Want to access the Internet safely and securely from your smartphone or laptop when connected to an untrusted network such as the WiFi of a hotel or coffee shop? A Virtual Private Network (VPN) allows you to traverse untrusted networks privately and securely to your DigitalOcean Droplet as if you were on a secure and private network. The traffic emerges from the Droplet and continues its journey to the destination.
When combined with HTTPS connections, this setup allows you to secure your wireless logins and transactions. You can circumvent geographical restrictions and censorship, and shield your location and unencrypted HTTP traffic from the untrusted network.
OpenVPN is a full-featured open source Secure Socket Layer (SSL) VPN solution that accommodates a wide range of configurations. In this tutorial, we’ll set up an OpenVPN server on a Droplet and then configure access to it from Windows, OS X, iOS and Android. This tutorial will keep the installation and configuration steps as simple as possible for these setups.
Note: OpenVPN can be installed automatically on your Droplet by adding this script to its User Data when launching it. Check out this tutorial to learn more about Droplet User Data.
The only prerequisite is having an Ubuntu 14.04 Droplet established and running. You will need root access to complete this guide.
Complete these steps for your server-side setup.
###OpenVPN Configuration
Before we install any packages, first we’ll update Ubuntu’s repository lists.
apt-get update
Then we can install OpenVPN and Easy-RSA.
apt-get install openvpn easy-rsa
The example VPN server configuration file needs to be extracted to /etc/openvpn so we can incorporate it into our setup. This can be done with one command:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Once extracted, open server.conf in a text editor. This tutorial will use Vim but you can use whichever editor you prefer.
vim /etc/openvpn/server.conf
There are several changes to make in this file. You will see a section looking like this:
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem
Edit dh1024.pem to say:
dh2048.pem
This will double the RSA key length used when generating server and client keys.
Still in server.conf, now look for this section:
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
Uncomment push "redirect-gateway def1 bypass-dhcp" so the VPN server passes on clients’ web traffic to its destination. It should look like this when done:
push "redirect-gateway def1 bypass-dhcp"
The next edit to make is in this area:
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS"
;push "dhcp-option DNS"
Uncomment push "dhcp-option DNS" and push "dhcp-option DNS". It should look like this when done:
push "dhcp-option DNS"
push "dhcp-option DNS"
This tells the server to push OpenDNS to connected clients for DNS resolution where possible. This can help prevent DNS requests from leaking outside the VPN connection. However, it’s important to specify desired DNS resolvers in client devices as well. Though OpenDNS is the default used by OpenVPN, you can use whichever DNS services you prefer.
The last area to change in server.conf is here:
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nogroup
Uncomment both user nobody and group nogroup. It should look like this when done:
user nobody
group nogroup
By default, OpenVPN runs as the root user and thus has full root access to the system. We’ll instead confine OpenVPN to the user nobody and group nogroup. This is an unprivileged user with no default login capabilities, often reserved for running untrusted applications like web-facing servers.
Now save your changes and exit Vim.
###Packet Forwarding
This is a sysctl setting which tells the server’s kernel to forward traffic from client devices out to the Internet. Otherwise, the traffic will stop at the server. Enable packet forwarding during runtime by entering this command:
echo 1 > /proc/sys/net/ipv4/ip_forward
We need to make this permanent so the server still forwards traffic after rebooting.
vim /etc/sysctl.conf
Near the top of the sysctl file, you will see:
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
Uncomment net.ipv4.ip_forward. It should look like this when done:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Save your changes and exit.
ufw is a front-end for iptables and setting up ufw is not hard. It’s included by default in Ubuntu 14.04, so we only need to make a few rules and configuration edits, then switch the firewall on. As a reference for more uses for ufw, see How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server.
First set ufw to allow SSH. At the command prompt, enter:
ufw allow ssh
This tutorial will use OpenVPN over UDP, so ufw must also allow UDP traffic over port 1194:
ufw allow 1194/udp
The ufw forwarding policy needs to be set as well. We’ll do this in ufw’s primary configuration file.
vim /etc/default/ufw
Look for DEFAULT_FORWARD_POLICY="DROP". This must be changed from DROP to ACCEPT. It should look like this when done:
DEFAULT_FORWARD_POLICY="ACCEPT"
Next we will add additional ufw rules for network address translation and IP masquerading of connected clients.
vim /etc/ufw/before.rules
Make the top of your before.rules file look like below. The area in red for OPENVPN RULES must be added:
# rules.before
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
# NAT table rules
# Allow traffic from OpenVPN client to eth0
# Don't delete these required lines, otherwise there will be errors
With the changes made to ufw, we can now enable it. Enter into the command prompt:
ufw enable
Enabling ufw will return the following prompt:
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Answer y. The result will be this output:
Firewall is active and enabled on system startup
To check ufw’s primary firewall rules:
ufw status
The status command should return these entries:
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
1194/udp ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
1194/udp (v6) ALLOW Anywhere (v6)
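The forwarding setup above only works when three settings agree: the kernel's ip_forward flag, ufw's forward policy, and a NAT rule that names the server's real outbound interface (the rules comment assumes eth0). The audit below is an added example, not part of the original tutorial; the function names, the sample route line and the 10.8.0.0/24 client subnet are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the settings that let VPN client traffic leave the server.

# Print the interface of the default route, reading `ip route` output on stdin.
default_iface() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the outbound interface (-o) of the first POSTROUTING MASQUERADE rule in file $1.
masq_iface() {
    awk '$1 == "-A" && $2 == "POSTROUTING" && /MASQUERADE/ {
        for (i = 3; i < NF; i++) if ($i == "-o") { print $(i + 1); exit }
    }' "$1"
}

# Print the value of DEFAULT_FORWARD_POLICY from file $1, without quotes.
forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\{0,1\}\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# audit_forwarding IP_FORWARD_FILE UFW_DEFAULTS BEFORE_RULES ROUTE_OUTPUT
# Prints one line per finding; exit status is 0 only when every check passes.
audit_forwarding() (
    rc=0
    fwd=$(tr -d '[:space:]' < "$1")
    policy=$(forward_policy "$2")
    nat=$(masq_iface "$3")
    out=$(printf '%s\n' "$4" | default_iface)
    [ "$fwd" = "1" ] || { echo "FAIL ip_forward is '$fwd', expected 1"; rc=1; }
    [ "$policy" = "ACCEPT" ] || { echo "FAIL forward policy is '$policy', expected ACCEPT"; rc=1; }
    if [ -z "$nat" ]; then
        echo "FAIL no MASQUERADE rule found"; rc=1
    elif [ "$nat" != "$out" ]; then
        echo "FAIL NAT rule uses $nat but the default route leaves via $out"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK forwarding enabled, NAT via $out"; fi
    exit "$rc"
)

# Write constructed sample files (not taken from a real server) into directory $1.
# 10.8.0.0/24 is an assumed client subnet; $2 is the interface named in the NAT rule.
make_sample() {
    echo 1 > "$1/ip_forward"
    echo 'DEFAULT_FORWARD_POLICY="ACCEPT"' > "$1/ufw"
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s 10.8.0.0/24 -o $2 -j MASQUERADE" 'COMMIT' > "$1/before.rules"
}

# Demonstration on constructed input: the rule says eth0, the uplink is ens3.
demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d" eth0
    audit_forwarding "$d/ip_forward" "$d/ufw" "$d/before.rules" \
        'default via 203.0.113.1 dev ens3' || true
    rm -rf "$d"
}
demo

# On a live server (as root):
# audit_forwarding /proc/sys/net/ipv4/ip_forward /etc/default/ufw \
#     /etc/ufw/before.rules "$(ip route show default)"
```

A client that connects but cannot reach anything is the typical symptom when the NAT rule names an interface the server does not route through.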
OpenVPN uses certificates to encrypt traffic.
###Configure and Build the Certificate Authority
It is now time to set up our own Certificate Authority (CA) and generate a certificate and key for the OpenVPN server. OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established. We will use Easy RSA’s scripts we copied earlier to do this.
First copy over the Easy-RSA generation scripts.
cp -r /usr/share/easy-rsa/ /etc/openvpn
Then make the key storage directory.
mkdir /etc/openvpn/easy-rsa/keys
Easy-RSA has a variables file we can edit to create certificates exclusive to our person, business, or whatever entity we choose. This information is copied to the certificates and keys, and will help identify the keys later.
vim /etc/openvpn/easy-rsa/vars
The variables below marked in red should be changed according to your preference.
export KEY_CITY="Dallas"
export KEY_ORG="My Company Name"
export KEY_EMAIL="sammy@example.com"
export KEY_OU="MYOrganizationalUnit"
In the same vars file, also edit this one line shown below. For simplicity, we will use server as the key name. If you want to use a different name, you would also need to update the OpenVPN configuration files that reference server.key and server.crt.
export KEY_NAME="server"
We need to generate the Diffie-Hellman parameters; this can take several minutes.
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
Now let’s change directories so that we’re working directly out of where we moved Easy-RSA’s scripts to earlier in Step 2.
cd /etc/openvpn/easy-rsa
Initialize the PKI (Public Key Infrastructure). Pay attention to the dot (.) and space in front of the ./vars command. That signifies the current working directory (source).
. ./vars
The output from the above command is shown below. Since we haven’t generated anything in the keys directory yet, the warning is nothing to be concerned about.
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
Now we’ll clear the working directory of any possible old or example keys to make way for our new ones.
./clean-all
This final command builds the certificate authority (CA) by invoking an interactive OpenSSL command. The output will prompt you to confirm the Distinguished Name variables that were entered earlier into the Easy-RSA’s variable file (country name, organization, etc.).
./build-ca
Simply press ENTER to pass through each prompt. If something must be changed, you can do that from within the prompt.
###Generate a Certificate and Key for the Server
Still working from /etc/openvpn/easy-rsa, now enter the command to build the server’s key. Where you see server marked in red is the export KEY_NAME variable we set in Easy-RSA’s vars file earlier in Step 2.
./build-key-server server
Similar output is generated as when we ran ./build-ca, and you can again press ENTER to confirm each line of the Distinguished Name. However, this time there are two additional prompts:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Both should be left blank, so just press ENTER to pass through each one.
Two additional queries at the end require a positive (y) response:
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]
The last prompt above should complete with:
Write out database with 1 new entries
Data Base Updated
###Move the Server Certificates and Keys
OpenVPN expects to see the server’s CA, certificate and key in /etc/openvpn. Let’s copy them into the proper location.
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
You can verify the copy was successful with:
ls /etc/openvpn
You should see the certificate and key files for the server.
At this point, the OpenVPN server is ready to go. Start it and check the status.
service openvpn start
service openvpn status
The status command should return:
VPN 'server' is running
Congratulations! Your OpenVPN server is operational. If the status message says the VPN is not running, then take a look at the /var/log/syslog file for errors such as:
Options error: --key fails with 'server.key': No such file or directory
That error indicates server.key was not copied to /etc/openvpn correctly. Re-copy the file and try again.
So far we’ve installed and configured the OpenVPN server, created a Certificate Authority, and created the server’s own certificate and key. In this step, we use the server’s CA to generate certificates and keys for each client device which will be connecting to the VPN. These files will later be installed onto the client devices such as a laptop or smartphone.
###Key and Certificate Building
It’s ideal for each client connecting to the VPN to have its own unique certificate and key. This is preferable to generating one general certificate and key to use among all client devices.
Note: By default, OpenVPN does not allow simultaneous connections to the server from clients using the same certificate and key. (See
To create separate authentication credentials for each device you intend to connect to the VPN, you should complete this step for each device, but change the name client1 below to something different such as client2 or iphone2. With separate credentials per device, they can later be deactivated at the server individually, if need be. The remaining examples in this tutorial will use client1 as our example client device’s name.
As we did with the server’s key, now we build one for our client1 example. You should still be working out of /etc/openvpn/easy-rsa
./build-key client1
Once again, you’ll be asked to change or confirm the Distinguished Name variables and these two prompts which should be left blank. Press ENTER to accept the defaults.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
As before, these two confirmations at the end of the build process require a (y) response:
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]
If the key build was successful, the output will again be:
Write out database with 1 new entries
Data Base Updated
The example client configuration file should be copied to the Easy-RSA key directory too. We’ll use it as a template which will be downloaded to client devices for editing. In the copy process, we are changing the name of the example file from client.conf to client.ovpn because the .ovpn file extension is what the clients will expect to use.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
You can repeat this section again for each client, replacing client1 with the appropriate client name throughout.
Recall from the steps above that we created the client certificates and keys, and that they are stored on the OpenVPN server in the /etc/openvpn/easy-rsa/keys directory.
For each client we need to transfer the client certificate, key, and profile template files to a folder on our local computer or another client device.
In this example, our client1 device requires its certificate and key, located on the server in:
The ca.crt and client.ovpn files are the same for all clients. Download these two files as well; note that the ca.crt file is in a different directory than the others.
While the exact applications used to accomplish this transfer will depend on your choice and device’s operating system, you want the application to use SFTP (SSH file transfer protocol) or SCP (Secure Copy) on the backend. This will transport your client’s VPN authentication files over an encrypted connection.
Here is an example SCP command using our client1 example. It places the file client1.key into the Downloads directory on the local computer.
scp root@your-server-ip:/etc/openvpn/easy-rsa/keys/client1.key Downloads/
Here are several tools and tutorials for securely transferring files from the server to a local computer:
At the end of this section, make sure you have these four files on your client device:
There are several methods for managing the client files but the easiest uses a unified profile. This is created by modifying the client.ovpn template file to include the server’s Certificate Authority, and the client’s certificate and its key. Once merged, only the single client.ovpn profile needs to be imported into the client’s OpenVPN application.
We will create a single profile for our client1 device on the local computer we downloaded all the client files to. This local computer could itself be an intended client or just a temporary work area to merge the authentication files. The original client.ovpn template file should be duplicated and renamed. How you do this will depend on the operating system of your local computer.
Note: The name of your duplicated client.ovpn doesn’t need to be related to the client device. The client-side OpenVPN application will use the file name as an identifier for the VPN connection itself. Instead, you should duplicate client.ovpn to whatever you want the VPN’s nametag to be in your operating system. For example: work.ovpn will be identified as work, school.ovpn as school, etc.
In this tutorial, we’ll name the VPN connection DigitalOcean so DigitalOcean.ovpn will be the file name referenced from this point on. Once named, we then must open DigitalOcean.ovpn in a text editor; you can use whichever editor you prefer.
The first area of attention will be for the IP address of your Droplet. Near the top of the file, change my-server-1 to reflect your VPN’s IP.
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
Next, find the area shown below and uncomment user nobody and group nogroup, just like we did in server.conf in Step 1. Note: This doesn’t apply to Windows so you can skip it. It should look like this when done:
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
The area given below needs the three lines shown to be commented out so we can instead include the certificate and key directly in the DigitalOcean.ovpn file. It should look like this when done:
# SSL/TLS parms.
# . . .
#ca ca.crt
#cert client.crt
#key client.key
To merge the individual files into the one unified profile, the contents of the ca.crt, client1.crt, and client1.key files are pasted directly into the .ovpn profile using a basic XML-like syntax. The XML at the end of the file should take this form:
<ca>
(insert ca.crt here)
</ca>
<cert>
(insert client1.crt here)
</cert>
<key>
(insert client1.key here)
</key>
When finished, the end of the file should be similar to this abbreviated example:
<ca>
-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
. . .
-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
. . .
-----END PRIVATE KEY-----
</key>
The client1.crt file has some extra information in it; it’s fine to just include the whole file.
Save the changes and exit. We now have a unified OpenVPN client profile to configure our client1.
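The merge described above can be scripted instead of pasted by hand. This is an added example, not part of the original tutorial: build_profile, pem_only, inline_block and make_demo_inputs are hypothetical names and the sample inputs are constructed placeholders. Unlike the manual steps, it keeps only the PEM blocks (dropping the extra text in client1.crt) and creates the profile readable by its owner only, since the file embeds the client's private key.

```bash
#!/usr/bin/env bash
# Added example: merge ca.crt, client1.crt and client1.key into one .ovpn profile.

# Print only the PEM block(s) whose label matches pattern $1 from file $2.
pem_only() {
    sed -n "/-----BEGIN $1-----/,/-----END $1-----/p" "$2"
}

# Wrap stdin in OpenVPN's inline-file tags, e.g. <ca> ... </ca>.
inline_block() {
    printf '<%s>\n' "$1"; cat; printf '</%s>\n' "$1"
}

# build_profile TEMPLATE SERVER CA CERT KEY OUT
build_profile() (
    template=$1 server=$2 ca=$3 cert=$4 key=$5 out=$6
    for f in "$template" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; exit 1; }
    done
    # Only a plain hostname or IP may be substituted into the sed expression.
    case $server in
        ''|*[!A-Za-z0-9.:-]*) echo "bad server name: $server" >&2; exit 1 ;;
    esac
    # Refuse a key file with no PEM private key, e.g. a swapped .crt/.key pair.
    [ -n "$(pem_only '.*PRIVATE KEY' "$key")" ] || { echo "$key: no private key" >&2; exit 1; }

    umask 077            # the profile embeds the private key: create it owner-only
    rm -f -- "$out"      # an existing file would keep its old, possibly wider mode
    {
        # Point "remote" at the server and comment out the file references that
        # the inline blocks replace (ca/cert/key only, not e.g. key-direction).
        sed -E -e "s/^remote my-server-1 /remote $server /" \
               -e 's/^(ca|cert|key)[[:space:]]+[^[:space:]]+[[:space:]]*$/#&/' "$template"
        pem_only CERTIFICATE "$ca" | inline_block ca
        pem_only CERTIFICATE "$cert" | inline_block cert
        pem_only '.*PRIVATE KEY' "$key" | inline_block key
    } > "$out"
)

# Constructed sample inputs (placeholders, not real credentials) written into $1.
make_demo_inputs() {
    printf '%s\n' 'client' 'remote my-server-1 1194' ';user nobody' \
        'ca ca.crt' 'cert client.crt' 'key client.key' 'key-direction 1' > "$1/client.ovpn"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQ0E=' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump written by Easy-RSA)' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQ0xJRU5U' \
        '-----END CERTIFICATE-----' > "$1/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQtS0VZ' \
        '-----END PRIVATE KEY-----' > "$1/client1.key"
}

# Demonstration: build DigitalOcean.ovpn from the constructed inputs and print it.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_inputs "$d"
    build_profile "$d/client.ovpn" vpn.example.com "$d/ca.crt" "$d/client1.crt" \
        "$d/client1.key" "$d/DigitalOcean.ovpn" && cat "$d/DigitalOcean.ovpn"
    rm -rf "$d"
}
demo
```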
Now we’ll discuss installing a client VPN profile on Windows, OS X, iOS, and Android. None of these client instructions are dependent on each other so you can skip to whichever is applicable to you.
Remember that the connection will be called whatever you named the .ovpn file. In our example, since the file was named DigitalOcean.ovpn, the connection will be named DigitalOcean.
The OpenVPN client application for Windows can be found on OpenVPN’s Downloads page. Choose the appropriate installer version for your version of Windows.
Note: OpenVPN needs administrative privileges to install.
After installing OpenVPN, copy the unified DigitalOcean.ovpn profile to:
C:\Program Files\OpenVPN\config
When you launch OpenVPN, it will automatically see the profile and make it available.
OpenVPN must be run as an administrator each time it’s used, even by administrative accounts. To do this without having to right-click and select Run as administrator every time you use the VPN, you can preset this but it must be done from an administrative account. This also means that standard users will need to enter the administrator’s password to use OpenVPN. On the other hand, standard users can’t properly connect to the server unless OpenVPN on the client has admin rights, so the elevated privileges are necessary.
To set the OpenVPN application to always run as an administrator, right-click on its shortcut icon and go to Properties. At the bottom of the Compatibility tab, click the button to Change settings for all users. In the new window, check Run this program as an administrator.
Each time you launch the OpenVPN GUI, Windows will ask if you want to allow the program to make changes to your computer. Click Yes. Launching the OpenVPN client application only puts the applet in the system tray so the VPN can be connected and disconnected as needed; it does not actually make the VPN connection.
Once OpenVPN is started, initiate a connection by going into the system tray applet and right-clicking on the OpenVPN applet icon. This opens the context menu. Select DigitalOcean at the top of the menu (that’s our DigitalOcean.ovpn profile) and choose Connect.
A status window will open showing the log output while the connection is established, and a message will show once the client is connected.
Disconnect from the VPN the same way: Go into the system tray applet, right-click the OpenVPN applet icon, select the client profile and click Disconnect.
Tunnelblick is a free, open source OpenVPN client for Mac OS X. You can download the latest disk image from the Tunnelblick Downloads page. Double-click the downloaded .dmg file and follow the prompts to install.
Towards the end of the installation process, Tunnelblick will ask if you have any configuration files. It can be easier to answer No and let Tunnelblick finish. Open a Finder window and double-click DigitalOcean.ovpn. Tunnelblick will install the client profile. Administrative privileges are required.
Launch Tunnelblick by double-clicking Tunnelblick in the Applications folder. Once Tunnelblick has been launched, there will be a Tunnelblick icon in the menu bar at the top right of the screen for controlling connections. Click on the icon, and then the Connect menu item to initiate the VPN connection. Select the DigitalOcean connection.
From the iTunes App Store, search for and install OpenVPN Connect, the official iOS OpenVPN client application. To transfer your iOS client profile onto the device, connect it directly to a computer.
Completing the transfer with iTunes will be outlined here. Open iTunes on the computer and click on iPhone > apps. Scroll down to the bottom to the File Sharing section and click the OpenVPN app. The blank window to the right, OpenVPN Documents, is for sharing files. Drag the .ovpn file to the OpenVPN Documents window.
Now launch the OpenVPN app on the iPhone. There will be a notification that a new profile is ready to import. Tap the green plus sign to import it.
OpenVPN is now ready to use with the new profile. Start the connection by sliding the Connect button to the On position. Disconnect by sliding the same button to Off.
Note: The VPN switch under Settings cannot be used to connect to the VPN. If you try, you will receive a notice to only connect using the OpenVPN app.
Open the Google Play Store. Search for and install Android OpenVPN Connect, the official Android OpenVPN client application.
The .ovpn profile can be transferred by connecting the Android device to your computer by USB and copying the file over. Alternatively, if you have an SD card reader, you can remove the device’s SD card, copy the profile onto it and then insert the card back into the Android device.
Start the OpenVPN app and tap the menu to import the profile.
Then navigate to the location of the saved profile (the screenshot uses /sdcard/Download/) and select the file. The app will make a note that the profile was imported.
To connect, simply tap the Connect button. You’ll be asked if you trust the OpenVPN application. Choose OK to initiate the connection. To disconnect from the VPN, go back to the OpenVPN app and choose Disconnect.
Once everything is installed, a simple check confirms everything is working properly. Without having a VPN connection enabled, open a browser and go to DNSLeakTest.
The site will return the IP address assigned by your internet service provider and as you appear to the rest of the world. To check your DNS settings through the same website, click on Extended Test and it will tell you which DNS servers you are using.
Now connect the OpenVPN client to your Droplet’s VPN and refresh the browser. The completely different IP address of your VPN server should now appear. That is now how you appear to the world. Again, DNSLeakTest’s Extended Test will check your DNS settings and confirm you are now using the DNS resolvers pushed by your VPN.
Congratulations! You are now securely traversing the internet protecting your identity, location, and traffic from snoopers and censors.
If I use your how-to, am I able to browse IPv6-enabled sites?
I don’t believe so - all the packet forwarding commands are for IPv4.
Or, use This
its work good.
I just tried this too after this guide not working for me and this script linked to on Github works perfectly and takes less than 60 seconds. You could easily alter some of the settings if you wanted to.
Script creator here, thanks for the mention :)
Thanks for all the great work, but I’m really new to all of this coding and all, so maybe you could make something like a step by step guide that even beginners like me can understand? would be appreciated and will surely donate!
Someone created a step-by-step tutorial in YouTube. It’s not perfect, but should help you get started and set it up.
If someone decides to configure the OpenVPN server using Nyr’s script (which btw is just great, kudos!), and save some time… here is an easy-to-understand guide on YouTube.
But I still strongly encourage everyone to go through this tutorial in order to understand what is going on and how things work.
If you want to have a web-panel for your OpenVPN server and be able to administrate things there, I recommend installing an OpenVPN Access Server. There is a tutorial in DO for this as well.
One of the many perks of OpenVPN AS: if, let’s say, you want to configure VPN for your mobile device, there’s no need to manually export/import/copy client profiles from the server or your PC. All you need to do in this case is access the panel from your device, normally through the port 943 and login. The profile will automatically be imported for you.
wow 5 min all works fine. but exist a similar with bridge config? I need share a directory from server with the clients, I think use Samba.
I just spent an hour on article config for it to not run. That script worked in 4min. WOW. Awesomeness
Not bad, works excellent under Debian 6. But be aware of the DNS leak.
If there is a DNS leak, is a client side problem, nothing to do with the script.
Steps here are so incomplete and missing, you have to have prior linux knowledge or get outside help, comparing that and this script on github which I haven’t completely tested yet, but I do love it since it was so easy and fast setting up. Thanks to its developer and I will donate to them after Using it completely
its work! thx a lot :)
Thanks, this works, I can connect but my IP is the same as before, any ideas how to fix this?
After you run this script how do you use this VPN in the browser?
Do all as described but internet after connect not work.
same here. And openvpn logs showing all successful. I am running it as admin. I have checked port forwarding at server status is 1. And vpn service is running… Anyone can guide us what is going wrong?
Same issue here. :(
@feryardiant I solved it then, by reviewing all steps, I think I made a typing mistake somewhere but not sure where it was. So please recheck everything you typed.
@asking_a_question would you please show me which part you had to rewrite? thanks
In my case the error was in Bad LZO decompression header byte: 69. Commenting “comp-lzo” line in server.conf fixed it for me.
Thank you for this! Absolutely great article! Including all the commands and explaining the reason for them is awesome.
First. Sorry for my bad english…
Thanks for this great tutorial, it works without any problem. But now I have a problem: it doesn’t route all traffic through the ports. At https://diafygi.github.io/webrtc-ips/ you can see it can resolve my real IP address. Please can you make a tutorial to route the complete traffic? I’m in Germany and many videos on YouTube are blocked by GEMA, and YouTube detects my real IP and blocks the video again…
Newby question: I have a lemp stack, can i configure vpn (as in this tutorial) in the same droplet without it interfering with the lemp stack and the wordpress install??
Yes, OpenVPN should not interfere with LEMP.
Thank you for the info!
Followed the guide and everything appeared to work correctly until I try to browse the internet through the VPN and it wont go anywhere. I connect to the VPN using my Android phone as per the instructions but nothing is being received if I look at the statistics there is barely anything coming in over to the Android phone. Plenty of information is being sent out, just not in.
It sounds like others above are having similar problems maybe?
Check your server logs and see if that offers any clue. It sounds as though IP forwarding may not be set. if you log into your server and
cat /proc/sys/net/ipv4/ip_forward
you should get a “1” returned.
same issue with me too…were you able to solve it?
I had the same problem, but my error was skip the ufirewall config.
You need to config that and start the ufw in order to forward works.
If not just local traffic to the server will work.
Hello I cannot edit the server.conf file. Can someone help me please?
What error are you getting when you try to edit the file? It may be the case you need higher privileges to do so, in which case putting ‘sudo’ in front of the command to edit the file should work, as in ‘sudo vi server.conf’. Good luck!
Huge thanks! Great tutorial!
I could be able to successfully connect to the VPN , but it seems that traffic forward is not working as internet is not working
i executed
cat /proc/sys/net/ipv4/ip_forward
returned 1
any support ?
Same problem here
Edit: a reboot fixed it
Hi, I’ve just tried the all installation and configuration A also configure it on Android 4.4.2
When i connect myself to my OpenVPN server, i successfully get connected but i do not have internet so i can not test anything i says SUCCESSFULLY CONNECTED but nothing else
can you help me ?
Same issue for me too, were you able to solve this?
recheck your uncomplicated firewall settings…(ufw before rules). Maybe you have something wrong there, refer again to the tutorial. Actually that resolved my issue.
Rebooting my server works for me
Rebooting didn’t work, I noticed the ufw.before rules referenced “eth0” as the adapter. On my machine it is “eth1”. Changed it, rebooted and now is working.
Yes if connect to server and vpn is active and no internet connection, you must change only “eth0” interface to yours. Example mine interface is " ens3 " .
Hi again, To solve my problem i also reboot completly my Ubuntu Server, and when i tried again i got internet access and also access to all my LAN at home.
Thanks a lot for this powerful tuto…
i’ve a second question if it is possible ? To enforce the protection is it possible to first connect to Ubuntu over SSH tunnel then on the client to do a port forwarding on 1194 port ? The to connect with OpenVPN Client in localhost:1194 ?
Yes, it is possible (for TCP at least, probably not for UDP). Check man ssh for the options -L (which one you will use depends on the direction of the tunnel). However, OpenVPN is already an encrypted virtual tunnel. Using it inside another encrypted tunnel will increase the overhead and decrease the performance.
Instead, you might prefer setting up a port-knocking mechanism to open the VPN port only after knocking the correct ports.
I tried to pass over SSH tunnel with openvpn and i got this error : [ECONNREFUSED]: Connection refused (code=111) as the tunnel is built on , i just put the address ; or localhost and i got the error !
any idea ?
Thanks for your reply Denilsonsa… I really do not understand why under Windows + putty (only port forwarding L1194 : + openVpn Desktop Client on localhost:1194 ** :>>>> It works** And Android 4.4.2 : connectbot (only port forwarding L1194 : + Openvpn client on localhost:1194 : it tries to connect on but it loops back : no connection ! To my opinion i miss something in ovpn client… or may be an entry in either server.conf our sshd_config any idea…
its true that only openvpn is enough secure, but a friend of mine, ask me this challenge : to openvpn over ssh, because of packet sniffer and filter
For him under Windows 7 it works like a charm : OpenVPN + SSH but do not work on his Galaxy Tab 10.1 (rooted)
As im a noob on linux… its a little bit difficult for me But im interesting to resolve this challenge
Any ideas ?
Again, thanks for your help
After the command ufw enable I get this error: ERROR: problem running ufw-init /lib/ufw/ufw-init: 3: /etc/default/ufw: : not found
same issue
Thanks so much for the tutorial, worked like a charm. Does anyone know if you get the Open VPN Access server web UI? Documentation from open vpn says it should be https://openvpnasserverip/admin (with openvpnasserverip being your own ip address or domain url) but that doesn’t work. I also tried https://openvpnasserverip:943/admin, adding the port number, because I see that in places as well. Thanks again!
In my particular case to make this work I’ve just had to use as the default interface venet0 instead of eth0. In /etc/ufw/before.rules where it says: -A POSTROUTING -s -o eth0 -j MASQUERADE I used -A POSTROUTING -s -o venet0 -j MASQUERADE Thanks very much for your great guide; it helped me a lot!
I had problems too. I’m a newbie with linux and i followed this tutorial step by step. It connected to VPN, but I couldnt do anything. And everything was because of this line
In /etc/ufw/before.rules where it says: -A POSTROUTING -s -o eth0 -j MASQUERADE
Instead of eth0 and venet0 I had to use em1. Lost my mind over it. But I guess you learn as you go. Type in console “ifconfig” and use the “name” of your ethernet card.
Thanks for this great guide. :thumbsup:
Thanks, that was easy to follow. However, once I connected via Tunnelblick, I lost internet access and doing a traceroute on the command line would show the request getting stuck at the VPS’s IP of To make it work on an OpenVZ container based VPS, I had to add these two steps:
where X.Y.Z is the actual IP address assigned to your VPS. (If that doesn’t work, try venet0:0 )
Lastly, I also apt-get’ed “iptables-persistent” so that iptables is loaded in this configuration on reboot.
Thanks. That solved my problem.
Hi, Appreciate the step-by-step tutorial firstly. I almost make it work. But the weird problem occurs after connection.
Actually I can connect to server via Tunnelblick client on my MacBook. But after 60 seconds, the log in server shows:
“TLS Error: TLS key negotiation failed to occur within 60 seconds” “TLS Error: TLS handshake failed” “SIGUSR1[soft,tls-error] received, client-instance restarting”
Actually during the first 60 seconds, I can browser the internet properly. And also I can ping server successfully, even I check the ip which presents correctly and external ip is my server’s. But after about 60s, encounter the error. The connection is still on, but cannot access internet any more.
Any idea?
I also facing this problem, restart not fixed but if you execute “service openvpn restart” then the problem fixed, you’ll need to do this after reboot
Hi SandPox, I’ve tried several times, still not working with same error.
hmm… maybe you’ll need to do from step “./clean-all” and recreate all those cert/key (remember to update your client VPN config after recreate cert/key)
Hi SandPox, thanks for suggestion. But still cannot work after re-do several times. Below is my iptables maybe helpful.
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
SNAT all -- anywhere anywhere to:
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- anywhere
MASQUERADE all -- anywhere
MASQUERADE all -- anywhere
I’d also posted in OpenVPN forum including more configuration details.
Same issue here
Bit late, but for any new comers…
To fix this issue: Edit file (on the Ubuntu server)
vim /etc/openvpn/server.conf
then comment (#) out the line tls-auth ta.key 0.
# tls-auth ta.key 0
It’s insane how complicated this is! The one-click-alternative is to use Google’s Remote Desktop. All you need is a Chrome browser on both sides.
I have done the steps above. Now I am trying to connect through my windows 7 machine. VPN is not connecting giving me this error:
What maybe the problem?
Sorry my mistake, I have put file names instead of their content. I know this was real stupid from my part, but I would suggest you add the word “content of…” in the tutorial to avoid any confusion
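An added example, not part of the comment above or of the tutorial: a preflight check for the mistake described here, a unified .ovpn profile whose inline <ca>, <cert> or <key> block holds a file name rather than the PEM contents. The profile, its address and its placeholder PEM body are constructed, and check_ovpn_inline is a hypothetical name.

```shell
#!/bin/sh
# Added example: verify that the inline blocks of a unified .ovpn profile
# really contain PEM data. All sample data below is constructed.

# check_ovpn_inline: read an .ovpn profile on stdin, print one verdict per
# inline block (ca, cert, key) and return the number of unusable blocks.
check_ovpn_inline() {
    awk '
    BEGIN { n = split("ca cert key", tags, " "); bad = 0; cur = ""; inpem = 0 }
    {
        sub(/\r$/, "")                      # tolerate Windows line endings
        if ($0 ~ /^<(ca|cert|key)>[ \t]*$/) {
            cur = $0; gsub(/[<> \t]/, "", cur)
            seen[cur] = 1; inpem = 0
            nbeg[cur] = 0; nend[cur] = 0; body[cur] = 0; junk[cur] = 0; text[cur] = 0
            next
        }
        if ($0 ~ /^<\/(ca|cert|key)>[ \t]*$/) { cur = ""; inpem = 0; next }
        if (cur == "") next                 # ordinary directive outside a block
        if ($0 ~ /^-----BEGIN [A-Z ]+-----$/) { nbeg[cur]++; inpem = 1; next }
        if ($0 ~ /^-----END [A-Z ]+-----$/)   { nend[cur]++; inpem = 0; next }
        if (inpem) {
            # between BEGIN and END only base64 lines are acceptable
            if ($0 ~ /^[A-Za-z0-9+\/=]+$/) body[cur]++; else junk[cur]++
        } else if ($0 ~ /[^ \t]/) text[cur]++
    }
    END {
        for (i = 1; i <= n; i++) {
            t = tags[i]
            if (!(t in seen)) v = "missing"
            else if (nbeg[t] == 0 && text[t] > 0) v = "no PEM data, found other text (file name pasted instead of the file contents?)"
            else if (nbeg[t] == 0) v = "empty"
            else if (nbeg[t] != nend[t] || body[t] == 0 || junk[t] > 0) v = "malformed PEM"
            else v = "ok"
            if (v != "ok") bad++
            print t ": " v
        }
        exit bad
    }'
}

# Constructed profile: <ca> holds a file name, <cert> holds a placeholder
# PEM block (not a real certificate), <key> is absent.
SAMPLE_OVPN='client
dev tun
proto udp
remote 203.0.113.10 1194
<ca>
ca.crt
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExF
-----END CERTIFICATE-----
</cert>'

# On a real profile: check_ovpn_inline < client.ovpn
printf '%s\n' "$SAMPLE_OVPN" | check_ovpn_inline || true
```

The check only looks at the shape of each block; it does not validate the certificate or key itself.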
Hey dude !
I’m having the same exact issue that you posted above
Cannot load inline certificate file: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
How exactly did you fix this ? Is it possible to show off your .opvn file?
And how to set up a vpn-client if I use ubuntu as my desktop os?
Excellent guide James, thanks for contributing!
Hello Everyone,
I come from the Bitnami side and am brand-new to DO, however I’m about to ‘dive in’ to this guide and set this up on my first ‘Droplet’.
A few quick questions for you all:
What is the recommended ‘droplet’ configuration for this type of setup? I realize that all droplets now come with SSDs, so that’s good. But I’m not sure what level of ‘overhead’ is going to take place.
Also, what kind/size/power/configuration of Droplet would be required for OpenVPN, based on x amount of users? I’m probably going to have anywhere from 15-20 users to start with, then expand from there. Is there a recommended maximum amount of ‘users’ per server?
Any other recommendations or suggestions?
Thank you!
Hi all,
Right off the bat I’m getting a permissions error with movement of the .conf file.
When I input:
Ubuntu 14.04 LTS is returning:
I’m ssh’d into AWS and have configured many servers on AWS and haven’t run across this yet… Does anyone have any ideas? Do I need to have my own hardware to do this?
Thanks in advance!
This happens because the command is running as root (inside sudo), but the redirection > is done by your current non-root shell.
@denilsonsa So what is the fix? Is me not having root access the end-all here?
@dbadness : The following question/answer shows different ways of achieving that. I myself also learned a few tricks by reading it! http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr
@denilsonsa I just dropped into root access with sudo -s and all seems good so far. Thanks for the help on this!
Hello Everyone,
I come from the Bitnami side and am brand-new to DO.
A few quick questions for you all:
What is the recommended ‘droplet’ configuration for this type of setup? I realize that all droplets now come with SSDs, so that’s good. But I’m not sure what level of ‘overhead’ is going to take place.
Also, what kind/size/power/configuration of Droplet would be required for OpenVPN, based on x amount of users? I’m probably going to have anywhere from 15-20 users to start with, then expand from there.
Is there a recommended maximum amount of ‘users’ per server?
Any other recommendations or suggestions?
Thank you!
15-20 users should work fine with 1GB RAM droplet if it only for run VPN without any other service like webserver, sql…
I can connect by using openvpn but I can’t access openvpn admin ui by using this tutorial.
I’m getting “Error code: ERR_CONNECTION_TIMED_OUT” any idea?
This tutorial walks you through installing OpenVPN. Unlike OpenVPN Access Server, it does not come with a graphical UI.
I get the following error:
gzip: /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz: No such file or directory
any idea why?
Thanks for the great tutorial! I managed to set up the VPN server, and am able to connect to it from my computer. However, it seems that tunnelblick keep disconnecting itself from the VPN server after a period of time (about 5 minutes). Did anyone have the same problem? Thanks a lot.
To connect to the OpenVPN server from a Ubuntu Client, you may need to install OpenVPN network manager plugin first,
sudo apt-get install network-manager-openvpn
then configure VPN in network manager. The network manager allows you to import the *.ovpn config file, but it seems not working for me, it does not understand the inlined cert and key content, I manually configure it in network manager.
in remote my-server-1 1194, how can I get my VPN’s ip ?
it’s your droplet (server) IP
Great Tutorial, I was able to get it set up and even customized sightly (i used a different port for my application) was able to get it up and running, connected on my clients, everything was working great. Until my server rebooted. When it booted back up, I was able to get connected to the VPN, but it looks like it’s not dishing out the dhcp to the clients anymore and none of my clients can get to the local lan or internet anymore.
Nothing changed on the server other than the reboot. I went back and looked appears the ufw settings did not hold after the reboot, which was strange. I updated that information again, but still able to connect but can’t get to the internet or local network of the VPN. Also the IP address of my clients are not updating when connecting, like they had before, the server still has the tun0 showing it’s ip at the like it should… any ideas or suggestions would be greatly appreciated.
Hi, i have an error when my client (Windows) try to connect to the server (Ubuntu, on my local network, nat with noip) Error: Error: Received control packet from unexpected IP addr: [AF_INET]192.168.x.x:1194
Any idea ??
When I connect multiple clients to the server one will log out. Is this a problem with the specs of the server? Or what else might be the problem.
Hello, sorry for my bad english after complete all steps, I successfully connected to my own server, but traffic don’t go anywhere, only pinging my server’s ip.
This is by far the most complicated config tutorial I have ever attempted… and it freakin’ worked! It’s also one of the best written, best organized config tutorials I’ve ever encountered. Thank you so much. I’ve got a GF who travels internationally for work and from now on she’s going to be tunneled securely to Digital Ocean and emerging onto the internet from NYC no matter where she roams. This is fabulous. Thank you!
Great tutorial. Thanks for the help!
However, I’m not able to connect to the server using OpenVPN. I think it is a iptables problem. Here’s my output for:
iptables -L -v
Any suggests on how to deal with this issue?
Everything works for me but it’s unbelievably slow. Like, Google just made it. Everything else just gets a timeout. Neither the local logs nor the server logs say anything weird.
I try to set it up on my phone. Maybe it’s my PC (wouldn’t know why but worth a try).
MTU perhaps?
These steps are automated with oh-my-vpn. You can use one-liner script to setup OpenVPN server and generate the client configurations.
Thanks for the tutorial and thanks for the posts for when the internet doesn’t work. I’m a programmer, not a sys admin, so after I followed this tutorial and I could connect to my vpn but not to the internet, I was puzzled. salitre30 and speedracr shed some light on what was going on, and I’m going to try explain what I did to fix my lack of internet.
At the console on the server, type:
You should get a response that will show the network adapters on your server. Most of the time, you’ll have something like “eth0” at the top of the list followed by “lo” or “tun0”, but in my particular case, there was no “eth0”. My server had “em1” in place of “eth0”, so after completing the entire tutorial, I did the following (note: I suck at vim, so I use nano):
Then change the line (that we added in the tutorial) from:
Notice that I changed “eth0” to “em1”, and you should change it to whatever you got from running ifconfig. Then I just saved it and rebooted my server. Now I can connect via VPN and I can access the internet without a problem… In fact, I’m writing this while connected to my VPN. Thanks everybody!
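An added example, not part of the comment above or of the tutorial: a small shell check for the recurring problem in this thread, where the MASQUERADE rule in /etc/ufw/before.rules names eth0 but the server's default route uses another interface (ens3, em1, venet0). The sample routing table, the sample rules and the 10.8.0.0/8 source in them are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect a MASQUERADE rule that points at the wrong outbound
# interface. All sample data below is constructed.

# default_iface: read `ip -4 route show default` output on stdin and print
# the device that carries the default route.
default_iface() {
    awk '$1 == "default" {
             for (i = 2; i < NF; i++)
                 if ($i == "dev") { print $(i + 1); exit }
         }'
}

# masq_ifaces: read a before.rules file on stdin and print the -o interface
# of every active (uncommented) MASQUERADE rule, one per line.
masq_ifaces() {
    awk '$1 ~ /^#/ { next }
         {
             out = ""; masq = 0
             for (i = 1; i < NF; i++) {
                 if ($i == "-o") out = $(i + 1)
                 if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
             }
             if (masq && out != "") print out
         }'
}

# check_masquerade ROUTES RULES
# Returns 0 when a rule uses the default-route interface, 1 on a mismatch,
# 2 when either input has nothing to compare.
check_masquerade() {
    cm_want=$(printf '%s\n' "$1" | default_iface)
    cm_have=$(printf '%s\n' "$2" | masq_ifaces)
    if [ -z "$cm_want" ]; then echo "no default route found"; return 2; fi
    if [ -z "$cm_have" ]; then echo "no active MASQUERADE rule found"; return 2; fi
    if printf '%s\n' "$cm_have" | grep -qxF -- "$cm_want"; then
        echo "ok: MASQUERADE rule uses $cm_want"
        return 0
    fi
    echo "mismatch: rule uses $(printf '%s' "$cm_have" | tr '\n' ' '), default route uses $cm_want"
    return 1
}

# Constructed routing table: the public interface is ens3, not eth0.
SAMPLE_ROUTES='default via 203.0.113.1 dev ens3 proto static
203.0.113.0/24 dev ens3 proto kernel scope link src 203.0.113.10
10.8.0.0/24 via 10.8.0.2 dev tun0'

# Constructed before.rules excerpt: one commented-out rule, one active rule.
SAMPLE_RULES='# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
# -A POSTROUTING -s 10.8.0.0/8 -o venet0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES'

# On a server:
#   check_masquerade "$(ip -4 route show default)" "$(cat /etc/ufw/before.rules)"
check_masquerade "$SAMPLE_ROUTES" "$SAMPLE_RULES" || true
```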
Thanks very much for the great tutorial. I was wondering about logging. Is it possible to add some details how one could turn all logging off to make the VPN even more secure?
Hey, thx for this great instruction. Everything works fine, but I can’t connect to any teamspeak server anymore. They are using the port 9987. Do I have to configure something? Thx for your help :)
I did everything in this tutorial yet I can’t connect to the server. I think I have a firewall problem.
Fantastic tutorial, I enjoyed it very much!
First off, you all can get AWS servers for 1 year free! this tutorial + free server = free private vpn!
For people facing “TLS key negotiation failed” errors, I figured out it was because of my using AWS servers which have built-in security groups as a tertiary firewall which you have to disable or reconfigure.
Thanks James! for this excellent step-by-step tutorial.
Works like a charm, thanks!
Thanks for your article. I can set up the VPN on my VPS successfully, and browse websites with new IP.
Here is my question: I previously install LAMP on my server and build a website, and i could browse my own website then. But after I set up the VPN, I cannot log in my website, whereas I can ping the IP successfully or using FileZilla to get the files on my server.
Is there anything that I modified to this consequence? such as the ufw? or DNS? Did any body ever meet such problem?
Great guide. Only thing I’d add - when configuring/enabling ufw, don’t forget to allow port 80 if you’re hosting a webpage as well.
Thanks Iwirsing, it really solved my problem.
Can someone help me to generate the command for downloading .key files from server to my local disk using the MacOS Terminal app?
I’m trying to use the command listed below, but the Terminal app says “Downloads/ No such file or directory”
scp root@your-server-ip:/etc/openvpn/easy-rsa/keys/client1.key Downloads/
I think there is a problem in my local path syntax. I tried to use different variations for the local command path, but it still doesn’t work :((
Thank you so much for the tutorial.
I had a LAMP running on my D.O. server before I performed this setup. The VPN works like a charm, but now I can’t access my websites. I haven’t checked it deeply, it might be a firewall problem, but I wanted to ask in case you have any ideas.
UPDATE: June 24th, 2015 at 17:45
I got it working back. It was the firewall indeed. Just needed to:
ufw allow 80 for the regular http protocol
ufw allow 443 for the https protocol
ufw allow 3306 for mysql
People, beware that if you have any other services running on the server, they might not be accessible after installing the firewall, double check on that!
Hi ! This is a great guide the best I have seen for a long time and it covers exactly what I have in terms of operating systems and hardware being:
Router for incoming traffic Fritz!Box 7270 V3 firmware 74 5.53 udp port 1194 is forwarded to my Ubuntu 14.04 headless server.
An ipad.ovpn profile was generated according to the instructions as per this howto. This profile was loaded via iTunes onto my iPad air 2 on which openvpn v1.5 build 177 (ios 64-bit) has been installed.
Everything seems to work. I can connect without problems. The server ip of my iPad, before connection, is that of my cellular service provider, and once connected, switches to that of the service provider of my ADSL Fritz!Box router. So far so good.
However once connected, which is rather quick, I cannot connect to anything with my iPad. It seems the problem is that my client IP is empty.
my iPad has been assigned a VPN IPv4 address of however
the client IP is empty
Server IP is correct and is the same as my incoming ADSL gateway IP address.
Protocol is UDPv4
I would explode with joy if somebody would assist me to get this working. :-)
Needless to say I checked and crosschecked over and over but cannot find anything I configured incorrectly.
I also disabled my ufw firewall to ensure that I don’t get blocked from there.
Thank you all in advance.
This instruction guide is masterfully done. Thank you very much for your work, and suggestions throughout. As a new Ubuntu user, setting up a VPN server could not be any easier!
hi i’ve follow all the guide but when import client.ovpn on iphone the error is: openvpn error: polarssl: eroor parsing ca certificate: x509 - the crt/crl/crs format is invalid. some solution? thanks
Hi. In Step 3, can we create around 1000 clients? Or, is there any limit for the clients creation?
Just followed the steps here on this post and everything works like a charm! Thanks!!! I really like the step-by-step guide as it also explains why we need to execute each command!
Btw, after the setup, I did a bit more reading and research and ran two more additional steps to harden the security of OpenVPN.
Hardening OpenVPN Security
I didn’t follow every step in the HOWTO and some were already covered in this tutorial but here’s the additional two steps that I took.
on server.conf
Thanks again for this really awesome step-by-step tutorial and I’m very happy with my OpenVPN setup right now.
I used the script provided in the tutorial, but I try to add more users and I get this: http://i.imgur.com/FaGxlDn.png How do I get by this?
I’m guessing it’s because you ran the command
again (which is not required) if you’re just going to add new users. Now, you’ll have to resume the step ./build-ca again to regenerate the keys for the server since the ./clean-all have wiped out all the keys in the /keys folder.
To add a new user, you only need to run . ./vars and ./build-key client2
Wow, thank you so so much! I followed it down to the -T and I got my vpn working the first time!
This is how guides should be written, very good detail.
Thank you for the great How-To. What should be done to make the OpenVPN Server/Client IPv6-ready? Would you provide some information/guide on that?
hi? how would i know my VPN’s IP address because i cannot continue to the tutorial. i cannot change my-server-1 to my VPN’s IP because i dont know it sir. Please help
I used the user data script without any modifications to create the droplet…
I disabled the user and group as I am connecting from a Windows machine. Now when I am trying to connect, I get the following error:
Any clue where things are going wrong?
The script copied additional information from the certificate that needed to be deleted. Maybe the developer can correct it…
A vote of thanks to the developer of the script… Made it a breeze :-)
I can’t download any files from /etc/openvpn/easy-rsa/keys/ - it prompts me for my password, but root password no longer works! It says “permission denied public key password”. Given that I followed digital ocean tutorial instructions for setting up ssh keys, shouldn’t it work?
Hi. If you have disabled SSH password auth you should login to your server with the keys you have set up. There should be a configuration option in your SFTP client session settings.
Hi everyone I am new to Ubuntu OS and the whole idea behind VPN so keep that in mind… I went through the tutorial step by step and everything seemed to be working fine. On the step where the client .opvn file is merged and created I used a 192.168.xxx.xxx address (See Below)
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.xxx.xxx 1194
I used the local ip because the public ip is dynamic and I don’t yet have dynDNS setup. When I installed the .ovpn file to my iPhone everything worked great the VPN was up and running and accepting traffic. The only problem was since I used the local IP I couldn’t leave the local wifi. (Kinda defeats the purpose of VPN because I can’t use it from a public WIFI network like Starbucks)
Later I changed the local ip in the client.opvn file to the public ip. I put the .opvn file on the iphone and forwarded the port in the router. Using the public ip now I cant connect to the VPN. I get a connection timeout on the iPhone every time I try to connect.
Any ideas???
When I port forward do I enter the server ip on the LAN (192.168.xxx.xxx) or the tunnel ip (10.8.x.x)?
Thanks for your help in advance.
For some reason, only on Windows, I get this error:
Here is my .ovpn file:
Like many others here, I can’t get out to the Internet, but the VPN connection is successful. I feel like there’s something simple I’m missing, as I’ve followed this guide on Ubuntu 15.04 and DO’s sister guide for FreeBSD on another droplet. Both use openvpn and in both cases, I can ping and SSH into the droplet, but connectivity stops there.
I’ve tried this with OS X and DD-WRT on a router (both can connect just fine).
Looking at the comments here, I’ve tried rebooting the server, double-checked config settings, and tried changing eth0 to venet0 in ufw settings.
It’s working now. I don’t know why. After the third or so time nuking the Droplet and creating a new one, it’s now working properly. I’m trying to figure out why.
I thought it might have to do with using IPv6 (since this guide only deals with IPv4) but ruled that out, I can use my domain/hostname as the server address and it works fine, I did NOT have to use the Droplet’s IPv4 address for ovpn config file.
It’s possible that it has something to do with going through this guide as a user you create after creating the Droplet vs. using root. This was the first go-around that I used root and didn’t create a user for myself, though I of course used sudo prior. I dunno. For those with issues, try going through this guide as root.
i have no idea with this step, it asks me a password, but i set up droplet with ssh key and don’t have password, how can i go forward? (i have a publickey and a privatekey, but don’t know how to use them), anyone can give me some guidance? i am totally ignorant in this terrain : - (
all works well until here openssl dhparam -out /etc/openvpn/dh2048.pem 2048, where I was denied and have to sudo the command, but after this, the command “. ./vars” gave me the result: NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys, then “./clean-all” result: rm: cannot remove ‘/etc/openvpn/easy-rsa/keys’: Permission denied mkdir: cannot create directory ‘/etc/openvpn/easy-rsa/keys’: File exists. Using sudo the result was: Please source the vars script first (i.e. “source ./vars”) Make sure you have edited it to reflect your configuration.
I can strongly recommend the following script:
The following guide is helpful as well:
As for the UFW setup, see:
Quick question, Am I allowed to download torrent in my local machine through this VPN?
I have followed all the steps up to step 3 and when I type: service openvpn start, I get the correct response but when I type: service openvpn status, I get VPN ‘server’ is not running. I have gone to my system logs and I have found the error and it states: Options error: --dh fails with ‘dh2048.pem’ : No such file or director. I am unsure of where I made an error can anyone help?
Hello everybody! OpenVPN successfully connects to the server, but I’ve a problem: when I try to surf Internet, browser say me: “DNS PROBE FINISHED NO INTERNET”. What is the problem? Thank for replies.
For anyone unable to connect to the internet after successfully setting up their server (and you are confident you completed the steps successfully), take a second look at your .ovpn client file. In my case, the unified version wasn’t picking up the xml at the bottom of the file which specified my ca, cert, and key (I’m running linux 14.04 kde flavor). I removed the xml bit completely and instead un-commented the three lines that this guide tells you to comment, and renamed the configs on those lines according to the names of my files. The downside to this is you have to keep all of the certs in the relative path of the profile if you want to import that profile. But, now you can import that profile. If anyone has any idea why I wasn’t able to load the “unified” profile, do let me know. And no, there were no syntax issues.
Thank you for reply. Could you explain me, more specifically, what did you modify in .ovpn client file?
@ghila96 Sorry for the slow response. I uncommented some lines in my .opvn file and pointed to the paths of each file respectively:
Note that these three files were relative to my .opvn file, and so the path simply consisted of the file names.
I then went to the bottom of the .opvn file and removed all the xml info since I provided the paths to that information with the step above. In my case, I was able to connect using this .opvn profile and have access to the internet. I’m not sure why the xml wasn’t loading correctly :(
If you need to revoke a certificate, navigate to the
directory and enter the following commands, where client1 is the name of the certificate you wish to revoke:
there will be some output ending with
a certificate revocation list file called
will be generated in the keys directory. Copy this to the openvpn dir.
and add the following to your
file in your openvpn directory.
You do not need to restart the
service unless the certificate is currently in use, in which case the following command will restart the server.
When I connect to VPN on Windows, the following log appears and it’s always waiting…
Fri Sep 25 11:21:34 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
Fri Sep 25 11:21:34 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Fri Sep 25 11:21:34 2015 MANAGEMENT: TCP Socket listening on [AF_INET]
Fri Sep 25 11:21:34 2015 Need hold release from management interface, waiting…
Fri Sep 25 11:21:35 2015 MANAGEMENT: Client connected from [AF_INET]
Fri Sep 25 11:21:35 2015 MANAGEMENT: CMD ‘state on’
Fri Sep 25 11:21:35 2015 MANAGEMENT: CMD ‘log all on’
Fri Sep 25 11:21:35 2015 MANAGEMENT: CMD ‘hold off’
Fri Sep 25 11:21:35 2015 MANAGEMENT: CMD ‘hold release’
Fri Sep 25 11:21:35 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Sep 25 11:21:35 2015 UDPv4 link local: [undef]
Fri Sep 25 11:21:35 2015 UDPv4 link remote: [AF_INET]
Fri Sep 25 11:21:35 2015 MANAGEMENT: >STATE:1443151295,WAIT,
I followed the guide, until I reached Step 3. At that point, I attempted to use ./build-key (clientname) and was returned with this: “Please edit the vars script to reflect your configuration, then source it with “source ./vars”. Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run “./clean-all”. Finally, you can run this tool (pkitool) to build certificates/keys.” Any help?
To merge the individual files into the one unified profile, the contents of the ca.crt, client1.crt, and client1.key files are pasted directly into the .ovpn profile using a basic XML-like syntax. The XML at the end of the file should take this form:
What meaning of this???
Ran ‘service openvpn start’ and then ‘service openvpn status’
This is what I get after checking the status. I’ve run the the config 4 times and I can’t find out why it keeps exiting??
openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
Active: active (exited) since Sat 2015-10-10 16:13:56 EDT; 6s ago
Process: 28644 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 28644 (code=exited, status=0/SUCCESS)
Worked like a charm! Thank you!
One thing, I’ve noticed people are having some issues in making it work. Remember to use the DNS specified in the configuration.
push “dhcp-option DNS” push “dhcp-option DNS”
I’ve used Google DNS. and
Best regards.
This was a wonderful tutorial, but I have a problem finishing up.
I am attempting to test my connect on iOS, but I receive the error “option_error: remote option not specified”
Here is my ovpn file. Please note that I have left out the information which contains my key. Also, am I right in assuming that I must have port 1194 open in order for my server to be seen?
Thank you!
You need to add
before 68.199.24.30 1194:
For those of you having trouble with accessing internet while getting successful connection to your server, consider changing MTU at server side. I’ve put tun-mtu 1300 at the end of /etc/openvpn/server.conf, and all problems vanished. //before that i could surf internet on my phone via LTE, but it didn’t work via wi-fi
When I used ufw enable apache stopped working. It was somehow blocking my sites too
Run the following commands to have UFW let through HTTP and HTTPS connections:
Take a look at How To Set Up a Firewall with UFW on Ubuntu 14.04 for a detailed explanation on how to use UFW.
but this command allow all visitors to access the webserver, I need a rule for grant access only for openvpn clients connected to the server. I tried with: ufw allow from to any port 80 proto tcp but it does not work …
I’m able to use TunnelBlick, my IP changes for browsing. But when I want to connect to MySQL the IP is not changed. What am I doing wrong?
If I create a brand new droplet and enter in the script into the user data field as noted above, then does that mean I can skip section 1 in these instructions and move to section 2, or skip to section 3 etc?
Awesome write-up! Really to the point and really works when you are done :)
If I would change one thing it’s when you mention ufw allow 1194 you can actually type ufw allow openvpn :)
Thanks for this!
I had the following problem: starting the server with openvpn --config server.conf was working (I could connect to it) but when using systemctl with service openvpn start it would simply say active (exited) (as it is supposed to) but not create the tun interface.
The solution is the following:
systemctl daemon-reload
service openvpn restart
And it worked. Hope it helps.
Set this up and it worked on my Android phone, but when I tried to connect my Ubuntu system (client) to my Ubuntu server (running openvpn as installed above), then I could only connect to the server over the VPN, I could not use it to route traffic to the rest of the world. I tried this with ufw enabled and disabled.
I feel like it must be a setting on my client since my phone seemed able to use the VPN. I used Network Manager and setup the gateway, user cert, ca cert and private key as created above, and went to routes and made sure that “Use this connection only for resources on its network” was unchecked (because I want to use the VPN for all traffic).
Any thoughts on why this wouldn’t be working?
Did you uncomment this line from OpenVPN’s server config file?
And oddly, I’ve learned that it’s Network Manager that isn’t working.
I can connect to the VPN with no problem using the command-line on my client, but it doesn’t work from Network Manager - even though I’ve properly used Network Manager for another of my VPN connections.
Folks, there is just too much information missing in this “howto” I’m surprised if ANYONE has followed this tutorial and ran a DNS leak test with 0 results. Also, if you’re tunneling your traffic for everything, say your browser, you might want to educate yourself on WEBRTC. If you don’t correct this - the vpn is useless.
You should not put yourself at risk by transferring files as ‘root’. If you followed the instructions for your Ubuntu droplet --> https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04 (read the section Step Five — Configure SSH Daemon) you would have disabled ssh root login. This will prevent you from transferring files via scp as root… I’m sure some of you have run into problems with that step. I know there were links provided for sftp but the file ownerships are still ‘root’, that’s assuming you logged into your droplet remotely and ran everything as root.
I would suggest not following this article. Read some of the documentation provided from the links below and configure your vpn correctly.
https://help.ubuntu.com/community/OpenVPN https://openvpn.net/index.php/open-source/documentation.html
Hey guys!
Can anyone explain how to set up Transmission CLI to work with OpenVPN on the same machine? I have set it up, it worked, but after I set up OpenVPN I’m unable to access Transmission…
Hi, thank you for your tutorial, very clear and simple. I changed the port 1194 to a 443 tcp, it works perfectly. Does this configuration work in China?
So this is not at all your problem or fault, but but I was hoping you might be able to help.
I am not extremely well versed in terminal, but but I was trying to follow the directions here and was getting through it slowly. I stopped one one night hoping to resume the next day. I got to the point of creating the keys and certs, then was unable to get them to my android android and gave up.
Today I woke up the computer to find my password field missing. I restarted and when when I entered the password I was returned to the login screen.
I have tried a few different methods to no avail. Such as chown .Xauthority but that didn’t help. Tried startx, and it timed out and went black. I just tried rm .Xauthority and and it and it is currently “thinking”. I hope this works, but if it doesn’t I’ll post and gain asking for help.
That aside, thanks for this awesome tutorial.
On android and I type so fast my keyboard doubles my words… not not going not going to not going to fix it
So startx got got me into the GUI, but there there is no sidebar or top bar with the system “gear” icon and all that.
Honestly I’m quite confused. If you can, please advise on what I messed up.
I’m not able to get connection to the server (TLS handshake errors etc) I followed these instructions and did everything three times.
I ended up following https://help.ubuntu.com/community/OpenVPN and now I’m connected. Whee.
I am trying to add new clients to the vpn (step3) and when I do the ./build-key client1 I get a message that says “edit the vars script to reflect your configuration” and it won’t let me create a new profile. Is this because of the code lines 36-38 where it added --batch ? in line 28 it followed fine with the tutorial and paid attention to the . ./vars but I am confused by this error. Yes I ran the script when I build the droplet and was just looking over it for verification and to build my own knowledge base. Skill level is a step above noob.
Firstly thanks for the great tutorial. I have it all setup and working via my mac using Tunnelblick. What I would like to do is use my Asus RT-AC68U router to connect to the VPN. I have uploaded the .ovpn file, the one I know works with Tunnelblick, to the router. However when I try to connect it fails with the following in the log:
Dec 16 12:01:23 openvpn[849]: OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 2 2015
Dec 16 12:01:23 openvpn[849]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Dec 16 12:01:23 openvpn[850]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 16 12:01:23 openvpn[850]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Dec 16 12:01:23 openvpn[850]: failed to find GID for group nogroup: Invalid argument (errno=22)
Dec 16 12:01:23 openvpn[850]: Exiting due to fatal error
I’m a noob when it comes to linux but would appreciate any help. Thanks in advance.
This is great awesome tutorial!!!
In Windows 10, this setup causes a DNS leak. To solve that,
must be added on client configuration file and user must be using 2.3.9 version of openvpn GUI
This is a fantastic tutorial, but I have one problem. I got the vpn working when connecting my server directly to my isp, but when the server is behind a router clients cannot connect. I did port forwarding on the router, but am unable to make sense of this iptables business. Can anyone help?
After completing step 2 I get I may have missed something
VPN ‘server’ is not running
Great manual but I have a dummy question. At this point:
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
**my-server-1** should be my server’s local IP (192.168.10.x) or external/public IP (62.228.X.X)?
Please advise.
Thanks for the post, but a simpler way (takes 5 minutes) is to use a pre-shared key, as described here - http://sysadm.pp.ua/linux/shifrovanie/openvpn-point-to-point.html. Has anyone used OpenSSL for certs and keys generation for OpenVPN?
After finishing the process, I use . ./vars and ./build-key client2 to add a new user. I also use . ./vars and ./revoke-full client2, cp /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn and add crl-verify crl.pem to the server.config file to revoke his access.
Can I just totally delete the user client2 somehow?
Thank you all for your valuable help and time!
This configuration works perfectly with OpenVPN iOS but will have problems using Tunnelblick.
When OpenVPN goes to close down the connection, it is not running as root. So it is unable to alter the routing tables. This is seen in several log entries starting with:
Anyone curious, this tutorial is still working perfectly as of January 16th, 2015. [Tested on Ubuntu 14.04 64 bit.] Thanks a lot, James!
Worked like a charm! Had to reboot or restart a service. I’m losing internet connection and then I get it back but I don’t know why. I’ll try it on DMZ and see if it’s better but not today. :)
Please Help I config according to this guide in my linode vps, is OK. But in my digitalocean vps, it does NOT work.
this is my server log in /var/log/syslog
Last line is [UFW BLOCK],
but WHY? what should I do next, thanks very much.
I create a new droplet with user data using this user script: https://github.com/digitalocean/do_user_scripts/blob/master/Ubuntu-14.04/network/open-vpn.yml
it does NOT work either~
Took a while and some sections I stumbled with (not realising I needed to open the various client files in a txt editor and paste their contents in), however it’s complete and I have a client connected, no DNS leaks and way faster than the commercial VPN services I have tried, so great stuff.
I’ve a droplet with openvpn installed and there are few other droplets (app servers). How to configure the openvpn server and connect the other droplets securely from my client?
Thank you very much, worked like charm.
please notice you have one lil mistake in this how to --> step4 : in 5th pane (change “END” to “BEGIN”)
Thanks again:)
Following your guide, I’ve come to a puzzling conclusion.
BUT after connecting to my openvpn setup, USING port 443/tcp not the defaults…
Why is it nerfed so hard? Is there anything I can do about this?
Hello, Following this tutorial I have openvpn server running and I can connect from ubuntu desktop as client without problems, but I need to close apache access for public, just ovpn clients should be able to access the webserver. So I added this rule:
But ufw blocks all access to apache, connected or not connected to ovpn I can’t access:
Adding this rule I can access, but the rest of the world too:
sudo ufw allow http
All steps covered in this tutorial related to ufw are applied.
**Any help please? How to restrict apache access to ovpn clients only and close it for rest of the world?**
I am receiving a ‘permission denied’ error when I try to download my key. I am doing this as the root user. After this script /etc/openvpn/easy-rsa/keys/client1.key Downloads- The server is saying permission denied. Why is this?
How can I set up an OpenVPN client on Debian 8*?
one word: PERFECT!!
very good
This is a great tutorial. I appreciate the writer’s hard work. While I was setting up, I encountered some problems with configuration. I would like to share my setup experience with others.
[While working on ./build-ca, show same message over and over again ]
user@ubuntu:/etc/openvpn/easy-rsa$ sudo ./build-ca
[sudo] password for user:
Please edit the vars script to reflect your configuration, then source it with “source ./vars”.
Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run “./clean-all”.
Finally, you can run this tool (pkitool) to build certificates/keys.
**you need to log in as root rather than sudoer.**
http://stackoverflow.com/questions/27221273/failed-to-create-certificate-when-i-want-to-run-source-vars-and-clean-all
[ Error on build-ca] you will encounter this error when running ./build-ca: "error on line 198 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf 139640386487968:error:0E065068:configuration file routines:STR_COPY:
add the following lines into “vars” file. don’t forget . ./ as a root, not sudoer
export KEY_ALTNAMES="something"
https://bugs.launchpad.net/serverguide/+bug/1504676
[After successful openvpn connection, still no internet ?] you may check on tun0 network activity on openvpn server side ( not client ). I use “nload”. Under ufw and other system network configuration, you can add the following to iptables thru command line as sudoer. For permanent setup, you can add it to rc.local file or network related system configuration file.
# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o eth0 -s -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Masquerade traffic from VPN – done in the nat table
# Do this only if you haven’t modified routing tables as explained before
iptables -t nat -I POSTROUTING -o eth0 -s -j MASQUERADE
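An added example, not part of the comment above: a coarse check, run over `iptables-save` output, for the "connected but no internet" state that those three rules address. The function name, finding labels and sample rulesets are constructed; 10.8.0.0/24 (the subnet in OpenVPN's sample server.conf) is assumed because the `-s` argument in the comment is blank.

```shell
#!/bin/sh
# vpn_forward_check RULESET IP_FORWARD SUBNET [TUN_IF]
#   RULESET     file with `iptables-save` output ("-" reads stdin)
#   IP_FORWARD  contents of /proc/sys/net/ipv4/ip_forward
#   SUBNET      VPN client subnet exactly as written in the rules
# Prints one finding per line; exit status 1 if anything is missing.
# Rule order is not modelled, so an earlier DROP can still block traffic.
vpn_forward_check() {
    awk -v fwd="$2" -v subnet="$3" -v tun="${4:-tun0}" '
        # True when the rule contains the option string as whole words.
        function has(opt) { return index(" " $0 " ", " " opt " ") > 0 }

        /^\*/ { table = substr($0, 2); next }      # "*nat", "*filter", ...

        table == "nat" && /^-A POSTROUTING / && has("-s " subnet) &&
            (has("-j MASQUERADE") || has("-j SNAT")) { nat = 1 }

        # An ACCEPT policy (the result of DEFAULT_FORWARD_POLICY="ACCEPT"
        # in ufw) makes explicit FORWARD rules unnecessary.
        table == "filter" && /^:FORWARD ACCEPT / { out_ok = back_ok = 1 }

        table == "filter" && /^-A FORWARD / && has("-j ACCEPT") {
            if (has("-s " subnet) || has("-i " tun)) out_ok = 1
            if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/) back_ok = 1
        }

        END {
            if (fwd != 1) { print "ip_forward-off";  n++ }
            if (!nat)     { print "no-masquerade";   n++ }
            if (!out_ok)  { print "forward-blocked"; n++ }
            if (!back_ok) { print "no-return-path";  n++ }
            exit (n > 0)
        }
    ' "$1"
}

# Constructed sample: a default-deny server with only the VPN port open.
ruleset_before() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the same server after the three rules were inserted,
# written the way iptables-save prints them.
ruleset_after() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: show the findings for the "before" ruleset.
ruleset_before | vpn_forward_check - 0 10.8.0.0/24 || true
```

On a live server the inputs would come from `iptables-save` (as root) and `cat /proc/sys/net/ipv4/ip_forward`.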
If you are using ufw for the first time (by this manual) make sure to add 22 port to allowed rules:
Or after you’re logging out from SSH - you will not be able to connect to your Droplet because of the firewall access rules. Same for apache/nginx rules add or your hosts will be not accessible
Hi, I’m having a problem with this tutorial. Everything is well until I try to transfer the files using scp. It then asks me for the root@localhost’s password, which I don’t know. I have root access, as before I started I used the sudo su command. I am a beginner in this area, so I would appreciate any help.
Try with SSH keys setup:
Digital Ocean Guide on SSH Keys
I was hoping I could use this same file on my asus ac1900 but when it tries to connect it fails with the following error.
failed to find GID for group nogroup: No such file or directory (errno=2)
I am able to connect with the open vpn client on my machine, but I don’t know why my router can’t use the same ovpn file to connect like my desktop does. Thanks for any help that may be provided.
Thanks for article, it’s very useful.
This is completely broken and does not work, I have tried it twice on two fresh installs of Ubuntu and each time I can connect successfully but the internet does not work once connected on multiple devices.
I found getting internet a bit of a pain. Eventually I found:
Worked when trying to get internet access. Might not be the best way, but it worked for me. Hopefully might help others.
Almost there… Here’s my tunnelblick log
2016-04-20 14:25:12 RESOLVE: Cannot resolve host address: http://xxx.xxx.x.xxx: nodename nor servname provided, or not known
2016-04-20 14:25:17 RESOLVE: Cannot resolve host address: http://xxx.xxx.x.xxx: nodename nor servname provided, or not know
Just setup another client on my iPhone, it won’t connect either, just times out
And then it all worked, dunno what worked, I switched so much I’m not sure what worked.
I have just followed this guide to set up an OpenVPN server on my droplet, and I am now using Tunnelblick to connect. However, it doesn’t connect. I get TLS Handshake errors.
EDIT: Nevermind. A reboot solved my problems!
When I am using the SCP command to copy client1.key into the Downloads directory on the local computer, I get this message: “Permission denied, please try again.” I am on raspberry pi 3 with ubuntu mate
Someone had the same problem?
scp root@your-server-ip:/etc/openvpn/easy-rsa/keys/client1.key Downloads/
How do I keep the client with no change in the default route?
How do I revoke a specific certificate from accessing the server? Thanks a lot.
It works but speed is very slow.
What about using a Chromebook ( Chrome OS ) as a client? Setting up a VPN connection requires a username and password. Any workaround this?
I have Completed all steps and every thing looks normal. But the problem is that i can browse only one site when connected to VPN and that is my Default server IP
well the tutorial is well written and everything looked good until I try and connect.
Oh why does VPN have to be so difficult !!! surely it can’t be this hard to tunnel a connection through SSH !!!
I tried the openVPN client, it doesn’t see a server…
I tried the openvpn admin, nothing… but this guide sets access to UDP only?
TunnelBlick gives me this bizarre, non-understandable error…
*Tunnelblick: OS X 10.11.5; Tunnelblick 3.6.3 (build 4560)
2016-06-17 17:05:52 *Tunnelblick: Attempting connection with BBLONDON; Set nameserver = 771; monitoring connection
2016-06-17 17:05:52 *Tunnelblick: openvpnstart start BBLONDON.tblk 1337 771 0 3 0 1065264 -ptADGNWradsgnw 2.3.10
2016-06-17 17:05:52 *Tunnelblick:
Could not start OpenVPN (openvpnstart returned with status #251)
Contents of the openvpnstart log:
*Tunnelblick: openvpnstart log:
Warning: Tunnelblick is using ‘openvpn-down-root.so’, so the route-pre-down script will not be used. You can override this by providing a custom route-pre-down script (which may be a copy of Tunnelblick’s standard route-pre-down script) in a Tunnelblick VPN Configuration. However, that script will not be executed as root unless the ‘user’ and ‘group’ options are removed from the OpenVPN configuration file. If the ‘user’ and ‘group’ options are removed, then you don’t need to use a custom route-pre-down script.
OpenVPN returned with status 1, errno = 0: Undefined error: 0
EXCELLENT guide!!! incredible accurate! THANKS
I’ve used this tutorial on several Droplets and I’ve always run into problems getting it to work. After several times I decided to make notes of my install, troubleshoot and finally got a working vpn. Kudos to those of you that have used this tutorial successfully. I have never been able to get a working vpn by following this tutorial without tweaking some things on my droplet. This script https://github.com/Nyr/openvpn-install is good for those of you that want a vpn that WORKS.
This tutorial is good for those of you that want to learn how everything works, but not so much if you want a functional vpn that doesn’t leak. If you follow this tutorial and learn the concepts, troubleshoot and read your log files for errors - you’ll learn a lot. Once you’ve tried this tutorial I suggest you use the link above, read the code to see what it’s doing (you should have a better understanding of the script after following this tutorial) and then install from the link above.
I am wondering if I have to do Step 4 Creating a Unified OpenVPN Profile for Client Devices for every client device needing to connect to the vpn? Also, I set this up on a different LVS, not my digitalocean lvs, what traffic monitoring tools are there to monitor one’s traffic usage? Thank you
Thanks for the perfect article. After establishing the VPN traffic to/from the internet flows perfectly. However, I can ping from my local host (a private IP address inside an enterprise) to the OpenVPN server private network (172.32.x.x - the eth0 address of the Linux machine on which OpenVPN server is installed) but not the other way around, means that I cannot ping from the OpenVPN server private network back to my enterprise private IP address. Any reason why, and how can I fix this?
Hey can you help me with this error
sudo service openvpn restart
sudo service openvpn status
tail -f 2000 /var/log/syslog
tail: cannot open ‘2000’ for reading: No such file or directory
==> /var/log/syslog <==
Aug 11 07:08:57 ip-172-16-0-5 rsyslogd: [origin software=“rsyslogd” swVersion=“7.4.4” x-pid=“881” x-info=“http://www.rsyslog.com”] rsyslogd was HUPed
Aug 11 07:17:01 ip-172-16-0-5 CRON[1766]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Aug 11 07:32:45 ip-172-16-0-5 dhclient: DHCPREQUEST of on eth0 to port 67 (xid=0x56487a8f)
Aug 11 07:32:45 ip-172-16-0-5 dhclient: DHCPACK of from
Aug 11 07:32:45 ip-172-16-0-5 dhclient: bound to – renewal in 1599 seconds.
Aug 11 07:33:31 ip-172-16-0-5 ovpn-server[1845]: Options error: --dh fails with ‘dh1024.pem’: No such file or directory
Aug 11 07:33:31 ip-172-16-0-5 ovpn-server[1845]: Options error: Please correct these errors.
Aug 11 07:33:31 ip-172-16-0-5 ovpn-server[1845]: Use --help for more information.
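Two logs in this thread show OpenVPN exiting before any tunnel comes up: "--dh fails with 'dh1024.pem'" here and "failed to find GID for group nogroup" in the router reports earlier. The following is an added example, not code from the tutorial or its commenters: a shell function that checks a config for both conditions before the service is restarted. The function names, finding labels and sample files are constructed, and relative paths are assumed to resolve against the config file's directory.

```shell
#!/bin/sh
# ovpn_preflight CONFIG [PASSWD_FILE] [GROUP_FILE]
# Flags file directives that point at nothing and user/group names that the
# account database does not define.
# Prints one finding per line; exit status 0 = clean, 1 = findings.
# The body runs in a subshell so its variables stay private.
ovpn_preflight() (
    conf=$1
    passwd_file=${2:-/etc/passwd}
    group_file=${3:-/etc/group}
    # Assumption: relative paths resolve against the config's own directory.
    dir=$(cd "$(dirname "$conf")" && pwd) || exit 2
    findings=0

    while read -r key val rest || [ -n "$key" ]; do
        val=${val#\"}; val=${val%\"}           # tolerate "quoted" values
        case $key in
            ''|'#'*|';'*)                      # blank line or comment
                continue ;;
            ca|cert|key|dh|crl-verify|tls-auth)
                # [inline] means the material is embedded in the profile
                [ "$val" = "[inline]" ] && continue
                case $val in /*) path=$val ;; *) path=$dir/$val ;; esac
                if [ ! -f "$path" ]; then
                    echo "missing-file $key $val"
                    findings=1
                fi ;;
            user)
                grep -q "^$val:" "$passwd_file" ||
                    { echo "unknown-user $val"; findings=1; } ;;
            group)
                grep -q "^$val:" "$group_file" ||
                    { echo "unknown-group $val"; findings=1; } ;;
        esac
    done < "$conf"
    exit "$findings"
)

# Constructed sample: a server.conf that names dh1024.pem although only
# dh2048.pem exists, and a group the (constructed) group file lacks.
preflight_demo() (
    tmp=$(mktemp -d) || exit 2
    touch "$tmp/ca.crt" "$tmp/server.crt" "$tmp/server.key" "$tmp/dh2048.pem"
    printf 'nobody:x:65534:65534::/nonexistent:/bin/false\n' > "$tmp/passwd"
    printf 'nobody:x:65534:\n' > "$tmp/group"
    cat > "$tmp/server.conf" <<'EOF'
# constructed for this example
port 1194
proto udp
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
;tls-auth ta.key 0
user nobody
group nogroup
EOF
    out=$(ovpn_preflight "$tmp/server.conf" "$tmp/passwd" "$tmp/group") || true
    rm -rf "$tmp"
    printf '%s\n' "$out"
)

# Stand-alone run: print the findings for the constructed config.
preflight_demo
```

Against a real installation, call `ovpn_preflight /etc/openvpn/server.conf` on the server, or pass the client profile on the device that will run it.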
I managed to get one key working and was able to use the server fine but when I tried to make another key I get this error when I attempt to use it to connect : OpenVPN server certificate verification failed: PolarSSL:SSL read error:X509 - Certificate verification failed, e.g. CRL,CA or signature check failed.
I believe this is because I ran ./build-ca more than once on accident after I attempted to go back into the terminal and make another key. Anyway, my one key still works but I would like to have more than one. Anyway I can fix this?
I went through the tutorial step by step, and the result was great, vpn was working great for me for about 4 months so far, until recently, few days ago the network became too slow, around 20-40kbps, knowing that it was over 12-14mbps previously on my home network which is around 16mbps without the vpn.
I’m not sure why that happened, it could be throttling from my ISP, but wondering if that indeed is the reason, and how can I go over it, will just starting another server using another IP solve the issue, even if for another couple of months? Or can I just change the port number and it will work again?
I recently set up my server using this guide. It works, but my speeds are way down. I have read different articles where you could disable compression in server and client (by commenting out comp-lzo) or by changing the receive and send buffers. My upload limit is 20 Mbps and download is 95 Mbps on server side. If I even try to connect from my home network (where my server is with the same speeds). I get merely 2 Mbps download and 1 Mbps upload speed. Is there a way to increase my speed? The protocol runs tcp on a custom port (with correctly setup port forwarding).
I recently set up my server using this guide. It works, but my speeds are way down. I have read different articles where you could disable compression in server and client (by commenting out comp-lzo) or by changing the receive and send buffers (setting them both to 0 or 32kb). My upload limit is 20 Mbps and download is 95 Mbps on server side. If I even try to connect from my home network (where my server is at the same speeds). I get merely 2 Mbps download and 1 Mbps upload speed. Is there a way to increase my speed? The protocol runs tcp on a custom port (with correctly setup port forwarding).
instead of dh2048.pem keep dh dh2048.pem then it will work
Hi, there is no openvpn.conf file? I followed the guide until the init of the service and it’s not running because “missing /etc/openvpn/openvpn.conf”. I have all the files required in /etc/openvpn (server.conf, server.crt, server.key, ca.crt & dh2048.pem)
I was facing this issue:
To solve this, I logged in as root
Then performed the commands again
If I need to serve web server (http, https) as well at the same server I would like to configure VPN, what should I do now?
I tried and followed along the steps, but iptables rules via ufw effect running service of web server. Outside cannot access it anymore, as well as ssh. It’s request timeout. I believe it’s because of the rules.
Any suggestion to fix this?
This has been one of the best tutorials I have seen, but I have hit a few snags.
Some places needed sudo to get the commands to work.
Now I have got to setting up the CA, and it all fails, and I cannot find help on the internet. Any help would be most appreciated.
I changed the vars file, and was able to run ./clean-all.
But when I ran ./build-ca, I got
" The build-key-server command had similar results.
What is wrong?
Many thanks for your help.
I have tried setting up OpenVPN in Ubuntu and Debian and these tutorials all seem to be missing something or another. Does anyone know of a tutorial that is COMPLETE and will work at the end?
There is always something not correct between the tutorials, no key setup in the file, etc.
Why does Linux suck so bad now? 10 years ago things worked now it is all convoluted and BS. Not trying to knock your tutorials but none of these things work!!
I have created over 10 Ubuntu droplets and there was always something different wrong. Now trying it with Debian and nothing will work either.
Going to try to find the poster below’s github script.
That’s what I searched for! So great, now I can finally try it out.
Done all the steps, but Tunnelblick simply says “Waiting for server response mm:ss”. Where to start troubleshooting?
(openvpn is not listening on 1194 or on any other port for some reason…)
(however the service is enabled)
How do I delete keys? Say if I want to stop someone using my VPN
Tutorial works nicely. But is there some kind of interface to be able to add new clients more easily ?
The same issue as with Ubuntu 16 - connects OK but no internet :( Does anybody know the solution? I thought it must have been the postrouting but that’s set all right in this tutorial.
To those who have the problem to setup OpenVPN, there is a tutorial, it also works on ubuntu.
VPN works great, but all my hosted websites no longer work. Can someone suggest what may be causing this please?
Possible Issue : Ubuntu Server 16.04 - OpenVPN seems not to start, no logs get written
In case someone faces problem with the openvpn service itself getting started, refer the link https://unix.stackexchange.com/questions/292091/ubuntu-server-16-04-openvpn-seems-not-to-start-no-logs-get-written
How would I change the encryption type from BF-CBC to AES-256-XXX?
When I visit certain websites like crunchbase.com. I get captcha. Anyway to avoid this? rDNS, ip reputation, additional security?
Only use VPN for privacy but can be annoying if some sites block or ask for captchas every visit.
How to Setup Layer 2 VPN?
Also, if you reboot, it breaks it. What’s the command to re-enable the OpenVPN server after a system reboot? service openvpn start does not work!
Just my 2 cents:
For ipv6 support this helped me: http://bvd.io/vpn.php
To fix DNS leak on the client side: https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html
Thx. How can we record vpn traffic activites for clients ?
This article is amazing, thank you! For one of the first times in my life, I got no errors as I went through a tutorial. It’s especially amazing considering how many steps there are.
An improvement for me would be to explain how to use the VPN as a client from Ubuntu. It’s odd that many other client types are explained, but not Linux!