How to set up an SSL VPN server (OpenVPN) on Ubuntu Server 14.04

STEP 1. Install OpenVPN and Easy-RSA

sudo apt-get update
sudo apt-get install openvpn easy-rsa

Extract the sample server.conf into /etc/openvpn. The redirection is performed by your own unprivileged shell, so pipe through sudo tee instead of putting sudo in front of gunzip:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/null

Start editing server.conf

sudo nano /etc/openvpn/server.conf

Change dh1024.pem to dh2048.pem so the server loads the 2048-bit Diffie-Hellman parameters generated in STEP 3. These are DH group parameters, not the RSA key; the RSA key length is set separately by Easy-RSA (KEY_SIZE in its vars file).

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
# dh dh1024.pem
dh dh2048.pem


Uncomment push "redirect-gateway def1 bypass-dhcp" so that clients send all of their traffic through the tunnel:

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"


Uncomment the push "dhcp-option DNS" lines and put the address of the resolver that clients should use while connected after DNS (one address per line; the sample file lists a public resolver). If you push redirect-gateway, push a DNS server as well, otherwise Windows clients keep querying the resolver of whatever network they are on.

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# The addresses below refer to the public
# DNS servers provided by
push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"


Uncomment both user nobody and group nogroup so the daemon drops root privileges after initialisation:

# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup


STEP 2. Enable packet forwarding and allow VPN traffic through the firewall

Turn on IPv4 forwarding now. Note that "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" does not work, because the redirection is done by your unprivileged shell, not by sudo:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Make it survive a reboot by uncommenting net.ipv4.ip_forward=1 in /etc/sysctl.conf (then run sudo sysctl -p to apply it):

sudo nano /etc/sysctl.conf



For a VPN server facing the public Internet

On the server's own firewall allow:

ssh (ideally only from your administrative addresses)
1194/udp (the port and protocol set in server.conf)

Then permit forwarding between the tunnel, the LAN and the WAN with iptables. The original rules leave the subnets (-s/-d) and the interface names blank, so fill them in for your network; 10.8.0.0/24 is the client subnet the sample server.conf hands out ("server 10.8.0.0 255.255.255.0").

# Site-specific values (assumed example values; replace with your own)
VPN_NET=10.8.0.0/24       # client subnet from server.conf
LAN_NET=192.168.1.0/24    # your LAN subnet
LAN_IF=eth1               # LAN-facing interface (shown as "lan" in the original rules)
WAN_IF=eth0               # Internet-facing interface (shown as "wan")
LAN_IP=192.168.1.1        # the VPN server's own LAN address (for the SNAT variant)

# Allow VPN to LAN
iptables -I FORWARD -i tun0 -o $LAN_IF -s $VPN_NET -d $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Allow VPN to WAN
iptables -I FORWARD -i tun0 -o $WAN_IF -s $VPN_NET -m conntrack --ctstate NEW -j ACCEPT

# Allow LAN to WAN
iptables -I FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
# (-I inserts at the top of the chain, so this rule, inserted last, is evaluated first)
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Masquerade traffic from VPN to WAN
iptables -t nat -I POSTROUTING -o $WAN_IF -s $VPN_NET -j MASQUERADE

# Masquerade traffic from LAN to WAN
iptables -t nat -I POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE

# Masquerade traffic from VPN to LAN (only if LAN hosts don't use the VPN server
# as their default gateway, i.e. they have no route back to $VPN_NET)
iptables -t nat -A POSTROUTING -o $LAN_IF -s $VPN_NET -d $LAN_NET -j MASQUERADE
# Same effect as the MASQUERADE rule above, with the source address fixed to the
# server's LAN address instead of being looked up per packet; use one or the other
iptables -t nat -A POSTROUTING -o $LAN_IF -s $VPN_NET -d $LAN_NET -j SNAT --to-source $LAN_IP

These rules are lost on reboot: save them with iptables-save and restore them at boot (the iptables-persistent package does this). Also note that on a fresh Ubuntu install the FORWARD chain's default policy is ACCEPT, so the rules above only restrict anything once you set that policy to DROP.


For a VPN server behind a firewall

If the OpenVPN server sits behind a separate firewall or NAT box, that box must forward UDP 1194 to the server's internal address, and the FORWARD and POSTROUTING rules above belong on whichever machine actually routes between the VPN subnet, the LAN and the WAN.
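Putting STEP 2 together: the following is an added example, not the page's own script, that renders the whole rule set in iptables-restore format, with the INPUT chain for ssh and 1194/udp included and default-deny policies, instead of issuing iptables -I commands one at a time. The interface names, LAN subnet and administrative address range are assumptions passed in as arguments; 10.8.0.0/24 is the client subnet the sample server.conf assigns.

```shell
#!/bin/sh
# render_vpn_rules: print an iptables-restore rule set for the "VPN server
# facing public" layout of STEP 2. Added example, not part of the original page.
# Arguments (all site-specific assumptions):
#   WAN_IF    Internet-facing interface      e.g. eth0
#   LAN_IF    LAN-facing interface           e.g. eth1
#   LAN_NET   LAN subnet                     e.g. 192.168.1.0/24
#   ADMIN_NET addresses allowed to ssh in    default: anywhere
# 10.8.0.0/24 is the client subnet from the sample server.conf.
render_vpn_rules() {
    [ $# -ge 3 ] || { echo "usage: render_vpn_rules WAN_IF LAN_IF LAN_NET [ADMIN_NET]" >&2; return 1; }
    wan="$1"; lan="$2"; lan_net="$3"; admin_net="${4:-0.0.0.0/0}"
    vpn_net="10.8.0.0/24"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The server itself: loopback, replies to its own traffic, ssh, OpenVPN.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
# (add rules with -i tun0 here for services VPN clients may use on the server)
# Routed traffic, in evaluation order: replies first, then each permitted direction.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o $lan -s $vpn_net -d $lan_net -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tun0 -o $wan -s $vpn_net -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide VPN clients and LAN hosts behind the WAN address.
-A POSTROUTING -o $wan -s $vpn_net -j MASQUERADE
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Stand-alone use:
#   sh render_vpn_rules.sh eth0 eth1 192.168.1.0/24 203.0.113.0/24 > rules.v4
if [ $# -ge 3 ]; then render_vpn_rules "$@"; fi
```

Load the result with iptables-restore < rules.v4 (iptables-restore --test only parses it, which is a cheap check before committing) and, for persistence, save it as /etc/iptables/rules.v4 with the iptables-persistent package. Because the file is applied atomically and lists rules in evaluation order, there is nothing to reason about regarding what -I inserts where.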


STEP 3. Create the Certificate Authority (run this once only!)

Do this step in a root shell (sudo -i): the scripts write under /etc/openvpn, and sudo resets the environment, so the variables sourced from vars would not reach scripts started with a separate sudo.

Copy the Easy-RSA generation scripts to /etc/openvpn

cp -r /usr/share/easy-rsa/ /etc/openvpn

Make the key storage directory

mkdir /etc/openvpn/easy-rsa/keys

Set the identity fields in vars; they become the default subject of every certificate you issue. KEY_SIZE in the same file sets the RSA key length; make sure it is 2048.

nano /etc/openvpn/easy-rsa/vars
export KEY_CITY="Singapore"
export KEY_ORG="My Company Name"
export KEY_EMAIL=""
export KEY_OU="ClientOrganizationalUnit"
export KEY_NAME="server"

Generate the Diffie-Hellman parameters (this takes a few minutes)

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Move to /etc/openvpn/easy-rsa/

cd /etc/openvpn/easy-rsa

Initialize the PKI (Public Key Infrastructure) by sourcing vars into the current shell

. ./vars

This prints "NOTE: If you run ./clean-all, it will be doing a rm -rf on /etc/openvpn/easy-rsa/keys". Since we haven't generated anything in the keys directory yet, the warning is nothing to be concerned about.

Now clear the working directory of any old or example keys to make way for the new ones.

./clean-all

Build the certificate authority (CA). This invokes an interactive OpenSSL command that prompts you to confirm Easy-RSA's variables; simply press ENTER to pass through each prompt.

./build-ca

Remember that this step (generating the Certificate Authority) should only run once: re-running build-ca (or clean-all) replaces the CA key, and every server and client certificate signed by the old CA stops validating. The resulting keys/ca.key is the root of trust for the whole VPN. Keep it on this machine only and never copy it to clients; the server process itself only needs ca.crt.


STEP 4. Server-side certificate and key

Still working from /etc/openvpn/easy-rsa, in the same root shell in which you sourced vars, generate a certificate and key for the server:

./build-key-server server

("server" names the output files keys/server.crt and keys/server.key; the prompts are pre-filled from vars, where KEY_NAME was also set to "server".)

Just press ENTER to pass through each of these:
A challenge password []:
An optional company name []:

Answer y to the two queries below.
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]

Move the server certificate and key
OpenVPN expects the CA certificate and the server's certificate and key in /etc/openvpn, under the file names given by the ca, cert and key lines in server.conf. Copy them into place and make sure server.key stays readable by root only.

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

Start OpenVPN

service openvpn start
service openvpn status

If it does not start, look in /var/log/syslog for OpenVPN errors. For example,

Options error: --key fails with 'server.key': No such file or directory

means the files were not copied, or server.conf's ca/cert/key/dh lines name files that do not exist. Relative paths in server.conf are resolved from /etc/openvpn, the directory the init script changes into before starting the daemon.
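Before starting the service, the check a practitioner wants is whether the files in /etc/openvpn are the ones server.conf names and whether they belong together. The following is an added example, not part of the page or of OpenVPN, of such a pre-flight check in shell. It assumes the STEP 1 to 4 layout (server.conf plus the ca/cert/key/dh files in one directory, /etc/openvpn by default) and uses the openssl command-line tool already used in STEP 3.

```shell
#!/bin/sh
# openvpn_preflight: check an OpenVPN server directory before starting the daemon.
# Added example, not part of the page or of OpenVPN. Assumes server.conf and the
# files named by its ca/cert/key/dh directives live under DIR (default
# /etc/openvpn), as set up in STEP 1-4. Prints every problem found on stderr and
# returns 0 only if every check passes.
openvpn_preflight() {
    dir="${1:-/etc/openvpn}"
    conf="$dir/server.conf"
    fail=0
    bad() { echo "FAIL: $*" >&2; fail=1; }

    [ -r "$conf" ] || { echo "FAIL: $conf is missing or unreadable" >&2; return 1; }

    # Value of a file directive, resolved the way OpenVPN does it: relative to the
    # config directory (the init script starts the daemon with --cd /etc/openvpn).
    # Lines starting with ';' or '#' are comments and do not match.
    getpath() {
        v=$(awk -v k="$2" '$1 == k { print $2; exit }' "$1")
        case "$v" in
            "") ;;
            /*) printf '%s\n' "$v" ;;
            *)  printf '%s/%s\n' "$(dirname "$1")" "$v" ;;
        esac
    }
    ca=$(getpath "$conf" ca); cert=$(getpath "$conf" cert)
    key=$(getpath "$conf" key); dh=$(getpath "$conf" dh)

    # 1. Every file the config names must exist (the "--key fails with
    #    'server.key': No such file or directory" case).
    for pair in "ca=$ca" "cert=$cert" "key=$key" "dh=$dh"; do
        name=${pair%%=*}; path=${pair#*=}
        [ -n "$path" ] || { bad "no '$name' directive in $conf"; continue; }
        [ -r "$path" ]  || bad "$name file $path not found"
    done
    [ "$fail" -eq 0 ] || return 1

    # 2. The server certificate must be signed by the CA the clients trust.
    #    (grep on the "OK" line: old openssl versions exit 0 even on failure.)
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
        || bad "$cert does not verify against $ca"

    # 3. Certificate and private key must belong together: compare the public
    #    key embedded in each.
    [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)" ] \
        || bad "$cert and $key do not match"

    # 4. The private key must not be readable by group or others.
    case "$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")" in
        *00) ;;
        *)   bad "$key is readable by group/others; chmod 600 it" ;;
    esac

    # 5. DH parameters of at least 2048 bits, as configured in STEP 1.
    bits=$(openssl dhparam -in "$dh" -noout -text 2>/dev/null \
           | grep -m1 -o '[0-9][0-9]* bit' | cut -d' ' -f1) || bits=""
    [ "${bits:-0}" -ge 2048 ] \
        || bad "DH parameters in $dh are ${bits:-unreadable} bits, want at least 2048"

    # 6. Privilege drop after initialisation, as uncommented in STEP 1.
    { grep -q '^user ' "$conf" && grep -q '^group ' "$conf"; } \
        || bad "user/group directives are not set in $conf"

    return "$fail"
}

# Stand-alone use: sh openvpn_preflight.sh [/etc/openvpn]
if [ $# -ge 1 ]; then openvpn_preflight "$1"; fi
```

Run it as root (server.key is not readable by anyone else) right before service openvpn start; a clean run means the "No such file or directory" class of error above cannot occur, and a certificate/key mismatch is caught here rather than at the first client handshake.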


STEP 5. Generate certificates and keys for clients

From /etc/openvpn/easy-rsa, with vars sourced, run one build-key per device:

./build-key client_name1
./build-key client_name2
./build-key client_name3

Press ENTER to accept the defaults, then answer y to:
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]

Each device gets its own certificate with a unique Common Name (the name you pass to build-key). Do not share one certificate between devices: the server could not tell them apart, and you could not revoke one without cutting off all of them. build-key produces an unencrypted private key; use ./build-key-pass instead if the client key should be protected by a passphrase.

Now copy the sample client configuration once per client. In the copy we change the extension from .conf to .ovpn, which is what the client software expects (for example client_name1.conf becomes client_name1.ovpn).

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client_name1.ovpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client_name2.ovpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client_name3.ovpn


STEP 6. Transfer certificates and keys to the client devices

The client certificates and keys were generated on the server and are still sitting there, in /etc/openvpn/easy-rsa/keys.

ca.crt and the .ovpn template are the same for all client devices; each device additionally needs its own client_nameN.crt and client_nameN.key.

ca.crt and the .ovpn files are in /etc/openvpn/easy-rsa/keys as well.

Securely copy out the client_name1.key file. It is the device's credential, so use an authenticated channel such as scp, never e-mail or a shared folder:

scp Downloads/

Make sure you have the following 4 files for your client: ca.crt, client_name1.crt, client_name1.key and client_name1.ovpn. ca.key is not one of them; it never leaves the CA machine.

STEP 7. Create a unified OpenVPN profile for the client

A unified profile carries the CA certificate, the client certificate and the client key inline, so the device needs only one .ovpn file. Edit client_name1.ovpn and enter your VPN server's public IP address or hostname:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote x.x.x.x 1194

Uncomment user nobody and group nogroup (non-Windows clients only, as the sample file says)

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

Insert the certificates and key: comment out the three file directives and paste the contents of each file between the matching inline tags.

# SSL/TLS parms.
# . . .
#ca ca.crt
#cert client.crt
#key client.key

<ca>
(contents of ca.crt)
</ca>
<cert>
(contents of client_name1.crt)
</cert>
<key>
(contents of client_name1.key)
</key>

Also add the line remote-cert-tls server, so the client only accepts a server certificate issued with build-key-server; without it, any certificate signed by the CA, including another client's, would be accepted as the server.

Save client_name1.ovpn and deploy it on the client device. The file now contains a private key, so handle it like a password.
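Doing STEP 7 by hand for every device invites mistakes (the wrong key pasted, the text dump that Easy-RSA prepends to .crt files copied along, the profile left world-readable). The following is an added example, not the page's own script, that builds the unified profile from the template and the three files; the file names and the server address are whatever the caller passes in, and the remote-cert-tls line is added as discussed above.

```shell
#!/bin/sh
# make_unified_ovpn: build a single-file client profile for STEP 7, replacing the
# ca/cert/key file directives with OpenVPN's inline <ca>, <cert> and <key> blocks.
# Added example, not part of the page; all paths and the server address are
# caller-supplied assumptions.
# Usage: make_unified_ovpn TEMPLATE CA_CRT CLIENT_CRT CLIENT_KEY SERVER_ADDR OUT_OVPN

# Print only the PEM block of the given type from a file. Easy-RSA .crt files
# carry a human-readable text dump before the PEM; OpenVPN tolerates it, but a
# profile should carry just the PEM.
pem_block() { sed -n "/-----BEGIN $2-----/,/-----END $2-----/p" "$1"; }

make_unified_ovpn() {
    [ $# -eq 6 ] || { echo "usage: make_unified_ovpn TEMPLATE CA CERT KEY SERVER OUT" >&2; return 1; }
    template="$1"; ca="$2"; cert="$3"; key="$4"; server="$5"; out="$6"
    for f in "$template" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Refuse the classic mix-ups: the .csr or the .crt passed as the key, or a
    # certificate file that is not a certificate.
    grep -q 'PRIVATE KEY-----' "$key"        || { echo "$key: not a private key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE-----' "$cert" || { echo "$cert: not a certificate" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE-----' "$ca"   || { echo "$ca: not a certificate" >&2; return 1; }
    (
        umask 077   # the profile contains a private key: create it mode 0600
        {
            # Point the profile at this server and disable the file-based
            # directives (";" starts a comment in OpenVPN config files).
            sed -e "s|^remote .*|remote $server 1194|" \
                -e 's/^ca /;&/' -e 's/^cert /;&/' -e 's/^key /;&/' "$template"
            # Accept only a server certificate issued with build-key-server,
            # so a certificate issued to another client cannot pose as the server.
            echo 'remote-cert-tls server'
            echo '<ca>';   pem_block "$ca"   'CERTIFICATE';      echo '</ca>'
            echo '<cert>'; pem_block "$cert" 'CERTIFICATE';      echo '</cert>'
            echo '<key>';  pem_block "$key"  '.*PRIVATE KEY';    echo '</key>'
        } > "$out"
    )
}

# Stand-alone use:
#   sh make_unified_ovpn.sh client.conf ca.crt client_name1.crt client_name1.key 203.0.113.10 client_name1.ovpn
if [ $# -eq 6 ]; then make_unified_ovpn "$@"; fi
```

Run it on the CA machine once per client, in the keys directory from STEP 5, and copy only the resulting .ovpn to the device; the .crt and .key need not travel separately any more.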


STEP 8. Deploy the client profile

Download and install the OpenVPN client on the device.

Save the client_name1.ovpn file in the client's configuration directory:

C:\Program Files\OpenVPN\config\client_name1.ovpn

Always run the OpenVPN client as Administrator: it needs that privilege to add the routes the server pushes (redirect-gateway).
