A previous version of this tutorial was written by Justin Ellingwood


Want to access the Internet safely and securely from your smartphone or laptop when connected to an untrusted network such as the WiFi of a hotel or coffee shop? A Virtual Private Network (VPN) allows you to traverse untrusted networks securely as if you were on a private network. The traffic emerges from the VPN server and continues its journey to the destination.

When combined with HTTPS connections, this setup allows you to secure your wireless logins and transactions. You can circumvent geographical restrictions and censorship, and shield your location and any unencrypted HTTP traffic from the untrusted network.

OpenVPN is a full-featured, open-source Secure Socket Layer (SSL) VPN solution that accommodates a wide range of configurations. In this tutorial, you will set up an OpenVPN server on an Ubuntu 18.04 server and then configure access to it from Windows, macOS, iOS and/or Android. This tutorial will keep the installation and configuration steps as simple as possible for each of these setups.

Note: If you plan to set up an OpenVPN server on a DigitalOcean Droplet, be aware that we, like many hosting providers, charge for bandwidth overages. For this reason, please be mindful of how much traffic your server is handling.

See this page for more info.


To complete this tutorial, you will need access to an Ubuntu 18.04 server to host your OpenVPN service. You will need to configure a non-root user with privileges before you start this guide. You can follow our Ubuntu 18.04 initial server setup guide to set up a user with appropriate permissions. The linked tutorial will also set up a firewall, which is assumed to be in place throughout this guide.

Additionally, you will need a separate machine to serve as your certificate authority (CA). While it’s technically possible to use your OpenVPN server or your local machine as your CA, this is not recommended as it opens up your VPN to some security vulnerabilities. Per OpenVPN’s Getting started How-To tutorial, you should place your CA on a standalone machine that’s dedicated to importing and signing certificate requests. For this reason, this guide assumes that your CA is on a separate Ubuntu 18.04 server that also has a non-root user with privileges and a basic firewall.

Please note that if you disable password authentication while configuring these servers, you may run into difficulties when transferring files between them later on in this guide. To resolve this issue, you could re-enable password authentication on each server. Alternatively, you could generate an SSH keypair for each server, then add the OpenVPN server’s public SSH key to the CA machine’s file and vice versa. See How to Set Up SSH Keys on Ubuntu 18.04 for instructions on how to perform either of these solutions.

When you have these prerequisites in place, you can move on to Step 1 of this tutorial.

Step 1 — Installing OpenVPN and EasyRSA

To start off, update your VPN server’s package index and install OpenVPN. OpenVPN is available in Ubuntu’s default repositories, so you can use for the installation:

OpenVPN is a TLS/SSL VPN. This means that it utilizes certificates in order to encrypt traffic between the server and clients. To issue trusted certificates, you will set up your own simple certificate authority (CA). To do this, we will download the latest version of EasyRSA, which we will use to build our CA public key infrastructure (PKI), from the project’s official GitHub repository.

As mentioned in the prerequisites, we will build the CA on a standalone server. The reason for this approach is that, if an attacker were able to infiltrate your server, they would be able to access your CA private key and use it to sign new certificates, giving them access to your VPN. Accordingly, managing the CA from a standalone machine helps to prevent unauthorized users from accessing your VPN. Note, as well, that it’s recommended that you keep the CA server turned off when not being used to sign keys as a further precautionary measure.

To begin building the CA and PKI infrastructure, use to download the latest version of EasyRSA on both your CA machine and your OpenVPN server. To get the latest version, go to the Releases page on the official EasyRSA GitHub project, copy the download link for the file ending in , and then paste it into the following command:

Then extract the tarball:

You have successfully installed all the required software on your server and CA machine. Continue on to configure the variables used by EasyRSA and to set up a CA directory, from which you will generate the keys and certificates needed for your server and clients to access the VPN.

Step 2 — Configuring the EasyRSA Variables and Building the CA

EasyRSA comes installed with a configuration file which you can edit to define a number of variables for your CA.

On your CA machine, navigate to the EasyRSA directory:

Inside this directory is a file named . Make a copy of this file, and name the copy without a file extension:

Open this new file using your preferred text editor. Here, we’ll use :

Find the settings that set field defaults for new certificates. They will look something like this:


Uncomment these lines by removing the pound sign () at the beginning of each one. Then update the highlighted values to whatever you’d prefer, but do not leave them blank:


When you are finished, save and close the file. If you edited the file using , do so by pressing , , and then .

Within the EasyRSA directory is a script called which is called to perform a variety of tasks involved with building and managing the CA. Run this script with the option to initiate the public key infrastructure on the CA server:

After this, call the script again, following it with the option. This will build the CA and create two important files — and — which make up the public and private sides of an SSL certificate.

  • is the CA’s public certificate file which, in the context of OpenVPN, the server and the client use to inform one another that they are part of the same web of trust and not someone performing a man-in-the-middle attack. For this reason, your server and all of your clients will need a copy of the file.
  • is the private key which the CA machine uses to sign keys and certificates for servers and clients. If an attacker gains access to your CA and, in turn, your file, they will be able to sign certificate requests and gain access to your VPN, impeding its security. This is why your file should only be on your CA machine and that, ideally, your CA machine should be kept offline when not signing certificate requests as an extra security measure.

If you don’t want to be prompted for a password every time you interact with your CA, you can run the command with the option, like this:

In the output, you’ll be asked to confirm the common name for your CA:

The common name is the name used to refer to this machine in the context of the certificate authority. You can enter any string of characters for the CA’s common name but, for simplicity’s sake, press to accept the default name.

With that, your CA is in place and it’s ready to start signing certificate requests.

Step 3 — Creating the Server Certificate, Key, and Encryption Files

Now that you have a CA ready to go, you can generate a private key and certificate request from your server and then transfer the request over to your CA to be signed, creating the required certificate. You’re also free to create some additional files used during the encryption process.

Start by navigating to the EasyRSA directory on your OpenVPN server:

From there, run the script with the option. Although you already ran this command on the CA machine, it’s necessary to run it here because your server and CA will have separate PKI directories:

Then call the script again, this time with the option followed by a common name for the machine. Again, this could be anything you like but it can be helpful to make it something descriptive. Throughout this tutorial, the OpenVPN server’s common name will simply be “server”. Be sure to include the option as well. Failing to do so will password-protect the request file which could lead to permissions issues later on:

Note: If you choose a name other than “server” here, you will have to adjust some of the instructions below. For instance, when copying the generated files to the directory, you will have to substitute the correct names. You will also have to modify the file later to point to the correct and files.

This will create a private key for the server and a certificate request file called . Copy the server key to the directory:

Using a secure method (like SCP, in our example below), transfer the file to your CA machine:

Next, on your CA machine, navigate to the EasyRSA directory:

Using the script again, import the file, following the file path with its common name:

Then sign the request by running the script with the option, followed by the request type and the common name. The request type can either be or , so for the OpenVPN server’s certificate request, be sure to use the request type:

In the output, you’ll be asked to verify that the request comes from a trusted source. Type then press to confirm this:

If you encrypted your CA key, you’ll be prompted for your password at this point.

Next, transfer the signed certificate back to your VPN server using a secure method:

Before logging out of your CA machine, transfer the file to your server as well:

Next, log back into your OpenVPN server and copy the and files into your directory:

Then navigate to your EasyRSA directory:

From there, create a strong Diffie-Hellman key to use during key exchange by typing:

This may take a few minutes to complete. Once it does, generate an HMAC signature to strengthen the server’s TLS integrity verification capabilities:

When the command finishes, copy the two new files to your directory:

With that, all the certificate and key files needed by your server have been generated. You’re ready to create the corresponding certificates and keys which your client machine will use to access your OpenVPN server.

Step 4 — Generating a Client Certificate and Key Pair

Although you can generate a private key and certificate request on your client machine and then send it to the CA to be signed, this guide outlines a process for generating the certificate request on the server. The benefit of this is that we can create a script which will automatically generate client configuration files that contain all of the required keys and certificates. This lets you avoid having to transfer keys, certificates, and configuration files to clients and streamlines the process of joining the VPN.

We will generate a single client key and certificate pair for this guide. If you have more than one client, you can repeat this process for each one. Please note, though, that you will need to pass a unique name value to the script for every client. Throughout this tutorial, the first certificate/key pair is referred to as .

Get started by creating a directory structure within your home directory to store the client certificate and key files:

Since you will store your clients’ certificate/key pairs and configuration files in this directory, you should lock down its permissions now as a security measure:

Next, navigate back to the EasyRSA directory and run the script with the and options, along with the common name for the client:

Press to confirm the common name. Then, copy the file to the directory you created earlier:

Next, transfer the file to your CA machine using a secure method:

On your CA machine, navigate to the EasyRSA directory, and import the certificate request:

Then sign the request as you did for the server in the previous step. This time, though, be sure to specify the request type:

At the prompt, enter to confirm that you intend to sign the certificate request and that it came from a trusted source:

Again, if you encrypted your CA key, you’ll be prompted for your password here.

This will create a client certificate file named . Transfer this file back to the server:

SSH back into your OpenVPN server and copy the client certificate to the directory:

Next, copy the and files to the directory as well:

With that, your server and client’s certificates and keys have all been generated and are stored in the appropriate directories on your server. There are still a few actions that need to be performed with these files, but those will come in a later step. For now, you can move on to configuring OpenVPN on your server.

Step 5 — Configuring the OpenVPN Service

Now that both your client and server’s certificates and keys have been generated, you can begin configuring the OpenVPN service to use these credentials.

Start by copying a sample OpenVPN configuration file into the configuration directory and then extract it in order to use it as a basis for your setup:

Open the server configuration file in your preferred text editor:

Find the HMAC section by looking for the directive. This line should already be uncommented, but if it isn’t, remove the “;” to uncomment it:


Next, find the section on cryptographic ciphers by looking for the commented out lines. The cipher offers a good level of encryption and is well supported. Again, this line should already be uncommented, but if it isn’t then just remove the “;” preceding it:


Below this, add an directive to select the HMAC message digest algorithm. For this, is a good choice:


Next, find the line containing a directive which defines the Diffie-Hellman parameters. Because of some recent changes made to EasyRSA, the filename for the Diffie-Hellman key may be different than what is listed in the example server configuration file. If necessary, change the file name listed here by removing the so it aligns with the key you generated in the previous step:


Finally, find the and settings and remove the “;” at the beginning of each to uncomment these lines:


The changes you’ve made to the sample file up to this point are necessary in order for OpenVPN to function. The changes outlined below are optional, though they too are needed for many common use cases.

(Optional) Push DNS Changes to Redirect All Traffic Through the VPN

The settings above will create the VPN connection between the two machines, but will not force any connections to use the tunnel. If you wish to use the VPN to route all of your traffic, you will likely want to push the DNS settings to the client computers.

There are a few directives in the file which you must change in order to enable this functionality. Find the section and remove the semicolon “;” from the beginning of the line to uncomment it:


Just below this, find the section. Again, remove the “;” from in front of both of the lines to uncomment them:


This will assist clients in reconfiguring their DNS settings to use the VPN tunnel for as the default gateway.

(Optional) Adjust the Port and Protocol

By default, the OpenVPN server uses port and the UDP protocol to accept client connections. If you need to use a different port because of restrictive network environments that your clients might be in, you can change the option. If you are not hosting web content on your OpenVPN server, port is a popular choice since it is usually allowed through firewall rules.


Oftentimes, the protocol is restricted to that port as well. If so, change from UDP to TCP:


If you do switch the protocol to TCP, you will need to change the directive’s value from to , as this directive is only used by UDP. Failing to do so while using TCP will cause errors when you start the OpenVPN service:


If you have no need to use a different port and protocol, it is best to leave these two settings as their defaults.

(Optional) Point to Non-Default Credentials

If you selected a different name during the command earlier, modify the and lines that you see to point to the appropriate and files. If you used the default name, “server”, this is already set correctly:


When you are finished, save and close the file.

After going through and making whatever changes to your server’s OpenVPN configuration are required for your specific use case, you can begin making some changes to your server’s networking.

Step 6 — Adjusting the Server Networking Configuration

There are some aspects of the server’s networking configuration that need to be tweaked so that OpenVPN can correctly route traffic through the VPN. The first of these is IP forwarding, a method for determining where IP traffic should be routed. This is essential to the VPN functionality that your server will provide.

Adjust your server’s default IP forwarding setting by modifying the file:

Inside, look for the commented line that sets . Remove the “#” character from the beginning of the line to uncomment this setting:


Save and close the file when you are finished.

To read the file and adjust the values for the current session, type:

If you followed the Ubuntu 18.04 initial server setup guide listed in the prerequisites, you should have a UFW firewall in place. Regardless of whether you use the firewall to block unwanted traffic (which you almost always should do), for this guide you need a firewall to manipulate some of the traffic coming into the server. Some of the firewall rules must be modified to enable masquerading, an iptables concept that provides on-the-fly dynamic network address translation (NAT) to correctly route client connections.

Before opening the firewall configuration file to add the masquerading rules, you must first find the public network interface of your machine. To do this, type:

Your public interface is the string found within this command’s output that follows the word “dev”. For example, this result shows the interface named , which is highlighted below:

When you have the interface associated with your default route, open the file to add the relevant configuration:

UFW rules are typically added using the command. Rules listed in the file, though, are read and put into place before the conventional UFW rules are loaded. Towards the top of the file, add the highlighted lines below. This will set the default policy for the chain in the table and masquerade any traffic coming from the VPN. Remember to replace in the line below with the interface you found in the above command:


Save and close the file when you are finished.

Next, you need to tell UFW to allow forwarded packets by default as well. To do this, open the file:

Inside, find the directive and change the value from to :


Save and close the file when you are finished.

Next, adjust the firewall itself to allow traffic to OpenVPN. If you did not change the port and protocol in the file, you will need to open up UDP traffic to port . If you modified the port and/or protocol, substitute the values you selected here.

In case you forgot to add the SSH port when following the prerequisite tutorial, add it here as well:

After adding those rules, disable and re-enable UFW to restart it and load the changes from all of the files you’ve modified:

Your server is now configured to correctly handle OpenVPN traffic.
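As an added example (not the tutorial’s own commands), this script derives the public interface from the default route the way the text describes (the word after “dev”), renders the NAT block to paste near the top of the UFW before.rules file, and checks that the IP forwarding line in a sysctl file was really uncommented. The VPN subnet 10.8.0.0/24 is an assumption taken from OpenVPN’s sample server config; change VPN_NET if your server directive differs.

```shell
#!/bin/bash
# Added example, not from the tutorial: interface detection, before.rules NAT block
# and a sysctl check for the networking changes in this step.
# VPN_NET is assumed to match the "server" directive in server.conf.
set -eu

VPN_NET="${VPN_NET:-10.8.0.0/24}"

# public_iface: read the output of `ip route list default` on stdin and print the
# interface name that follows the word "dev" on the default-route line.
public_iface() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# nat_rules IFACE: emit the lines to add near the top of /etc/ufw/before.rules.
# The POSTROUTING rule masquerades VPN client traffic that leaves through IFACE.
# The interface name is validated first because it is interpolated into a rules file.
nat_rules() {
    local iface="$1"
    case "$iface" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing to use interface name '$iface'" >&2; return 1 ;;
    esac
    cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to $iface
-A POSTROUTING -s $VPN_NET -o $iface -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# forwarding_enabled FILE: succeed only when FILE (normally /etc/sysctl.conf) contains an
# uncommented "net.ipv4.ip_forward=1" line; a leading "#" means the edit was not made.
forwarding_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Stand-alone use: "--detect" reads the live default route; otherwise pass the
# interface name explicitly, e.g. "eth0".
if [ "${1:-}" = "--detect" ]; then
    nat_rules "$(ip route list default | public_iface)"
elif [ $# -eq 1 ]; then
    nat_rules "$1"
fi
```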

Step 7 — Starting and Enabling the OpenVPN Service

You’re finally ready to start the OpenVPN service on your server. This is done using the systemd utility .

Start the OpenVPN server by specifying your configuration file name as an instance variable after the systemd unit file name. The configuration file for your server is called , so add to the end of your unit file when calling it:

Double-check that the service has started successfully by typing:

If everything went well, your output will look something like this:

You can also check that the OpenVPN interface is available by typing:

This will output a configured interface:

After starting the service, enable it so that it starts automatically at boot:

Your OpenVPN service is now up and running. Before you can start using it, though, you must first create a configuration file for the client machine. This tutorial already went over how to create certificate/key pairs for clients, and in the next step we will demonstrate how to create an infrastructure that will generate client configuration files easily.

Step 8 — Creating the Client Configuration Infrastructure

Creating configuration files for OpenVPN clients can be somewhat involved, as every client must have its own config and each must align with the settings outlined in the server’s configuration file. Rather than writing a single configuration file that can only be used on one client, this step outlines a process for building a client configuration infrastructure which you can use to generate config files on-the-fly. You will first create a “base” configuration file then build a script which will allow you to generate unique client config files, certificates, and keys as needed.

Get started by creating a new directory where you will store client configuration files within the directory you created earlier:

Next, copy an example client configuration file into the directory to use as your base configuration:

Open this new file in your text editor:

Inside, locate the directive. This points the client to your OpenVPN server address — the public IP address of your OpenVPN server. If you decided to change the port that the OpenVPN server is listening on, you will also need to change to the port you selected:


Be sure that the protocol matches the value you are using in the server configuration:


Next, uncomment the and directives by removing the “;” at the beginning of each line:


Find the directives that set the , , and . Comment out these directives since you will add the certs and keys within the file itself shortly:


Similarly, comment out the directive, as you will add directly into the client configuration file:


Mirror the and settings that you set in the file:


Next, add the directive somewhere in the file. You must set this to “1” for the VPN to function correctly on the client machine:


Finally, add a few commented-out lines to handle the various methods that Linux-based VPN clients use for DNS resolution. You’ll add two similar but separate sets of commented-out lines. The first set is for clients that do not use to manage DNS; these clients rely on the utility to update their DNS information.


Now add another set of lines for clients that use for DNS resolution:


Save and close the file when you are finished.
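The client base config must mirror the server config for cipher, auth and proto, use the server’s port in its remote line, and carry key-direction 1 for the server’s tls-auth key. The following check script is an added example, not part of the tutorial; the paths /etc/openvpn/server.conf and ~/client-configs/base.conf are assumptions and can be overridden through the environment.

```shell
#!/bin/bash
# Added example, not part of the tutorial: verify that the client base config mirrors
# the server config. The two default paths are assumptions.
set -eu

SERVER_CONF="${SERVER_CONF:-/etc/openvpn/server.conf}"
CLIENT_CONF="${CLIENT_CONF:-$HOME/client-configs/base.conf}"

# directive_value FILE NAME: print the value of an uncommented directive NAME in FILE.
# OpenVPN treats lines starting with ';' or '#' as comments, so a directive that was
# left commented out in the sample file (";cipher ...") is reported as missing.
directive_value() {
    awk -v name="$2" '$1 == name { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_mirror SERVER_FILE CLIENT_FILE: compare the settings that must agree. Prints one
# line per mismatch and returns 0 only when everything matches.
check_mirror() {
    local server="$1" client="$2" rc=0 d sv cv
    # cipher, auth and proto are copied verbatim from the server config.
    for d in cipher auth proto; do
        sv=$(directive_value "$server" "$d")
        cv=$(directive_value "$client" "$d")
        if [ "$sv" != "$cv" ]; then
            echo "mismatch: $d server='$sv' client='$cv'"; rc=1
        fi
    done
    # The client's "remote HOST PORT" must use the port the server listens on.
    sv=$(directive_value "$server" port)
    cv=$(directive_value "$client" remote | awk '{ print $2 }')
    if [ "$sv" != "$cv" ]; then
        echo "mismatch: port server='$sv' client remote port='$cv'"; rc=1
    fi
    # tls-auth: the server uses key direction 0; the inline client profile needs
    # "key-direction 1".
    sv=$(directive_value "$server" tls-auth | awk '{ print $NF }')
    cv=$(directive_value "$client" key-direction)
    if [ "$sv" != "0" ] || [ "$cv" != "1" ]; then
        echo "mismatch: tls-auth direction server='$sv' client key-direction='$cv'"; rc=1
    fi
    return "$rc"
}

# Stand-alone use: pass the two files; exit status 1 plus a mismatch list on disagreement.
if [ $# -eq 2 ]; then
    check_mirror "$1" "$2"
elif [ $# -eq 0 ] && [ -n "${CHECK_DEFAULTS:-}" ]; then
    check_mirror "$SERVER_CONF" "$CLIENT_CONF"
fi
```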

Later, in Step 10 (Installing the Client Configuration), you will learn how to determine how DNS resolution works on Linux clients and which section to uncomment.

Next, create a simple script that will compile your base configuration with the relevant certificate, key, and encryption files and then place the generated configuration in the directory. Open a new file called within the directory:

Inside, add the following content:


Save and close the file when you are finished.

Before moving on, be sure to mark this file as executable by typing:

This script will make a copy of the file you made, collect all the certificate and key files you’ve created for your client, extract their contents, append them to the copy of the base configuration file, and export all of this content into a new client configuration file. This means that, rather than having to manage the client’s configuration, certificate, and key files separately, all the required information is stored in one place. The benefit of this is that if you ever need to add a client in the future, you can just run this script to quickly create the config file and ensure that all the important information is stored in a single, easy-to-access location.
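An added example of such a script, written for this page and not the tutorial’s own file: it bundles the base config with the CA certificate, the client certificate and key, and the tls-auth key using OpenVPN’s inline <tag> syntax. The directory layout (~/client-configs/keys, ~/client-configs/files, ~/client-configs/base.conf) is an assumption; it refuses to run if any input is missing and creates the profile owner-readable only, since it contains a private key.

```shell
#!/bin/bash
# Added example, not the tutorial's own make_config.sh: build an inline client profile
# from the base config plus the client's certificate and key, the CA certificate and the
# tls-auth key. The directory layout below is assumed; override it via environment.
set -eu

KEY_DIR="${KEY_DIR:-$HOME/client-configs/keys}"
OUTPUT_DIR="${OUTPUT_DIR:-$HOME/client-configs/files}"
BASE_CONFIG="${BASE_CONFIG:-$HOME/client-configs/base.conf}"

# inline TAG FILE: wrap FILE's contents in <TAG>...</TAG>, OpenVPN's inline-file syntax.
inline() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_profile NAME: write OUTPUT_DIR/NAME.ovpn and print its path.
# Fails before writing anything if an input file is missing, so a half-built profile
# (for example one without its key) is never handed to a client, and never overwrites
# a profile that already exists.
make_profile() {
    local name="$1" out f
    case "$name" in
        ''|*/*|*' '*) echo "invalid client name: '$name'" >&2; return 1 ;;
    esac
    out="$OUTPUT_DIR/$name.ovpn"
    for f in "$BASE_CONFIG" "$KEY_DIR/ca.crt" "$KEY_DIR/$name.crt" \
             "$KEY_DIR/$name.key" "$KEY_DIR/ta.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing profile: $out" >&2; return 1
    fi
    # The profile embeds a private key: create it owner-readable only (umask in a
    # subshell so the rest of the shell is unaffected).
    (
        umask 077
        {
            cat "$BASE_CONFIG"
            inline ca       "$KEY_DIR/ca.crt"
            inline cert     "$KEY_DIR/$name.crt"
            inline key      "$KEY_DIR/$name.key"
            inline tls-auth "$KEY_DIR/ta.key"
        } > "$out"
    )
    echo "$out"
}

# Stand-alone use: ./make_profile.sh client1
if [ $# -eq 1 ]; then
    make_profile "$1"
fi
```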

Please note that any time you add a new client, you will need to generate new keys and certificates for it before you can run this script and generate its configuration file. You will get some practice using this script in the next step.

Step 9 — Generating Client Configurations

If you followed along with this guide, you created a client certificate and key named and , respectively, in Step 4. You can generate a config file for these credentials by moving into your directory and running the script you made at the end of the previous step:

This will create a file named in your directory:

You need to transfer this file to the device you plan to use as the client. For instance, this could be your local computer or a mobile device.

While the exact applications used to accomplish this transfer will depend on your device’s operating system and your personal preferences, a dependable and secure method is to use SFTP (SSH file transfer protocol) or SCP (Secure Copy) on the backend. This will transport your client’s VPN authentication files over an encrypted connection.

Here is an example SFTP command using the example which you can run from your local computer (macOS or Linux). It places the file in your home directory:

Here are several tools and tutorials for securely transferring files from the server to a local computer:

Step 10 — Installing the Client Configuration

This section covers how to install a client VPN profile on Windows, macOS, Linux, iOS, and Android. None of these client instructions are dependent on one another, so feel free to skip to whichever is applicable to your device.

The OpenVPN connection will have the same name as whatever you called the file. In regards to this tutorial, this means that the connection is named , aligning with the first client file you generated.

Windows

Download the OpenVPN client application for Windows from OpenVPN’s Downloads page. Choose the appropriate installer version for your version of Windows.

Note: OpenVPN needs administrative privileges to install.

After installing OpenVPN, copy the file to:

When you launch OpenVPN, it will automatically see the profile and make it available.

You must run OpenVPN as an administrator each time it’s used, even by administrative accounts. To do this without having to right-click and select Run as administrator every time you use the VPN, you must preset this from an administrative account. This also means that standard users will need to enter the administrator’s password to use OpenVPN. On the other hand, standard users can’t properly connect to the server unless the OpenVPN application on the client has admin rights, so the elevated privileges are necessary.

To set the OpenVPN application to always run as an administrator, right-click on its shortcut icon and go to Properties. At the bottom of the Compatibility tab, click the button to Change settings for all users. In the new window, check Run this program as an administrator.


Each time you launch the OpenVPN GUI, Windows will ask if you want to allow the program to make changes to your computer. Click Yes. Launching the OpenVPN client application only puts the applet in the system tray so that you can connect and disconnect the VPN as needed; it does not actually make the VPN connection.

Once OpenVPN is started, initiate a connection by going into the system tray applet and right-clicking on the OpenVPN applet icon. This opens the context menu. Select client1 at the top of the menu (that’s your profile) and choose Connect.

A status window will open showing the log output while the connection is established, and a message will show once the client is connected.

Disconnect from the VPN the same way: Go into the system tray applet, right-click the OpenVPN applet icon, select the client profile and click Disconnect.

macOS

Tunnelblick is a free, open source OpenVPN client for macOS. You can download the latest disk image from the Tunnelblick Downloads page. Double-click the downloaded file and follow the prompts to install.

Towards the end of the installation process, Tunnelblick will ask if you have any configuration files. Answer I have configuration files and let Tunnelblick finish. Open a Finder window and double-click . Tunnelblick will install the client profile. Administrative privileges are required.


Launch Tunnelblick by double-clicking the Tunnelblick icon in the Applications folder. Once Tunnelblick has been launched, there will be a Tunnelblick icon in the menu bar at the top right of the screen for controlling connections. Click on the icon, and then the Connect client1 menu item to initiate the VPN connection.

Linux

If you are using Linux, there are a variety of tools that you can use depending on your distribution. Your desktop environment or window manager might also include connection utilities.

The most universal way of connecting, however, is to just use the OpenVPN software.

On Ubuntu or Debian, you can install it just as you did on the server by typing:

On CentOS you can enable the EPEL repositories and then install it by typing:

Configuring Clients that use

First determine if your system is using to handle DNS resolution by checking the file:

If your system is configured to use for DNS resolution, the IP address after the option will be . There should also be comments in the file like the output that is shown that explain how is managing the file. If you have a different IP address than then chances are your system is not using and you can go to the next section on configuring Linux clients that have an script instead.

To support these clients, first install the package. It provides scripts that will force to use the VPN server for DNS resolution.

Once that package is installed, configure the client to use it and to send all DNS queries over the VPN interface. Open the client’s VPN file:

Now uncomment the following lines that you added earlier:


Save and close the file after uncommenting these lines.

Configuring Clients that use

If your system is not using to manage DNS, check to see if your distribution includes an script instead:

If your client includes the file, then edit the OpenVPN client configuration file that you transferred earlier:

Uncomment the three lines you added to adjust the DNS settings:


If you are using CentOS, change the directive from to to match the distribution’s available groups:


Save and close the file.

Connecting your Client Machine to the VPN

Now, you can connect to the VPN by just pointing the command to the client configuration file:

This should connect you to your VPN.

iOS

From the iTunes App Store, search for and install OpenVPN Connect, the official iOS OpenVPN client application. To transfer your iOS client configuration onto the device, connect it directly to a computer.

The process of completing the transfer with iTunes is outlined here. Open iTunes on the computer and click on iPhone > apps. Scroll down to the bottom to the File Sharing section and click the OpenVPN app. The blank window to the right, OpenVPN Documents, is for sharing files. Drag the file to the OpenVPN Documents window.

iTunes showing the VPN profile ready to load on the iPhone

Now launch the OpenVPN app on the iPhone. You will receive a notification that a new profile is ready to import. Tap the green plus sign to import it.

The OpenVPN iOS app showing new profile ready to import


OpenVPN is now ready to use with the new profile. Start the connection by sliding the Connect button to the On position. Disconnect by sliding the same button to Off.


The VPN switch under Settings cannot be used to connect to the VPN. If you try, you will receive a notice to only connect using the OpenVPN app.

The OpenVPN iOS app connected to the VPN

Android

Open the Google Play Store. Search for and install Android OpenVPN Connect, the official Android OpenVPN client application.

You can transfer the profile by connecting the Android device to your computer by USB and copying the file over. Alternatively, if you have an SD card reader, you can remove the device’s SD card, copy the profile onto it and then insert the card back into the Android device.

Start the OpenVPN app and tap the menu to import the profile.

The OpenVPN Android app profile import menu selection

Then navigate to the location of the saved profile (the screenshot uses ) and select the file. The app will make a note that the profile was imported.

The OpenVPN Android app selecting VPN profile to import


To connect, simply tap the Connect button. You’ll be asked if you trust the OpenVPN application. Choose OK to initiate the connection. To disconnect from the VPN, go back to the OpenVPN app and choose Disconnect.

The OpenVPN Android app ready to connect to the VPN

Step 11 — Testing Your VPN Connection (Optional)

Note: This method for testing your VPN connection will only work if you opted to route all your traffic through the VPN in Step 5.

Once everything is installed, a simple check confirms everything is working properly. Without having a VPN connection enabled, open a browser and go to DNSLeakTest.

The site will return the IP address assigned by your internet service provider, which is how you appear to the rest of the world. To check your DNS settings through the same website, click on Extended Test and it will tell you which DNS servers you are using.

Now connect the OpenVPN client to your Droplet’s VPN and refresh the browser. A completely different IP address (that of your VPN server) should now appear, and this is how you appear to the world. Again, DNSLeakTest’s Extended Test will check your DNS settings and confirm you are now using the DNS resolvers pushed by your VPN.

Step 12 — Revoking Client Certificates

Occasionally, you may need to revoke a client certificate to prevent further access to the OpenVPN server.

To do so, navigate to the EasyRSA directory on your CA machine:

Next, run the script with the option, followed by the client name you wish to revoke:

This will ask you to confirm the revocation by entering :

After confirming the action, the CA will fully revoke the client’s certificate. However, your OpenVPN server currently has no way to check whether any clients’ certificates have been revoked and the client will still have access to the VPN. To correct this, create a certificate revocation list (CRL) on your CA machine:

This will generate a file called . Securely transfer this file to your OpenVPN server:

On your OpenVPN server, copy this file into your directory:

Next, open the OpenVPN server configuration file:

At the bottom of the file, add the option, which will instruct the OpenVPN server to check the certificate revocation list that we’ve created each time a connection attempt is made:


Save and close the file.

Finally, restart OpenVPN to implement the certificate revocation:

The client should no longer be able to successfully connect to the server using the old credential.

To revoke additional clients, follow this process:

  1. Revoke the certificate with the command
  2. Generate a new CRL
  3. Transfer the new file to your OpenVPN server and copy it to the directory to overwrite the old list.
  4. Restart the OpenVPN service.

You can use this process to revoke any certificates that you’ve previously issued for your server.
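Step 12 ends with the expectation that, once the CRL is installed and OpenVPN has been restarted, the revoked client can no longer connect. One way to confirm that from the server side, written here as an added example and not taken from the tutorial: parse the status file that OpenVPN writes when the `status` directive is configured (the Ubuntu HOWTO further down this page sets `status /var/log/openvpn-status.log`) and look for the revoked common name. The status text below is constructed, with documentation-range addresses, and the parser handles only the version 1 status format.

```python
"""Parse an OpenVPN status file and confirm that revoked clients are gone.

Added example, not part of the tutorial: it assumes the server writes the
version-1 status file produced by OpenVPN's `status` directive."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of a status file (placeholder addresses, not real output).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Nov 11 10:15:02 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,198.51.100.23:49502,334948,1973012,Mon Nov 11 09:23:03 2019
client2,203.0.113.7:41200,1024,2048,Mon Nov 11 10:01:44 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,198.51.100.23:49502,Mon Nov 11 10:14:59 2019
10.8.0.10,client2,203.0.113.7:41200,Mon Nov 11 10:15:00 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTION_HEADERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


@dataclass
class Session:
    common_name: str          # CN of the client certificate that authenticated
    real_address: str         # public ip:port the client connected from
    bytes_received: int
    bytes_sent: int
    connected_since: str
    virtual_addresses: List[str] = field(default_factory=list)  # tunnel IPs from ROUTING TABLE


def parse_status(text: str) -> List[Session]:
    """Return one Session per (common name, real address) pair in the file."""
    sessions: Dict[Tuple[str, str], Session] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        fields = line.split(",")
        if section == "OpenVPN CLIENT LIST" and fields[0] not in ("Updated", "Common Name"):
            cn, addr, rx, tx, since = fields
            sessions[(cn, addr)] = Session(cn, addr, int(rx), int(tx), since)
        elif section == "ROUTING TABLE" and fields[0] != "Virtual Address":
            vaddr, cn, addr, _last_ref = fields
            if (cn, addr) in sessions:
                sessions[(cn, addr)].virtual_addresses.append(vaddr)
    return list(sessions.values())


def still_connected(text: str, revoked: List[str]) -> List[Session]:
    """Sessions whose certificate common name is in `revoked`.

    After crl-verify is in place and the server has been restarted this
    should be empty; a non-empty result means the old credential still works."""
    names = set(revoked)
    return [s for s in parse_status(text) if s.common_name in names]


if __name__ == "__main__":
    for s in still_connected(SAMPLE_STATUS, ["client2"]):
        print(f"revoked client still connected: {s.common_name} from {s.real_address}")
```

Two caveats when using this on a live server: the status file is rewritten on a timer (60 seconds unless the `status` directive sets a different interval), so allow one refresh after the restart before trusting it, and the `status-version 2` and `3` formats use different record layouts that this parser does not recognise.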


You are now securely traversing the internet protecting your identity, location, and traffic from snoopers and censors.

To configure more clients, you only need to follow steps 4 and 9-11 for each additional device. To revoke access to clients, just follow step 12.



November 11, 2019

Set up an OpenVPN Server using Docker

Option 1

Setting up OpenVPN server

First of all git clone the project.

Then create the env var for your project.

Initialize the $OVPN_DATA container that will hold the configuration files and certificates. The container will prompt for a passphrase to protect the private key used by the newly generated certificate authority.

And run the server.

Creating clients

Once the server is up and running, it’s time to create new clients certificates and config file.

Thanks and Links

The client
GitHub Docker OpenVPN
Digital Ocean Tuto

Option 2 (preferred)

Second option: using

On your local machine:

Tip: change network.proxy.allow_hijacking_localhost to true in about:settings in Firefox.

In your browser:

  • https://localhost:943/admin -> webadmin (admin/password)
  • Create a new user, logout, login as the new user and delete “admin”
  • Under Configuration -> Network Settings, update the hostname/IP with your server’s
  • If you want to use “Alfred” over 4G: under Network Settings -> advanced settings, “allow clients to see each other” (not exactly that, will correct it later)
  • Under User management, create a new “NON ADMIN” user
  • On the server, modify the as.conf file under config/etc and replace the line boot_pam_users.0=admin with #boot_pam_users.0=admin boot_pam_users.0=kjhvkhv (random username that doesn’t exist)
  • https://localhost:943/ -> reconnect as your newly created “NON ADMIN” user to download the config file for your client

A Virtual Private Network (VPN) is an encrypted network connection over the internet to an end device or to a network. The encryption prevents unauthorized users from eavesdropping on or tampering with the traffic. A VPN also allows authorized users to connect to a private or secured network and use the devices inside it remotely. Setting up a VPN normally requires time and many steps, so this article will describe how to create a VPN server with Docker easily.

There are many service providers and products available for implementing a VPN, but the most popular open-source VPN tool is OpenVPN. So, in this article, we will examine OpenVPN and Docker.

Before starting the VPN setup, install the needed software and tools:

  • Docker Daemon
  • OpenVPN
  • OpenSSL

OpenVPN Setup

If Docker is not installed on your machine, install it first. Once Docker is installed, configure OpenVPN to run under Docker. We will use the popular OpenVPN Docker image and configure it with the following parameters:

  • Share Host Volume for Configuration:
  • Set Network Interface:
  • Mention Group:
  • Mention User ID:
  • Set Host Mode:
  • Set Privileged Mode:

The Docker command to create the OpenVPN container with these parameters will look like this:

This will pull the image from Docker Hub and create the container, with the following output:

Now we can start the OpenVPN server by starting the container with the following command:

Start and Configure OpenVPN

OpenVPN will start once you have run the above command. You can access the OpenVPN admin interface at the URL below:

https://<container-IP-address>:943/admin

This will open the admin page after you enter the default password ().

As the next step, you need to configure DNS and the other settings of OpenVPN. Follow the link to complete the OpenVPN initial setup.

Now download the OpenVPN client application for your operating system and configure it to connect to the VPN.


For modern software development and other networking operations, a VPN is essential. But configuring one on a virtual or physical machine is resource-intensive and difficult. As always, Docker helps to provision and run pre-configured software, and we have seen how to create a VPN server with Docker easily: here, Docker gave us a pre-configured OpenVPN. In our upcoming article, we will see a detailed tutorial on VPN and Docker. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps and App Development.

OpenVPN on Ubuntu Server

HOWTO setup a small server

OpenVPN (Virtual Private Network)


Prerequisite: OpenSSL. Both the server and client configurations require an existing public key infrastructure. See the sections titled in the snippets of the configuration files below to know which certificates/keys/whatever are required on the server and client, respectively.

The installation of OpenVPN is done with:

# apt-get install openvpn
# mkdir /etc/openvpn/jail

Server Configuration

Afterwards some files must be generated:

# cd /root/certs
# openssl dhparam -out dh2048.pem 2048
# openvpn --genkey --secret ta.key
# cp dh2048.pem ta.key /etc/openvpn

The configuration of the server could look like this (see for details):


# OpenVPN server configuration
# (lines beginning with `#' or `;' are comments)
# IP address, port, and protocol to bind
local
port 1194
proto udp
dev tun
# cryptographic options (key, certificates, HMAC, cipher)
ca /etc/ssl/certs/ca.crt
cert /etc/ssl/certs/server.crt
key /etc/ssl/private/server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
# networking options for VPN (IP range, routes, if any)
server
ifconfig-pool-persist ipp.txt
# push route(s)
;push "route"
# OpenVPN server as default gateway (read OpenVPN HOWTO!)
;push "redirect-gateway def1"
# miscellaneous options
keepalive 5 60
comp-lzo
status /var/log/openvpn-status.log
verb 3
# hardening: run as nobody in chroot jail etc.
# (directory /etc/openvpn/jail must exist)
user nobody
group nogroup
persist-key
persist-tun
chroot jail
# CRL, if any (must be located in /etc/openvpn/jail)
;crl-verify crl.pem

Now you can start the VPN daemon:

# /etc/init.d/openvpn restart

Caveat: Chroot Jail and Syslog

If the option is used to run OpenVPN inside a chroot jail (recommended!), it will no longer be able to log via syslog after a restart of the syslog daemon. This is because the syslog daemon recreates its socket on restart, and the new socket is not reachable from inside the jail although OpenVPN needs it to communicate with syslog. A restart of the syslog daemon happens in particular after each rotation of its log files (e.g., once a day). The problem can be circumvented by creating an additional socket inside the chroot jail.

Firstly, create a directory inside the jail:

# mkdir /etc/openvpn/jail/dev

Secondly, configure the syslog daemon to create an additional socket. Currently, the default syslog daemon is provided by the package. Add the following line to its configuration file after the line beginning with :


$AddUnixListenSocket /etc/openvpn/jail/dev/log

Then, restart the syslog daemon:

# /etc/init.d/rsyslog restart

If you use another syslog daemon like (the previous default), you might have to specify the additional socket as command line argument of the daemon. This can be done easily by


SYSLOGD="-a /etc/openvpn/jail/dev/log"

and, finally, restarting the syslog daemon:

# /etc/init.d/sysklogd restart

Client Configuration

The configuration of the clients could look like this (see for details):


# OpenVPN client configuration
# (lines beginning with `#' or `;' are comments)
# IP address, port, and protocol to bind
client
remote
proto udp
dev tun
resolv-retry infinite
nobind
# cryptographic options (key, certificates, HMAC, cipher)
ca /etc/ssl/certs/ca.crt
cert /etc/ssl/certs/client.crt
key /etc/ssl/private/client.key
tls-auth ta.key 1
cipher AES-256-CBC
ns-cert-type server
# the next one only for OpenVPN >= 2.1 and server certificates having
# the keyUsage and extendedKeyUsage attributes set accordingly:
remote-cert-tls server
auth-nocache
# miscellaneous options
comp-lzo
# hardening: run as nobody in chroot jail etc.
# (directory /etc/openvpn/jail must exist)
# NOTE: NOT FOR WINDOWS CLIENTS!
user nobody
group nogroup
persist-key
persist-tun
chroot jail
# CRL, if any (must be located in /etc/openvpn/jail)
;crl-verify crl.pem

For the rare case that a connection has to be established from a certain port, you will have to replace in the above example by:


Now you can start the VPN daemon:

# /etc/init.d/openvpn restart

Note: The caveat concerning chroot jail and syslog, of course, also applies to the client.
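The server and client configurations above each carry a small set of hardening directives (dropping to nobody/nogroup, chroot, tls-auth with the right key direction, remote-cert-tls on the client, crl-verify on the server). The following is an added example, not code from this HOWTO, that parses an OpenVPN configuration in the same line-oriented syntax (leading `#`/`;` comments, quoted arguments, inline `<tag>...</tag>` blocks) and reports which of those directives are missing. The two sample configurations are constructed for the example; the weak client uses a hypothetical hostname, and the check list is deliberately limited to directives this HOWTO itself recommends, plus `tls-crypt` as an accepted alternative to `tls-auth`.

```python
"""Audit an OpenVPN configuration for the hardening directives this HOWTO uses.

Added example, not code from the HOWTO: the two sample configurations below
are constructed, and the check list covers privilege drop, chroot,
tls-auth/tls-crypt, remote-cert-tls and crl-verify."""
import shlex
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]

# Constructed hardened server config (mirrors the HOWTO's directives; the
# crl-verify line is commented out exactly as in the HOWTO, so it is reported).
SERVER_CONF = """\
# OpenVPN server configuration
port 1194
proto udp
dev tun
ca /etc/ssl/certs/ca.crt
cert /etc/ssl/certs/server.crt
key /etc/ssl/private/server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1"
keepalive 5 60
user nobody
group nogroup
persist-key
persist-tun
chroot jail
;crl-verify crl.pem
"""

# Constructed weak client config: no hardening, only the old ns-cert-type check.
WEAK_CLIENT_CONF = """\
client
remote vpn.example.com 1194
proto udp
dev tun
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
ns-cert-type server
"""


def parse_config(text: str) -> List[Directive]:
    """Split an OpenVPN config into (directive, args) pairs.

    Lines starting with '#' or ';' are comments; <tag>...</tag> blocks
    (inline certificates and keys) collapse to one directive with an
    "[inline]" marker instead of the file argument."""
    directives: List[Directive] = []
    inline_tag = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag is not None:                 # inside <tag> ... </tag>
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline_tag = line[1:-1]
            directives.append((inline_tag, ["[inline]"]))
            continue
        parts = shlex.split(line)                  # honours quoted args, e.g. push "route ..."
        directives.append((parts[0], parts[1:]))
    return directives


def audit(text: str) -> Dict[str, str]:
    """Return {check: advice} for each hardening directive that is missing or stale."""
    conf = parse_config(text)
    present = {name for name, _ in conf}
    last_args = {name: args for name, args in conf}
    is_client = "client" in present or "remote" in present
    role = "client" if is_client else "server"
    findings: Dict[str, str] = {}

    if not {"user", "group"} <= present:
        findings["privilege-drop"] = "add 'user nobody' and 'group nogroup' (not on Windows clients)"
    if "chroot" not in present:
        findings["chroot"] = "add 'chroot <dir>' so the daemon is confined after start-up"
    if "tls-auth" in present:
        args = last_args["tls-auth"]
        expected = "1" if is_client else "0"      # HOWTO: server uses 0, client uses 1
        if len(args) > 1 and args[1] != expected:
            findings["tls-auth-direction"] = f"tls-auth key direction on the {role} should be {expected}"
    elif "tls-crypt" not in present:
        findings["tls-auth"] = "add 'tls-auth ta.key 0|1' so unauthenticated packets are dropped before the TLS handshake"
    if is_client:
        if "remote-cert-tls" not in present:
            findings["remote-cert-tls"] = "add 'remote-cert-tls server' so only a server certificate is accepted"
        if "ns-cert-type" in present:
            findings["ns-cert-type"] = "deprecated in current releases; keep only for servers older than OpenVPN 2.1"
    elif "crl-verify" not in present:
        findings["crl-verify"] = "add 'crl-verify crl.pem', otherwise revoked client certificates stay valid"
    return findings


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", WEAK_CLIENT_CONF)):
        for check, advice in audit(conf).items():
            print(f"{label}: {check}: {advice}")
```

Run it against `/etc/openvpn/*.conf` on the server and the `.ovpn` files handed to clients; a clean result is an empty dictionary, and on the HOWTO's own server file the only report is the commented-out `crl-verify` line.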

Networking Requirements (Server)

Note: Be sure to also permit access to any services from the VPN in their configurations. E.g., the Apache2 configuration above does not permit access from the network, etc.

Prerequisite: Shorewall. You must, of course, add the new TUN interface (tun0) to the packet filter and permit access to the OpenVPN server from the net (be careful, as the order of the entries of some configuration files is important):


vpn tun0 detect tcpflags,logmartians,nosmurfs




# OpenVPN
#
ACCEPT net $FW udp 1194
ACCEPT vpn $FW ......
ACCEPT vpn net ......
#

If packets from the VPN are to be forwarded to the network of the server, you will have to enable IP forwarding:


Finally, restart shorewall:




Configure your OpenVPN server on Linux

OpenVPN creates an encrypted tunnel between two points, preventing a third party from accessing your network traffic. By setting up your virtual private network (VPN) server, you become your own VPN provider. Many popular VPN services already use OpenVPN, so why tie your connection to a specific provider when you can have complete control?

The first article in this series set up a server for your VPN, and the second article demonstrated how to install and configure the OpenVPN server software. This third article shows how to start OpenVPN with authentication in place.

To set up an OpenVPN server, you must:
  • Create a configuration file.
  • Set the value to enable routing.
  • Set up appropriate ownership for all configuration and authentication files to run the OpenVPN server daemon under a non-root account.
  • Set OpenVPN to start with the appropriate configuration file.
  • Configure your firewall.

Configuration file

You must create a server config file in . You can start from scratch if you want, and OpenVPN includes several sample configuration files to use as a starting point. Have a look in to see them all.

If you want to build a config file by hand, start with either or (as appropriate), and place your config file in . Both files are extensively commented, so read the comments and decide which makes the most sense for your situation.

You can save time and aggravation by using my prebuilt server and client configuration file templates and file to turn on network routing. This configuration also includes customization to log connects and disconnects. It keeps logs on the OpenVPN server in .

If you use my templates, you'll need to edit them to use your IP addresses and hostnames.

To use my prebuilt config templates, scripts, and to turn on IP forwarding, download my script:

$ curl \ > \

Read the script to get an idea of what it does. Here's a quick overview of its actions:

  • Creates the appropriate directories on your OpenVPN server
  • Downloads server and client config file templates from my website
  • Downloads my custom scripts and places them into the correct directory with correct permissions
  • Downloads and places it into to turn on IP forwarding at the next boot
  • Sets up ownership for everything in

Once you're satisfied that you understand what the script does, make it executable and run it:

$ chmod +x
$ sudo ./

Here are the files it copies (notice the file ownership):

$ ls -al -R /etc/openvpn
total 12
drwxr-xr-x.   4 openvpn openvpn   34 Apr  6 20:35 .
drwxr-xr-x. 139 root    root    8192 Apr  6 20:35 ..
drwxr-xr-x.   2 openvpn openvpn   33 Apr  6 20:35 client
drwxr-xr-x.   4 openvpn openvpn   56 Apr  6 20:35 server

total 4
drwxr-xr-x. 2 openvpn openvpn   33 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn   34 Apr  6 20:35 ..
-rw-r--r--. 1 openvpn openvpn 1764 Apr  6 20:35 OVPNclient2020.ovpn

total 4
drwxr-xr-x. 4 openvpn openvpn   56 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn   34 Apr  6 20:35 ..
drwxr-xr-x. 2 openvpn openvpn   59 Apr  6 20:35 ccd
drwxr-xr-x. 2 openvpn openvpn    6 Apr  6 20:35 logs
-rw-r--r--. 1 openvpn openvpn 2588 Apr  6 20:35 OVPNserver2020.conf

total 8
drwxr-xr-x. 2 openvpn openvpn  59 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn  56 Apr  6 20:35 ..
-rwxr-xr-x. 1 openvpn openvpn 917 Apr  6 20:35
-rwxr-xr-x. 1 openvpn openvpn 990 Apr  6 20:35

total 0
drwxr-xr-x. 2 openvpn openvpn  6 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn 56 Apr  6 20:35 ..

Here's the file:

# Turn on IP forwarding. OpenVPN servers need to do routing
net.ipv4.ip_forward = 1

Edit and to include your IP addresses. Also, edit to include your server certificate names from earlier. Later, you will rename and edit a copy of for use with your client computers. The blocks that start with show you where to edit.

File ownership

If you used the automated script from my website, file ownership is already in place. If not, you must ensure that your system has a user called that is a member of a group named . You must set the ownership of everything in to that user and group. It's safe to do this if you're unsure whether the user and group already exist because will refuse to create a user with the same name as one that already exists:

$ sudo useradd openvpn
$ sudo chown -R openvpn.openvpn /etc/openvpn
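To verify that the ownership step actually took effect, and that no private key under the configuration tree is readable by other accounts, here is an added example that is not part of the article or its scripts. `check_tree()` walks a directory and reports every entry not owned by the expected uid/gid, plus any `.key` file (the suffix is an assumption for this example) that is group- or world-readable. `demo()` builds a constructed tree in a temporary directory and audits it using the current user in place of the `openvpn` account, so it runs on any machine.

```python
"""Audit an OpenVPN configuration tree for ownership and key-file permissions.

Added example, not the article's code: treats files ending in .key as private
material (an assumption) and checks everything else for owner/group only."""
import os
import stat
import tempfile
from typing import List, Tuple

PRIVATE_SUFFIXES = (".key",)          # assumption: private keys use this suffix
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def check_tree(root: str, uid: int, gid: int) -> List[str]:
    """Return findings for entries under `root`; an empty list means it passes."""
    findings: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # each directory is checked once (as dirpath), then its regular files
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if st.st_uid != uid or st.st_gid != gid:
                findings.append(f"{path}: owned by {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
            if path.endswith(PRIVATE_SUFFIXES) and st.st_mode & GROUP_OR_OTHER:
                findings.append(f"{path}: mode {oct(st.st_mode & 0o777)} exposes key material to group/others")
    return findings


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Audit a constructed tree before and after fixing a world-readable key,
    then once more with a deliberately wrong owner to show those findings."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as root:
        server_dir = os.path.join(root, "server")
        os.mkdir(server_dir)
        conf = os.path.join(server_dir, "OVPNserver2020.conf")
        key = os.path.join(server_dir, "server.key")
        for path in (conf, key):
            with open(path, "w") as fh:
                fh.write("# constructed placeholder, not real key material\n")
            os.chmod(path, 0o644)                 # the .key is deliberately too open
        before = check_tree(root, uid, gid)       # one finding: server.key mode
        os.chmod(key, 0o600)                      # the fix: chmod 600 server.key
        after = check_tree(root, uid, gid)        # clean
        wrong_owner = check_tree(root, uid + 1, gid + 1)   # every entry flagged
    return before, after, wrong_owner


if __name__ == "__main__":
    before, after, wrong_owner = demo()
    print("before fix:", before)
    print("after fix:", after)
    print("wrong owner:", len(wrong_owner), "entries")
```

On a real server call `check_tree("/etc/openvpn", pwd.getpwnam("openvpn").pw_uid, grp.getgrnam("openvpn").gr_gid)` as root; the listing in the article shows the `.conf` and `.ovpn` files at 644, which this check accepts, while it would object to a key file with the same mode.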


If you decided not to disable the firewalld service in step 1, then your server's firewall service might not allow VPN traffic by default. Using the command, you can enable the OpenVPN service, which opens the necessary ports and routes traffic as necessary:

$ sudo firewall-cmd --add-service openvpn --permanent
$ sudo firewall-cmd --reload

No need to get lost in a maze of iptables!

Start your server

You can now start your OpenVPN server. So that it starts automatically after a reboot, use the subcommand of :

Final steps

The fourth and final article in this series will demonstrate how to set up clients to connect to your OpenVPN from afar.

This article is based on D. Greg Scott's blog and is reused with permission.

How to Install & Setup OpenVPN on Windows 10

openVPN Setup with Docker

Using information from:

NOTE: There is only x86-64 architecture build for this currently.

NOTE: this web-based setup is non-free and allows two simultaneous VPN connections (unless paid).
The openVPN protocol itself is fully free, however, so this web-based setup doesn't need to be used.
Note that licencing is US$15 per license per year... minimum 10 licenses!

openVPN Access Server FAQ:

IF you are keen for a simple, free-as-in-beer, 2 connection openVPN setup, then proceed...

Get the container up

Use this docker-compose.yml

Put the right details for your mapped docker storage in the volumes section

version: "2"
services:
  openvpn-as:
    image: linuxserver/openvpn-as
    container_name: openvpn-as
    cap_add:
      - NET_ADMIN
    environment:
      - TZ=Pacific/Auckland
    volumes:
      - /dockervolumes/openvpn-as:/config
    ports:
      - 943:943
      - 9443:9443
      - 1194:1194/udp
    restart: unless-stopped


Set up the web interface

Do this section before port forwarding, as there is a default web interface password.

Go to https://ipaddressofserver:943/admin
Default username/pass is admin/password

Go into the User Permissions menu on the left

Create a new user and give it Admin permissions. Save Settings.

Click 'More Settings' for the Admin user, and give it a password.

Go down to Access Control (Use NAT should be set) and enter the networks you want the user to be able to access when connected, eg (add multiple subnets one below the other)

Log out of web interface and log in again as new user.

Go to user management and 'Deny Access' or delete the admin user.

Other (Optional)
You can set network addressing in Configuration/VPN Settings menu.

You can choose how DNS service is allocated in the Configuration/VPN Settings menu. By default, people keep their own DNS settings, so if you want to route them through the VPN, change it here.

You can set default settings for routing, rather than per user settings in Configuration/VPN Settings menu

Do some port forwarding in your router

Forward these ports in your router to your server running docker. Note that 943 is the web interface - you will need to forward this and expose it to the outside world to get the clients up and running, but can then turn it off.


Set up the Android App

You will need the external address or domain name of your server (IP address via or dyndns etc). Remember to take your phone off your local wifi to connect/setup.

Install the OpenVPNConnect app on your phone, it is this one
Note this is the 'Official' one, but it is non-free(dom) from OpenVPNInc.

Run the app and add a profile with the + button

it will ask for the url. If your IP is, you'll use:

The app should pull in the certificates and you can save the profile.

You need to edit the profile details (pencil button) and the settings should be something like:

Access Server Hostname (locked):

Profile Name
[email protected]

Server Override (optional)

Port (locked)

Username (locked)

Note: I HAD to put the server override value in there, not sure why (it was initially blank). I couldn't connect without it.

You should now be able to connect (are you off local wifi?) to the VPN.

Turn off port forwarding in your router for the web interface if you want to.
Unforward port 943 - you will need to allow access again if you set up other clients or another user.

Setting Android VPN start/stop shortcuts in launcher
You can create a homescreen shortcut for android for your connection. Edit the Profile (Pencil Button) and there is a button down the bottom with green writing "Set Connect Shortcut".

You can also create a disconnect homescreen shortcut, it is in the app settings menu "Set Disconnect Shortcut" (not in the profile settings). Note that clicking on these shortcuts in my android launcher sometimes looks like they haven't done anything (especially if you save the VPN password), although it seems just to work nice and quickly. Check the top android notification bar to see if there is a VPN 'Key' icon when the VPN is operating. You can also check your IP address to see where you are connected, obviously.

There is an openVPN app for windows that I am successfully using, pretty sure you'd need admin rights, but not sure.

This is the iOS app, but I've never used it

Another option for connecting on android is this one (and it is fully open source).
Don't know much about this one, sorry.

Some Android Connect FAQs including errors

You can also create your own open vpn client config file (.ovpn) with the certificates in it, here are samples:



In this tutorial, I will be setting up an Open VPN server under Docker with CloudSigma. With CloudSigma’s cloud locations spread all over the globe, you can create a server in any of them and access the content from there.

Creating the machine

First, I am creating a machine with the following resources:
20 GHz CPU
I am mounting the disk with Ubuntu 18.04 image available in CloudSigma’s library.

Ubuntu 18.04: Pre-installed 64bit with VirtIO drivers, superuser, Python 2.7.15, Pip 18.0, OpenSSL 1.1.0i, Cloud-init and latest updates until 2018-09-30.

Updating all existing repos and packages on the machine.

sudo apt update

sudo apt upgrade

Now that our system is up to date, I will move towards installing Docker. For more info on Docker, please check here.

Installing Docker

I can install Docker executing the following commands:

sudo apt-get install \






curl -fsSL | sudo apt-key add -


sudo add-apt-repository \





sudo apt-get update

sudo apt-get install docker-ce



Now that Docker is successfully installed, I can start with getting OpenVPN Access Server working on it. Following is the command for creating a new Docker container of OpenVPN Access Server with the specified configuration.

docker create \


-v <path to data>:/config \







The following options are described on the Docker image’s page.
Where openvpn-as should store configuration files:

For GroupID:

Used for UserID:

For Timezone setting:

Setting interface for openvpn-as default is eth0:

IMPORTANT, for most users, needs to operate in host mode:

IMPORTANT, will not operate unless in privileged mode:

To get group id and user id, execute the following command:

I am mentioning the timezone as CET.

For interface, execute the following command:

The interface would generally be ens3 or eth0. For my system, it is ens3.

After adding all these things, I am executing the following command:

sudo docker create --name=openvpn-as \








Since we don’t have the image already in our system, the image will be pulled from the server. The output would be:

Unable to find image 'linuxserver/openvpn-as:latest' locally
latest: Pulling from linuxserver/openvpn-as
56d9dc91333b: Pull complete
1356b0cfc067: Pull complete
155f3c53d4a5: Pull complete
05088c205b6d: Pull complete
112068b0fa4e: Pull complete
2ff5dd4a0d9b: Pull complete
7dd87385ca73: Pull complete
d966d969c7cd: Pull complete
4439dbcda217: Pull complete
5f960f89c64e: Pull complete

Status: Downloaded newer image for linuxserver/openvpn-as:latest


Starting up the container with this command:


sudo docker start openvpn-as

Log in

Now that I have started it, I will go to the admin panel of the access server.

Going to the URL: https://<<YourIpAddress>>:943/admin

OpenVPN Login Screen

It will ask for the username and password which by default is:
Username: admin
Password: password

OpenVPN Access Server License Agreement

Now that I have logged in, it asks whether I accept the EULA (End User License Agreement). Clicking on Agree and moving to the admin dashboard.

VPN server under Docker

It is recommended to change the password of the admin account for security purposes. I am changing it, using the following command:


docker exec -it openvpn-as passwd admin

Configuring the DNS

Now that our server is up and running, we would want to configure the DNS in it. For more info on Domain Name Servers (DNS), please click here.

One of the fastest DNS servers is Google’s. I am going to configure that in my OpenVPN Access Server, so my clients are able to roam around websites easily.

I am going to the VPN settings and under DNS settings, I will enable “Have clients use specific DNS servers.”

VPN Settings

Next, I will enter the following addresses in the DNS Server columns:
Primary DNS Server:
Secondary DNS Server:

DNS Settings

Save Settings and Click on “Update Running Server.” It will update the running Server.

Now that I’ve configured the server successfully, I can move towards connecting to the VPN through my system.

Accessing the client UI on: https://<<YourIpAddress>>:943.

Enter the admin username, password of the admin or create a new user from the admin panel’s User Management section.

Once I log into it, it will give me various options for different OS. I select Windows and download the Client software.

OpenVPN Connect app

Now that it’s installed, I can start it from the Start Menu, or it will start automatically. From the system tray, I can connect to the VPN using the account I set up earlier.

Connect to OpenVPN

And I am connected to the VPN. Et Voila! This is how you create a VPN server under Docker.

About Akshay Nagpal

Big Data Analytics and ML enthusiast.

