How To Set Up an OpenVPN Server on Ubuntu 16.04


Want to access the Internet safely and securely from your smartphone or laptop when connected to an untrusted network such as the WiFi of a hotel or coffee shop? A Virtual Private Network (VPN) allows you to traverse untrusted networks privately and securely as if you were on a private network. The traffic emerges from the VPN server and continues its journey to the destination.

When combined with HTTPS connections, this setup allows you to secure your wireless logins and transactions. You can circumvent geographical restrictions and censorship, and shield your location and any unencrypted HTTP traffic from the untrusted network.

OpenVPN is a full-featured open source Secure Socket Layer (SSL) VPN solution that accommodates a wide range of configurations. In this tutorial, we’ll set up an OpenVPN server on a Droplet and then configure access to it from Windows, OS X, iOS and Android. This tutorial will keep the installation and configuration steps as simple as possible for these setups.

Note: If you plan to set up an OpenVPN server on a DigitalOcean Droplet, be aware that we, like many hosting providers, charge for bandwidth overages. For this reason, please be mindful of how much traffic your server is handling.

See this page for more info.


To complete this tutorial, you will need access to an Ubuntu 16.04 server.

You will need to configure a non-root user with sudo privileges before you start this guide. You can follow our Ubuntu 16.04 initial server setup guide to set up a user with appropriate permissions. The linked tutorial will also set up a firewall, which we will assume is in place during this guide.

When you are ready to begin, log into your Ubuntu server as your sudo user and continue below.

Step 1: Install OpenVPN

To start off, we will install OpenVPN onto our server. OpenVPN is available in Ubuntu’s default repositories, so we can use apt for the installation. We will also be installing the easy-rsa package, which will help us set up an internal CA (certificate authority) for use with our VPN.

To update your server’s package index and install the necessary packages, type:

  • sudo apt-get update
  • sudo apt-get install openvpn easy-rsa

The needed software is now on the server, ready to be configured.

Step 2: Set Up the CA Directory

OpenVPN is a TLS/SSL VPN. This means that it utilizes certificates in order to encrypt traffic between the server and clients. In order to issue trusted certificates, we will need to set up our own simple certificate authority (CA).

To begin, we can copy the easy-rsa template directory into our home directory with the make-cadir command:

  • make-cadir ~/openvpn-ca

Move into the newly created directory to begin configuring the CA:

  • cd ~/openvpn-ca

Step 3: Configure the CA Variables

To configure the values our CA will use, we need to edit the vars file within the directory. Open that file now in your text editor:

  • nano vars

Inside, you will find some variables that can be adjusted to determine how your certificates will be created. We only need to worry about a few of these.

Towards the bottom of the file, find the settings that set field defaults for new certificates. It should look something like this:

. . .

export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

. . .

Edit these values to whatever you’d prefer, but do not leave them blank:

. . .

export KEY_CITY="New York City"
export KEY_ORG="DigitalOcean"
export KEY_EMAIL=""
export KEY_OU="Community"

. . .

While we are here, we will also edit the KEY_NAME value just below this section, which populates the subject field. To keep this simple, we’ll call it server in this guide:

export KEY_NAME="server"

When you are finished, save and close the file.

Step 4: Build the Certificate Authority

Now, we can use the variables we set and the easy-rsa utilities to build our certificate authority.

Ensure you are in your CA directory, and then source the vars file you just edited:

  • cd ~/openvpn-ca
  • source vars

You should see the following if it was sourced correctly:

NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys

Make sure we’re operating in a clean environment by typing:

  • ./clean-all

Now, we can build our root CA by typing:

  • ./build-ca

This will initiate the process of creating the root certificate authority key and certificate. Since we filled out the vars file, all of the values should be populated automatically. Just press ENTER through the prompts to confirm the selections:

Generating a 2048 bit RSA private key
..........................................................................................+++
...............................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [New York City]:
Organization Name (eg, company) [DigitalOcean]:
Organizational Unit Name (eg, section) [Community]:
Common Name (eg, your name or your server's hostname) [DigitalOcean CA]:
Name [server]:
Email Address []:

We now have a CA that can be used to create the rest of the files we need.

Step 5: Create the Server Certificate, Key, and Encryption Files

Next, we will generate our server certificate and key pair, as well as some additional files used during the encryption process.

Start by generating the OpenVPN server certificate and key pair. We can do this by typing:

Note: If you choose a name other than server here, you will have to adjust some of the instructions below. For instance, when copying the generated files to the /etc/openvpn directory, you will have to substitute the correct names. You will also have to modify the /etc/openvpn/server.conf file later to point to the correct .crt and .key files.

  • ./build-key-server server

Once again, the prompts will have default values based on the argument we just passed in (server) and the contents of our vars file we sourced.

Feel free to accept the default values by pressing ENTER. Do not enter a challenge password for this setup. Towards the end, you will have to enter y to two questions to sign and commit the certificate:

. . .

Certificate is to be certified until May 1 17:51:16 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Next, we’ll generate a few other items. We can generate strong Diffie-Hellman keys to use during key exchange by typing:

  • ./build-dh

This might take a few minutes to complete.

Afterwards, we can generate an HMAC signature to strengthen the server’s TLS integrity verification capabilities:

  • openvpn --genkey --secret keys/ta.key

Step 6: Generate a Client Certificate and Key Pair

Next, we can generate a client certificate and key pair. Although this can be done on the client machine and then signed by the server/CA for security purposes, for this guide we will generate the signed key on the server for the sake of simplicity.

We will generate a single client key/certificate for this guide, but if you have more than one client, you can repeat this process as many times as you’d like. Pass in a unique value to the script for each client.

Because you may come back to this step at a later time, we’ll re-source the vars file. We will use client1 as the value for our first certificate/key pair for this guide.

To produce credentials without a password, to aid in automated connections, use the build-key command like this:

  • cd ~/openvpn-ca
  • source vars
  • ./build-key client1

If instead, you wish to create a password-protected set of credentials, use the build-key-pass command:

  • cd ~/openvpn-ca
  • source vars
  • ./build-key-pass client1

Again, the defaults should be populated, so you can just hit ENTER to continue. Leave the challenge password blank and make sure to enter y for the prompts that ask whether to sign and commit the certificate.

Step 7: Configure the OpenVPN Service

Next, we can begin configuring the OpenVPN service using the credentials and files we’ve generated.

Copy the Files to the OpenVPN Directory

To begin, we need to copy the files we need to the /etc/openvpn configuration directory.

We can start with all of the files that we just generated. These were placed within the ~/openvpn-ca/keys directory as they were created. We need to move our CA cert, our server cert and key, the HMAC signature, and the Diffie-Hellman file:

  • cd ~/openvpn-ca/keys
  • sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn

Next, we need to copy and unzip a sample OpenVPN configuration file into the configuration directory so that we can use it as a basis for our setup:

  • gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Adjust the OpenVPN Configuration

Now that our files are in place, we can modify the server configuration file:

  • sudo nano /etc/openvpn/server.conf

Basic Configuration

First, find the HMAC section by looking for the tls-auth directive. Remove the “;” to uncomment the tls-auth line:

tls-auth ta.key 0 # This file is secret

Next, find the section on cryptographic ciphers by looking for the commented out cipher lines. The AES-128-CBC cipher offers a good level of encryption and is well supported. Remove the “;” to uncomment the cipher AES-128-CBC line:

cipher AES-128-CBC

Below this, add an auth line to select the HMAC message digest algorithm. For this, SHA256 is a good choice:

auth SHA256

Finally, find the user and group settings and remove the “;” at the beginning of each to uncomment those lines:

user nobody
group nogroup

(Optional) Push DNS Changes to Redirect All Traffic Through the VPN

The settings above will create the VPN connection between the two machines, but will not force any connections to use the tunnel. If you wish to use the VPN to route all of your traffic, you will likely want to push the DNS settings to the client computers.

To do this, uncomment a few directives that will configure client machines to redirect all web traffic through the VPN. Find the redirect-gateway section and remove the semicolon “;” from the beginning of the redirect-gateway line to uncomment it:

push "redirect-gateway def1 bypass-dhcp"

Just below this, find the dhcp-option section. Again, remove the “;” from in front of both of the lines to uncomment them:

push "dhcp-option DNS"
push "dhcp-option DNS"

This should assist clients in reconfiguring their DNS settings to use the VPN tunnel as the default gateway.

(Optional) Adjust the Port and Protocol

By default, the OpenVPN server uses port 1194 and the UDP protocol to accept client connections. If you need to use a different port because of restrictive network environments that your clients might be in, you can change the port option. If you are not hosting web content on your OpenVPN server, port 443 is a popular choice since this is usually allowed through firewall rules.

# Optional!
port 443

Often, the protocol will be restricted to that port as well. If so, change proto from UDP to TCP:

# Optional!
proto tcp

If you have no need to use a different port, it is best to leave these two settings as their default.

(Optional) Point to Non-Default Credentials

If you selected a different name during the ./build-key-server command earlier, modify the cert and key lines that you see to point to the appropriate .crt and .key files. If you used the default server, this should already be set correctly:

cert server.crt
key server.key

When you are finished, save and close the file.

Step 8: Adjust the Server Networking Configuration

Next, we need to adjust some aspects of the server’s networking so that OpenVPN can correctly route traffic.

Allow IP Forwarding

First, we need to allow the server to forward traffic. This is fairly essential to the functionality we want our VPN server to provide.

We can adjust this setting by modifying the /etc/sysctl.conf file:

  • sudo nano /etc/sysctl.conf

Inside, look for the line that sets net.ipv4.ip_forward. Remove the “#” character from the beginning of the line to uncomment that setting:


Save and close the file when you are finished.

To read the file and adjust the values for the current session, type:

  • sudo sysctl -p

Adjust the UFW Rules to Masquerade Client Connections

If you followed the Ubuntu 16.04 initial server setup guide in the prerequisites, you should have the UFW firewall in place. Regardless of whether you use the firewall to block unwanted traffic (which you almost always should do), we need the firewall in this guide to manipulate some of the traffic coming into the server. We need to modify the rules file to set up masquerading, an iptables concept that provides on-the-fly dynamic NAT to correctly route client connections.

Before we open the firewall configuration file to add masquerading, we need to find the public network interface of our machine. To do this, type:

  • ip route | grep default

Your public interface should follow the word “dev”. For example, this result shows the interface named wlp11s0:

default via dev wlp11s0 proto static metric 600

When you have the interface associated with your default route, open the /etc/ufw/before.rules file to add the relevant configuration:

  • sudo nano /etc/ufw/before.rules

This file handles configuration that should be put into place before the conventional UFW rules are loaded. Towards the top of the file, add the OpenVPN lines shown below, from # START OPENVPN RULES through # END OPENVPN RULES. This will set the default policy for the POSTROUTING chain in the nat table and masquerade any traffic coming from the VPN:

Note: Remember to replace wlp11s0 in the -A POSTROUTING line below with the interface you found in the above command.

# rules.before
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to wlp11s0 (change to the interface you discovered!)
# 10.8.0.0/24 assumes the default "server 10.8.0.0 255.255.255.0" line of the sample server.conf
-A POSTROUTING -s 10.8.0.0/24 -o wlp11s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
. . .

Save and close the file when you are finished.

We need to tell UFW to allow forwarded packets by default as well. To do this, we will open the /etc/default/ufw file:

  • sudo nano /etc/default/ufw

Inside, find the DEFAULT_FORWARD_POLICY directive. We will change the value from DROP to ACCEPT:


Save and close the file when you are finished.

Open the OpenVPN Port and Enable the Changes

Next, we’ll adjust the firewall itself to allow traffic to OpenVPN.

If you did not change the port and protocol in the /etc/openvpn/server.conf file, you will need to open up UDP traffic to port 1194. If you modified the port and/or protocol, substitute the values you selected here.

We’ll also add the SSH port in case you forgot to add it when following the prerequisite tutorial:

  • sudo ufw allow 1194/udp
  • sudo ufw allow OpenSSH

Now, we can disable and re-enable UFW to load the changes from all of the files we’ve modified:

  • sudo ufw disable
  • sudo ufw enable

Our server is now configured to correctly handle OpenVPN traffic.
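
The following added example (not part of the original tutorial) checks the three changes from this step against each other: that net.ipv4.ip_forward=1 is active, that DEFAULT_FORWARD_POLICY is ACCEPT, and that the MASQUERADE rule in before.rules names the same interface as the default route. The function names, the sample file contents and the 10.8.0.0/24 source subnet are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the three Step 8 changes against each other.
# Function names and all sample file contents are constructed for illustration.

# Interface of the default route, read from `ip route` output on stdin.
default_route_iface() {
  awk '$1 == "default" {
         for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
       }'
}

# Value of an active KEY=VALUE line in file $1 (spaces and quotes stripped).
# Prints nothing when the key is absent or still commented out with '#'.
kv_value() (
  awk -F= -v key="$2" '
    /^[ \t]*#/ { next }
    { k = $1; gsub(/[ \t]/, "", k) }
    k == key { v = $2; gsub(/[ \t"]/, "", v); print v; exit }
  ' "$1"
)

# Outbound interface of every MASQUERADE rule in the nat table of file $1.
masquerade_ifaces() (
  awk '
    /^[ \t]*#/     { next }
    /^\*/          { table = substr($1, 2); next }
    $1 == "COMMIT" { table = ""; next }
    table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
      out = "(any)"; masq = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-o") out = $(i + 1)
        if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
      }
      if (masq) print out
    }
  ' "$1"
)

# Print one finding per line; no output means the files agree with the guide.
# Arguments: saved `ip route` output, sysctl.conf, /etc/default/ufw, before.rules
check_vpn_forwarding() (
  [ "$(kv_value "$2" net.ipv4.ip_forward)" = 1 ] ||
    echo "sysctl: net.ipv4.ip_forward=1 is not active"
  [ "$(kv_value "$3" DEFAULT_FORWARD_POLICY)" = ACCEPT ] ||
    echo "ufw: DEFAULT_FORWARD_POLICY is not ACCEPT"
  want=$(default_route_iface < "$1")
  have=$(masquerade_ifaces "$4")
  if [ -z "$have" ]; then
    echo "before.rules: no MASQUERADE rule in the nat table"
  elif ! printf '%s\n' "$have" | grep -qxF -- "$want"; then
    echo "before.rules: MASQUERADE leaves via $have, default route uses $want"
  fi
  :
)

# --- constructed sample files: forward policy untouched, and the interface
# --- name copied from the guide although the default route uses eth0
demo=$(mktemp -d)
echo 'default via 203.0.113.1 dev eth0 proto static' > "$demo/routes"
printf '%s\n' '#net.ipv4.conf.all.rp_filter=1' 'net.ipv4.ip_forward=1' > "$demo/sysctl.conf"
echo 'DEFAULT_FORWARD_POLICY="DROP"' > "$demo/ufw"
cat > "$demo/before.rules" <<'EOF'
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o wlp11s0 -j MASQUERADE
COMMIT
*filter
:ufw-before-input - [0:0]
COMMIT
EOF
check_vpn_forwarding "$demo/routes" "$demo/sysctl.conf" "$demo/ufw" "$demo/before.rules"
```

On a real server, save the output of ip route to a file and pass it together with /etc/sysctl.conf, /etc/default/ufw and /etc/ufw/before.rules.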

Step 9: Start and Enable the OpenVPN Service

We’re finally ready to start the OpenVPN service on our server. We can do this using systemd.

We need to start the OpenVPN server by specifying our configuration file name as an instance variable after the systemd unit file name. Our configuration file for our server is called /etc/openvpn/server.conf, so we will add @server to the end of our unit file when calling it:

  • sudo systemctl start openvpn@server

Double-check that the service has started successfully by typing:

  • sudo systemctl status openvpn@server

If everything went well, your output should look something like this:

● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2016-05-03 15:30:05 EDT; 47s ago
     Docs: man:openvpn(8)
  Process: 5852 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/ (code=exited, sta
 Main PID: 5856 (openvpn)
    Tasks: 1 (limit: 512)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─5856 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/

May 03 15:30:05 openvpn2 ovpn-server[5856]: /sbin/ip addr add dev tun0 local peer
May 03 15:30:05 openvpn2 ovpn-server[5856]: /sbin/ip route add via
May 03 15:30:05 openvpn2 ovpn-server[5856]: GID set to nogroup
May 03 15:30:05 openvpn2 ovpn-server[5856]: UID set to nobody
May 03 15:30:05 openvpn2 ovpn-server[5856]: UDPv4 link local (bound): [undef]
May 03 15:30:05 openvpn2 ovpn-server[5856]: UDPv4 link remote: [undef]
May 03 15:30:05 openvpn2 ovpn-server[5856]: MULTI: multi_init called, r=256 v=256
May 03 15:30:05 openvpn2 ovpn-server[5856]: IFCONFIG POOL: base= size=62, ipv6=0
May 03 15:30:05 openvpn2 ovpn-server[5856]: IFCONFIG POOL LIST
May 03 15:30:05 openvpn2 ovpn-server[5856]: Initialization Sequence Completed

You can also check that the OpenVPN tun0 interface is available by typing:

  • ip addr show tun0

You should see a configured interface:

4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
    link/none
    inet peer scope global tun0
       valid_lft forever preferred_lft forever

If everything went well, enable the service so that it starts automatically at boot:

  • sudo systemctl enable openvpn@server

Step 10: Create Client Configuration Infrastructure

Next, we need to set up a system that will allow us to create client configuration files easily.

Creating the Client Config Directory Structure

Create a directory structure within your home directory to store the files:

  • mkdir -p ~/client-configs/files

Since our client configuration files will have the client keys embedded, we should lock down permissions on our inner directory:

  • chmod 700 ~/client-configs/files

Creating a Base Configuration

Next, let’s copy an example client configuration into our directory to use as our base configuration:

  • cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Open this new file in your text editor:

  • nano ~/client-configs/base.conf

Inside, we need to make a few adjustments.

First, locate the remote directive. This points the client to our OpenVPN server address. This should be the public IP address of your OpenVPN server. If you changed the port that the OpenVPN server is listening on, change 1194 to the port you selected:

. . .
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote server_IP_address 1194
. . .

Be sure that the protocol matches the value you are using in the server configuration:

proto udp

Next, uncomment the user and group directives by removing the “;”:

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

Find the directives that set the ca, cert, and key. Comment out these directives since we will be adding the certs and keys within the file itself:

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key

Mirror the cipher and auth settings that we set in the /etc/openvpn/server.conf file:

cipher AES-128-CBC
auth SHA256

Next, add the key-direction directive somewhere in the file. This must be set to “1” to work with the server:

key-direction 1

Finally, add a few commented out lines. We want to include these with every config, but should only enable them for Linux clients that ship with a /etc/openvpn/update-resolv-conf file. This script uses the resolvconf utility to update DNS information for Linux clients.

# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf

If your client is running Linux and has an /etc/openvpn/update-resolv-conf file, you should uncomment these lines from the generated OpenVPN client configuration file.

Save the file when you are finished.

Creating a Configuration Generation Script

Next, we will create a simple script to compile our base configuration with the relevant certificate, key, and encryption files. This will place the generated configuration in the ~/client-configs/files directory.

Create and open a file called within the ~/client-configs directory:

  • nano ~/client-configs/

Inside, paste the following script:


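#!/bin/bash

# First argument: Client identifier

# Locations used earlier in this guide
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA cert, client cert, client key and
# tls-auth key, each wrapped in its inline tag, into one .ovpn profile
cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"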

Save and close the file when you are finished.

Mark the file as executable by typing:

  • chmod 700 ~/client-configs/

Step 11: Generate Client Configurations

Now, we can easily generate client configuration files.

If you followed along with the guide, you created a client certificate and key called client1.crt and client1.key respectively by running the ./build-key client1 command in step 6. We can generate a config for these credentials by moving into our ~/client-configs directory and using the script we made:

  • cd ~/client-configs
  • ./ client1

If everything went well, we should have a client1.ovpn file in our ~/client-configs/files directory:

  • ls ~/client-configs/files
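
The following added example (not part of the original tutorial) checks a generated profile against the server configuration from Step 7: it reports directives that are still commented out in server.conf, cipher or auth values the client does not mirror, a missing key-direction 1, and inline blocks left empty because a key or certificate file was missing. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check server.conf against a generated client profile.
# Function names and both sample files are constructed for illustration.

# Print the arguments of the first active occurrence of directive $2 in file $1.
# OpenVPN treats ';' and '#' as comment markers, so ";tls-auth ta.key 0" is off.
directive_value() (
  awk -v name="$2" '
    /^[ \t]*[#;]/ { next }
    { sub(/[ \t]+[#;].*$/, "") }
    $1 == name { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
    END { exit (found ? 0 : 1) }
  ' "$1"
)

# Succeed if inline block <$2>...</$2> in file $1 is closed and contains a
# "-----BEGIN" line. An empty block means the source file was missing.
inline_block_ok() (
  awk -v t="$2" '
    $0 == ("<" t ">")  { inside = 1; next }
    $0 == ("</" t ">") { closed = inside; inside = 0; next }
    inside && /^-----BEGIN / { material = 1 }
    END { exit (closed && material ? 0 : 1) }
  ' "$1"
)

# Print one finding per line; no output means the pair matches the guide.
audit_vpn_pair() (
  server=$1 client=$2
  for d in tls-auth cipher auth user group; do
    directive_value "$server" "$d" >/dev/null || echo "server: $d is not active"
  done
  ta=$(directive_value "$server" tls-auth) && case $ta in
    *" 0") ;;
    *) echo "server: tls-auth key direction should be 0" ;;
  esac
  [ "$(directive_value "$client" key-direction)" = 1 ] ||
    echo "client: key-direction 1 is not set"
  for d in cipher auth; do
    s=$(directive_value "$server" "$d") || continue   # reported above
    c=$(directive_value "$client" "$d") || c="(unset)"
    [ "$s" = "$c" ] || echo "client: $d is $c but server uses $s"
  done
  for tag in ca cert key tls-auth; do
    inline_block_ok "$client" "$tag" || echo "client: <$tag> block missing or empty"
  done
  :
)

# --- constructed samples: tls-auth and group left commented, auth not
# --- mirrored, and an empty <cert> block from a missing certificate file
demo=$(mktemp -d)
cat > "$demo/server.conf" <<'EOF'
port 1194
proto udp
key server.key  # This file should be kept secret
;tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC
auth SHA256
user nobody
;group nogroup
EOF
cat > "$demo/client1.ovpn" <<'EOF'
client
remote server_IP_address 1194
cipher AES-128-CBC
auth SHA1
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
placeholder, not a real certificate
-----END CERTIFICATE-----
</ca>
<cert>
</cert>
<key>
-----BEGIN PRIVATE KEY-----
placeholder, not a real key
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
placeholder, not a real key
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
audit_vpn_pair "$demo/server.conf" "$demo/client1.ovpn"
```

Against the files from this guide, the call would be audit_vpn_pair /etc/openvpn/server.conf ~/client-configs/files/client1.ovpn.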

Transferring Configuration to Client Devices

We need to transfer the client configuration file to the relevant device. For instance, this could be your local computer or a mobile device.

While the exact applications used to accomplish this transfer will depend on your choice and device’s operating system, you want the application to use SFTP (SSH file transfer protocol) or SCP (Secure Copy) on the backend. This will transport your client’s VPN authentication files over an encrypted connection.

Here is an example SFTP command using our client1.ovpn example. This command can be run from your local computer (OS X or Linux). It places the .ovpn file in your home directory:

  • sftp sammy@openvpn_server_ip:client-configs/files/client1.ovpn ~/

Here are several tools and tutorials for securely transferring files from the server to a local computer:

Step 12: Install the Client Configuration

Now, we’ll discuss how to install a client VPN profile on Windows, OS X, iOS, and Android. None of these client instructions are dependent on one another, so feel free to skip to whichever is applicable to you.

The OpenVPN connection will be called whatever you named the .ovpn file. In our example, this means that the connection will be called client1.ovpn for the first client file we generated.



Windows

The OpenVPN client application for Windows can be found on OpenVPN’s Downloads page. Choose the appropriate installer version for your version of Windows.

OpenVPN needs administrative privileges to install.

After installing OpenVPN, copy the .ovpn file to:

C:\Program Files\OpenVPN\config

When you launch OpenVPN, it will automatically see the profile and make it available.

OpenVPN must be run as an administrator each time it’s used, even by administrative accounts. To do this without having to right-click and select Run as administrator every time you use the VPN, you can preset this, but this must be done from an administrative account. This also means that standard users will need to enter the administrator’s password to use OpenVPN. On the other hand, standard users can’t properly connect to the server unless the OpenVPN application on the client has admin rights, so the elevated privileges are necessary.

To set the OpenVPN application to always run as an administrator, right-click on its shortcut icon and go to Properties. At the bottom of the Compatibility tab, click the button to Change settings for all users. In the new window, check Run this program as an administrator.


Each time you launch the OpenVPN GUI, Windows will ask if you want to allow the program to make changes to your computer. Click Yes. Launching the OpenVPN client application only puts the applet in the system tray so that the VPN can be connected and disconnected as needed; it does not actually make the VPN connection.

Once OpenVPN is started, initiate a connection by going into the system tray applet and right-clicking on the OpenVPN applet icon. This opens the context menu. Select client1 at the top of the menu (that’s our client1.ovpn profile) and choose Connect.

A status window will open showing the log output while the connection is established, and a message will show once the client is connected.

Disconnect from the VPN the same way: Go into the system tray applet, right-click the OpenVPN applet icon, select the client profile and click Disconnect.



OS X

Tunnelblick is a free, open source OpenVPN client for Mac OS X. You can download the latest disk image from the Tunnelblick Downloads page. Double-click the downloaded .dmg file and follow the prompts to install.

Towards the end of the installation process, Tunnelblick will ask if you have any configuration files. It can be easier to answer No and let Tunnelblick finish. Open a Finder window and double-click client1.ovpn. Tunnelblick will install the client profile. Administrative privileges are required.


Launch Tunnelblick by double-clicking Tunnelblick in the Applications folder. Once Tunnelblick has been launched, there will be a Tunnelblick icon in the menu bar at the top right of the screen for controlling connections. Click on the icon, and then the Connect menu item to initiate the VPN connection. Select the client1 connection.



Linux

If you are using Linux, there are a variety of tools that you can use depending on your distribution. Your desktop environment or window manager might also include connection utilities.

The most universal way of connecting, however, is to just use the OpenVPN software.

On Ubuntu or Debian, you can install it just as you did on the server by typing:

  • sudo apt-get update
  • sudo apt-get install openvpn

On CentOS you can enable the EPEL repositories and then install it by typing:

  • sudo yum install epel-release
  • sudo yum install openvpn


Check to see if your distribution includes a /etc/openvpn/update-resolv-conf script:

  • ls /etc/openvpn

Next, edit the OpenVPN client configuration file you transferred:

  • nano client1.ovpn

Uncomment the three lines we placed in to adjust the DNS settings if you were able to find an update-resolv-conf file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

If you are using CentOS, change the group from nogroup to nobody to match the distribution’s available groups:

group nobody

Save and close the file.

Now, you can connect to the VPN by just pointing the openvpn command to the client configuration file:

  • sudo openvpn --config client1.ovpn

This should connect you to your server.



iOS

From the iTunes App Store, search for and install OpenVPN Connect, the official iOS OpenVPN client application. To transfer your iOS client configuration onto the device, connect it directly to a computer.

Completing the transfer with iTunes will be outlined here. Open iTunes on the computer and click on iPhone > apps. Scroll down to the bottom to the File Sharing section and click the OpenVPN app. The blank window to the right, OpenVPN Documents, is for sharing files. Drag the .ovpn file to the OpenVPN Documents window.

Now launch the OpenVPN app on the iPhone. There will be a notification that a new profile is ready to import. Tap the green plus sign to import it.

OpenVPN is now ready to use with the new profile. Start the connection by sliding the Connect button to the On position. Disconnect by sliding the same button to Off.

The VPN switch under Settings cannot be used to connect to the VPN. If you try, you will receive a notice to only connect using the OpenVPN app.



Android

Open the Google Play Store. Search for and install Android OpenVPN Connect, the official Android OpenVPN client application.

The .ovpn profile can be transferred by connecting the Android device to your computer by USB and copying the file over. Alternatively, if you have an SD card reader, you can remove the device’s SD card, copy the profile onto it and then insert the card back into the Android device.

Start the OpenVPN app and tap the menu to import the profile.

Then navigate to the location of the saved profile (the screenshot uses /sdcard/Download/) and select the file. The app will make a note that the profile was imported.


To connect, simply tap the Connect button. You’ll be asked if you trust the OpenVPN application. Choose OK to initiate the connection. To disconnect from the VPN, go back to the OpenVPN app and choose Disconnect.

Step 13: Test Your VPN Connection

Once everything is installed, a simple check confirms everything is working properly. Without having a VPN connection enabled, open a browser and go to DNSLeakTest.

The site will return the IP address assigned by your internet service provider, which is how you appear to the rest of the world. To check your DNS settings through the same website, click on Extended Test and it will tell you which DNS servers you are using.

Now connect the OpenVPN client to your Droplet’s VPN and refresh the browser. The completely different IP address of your VPN server should now appear. That is now how you appear to the world. Again, DNSLeakTest’s Extended Test will check your DNS settings and confirm you are now using the DNS resolvers pushed by your VPN.

Step 14: Revoking Client Certificates

Occasionally, you may need to revoke a client certificate to prevent further access to the OpenVPN server.

To do so, enter your CA directory and re-source the vars file:

  • cd ~/openvpn-ca
  • source vars

Next, call the revoke-full command using the client name that you wish to revoke:

  • ./revoke-full client3

This will show some output, ending in error 23. This is normal and the process should have successfully generated the necessary revocation information, which is stored in a file called crl.pem within the keys subdirectory.

Transfer this file to the /etc/openvpn configuration directory:

  • sudo cp ~/openvpn-ca/keys/crl.pem /etc/openvpn

Next, open the OpenVPN server configuration file:

  • sudo nano /etc/openvpn/server.conf

At the bottom of the file, add the crl-verify option, so that the OpenVPN server checks the certificate revocation list that we’ve created each time a connection attempt is made:

crl-verify crl.pem

Save and close the file.

Finally, restart OpenVPN to implement the certificate revocation:

  • sudo systemctl restart openvpn@server

The client should no longer be able to successfully connect to the server using the old credential.

To revoke additional clients, follow this process:

  1. Generate a new certificate revocation list by sourcing the vars file in the ~/openvpn-ca directory and then calling the revoke-full script on the client name.
  2. Copy the new certificate revocation list to the /etc/openvpn directory to overwrite the old list.
  3. Restart the OpenVPN service.

This process can be used to revoke any certificates that you’ve previously issued for your server.
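Why revoke-full ends in error 23, shown on a throwaway CA (an added example, not part of the original tutorial or of easy-rsa): the script finishes by verifying the revoked certificate against the new CRL, and 23 is OpenSSL's code for "certificate revoked". The demo CA, its file layout and the function names are constructed for illustration and use plain openssl commands instead of the easy-rsa scripts.

```shell
#!/usr/bin/env bash
# Added example with constructed data: a throwaway CA in a temp directory.
# Nothing here reads or writes ~/openvpn-ca or /etc/openvpn.
set -eu

# Create the CA key and certificate, the database files `openssl ca` uses to
# track issued and revoked certificates, and an initial (empty) CRL.
setup_demo_ca() {
    d=$1
    mkdir -p "$d/db"
    : > "$d/db/index.txt"
    echo 01 > "$d/db/serial"
    echo 01 > "$d/db/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $d/db/index.txt
new_certs_dir    = $d/db
serial           = $d/db/serial
crlnumber        = $d/db/crlnumber
certificate      = $d/ca.crt
private_key      = $d/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
unique_subject   = no
policy           = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo CA" -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>>"$d/openssl.log"
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>>"$d/openssl.log"
}

# Generate a key and CSR for a client, then sign the CSR with the demo CA.
issue_client() {
    d=$1; name=$2
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$name" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>>"$d/openssl.log"
    openssl ca -batch -notext -config "$d/ca.cnf" \
        -in "$d/$name.csr" -out "$d/$name.crt" 2>>"$d/openssl.log"
}

# Mark the certificate revoked in the CA database and regenerate the CRL.
# The CRL is a complete list, which is why the tutorial overwrites the old copy.
revoke_client() {
    d=$1; name=$2
    openssl ca -config "$d/ca.cnf" -revoke "$d/$name.crt" 2>>"$d/openssl.log"
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>>"$d/openssl.log"
}

# Verify a client certificate against the CA with CRL checking enabled.
# Prints "valid", "revoked" (OpenSSL verify error 23) or "error".
cert_status() {
    d=$1; name=$2
    out=$(openssl verify -CAfile "$d/ca.crt" -CRLfile "$d/crl.pem" \
        -crl_check "$d/$name.crt" 2>&1) || true
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo error ;;
    esac
}

demo=$(mktemp -d)
setup_demo_ca "$demo"
issue_client "$demo" client1
issue_client "$demo" client3
echo "before revocation: client3 is $(cert_status "$demo" client3)"
revoke_client "$demo" client3
echo "after revocation:  client3 is $(cert_status "$demo" client3)"
echo "unrelated client:  client1 is $(cert_status "$demo" client1)"
# Serial numbers currently listed in the CRL
openssl crl -in "$demo/crl.pem" -noout -text | grep 'Serial Number'
rm -rf "$demo"
```

On the server itself, `openssl crl -in /etc/openvpn/crl.pem -noout -text` lists the serial numbers in the copy OpenVPN is reading, which confirms that the file you copied is the regenerated one.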


Congratulations! You are now securely traversing the internet protecting your identity, location, and traffic from snoopers and censors.

To configure more clients, you only need to follow steps 6 and 11-13 for each additional device. To revoke access to clients, follow step 14.


  • Thanks!
    BTW, if it's not working for someone, this script may do the trick:

    • Hey, how secure is this?
      How do we know it’s not adding some funny logging/calling home setup in the background?

      Sorry about the noob question.

    • Thanks, your open-vpn installed worked flawlessly on Digital Ocean. I couldn’t get the step-by-step running (my ip route | grep default kept reporting eth0 as my public interface - think that was a problem). In any event, OpenVPN on PC connected no worries.

    • yeah thanks the script works perfect for me too. I’ve tipped you also. I was not able to get things working by following the guide here (to the letter!), so you’ve been really helpful :)

    • I’ve followed this tutorial step by step and managed to install and connect to the VPN, however after I was connected I couldn’t do anything except ssh to server ip. After using the script you provided everything works okay, thanks :)

      (Also I’m writing this from the server)

    • Thank god for this script… after doing this 100 times over and over again and it not working, tried your script worked right away lol my issue was : Mar 24 15:24:15 bradVPN ovpn-server[2236]: TLS Error: reading acknowledgement record from packet

    • wow, I spent hours on above tutorial, not sure where I went wrong but it didn’t work for me at step 11 (error: line 21: -----END: command not found ./ line 36: /dev/fd/63: Permission denied, tried sudo, same)

      This script worked perfectly!! All these in less than a minute! Thank you so much!!

    • After I started a new droplet, this worked flawlessly. I tried for three frikkin days…
      Forget RTFM. RTFC

    • There’s something wrong with this tutorial somewhere. Been trying to setup using this tutorial to the letter but after countless retries, I finally gave up and used the script above. Took only seconds. Thank you!

    • Worked PERFECTLY. After installing it, just tweak ufw, etc.

    • Thank you very much!

    • how can I run the script on the server?

    • hi
      I run an OpenVpn service on my Ubuntu VPS by following this article.
      service is activate successfully. but I can’t connect to that by my client Debian machine.
      the connection failed error is here:

      ERROR: Private key password verification failed.
      Exiting due to fatal error.

    • This ran just fine. My question is, how do you then generate the file for iphone?

    • I’m talking about the ovpn file. The VPN is running, but now how to do the ovpn generation?

    • At last it works!) Thanks for the script. I tried following this tutorial step by step before but didn’t succeed.

  • Works great, thanks !!

    But if I want more than one client to connect, how do I create login for another one?

  • Thanks for making an updated guide for the new LTS release!!

    If anyone else is having trouble with iOS setup using OpenVPN Connect, you need to remove all of the [inline] options (ca, cert, key, tls-auth) and just leave the embedded certificates there. I chose to just comment the lines out in the config, but you can delete them as well.

    • I think I’m having this issue, iOS devices “connect” to the VPN, but the IP addresses are not changed.

      I can connect successfully on my laptop, but not on iOS. I tried to delete the inline options, but that seems to have broken the ovpn file. Any help would be awesome.

      • Ok, I’ve fixed it. It was a different issue, I needed to route all client traffic through the VPN. Simple enough to add:

        push "redirect-gateway def1"

        To the server.conf.

  • You could also use this, deploy an OpenVPN Endpoint with a single command.

  • If you want a GUI – Pritunl is great also, as is OpenVPN Access Server.

  • OpenVPN still defaults to BF-CBC which hasn’t been broken yet but as a good practice it would be best to use AES-128-CBC; you will at least get an advantage since many CPUs hardware optimize AES, not to mention it’s got more eyeballs looking at it and is ‘battle hardened’.

    Using the additional directive “auth SHA256” will use SHA2 instead of SHA1 for message authentication; the latter is now considered cryptographically broken.

    More hardening tips:

  • Great tutorial.....on my Androids I am getting “Error reading multiple files referenced by profile: [inline], [inline], [inline], [inline]” can I correct that?

  • is there a solution if the net provider here prevents UDP connection ?

  • I’ve strictly followed this guide on a newly created Ubuntu 16.04 system, although I had to leave out the [inline] directives (I commented out those lines) to be able to get the ovpn profile working on iOS. I can now successfully set up a connection from an iPad to the server, however once OpenVPN is connected, I can’t actually browse the web. The syslog and ufw.log files don’t seem to report anything unexpected. How can I best approach debugging this issue?

  • Thanks!

    Can you add a Username & Password to the openvpn config? So that not everyone can logon who has the config

  • Great tutorial. However, I have a couple of suggestions that I think are very important. First, you should note that if you use a name other than “server”, you will have to change information in the server’s config file in order to get up and running by pointing to the correct .key and .crt files. OpenVPN will fail to start if you do not do so.

    The other suggestion is related to the order in which you give instructions when setting up routing. You should be getting the interface name before even going into the ufw rules. It doesn’t really make sense to open the file, edit it, exit and save the file, use the command to find interface name, go back into file, edit it and then save it again. Interface name > Edit File > Save file and done.

    Thanks for taking the time to create this tutorial!!!

  • I’m kind of confused here. Tried to setup OpenVPN on an Ubuntu server 16.04 using this guide except I used 443/tcp for the vpn port. I got the .ovpn file on my phone and it connects fine but does not load any web pages. Help is much appreciated.

  • I’m having the same problem as gecko40. Followed the instructions, but specified tcp on the default port instead of udp. I can connect fine, just can’t view any web pages. Any ideas?

  • On OS X with an iOS device you can also AirDrop the client1.ovpn file and open it in OpenVPN Client on the phone/tablet. A little easier than iTunes transfer

  • For those experiencing DNS leaks, I found appending these three lines into the .ovpn file fixed it:
    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

  • I am in China at the moment. It’s working mostly as expected: I can access youtube, facebook, etc. If I go to Wolfram Alpha and ask “where am I” it would give me the VPN server location, as expected. But if I go to, I’d get forwarded to their Chinese site. I am on a Mac and I have tried several browsers. They all forwarded me to the Chinese site. How does skype know that I am in China? I thought all traffic in VPN goes through the VPN server.
    Using Pure OpenVPN:

  • This is a very nice howto and I could configure the server and client without much trouble. However, I do not want the client traffic to be redirected through the VPN, but only the clients to be able to connect to each other through the VPN, while accessing the internet directly from their respective connections.

    I commented back the “push” instructions and uncommented the “client-to-client” one, but to no avail…

    How should I do?

  • I have TLS problem when I try to connect Windows 10 client to my ubuntu openvpn server.

    See my problem there:

    Can someone help me?

  • Thank you for the incredible guide! It was easy to get my OpenVPN server up and running.

    Quick question.. Is there a configuration somewhere to have OpenVPN prevent clients from accessing the local network? I would like to forward internet traffic only.

  • Is it possible to enable and use IPv6?
    My internet connection doesn’t have IPv6, but I wish to use Digital Ocean as an IPv6 tunnel.

  • i have all install finish , when i configer in client pc in windows 8 then all ok connection but not working web pages i think this my problems in ufw can you tell me if i ufw off this then also not working ?

  • I followed these and now I can’t connect my server via ssh :)

    • I have the same problem.
      Have you found a solution?

      The only way to do it I found is to use “Access console” option in DO control panel. But I need to allow password (not CA) access for SSH user, that’s bad.
      I think the problem is somewhere in routing/firewall configuration.

      • Commented out all new lines in /etc/ufw/before.rules and ALL now works. Do I really need them?..

      • The issue is because the commands reset the firewall and only the ports for the VPN are opened.

        There is no way to recover the VPS, you will need to destroy it and start over again.

        When you reach the stage of the ufw commands, after disabling and enabling the ufw, run these commands to regain access again to SSH:

        sudo ufw allow 22/tcp
        sudo ufw allow 22/udp

        That should restore the SSH connection, if you are still connected to the VPS.

  • Thank you very much for your excellent guide. It was easy to get my OpenVPN server up and running.
    How to set static IP Addresses for clients?

  • I keep getting “openvpn@server.service failed because the control process exited with error code”
    when I try to start the server. Can you please help..........!!!!!!!!!!!!?????

  • Thanks for the guide..
    When I create client1, client2 and client3
    Now I just need 2 clients..
    Can I remove client3..
    If I can, how to remove it..
    This is my first time installing ovpn..
    Before that using pritunl..

    • @weethai Hello! Good question.

      To revoke OpenVPN access for a certificate you’ve signed, first you’ll need to go to the CA directory you created and re-source the vars file:

      • cd ~/openvpn-ca
      • source vars

      Afterwards, you can call the revoke-full command with the client you wish to revoke:

      • ./revoke-full client3

      This will show some output, ending in error 23. This is normal, so don’t worry. This will generate a certificate revocation list in the keys subdirectory called crl.pem.

      Transfer this file to your OpenVPN configuration directory:

      • sudo cp ~/openvpn-ca/keys/crl.pem /etc/openvpn

      Now, open the OpenVPN server configuration file:

      • sudo nano /etc/openvpn/server.conf

      At the bottom of the file, add this line so that the server checks client connections against the generated certificate revocation list each time:

      . . .
      crl-verify crl.pem

      Save and close the file.

      Restart OpenVPN to implement the changes:

      • sudo systemctl restart openvpn@server

      Your client should now no longer have access to make new connections to the OpenVPN server.

      To revoke additional clients, you will need to:

      1. Generate a new certificate revocation list by sourcing the vars file in the ~/openvpn-ca directory and then calling the revoke-full script on the client name.
      2. Copy the new certificate revocation list to /etc/openvpn
      3. Restart the OpenVPN service.

      Hope that helps.

      • Thanks..
        I did it..
        Now I'm trying using auth password…
        In the cert I remove all client cert..
        just using user and pass to connect..
        Any it work well..
        Also just a few seconds to remove user..
        Using webmin to add user ..
        Sorry for my poor language..

  • Thank you for putting this together. Excellent how to, the install and configuration went without a hitch!

    Step 6: Generate a Client Certificate and Key Pair suggests that we can generate client certs on client machines or a local administrator’s machine, then sign the cert with the server/CA cert. Can you provide some instruction on how to do this in the context of the how to, if we choose to go the more “complicated” route for security reasons?

    Thanks again, all the DigitalOcean documentation is great!

  • Nice article!
    Btw I wasn’t able to ssh to my freshly spun server after following this tutorial, found out that the ufw only allows UDP connection thus blocking any new ssh connection. Need to execute ufw allow ssh via web console.

    Tried to connect via ios device but got connection timeout from OpenVPN app

    Server log:
    Jul 08 07:04:33 vpn ovpn-server[1005]: [IP_ADDR]:58639 TLS Error: TLS key negotiation failed
    Jul 08 07:04:33 vpn ovpn-server[1005]: [IP_ADDR]:58639 TLS Error: TLS handshake failed
    Jul 08 07:04:33 vpn ovpn-server[1005]: [IP_ADDR]:58639 SIGUSR1[soft,tls-error] received,
    Jul 08 07:04:43 vpn ovpn-server[1005]: [IP_ADDR]:51523 TLS Error: TLS key negotiation failed
    Jul 08 07:04:43 vpn ovpn-server[1005]: [IP_ADDR]:51523 TLS Error: TLS handshake failed

    Any suggestion?

  • Should I be running ./clean-all every time I login to create new client certs? Or is that something we do once in the very beginning? The ~/openvpn-ca/keys folder is growing, and I just want to make sure that I’m not supposed to be cleaning it out periodically.

    • @scottie Good question. No, you should not be doing that. The ./clean-all will remove all of the contents from your ~/openvpn-ca/keys directory, which includes all of your CA information. Granted, since OpenVPN only pays attention to the files we copy, your setup would still work. However, it might lead to breakage down the road as you try to revoke keys that no longer exist, etc. You should only run the ./clean-all script if you want to start over from scratch.

  • Hey,

    I’m actually setting up the VPN in my ubuntu vm. It does not support systemctl command that comes in step 9. Im really a noobie to this linux world, can anyone help me about an alternative for this? Stuck at this point and not able to move forward. Thanks!!

    • @hulkbuster: If the systemctl command is not available, that’s almost always a sign that you are trying to complete this guide using a different, incompatible version of Ubuntu. If you happen to be using Ubuntu 14.04, this guide would probably work out better for you.

  • This is the worst article I’ve seen from, can you please get someone like James who wrote the OpenVPN installation on Ubuntu 14.04 ( to re-write this article??

  • If OpenVPN fails to start and gives you the error:

    daemon() failed or unsupported: Resource temporarily unavailable (errno=11)

    You’ll find the solution here at Ask Ubuntu

  • I was wondering if anyone knows how to audit OpenVPN connections? I’d like to understand how my OpenVPN server is being used, since I have multiple users accessing the server for VPN services. I’d like to understand things like who, when, how long, and any other details about the connect like IP addresses, etc. Thoughts? Thank you!

  • i have below errors, could someone help pls?

    Authenticate/Decrypt packet error: packet HMAC authentication failed
    TLS Error: incoming packet authentication failed from [AF_INET]

  • Very nice! I have a question: How can I redirect clients’ traffic only to a certain site, instead of all the internet traffic? For example: I want to redirect only the traffic to, but all the other traffic does not go through the VPN. Thanks

  • Thanks for the tutorial :D

  • After following this tutorial I lost SSH and SFTP access to my server. I followed the tutorial exactly, but I lost all access to my server and had to destroy it.

    If you could please fix this tutorial so other people don’t lose their servers that would be great.

    • I found a fix: you need to manually re-add the SSH ports after modifying the firewall:

      sudo ufw allow 22/tcp
      sudo ufw allow 22/udp

  • How do I add support for ipv6? My ipv6 address gets exposed since that isn’t being routed through the tunnel?

  • I’m running windows client, should I be uncommenting out the user and group?
    I followed the tutorial, was able to connect with openvpn, but without internet access after connection. Help?

  • I have tried many so called tutorials for OpenVPN this works.

    Thank You!

  • Hello my computer is on Ubuntu, how can I use the ovpn file on my Ubuntu to connect to my VPN droplet?

  • I followed this guide to the T I was logged in under root when I did this guide.... when i got to the end to copy the file over from my ubuntu server using mac OS X terminal using sftp - i ran the command but it said no such file or directory - I then moved the opencpv.conf from where it was under some folder under the root and moved it to /home/ronnie etc… and it created the directory and it moved the file.

    I was able to get it copied over to my mac book pro using the sftp command. but when I open the openvpn file using tunnel block - it doesn’t connect and the log on tunnel block shows

    File will self-destruct in 1 week… Also, I’m very new to ubuntu and all of this please bear with me and if there is info in the log that should not be showing please let me know ASAP


  • While executing command:
    sudo systemctl start openvpn@server

    I got error :

    Failed to start openvpn@server.service: Unknown unit: openvpn@server.service
    See system logs and ‘systemctl status openvpn@server.service’ for details.

    Please help. Thank you.

    • @arunnk: In the sudo systemctl start openvpn@server command, the server is taken from the name of the .conf file in the /etc/openvpn directory. In the guide, the gunzip command created the /etc/openvpn/server.conf file, which we then edited. Check to make sure that file is in your /etc/openvpn directory.

  • Getting error in the begining after build-key-server:

    skobkin@vpn:~/openvpn-ca$ ./build-key-server 
    /home/skobkin/openvpn-ca/pkitool: 293: shift: can't shift that many

  • Hi. Good Tutorial. I would like to setup openvpn for this scenario: I will have 10 droplets with their external(public) interfaces disabled. I need an openvpn configuration that only tunnels traffic to those droplets, not to the internet. What changes need to be made to the configuration on the tutorial?

  • Thank you for the useful guide.

    Just a small point, if you have not followed the “Initial Server Setup with Ubuntu 16.04” (as I had not) then you may not have turned on your firewall. So I could establish an openvpn connection but not get any data back.

    I needed to run the following commands:

    sudo ufw allow OpenSSH
    sudo ufw enable

    You can tell if your firewall is enabled by running

    sudo ufw status

  • Thanks for the great tutorial. I followed the instruction step by step. After that, I can successfully connect to the vpn server. BUT, the speed is extremely slow, i.e. in 20B/s, out 50B/s. Any idea anything I can do to optimize the setup? Many thanks.

  • In this tutorial, how about using username & password?
    Because everyone who get the key, can login to the our network vpn. Thanks.

  • If you want to condense the entire client creation process you can place this script in your home directory [cd ~ && touch && chmod +x && nano]

    [hashtag]!/usr/bin/env bash
    . ./openvpn-ca/vars
    ./openvpn-ca/build-key ${1}
    ./client-configs/ ${1}

    And execute as: ./ username

    Make sure to preserve the exact text or the script might not work [shebang should include “bash” or source command might break]. Replace [hashtag] with # since it’s not rendering in comments.

    Thank you for your very instructive guides as always: they’re awesome. I suggest increasing dhparam to 4096 and increasing key size to 4096 in openvpn-ca/vars. Also this tutorial has some tips about ciphers you might wish to implement: Enabling duplicate-cn might make it easier for users with multiple devices so that they can use only one identity / config file. And lastly, a simple mention about switching to 443/tcp might help many users in getting around restrictive firewalls. Just a few thoughts. Thanks again! :)

  • On Step 6, I cannot get it to build-key. I keep getting this error:
    pkitool: Need a readable ca.crt and ca.key in /root/openvpn-ca/keys
    Try pkitool --initca to build a root certificate/key.

  • DNS is not responding. i have server in digital ocean. when i connect to vpn internet goes off. Hitting the ip works but not the names.

  • i am not able to access the internet after that. DNS is not responding.


    server-ipv6 fd00:b956:4dc2::/64
    push "route-ipv6 2000::/3"
    push "dhcp-option DNS 2001:4860:4860::8888"
    push "dhcp-option DNS 2001:4860:4860::8844"


    # NAT table rules
    # Allow traffic from OpenVPN client to eth0
    -A POSTROUTING -s fd00:b956:4dc2::/64 -o eth0 -j MASQUERADE
    -A POSTROUTING -s fd00:b956:4dc2::/64 -o tun+ -j SNAT --to-source 2a03:7720::1fe


    • Thank you so much for this! I’ve been looking everywhere but couldn’t find anything but this worked.
      For anyone else out there I was trying to connect to an ipv6 only website but couldn’t reach it since my ISP doesn’t provide IPv6 yet. Using this setup I’m able to reach the website.

    • 6to4 IPv6 no Nat

         auto tun6to4
         iface tun6to4 inet6 6to4
      # Local IP
         mtu 1280


      server-ipv6 2002:6810:1904::/64
      push "route-ipv6 2000::/3"
      push "dhcp-option DNS 2001:4860:4860::8888"
      push "dhcp-option DNS 2001:4860:4860::8844"




  • Hi Justin,

    many thanks! It’s the first tutorial that I used and can connect my pc to my Pi. Maybe I missed something but on step 13 I get no difference either connected or not. Would you happen to have a suggestion for more exhaustive testing I could do and of course record and/or log? What I have in mind is to use the OpenVPN server to connect all members of the family to some kind of private family cloud (maybe OwnCloud). I understand some networks may block this and even my own ISP provider may not allow this. How can I find out about all this stuff?


  • Having problems with
    Afterwards, we can generate an HMAC signature to strengthen the server’s TLS integrity verification capabilities:

    openvpn --genkey --secret keys/ta.key

    Got this

    Command 'openvpn' is available in '/usr/sbin/openvpn'
    The command could not be located because '/usr/sbin' is not included in the PATH environment variable.
    This is most likely caused by the lack of administrative privileges associated with your user account.
    openvpn: command not found

    • @zybik: Does the account you are logged in as have sudo privileges? If not, you will not be able to complete this guide. This is the most likely reason that /usr/sbin is not in your PATH.

      If you do have sudo privileges but /usr/sbin is not in your PATH for some reason, you will likely want to modify the PATH variable to include /usr/sbin. You can do this by typing:

      • echo "PATH=$PATH:/usr/sbin" >> ~/.bashrc
      • source ~/.bashrc

      Or, on the short term, you can call the executable with a full path like:

      • /usr/sbin/openvpn --genkey --secret keys/ta.key

      Hope that helps.

  • I followed this OpenVPN setup exactly and it worked perfectly!
    I tested it by using the OpenVPN Windows client instructions.

    That’s great - but I wanted to connect using my Tomato router client.

    After a few hours of trial and error - I finally got Tomato configured correctly!

    Here are the Tomato OpenVPN Client settings that worked for me:

    Interface Type: TUN
    Protocol: UDP
    Server Address/Port: Port 1194 (Your Droplet IP)
    Firewall: Automatic
    Authorization Mode: TLS
    Username/Password Authentication: [X] (check)
    Username: root
    Password: •••••••••
    Username Authen: [ ] (uncheck)

    Extra HMAC authorization (tls-auth): Outgoing (1)
    Create NAT on tunnel [X] (check)

    Poll Interval: 0
    Redirect Internet traffic [X] (check)
    Accept DNS configuration: Disabled

    Encryption cipher: BF-CBC (Note: AES-128-CBC didn’t work)
    Compression: Enabled

    TLS Renegotiation Time: -1
    Connection retry: -1
    Verify server certificate (tls-remote): [ ] (uncheck)

    Custom Configuration: tun-mtu 1500 (type this in the “custom” box)

    “KEYS” TAB
    Copy each key from your client1.ovpn file to the corresponding text box.

    That’s it!

  • When I ran sudo ufw allow OpenSSH I got an error message: ERROR: Could not find a profile matching ‘OpenSSH’

    Another issue I encounter was after I ran sftp tim@openvpn_server_ip:client-configs/files/client1.ovpn ~/ I received the message ssh: Could not resolve hostname openvpnserverip: Name or service not known
    Couldn’t read packet: Connection reset by peer

    Thanks for any help in advance! I tried running the second command again and it wouldn’t terminate so I had to ctrl + c it myself

  • Getting a DNS leak after following this. Any fix?

    • I’m also having a DNS leak after following the tutorial.

      When I start the connection on client I get this error:

      ERROR: Linux route add command failed: external program exited with error status: 2

      and when I stop the connection:

      Sat Oct  1 23:52:13 2016 /sbin/ip route del
      RTNETLINK answers: Operation not permitted
      Sat Oct  1 23:52:13 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
      Sat Oct  1 23:52:13 2016 /sbin/ip route del
      RTNETLINK answers: Operation not permitted
      Sat Oct  1 23:52:13 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
      Sat Oct  1 23:52:13 2016 /sbin/ip route del
      RTNETLINK answers: Operation not permitted
      Sat Oct  1 23:52:13 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
      Sat Oct  1 23:52:13 2016 /sbin/ip route del
      RTNETLINK answers: Operation not permitted
      Sat Oct  1 23:52:13 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
      Sat Oct  1 23:52:13 2016 Closing TUN/TAP interface
      Sat Oct  1 23:52:13 2016 /sbin/ip addr del dev tun0 local peer
      RTNETLINK answers: Operation not permitted
      Sat Oct  1 23:52:13 2016 Linux ip addr del failed: external program exited with error status: 2
      Sat Oct  1 23:52:13 2016 /etc/openvpn/update-resolv-conf tun0 1500 1570 init
      rm: cannot remove 'tun0.openvpn': Permission denied
      Sat Oct  1 23:52:13 2016 WARNING: Failed running command (--up/--down): external program exited with error status: 1
      Sat Oct  1 23:52:13 2016 Exiting due to fatal error

      What would be the problem?

  • Hi. I have been using that script from road warrior for about a month. It was very easy to set up and get working. The only problem I’m having is that it’s very slow when connected to the VPN. Any ideas would be a great help. Thanks.....

  • Thanks for this, very helpful.

    Mine will fail on step 9 - sudo systemctl start openvpn@server

    Changing “dh dh1024.pem” to “dh dh2048.pem” in server.conf allows it to start

    Does that sound right? Or am I just masking a different problem?

  • Hello, I am having some issues with copying client1.opvn file over to my mac. Any help, suggestions or if you want me to run some commands please let me know. Thank you

  • Great tutorial Justin, easy to follow with lots of notes and explanations - superb for linux beginners like myself. Thanks a lot!

    I wonder if you could do another tutorial or instruct me on how to configure OpenVPN and Firewall for Multicast? and IGMP? (as I’ve read somewhere) for the Kodi uPNP server to be discoverable by the client connected to the OpenVPN server?

  • Good Tuto :-)
    If you want another easy install with docker :

  • Does this setup allow computers connected to the VPN to see each other? I am a little confused on the commonly accepted use of the term VPN, I was always under the impression that a VPN was the equivalent of a LAN over the internet; creating a private network where computers could safely communicate separate of the normal WAN open network. And it was to my understanding that a secure server in which you could connect and traverse the internet “safely” was a proxy. Does OpenVPN make them one and the same or something?

    Using something like Hamachi gives the typical usage for a VPN, just a secured private network of systems without external access via the VPN server, but the way you talk about OpenVPN it sounds like you get the best of both worlds? If that is truly the case, can you also setup OpenVPN to only work as a private network without access to the outside world via the VPN?

    • @purchases VPN is a flexible technology that can be configured in many different ways. In this guide, we use it to encrypt and tunnel all communication between the client and server. This does function somewhat like a proxy, but there are some differences.

      Proxies typically have to be configured on an application-by-application basis. If you want to use the proxy, you’ll have to adjust your web browser’s connection settings. If you need another application to use the proxy, you’ll have to do additional configuration in that application’s settings. Not all applications have settings for configuring proxies however, and the case-by-case basis can be painful and unwieldy to manage. In addition, many proxies are not encrypted.

      VPNs, when configured like this article, are capable of routing all traffic through the encrypted tunnel. This means that you can use your applications as normal without any special configuration: the traffic will simply be routed through the VPN and exit on the server’s end. This simplifies the process and makes it a more holistic solution for securely routing traffic.

      As I said though, VPNs are flexible. The private networking features you speak of were probably the initial intended use-case, but they’re now used frequently for the secure routing like this article. You can modify the configuration here though to get the private networking features you’d like.

      On the server side, in the /etc/openvpn/server.conf file, you can uncomment the client-to-client line so that clients can communicate with and discover one another. If you want to disable the behavior where clients are configured to send all traffic through the VPN (allowing clients to choose which traffic to send through), you can comment out the push "redirect-gateway def1 bypass-dhcp" line and the push "dhcp-option DNS" and push "dhcp-option DNS" lines:

      • sudo nano /etc/openvpn/server.conf
      # push "redirect-gateway def1 bypass-dhcp"
      . . .
      # push "dhcp-option DNS"
      # push "dhcp-option DNS"
      . . .

      Restart the service to implement the changes you made:

      • sudo systemctl restart openvpn@server

      That should hopefully configure everything in the way you were mentioning. Hope that helps!

      • @jellingwood Thanks for the comprehensive answer, it is exactly what I had in mind because I don’t intend to secure all my traffic through the tunnel or sometimes I don’t need tunnelling at all although I’d like to keep my client machines together.

        I have already applied the client-to-client setting but I am not sure whether it works or not. I was hoping that I will see the remote clients in the Network section in Finder but there is nothing else there besides my RasPi, not even the DO server which is the vpn host. What is the direct effect of enabling client-to-client?

        Another question is related to your statement above: allowing clients to choose which traffic to send through. How can we select which traffic goes through the tunnel?

        Other way of putting it: is it possible to configure the clients (not the server) not to go through the tunnel and connect directly?

        Moreover, is it possible to have 2 config files (call them clientTunnel.ovpn and clientNoTunnel.ovpn) and pick the one that you need when you connect to the VPN? That would require client side configuration, just as in the above question.

        And one more question: is it ok to use the same client config (client1.ovpn) for several clients at the same time? Will it disconnect the others, is it bad practice, what is your opinion?

        Once again, thanks for the great tutorial, it’s a great intro to the VPN world even for the newcomers!

        PS: I am on Ubuntu 14.04 and everything works fine except for the systemctl commands which need to be replaced with sudo service openvpn start/stop/restart.

        • @bosch In terms of the client-to-client setting, if you have two clients connected to the VPN, you can see if you can reach one from the other by the VPN IP address that’s given. You should be able to discover this address in the openvpn output, in your network settings, etc. Once you know the VPN IP address of the other computer, you can connect directly to it using whatever method you conventionally do.

          You can ping it to check connectivity like this:

          • ping
          PING ( 56(84) bytes of data.
          64 bytes from icmp_seq=1 ttl=64 time=171 ms
          64 bytes from icmp_seq=2 ttl=64 time=93.7 ms
          64 bytes from icmp_seq=3 ttl=64 time=112 ms

          If you are having trouble finding the address to connect to, you can also use a tool like nmap to discover all of the hosts within the VPN network, like this:

          • sudo nmap -sn

          You will be given a listing of all of the hosts connected to the VPN:

          Starting Nmap 6.40 ( ) at 2016-10-31 11:16 EDT
          Nmap scan report for # this is the VPN server
          Host is up (0.0029s latency).
          Nmap scan report for # this is one client
          Host is up (0.41s latency).
          Nmap scan report for # this is another client
          Host is up.
          Nmap done: 256 IP addresses (3 hosts up) scanned in 46.98 seconds

          The above subnet is the default that’s set in the /etc/openvpn/server.conf file (with the line server so it should work if you did not explicitly modify the network range.

          In terms of sending only specific data through the VPN, that will be specific to whatever software you’re using. There’s no general way I know of telling you how to do that.

          To answer another of your questions, OpenVPN does not allow direct client-to-client communication. All traffic must be routed through the central server. Direct connection would require a mesh network. You can find out more from the answer to a similar question here.

          Yes, you can have two separate configuration files and use whichever one you want to use on a case-by-case basis. There shouldn’t be any problem with that. I would recommend pushing the routes to the client in the server configuration (uncomment those push lines again and restart the OpenVPN service on the server). You can then choose to ignore the pushed routes on the client by adding this to your client configuration for your clientNoTunnel.ovpn file:

          . . .
          . . .

          If you wish to use the same config / certificate files, you’ll need to uncomment duplicate-cn in your /etc/openvpn/server.conf file on the server. This is not recommended though, since it takes away your ability to invalidate any compromised keys without invalidating every one of your clients. You might as well generate a different client configuration for each client.

          Hope that helps.

  • OpenVPN is also very good if you, like me, have an SSL cert for one server but don’t want to purchase another but want both web servers to use HTTPS.

    I have one web server using apache at my home, which binds to Nginx then proxies through for requests from

    Like so: connects to an OpenVPN server on my home network. This VPN server responds only to’s IP using IPTables.
    Apache on my home network then binds to
    Nginx passes all requests from URI to Everything else is handled by itself or PHP, etc…

    This allows everything sent to the HTTP server on my home network to be encrypted on the OpenVPN tunnel.

    Home network:

    <Directory "/share/Qweb/public">
            AuthType Basic
            AuthName "Password needed. No public access."
            AuthUserFile "/share/Qweb/.htpasswd"
            Require valid-user
            Options +Indexes
    </Directory>

    VHost config

            ServerName Public
            DocumentRoot "/share/Qweb"
            Alias "/home" "/share/Qweb/public"

    server {
            listen 443 default ssl;
            ssl_certificate ssl/;
            ssl_certificate_key ssl/;
            location /home/ {
                    proxy_redirect http://$host/ /home/;
                    include proxy_params;
            }
    }

    Now, all the HTTP traffic is encrypted on the tunnel :).

  • Hi, thank you for the excellent tutorial. Unfortunately, I’ve run into a problem. On all my devices, the openvpn client is stuck at ‘Waiting for server response’ and eventually has a timeout. Can anyone please help me? Thanks!

  • Hi this guide is awesome. I followed similar guide for 14.04 (from digital ocean tutorials). I am experiencing very slow speeds on this method compared to that one. I’m not sure what is the reason here.

    1. Thank you.
    2. I followed the instructions and provisioned using the .ovpn file, but it failed to connect. My ~/.cert/nm-openvpn got proper *-ca.pem, *-key.pem, *-tls-auth.pem, but the -cert.pem is 0 bytes, and the nm-openvpn process doesn’t like that.

    Any idea how that happened?

  • Thanks! It’s a great HOWTO

  • Thank you for the comprehensive guide - I do have an issue that I am hoping someone could help me with though:

    On “Step 11: Generate Client Configurations”, when I go to run the new script:

    ./ client1

    I am getting the following error:

    ./ line 9: /home/engineer/client-configs/files/client1.ovpn: No such file or directory

    I assumed that this script would generate the file “client1.ovpn” in the files directory, but it seems like it’s looking for this file to already be existing? Further, I tried manually making a blank client1.ovpn file (w/ touch) in the directory and rerunning the script but received the same error.

    Does anyone know how to rectify this issue?

    • @ziggybabybeauty The script should indeed be making the file in that directory.

      I’m not exactly sure what the problem is and unfortunately, the “No such file or directory” error is a bit ambiguous. It can happen when the ending file is not there, in this case client1.ovpn, but that same error is used when one of the parent directories cannot be found. I know this isn’t very in-depth, but my first inclination in troubleshooting would be to make sure that both the client-configs and files directories are available and named correctly.

  • Great tutorial.
    I think the sentence below needs to be corrected.

    Your public interface should follow the word “dev”. For example, this result shows the interface named wlp11s0, which is highlighted below:

    default via dev eth0 proto static metric 600

  • Hey, a minor heads up. My configuration only worked when I used my Droplet’s original IP address. I was trying with the Floating IP and/or the host I’d set in the DNS record, and none worked. I wonder if this is an issue with Digital Ocean or if this is the expected behavior.


  • Has anybody had this error after following all the instructions of this and the prerequisite tutorial?

    Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.

    Running as root and the VPS has TUN/TAP enabled (if that helps in any way)


  • How can I use the VPN on one server, where I will have for example 5 users/clients that when logged in can access one host/folder on the server, and other 5 users/clients that will have access to another host/folder without being able to access the host/folder that they don’t have permission to.
    Is this possible with OpenVPN and how can I achieve that?

  • When I try to connect from my PC I get an error, Cannot Resolve Host Address: serverIPaddress: No such host is known.

    Anyone have any suggestions?

  • When I try to connect on both Windows and Android it says the private key is invalid? I didn’t put a password or anything. Any help?

  • Hello, Good Day.

    I want to disable the server key/cert in the client before it connects to the server.
    I want to use only the ca.crt to connect to the server.

    How do I configure this setup? Thank you in advance.

  • I fixed my previous problem but now whenever I try to connect it times out?

    This is the error I get:

    Sun Dec 11 21:31:33 2016 NOTE: --user option is not implemented on Windows
    Sun Dec 11 21:31:33 2016 NOTE: --group option is not implemented on Windows
    Sun Dec 11 21:31:33 2016 OpenVPN 2.3.14 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 7 2016
    Sun Dec 11 21:31:33 2016 Windows version 6.2 (Windows 8 or greater) 64bit
    Sun Dec 11 21:31:33 2016 library versions: OpenSSL 1.0.2i 22 Sep 2016, LZO 2.09
    Sun Dec 11 21:31:33 2016 MANAGEMENT: TCP Socket listening on [AF
    Sun Dec 11 21:31:33 2016 Need hold release from management interface, waiting…
    Sun Dec 11 21:31:34 2016 MANAGEMENT: Client connected from [AF_INET]
    Sun Dec 11 21:31:34 2016 MANAGEMENT: CMD 'state on'
    Sun Dec 11 21:31:34 2016 MANAGEMENT: CMD 'log all on'
    Sun Dec 11 21:31:34 2016 MANAGEMENT: CMD 'hold off'
    Sun Dec 11 21:31:34 2016 MANAGEMENT: CMD 'hold release'
    Sun Dec 11 21:31:34 2016 Control Channel Authentication: tls-auth using INLINE static key file
    Sun Dec 11 21:31:34 2016 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sun Dec 11 21:31:34 2016 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sun Dec 11 21:31:34 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sun Dec 11 21:31:34 2016 UDPv4 link local: [undef]
    Sun Dec 11 21:31:34 2016 UDPv4 link remote: [AF
    Sun Dec 11 21:31:34 2016 MANAGEMENT: >STATE:1481491894,WAIT,,,
    Sun Dec 11 21:32:34 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sun Dec 11 21:32:34 2016 TLS Error: TLS handshake failed
    Sun Dec 11 21:32:34 2016 SIGUSR1[soft,tls-error] received, process restarting
    Sun Dec 11 21:32:34 2016 MANAGEMENT: >STATE:1481491954,RECONNECTING,tls-error,,
    Sun Dec 11 21:32:34 2016 Restart pause, 2 second(s)
    Sun Dec 11 21:32:36 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sun Dec 11 21:32:36 2016 UDPv4 link local: [undef]
    Sun Dec 11 21:32:36 2016 UDPv4 link remote: [AF_INET]
    Sun Dec 11 21:32:36 2016 MANAGEMENT: >STATE:1481491956,WAIT,,,

    I don’t understand this at all…

    All I know is it isn’t working.

  • Sorry for my bad English. PLEASE HELP ME!
    I completed all the steps, but the created file named client1.ovpn doesn’t copy to C:/program files/open vpn.
    PuTTY said “ cp: cannot stat ‘client1.ovpn’: No such file or directory ” and it doesn’t copy the file.
    I wrote the command: ls ~/client-configs/files
    It found the client1.ovpn file, but it doesn’t copy to Program Files. (I could not finish step 12.)

  • thanks working great from my iphone!
    1 question
    from the vpn server i need http access to other server on the local lan.

    so vpn server is on local with public ip etc.
    and the webserver is on

    please help:-)

  • got it, simply add
    push "redirect-gateway def1" to the server.conf

  • Thanks for making a guide and it is very valuable for me.
    But I ran into some confusion following this guide on an Ubuntu 16.04 system. I wrote a bash file following this guide and got an error at step 10.
    Here is the code:
    sudo sh -c “cat << EOF > ~/client-configs/


    First argument: Client identifier


    cat ${BASECONFIG} \
    <(echo -e ’<ca>’) \
    DIR}/ca.crt \
    <(echo -e ’</ca>\n<cert>’) \
    ${KEYDIR}/${1}.crt \
    <(echo -e ’</cert>\n<key>’) \
    DIR}/${1}.key \
    <(echo -e ’</key>\n<tls-auth>’) \
    ${KEYDIR}/ta.key \
    <(echo -e ’</tls-auth>’) \
    > ${OUTPUT

    But, the Ubuntu returned:
    cat: /home//openvpn-ca/keys/.crt: No such file or directory
    cat: /home//openvpn-ca/keys/.key: No such file or directory

    How do I solve the problem?

    • @huebuquan You have to remember to pass in the name you used for the client when calling the script. It’s difficult to tell if you are doing that or not.

      Basically, you have to call the script like this:

      • ./ client1

      If you leave off the client1 (or whatever you named your client), you may get output similar to what you’re seeing.

  • Hi, I don’t understand this:

    openvpn --genkey --secret keys/ta.key

    where is the file “ta.key” ?

  • i checked many times on this setup. there are no dns leaking.

  • Really nice tutorial, thank you. Everything worked right away, except for client to client communication. I cannot ping other clients connected to the server through their virtual address. I tried enabling the “client-to-client” option in the server configuration, but this had no effect. How should I configure the server such that clients may communicate with each other through their virtual addresses?

    • @jessetilro Enabling the client-to-client option should be all that’s necessary to connect from one host to the other using the VPN IP addresses. If you’ve uncommented that setting, some things to check are:

      • Did you restart the service with sudo systemctl restart openvpn@server?
      • Do you have any firewalls enabled on the server or clients that might be interfering?
      • Have you restarted the connections from each client after making the change?

      Apart from those steps, I don’t have much advice because OpenVPN should be allowing routing between your clients with that setting enabled. Sorry I can’t be of more help.

      • Thank you very much for your time. After a lot of experimenting and monitoring traffic I found out that Windows Firewall was indeed interfering on the client side (linux clients did not have the problem). Pinging now works, but many (LAN purpose) applications will still not detect other VPN clients. I tried assigning the virtual network interfaces of the clients a higher priority. Is there any additional or alternative configuration necessary to allow VPN client applications to automatically detect other VPN clients as if they were on the same local network?

  • Hi, Great guide, very comprehensive and very much appreciated.
    Although as a novice, I have an issue that I hope someone can help with.
    In Section 8: Identifying the public network interface of our machine

    When I run the command ip route | grep default I get the following results which don’t look right according to the guide.

    default via dev eth0 onlink

    Can someone please point me in the right direction on how to obtain the public network interface name.

    PS, I have followed this and the prerequisite tutorial, everything has been working fine up-to this point.

    • @jbmtech Hey there, thanks for reaching out.

      Given your output, it looks like your public interface is eth0. Have you tried using that value already or did you pause because the output looked a bit different? If you just wanted to double check before moving on, then I’d go ahead and use eth0 as your public networking interface and continue. If you tried that already, we can look at other things perhaps.

  • Will this work in China? I am totally new to VPN and I use Ubuntu 16.04. Basically I’d like to continue enjoying facebook and all the banned sites in China.


  • error when trying to connect to vpn

    Tue Jan 10 10:15:39 2017 Message hash algorithm ‘enp4s8’ not found
    Tue Jan 10 10:15:39 2017 Exiting due to fatal error

  • I have this problem where the keys and other bits are not posted in my openvpn conf. (.ovpn file) the following section:


    is blank and doesn’t look like this example:




    -----BEGIN OpenVPN Static key V1-----

    -----END OpenVPN Static key V1-----

    When I ran the client1 command I received the following output:

    cat: /home/whatever/openvpn-ca/keys/ca.crt: No such file or directory
    cat: /home/whatever/openvpn-ca/keys/.crt: No such file or directory
    cat: /home/whatever/openvpn-ca/keys/.key: No such file or directory
    cat: /home/whatever/openvpn-ca/keys/ta.key: No such file or directory

    I checked the directories however and the key files are there and named client1… what am I missing?


  • Hi Thanks for the Great guide…

    But at the time of generating client1.ovpn it showing permission denied, Can you plz help!!
    Below is FYR

    jduser@VPN:~/client-configs$ ./ client1

    Sample client-side OpenVPN 2.0 config file

    for connecting to multi-client server.

    This configuration can be used by multiple

    clients, however each client should have

    its own cert and key files.

    On Windows, you might want to rename this

    file so it has a .ovpn extension

    Specify that we are a client and that we

    will be pulling certain config file directives

    from the server.


    Use the same setting as you are using on

    the server.

    On most systems, the VPN will not function

    unless you partially or fully disable

    the firewall for the TUN/TAP interface.

    ;dev tap
    dev tun

    Windows needs the TAP-Win32 adapter name

    from the Network Connections panel

    if you have more than one. On XP SP2,

    you may need to disable the firewall

    for the TAP adapter.

    ;dev-node MyTap

    Are we connecting to a TCP or

    UDP server? Use the same setting as

    on the server.

    ;proto tcp
    proto udp

    The hostname/IP and port of the server.

    You can have multiple remote entries

    to load balance between the servers.

    remote {My Public IP} 1194
    ;remote my-server-2 1194

    Choose a random host from the remote

    list for load-balancing. Otherwise

    try hosts in the order specified.


    Keep trying indefinitely to resolve the

    host name of the OpenVPN server. Very useful

    on machines which are not permanently connected

    to the internet such as laptops.

    resolv-retry infinite

    Most clients don’t need to bind to

    a specific local port number.


    Downgrade privileges after initialization (non-Windows only)

    ;user nobody
    ;group nogroup

    Try to preserve some state across restarts.


    If you are connecting through an

    HTTP proxy to reach the actual OpenVPN

    server, put the proxy server/IP and

    port number here. See the man page

    if your proxy server requires


    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]

    Wireless networks often produce a lot

    of duplicate packets. Set this flag

    to silence duplicate packet warnings.


    SSL/TLS parms.

    See the server config file for more

    description. It’s best to use

    a separate .crt/.key file pair

    for each client. A single ca

    file can be used for all clients.

    ca ca.crt

    cert client.crt

    key client.key

    cipher AES-128-CBC

    auth SHA256

    key-direction 1

    script-security 2

    up /etc/openvpn/update-resolv-conf

    down /etc/openvpn/update-resolv-conf

    Verify server certificate by checking that the

    certicate has the correct key usage set.

    This is an important precaution to protect against

    a potential attack discussed here:

    To use this feature, you will need to generate

    your server certificates with the keyUsage set to

    digitalSignature, keyEncipherment

    and the extendedKeyUsage to


    EasyRSA can do this for you.

    remote-cert-tls server

    If a tls-auth key is used on the server

    then every client must also have the key.

    ;tls-auth ta.key 1

    Select a cryptographic cipher.

    If the cipher option is used on the server

    then you must also specify it here.

    ;cipher x

    Enable compression on the VPN link.

    Don’t enable this unless it is also

    enabled in the server config file.


    Set log file verbosity.

    verb 3

    Silence repeating messages

    ;mute 20
    ./ line 20: /dev/fd/63: Permission denied
    ./make line 22: /home/jduser/openvpn-ca/keys/ca.crt: Permission denied
    ./ line 24: /dev/fd/63: Permission denied
    ./make line 26: /home/jduser/openvpn-ca/keys/client1.crt: Permission denied
    ./ line 28: /dev/fd/63: Permission denied
    ./make line 30: /home/jduser/openvpn-ca/keys/client1.key: Permission denied
    ./ line 32: /dev/fd/63: Permission denied
    ./make line 34: /home/jduser/openvpn-ca/keys/ta.key: Permission denied
    ./ line 36: /dev/fd/63: Permission denied

  • Great tutorial! Having something up to date, in particular, is really valuable, but the explanations & other aspects are really enjoyable too.

    I have one question about this:
    “You will need to configure a non-root user with sudo privileges”
    => Is that a real prerequisite, or just because you advise following good practices?

    I was afraid some installation or config file had to be made as non-root for important security purposes, but otherwise, I often work directly as root, since putting a sudo before every command doesn’t make much sense to me.
    Was the exception I made here a real necessity ?

    (off-topic note : on the other hand, I’m particularly careful when using any sort of rm, or even mv)

    • @pifou42 For tutorials like this: yes, I’d consider it an actual prerequisite. While it’s possible to translate a procedure like this to work with the root user, the interactions between the components will change, there are subtle security implications in regards to file permissions and ownership, and above all, this wasn’t tested using the root user.

      In this instance, it isn’t as much about preventing you from accidentally running a dangerous command. We run as an unprivileged user so that the resulting files and services run with the appropriate permissions and are isolated from other parts of the system. If you choose to try to do this as root, it is your responsibility to figure out the necessary permissions and ownership, etc.

      • That’s precisely the reason why I preferred following your instructions. Looks like I guessed right :). I won’t play with security when setting up a VPN.

        Thanks for your answer.

  • Hi there and thanks for perfect post!
    Could you please describe how static IP address can be set to client1 ?

  • I have OpenVPN-2.4 running on my Ubuntu 16.04 server, and also running on several clients, e.g., dd-wrt router, windows PCs and android clients.

    In my Ubuntu /etc/openvpn/server.conf I have
    push "dhcp-option DNS"

    I want my clients to use the server’s iptable rules set up to block a list of IP addresses.

    I have tried several sets of iptable rules in my Ubuntu server /etc/init.d/openvpn file, none of which work. E.g., I try
    blacklist IP:
    iptables -A INPUT -s IP -j DROP
    delete blacklisted IP
    iptables -D INPUT -s IP -j DROP
    to test an IP that I can use in one of my client browsers.

    I have tried (uncommented iptables lines are used currently):

    iptables -A INPUT -i tun+ -j ACCEPT

    iptables -A FORWARD -i tun+ -j ACCEPT

    iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

    iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

    iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

    iptables -A OUTPUT -o tun+ -j ACCEPT

    from another doc

        /sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        /sbin/iptables -A FORWARD -s -j ACCEPT
        /sbin/iptables -A FORWARD -j REJECT
        /sbin/iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
        /sbin/iptables -A INPUT -i tun+ -j ACCEPT
        /sbin/iptables -A FORWARD -i tun+ -j ACCEPT

    Otherwise, my VPNs seem to be working fine.

    • How did you get this setup to work with dd-wrt? I seem to get a connection (both through setting up the GUI and trying to run it manually over ssh using the config generated by the guide) but after connecting, none of the devices connected to the router can get out to the internet.


    This rule is not fully correct. OpenVPN server provides IPs from the range So correct one will be


  • This Documentation is really helpful and amazing. Thank you.

    Now I have a small problem: my DNS remains the same even after I connect to my VPN, as in my DNS is my ISP’s provided DNS and not the DNS of OpenVPN.
    What is the fix for this?

  • Thanks a lot for this guide. Got the Droplet especially for VPN :D

  • DNS leak in Windows
    add ‘block-outside-dns’ in client1.ovpn
    problem solved :)

  • @jellingwood: Great job Justin. You made this as clear as possible. Impressive.

    @pssabishek: with Ubuntu 16.04.1 LTS as my client, I was able to plug DNS leaks with this solution

    @TerryE: ‘block-outside-dns’ is only for windows clients. Linux clients will encounter
    Options error: Unrecognized option or missing parameter(s) in client1.ovpn:125: block-outside-dns (2.3.10)

    Android OpenVPN Connect accepts my ovpn file and says it connects, but DNS leak persists.

    Also, I encountered a permissions issue on an unrooted tablet that Android OpenVPN Connect cannot see files I copy via usb. I had to pass the ovpn file through Dropbox

    • now no leaks with Android tablet:

      un-commented push “redirect-gateway def1 bypass-dhcp” directive in /etc/openvpn/server.conf and left push “dhcp-option DNS …” commented out.

      Checked (enabled) Android OpenVPN Connect Preferences, DNS Fallback: Use Google DNS server as fallback for connections that route all internet traffic through the VPN tunnel but don’t define any VPN DNS servers.

      Android OpenVPN Connect client and Linux desktop both leak-free.

  • Following all your steps, I can successfully setup the server and generate multiple clients as needed. Thank you!

  • I tried this and it works great. This was easier to follow than the VPN section of the Ubuntu Server Guide. I have run into one problem. The problem is accessing network shares on Windows 10 PCs through the VPN. I can access OS X and Linux shares through the VPN but not Windows 10.

    Any Ideas how to fix this?

    I have tried changing the windows firewall settings to allow smb in/out from any network.

    Also, could setting up the VPN in bridged mode fix the problem? I was reading on the openvpn website that bridged mode uses OSI layer 2 and tunnel mode uses OSI layer 3. I am not sure what that means but thought it could have something to do with this problem.

    I appreciate any help that you can give.

  • This is incredible. Best OpenVPN tutorial out there. Thank you!

  • Hi,
    I need a L2TP/ IPSec vpn server running on ubuntu-16.10-server-amd64 bit machine. Can anybody suggest any VPN software options??

    • tried from android, too
      still same stuff(

      • @bruhteeshka It looks like you need to replace server_IP_address with the actual IP address of your VPN server in your client configuration (and the ~/client-configs/base.conf file before you generate more certificates). Hope that helps.

        • so i’m kinda stuck…
          how can i find out this actual IP adress
          and what should i do with this configuration file?)

          • @bruhteeshka So how do you typically connect to the VPN server you are setting up? If it’s by SSHing into an IP address, you’ll use that same IP address here. If it’s by a domain name, that works too.

            If you’re still unsure, you can try typing this into a terminal when logged into your VPN server:

            • curl -4

            This should return your publicly accessible IP address, which might look something like this (do not use this example value):


            You would then change both the ~/client-configs/base.conf file and the client1.ovpn file you generated, so that the remote line references the IP address you discovered:

            # Substitute the highlighted value below with IP address you discovered
            # Keep the "1194" at the end though
            remote 1194

            After that, you should try connecting again with the newly edited client1.ovpn file to see if it works.

        • Thanks a lot! And I’m guessing this is what I needed:

  • having trouble connecting I thought I did everything right but I guess not. perhaps someone could help me out? here is my log:

    Wed Feb 22 11:56:11 2017 NOTE: --user option is not implemented on Windows
    Wed Feb 22 11:56:11 2017 NOTE: --group option is not implemented on Windows
    Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory
    Options error: Please correct this error.
    Use --help for more information.

  • Hi everyone!
    I have some issue with Windows 10. Sometimes everything works as opposed to the browser.
    I have to type in the Windows cmd console :
    -netsh winsock reset
    -netsh int ip reset
    -ipconfig /release
    -ipconfig /renew
    -ipconfig /flushdns
    that everything was back to normal.
    What could be the reason?

  • Hi,
    Great tutorial, it works! But since I installed it I no longer have access to ‘owncloud’ installed on the same server. I previously had local access on but since OpenVPN was installed it no longer works… But I am still able to ping the server from the LAN and from a distant computer connected on OpenVPN, which is a good point but not enough to be OK. Is OpenVPN responsible for that, and do you have any clues to check it all?

  • Hello!

    I migrated my server over to London and assumed I needed to follow this guide. However after doing this all of my client profiles give the error:

    OpenVPN Core Error: PolarSSL: error parsing config private key: PK - invalid key tag or value

    What am I doing wrong!

  • getting this error when I try to connect using a Windows workstation: Options error: Unknown key direction '1<ca>' -- must be '0' or '1'

  • Step 11: Generate Client Configurations: after running ./ client1, it creates a blank file named client1 in the correct folder with the following errors:

    / line 20: /dev/fd/63: Permission denied
    ./make line 22: /home/aaron/openvpn-ca/keys/ca.crt: Permission denied
    ./ line 24: /dev/fd/63: Permission denied
    ./make line 26: /home/aaron/openvpn-ca/keys/client1.crt: Permission denied
    ./ line 28: /dev/fd/63: Permission denied
    ./make line 30: /home/aaron/openvpn-ca/keys/client1.key: Permission denied
    ./ line 32: /dev/fd/63: Permission denied
    ./make line 34: /home/aaron/openvpn-ca/keys/ta.key: Permission denied
    ./ line 36: /dev/fd/63: Permission denied

  • Justin, and anybody else that may be reading this: first of all thanks for the awesome guide!

    I can’t seem to connect to the Ubuntu 16.04 VPN server from my Ubuntu 16.04 client. However, I CAN successfully connect to the VPN server from my local MacBook OS X Sierra machine. The command I use to connect is: sudo openvpn --config client.ovpn and it connects fine. However, if I use this same command and same .ovpn file on my Ubuntu 16.04 client, it does not connect.

    Here is what happens when I try to connect to the Ubuntu VPN server from the Ubuntu client:

    In addition, not only does this command not connect, but it also shuts down all the websites I’m running from the machine I’m attempting to connect to the VPN server from, and forces me to reset that machine in order to get them online again. :/

    If you have any help, insight, thoughts, or suggestions, how I could get this figured out, so I can connect to the VPN server from my Ubuntu client machine, it would be greatly appreciated! Thank you in advance.

    • @skcin7 Hey there. Thanks for posting the verbose logs. That’s helpful.

      From the logs, it looks like maybe you haven’t uncommented the necessary lines within the client1.ovpn script for Linux clients. OS X doesn’t require those lines, so that might be why the configuration works on your OS X client but not on Ubuntu. Check out the section on configuring Linux clients here to modify the configuration file when it’s used on your Ubuntu client.

      Basically, you need to set script-security to “2” to allow calling external scripts. Afterwards, point both the up and down scripts to /etc/openvpn/update-resolv-conf. This script should be available if you installed OpenVPN on your Ubuntu 16.04 client from the default repositories. It handles updating the resolvers on the machine when the VPN is brought up or torn down so that everything is routed correctly.

      Hopefully that helps.

      by Justin Ellingwood
      Want to access the Internet safely and securely from your smartphone or laptop when connected to an untrusted network such as the WiFi of a hotel or coffee shop? A Virtual Private Network (VPN) allows you to traverse...
  • Thanks, this tutorial helped me a lot, but I have a small question: in case I should assign static IPs to my clients, what is the procedure?

  • openvpn --genkey --secret keys/ta.key

    Is there a typo here? It is supposed to be ca.key, isn’t it?

  • I can connect to the server but I can’t browse the internet. I get DNS Probe Finished No Internet

  • Hi all,

    I’m having a problem with step 11. Everything seems to follow through until I get to the last command that I am supposed to input (this line: “sftp sammy@openvpnserverip:client-configs/files/client1.ovpn ~/”). When I type this out I get this output:
    “ssh: Could not resolve hostname openvpnserverip: Name or service not known
    Couldn’t read packet: Connection reset by peer”.

    Your help is greatly needed.

    • @818683 You will need to replace openvpn_server_ip with the actual IP address or domain name of your OpenVPN server.

      • After replacing openvpnserverip with the actual IP address, I am then prompted to enter a password. I typed in the PEM pass phrase but that did not work. So I am wondering which password they are looking for, because I have even used my computer password and that too proved futile.

        Quick side question though: how does one find the domain name of their OpenVPN server?

        • @kingK It’s difficult to say which password you are referring to. When do you get this? When trying to connect or before that while configuring things? The only passwords that would be relevant during connection would be either your local computer’s password, or the PEM passphrase if you set that up. If you can’t get that to work, I’d suggest trying this setup again using a key without a passphrase first to isolate the problem. After validating that you can get that working, you can try once more with a passphrase-protected key.

          As far as the domain name goes, your server likely will not have a publicly routable domain name unless you have purchased and assigned one. There are many different domain registrars where you can purchase an available name and then set up a record to direct traffic from the domain to your server. This is not necessary though if you are comfortable just using the server’s public IP address instead.

  • Everything works lovely (which is highly unusual for me given my ineptitude) with the first client, but for some reason I can’t get any other client certificates/keys to work. I know I don’t need to, but for the sake of completeness I’d like to. It’s obviously something I’m doing/have done wrong, but I don’t know where to start. Tunnelblick just sits on ‘waiting for server response’. Any ideas?



    • Hi Robin,
      I am stuck on the 11th step. After running this line “sftp sammy@openvpnserverip:client-configs/files/client1.ovpn ~/”
      I am prompted for a password. I typed in the PEM passphrase but that didn’t work. Do you perhaps know how to resolve this?

      • Are you actually typing ‘sammy’? Because that should be your username. If it’s asking for a password, that would mean you log onto your server with a password, right? So it’s probably looking for the password for the user ‘sammy’ on your server, which probably doesn’t exist…?

    • @robinfoster Hey there. Unfortunately, “waiting for server response” is a pretty vague message, as I’m sure you’ve realized. Because of that, it’s difficult to say what exactly is going wrong, but there are a few things you can try to get some more information.

      If there’s an option within your client to enable verbose logging, that is a good place to start. You should also take a look at the logs on the VPN server when you are connecting. You can do that with journalctl by typing:

      • sudo journalctl -u openvpn@server

      To automatically refresh the view as new logs come in, add the -f option:

      • sudo journalctl -f -u openvpn@server

      You should also check your client configuration file to make sure there aren’t any lines that are only applicable to a certain type of operating system. For instance, the up, down, and script-security lines are only applicable on hosts with /etc/openvpn/update-resolv-conf available. Operating system-specific lines may interfere with the connection when used on other systems.

      So, not an exact answer, but hopefully one that will lead you to more information to troubleshoot a bit better.

      • Thanks for this, lots to go on. My main confusion stems from the fact that nothing has changed since I created a fully working .ovpn file the first time round, but subsequent attempts are failing. I imagine I’ve set something up wrong though, so I’ll follow your suggestions and see what happens.

      • So… I get the following:

        Mar 20 21:19:23 rpf-vpn ovpn-server[1496]: Authenticate/Decrypt packet error: packet HMAC authentication failed
        Mar 20 21:19:23 rpf-vpn ovpn-server[1496]: TLS Error: incoming packet authentication failed from [AF_INET]

        Is that any more specific an error? Googling has plenty of results, but none that mean too much to me I’m afraid.


        • @robinfoster Hey there. Sorry for the delay, I hadn’t seen your response earlier.

          If you search for “HMAC authentication failed” in this guide, it looks like the issue might be with the tls-auth settings. Try checking that the /etc/openvpn/ta.key file on the server matches the values within the <tls-auth> and </tls-auth> tags within the client configuration. It’s possible that even the line endings could be affecting the way that it’s interpreted. Also, double check the key-direction setting and make sure that the client and server use different values.

          Other than that, I’m not quite sure what’s going on. I hope the above helps you figure it out though.
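The comparison suggested in the reply above, as an added example that is not part of the thread or the tutorial: a POSIX shell check that the server's ta.key matches the inline <tls-auth> block of a client profile once line endings are normalized, and that the two ends use opposite key-direction values. The sample files, the shortened key and all function names are constructed for illustration; it assumes the direction is set either by a key-direction line or by the third field of a tls-auth line.

```shell
#!/bin/sh
# Added example: key material is compared in memory and never printed.

# Key material only: strip CRs and trailing blanks, drop comments and empty lines.
normalize_key() {
    tr -d '\r' | sed -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d'
}

# Body of the inline <tls-auth> ... </tls-auth> block of a client profile.
inline_tls_auth() {
    tr -d '\r' < "$1" | awk '/^<tls-auth>/ {f = 1; next} /^<\/tls-auth>/ {f = 0} f'
}

# Direction in effect: "key-direction N", else the third field of "tls-auth FILE N".
direction_of() {
    tr -d '\r' < "$1" | awk '
        $1 == "key-direction" { d = $2 }
        $1 == "tls-auth" && $3 ~ /^[01]$/ && d == "" { d = $3 }
        END { print d }'
}

# Usage: check_tls_auth SERVER_CONF TA_KEY CLIENT_OVPN
# Returns 0 if consistent, 1 on key mismatch, 2 on a direction problem,
# 3 if the profile has no inline key.
check_tls_auth() {
    server_key=$(normalize_key < "$2")
    client_key=$(inline_tls_auth "$3" | normalize_key)
    sdir=$(direction_of "$1")
    cdir=$(direction_of "$3")
    if grep -q "$(printf '\r')" "$3"; then
        echo "note: $3 has CRLF line endings (compared with CRs stripped)"
    fi
    if [ -z "$client_key" ]; then
        echo "FAIL: no inline <tls-auth> block in $3"; return 3
    fi
    if [ "$server_key" != "$client_key" ]; then
        echo "FAIL: inline <tls-auth> key in $3 differs from $2"; return 1
    fi
    case "$sdir/$cdir" in
        0/1|1/0) ;;
        *) echo "FAIL: key-direction server='$sdir' client='$cdir' (need 0 and 1, opposite)"
           return 2 ;;
    esac
    echo "OK: key matches, directions $sdir (server) / $cdir (client)"
}

# --- constructed sample files -------------------------------------------
profile() {  # profile DIRECTION < keyfile : minimal client profile on stdout
    printf 'client\nkey-direction %s\n<tls-auth>\n' "$1"; cat; printf '</tls-auth>\n'
}

make_samples() {  # make_samples DIR
    cat > "$1/ta.key" <<'EOF'
#
# 2048 bit OpenVPN static key (constructed, shortened, not a real key)
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100
-----END OpenVPN Static key V1-----
EOF
    printf 'port 1194\ntls-auth ta.key 0 # This file is secret\nkey-direction 0\n' \
        > "$1/server.conf"
    # good.ovpn: right key, saved with CRLF endings as a Windows editor would
    profile 1 < "$1/ta.key" | awk '{ printf "%s\r\n", $0 }' > "$1/good.ovpn"
    # stale.ovpn: built from a different ta.key (one hex line differs)
    sed 's/^0011/a011/' "$1/ta.key" | profile 1 > "$1/stale.ovpn"
    # samedir.ovpn: right key, but the same direction as the server
    profile 0 < "$1/ta.key" > "$1/samedir.ovpn"
}

d=$(mktemp -d)
make_samples "$d"
for p in good stale samedir; do
    check_tls_auth "$d/server.conf" "$d/ta.key" "$d/$p.ovpn" || echo "  (status $?)"
done
rm -rf "$d"
```

On a real server the arguments would be /etc/openvpn/server.conf, /etc/openvpn/ta.key and the generated client profile, read with sudo since ta.key is secret.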

  • Hi all,
    I’m getting this “Sun Mar 19 17:29:05 2017 RESOLVE: Cannot resolve host address: my-server-1: Name or service not known” after doing everything successfully. How do I fix this to get the VPN working?

  • Hello,
    I get default via dev eth0 onlink when I issue command :
    ip route | grep default.
    How do I find correct interface?

  • I had huge issues the first time installing, with “TLS handshake error…”, but after I combined this tutorial with this one from Linode
    the situation was much better.
    Also, the line tls-auth ta.key 1 # This file is secret
    should be commented out with ; for the Android client, and only key-direction 1 used.

  • I’ve literally gone from no droplets to my own working vpn in 1 hour - excellent tutorials - I love DO

  • Quick tip for people who don’t have ufw or a firewall at all and are unable to connect to the internet after connecting to the VPN-

    sudo iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

    (change eth0 to your network card, which can be found using the command below)
    ip route | grep default

    and add the following to your config to push all traffic through the vpn and use Google DNS–

    push “dhcp-option DNS”
    push “dhcp-option DNS”
    push “redirect-gateway def1”

  • For anyone struggling with this guide when it comes time to running your client configuration in OSX with Tunnelblick and getting a ‘ca.crt not found error’, all you have to do is open the client1.ovpn file and comment out the following 3 lines:

    #ca ca.crt
    #cert client.crt
    #key client.key

    Tunnelblick will then look within the client1.ovpn config file for the information instead of looking for the external files! :)
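A lint for the situation in the comment above (ca, cert, key or tls-auth file directives left active in a profile that already carries the inline blocks), added here as an example and not taken from the tutorial or the thread. It also flags up/down hooks that lack script-security 2 or point at a script that is missing on the client, the cause behind the update-resolv-conf errors reported elsewhere in these comments. The profile contents, the 203.0.113.10 address and all function names are constructed.

```shell
#!/bin/sh
# Added example: lint a client .ovpn profile before importing it.

# Findings decidable from the profile text; hook scripts are emitted as
# "hookpath PATH" lines for lint_profile to test against the local filesystem.
profile_findings() {
    tr -d '\r' < "$1" | awk '
        /^[ \t]*[#;]/                   { next }             # commented-out line
        /^<\/(ca|cert|key|tls-auth)>/   { inblk = 0; next }  # end of inline block
        inblk                           { next }             # PEM or key body
        /^<(ca|cert|key|tls-auth)>/     { inline[substr($1, 2, length($1) - 2)] = 1
                                          inblk = 1; next }
        $1 ~ /^(ca|cert|key|tls-auth)$/ { file[$1] = $2 }
        $1 == "up" || $1 == "down"      { hooks++; path[$2] = 1 }
        $1 == "script-security"         { sec = $2 }
        END {
            n = split("ca cert key tls-auth", name, " ")
            for (i = 1; i <= n; i++) {
                k = name[i]
                if ((k in file) && (k in inline))
                    printf "%s: \"%s %s\" is still active although the profile carries an inline <%s> block\n", k, k, file[k], k
            }
            if (hooks && sec + 0 < 2)
                print "script-security: up/down hooks are set but script-security is below 2"
            for (p in path) print "hookpath " p
        }'
}

# Usage: lint_profile CLIENT_OVPN ; prints findings, returns how many there were.
lint_profile() {
    report=$(profile_findings "$1" | while IFS= read -r line; do
        case "$line" in
            ("hookpath "*) p=${line#"hookpath "}
                [ -x "$p" ] || echo "hook: $p is not an executable file on this host" ;;
            (*) echo "$line" ;;
        esac
    done)
    count=$(printf '%s\n' "$report" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 0 ] || printf '%s\n' "$report"
    return "$count"
}

# Constructed sample profile (placeholders stand in for PEM and key data).
# write_profile OUTFILE FILE_DIRECTIVE_PREFIX HOOK_SCRIPT_OR_EMPTY
write_profile() {
    {
        printf 'client\nremote 203.0.113.10 1194\n'
        printf '%sca ca.crt\n%scert client.crt\n%skey client.key\n' "$2" "$2" "$2"
        [ -z "$3" ] || printf 'up %s\ndown %s\n' "$3" "$3"
        printf 'key-direction 1\n'
        for b in ca cert key tls-auth; do
            printf '<%s>\n(constructed placeholder)\n</%s>\n' "$b" "$b"
        done
    } > "$1"
}

d=$(mktemp -d)
write_profile "$d/tutorial.ovpn" '#' ''                    # as Step 10 leaves it
write_profile "$d/forgot.ovpn" '' ''                       # file lines not commented
write_profile "$d/hooks.ovpn" '#' "$d/update-resolv-conf"  # script deliberately absent
for f in tutorial forgot hooks; do
    echo "== $f.ovpn"
    lint_profile "$d/$f.ovpn" || echo "   $? finding(s)"
done
rm -rf "$d"
```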

  • Hi, I’m having issues with systemd, I think.

    sudo systemctl status openvpn@server

    causes this error

    sudo: systemctl: command not found

    I’m on Ubuntu 16.04 on a vagrant virtual box machine.

    • @munchingmonster I’m not sure what the issue could be. If you’re installing on Ubuntu 16.04, that command should be available unless you’ve done something drastic like switch out the entire init system (you wouldn’t have done that without knowing about it). I would suggest maybe spinning up a new Ubuntu 16.04 server to see if the same thing happens on a fresh box.

  • I am in India and my server is in Singapore. After following the procedure given above, when I connect to the server it does establish a connection with an IP assigned, but I am not able to access the internet. Any fix for this? Or have I done anything wrong?

  • Thanks!

    I’m just wondering why I should copy ca.key to the openvpn dir?

    sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn

  • root@cloud:~# sudo systemctl enable openvpn@server
    sudo: systemctl: command not found

    Anyone else get this

    root@cloud:~# lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description: Ubuntu 14.04.2 LTS
    Release: 14.04
    Codename: trusty

    • @ezssl As your output indicates, you’re trying to follow this guide on the incorrect release. This guide was written for Ubuntu 16.04, which uses the systemd init system. Ubuntu 14.04 uses Upstart as its init system, so it’s not directly compatible. You can either switch to Ubuntu 16.04, or you can follow our OpenVPN guide for Ubuntu 14.04. Hope that helps!

      by James
      OpenVPN is a full-featured open source Secure Socket Layer (SSL) VPN solution that accommodates a wide range of configurations. In this tutorial, we'll set up an OpenVPN server on a Droplet and then configure access to it from Windows, OS X, iOS and Android. This tutorial will keep the installation and configuration steps as simple as possible for these setups.
  • Hi first thanks for the great guide. But I have now the problem that I can not source vars anymore. It worked for the first certificate. But after going back to create more certificates it doesn’t work anymore. At this point I don’t know how to fix this. Help would be great!

  • This just wrecked my server, can’t connect to it through FTP, my Samba shares are gone, web server is busted, the only thing working, thank god, is ssh, how do I fix this without having to reinstall everything?

    • @sanosukekursch I’m sorry this guide caused you so much trouble. It’s possible that you just need to allow access to those services through the firewall. Try taking a look at Step 5 of our firewall guide to see if you can regain access to everything.

      by Hazel Virdó
      UFW, or Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult for beginners to learn how to use it to properly configure a firewall. If you're looking to get started securing your network, and you're not sure which tool to use, UFW may be the right choice for you. This tutorial will show you how to set up a firewall with UFW on Ubuntu 16.04.
  • Thanks for providing such a nice article, This makes complex thing easy.

    I have one question. I want to add more than one client, so I repeated steps 6 and 11-12, but both clients now have a different DHCP server.
    My main task is to make those two clients communicate with each other, so for this reason I uncommented client-to-client and added server
    topology subnet
    in the server conf file.


  • Which product from Digital Ocean would I need to purchase to set up an OpenVPN on their network?

  • I did it and can connect to the VPN server, but it doesn’t change my public IP address so it doesn’t work properly. I’ve tried both on OSX and Ubuntu.

  • Thx for the good tutorial.
    However, I tried it 2 times unsuccessfully. The first time I couldn’t access the VPN; the second time it seemed to be alright because of the message “Initialization Sequence Completed”, but my IP address didn’t change to the server’s. Internet access was possible but with my original IP.
    Any suggestions (without using the script mentioned here)?
    Thx for your help.

    My configuration: Ubuntu 16.04 client and ocean server with Ubuntu 16.04 (and lamp on it). Both were newly installed.

    • @markus4711 If you are using Ubuntu 16.04 for both the server and client, the first thing I’d do is check to make sure that the configuration is trying to modify your DNS resolvers. First make sure that there is an update-resolv-conf script within the /etc/openvpn directory on your client:

      • file /etc/openvpn/update-resolv-conf
      update-resolv-conf: Bourne-Again shell script, ASCII text executable

      Afterwards, in the client configuration file (client1.ovpn in this example), make sure you’ve uncommented the three lines that tell the client to run that script:

      • nano client1.ovpn
      . . .
      script-security 2
      up /etc/openvpn/update-resolv-conf
      down /etc/openvpn/update-resolv-conf
      . . .

      These lines are responsible for running the update-resolv-conf script, which dynamically alters how your client routes traffic.

      On the server side, make sure you’ve followed the directions in this section to push the DNS traffic to your clients.

      That’s usually enough to make it work.

      • @jellingwood
        Yeah, now it works!
        The solution was your suggestion: “On the server side, make sure you’ve followed the directions in this section to push the DNS traffic to your clients.”

        I had to uncomment these 3 lines in the /etc/openvpn/server.conf:
        push “redirect-gateway def1 bypass-dhcp”
        push “dhcp-option DNS”
        push “dhcp-option DNS”

        Thanks for your help!
        best regards

  • On step four, when I enter “source vars” it logs me out, and even if I log back in and try to run “./build-ca” it tells me that I need to run “source vars”.
    Any help? New to all this, thanks.

  • Adjust the UFW Rules to Masquerade Client Connections

    Stuck here... Anyone up for help?
    I am using FileZilla to edit my files, because I don’t know how to use the terminal.
    I can’t find files in the ufw folder; there is just one folder named ‘applications.d’.
    I did the exact same steps from 1 to 8 and now an obstacle.
    Thanks!

  • Stuck at step 8. I open the ufw directory but can’t find any file.
    Using FileZilla.
    I am skipping step 8 and going for 9. Someone please help me … about step 8.

  • Hi, can anyone help? When I try to connect it gives me this error in the log file:

    Sat May 27 14:14:04 2017 NOTE: --user option is not implemented on Windows
    Sat May 27 14:14:04 2017 NOTE: --group option is not implemented on Windows
    Options error: Unrecognized option or missing parameter(s) in client1.ovpn:128: key-direction (2.3.16)
    Use --help for more information.

  • Followed this tutorial and everything appeared to be correct with the client being able to connect, but no traffic was passing. Did a bunch of searching on the internet and found I had to add this to the process:

    iptables -t nat -A POSTROUTING -s ! -d -j SNAT --to <replace with server IP>

    once I issued this command on the server, the clients worked fine.

    Suggestion is to add this line to /etc/rc.local so it gets run on every reboot.

  • After you’ve done the above procedure, trying to connect to the .ovpn file I get these two errors:

    2017-05-30 09:21:45 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
    2017-05-30 09:21:45 OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
  • Hi guys! I used this instruction (or ) because it’s almost the same and automated, but I have a problem now:

    I can use only 1 connection to the server at the same time.

    And here I don’t know: should I create a new OpenVPN config, or is it some kind of restriction?

    Example: I connected on Windows 10 by OpenVPN (using my client.ovpn) and a few minutes later I connected on Android by OpenVPN (using the same client.ovpn config), and since then I have timeouts on Windows.

    Maybe you know how to fix this.

  • Hi! I followed your tutorial on a fresh vps, and OpenVPN works. There remains only one issue. I have a php script running which listens for traffic on a specific port. With OpenVPN enabled, this doesn’t work since it’s listening in the wrong interface (tun0) instead of ens3. Do you have a suggestion how to fix this?

    No traffic:
    root@vps-ams:~# tcpdump port 5030
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes

    Traffic after a pkill of OpenVPN:
    root@vps-ams:~# tcpdump port 5030
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes

  • What exactly do I have to do in Step 11 after creating the client1.ovpn file ?

  • I’m getting this error:

    2017-06-15 09:04:03 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    2017-06-15 09:04:03 TLS Error: TLS handshake failed

    From the logs everything seems to be connecting ok (i.e. no ufw issues or anything).

  • I’ve been using directions for over 15 years. This was the most complete I’ve ever come across. Thumbs up! Now, since I’m using shorewall, before I accidentally break its configuration and lock myself outside (I’m setting this up remotely) by trying to translate the masquerade and the forward policy, do you have any hints? If not, still, amazing job!

  • RESOLVE: Cannot resolve host address: serverIPaddress: nodename nor servname provided, or not known

  • Just completed this tutorial and my VPN server is working great.

    I added this line to my .ovpn file to stop DNS leaks I was getting.

  • Heads up, as of today Openvpn has not been updated by the Ubuntu folks. Better download the code from openvpn directly.

  • Hi Justin,

    Thanks for the tutorial. Everything worked fine in the configuration part but I have a query:

    remote “serverIPaddress: 1194

    In the above line in the config file, serverIPAddress is my host machine interface VPN IP, right?

    Because when I was trying to connect to the VPN using the .ovpn file I am getting “Waiting for the server”. And that is forever.

    Could you please help me with this.

  • Great tutorial. One error - early in step 11 you need to include

    mkdir files

    or else ./ client1 fails

    Many thanks

  • @jellingwood I’m getting an error “Error reading multiple files referenced by profile : ca.crt, client.crt, client.key” in my OpenVPN android app when I attempt to import the client1.ovpn file. See screenshot. Any idea what I may have done wrong?

    • @shaansweb In step 10, while creating the base configuration, there is a step to comment out these lines (you comment out a line by adding the hash symbol in front of it):

      #ca ca.crt
      #cert client.crt
      #key client.key

      Make sure that your client configuration either comments out or removes those lines, otherwise OpenVPN will search for additional files within the directory.

  • Perfect for me! Shadowsocks-libev client doesn’t work in my local machine. But this one works just fine!

  • Hi. I’m getting an error on step 9,

    ~$ sudo systemctl start openvpn@USER
    Job for openvpn@USER.service failed because the control process exited with error code. See “systemctl status openvpn@USER.service” and “journalctl -xe” for details.

    I got this error when I entered the start command. I hope someone can help me with this.
    Thank you!

  • Hi. I think I mistyped a script and ended up using sever instead of server, and now I can’t find the part I missed and want to edit the line to fix the “sever to server”. I hope someone can help me.

    Jul 07 11:21:49 USER ovpn-sever[15287]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/sever.conf
    Jul 07 11:21:49 USER ovpn-sever[15287]: Use --help for more information.
    Jul 07 11:21:49 USER systemd[1]: openvpn@sever.service: Control process exited, code=exited status=1
    Jul 07 11:21:49 USER sudo[15284]: pam_unix(sudo:session): session closed for user root
    Jul 07 11:21:49 USER systemd[1]: Failed to start OpenVPN connection to sever.
    -- Subject: Unit openvpn@sever.service has failed
    -- Defined-By: systemd
    -- Support:

    • @mcjg10 It looks like the part with the typo is actually the command you’re typing into the command line. It’s making OpenVPN look for a file called /etc/openvpn/sever.conf instead of /etc/openvpn/server.conf.

      Try this command:

      • sudo systemctl start openvpn@server

      Hope that helps. Good luck!

  • Thank you !

    This tutorial worked like a charm and without any pain.
    Just copy&paste.

    PERFECT !!

  • In Step 9. I’m missing something regarding the openvpn@server.service file, as systemctl can’t find it and fails. The .conf file is where it’s supposed to be, but what is the .service file and where should it be?

  • You should add that when setting up the client base file that you cannot use a floating IP address and still have a UDP connection work, you must use the real IP of the droplet (or assign your DNS to that IP, if applicable)

  • Having a problem at step 9:
    systemctl status openvpn@server
    sudo: systemctl: command not found

    • @AlessioScarlet If your system does not have the systemctl command, you are probably trying to complete this tutorial on a different version of Linux than intended. Ubuntu 16.04 ships with the systemd init system, which contains the systemctl command. If you are running a different version of Ubuntu, or a different version of Linux entirely, that command may not be available. I recommend that you either try this again using Ubuntu 16.04 or use the search at the top of this page to try to find a guide that matches the version of Linux that you are running. Hope that helps.

  • My VPN profile shows connected on my Android phone, but the IP remains the same as the mobile internet IP instead of the VPN server IP.

    Does anyone face this issue? Any solutions?

  • I followed the steps to a tee and got stuck on:

    sudo systemctl start openvpn@server

    The following was outputted:
    Job for openvpn@server.service failed because the control process exited with error code. See “systemctl status openvpn@server.service” and “journalctl -xe” for details.

    Going to try the script that everyone is suggesting now.

  • This article is awesome. Thanks, Justin!

    I’ve created a github repo that hosts the configuration above and allows you to just run a few scripts to get everything set up: I hope it helps!

  • I was able to complete the step by step tutorial, but when I use my Galaxy S8 and OpenVPN Connect to connect to the OpenVPN server, my IP address does not change when I check DNS Leak.

    Also when I do a cat /etc/openvpn/openvpn-status.log I see my android’s IP address show up.

  • Please, what I wanted to confirm is the address I am supposed to put in the line below. Is it the IP of my droplet, which is still the same address as eth0, or the tun0 address?
    “remote serverIPaddress 1194”.

  • I think I might have locked myself out of my server. I tried to ssh as root and also as the new user created with sudo privileges, but I am not granted permission.
    If I ssh root @ server ip address I get this message saying permission denied(publickey). If I also ssh filda@server ip address I get the same result.
    I did some configuration using the initial server setup tutorial for Ubuntu 16.04 (prerequisite). I generated a public key in step 4 using option 1. I also completed the configuration in step 5. When I tried using ssh filda@ server ip address I was allowed access then, but now I can’t log in using either root or filda. Please, I am still new to Linux. Does anyone have a solution or know what I am doing wrong?


  • I don’t know why, but after using this VPN for some days (5-6 days) I noticed that my hard disk usage went up to 90 GB and the VPN data consumption was also around this range. Is something wrong here?

  • I have a droplet that I currently use for a simple, low traffic website (an nginx server)
    Can I run this concurrently from the same droplet?? Should I??

  • Thanks so much for this Guide. I’m currently running it on a VM machine with Ubuntu Server 16.04 and after I followed the Step by Step Instructions it worked perfectly as I can connect with a Windows PC to the Server and I get a correct IP address. I can access resources internal to the network, but I can’t browse the internet through the tunnel. Any clue why? If I try to ping I get an IP resolved, but it times out.

  • This messed up my current nginx setup (just a default setup that serves files). How can I fix this? Or, if needed, how can I easily undo all this?

  • Hey there brotha, very beautiful tutorial. Had a few issues though, but corrected them.

    Except one.

    I am running the OpenVPN server on a separate machine on my network running Ubuntu 16 something, I think.

    Openvpn is running and on the correct port.

    But when I run sudo systemctl status openvpn@vpn_server
    I get the following error. < Active: failed (Result: exit-code)> and it is due to a pid file.

    Starting OpenVPN connection to vpnserver…
    Aug 22 17:55:59 vpnserver systemd[1]: openvpn@vpn
    server.service: PID file /run/openvpn/ not readable (yet?) after start: No such file or directory
    Aug 22 17:55:59 vpnserver systemd[1]: Started OpenVPN connection to vpn
    Aug 22 17:55:59 vpnserver systemd[1]: openvpn@vpn_server.service: Main process exited, code=exited, status=1/FAILURE
    Aug 22 17:55:59 vpnserver systemd[1]: openvpn@vpn_server.service: Unit entered failed state.
    Aug 22 17:55:59 vpnserver systemd[1]: openvpn@vpn_server.service: Failed with result ‘exit-code’.

    Looking in the /run/openvpn directory there is a file, but no file. I’m sure this is just a simple error in a .conf file somewhere, but I have no idea where to look. Any thoughts?

  • OK, I got everything working and connecting just fine, but with my phone connected to my vpnserver NOT on wifi (actually using my WAN IP for now until I get a DNS issue fixed), when I go to Google and type <my ip> it still shows my current IP from the phone ISP and not my server IP address like it should.

  • Excellent article,
    This article solved many issues. I think there are more iOS users than users of any other operating system, so any iOS user who wants to set up OpenVPN can visit:

  • How does one go about allowing access to the LAN from the client? I have the connection working, and I have internet access, but I need network access as well.

  • Please note that on Windows, OpenVPN GUI now allows to be launched as a ‘normal’ user, provided the user is member of a local group named 'OpenVPN Administrators’. Users who are member of this group can launch VPNs (with routing) without admin rights.
    Config files can now be put in C:\Users\%USERNAME%\OpenVPN\Config so only that user can launch that particular ovpn.

  • It didn’t work for me at first but then I used the script and uninstalled it and installed it again with script and then uninstalled it and used this tutorial and used the default port and udp and the name “server” and then it worked perfectly.

  • Thanks so much for the great tutorial, managed to get it up on running connect from my Mac to the server just perfectly fine!

    I do have one question though, I’m trying to connect to the VPN via my dd-wrt router so that all devices behind my router can access the VPN. I can connect just fine from the dd-wrt router, and I’ve validated that on the router the traffic gets tunneled via the VPN.

    However, any client connecting to the dd-wrt router doesn’t get routed correctly. I’m pretty sure the configuration of the OpenVPN client on the dd-wrt router is just fine, perhaps is there something that needs to be done on the OpenVPN server to effectively allow it to act as a gateway for multiple machines with NAT or something along those lines?

  • To anyone having DNS leak issues, simply add this line to your ovpn file:


    And it should work!


  • Hi
    I followed this guideline but I don’t know why this was not successful. Moreover, my default VPN settings have been changed and I can’t use them now. How can I restore the default settings?

  • For those with the problem “tls error incoming packet authentication failed from”, a simple fix is to make sure to restart the openvpn service with the command below. Took me a few hours to figure this out.

    sudo systemctl restart openvpn@server

  • I ran into a few (a lot of) issues while setting this up. I was able to fix it by changing two things. I am installing the server on a Raspberry Pi 3 V1.2 running Raspbian Stretch Lite and connecting with an Android phone through OpenVPNConnect.

    At Step 8: Adjust the Server Networking Configuration, I completed the steps involved in (Optional) Push DNS Changes to Redirect All Traffic Through the VPN.

    I also removed the ta.key portion (everything between the <tls-auth> headers) from the bottom of the produced client1.ovpn file and included the ta.key in the same directory as the client1.ovpn file on the client side when importing.

    Hopefully this helps someone else! Please remember to share solutions!

    Edit: I also had to run sudo ln -s openssl-1.0.0.cnf openssl.cnf before being able to run source vars at the beginning of Step 4: Build the Certificate Authority.

  • many thanks, you’ve saved me the time)

  • I am able to use OpenVPN perfectly fine, but with one client config file anyone can use the file and connect to the VPN in the network. I want to restrict each client file to a single user, based on MAC address. How do I do that?

    And is it possible to pass traffic only through OpenVPN for all the clients?

    • @xprt Unfortunately, OpenVPN does not provide a way to restrict the configs and certificates based on MAC address. MAC addresses are relatively easy for attackers to spoof, so that’s probably not a great way to restrict access anyways. If you want a second factor of authentication, you can create a client with a password so that even if certificates are shared, they won’t be usable without the password.

      As for pushing all traffic through OpenVPN, try modifying the options listed in the section on pushing DNS changes for clients. Hope that helps!

  • Great tutorial!

    I miss a chapter 15 - Cleanup. What is a good idea to do with the files in ~/openvpn-ca/keys/ (permissions, offline backup, etc.)? Additionally, what files are really needed, with which permissions, in the /etc/openvpn/ directory?

    Thanks in advance!!!

    I had just to change one more thing in the client config:
    tls-auth needs to be commented otherwise applications like tunnelblick are searching for the ta.key file instead of using the inline one…

    • @KnustJohannes The files in the ~/openvpn-ca/keys directory should be kept secure from outside parties since they contain all of the information necessary to connect to the server or create new keys. By default, all of the private files (the .key files) should only be readable by the user who created them, so your account strength will dictate their security.

      Arguably, the client credentials (the client1.key and client1.crt, for instance) should be moved off of the server since the client should be responsible for handling those and they don’t need to be present on the server. A separate copy of each certificate file (the files ending in .crt) is written to the directory named after the certificate’s serial number (can be found in the index.txt file) and ending with .pem (so the second certificate generated will also be available as 02.pem in the directory). You can keep these on the server for reference if you’d like since certificates themselves are not private.

      In general though, you’ll want to maintain access to most of the files in the ~/openvpn-ca/keys directory in some form or another so that you can create new keys or revoke existing keys in case of compromise or rotation. One option is to move and maintain the entire directory to a different machine that is only brought online when key management tasks are required. This can help protect the files from compromise.

      As for the /etc/openvpn directory, you’ll need to have the certificate authority’s self-signed certificate (ca.crt), the OpenVPN server configuration file (server.conf), OpenVPN’s certificate and key (server.crt and server.key), and the Diffie-Hellman key and HMAC signature (dh2048.pem and ta.key). Depending on your configuration in the server.conf file, the server itself may also generate an openvpn-status.log file and an ipp.txt file to map clients to virtual IP addresses to help with persistence. If you have revoked keys, you’ll also have a crl.pem file listing the certificates that the server should no longer accept. Ubuntu usually also includes an update-resolv-conf script in the /etc/openvpn directory that’s used mainly on client machines. You may be able to remove this from your OpenVPN server if it bothers you, but it won’t hurt anything.

      The permissions for the /etc/openvpn directory are pretty straightforward. Anything ending with .key should be inaccessible to normal users. Everything else can usually have slightly relaxed permissions. I wouldn’t modify any files generated by the OpenVPN server itself though (like the openvpn-status.log and ipp.txt files) without checking whether that affects the server’s operation first.

      Anyways, I hope that helps! Good luck!
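The file list and permission advice in the reply above can be turned into a repeatable check. The following is an added example, not part of the original thread or the tutorial: the function name `audit_openvpn_dir` is hypothetical, GNU `stat` is assumed, and treating every `.key` file other than `server.key` and `ta.key` as unexpected is this example's own reading of that reply.

```shell
#!/bin/sh
# Added example: audit a directory laid out like /etc/openvpn against the
# file list given in the reply above. Assumes GNU stat (Linux).

# audit_openvpn_dir DIR
# Prints one finding per line; returns 0 when nothing is flagged, 1 otherwise.
audit_openvpn_dir() {
    dir=$1
    status=0

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")

        # Only private key files are inspected in this loop.
        case "$name" in
            *.key) ;;
            *) continue ;;
        esac

        # Which keys belong on the server at all (assumption of this example:
        # only the two keys named in the reply are expected).
        case "$name" in
            server.key|ta.key) ;;
            ca.key)
                echo "ca.key: CA private key should not be on the VPN server"
                status=1 ;;
            *)
                echo "$name: private key not needed by the server"
                status=1 ;;
        esac

        # Any group or other permission bit on a key file is a finding.
        mode=$(stat -c '%a' "$f")
        if [ $((0$mode & 077)) -ne 0 ]; then
            echo "$name: mode $mode lets group/other access the key"
            status=1
        fi
    done

    # Files the server needs according to the reply above.
    for need in ca.crt server.conf server.crt server.key dh2048.pem ta.key; do
        [ -f "$dir/$need" ] || { echo "$need: missing"; status=1; }
    done

    return "$status"
}
```

Run it as `audit_openvpn_dir /etc/openvpn` with enough privilege to list the directory; it only reads metadata and changes nothing.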

  • So I lost internet half way through this, specifically at step #9, and now I cannot SSH into my droplet… any one have any ideas?

  • I don’t quite understand why you are relying on the old version of Easy-RSA. Please use Easy-RSA v3 instead.

  • Cheers for the tuto.
    However, I’ve got a problem with it. I’ve followed the steps up to step 12, just changing port 1194 to 443 and protocol UDP to TCP. The thing is, at this point I had to reboot my computer (which is on dual boot) to go on Windows to download the file (client.ovpn etc…) with FileZilla. But from there I can’t connect to the server. I tried to connect with PuTTY and then went back to Ubuntu to try with SSH. Neither of them works. I even tried from another connection and tried with the external IP address.
    I run SSH on port 1337, with TCP protocol. I can ping the server, but when I try to connect with SSH, I get a timeout. If I try with a port other than the one I configured (1337) I get “ssh_exchange_identification: Connection closed by remote host”. So if anyone can help me, that would be nice.
    I forgot to mention, but I run Ubuntu on my computer and Ubuntu Server 16.04 on the server, which is connected by ethernet to my internet box.

  • Big security concern,

    you should NOT copy your easy-rsa generated ca.key anywhere!
    It is a private CA key and never leaves safe place where client certificates are generated.

  • All of my web server requests now return a bad gateway 502 error after using this guide! Advice where this may have happened and or how to fix?

  • Worked a treat for me.
    Thank you very much.
    I just need to understand a bit more about how it all works.

  • I followed everything exactly as the tutorial says but when I load the ovpn file on my iPhone I’m getting the error “Missing/bad file: ta.key : cannot open for read: /var/mobile/Con…”

  • Hi, and thanks for a great tutorial!

    After trying some other tutorials, I ended up using PPTP, got some issues there as well, and decided to give openvpn another try.

    With this tutorial I actually got it to work..

    I’m running the server on a Ubuntu 16.04 desktop on a vmware at home, and currently I have been able to connect an Ubuntu 17.10 host, and 2 Android devices (phone and tablet).

    The main reason for me using VPN in the first place is to obtain a Norwegian IP address in order to watch geo-locked content (TV) from wherever I travel in the world (and I travel a lot :)

    Which brings me on to the actual issue:

    I have an apartment in Spain, and there I want to connect my Smart TV, Apple TV and Chromecast also via the VPN.
    In order to do this I intend to set up my Ubuntu 17.10 host as a router, using the wireless adapter to connect to the main ISP network, and my ethernet interface as a dhcp server connected to another wireless router dedicated for clients that should have their traffic routed through the VPN connection.

    My wireless card (wlx6470021e653d) should thus work as the main route out via tun0?

    My eth interface (eno1) is acting as a dhcp server with ip
    The dhcp function works, and clients connected to the attached wireless router on this interface get IP addresses, with default gateway

    The issue is how to set up openvpn server/client so that hosts on my local LAN get their traffic routed through the VPN?

    In the server config file there is a section for this (this is how it is on my server):

    EXAMPLE: Suppose the client having the certificate common name “Thelonious” also has a small subnet behind his connecting machine, such as

    First, uncomment out these lines:

    client-config-dir ccd

    Then create a file ccd/Thelonious with this line:


    This will allow Thelonious’ private subnet to access the VPN. This example will only work if you are routing, not bridging, i.e. you are using “dev tun” and “server” directives.

    EXAMPLE: Suppose you want to give Thelonious a fixed VPN IP address of

    First uncomment out these lines:

    client-config-dir ccd

    Then add this line to ccd/Thelonious:


    I have created the ccd directory and the client file containing the mentioned commands.
    I am running this client on and the tun 0 interface gets correct IP and connection to the server is working. The client is connected to internet via the server and all looks fine.
    Is the above config OK for the other hosts behind the client?

    The issue now is to set up the vpn client in order for the hosts behind the client to also get access to the vpn and dns accordingly.

    I realize this may be more of an Ubuntu routing / ufw issue, but hope someone can help as I’m not very well into Linux routing and ufw firewall.

    I guess this issue would also be interesting for users doing more or less the same using a dd-wrt box for hosts instead of my Ubuntu 17.10 host.

    Will take a couple of weeks before i can fiddle more with this, and if no replies I will update with solution when I have one.

    Again: Thanks for the great tutorial.

  • I have followed all the steps. But I am unable to connect to other websites except my set up VPN server.
    Which part did I miss? Please help…

  • Thx for your awesome tutorial!
    I tried it and it works fine, surfing with my servers IP.
    Anyone know if I can configure it to stream Netflix with it?
    Netflix detects it as a proxy :/

  • :~/openvpn-ca/keys$ sudo systemctl start openvpn@server
    Failed to issue method call: Unit openvpn@server.service failed to load: Bad message. See system logs and ‘systemctl status openvpn@server.service’ for details.

    any suggestions?
    did everything according to the instructions

  • Why does my ubuntu install easy-rsa v2.2.2-2 when there is an easy-rsa3? I am getting an error building my CA because my openssl version is 1.1.0 which breaks the script

  • That is a wonderful manual. I got this working on Ubuntu server - Ubuntu client machine, but attempts to import the profile on android phone return “Error reading multiple files referenced by profile : ca.crt, client.crt, client.key”.
    Is there anything I could do to fix that?

  • Hi, followed the instructions and everything seemed to install and configure ok.

    When running the OpenVPN client from my Windows 10 PC I get the following error:
    Insufficient key material or header text not found in file ’[[INLINE]]’

    My client1.ovpn is within the OpenVPN\config directory.

    Anyone know what this error means?

  • I’m stuck at step 7.
    cp: cannot stat ‘ta.key’: No such file or directory
    cp: cannot stat 'dh2048.pem’: No such file or directory

    Isn’t there an easier way for vpn? :(

  • I’m stuck at step 7:
    cp: cannot stat ‘ta.key’: No such file or directory
    cp: cannot stat 'dh2048.pem’: No such file or directory

    Please help

  • At Step 9: Start and Enable the OpenVPN Service, I was not able to start the service. A quick Google session brought me to this community page:

    At the top a user suggests the following:
    Just comment out the LimitNPROC line in /lib/systemd/system/openvpn@.service. Reboot system after that. Enter again sudo systemctl start openvpn@server and the mistake have to disappear.

    This did the trick for me and after a reboot, everything worked fine, however, I have to admit that I’m not sure on what this setting does, whether it was just the reboot that solved the problem or if this setting is even safe. Maybe someone here could confirm that? And if that is the case, it might be good to add it to this tutorial.

  • Hello all,

    if someone is using iptables you can use

    iptables -t nat -A POSTROUTING -s -o <external interface> -j MASQUERADE

    use <external interface> as described in this how to ;)

    Check iptables NAT rules with

    iptables --table nat --list

    Thanks a lot for your great how to !!! :-)

  • hi all, i installed and configured succesfully and i connect via openvpn GUI on my win client.

    How to build second client2.ovpn file?

    cd ~/openvpn-ca
    source vars
    ./build-key-pass client2
    cd ~/client-configs
    ./ client2

    is it enough?

  • If you upgrade openvpn to the latest version, there are new crl.pem requirements, which broke my openvpn connections following this guide.

    For a quick fix: remove the line from step 14: crl-verify crl.pem

    then restart the server openvpn process.

    For a proper fix, I am still working on it… I think you have to recreate a non-expired crl.pem file but you have to add a new variable to the vars file first :KEY_ALTNAMES.

  • If you update to openvpn 2.4.4 (using OpenSSL 1.0.2g) you may have crl.pem issues. When I upgraded I could no longer connect unless I commented out the crl-verify line in Step 14.

    I’m trying to recreate my crl.pem now but unsuccessfully so far.

    • The problem may lie in the service being started as nobody:nogroup (see one of the steps above that says to uncomment the “user” and “group” lines). It may be possible to run the service as root, but I went with the following:

      The log file complains that it can’t read the crl.pem file, at least it did in my case. The crl.pem file was world readable, but nobody:nogroup has to be able to navigate to the file. Thus, each parent folder has to have executable permissions to get to the file. I created /REV and copied the crl.pem file to it. I then used “crl-verify /REV/crl.pem” in the config file. This appears to work. I’m waiting on the author of this guide to answer whether or not it’s safe to run the service as root. My OpenVPN server is an isolated machine in a locked room. I think it’s okay.
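The reply above comes down to this: once OpenVPN drops privileges to nobody:nogroup, crl.pem must be readable by "other" and every parent directory must carry the "other" execute bit. The following is an added example, not code from the thread or the tutorial, that reports which path component blocks access; the function name `check_traversal` is hypothetical, GNU `stat` is assumed, and it assumes the service account is neither owner nor group member of any component.

```shell
#!/bin/sh
# Added example: find the path component that stops an unprivileged service
# account (e.g. nobody:nogroup) from reading a file such as crl.pem.
# Assumption: the account is neither owner nor group member anywhere on the
# path, so only the "other" permission bits matter. Assumes GNU stat (Linux).

# check_traversal FILE
# Prints one line per blocking component; returns 0 if reachable, 1 if not.
check_traversal() {
    target=$1
    blocked=0

    [ -e "$target" ] || { echo "missing: $target"; return 1; }

    # The file itself needs the other-read bit (octal 4).
    mode=$(stat -c '%a' "$target")
    if [ $((0$mode & 4)) -eq 0 ]; then
        echo "not readable by others: $target"
        blocked=1
    fi

    # Every ancestor directory needs the other-execute bit (octal 1),
    # otherwise the account cannot walk down to the file.
    dir=$(dirname "$target")
    while :; do
        mode=$(stat -c '%a' "$dir")
        if [ $((0$mode & 1)) -eq 0 ]; then
            echo "not traversable by others: $dir"
            blocked=1
        fi
        case "$dir" in
            /|.) break ;;
        esac
        dir=$(dirname "$dir")
    done

    return "$blocked"
}
```

Pass it the absolute path from the `crl-verify` line of the server config, for example `check_traversal /etc/openvpn/crl.pem`.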

    • @devanb Hey there. This guide only covers the version of OpenVPN included in Ubuntu 16.04’s default repositories, so I’ll be unable to provide much specific guidance.

      That being said, it looks like other users have experienced the issue with the CRL system in OpenVPN 2.4.4. You can take a look at this blog post to understand the problem a bit.
      Basically, for 2.4.4, you can modify the CRL expiration to try to work around the issue until an update fixes it.

      For this guide, you’d want to do something like the following…

      Open up the ~/openvpn-ca/openssl-1.0.0.cnf file:

      • nano ~/openvpn-ca/openssl-1.0.0.cnf

      Inside, find the default_crl_days option and change the value to a long period of time. For instance, for 10 years, you can set it like this:

      . . .
      default_crl_days= 3650
      . . .

      Afterwards, you can try to revoke the key again to regenerate the CRL:

      • cd ~/openvpn-ca
      • source vars
      • ./revoke-full client3

      Follow the rest of the CRL portion of this guide to copy the new CRL, add the crl-verify line to your server config (sounds like you’ve already done this), and restart the OpenVPN service. I can’t verify personally if this works or not, but it seems to be the same issue you’re describing, so it’s worth a shot. Good luck!

      • Thank you for the thorough response.

        I followed the same guide you are referring to and it was stuck on a missing common name in my certificate authority. There were no more clients to revoke and I couldn’t just recreate the crl.pem from my preexisting index. Since I only have a few clients, I just recreated all the keys for the server and clients.

        I also considered downgrading instead but I think there was a recently discovered security issue with the openvpn version distributed in Ubuntu 16.04.

  • Anyone other than myself and @devanb not able to revoke a certificate? OpenVPN 2.3.10 with openssl 1.0.2g. I followed the guide above at step 14 for crl-verify option but every client can’t connect after entering crl-verify /etc/openvpn/crl.pem in the config file. When I comment it out and restart the service everything is back to normal, but the cert I want to disable still works.

    I also used this guide for CRL to no avail. The directions are largely the same.

  • Ok, I’m so close. I’ve got this up and running on my Windows client but I’m trying to run this on my dd-wrt router. Any good write-ups for this? I tried copying and pasting the certs in the right fields on the dd-wrt but I’m getting some errors, here’s the dd-wrt log

    20171226 06:51:48 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
    20171226 06:51:48 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    20171226 06:51:48 I TCP/UDP: Preserving recently used remote address: [AFINET]...:1194
    20171226 06:51:48 Socket Buffers: R=[172032->172032] S=[172032->172032]
    20171226 06:51:48 I UDPv4 link local: (not bound)
    20171226 06:51:48 I UDPv4 link remote: [AF
    20171226 06:52:33 MANAGEMENT: Client connected from [AFINET]
    20171226 06:52:33 D MANAGEMENT: CMD ‘state’
    20171226 06:52:33 MANAGEMENT: Client disconnected
    20171226 06:52:33 MANAGEMENT: Client connected from [AF
    20171226 06:52:33 D MANAGEMENT: CMD 'state’
    20171226 06:52:33 MANAGEMENT: Client disconnected
    20171226 06:52:33 MANAGEMENT: Client connected from [AFINET]
    20171226 06:52:33 D MANAGEMENT: CMD 'state’
    20171226 06:52:33 MANAGEMENT: Client disconnected
    20171226 06:52:33 MANAGEMENT: Client connected from [AF
    20171226 06:52:33 D MANAGEMENT: CMD 'status 2’
    20171226 06:52:33 MANAGEMENT: Client disconnected
    20171226 06:52:33 MANAGEMENT: Client connected from [AF_INET]
    20171226 06:52:33 D MANAGEMENT: CMD 'log 500’
    19691231 18:00:00

    Any assistance with this would be greatly appreciated, thanks

  • I am stuck at Step 5, I could not see the ta.key file in the keys folder.
    This is what I have in the keys folder:
    01.pem ca.key client1.key index.txt index.txt.old serial.old server.csr
    ca.crt client1.csr dh2048.pem index.txt.attr serial server.crt server.key

    Please help me

    • very last part of step 5:

      openvpn --genkey --secret keys/ta.key

      that should create the referenced ta.key file. That step is easy to miss.

  • Hi, I followed the steps listed but when I go to connect through Tunnelblick on my Mac it says “Waiting for server response”. I did enable port forwarding on my router for port 1194 UDP.

  • Thanks! This tutorial is very helpful.

  • In the UFW settings I was locked out when I hit enable as my SSH is on a different port… luckily I was able to access my VPS through its web console to add that port to UFW

  • For anyone getting “Active: inactive (dead)” when running “systemctl status openvpn@server”, like this:

    # systemctl status openvpn@server
    ● openvpn@some-config.service - OpenVPN connection to some-config
       Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
       Active: inactive (dead)
         Docs: man:openvpn(8)

    Check out this link:

  • Many, many thanks for this awesome tutorial!! I setup my first droplet, vpn server, and phone vpn client setup first try and very quickly.

  • Hi
    I followed this article to make an OpenVPN server.
    Everything is OK,
    but I can’t connect to the server with my Linux client.
    This is the log of my client:
    Tue Feb 13 07:52:13 2018 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
    Tue Feb 13 07:52:13 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
    Tue Feb 13 07:52:13 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Tue Feb 13 07:52:13 2018 Error: private key password verification failed
    Tue Feb 13 07:52:13 2018 Exiting due to fatal error
    Can U help me?

  • hi
    I run an OpenVPN service on my Ubuntu VPS by following this article.
    The service is activated successfully, but I can’t connect to it from my Debian client machine.
    The connection failed error is here:

    ERROR: Private key password verification failed.
    Exiting due to fatal error.

  • How do you save and exit??? It doesn’t work

  • Good tutorial. Except, for me, the server would not start unless I do ‘systemctl daemon-reload’ before starting the server.

  • Open VPN networking is working but no internet access
    Try this on the server:

    sudo iptables -t nat -A POSTROUTING -j MASQUERADE

  • For everyone who is struggling on step 9 because of missing TUN/TAP, I may have a solution for you:

    When I tried to start my openvpn-service I received

    Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)

    So I searched in my openvpn-log (which I had to enable in the server.conf of openvpn, just uncomment the “log openvpn-log” entry).
    I got error-messages in my openvpn-log like

    openvpn Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)

    So yeah… Maybe there isn’t TUN/TAP enabled? Searched for it on Google and yeah… turns out that my vServer Provider (noez, Germany) doesn’t enable TUN/TAP per default, so I had to activate it manually in my control center by noez. One reboot later it worked perfectly!

    Ah yeah… and if you see some errors saying

    openvpn@server.service: PID file /run/openvpn/ not readable (yet?) after start: No such file or directory

    and you look in this folder and it is empty, you just have to add another entry in the server.conf at the end (or elsewhere):

    writepid /run/openvpn/

    Reboot and check if your tunnel is online. I hope this helps you a bit… searched for hours because of this above.

  • Just got this working. For some reason I had to use ‘