How to Set Up OpenVPN Access Server on Ubuntu 22.04/20.04

This tutorial is going to show you how to run your own OpenVPN Access server on Ubuntu 22.04/20.04. OpenVPN is an open-source, robust, and highly flexible VPN solution.

Why Set Up Your Own VPN Server?

  • Maybe you are a VPN service provider or a system administrator who needs to run your own VPN server.
  • You don’t trust the no-logging policy of VPN service providers, so you go the self-hosted route.
  • You can use a VPN to implement network security policy. For example, if you run your own email server, you can require users to log in only from the IP address of the VPN server by whitelisting that address in the firewall. This hardens your email server against attacks from the open Internet.
  • Perhaps you are just curious to know how a VPN server works.


OpenVPN Access Server Features

  • Lightweight and fast. In my test, I can watch YouTube 4K videos with OpenVPN. YouTube is blocked in my country (China).
  • Runs on Linux and most BSD servers.
  • There is OpenVPN client software for Linux, macOS, Windows, Android, and iOS. Easy distribution of VPN clients and connection profiles.
  • Supports RADIUS accounting.
  • Supports Active Directory/LDAP integration, 2FA.
  • Supports virtual hosting (multiple domains).
  • Easy to set up
  • Easy management via a web-based admin panel.
  • Supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT.
  • Support for dynamic IP addresses, DHCP and static IP addresses.
  • Scalability to hundreds or thousands of users
  • Supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates

Requirements

To follow this tutorial, you will need a VPS (Virtual Private Server) that can access blocked websites freely (Outside of your country or Internet filtering system). I recommend Kamatera VPS, which features:

  • 30 days free trial.
  • Starts at $4/month (1GB RAM)
  • High-performance KVM-based VPS
  • 9 data centers around the world, including the United States, Canada, the UK, Germany, the Netherlands, Hong Kong, and Israel.

Follow the tutorial linked below to create your Linux VPS server at Kamatera.

Once you have a VPS running Ubuntu 22.04/20.04, follow the instructions below.

Step 1: Install OpenVPN Access Server on Ubuntu 22.04/20.04

Log into your Ubuntu 22.04/20.04 server. Then run the following command to add the OpenVPN Access Server repository to your system. The signed-by option tells APT to accept packages from this repository only if they are signed by the key you import in the next step.

echo "deb [signed-by=/etc/apt/keyrings/openvpn-as.gpg.key] http://as-repository.openvpn.net/as/debian $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/openvpn-as.list

Next, import the OpenVPN Access Server GPG key so that APT can verify the signatures of the packages it downloads. The /etc/apt/keyrings directory ships with Ubuntu 22.04 but may not exist on 20.04, so create it first.

sudo mkdir -p /etc/apt/keyrings

wget --quiet -O - https://as-repository.openvpn.net/as-repo-public.gpg | sudo tee /etc/apt/keyrings/openvpn-as.gpg.key

And because this repository is fetched over an HTTPS connection, we also need to install the apt-transport-https and ca-certificates packages.

sudo apt install apt-transport-https ca-certificates

Finally, update the package index on your Ubuntu system and install OpenVPN Access Server.

sudo apt update

sudo apt install -y openvpn-as

At the end of the installation, the installer prints the URLs of the admin panel and the client panel, along with the username and randomly generated password of the admin account. Note them down; you need them in Step 2.

Check systemd service status:

sudo systemctl status openvpnas


Check listening ports.

sudo ss -lnptu | grep openvpn


OpenVPN Access Server automatically enables IP forwarding and IP masquerading (NAT), so VPN clients can reach the Internet through the server. Check IP forwarding:

sysctl net.ipv4.ip_forward

Output:

net.ipv4.ip_forward = 1

Check IP masquerading.

sudo iptables -t nat -L POSTROUTING

Output:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
AS0_NAT_POST_REL_EST  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_NAT_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000

Run the following two commands to enable the TCP BBR congestion control algorithm, which improves TCP throughput on lossy links.

echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.d/60-custom.conf

echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.d/60-custom.conf

Then apply the changes with the command below. The -p option loads the settings from /etc/sysctl.d/60-custom.conf right away; because the file lives in /etc/sysctl.d/, the same settings are applied automatically on every reboot.

sudo sysctl -p /etc/sysctl.d/60-custom.conf

Step 2: Managing OpenVPN Access Server via the Admin Panel

Go to https://your-server-ip:943/admin to access the admin panel. It uses a self-signed TLS certificate, so you need to add a security exception in your browser to access it.


OpenVPN Access Server ships with sane default settings:

  • All client traffic is routed through the OpenVPN server.
  • Clients use the OpenVPN server as their DNS server.
  • The OpenVPN server listens for client connections on TCP port 443 and UDP port 1194.
  • TLS 1.2 is the minimum TLS version.

Now we need to create VPN users. Go to User Management -> User Permissions, enter a new username, and click the Save Settings button.

Then click the More Settings button to set a password for the new user.


Click the Save Settings button. Then click the Update Running Server button to apply the changes.

Step 3: Set DNS Server For VPN Users

By default, OpenVPN Access Server won’t push a DNS server to VPN users, so they keep using their existing DNS server. However, this may cause DNS failures for VPN users.

Go to Configuration -> VPN Settings. In the Routing section, you can find the following text:

Specify the private subnets to which all clients should be given access (one per line):

Enter 172.27.240.0/20 as the value.

In the DNS Settings section, set Have clients use specific DNS servers to yes. Then enter the primary DNS server and secondary DNS server, such as 8.8.8.8 and 1.1.1.1.

Click the Save Settings button, then click the Update Running Server button to apply the changes.

How to Install and Use OpenVPN client on Ubuntu 22.04/20.04 Desktop

Run the following command to install the OpenVPN command-line client on your Ubuntu desktop.

sudo apt install openvpn

Then go to https://your-server-ip:943 to access the client portal, where a VPN user can log in, download the OpenVPN client software, and download their personal connection profile (.ovpn).

Move the .ovpn file to the /etc/openvpn/ directory. Then edit this file. Mine is named profile-3.ovpn. Yours might be different.

sudo nano /etc/openvpn/profile-3.ovpn

Find the following line.

auth-user-pass

Change it to

auth-user-pass /etc/openvpn/auth.txt

Save and close the file. Then create the /etc/openvpn/auth.txt file.

sudo nano /etc/openvpn/auth.txt

In this file, enter the VPN username on the first line and the password on the second line, replacing the placeholders below with your actual credentials:

your_vpn_username
your_vpn_password

Because the password is stored in plain text, make sure the file is readable by root only.

Save and close the file. Then rename the .ovpn file to a .conf file.

sudo mv /etc/openvpn/profile-3.ovpn /etc/openvpn/profile-3.conf
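The steps above (credential file, rewriting the auth-user-pass directive, renaming to .conf) as one POSIX shell function. This is an added example, not a script from the tutorial or from OpenVPN: it assumes the profile was downloaded from the client portal, names the credential file <name>-auth.txt instead of auth.txt, and uses a hypothetical OPENVPN_DIR variable (default /etc/openvpn) only so the function can be tried against a scratch directory before touching the real one.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: install a downloaded .ovpn profile as a
# systemd-managed /etc/openvpn/<name>.conf whose credentials live in a root-only file.
# Assumed: the profile came from the client portal and the caller supplies the VPN
# username and password. OPENVPN_DIR (hypothetical) defaults to /etc/openvpn and exists
# only so the function can be exercised against a temporary directory.
set -eu

# Write the credential file and the rewritten profile; print the path of the new .conf.
install_openvpn_profile() {
    profile="$1"; name="$2"; user="$3"; pass="$4"
    dir="${OPENVPN_DIR:-/etc/openvpn}"
    auth="$dir/$name-auth.txt"
    conf="$dir/$name.conf"

    # Credentials: username on line 1, password on line 2. They are stored in plain text,
    # so the file is created readable by root only (the umask runs in a subshell so the
    # caller's umask is left untouched).
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$auth" )
    chmod 600 "$auth"

    # Point the bare "auth-user-pass" directive at the credential file and save the result
    # under the .conf name that openvpn@<name>.service expects; every other line is kept.
    sed "s#^auth-user-pass[[:space:]]*\$#auth-user-pass $auth#" "$profile" > "$conf"
    chmod 600 "$conf"
    echo "$conf"
}

# Return the auth-user-pass directive of an installed profile (used to confirm the rewrite).
auth_directive_of() {
    grep '^auth-user-pass' "$1"
}
```

Run the function as root, e.g. install_openvpn_profile ~/profile-3.ovpn profile-3 alice 'password', then start the connection with sudo systemctl start openvpn@profile-3.service as described next. The original .ovpn file is left where it was, so delete it once the .conf works.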

Now you can start the VPN.

sudo systemctl start openvpn@profile-3.service

Check status:

sudo systemctl status openvpn@profile-3.service

When you see the Initialization Sequence Completed message, your OpenVPN connection has been successfully established.

Then go to https://icanhazip.com. If everything is working properly, you should see the public IP address of the OpenVPN Access server.

To stop this systemd service, run

sudo systemctl stop openvpn@profile-3.service

If you want to use Network Manager to manage the OpenVPN connection instead, install these packages.

sudo apt install network-manager-openvpn network-manager-openvpn-gnome

OpenVPN GUI Client for Windows and macOS

Go to the OpenVPN Access Server Client Portal (https://your-server-ip:943) to download the OpenVPN Connect client for Windows and macOS.

Speed

OpenVPN is pretty fast. I can use it to watch 4K videos on YouTube. As you can see, my connection speed is 63356 Kbps, which translates to 61 Mbit/s.

And here are the test results on speedtest.net.

How to Install Let’s Encrypt TLS Certificate for OpenVPN Access Server

If you don’t want VPN users to see a security warning when visiting the OpenVPN Access Server Client Portal, you need to obtain a valid TLS certificate. We can get one for free from Let’s Encrypt.

Install the Certbot client.

sudo apt install certbot

Open TCP ports 80 and 443.

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Obtain a TLS certificate. Before running the command, create a DNS A record for your sub-domain (openvpn.example.com) pointing to the server’s public IP address; the HTTP challenge requires Let’s Encrypt to reach your server on port 80. Replace the email address with your own.

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email you@example.com -d openvpn.example.com

Then install the private key, certificate, and CA chain into OpenVPN Access Server with the sacli command-line tool.

sudo /usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/openvpn.example.com/privkey.pem" ConfigPut

sudo /usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/openvpn.example.com/cert.pem" ConfigPut

sudo /usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live/openvpn.example.com/chain.pem" ConfigPut

Apply the changes.

sudo /usr/local/openvpn_as/scripts/sacli start
sudo systemctl restart openvpnas
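Certbot renews the certificate automatically, but the three sacli ConfigPut calls above copy the file contents into the Access Server configuration at the moment they run, so a renewed certificate is not picked up until they are run again. The following certbot deploy hook is an added example, not a script shipped by OpenVPN or by this tutorial; it uses the same sacli commands as above, relies on certbot’s documented RENEWED_LINEAGE variable, and assumes the sub-domain openvpn.example.com and the default sacli path (overridable through a hypothetical SACLI variable).

```sh
#!/bin/sh
# Added example, not a script shipped with OpenVPN Access Server or this tutorial.
# Save as /etc/letsencrypt/renewal-hooks/deploy/openvpn-as.sh and make it executable:
# certbot runs it after every successful renewal with RENEWED_LINEAGE set to the
# renewed lineage directory (e.g. /etc/letsencrypt/live/openvpn.example.com).
set -eu

# Assumed path of the Access Server CLI; overridable so the function can be exercised
# against a stub outside a real server.
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# Import key, leaf certificate and chain from a lineage directory and restart the
# web services. Returns 1 without touching the server if any of the three files is
# missing, so a half-written lineage never replaces a working certificate.
install_openvpn_as_cert() {
    lineage="$1"
    for f in privkey.pem cert.pem chain.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "openvpn-as deploy hook: missing $lineage/$f" >&2
            return 1
        fi
    done
    "$SACLI" --key "cs.priv_key"  --value_file "$lineage/privkey.pem" ConfigPut
    "$SACLI" --key "cs.cert"      --value_file "$lineage/cert.pem"    ConfigPut
    "$SACLI" --key "cs.ca_bundle" --value_file "$lineage/chain.pem"   ConfigPut
    "$SACLI" start
}

# Only act when certbot invoked us, and only for the VPN host's own lineage; other
# certificates renewed on the same machine are left alone.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    case "$RENEWED_LINEAGE" in
        */openvpn.example.com) install_openvpn_as_cert "$RENEWED_LINEAGE" ;;
    esac
fi
```

You can rehearse the hook without waiting for a renewal with sudo certbot renew --dry-run, which also runs the deploy hooks, or simply by exporting RENEWED_LINEAGE=/etc/letsencrypt/live/openvpn.example.com and running the script as root.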

Set Up Stunnel (optional)

If you live in a country like China or Iran, your national firewall may block OpenVPN connections. You can wrap the OpenVPN traffic inside a TLS tunnel to hide the fact that you are using OpenVPN.

Configure Stunnel on the OpenVPN server

Install Stunnel on the OpenVPN server.

sudo apt install -y stunnel4

Copy the sample configuration file:

sudo cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/openvpn.conf

Edit the new file.

sudo nano /etc/stunnel/openvpn.conf

Find the following lines and uncomment them.

;setuid = stunnel4
;setgid = stunnel4

;pid = /var/run/stunnel.pid

;output = /var/log/stunnel.log

Change them to:

setuid = stunnel4
setgid = stunnel4

pid = /var/run/stunnel/stunnel.pid

output = /var/log/stunnel/stunnel.log

Find the following lines.

[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes

These sections define client tunnels for SMTP, IMAP, and POP3. Delete them and add the following lines instead, so that Stunnel accepts TLS connections on port 443 and passes the decrypted traffic to the OpenVPN server listening on port 1194.

[openvpn]
cert=/etc/letsencrypt/live/openvpn.example.com/fullchain.pem
key=/etc/letsencrypt/live/openvpn.example.com/privkey.pem
accept = 0.0.0.0:443
connect = 127.0.0.1:1194

Save and close the file. Create the directories for the PID file and the log file.

sudo mkdir /var/run/stunnel /var/log/stunnel

Give the stunnel4 user ownership of both directories.

sudo chown stunnel4:stunnel4 /var/run/stunnel/ -R
sudo chown stunnel4:stunnel4 /var/log/stunnel/ -R

Then go to OpenVPN Access Server admin panel -> Configuration -> Networking Settings. Change the TCP port number from 443 to 1194.

Save the settings and click the Update Running Server button to apply the changes.

Start Stunnel.

sudo /usr/bin/stunnel4 /etc/stunnel/openvpn.conf

You should see that Stunnel is using port 443.

sudo ss -lnpt | grep 443

If Stunnel fails to start, check the log file /var/log/stunnel/stunnel.log. If another process on your server is already listening on TCP port 443, stop it first; otherwise Stunnel cannot bind to that port.

Configure Stunnel on the OpenVPN client (Ubuntu Desktop)

Install Stunnel on the OpenVPN client.

sudo apt install -y stunnel4

Create Stunnel config file.

sudo nano /etc/stunnel/client.conf

Add the following lines in this file. Replace 12.34.56.78 with the public IP address of your OpenVPN Access Server.

output = /var/log/stunnel/stunnel.log
pid = /var/run/stunnel/stunnel.pid
client = yes
[openvpn]
accept = 127.0.0.1:1194
connect = 12.34.56.78:443

Save and close the file. Create the log directory and pid directory.

sudo mkdir /var/log/stunnel/ /var/run/stunnel/

Start the Stunnel client.

sudo stunnel /etc/stunnel/client.conf

It listens on 127.0.0.1:1194 and forwards everything it receives, wrapped in TLS, to the Stunnel server.

sudo ss -lnpt | grep 1194

Sample output:

LISTEN 0      4096       127.0.0.1:1194       0.0.0.0:*    users:(("stunnel",pid=118898,fd=9))

Next, edit the OpenVPN client config file.

sudo nano /etc/openvpn/profile-3.conf

Find the remote directives.

remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 443 tcp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp

Replace all of them with a single remote line pointing at the local Stunnel listener, 127.0.0.1:1194.

remote 127.0.0.1 1194 tcp

Save and close the file. Then add a static route for the OpenVPN Access Server to prevent a routing loop when using Stunnel. Normally OpenVPN adds this host route itself from the address in the remote directive, but that address is now 127.0.0.1, so once the tunnel is up the Stunnel connection to the server would itself be sent into the tunnel unless you route the server’s address through your physical gateway.

sudo ip route add xx.xx.xx.xx via 192.168.1.1 dev enp4s0
  • Replace xx.xx.xx.xx with the public IP address of your OpenVPN Access Server.
  • My default gateway is 192.168.1.1 (my router). If your router has a different IP address, change it as appropriate.
  • enp4s0 is the network interface. You can use the ip addr command to find out your network interface name.

Then restart OpenVPN client.

sudo systemctl restart openvpn@profile-3.service

Check logs.

sudo journalctl -eu openvpn@profile-3.service

If things are working properly, you should see the Initialization Sequence Completed message. Then go to https://icanhazip.com; you should see the public IP address of the OpenVPN Access Server.
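The Ubuntu client steps above (Stunnel client config and rewriting the remote lines of the profile) as POSIX shell functions. This is an added example and not code from the tutorial or from the Stunnel or OpenVPN projects. One deliberate difference from the client.conf shown above: the tutorial’s client config does not verify the server’s certificate, so the outer TLS wrapper is unauthenticated (OpenVPN’s own TLS inside it still authenticates the server). Since the Stunnel server in this tutorial presents a Let’s Encrypt certificate for openvpn.example.com, the generated config adds verifyChain, CApath and checkHost, the same directives the sample gmail sections use; if your server uses a self-signed certificate instead, those three lines must be dropped or the connection fails. The host name openvpn.example.com and the address 12.34.56.78 are the tutorial’s placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): prepare an Ubuntu desktop to reach the
# Access Server through Stunnel. Two pieces the tutorial does by hand:
#  1. a Stunnel client config that also verifies the server's Let's Encrypt certificate;
#  2. rewriting the profile's many "remote" lines to a single 127.0.0.1:1194 tcp entry.
set -eu

# Write a Stunnel client config for the given server host name and IP. The server side
# in this tutorial presents a Let's Encrypt certificate for that host name, so the client
# can verify the chain against the system CA store and pin the expected host name.
write_stunnel_client_conf() {
    out="$1"; host="$2"; ip="$3"
    cat > "$out" <<EOF
output = /var/log/stunnel/stunnel.log
pid = /var/run/stunnel/stunnel.pid
client = yes

[openvpn]
accept = 127.0.0.1:1194
connect = $ip:443
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = $host
EOF
}

# Return 0 if a Stunnel client config verifies the server certificate, 1 otherwise.
# Useful as a quick audit of an existing /etc/stunnel/client.conf.
stunnel_conf_verifies() {
    grep -q '^verifyChain *= *yes' "$1" && grep -q '^checkHost *=' "$1"
}

# Replace every "remote ..." directive in an OpenVPN profile with the single local
# Stunnel endpoint, keeping all other directives (and inline certificates) in place.
point_profile_at_stunnel() {
    profile="$1"
    tmp="$profile.tmp"
    grep -v '^remote ' "$profile" > "$tmp" || true
    echo 'remote 127.0.0.1 1194 tcp' >> "$tmp"
    mv "$tmp" "$profile"
}

# Count the remote directives in a profile (used to confirm the rewrite).
count_remote_lines() {
    grep -c '^remote ' "$1" || true
}
```

Typical use as root: write_stunnel_client_conf /etc/stunnel/client.conf openvpn.example.com 12.34.56.78, then point_profile_at_stunnel /etc/openvpn/profile-3.conf, and continue with the static route and the service restart shown above.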

Configure Stunnel on the OpenVPN client (Windows)

Download Stunnel and install it on your Windows computer. Then start Stunnel. Right-click the Stunnel icon on the Windows taskbar and select Edit configuration.

Find the following lines.

[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes

These sections define client tunnels for SMTP, IMAP, and POP3. Delete them and add the following lines instead, so that Stunnel listens on local port 1194 and forwards the traffic, wrapped in TLS, to the OpenVPN Access Server. Replace 12.34.56.78 with the public IP address of your OpenVPN Access Server.

client = yes
[openvpn]
accept = 127.0.0.1:1194
connect = 12.34.56.78:443

Save and close the file. Right-click the Stunnel icon on the Windows taskbar and select Terminate. Then start Stunnel again.

Next, go to the OpenVPN Access Server Client Portal (https://your-server-ip:943) to download the OpenVPN Connect client and your connection profile. Open the connection profile in the Notepad text editor and find the remote directives.

remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 443 tcp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp
remote xx.xx.xx.xx 1194 udp

Replace all of them with a single remote line pointing at the local Stunnel listener, 127.0.0.1:1194.

remote 127.0.0.1 1194 tcp

Save and close the file. Then open Windows PowerShell as administrator and run the following command to add a static route for the OpenVPN Access Server. This prevents a routing loop when using Stunnel: with the remote address set to 127.0.0.1, OpenVPN can no longer add the host route to the real server itself.

route ADD xx.xx.xx.xx MASK 255.255.255.255 192.168.1.1
  • Replace xx.xx.xx.xx with the public IP address of your OpenVPN Access server.
  • My default gateway is 192.168.1.1 (my router). If your router has a different IP address, change it as appropriate.

Then re-import the OpenVPN connection profile to the OpenVPN Connect client. Now you can try establishing VPN connection.

Troubleshooting

Connection Refused

If your OpenVPN server doesn’t listen on TCP port 1194, then you may find the following error in the Stunnel log.

s_connect: connect 127.0.0.1:1194: Connection refused (111)

Go to the OpenVPN Access Server admin panel -> Configuration -> Network Settings, enable TCP on port 1194 and disable UDP. Don’t forget to click the Update Running Server button to apply the changes.

Connection Reset

If you find the following error in the Stunnel log,

TLS fd: Connection reset by peer (104)

it might be that your national firewall is able to detect and block Stunnel traffic. You can try other VPN solutions instead, such as the SoftEther VPN SSTP protocol or the OpenConnect VPN protocol.

Wrapping Up

That’s it! I hope this tutorial helped you install and configure OpenVPN on Ubuntu 22.04/20.04. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks 🙂


2 Responses to “How to Set Up OpenVPN Access Server on Ubuntu 22.04/20.04”

  • Hi
    The connection is not established correctly. Repeats constantly.

    2022.10.24 13:02:22 LOG5[0]: Service [openvpn] accepted connection from 127.0.0.1:50167
    2022.10.24 13:02:23 LOG5[0]: s_connect: connected x.x.x.x:443
    2022.10.24 13:02:23 LOG5[0]: Service [openvpn] connected remote server from 192.168.1.102:50168
    2022.10.24 13:02:27 LOG5[1]: Service [openvpn] accepted connection from 127.0.0.1:50170
    2022.10.24 13:02:27 LOG5[1]: s_connect: connected x.x.x.x:443
    2022.10.24 13:02:27 LOG5[1]: Service [openvpn] connected remote server from 192.168.1.102:50171
    2022.10.24 13:02:31 LOG5[2]: Service [openvpn] accepted connection from 127.0.0.1:50173
    2022.10.24 13:02:31 LOG5[2]: s_connect: connected x.x.x.x:443
    2022.10.24 13:02:31 LOG5[2]: Service [openvpn] connected remote server from 192.168.1.102:50174
    2022.10.24 13:02:42 LOG3[0]: SSL_connect: Connection reset by peer (WSAECONNRESET) (10054)
    2022.10.24 13:02:42 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
    2022.10.24 13:02:47 LOG3[1]: SSL_connect: Connection reset by peer (WSAECONNRESET) (10054)
    2022.10.24 13:02:47 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
    2022.10.24 13:02:50 LOG3[2]: SSL_connect: Connection reset by peer (WSAECONNRESET) (10054)
    2022.10.24 13:02:50 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 
  • Hi, add this options to stunnel client’s config and try again :

    sslVersionMin = TLSv1.2
    sslVersionMax = TLSv1.2
    
