
Jun 07

How to Create a VPN Server on Ubuntu 12.04


Commands:

apt-get update

apt-get install openvpn openssl

cd /etc/openvpn

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa

apt-get install nano

nano easy-rsa/vars

change

export EASY_RSA="`pwd`"

to

export EASY_RSA="/etc/openvpn/easy-rsa"

. ./easy-rsa/vars

./easy-rsa/clean-all

cd easy-rsa

ln -s openssl-1.0.0.cnf openssl.cnf

cd ..

./easy-rsa/build-ca OpenVPN

./easy-rsa/build-key-server server

./easy-rsa/build-key client1

./easy-rsa/build-dh

nano openvpn.conf

begin openvpn.conf contents – copy below this line

dev tun

proto udp

port 1194

ca /etc/openvpn/easy-rsa/keys/ca.crt

cert /etc/openvpn/easy-rsa/keys/server.crt

key /etc/openvpn/easy-rsa/keys/server.key

dh /etc/openvpn/easy-rsa/keys/dh1024.pem

user nobody

group nogroup

server 10.8.0.0 255.255.255.0

persist-key

persist-tun

status /var/log/openvpn-status.log

verb 3

client-to-client

push "redirect-gateway def1"

#set the dns servers

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

log-append /var/log/openvpn

comp-lzo

end openvpn.conf contents – copy above this line

echo 1 > /proc/sys/net/ipv4/ip_forward

Run "ifconfig" to get the adapter name and IP address (venet0 was mine, since my VPS host is using OpenVZ).

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to YOUR.VPS.IP

cd ..

nano sysctl.conf

un-comment (remove the #) from the line containing #net.ipv4.ip_forward=1

cd ..

/etc/init.d/openvpn start

begin newvpn.ovpn contents – copy below this line

dev tun

client

proto udp

remote YOUR.VPS.IP 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert client1.crt

key client1.key

comp-lzo

verb 3

end newvpn.ovpn contents – copy above this line

The software I download the files with is called WinSCP. It allows you to transfer files via SSH. This is useful if you do not have an FTP or HTTP server running.
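
A quick audit of the server configuration above, as an added example that is not part of the original post: it flags the settings in openvpn.conf that deserve a second look before the server is exposed. The function names and the temporary sample file are assumptions of this example; the sample lines are taken from the tutorial's config.

```sh
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN server config.

# Print the arguments of the first uncommented occurrence of directive $2 in file $1.
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed if directive $2 appears uncommented in file $1.
has() { awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"; }

# Print one WARN line per finding for the config file $1.
audit_openvpn_conf() {
    conf=$1
    # easy-rsa 2.0 names the file dh<KEY_SIZE>.pem, so the name gives the size.
    bits=$(directive "$conf" dh | sed -n 's/.*dh\([0-9][0-9]*\)\.pem$/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WARN dh: ${bits}-bit parameters; set KEY_SIZE=2048 in easy-rsa/vars, rerun build-dh"
    fi
    if has "$conf" comp-lzo || has "$conf" compress; then
        echo "WARN compression: compressing before encrypting can leak plaintext (VORACLE)"
    fi
    if has "$conf" client-to-client; then
        echo "WARN client-to-client: clients reach each other without crossing iptables"
    fi
    if ! has "$conf" tls-auth && ! has "$conf" tls-crypt; then
        echo "WARN tls-auth: no shared HMAC key protecting the TLS handshake"
    fi
    if ! has "$conf" user || ! has "$conf" group; then
        echo "WARN user/group: daemon keeps root privileges after startup"
    fi
    return 0
}

# Sample input: the security-relevant lines of the tutorial's openvpn.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
client-to-client
comp-lzo
EOF
audit_openvpn_conf "$sample"
rm -f "$sample"
```

To check a live server, call audit_openvpn_conf /etc/openvpn/openvpn.conf. If comp-lzo is dropped on the server it has to be dropped from newvpn.ovpn as well, since both ends must agree.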

Comments prior to 12/23/2012 for this post can be found here.


  1. GeeksAndTweaks

    All comments have been archived to reduce page load time. They are linked to at the bottom of the original post. Please feel free to leave new comments, questions and suggestions. You don’t even have to register :)

  2. joelb

    Hey wow! Great tut. No problems with the steps listed, could use a teensy-tiny bit more info though:

    you mention copying 3 files to the client. Which 3 files?
    I assume these would go in the user’s .ssh dir?
    Also, the file newvpn.ovpn, where does that go? I’ll be using OS X 10.8 as the client.

    1. GeeksAndTweaks

      ca.crt, client1.crt, and client1.key are the three files if you named everything the same as I did in the tutorial. Those and the newvpn.ovpn would all go in C:\Program Files\OpenVPN\config\choose_a_sensible_folder_name on a Windows machine. On a Mac (bear with me I’ve no experience with them) it appears to be located in ~/Library/openvpn/choose_a_sensible_folder_name (The ~ represents the currently logged on users’ /Home directory) I hope this helps (:

  3. joelb

    sorry, 1 more question: i have fwded port 1194 on the router to the OpenVPN server. Any other ports needed for this?

    1. GeeksAndTweaks

      Port 1194 is all that’s necessary, and is only necessary if your server is behind a router.

  4. Steve

    root@server:/etc/openvpn/easy-rsa/keys# cat >mkclientpkg.sh
    #!/bin/bash
    client=$1
    tar -cvzf "$client.package.tar.gz" ca.crt "$client.crt" "$client.key" "$client.ovpn"
    echo "Saved $client.package.tar.gz"
    (ctrl-d)

    root@server:/etc/openvpn/easy-rsa/keys# chmod 700 mkclientpkg.sh
    root@server:/etc/openvpn/easy-rsa/keys# ./mkclientpkg.sh client1
    ca.crt
    client1.crt
    client1.key
    client1.ovpn
    Saved client1.package.tar.gz
    root@server:/etc/openvpn/easy-rsa/keys# scp client1.package.tar.gz user@someclient:.
    ~meanwhile..
    user@someclient:~$ tar -xvzf client1.package.tar.gz
    ~user imports with VPN client… just works.. user is amazed.. ++admin

    disclaimer: o&oe cap fits wear

    1. GeeksAndTweaks

      Nice! Thanks for the tip :)

  5. Simon

    Hi,

    Thanks for the great tutorial. It worked for me and I got the VPN working. The VPN server is an Amazon EC2 instance.

    After establishing the VPN connection using my OpenVPN Windows client, I wanted to ensure that all the Internet traffic is routed via the Amazon EC2 instance. But my local browsing is still using the local ISP. Is there a tutorial somewhere where I can use the VPN server as my access gateway once I’m connected?

    Thanks in advance.

    1. GeeksAndTweaks

      Hmm, by default all your traffic should be routed through the VPN if it’s connected. You’d normally have to take extra steps to get any software to talk outside the VPN while it’s connected.

  6. petter

    hello, i followed the instructions, but the server only allows one client connected at a time, i have tried the same client cert/keys, and created different ones for each client, but no luck:(
    Some tips how to fix this? thanks

    1. GeeksAndTweaks

      Have you checked the “max-clients” setting in the server config file?

  7. julz

    How can i make it work like pptp? with username and password.

    also how to add account?

    Sorry for asking too much, i really don’t have any idea how to get started :)

    1. GeeksAndTweaks

      I’ve never had the need to set up authentication for the way I use these but this is what the OpenVPN official site says:

      OpenVPN 2.0 includes a feature that allows the OpenVPN server to securely obtain a username and password from a connecting client, and to use that information as a basis for authenticating the client.

      To use this authentication method, first add the auth-user-pass directive to the client configuration. It will direct the OpenVPN client to query the user for a username/password, passing it on to the server over the secure TLS channel.

      Next, configure the server to use an authentication plugin, which may be a script, shared object, or DLL. The OpenVPN server will call the plugin every time a VPN client tries to connect, passing it the username/password entered on the client. The authentication plugin can control whether or not the OpenVPN server allows the client to connect by returning a failure (1) or success (0) value.

      You can read more here.

  8. julz

    I got everything. It’s working, though when i check my ip, it’s still using the same home ip i had. any idea what went wrong?

    1. GeeksAndTweaks

      When you connect, does the Openvpn GUI client icon in the system tray turn green? You can also right click the tray icon, choose “View Log” under your VPN, and see if you can find any errors listed.

  9. Terje

    I want to use a physical (mail)server located in Norway to watch webTV from Norway while in US. webTV providers in Norway will not stream video to my US based IP address. As a work around, I installed the OpenVPN software on my mail server in Norway following your instructions and it works apparently OK. The changes I made was to use 127.0.0.0/24 where you have 10.8.0.0/24 and I used 192.168.#.# for the mailserver IP address where you have Your.VPS.IP. Let me know if this is OK.
    However, for the newvpn.ovpn file, what Your.VPS.IP do I use? The static internet IP address of my server in Norway is what I put in the file. My server is behind a router that now is forwarding port 1194 to the local address of my server.
    This is a simple setup to be used for one purpose only. Please let me know your suggestions.
    Thanks, Terje

    1. GeeksAndTweaks

      Sounds like you got everything right to me. The IP address you used 127.0.0.0/24, is what range of IP’s to assign to clients within the VPN. Being as most machines assign the address 127.0.0.1 for itself (ever heard the joke there’s no place like 127.0.0.1?) I suppose it could cause issues if an IP address conflict happened. For example in IPtables when telling it to forward traffic, the server could get confused when you tell it to route traffic to 127.0.0.1. It may think you mean to itself. Does this make sense? I’m not even positive it will cause an issue, but if trouble arises it would be one of the first things I’d troubleshoot.
      And last, you used the correct IP in the .ovpn file.
      Thanks for stopping by :)

  10. Chris

    Hi,

    Great tutorial.

    I’m having a little trouble with the setup though. I cannot see tun0 in my ifconfig on the Ubuntu server and I copied the client files across to my windows machine and I can’t seem to get it to connect, just says openvpn exit. I’m quite lost where to go from here?

    1. GeeksAndTweaks

      I know this reply is super late but I’m going to leave it for anyone who may run across the same issue. If the machine is not showing a tun0 adapter, issue the following commands and try again. If it works as expected you’ll need to do it every time the server starts. Do this by inserting them into rc.local.
      mkdir /dev/net
      mknod /dev/net/tun c 10 200

  11. DaveJ

    This might be a stupid question, but how do you know what to use for YOUR VPS IP?

    1. GeeksAndTweaks

      It’s usually given to you by the company you purchase the VPS from.

  12. Anonymous

    Hi. stupid question. is my easy-rsa/vars file supposed to be blank when I open it?

    1. GeeksAndTweaks

      Yeap.

  13. Sri Kolla

    Hi, I followed your instructions and installed. But when i tried to connect to openvpn, it connects to openvpn but i cannot browse any internet. connection timed out.

    But i can ping to my vpn server and can browse files in my vps server. What may have gone wrong??

    1. GeeksAndTweaks

      Did you un-comment the line containing #net.ipv4.ip_forward=1 in sysctl.conf?

  14. Steve

    This is a really fantastic tutorial! Thanks
    One question though – I want to VPN into this box from outside. No VPS…just want to allow incoming VPN connections to this server – what do I do about the “YOUR.VPS.IP” line?

    1. GeeksAndTweaks

      YOUR.VPS.IP is to be replaced with the external IP address of the VPS you’re installing the VPN on. The VPS is a virtual private server hosting a virtual private network(VPN). One runs on the other and both are required.

  15. Deirdre Hebert

    Hello,
    When I get to the line: ./easy-rsa/build-ca OpenVPN
    I get the response ./easy-rsa/build-ca: 8: ./easy-rsa/build-ca: ./pkitool: not found

    It looks like pkitool is in the easy-rsa directory, so I’m at a loss as to what is happening. I’m not exactly a Linux expert, so I’m hoping that you can help.

    Thanks.

    1. GeeksAndTweaks

      Copy pkitool to / cp pkitool ../

  16. Jasvin

    Hi bro, when i tried to perform following commands, i got “permission denied”
    . ./easy-rsa/vars
    ./easy-rsa/clean-all

    any solutions?

    1. GeeksAndTweaks

      Log on as root or sudo su

  17. Neo

    how can i delete users ?
    someone told me to just delete from /etc/openvpn/easy-rsa/2.0/keys/index.txt , is that correct?
    Thanks in advance

    1. GeeksAndTweaks

      Here’s a short video on YouTube showing how to do it.


  18. greg

    How can i edit easy-rsa/vars file when it’s supposed to be empty,.. in video it shows yours is not blank

    1. GeeksAndTweaks

      It’s not supposed to be empty, and if it is make sure you’ve issued the command correctly. The vars file resides in /etc/openvpn/easy-rsa/ so cd to that directory and then issue nano vars and see if that does it.

  1. OpenVPN and IPTV | Ubuntu Info

    […] set up openvpn server on that computer and frequently using it. I’ve set up vpn server from this guide. I’m not very familiar with configuring routers so I wonder if it is possible to view that […]

