Ubuntu - Ultimate Guide to OpenVPN: Server and Client Configuration


I wrote these tutorials for myself, for the future when I forget the next steps.

Setting up a secure OpenVPN server on Oracle Cloud is straightforward when you follow the right steps. This guide walks you through installing OpenVPN using the angristan installation script, configuring it for your Oracle Cloud instance, and ensuring proper routing so your clients can access the internet through the VPN tunnel.

Prerequisites

  • Oracle Cloud Ubuntu instance (or any Ubuntu 20.04+)

  • SSH access to your server

  • Basic understanding of Linux commands

  • A local machine (Mac/Linux/Windows) to connect as a client

Step 1: Install Dependencies

First, update your system and install required packages:

sudo apt update
sudo apt install wget curl

Step 2: Download and Run the angristan OpenVPN Installation Script

The angristan script automates most of the OpenVPN setup, making it simple and reliable:

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh

Step 3: Configure OpenVPN During Installation

The script runs in interactive mode and will prompt you for configuration options. Here's what to choose:

Server IP Address

IPv4 address: 123.111.222.111
(Replace with your actual Oracle Cloud instance's public IP)

VPN Port

Port [1194]: 11122
(Change from the default 1194 to 11122; a non-default port cuts down on automated scanner noise, but that is obscurity rather than a security control, so it does not replace the firewall and key material below)

Protocol

Protocol [1-2]: 1
(Select UDP - faster and more efficient)

VPN Subnet

IPv4 VPN subnet [1-2]: 1
(Select default 10.8.0.0/24)

DNS Servers

Which DNS resolvers should be pushed?
1) Cloudflare
2) Quad9
3) OpenDNS
4) AdGuard

DNS choice [1-4]: 1
(Cloudflare is reliable, or choose your preference)

Compression

Compress data channel? [y/n]: n
(Leave compression off: besides compatibility problems, compressing the VPN data channel is a known weakness, and the script itself recommends against enabling it)

MTU Size

Customize tunnel MTU? [y/n]: n
(Default 1500 works for most networks)

Encryption Customization

Customize encryption settings? [y/n]: n
(Default modern encryption is secure and compatible)

Username

Do you want to add a new user now? [y/n]: y
Username: fiko
(Use your preferred username)

Step 4: Download the Generated Client Configuration

After installation completes, copy your client profile to your local machine:

scp -P 10022 fiko@123.111.222.111:~/fiko.ovpn ~/Downloads/

Replace fiko with your actual username.
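Before importing the profile it is worth confirming that it carries the choices made in Step 3 (UDP, port 11122, no compression) and two client-side hardening directives that OpenVPN documents: remote-cert-tls server, so the client only accepts a peer whose certificate is marked for server use and another client's certificate cannot pose as the server, and an inline tls-crypt or tls-auth key, which authenticates control-channel packets before the TLS handshake. The checker below is an added example, not code from this post or from the angristan script. SAMPLE_PROFILE is a constructed profile with placeholder certificate and key text, and EXPECT_HOST and EXPECT_PORT default to the values used in this guide.

```shell
#!/bin/sh
# Added example, not from the original post or the angristan script.
# Checks a client .ovpn profile against the choices made in Step 3 and
# two client-side hardening directives.
set -eu

EXPECT_HOST="${EXPECT_HOST:-123.111.222.111}"   # server IP from Step 3
EXPECT_PORT="${EXPECT_PORT:-11122}"             # port from Step 3

# Read a profile from stdin and print one line per check: "OK ..." or "WARN ...".
check_profile() {
    awk -v host="$EXPECT_HOST" -v port="$EXPECT_PORT" '
        $1 == "remote" { remote_ok = ($2 == host && $3 == port) }
        $1 == "proto"  { proto = $2 }
        $1 == "compress" || $1 == "comp-lzo" { compression = 1 }
        $1 == "remote-cert-tls" && $2 == "server" { rct = 1 }
        $1 == "<tls-crypt>" || $1 == "<tls-auth>" { tls_key = 1 }
        END {
            if (remote_ok) print "OK   remote is " host " " port
            else           print "WARN remote does not match " host " " port
            if (proto == "udp") print "OK   proto udp"
            else                print "WARN proto is " (proto == "" ? "unset" : proto)
            if (compression) print "WARN compression directive present (disable it on both ends)"
            else             print "OK   no compression directive"
            if (rct) print "OK   remote-cert-tls server present"
            else     print "WARN remote-cert-tls server missing: any certificate signed by the CA would be accepted as the server"
            if (tls_key) print "OK   inline tls-crypt/tls-auth key present"
            else         print "WARN no tls-crypt/tls-auth key: control channel is not authenticated before the TLS handshake"
        }'
}

# Exit 0 when every check passed, 1 otherwise.
profile_ok() {
    ! check_profile | grep -q '^WARN'
}

# Constructed sample profile of the kind OpenVPN clients read; the certificate
# and key bodies are placeholders, not real material.
SAMPLE_PROFILE='client
proto udp
explicit-exit-notify
remote 123.111.222.111 11122
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-128-GCM
tls-client
tls-version-min 1.2
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT-NOT-REAL
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-KEY-NOT-REAL
-----END OpenVPN Static key V1-----
</tls-crypt>'

# Usage: sh check-profile.sh ~/Downloads/fiko.ovpn
# With no argument the constructed sample is checked instead.
if [ $# -gt 0 ]; then
    check_profile < "$1"
else
    printf '%s\n' "$SAMPLE_PROFILE" | check_profile
fi
```

Pass the downloaded file as the first argument (the script name check-profile.sh is an assumption) and read the WARN lines; a profile that fails the remote check usually means the scp copied an older profile or the port was changed after generation.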

Step 5: Critical - Fix Routing and Internet Access

This step is essential for clients to access the internet through the VPN. The script may not configure this automatically on Oracle Cloud.

Enable IP Forwarding

sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

Configure NAT (Network Address Translation)

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# The redirect must also run as root, otherwise your own shell opens the file and fails
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Note: 10.8.0.0/24 is the default VPN subnet you selected in Step 3 (VPN Subnet). If you chose a custom subnet during installation, replace 10.8.0.0/24 with your actual subnet; for example, if you configured 10.9.0.0/24, use that instead. Likewise, eth0 must be the interface that carries your default route (check with ip route show default); on Oracle Cloud Ubuntu images it is often called ens3. The /etc/iptables/rules.v4 file is only reloaded at boot if the iptables-persistent package is installed.

Open Firewall Port

Before either option, make sure UDP 11122 is also allowed as an ingress rule in the instance's VCN security list or network security group in the Oracle Cloud console; the host firewall is only the second filter the packet meets. Important (iptables): insert the ACCEPT rule ABOVE the REJECT line. The line number will vary on your system.

If using firewalld:

sudo firewall-cmd --permanent --add-port=11122/udp
sudo firewall-cmd --reload

If using iptables directly:

First, check your current iptables rules:

sudo iptables -L INPUT --line-numbers

Find the line number with the REJECT rule. In most cases it will be the last line. Then insert the new rule ABOVE it using -I INPUT <LINE_NUMBER>:

# Example: If REJECT is on line 16, insert at line 16
sudo iptables -I INPUT 16 -p udp --dport 11122 -j ACCEPT

Verify the rule was inserted correctly:

sudo iptables -L INPUT --line-numbers | grep -E "11122|REJECT"

Your output should look like:

16   ACCEPT     udp  --  anywhere             anywhere             udp dpt:11122
17   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

The ACCEPT rule must come BEFORE the REJECT rule.

Then save:

# The redirect must also run as root, otherwise your own shell opens the file and fails
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
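The three parts of this step (forwarding, NAT, the firewall rule) as one script that can be re-run safely. This is an added example, not from the original post or the angristan project. It assumes iptables-persistent is installed so /etc/iptables/rules.v4 is loaded at boot, takes the port and subnet from the VPN_PORT and VPN_SUBNET environment variables (defaulting to the Step 3 values), finds the egress interface from the default route instead of hard-coding eth0, and works out the REJECT line number itself. SAMPLE_LISTING is a constructed iptables listing so the parsing functions can be exercised without root; the --apply flag and the file name openvpn-fw.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the angristan script.
# Assumes: iptables-persistent is installed, and the script runs as root
# when --apply is given. Without --apply it only does a dry run.
set -eu

VPN_PORT="${VPN_PORT:-11122}"            # port chosen in Step 3
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"  # subnet chosen in Step 3

# Read an `iptables -L INPUT -n --line-numbers` listing from stdin and print
# the number of the first REJECT rule (nothing if the chain has none).
reject_line() {
    awk '$2 == "REJECT" { print $1; exit }'
}

# Decide where the ACCEPT rule goes: "I <n>" to insert above the REJECT
# rule, or "A" to append when there is no REJECT rule to get ahead of.
insert_position() {
    n=$(reject_line)
    if [ -n "$n" ]; then
        printf 'I %s\n' "$n"
    else
        printf 'A\n'
    fi
}

# Succeed (exit 0) if the listing on stdin already ACCEPTs our UDP port.
has_port_rule() {
    awk -v p="udp dpt:$VPN_PORT" '$2 == "ACCEPT" && index($0, p) { found = 1 } END { exit !found }'
}

# Constructed sample listing in the shape `iptables -L INPUT -n --line-numbers`
# prints; it stands in for the live chain during a dry run.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Live part: enable forwarding, add NAT, open the port, persist. Root only.
apply_rules() {
    # Interface carrying the default route (ens3 on many Oracle images, not eth0)
    wan_if=$(ip -o route show default | awk '{ print $5; exit }')
    [ -n "$wan_if" ] || { echo "no default route found" >&2; return 1; }

    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf

    # -C checks whether the rule already exists, so re-running does not duplicate it
    iptables -t nat -C POSTROUTING -s "$VPN_SUBNET" -o "$wan_if" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$wan_if" -j MASQUERADE

    listing=$(iptables -L INPUT -n --line-numbers)
    if ! printf '%s\n' "$listing" | has_port_rule; then
        set -- $(printf '%s\n' "$listing" | insert_position)
        # expands to "-I INPUT <n>" or "-A INPUT"
        iptables -"$1" INPUT ${2:-} -p udp --dport "$VPN_PORT" -j ACCEPT
    fi

    # this shell is already root, so a plain redirect is enough here
    iptables-save > /etc/iptables/rules.v4
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    printf 'dry run: insert position for the constructed sample listing:\n'
    printf '%s\n' "$SAMPLE_LISTING" | insert_position
fi
```

Run it as sudo sh openvpn-fw.sh --apply on the server; without the flag it only reports where it would insert the rule for the sample listing. Because the NAT rule is checked with -C and the ACCEPT rule is added only when absent, running it again after a reboot or a re-install does not pile up duplicate rules.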

Step 6: Restart OpenVPN Service

sudo systemctl restart openvpn-server@server
sudo systemctl status openvpn-server@server

Verify the service is running and shows "active (running)".

Step 7: Connect from Your Mac

Using Command Line

sudo openvpn --config ~/Downloads/fiko.ovpn

Leave this running in the terminal. You should see output like:

Initialization Sequence Completed

Using OpenVPN GUI (Alternative)

Install OpenVPN Connect (official client) on macOS and import the .ovpn file.

Step 8: Verify Your Connection

Open a new terminal tab (keep the OpenVPN terminal running) and test:

# Check VPN interface (the utun number varies per session; list candidates with: ifconfig | grep utun)
ifconfig utun8

# Should show something like:
# utun8: inet 10.8.0.2 --> 10.8.0.1

# Check default route
netstat -rn | grep "^default"

# Should show the VPN gateway (10.8.0.1) not your home network

# Test connectivity
ping 8.8.8.8
ping google.com

# Test DNS
nslookup google.com

Troubleshooting

Connection drops immediately after connecting

Cause: DNS resolution failing or routing misconfigured

Fix:

  1. Verify the NAT rule is present: sudo iptables -L -t nat -n

  2. Confirm IP forwarding is enabled: sudo sysctl net.ipv4.ip_forward

  3. Check server logs: sudo journalctl -u openvpn-server@server -n 50

Can connect but no internet access

Cause: Default route not pointing through VPN

Fix: Temporary workaround (on Mac):

sudo route add default 10.8.0.1

Permanent fix: Restart OpenVPN service on server and reconnect client.

Connection times out

Cause: Firewall blocking port 11122

Fix:

# Verify the port is open (OpenVPN listens on UDP, so use -u rather than -t)
sudo ss -ulnp | grep 11122

# Check your iptables rules to find the REJECT line number
sudo iptables -L INPUT --line-numbers

# Add to iptables if missing (insert ABOVE REJECT line)
# Replace <LINE_NUMBER> with your actual REJECT line number
sudo iptables -I INPUT <LINE_NUMBER> -p udp --dport 11122 -j ACCEPT
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Wrong subnet assigned (e.g., 172.27.x.x instead of 10.8.x.x)

Cause: Multiple OpenVPN instances running or config corruption

Fix:

sudo systemctl stop openvpn-server@server
sudo killall openvpn
sleep 2
sudo systemctl start openvpn-server@server

Then reconnect your client.

Adding More Clients

To create additional client profiles:

sudo ./openvpn-install.sh

When prompted, select the option to add a new user. The script will generate a new .ovpn file.

Managing the VPN

Check active connections

sudo tail -f /var/log/openvpn/status.log

View server status

sudo systemctl status openvpn-server@server

Restart the service

sudo systemctl restart openvpn-server@server

View detailed logs

sudo journalctl -u openvpn-server@server -f

Security Best Practices

  1. Change SSH port from 22 to something else (e.g., 10022)

  2. Use key-based authentication instead of passwords

  3. Enable fail2ban to prevent brute force attacks

  4. Regularly update your server: sudo apt update && sudo apt upgrade

  5. Keep OpenVPN updated: The script installs the latest version

  6. Use strong usernames and avoid common names like "admin" or "client"

Conclusion

You now have a fully functional, secure OpenVPN server running on Oracle Cloud. Your clients can connect from anywhere and access the internet through an encrypted tunnel.

If you encounter issues, check the troubleshooting section or review the server logs with:

sudo journalctl -u openvpn-server@server -n 100

Happy secure networking! 🔒

Fiko Borizqy (Bestafiko)

52 posts

I wrote these tutorials for myself in future when I forget for the next steps.