How to Set Up and Configure an OpenVPN Server on Ubuntu 24

Setting up an OpenVPN server on Ubuntu 24 is one of those essential skills that every sysadmin worth their salt should have in their toolkit. Whether you’re securing remote work connections, creating site-to-site tunnels, or just want to bypass geo-restrictions while maintaining proper security hygiene, OpenVPN remains the gold standard for VPN solutions. This guide will walk you through the complete process of installing, configuring, and troubleshooting an OpenVPN server on Ubuntu 24.04, including certificate management, client configuration, and performance optimization tips that actually matter in production environments.

How OpenVPN Works Under the Hood

OpenVPN is an SSL/TLS-based VPN that creates point-to-point or site-to-site connections through encrypted tunnels. Unlike IPsec, which works at the network layer, OpenVPN runs in userspace and traverses NAT firewalls and web proxies more easily. It uses its own framing protocol with SSL/TLS for key exchange and creates a virtual network interface (typically tun0 or tap0) that carries the encrypted traffic.

The architecture consists of three main components: the OpenVPN daemon, Public Key Infrastructure (PKI) for certificate management, and routing tables that determine how traffic flows through the tunnel. When a client connects, the server authenticates the certificate, establishes an encrypted channel, assigns an IP address from the VPN subnet, and pushes routing information to direct traffic appropriately.

Step-by-Step OpenVPN Server Setup

Prerequisites and Initial Setup

First, ensure your Ubuntu 24.04 system is updated and install the required packages:

sudo apt update && sudo apt upgrade -y
sudo apt install openvpn easy-rsa iptables-persistent -y

Enable IP forwarding, which is crucial for the VPN to route traffic properly:

# Edit sysctl configuration
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Setting Up the Certificate Authority

OpenVPN relies heavily on PKI, so we’ll use Easy-RSA to manage certificates (the easy-rsa package in Ubuntu 24.04 is Easy-RSA 3, whose commands and directory layout differ from the older build-key scripts):

# Copy Easy-RSA template
make-cadir ~/openvpn-ca
cd ~/openvpn-ca

# Configure the vars file (make-cadir may already have created it from vars.example)
[ -f vars ] || cp vars.example vars
nano vars

Edit the vars file with your organization details (Easy-RSA 3 uses set_var lines; the old export KEY_* variables are ignored):

set_var EASYRSA_REQ_COUNTRY  "US"
set_var EASYRSA_REQ_PROVINCE "CA"
set_var EASYRSA_REQ_CITY     "SanFrancisco"
set_var EASYRSA_REQ_ORG      "YourOrg"
set_var EASYRSA_REQ_EMAIL    "admin@yourorg.com"
set_var EASYRSA_REQ_OU       "IT"

Initialize the PKI and create the Certificate Authority (Easy-RSA 3 reads ./vars on its own; you will be prompted for a CA passphrase, which you should set):

./easyrsa init-pki
./easyrsa build-ca

# Generate server certificate and key (nopass: the daemon must start unattended)
./easyrsa build-server-full server nopass
./easyrsa gen-dh

# Generate the HMAC key for tls-auth (extra protection for the control channel)
openvpn --genkey secret pki/ta.key

OpenVPN Server Configuration

Copy the generated material into place (Easy-RSA 3 keeps everything under pki/; the DH file is renamed to match the configuration below):

sudo mkdir -p /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/ca.crt ~/openvpn-ca/pki/issued/server.crt ~/openvpn-ca/pki/ta.key /etc/openvpn/server/
sudo cp ~/openvpn-ca/pki/private/server.key /etc/openvpn/server/
sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/server/dh2048.pem
sudo chmod 600 /etc/openvpn/server/server.key /etc/openvpn/server/ta.key

Create the server configuration file:

sudo nano /etc/openvpn/server.conf

Here’s a production-ready configuration that balances security and performance:

port 1194
proto udp
dev tun

# Absolute paths: the openvpn@server unit runs with /etc/openvpn as its working directory,
# so bare file names would not be found under /etc/openvpn/server/
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh2048.pem

# VPN subnet - adjust as needed
server 10.8.0.0 255.255.255.0

# Keep each client's assigned VPN address stable across restarts
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Push routes to clients
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Security enhancements
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-GCM
auth SHA256

# Performance and reliability
keepalive 10 120
# comp-lzo is deprecated, and compression of tunnel data enables VORACLE-style
# plaintext recovery; remove it (on server and clients alike) unless you truly need it
comp-lzo
persist-key
persist-tun

# Logging
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3

# Run as non-privileged user
user nobody
group nogroup

Firewall and NAT Configuration

Configure iptables to handle VPN traffic routing (eth0 stands for your internet-facing interface; confirm its name with ip route show default):

# Allow VPN traffic
sudo iptables -A INPUT -i tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# NAT configuration for internet access
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# Allow OpenVPN through firewall
sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT

# Save iptables rules
sudo netfilter-persistent save

Starting and Enabling the Service

# The directory used for ipp.txt, the status file and the log must exist and be
# writable by the unprivileged user before the first start
sudo mkdir -p /var/log/openvpn
sudo chown nobody:nogroup /var/log/openvpn

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

# Check status
sudo systemctl status openvpn@server

Client Configuration and Management

Creating Client Certificates

For each client, generate a unique certificate (the certificate lands in pki/issued/ and the key in pki/private/):

cd ~/openvpn-ca
./easyrsa build-client-full client1 nopass

Client Configuration Template

Create a client configuration file:

client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-256-GCM
auth SHA256
comp-lzo
verb 3

Automated Client Config Generation Script

Here’s a handy script to generate complete client configurations:

#!/bin/bash
# generate-client-config.sh - issue a client certificate and build a single-file .ovpn
set -euo pipefail

CLIENT="${1:-}"
SERVER_IP="${2:-}"

if [ -z "$CLIENT" ] || [ -z "$SERVER_IP" ]; then
    echo "Usage: $0 <client-name> <server-ip>"
    exit 1
fi

cd ~/openvpn-ca
# Easy-RSA 3 reads ./vars itself; nopass leaves the client key unencrypted
./easyrsa build-client-full "$CLIENT" nopass

mkdir -p ~/clients
# Create inline client config: certificates and keys are embedded in <tag> blocks,
# and key-direction 1 replaces the second argument of tls-auth
cat > ~/clients/"$CLIENT".ovpn << EOF
client
dev tun
proto udp
remote $SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-GCM
auth SHA256
comp-lzo
verb 3
key-direction 1
<ca>
$(cat pki/ca.crt)
</ca>
<cert>
$(cat pki/issued/"$CLIENT".crt)
</cert>
<key>
$(cat pki/private/"$CLIENT".key)
</key>
<tls-auth>
$(cat pki/ta.key)
</tls-auth>
EOF

# The file contains a private key: keep it readable by the owner only
chmod 600 ~/clients/"$CLIENT".ovpn
echo "Client configuration created: ~/clients/$CLIENT.ovpn"

Performance Optimization and Monitoring

Performance Tuning Options

For high-throughput scenarios, consider these optimizations:

# Add to server.conf for better performance
sndbuf 0
rcvbuf 0
push "sndbuf 0"
push "rcvbuf 0"

# Multi-client scaling
max-clients 100
# Only if you need shared certificates (not recommended for production);
# OpenVPN does not parse trailing comments, so keep comments on their own line
duplicate-cn

Monitoring and Logging

Set up proper logging and monitoring:

sudo mkdir -p /var/log/openvpn
sudo chown nobody:nogroup /var/log/openvpn

# Create logrotate configuration
sudo nano /etc/logrotate.d/openvpn

with the following content:

/var/log/openvpn/*.log {
    daily
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 644 nobody nogroup
    postrotate
        systemctl reload openvpn@server
    endscript
}

OpenVPN vs Alternatives Comparison

Feature                    OpenVPN    WireGuard  IPSec/IKEv2  SoftEther
Setup Complexity           Medium     Low        High         High
Performance                Good       Excellent  Good         Good
Platform Support           Excellent  Good       Excellent    Good
Security Maturity          Excellent  Good       Excellent    Good
NAT Traversal              Excellent  Good       Complex      Excellent
Configuration Flexibility  Excellent  Limited    Good         Excellent

Common Issues and Troubleshooting

Connection Problems

The most frequent issues and their solutions:

  • Client can’t connect: Check firewall rules and ensure port 1194 is open
  • Connected but no internet: Verify IP forwarding is enabled and NAT rules are correct
  • DNS not working: Ensure pushed DNS servers are accessible or use different ones
  • Certificate errors: Check certificate validity and ensure client/server certificates match CA

Debugging Commands

# Check OpenVPN status
sudo systemctl status openvpn@server

# View real-time logs
sudo tail -f /var/log/openvpn/openvpn.log

# Check routing table
ip route show

# Run the server in the foreground with maximum verbosity to watch a handshake
# (stop openvpn@server first, otherwise port 1194 is already bound)
sudo systemctl stop openvpn@server
sudo openvpn --config /etc/openvpn/server.conf --verb 6

# Check active connections
cat /var/log/openvpn/openvpn-status.log
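As an added example (not from the original article), a Python parser for the status file referenced above, in the default status-version 1 layout. Besides listing connected clients and routes, it flags a common name connected from more than one real address, the certificate sharing that duplicate-cn silently permits. The status content is constructed.

```python
from collections import defaultdict, namedtuple

# Constructed sample of /var/log/openvpn/openvpn-status.log (status-version 1);
# client1 appears twice, as it would under duplicate-cn with a copied certificate.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Thu Jun 20 08:12:15 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51234,12345,67890,Thu Jun 20 08:10:01 2024
client2,198.51.100.7:40001,500,800,Thu Jun 20 08:11:40 2024
client1,192.0.2.9:55555,100,200,Thu Jun 20 08:12:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.5:51234,Thu Jun 20 08:12:10 2024
10.8.0.10,client2,198.51.100.7:40001,Thu Jun 20 08:12:12 2024
10.8.0.14,client1,192.0.2.9:55555,Thu Jun 20 08:12:14 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

Client = namedtuple("Client", "common_name real_address bytes_received bytes_sent connected_since")

def parse_status(text):
    """Return (clients, routes); each route is (virtual_ip, common_name, real_address)."""
    clients, routes, section = [], [], None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
        elif line == "ROUTING TABLE":
            section = "routes"
        elif line in ("GLOBAL STATS", "END"):
            section = None
        else:
            f = line.split(",")
            # Header rows ("Common Name,...", "Virtual Address,...") fail these shape checks
            if section == "clients" and len(f) == 5 and f[2].isdigit():
                clients.append(Client(f[0], f[1], int(f[2]), int(f[3]), f[4]))
            elif section == "routes" and len(f) == 4 and f[0][:1].isdigit():
                routes.append((f[0], f[1], f[2]))
    return clients, routes

def shared_certificates(clients):
    """Common names connected from several real addresses at once: a copied or shared
    certificate (only possible with duplicate-cn); revoke it and reissue per device."""
    seen = defaultdict(set)
    for c in clients:
        seen[c.common_name].add(c.real_address)
    return {cn: sorted(a) for cn, a in seen.items() if len(a) > 1}
```

Run it against the live file with parse_status(open("/var/log/openvpn/openvpn-status.log").read()) from a cron job or monitoring check.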

Performance Issues

If you’re experiencing slow connections:

# Check MTU: 1472 bytes of payload plus 28 bytes of headers is a 1500-byte packet;
# if this fails with "message too long", lower the size until it passes and set
# mssfix/tun-mtu accordingly
ping -M do -s 1472 vpn-client-ip

# Optimize socket buffer sizes (writing to /etc/sysctl.conf needs root)
echo 'net.core.rmem_default = 262144' | sudo tee -a /etc/sysctl.conf
echo 'net.core.rmem_max = 16777216' | sudo tee -a /etc/sysctl.conf
echo 'net.core.wmem_default = 262144' | sudo tee -a /etc/sysctl.conf
echo 'net.core.wmem_max = 16777216' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Security Best Practices

Hardening Your OpenVPN Server

  • Use strong cipher suites: AES-256-GCM with SHA256 authentication provides excellent security
  • Implement certificate revocation: Set up a Certificate Revocation List (CRL) for compromised certificates
  • Enable TLS authentication: The ta.key provides an additional layer of security against DoS attacks
  • Run as non-privileged user: Minimize potential damage from security vulnerabilities
  • Regular certificate rotation: Implement a policy for regular certificate renewal
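As an added example (not part of the original article), a Python audit of a server.conf against the checklist above, plus one check the list omits: compression. The sample is a trimmed, constructed copy of this article's server.conf with the tls-auth line left out; the directive names are OpenVPN's own.

```python
# Constructed sample: the article's server.conf, trimmed, with the tls-auth line left out
SAMPLE_CONF = """port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-GCM
auth SHA256
comp-lzo
keepalive 10 120
user nobody
group nogroup
"""

STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}

def parse_conf(text):
    """Map directive -> list of argument strings (one entry per occurrence)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # OpenVPN comments are whole lines only
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives

def audit(text):
    """Return findings against the hardening list; an empty list means every check passed."""
    d = parse_conf(text)
    findings = []
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: control channel open to probing and DoS")
    ciphers = {c for v in d.get("cipher", []) + d.get("data-ciphers", []) for c in v.split(":")}
    if not ciphers or not ciphers <= STRONG_CIPHERS:
        findings.append("data cipher not an AEAD suite: %s" % (sorted(ciphers) or "none"))
    if d.get("auth", ["SHA1"])[0].upper() not in {"SHA256", "SHA384", "SHA512"}:  # SHA1 is OpenVPN's default
        findings.append("auth digest weaker than SHA256")
    if "crl-verify" not in d:
        findings.append("no crl-verify: revoked client certificates are still accepted")
    if d.get("user", ["root"])[0] == "root":   # root is the default when user is absent
        findings.append("daemon keeps root after startup: add user nobody / group nogroup")
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression enabled: deprecated and exposes tunnel data (VORACLE)")
    return findings
```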

Certificate Revocation Setup

# Revoke a client certificate and regenerate the CRL (Easy-RSA 3)
cd ~/openvpn-ca
./easyrsa revoke client1
./easyrsa gen-crl

# OpenVPN re-reads the CRL on every new connection after it has dropped to
# nobody, so the copy must be world-readable (Easy-RSA creates it mode 600)
sudo cp pki/crl.pem /etc/openvpn/server/
sudo chmod 644 /etc/openvpn/server/crl.pem

# Add to server.conf and restart; the CRL itself has an expiry (EASYRSA_CRL_DAYS,
# default 180 days), after which all clients are rejected, so re-run gen-crl and
# copy it again before then
echo 'crl-verify /etc/openvpn/server/crl.pem' | sudo tee -a /etc/openvpn/server.conf
sudo systemctl restart openvpn@server

Real-World Use Cases and Applications

Site-to-Site VPN

For connecting branch offices, modify the server configuration:

# Kernel route on the server for the branch network behind the VPN client
route 192.168.10.0 255.255.255.0
# OpenVPN also needs to know which client fronts that network: put
# "iroute 192.168.10.0 255.255.255.0" in /etc/openvpn/ccd/<client-common-name>
client-config-dir /etc/openvpn/ccd

# Tell clients how to reach the server-side LAN
push "route 192.168.1.0 255.255.255.0"

# Client-to-client communication
client-to-client

Road Warrior Setup

For mobile users and remote workers, the standard configuration works well, but consider adding:

# Tell the peer when this side shuts down so it reconnects at once (UDP only)
explicit-exit-notify 1

# Block DNS outside the tunnel to prevent leaks; this option only works on
# Windows clients and must be pushed from the server
push "block-outside-dns"

# Compression (deprecated, and a known plaintext-exposure risk; if you keep it,
# use one scheme only and remove comp-lzo from server and client configs)
compress lz4-v2
push "compress lz4-v2"

Multi-Server Load Balancing

For high availability, set up multiple OpenVPN servers behind a load balancer:

# Client config for multiple servers
remote vpn1.example.com 1194
remote vpn2.example.com 1194
remote-random

Advanced Configuration Options

Custom Routing and Split Tunneling

Sometimes you don’t want all traffic going through the VPN:

# Instead of redirect-gateway, push only the internal ranges
# (remove the push "redirect-gateway ..." line from server.conf)
push "route 10.0.0.0 255.0.0.0"
push "route 172.16.0.0 255.240.0.0"
push "route 192.168.0.0 255.255.0.0"

Authentication Integration

For enterprise environments, integrate with existing authentication systems:

# LDAP authentication plugin (package openvpn-auth-ldap)
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf

# Two-factor authentication through an external verification script;
# via-env requires script-security 3 and passes the password through the
# environment, so prefer via-file where your script supports it
script-security 3
auth-user-pass-verify /etc/openvpn/scripts/auth.sh via-env

OpenVPN’s flexibility and mature ecosystem make it an excellent choice for organizations needing reliable, secure remote access. While newer solutions like WireGuard offer better performance, OpenVPN’s extensive configuration options and proven track record in enterprise environments keep it relevant. The setup process might seem involved initially, but the payoff in terms of security and functionality makes it worthwhile for production deployments.

For additional resources, check the official OpenVPN community documentation and the Easy-RSA GitHub repository for the latest updates and advanced configuration examples.


