.key 0" with:
tls-crypt ta.key
In the client profile, replace tls-auth ta.key 1 (or the <tls-auth> block plus key-direction 1) with tls-crypt ta.key (or a <tls-crypt> block; tls-crypt has no key direction). The certificate name check belongs in the client configuration, not server.conf, and the name must match the CN of the server certificate (“server”, the name given to gen-req in this guide):
remote-cert-tls server
verify-x509-name server name
# Revoke compromised certificates
cd ~/openvpn-ca
./easyrsa revoke client1
./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn/server/
sudo chmod 644 /etc/openvpn/server/crl.pem
Add CRL checking to server.conf:
crl-verify crl.pem
OpenVPN re-reads the CRL on every new connection, after it has dropped privileges to nobody, so the file must stay world-readable. The CRL also carries an expiry (Easy-RSA’s default EASYRSA_CRL_DAYS is 180); once it lapses the server rejects every client, so regenerate and copy it on a schedule as well as after each revocation. Restart openvpn-server@server after editing server.conf.
Configure automatic security updates:
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades
Monitor connection logs regularly. VERIFY ERROR covers revoked, expired and unknown certificates, TLS Error covers failed handshakes (including tls-auth/tls-crypt rejects), and AUTH_FAILED appears when a client fails username/password authentication:
# Create log monitoring script
#!/bin/bash
# -F keeps following after logrotate replaces the file
tail -F /var/log/openvpn/openvpn.log | grep -E "(VERIFY ERROR|TLS Error|AUTH_FAILED)"
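A tail keeps a human watching; for a periodic check you want the failures grouped by source, so a revoked certificate being retried in a loop or a host spraying packets at the port stands out. The script below is an added example for this guide, not part of OpenVPN. It assumes the log-append, verb 3 format in which peer-related lines are prefixed with the timestamp and then IP:PORT, and in which tls-auth/tls-crypt rejects (which happen before a peer instance exists) name the source as "from [AF_INET]IP:PORT" instead. The sample log it carries is constructed in that format, not captured traffic; IPv6 peers are left out.

```bash
#!/usr/bin/env bash
# openvpn-auth-triage.sh: count certificate, handshake and password failures
# per peer address from the server log. Added example for this guide.
set -eu

# auth_failures_by_source LOGFILE [MIN_COUNT]
# Prints "count ip", most frequent first, for peers with at least MIN_COUNT
# failures. One failed handshake emits several "TLS Error" lines, so only the
# summary line of each failure is counted.
auth_failures_by_source() {
    log="$1"; min="${2:-1}"
    awk -v min="$min" '
        /VERIFY ERROR|TLS Error: TLS handshake failed|tls-crypt unwrapping failed|cannot locate HMAC|verification failed for peer/ {
            ip = ""
            if ($3 ~ /^[0-9.]+:[0-9]+$/) {                 # "date time IP:PORT ..." peer prefix
                ip = $3
            } else if (match($0, /\[AF_INET\][0-9.]+:[0-9]+/)) {   # pre-handshake reject
                ip = substr($0, RSTART + 9, RLENGTH - 9)       # strip the 9-char "[AF_INET]"
            }
            if (ip != "") { sub(/:[0-9]+$/, "", ip); count[ip]++ }
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' "$log" | sort -rn
}

# Constructed sample in the OpenVPN 2.6 log format described above (not real traffic):
# one peer with a revoked certificate that retries, one that connects, one
# sending packets without the tls-auth key.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-05-01 12:00:01 203.0.113.5:51234 TLS: Initial packet from [AF_INET]203.0.113.5:51234, sid=1a2b3c4d 5e6f7a8b
2024-05-01 12:00:03 203.0.113.5:51234 VERIFY ERROR: depth=0, error=certificate revoked: CN=client1, serial=2
2024-05-01 12:00:03 203.0.113.5:51234 TLS Error: TLS object -> incoming plaintext read error
2024-05-01 12:00:03 203.0.113.5:51234 TLS Error: TLS handshake failed
2024-05-01 12:00:10 198.51.100.7:40000 TLS: Initial packet from [AF_INET]198.51.100.7:40000, sid=9f8e7d6c 5b4a3928
2024-05-01 12:00:12 198.51.100.7:40000 [client2] Peer Connection Initiated with [AF_INET]198.51.100.7:40000
2024-05-01 12:01:00 TLS Error: tls-crypt unwrapping failed from [AF_INET]203.0.113.5:51300
2024-05-01 12:02:00 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.9:6000
EOF
}

# Usage: bash openvpn-auth-triage.sh /var/log/openvpn/openvpn.log 5
if [ $# -gt 0 ]; then
    auth_failures_by_source "$1" "${2:-1}"
fi
```

Run it from cron with a threshold and pipe the output to whatever alerting you already have; a source that keeps failing after its certificate was revoked is worth a firewall rule, and a burst of cannot-locate-HMAC lines from one address is port scanning or a misconfigured client, not a security failure of the tunnel.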
This OpenVPN setup provides a robust, secure VPN solution suitable for both personal use and enterprise deployments. Regular monitoring, proper certificate management, and staying updated with security patches ensure long-term reliability and protection of your network infrastructure.
