A Virtual Private Network (VPN) allows you to traverse untrusted networks as if you were on a private network. It gives you the freedom to access the internet safely and securely from your smartphone or laptop when connected to an untrusted network, like the WiFi at a hotel or coffee shop.
When combined with HTTPS connections, this setup allows you to secure your wireless logins and transactions. You can circumvent geographical restrictions and censorship, and shield your location and any unencrypted HTTP traffic from untrusted networks.
OpenVPN is a full-featured, open-source Transport Layer Security (TLS) VPN solution that accommodates a wide range of configurations. In this comprehensive tutorial, you will learn how to set up OpenVPN on Ubuntu servers (20.04, 22.04, 24.04, and 25.04), and then configure it to be accessible from client machines across multiple platforms.
Why OpenVPN? OpenVPN offers enterprise-grade security with strong encryption, cross-platform compatibility, and extensive configuration options. It’s particularly well-suited for Ubuntu servers due to its excellent integration with the Linux ecosystem and robust security features.
Thank you for the fresh tutorial version for 20.04. I’ve done everything up to Step 13. Now I’m setting up a client with Linux. After running sudo openvpn --config client1.ovpn, I get TLS Error: TLS handshake failed. What should I check if I misconfigured something?
One caveat that cost me a day (ending in a facepalm):
I don’t enable ufw on all machines (that are behind other firewalls). So I had the 1194 port forwarded.
However! If ufw is not enabled, the iptables NAT (masquerade) command doesn’t get executed and you’ll only be able to reach the target server, not the network/LAN.
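The condition described in the comment above can be checked directly. This is an added example, not part of the tutorial or the comment: it looks for the masquerade rule in `iptables -t nat -S` output and confirms IP forwarding is on. The subnet 10.8.0.0/24, the function names and the sample rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example: why VPN clients reach the server but nothing behind it.
# Assumption: VPN subnet 10.8.0.0/24 (OpenVPN's sample default); pass yours instead.

# has_masquerade SUBNET: reads `iptables -t nat -S` output on stdin and succeeds
# if a POSTROUTING rule masquerades traffic sourced from SUBNET.
has_masquerade() {
    while IFS= read -r rule || [ -n "$rule" ]; do
        case "$rule" in
            "-A POSTROUTING "*"-s $1 "*"-j MASQUERADE"*) return 0 ;;
        esac
    done
    return 1
}

# forwarding_enabled FILE: succeeds if FILE (normally
# /proc/sys/net/ipv4/ip_forward) contains 1.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# diagnose SUBNET RULES_FILE FORWARD_FILE: prints ok, no-forwarding or no-nat.
diagnose() {
    if ! forwarding_enabled "$3"; then
        echo "no-forwarding"   # kernel will not route client packets
    elif ! has_masquerade "$1" < "$2"; then
        echo "no-nat"          # e.g. ufw not enabled, so its NAT rule never loaded
    else
        echo "ok"
    fi
}

# Constructed sample: NAT table of a host where no masquerade rule was loaded.
sample_rules() {
    printf '%s\n' '-P PREROUTING ACCEPT' '-P INPUT ACCEPT' \
                  '-P OUTPUT ACCEPT' '-P POSTROUTING ACCEPT'
}

work=$(mktemp -d)
if [ "${1:-}" = "--live" ]; then      # run as root on the VPN server
    iptables -t nat -S > "$work/nat"
    fwd=/proc/sys/net/ipv4/ip_forward
else                                  # offline demo on the constructed sample
    sample_rules > "$work/nat"
    echo 1 > "$work/fwd"; fwd="$work/fwd"
fi
echo "verdict: $(diagnose "${2:-10.8.0.0/24}" "$work/nat" "$fwd")"
rm -rf "$work"
```

Run it with `--live` and, optionally, your own subnet as the second argument; `iptables -S` prints networks in normalized form, so pass the subnet as it appears there.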
Great tutorial, thanks. I’m running into a problem when I try to run the make_config.sh script. Error message says “./make_config.sh: line 9: /root/client-configs/files/client1.ovpn: No such file or directory”. I copy/pasted the make_config.sh file as it appears in the tutorial.
Great tutorial! I’m having trouble making the request to my CA Server in step 4. Not sure what the issue is because I can ssh into both servers just fine.
user@ip: Permission denied (publickey).
lost connection
OK, so now I’m trying to connect via the OpenVPN client for Windows 10. I’m getting the following log/error messages when I try to connect:
Tue Jun 02 15:47:21 2020 NOTE: --user option is not implemented on Windows
Tue Jun 02 15:47:21 2020 NOTE: --group option is not implemented on Windows
Tue Jun 02 15:47:21 2020 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Tue Jun 02 15:47:21 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jun 02 15:47:21 2020 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Tue Jun 02 15:47:21 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jun 02 15:47:21 2020 Need hold release from management interface, waiting...
Tue Jun 02 15:47:21 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jun 02 15:47:21 2020 MANAGEMENT: CMD 'state on'
Tue Jun 02 15:47:21 2020 MANAGEMENT: CMD 'log all on'
Tue Jun 02 15:47:21 2020 MANAGEMENT: CMD 'echo all on'
Tue Jun 02 15:47:21 2020 MANAGEMENT: CMD 'bytecount 5'
Tue Jun 02 15:47:21 2020 MANAGEMENT: CMD 'hold off'
Tue Jun 02 15:47:21 2020 MANAGEMENT: CMD 'hold release'
Tue Jun 02 15:47:21 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jun 02 15:47:21 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jun 02 15:47:21 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jun 02 15:47:21 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jun 02 15:47:21 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]173.228.31.9:1194
Tue Jun 02 15:47:21 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jun 02 15:47:21 2020 UDP link local: (not bound)
Tue Jun 02 15:47:21 2020 UDP link remote: [AF_INET]173.228.31.9:1194
Tue Jun 02 15:47:21 2020 MANAGEMENT: >STATE:1591138041,WAIT,,,,,,
Very good and thorough instructions, but so far not yielding success with my Android OpenVPN and Ubuntu 18.04 OpenVPN clients. These error couplets appear on the server side during connection attempts:
openvpn[2169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
openvpn[2169]: TLS Error: incoming packet authentication failed from [AF_INET]x.x.x.x:40165
Expect I missed a step somewhere - maybe something went wrong on the CA side? I’m using a new Ubuntu 20.04 CA host, set up according to DigitalOcean’s (that would be your, Jamon Camisso’s) article on the subject, using the recommended ec/sha512 settings.
After the initial failure, tried changing the cipher method and explicitly setting the server-side key-direction to 0, regenerating the client .ovpn files, and restarting the service, but so far no luck.
The same clients successfully connect to my older VPN server (with different .ovpn files, of course).
Hello, thanks for the tutorial. But after I did everything, I can’t access internet through vpn. I can connect vpn without any problems on different device and OS but can’t access any websites. Is there other things I need to do as a newbie on ubuntu? Thanks.
Is it possible to protect the .ovpn file with a username and password?
Is it also possible to add support for using IPv6 along with IPv4?
thanks mate. great tut with clear steps and explanation. nitpicky correction, step 7, para. 6 says: “This line should be uncommented.” think it should say: “This line should be commented out.”