{"id":20202,"date":"2024-02-21T23:08:33","date_gmt":"2024-02-21T20:08:33","guid":{"rendered":"https:\/\/kifarunix.com\/?p=20202"},"modified":"2024-09-26T20:45:06","modified_gmt":"2024-09-26T17:45:06","slug":"how-to-install-openvpn-server-on-ubuntu-24-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-install-openvpn-server-on-ubuntu-24-04\/","title":{"rendered":"How to Install OpenVPN Server on Ubuntu 24.04"},"content":{"rendered":"\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2020\\\/05\\\/install-and-setup-openvpn.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-12795&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:988,&quot;targetHeight&quot;:550,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image: install OpenVPN Server on Ubuntu 24.04&quot;,&quot;alt&quot;:&quot;install OpenVPN Server on Ubuntu 24.04&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"988\" height=\"550\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn.png\" alt=\"install OpenVPN Server on Ubuntu 24.04\" class=\"wp-image-12795\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn.png 988w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn-768x428.png 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn-150x84.png 150w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn-300x167.png 300w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn-696x387.png 696w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/05\/install-and-setup-openvpn-754x420.png 754w\" sizes=\"(max-width: 988px) 100vw, 988px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image: install OpenVPN Server on Ubuntu 24.04\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>In this guide, you will learn how to install OpenVPN Server on Ubuntu 24.04.&nbsp;<a href=\"https:\/\/openvpn.net\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenVPN<\/a>&nbsp;is a robust and highly flexible open-source VPN software that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It facilitates the extension of private network across a public network, access remote sites, make secure point-to-point connections, while maintaining security that would be achieved in a private network.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-open-vpn-server-on-ubuntu-24-04\">Install OpenVPN Server on Ubuntu 24.04<\/a><ul><li><a href=\"#run-system-update\">Run system update<\/a><\/li><li><a href=\"#install-open-vpn-on-ubuntu-24-04\">Install OpenVPN on Ubuntu 24.04<\/a><\/li><li><a href=\"#install-easy-rsa-ca-utility-on-ubuntu-24-04\">Install Easy-RSA CA Utility on Ubuntu 24.04<\/a><\/li><li><a href=\"#create-open-vpn-public-key-infrastructure\">Create OpenVPN Public Key Infrastructure<\/a><ul><li><a href=\"#generate-the-certificate-authority-ca-certificate-and-key\">Generate the Certificate Authority (CA) Certificate and Key<\/a><\/li><li><a href=\"#generate-diffie-hellman-parameters\">Generate Diffie Hellman Parameters<\/a><\/li><\/ul><\/li><li><a href=\"#generate-open-vpn-server-certificate-and-key\">Generate OpenVPN Server Certificate and Key<\/a><\/li><li><a href=\"#generate-hash-based-message-authentication-code-hmac-key\">Generate Hash-based Message Authentication Code (HMAC) key<\/a><\/li><li><a href=\"#generate-open-vpn-revocation-certificate\">Generate OpenVPN Revocation Certificate<\/a><\/li><li><a href=\"#copy-server-certificates-and-keys-to-server-config-directory\">Copy Server Certificates and Keys to Server Config Directory<\/a><\/li><li><a href=\"#generate-open-vpn-client-certificates-and-keys\">Generate OpenVPN Client Certificates and Keys<\/a><\/li><li><a href=\"#copy-client-certificates-and-keys-to-client-directory\">Copy Client Certificates and Keys to Client Directory<\/a><\/li><li><a href=\"#configure-open-vpn-server-on-ubuntu-24-04\">Configure OpenVPN Server on Ubuntu 24.04<\/a><\/li><li><a href=\"#configure-open-vpn-ip-forwarding\">Configure OpenVPN IP Forwarding<\/a><\/li><li><a href=\"#configure-ip-masquerading-on-ufw\">Configure IP Masquerading on UFW<\/a><\/li><li><a href=\"#running-open-vpn-server-on-ubuntu-24-04\">Running OpenVPN Server on Ubuntu 24.04<\/a><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-open-vpn-server-on-ubuntu-24-04\">Installing OpenVPN Server on Ubuntu 24.04<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"run-system-update\">Run system update<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt update<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-open-vpn-on-ubuntu-24-04\">Install OpenVPN on Ubuntu 24.04<\/h3>\n\n\n\n<p>OpenVPN package is available on the default Ubuntu 24.04 repos. Thus, to install OpenVPN server, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt install openvpn<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-easy-rsa-ca-utility-on-ubuntu-24-04\">Install Easy-RSA CA Utility on Ubuntu 24.04<\/h3>\n\n\n\n<p>Easy-RSA package provides utilities for generating SSL key-pairs that is used to secure VPN connections.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt install easy-rsa<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-vpn-public-key-infrastructure\">Create OpenVPN Public Key Infrastructure<\/h3>\n\n\n\n<p>Once you have installed easy-rsa, you need to initialize the OpenVPN PKI. The PKI consists of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a public key and private key for the server and each client<\/li>\n\n\n\n<li>a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.<\/li>\n<\/ul>\n\n\n\n<p>Before you can proceed, copy the easy-rsa configuration directory to a different location to ensure that that future OpenVPN package upgrades won\u2019t overwrite your modifications.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cp -r \/usr\/share\/easy-rsa \/etc\/<\/pre>\n\n\n\n<p>Next, initialize the PKI.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/etc\/easy-rsa\/<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo .\/easyrsa init-pki<\/pre>\n\n\n\n<p>Once the PKI is initialized, <code><strong>\/etc\/easy-rsa\/pki<\/strong><\/code> is created.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"generate-the-certificate-authority-ca-certificate-and-key\">Generate the Certificate Authority (CA) Certificate and Key<\/h4>\n\n\n\n<p>Next, generate the CA certificate and key for signing OpenVPN server and client certificates.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/etc\/easy-rsa\/<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo <span style=\"background-color: initial; font-family: inherit; font-size: inherit; color: inherit;\">.\/easyrsa build-ca<\/span><\/code><\/pre>\n\n\n\n<p>This will prompt you for the CA key passphrase and the server common name.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>No Easy-RSA 'vars' configuration file exists!\n\nUsing SSL:\n* openssl OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)\n\nEnter New CA Key Passphrase: \n\nConfirm New CA Key Passphrase: \n....+..+...+.+...........+.+..............+.+..+......+.+.....+....+.........+........+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+...+...+..+.+...........+.+...+..+...+....+..+.+............+..+.........+.......+..+.......+...+.....+.......+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+....+.....+.........+..........+.....+....+..+....+..+.........+......+.......+.....+......+...............+.+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n............+...+.....+.+........+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+...+..+...+.+.....+..................+...+...+.+...+..+..........+...+..+......+.......+..+......+....+.........+..+....+......+...+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+....+..+....+...+...+............+...........+.......+..+...+..........+...............+...+..+...+....+..+...+..........+..+...+.......+........+.+......+.....+....+......+.....+...+.+.........+..+.........+.......+...+...........+...................+............+..+......+.......+........+.......+..+.+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCommon Name (eg: your user, host, or server name) [Easy-RSA CA]:kifarunix\n\nNotice\n------\nCA creation complete. Your new CA certificate is at:\n* \/etc\/easy-rsa\/pki\/ca.crt\n<\/code><\/pre>\n\n\n\n<p>The CA certificate is generated and stored at&nbsp;<code>\/etc\/easy-rsa\/pki\/ca.crt<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"generate-diffie-hellman-parameters\">Generate Diffie Hellman Parameters<\/h4>\n\n\n\n<p>Generate Diffie-Hellman keys used for key exchange during the TLS handshake between OpenVPN server and the connecting clients. This command has be executed within the Easy-RSA directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo .\/easyrsa gen-dh<\/pre>\n\n\n\n<p>DH parameters of size 2048 created at <code><strong>\/etc\/easy-rsa\/pki\/dh.pem<\/strong><\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generate-open-vpn-server-certificate-and-key\">Generate OpenVPN Server Certificate and Key<\/h3>\n\n\n\n<p>To generate a certificate and private key for the OpenVPN server, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/etc\/easy-rsa<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo .\/easyrsa build-server-full server nopass<\/pre>\n\n\n\n<p>Enter the CA key passphrase created above to generate the certificates and keys.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>nopass<\/code><\/strong>&nbsp;disables the use of passphrase.<\/li>\n\n\n\n<li><strong>server<\/strong> is the name assigned to the server for which the certificate is being generated. You can replace &#8220;server&#8221; with the actual name you want to give to your server.<\/li>\n<\/ul>\n\n\n\n<p>An inline file with is also generated, e.g <strong><code>\/etc\/easy-rsa\/pki\/inline\/server.inline<\/code><\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generate-hash-based-message-authentication-code-hmac-key\">Generate Hash-based Message Authentication Code (HMAC) key<\/h3>\n\n\n\n<p>TLS\/SSL pre-shared authentication key is used as an additional HMAC signature on all SSL\/TLS handshake packets to avoid DoS attack and UDP port flooding. This can be generated using the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo openvpn --genkey secret \/etc\/easy-rsa\/pki\/ta.key<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generate-open-vpn-revocation-certificate\">Generate OpenVPN Revocation Certificate<\/h3>\n\n\n\n<p>To invalidate a previously signed certificate, you need to generate a revocation certificate. Run the script within the Easy-RSA directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo .\/easyrsa gen-crl<\/pre>\n\n\n\n<p>The revocation certificate is generated and stored at&nbsp;<code>\/etc\/easy-rsa\/pki\/crl.pem<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"copy-server-certificates-and-keys-to-server-config-directory\">Copy Server Certificates and Keys to Server Config Directory<\/h3>\n\n\n\n<p>Copy all generated server certificates\/keys to OpenVPN server configuration directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,dh.pem,ta.key,crl.pem,issued,private} \/etc\/openvpn\/server\/<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generate-open-vpn-client-certificates-and-keys\">Generate OpenVPN Client Certificates and Keys<\/h3>\n\n\n\n<p>OpenVPN clients certificates and private keys can be generated as follows<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/etc\/easy-rsa<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo .\/easyrsa build-client-full gentoo nopass<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>where&nbsp;<strong><code>gentoo<\/code><\/strong>&nbsp;is the name of the client for which the certificate and keys are generated.<\/li>\n\n\n\n<li>Always use a unique common name for each client that you are generating certificate and keys for.<\/li>\n<\/ul>\n\n\n\n<p>To generate for the second client,<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo .\/easyrsa build-client-full janedoe nopass<\/pre>\n\n\n\n<p>You can see how to use <code>easyrsa<\/code> command with <code>.\/easyrsa --help<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"copy-client-certificates-and-keys-to-client-directory\">Copy Client Certificates and Keys to Client Directory<\/h3>\n\n\n\n<p>Create OpenVPN clients directories. For example, we have generated certificates and key files for two clients, gentoo and janedoe, hence we create directories as;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo mkdir \/etc\/openvpn\/client\/{gentoo,janedoe}<\/pre>\n\n\n\n<p>After that, copy the client generated certificates\/keys and server CA certificate to OpenVPN client configuration directory. You can<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,issued\/gentoo.crt,private\/gentoo.key} \/etc\/openvpn\/client\/gentoo<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,issued\/janedoe.crt,private\/janedoe.key} \/etc\/openvpn\/client\/janedoe\/<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-vpn-server-on-ubuntu-24-04\">Configure OpenVPN Server on Ubuntu 24.04<\/h3>\n\n\n\n<p>The next step is to configure OpenVPN server.<\/p>\n\n\n\n<p>Copy the sample OpenVPN server configuration to <code>\/etc\/openvpn\/server<\/code> directory as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf \/etc\/openvpn\/server\/<\/pre>\n\n\n\n<p>Extract the configuration and modify it to suite your needs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo vim \/etc\/openvpn\/server\/server.conf<\/pre>\n\n\n\n<p>The configuration is highly commented to help you understand various option usage.<\/p>\n\n\n\n<p>This is how our sample configurations looks like with no comments.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>port 1194\nproto udp4\ndev tun\nca ca.crt\ncert issued\/server.crt\nkey private\/server.key  # This file should be kept secret\ndh dh.pem \ntopology subnet\nserver 172.16.20.0 255.255.255.0\nifconfig-pool-persist \/var\/log\/openvpn\/ipp.txt\npush \"redirect-gateway def1 bypass-dhcp\"\npush \"dhcp-option DNS 208.67.222.222\"\npush \"dhcp-option DNS 208.67.220.220\"\nclient-to-client\nkeepalive 10 120\ntls-auth ta.key 0 # This file is secret\ncipher AES-256-CBC\npersist-key\npersist-tun\nstatus \/var\/log\/openvpn\/openvpn-status.log\nlog-append  \/var\/log\/openvpn\/openvpn.log\nverb 3\nexplicit-exit-notify 1\nauth SHA512\n<\/code><\/pre>\n\n\n\n<p>Save and exit the config once done editing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-vpn-ip-forwarding\">Configure OpenVPN IP Forwarding<\/h3>\n\n\n\n<p>To ensure that traffic from the client is routed through the OpenVPN server&#8217;s IP address (helps masks the the client IP address), you need to enable IP forwarding on the OpenVPN server. <\/p>\n\n\n\n<p>Uncomment the line, <code><strong>net.ipv4.ip_forward=1<\/strong><\/code>, on <code><strong>\/etc\/sysctl.conf<\/strong><\/code> to enable packet forwarding for IPv4 <\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo sed -i 's\/#net.ipv4.ip_forward=1\/net.ipv4.ip_forward=1\/' \/etc\/sysctl.conf<\/pre>\n\n\n\n<p>Apply the changes without rebooting the server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo sysctl --system<\/pre>\n\n\n\n<p>Allow OpenVPN service port through firewall;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo ufw allow 1194\/udp<\/pre>\n\n\n\n<p>You can also limit connection to specific sources only;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ufw allow from &lt;source&gt; to any port 1194 proto udp comment \"Allow VPN Clients\"<\/code><\/pre>\n\n\n\n<p>Or iptables;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo iptables -A INPUT -p udp --dport 1194 -m comment --comment \"Allow VPN Client\" -j ACCEPT<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-ip-masquerading-on-ufw\">Configure IP Masquerading on UFW<\/h3>\n\n\n\n<p>Find your default interface through which your packets are sent.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ip route get 8.8.8.8<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>8.8.8.8 via 10.0.2.2 dev enp0s3 src 10.0.2.15 uid 1000 \n    cache<\/code><\/pre>\n\n\n\n<p>Next, update UFW rules (if you are using UFW);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo vim \/etc\/ufw\/before.rules<\/code><\/pre>\n\n\n\n<p>Add the following highlighted lines just before the <strong><code>*filter<\/code><\/strong> table settings. Note the interface used shoud match the interface name above.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n<strong>*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 172.16.20.0\/24 -o enp0s3 -j MASQUERADE\nCOMMIT<\/strong>\n# Don't delete these required lines, otherwise there will be errors\n*filter\n...\n<\/code><\/pre>\n\n\n\n<p>Save and exit the config.<\/p>\n\n\n\n<p>Enable UFW packet forwarding;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo sed -i 's\/DEFAULT_FORWARD_POLICY=\"DROP\"\/DEFAULT_FORWARD_POLICY=\"ACCEPT\"\/' \/etc\/default\/ufw<\/pre>\n\n\n\n<p>If using IPtables then use the command below to enable IP masquerading;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo iptables -t nat -A POSTROUTING -s 172.16.20.0\/24 -o enp0s3 -j MASQUERADE<\/code><\/pre>\n\n\n\n<p>Reload UFW;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ufw reload<\/pre>\n\n\n\n<p>Or if you are using iptables, save the rule across, across system reboots;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo cp \/etc\/iptables\/rules.v4{,.bak}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo iptables-save | sudo tee \/etc\/iptables\/rules.v4<\/code><\/pre>\n\n\n\n<p>Restart Iptables (ensure <strong>iptables-persistent<\/strong> package is installed)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"running-open-vpn-server-on-ubuntu-24-04\">Running OpenVPN Server on Ubuntu 24.04<\/h3>\n\n\n\n<p>Start and enable OpenVPN server to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo systemctl enable --now openvpn-server@server<\/pre>\n\n\n\n<p>Checking the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl status openvpn-server@server<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf openvpn-server@server.service - OpenVPN service for server\n     Loaded: loaded (\/usr\/lib\/systemd\/system\/openvpn-server@.service; enabled; preset: enabled)\n     Active: active (running) since Wed 2024-02-21 20:34:47 CET; 13min ago\n       Docs: man:openvpn(8)\n             https:\/\/community.openvpn.net\/openvpn\/wiki\/Openvpn24ManPage\n             https:\/\/community.openvpn.net\/openvpn\/wiki\/HOWTO\n   Main PID: 30867 (openvpn)\n     Status: \"Initialization Sequence Completed\"\n      Tasks: 1 (limit: 4622)\n     Memory: 1.4M (peak: 1.7M)\n        CPU: 22ms\n     CGroup: \/system.slice\/system-openvpn\\x2dserver.slice\/openvpn-server@server.service\n             \u2514\u250030867 \/usr\/sbin\/openvpn --status \/run\/openvpn-server\/status-server.log --status-version 2 --suppress-timestamps --config server.conf\n\nFeb 21 20:34:47 noble-numbat systemd[1]: Starting openvpn-server@server.service - OpenVPN service for server...\nFeb 21 20:34:47 noble-numbat systemd[1]: Started openvpn-server@server.service - OpenVPN service for server.\n<\/code><\/pre>\n\n\n\n<p>When OpenVPN service runs, it will create a tunnelling interface, tun0;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ip add s<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500\n    link\/none \n    inet 172.16.20.1\/24 scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::1a27:fd70:3668:112f\/64 scope link stable-privacy \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p>Also, be sure to check the logs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo tail \/var\/log\/openvpn\/openvpn.log<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>net_iface_mtu_set: mtu 1500 for tun0\nnet_iface_up: set tun0 up\nnet_addr_v4_add: 172.16.20.1\/24 dev tun0\nSocket Buffers: R=[212992->212992] S=[212992->212992]\nUDPv4 link local (bound): [AF_INET][undef]:1194\nUDPv4 link remote: [AF_UNSPEC]\nMULTI: multi_init called, r=256 v=256\nIFCONFIG POOL IPv4: base=172.16.20.2 size=253\nIFCONFIG POOL LIST\nInitialization Sequence Completed\n<\/code><\/pre>\n\n\n\n<p>Magnificent. The OpenVPN server is now ready. That marks the end of our guide on installing OpenVPN Server on Ubuntu 24.04.<\/p>\n\n\n\n<p>You can now configure your clients accordingly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-configure-openvpn-client-on-centos-8-ubuntu-18-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Configure OpenVPN Client on CentOS\/Ubuntu<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/assign-static-ip-addresses-for-openvpn-clients\/\" target=\"_blank\" rel=\"noreferrer noopener\">Assign Static IP Addresses for OpenVPN Clients<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, you will learn how to install OpenVPN Server on Ubuntu 24.04.&nbsp;OpenVPN&nbsp;is a robust and highly flexible open-source VPN software that uses all<\/p>\n","protected":false},"author":10,"featured_media":12795,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,282,321],"tags":[7411,7413,7412],"class_list":["post-20202","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-openvpn","category-vpn","tag-install-openvpn-ubuntu-24-04","tag-openvpn-server-ubuntu-24-04","tag-ubuntu-24-04-openvpn-install","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20202"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=20202"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20202\/revisions"}],"predecessor-version":[{"id":23292,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20202\/revisions\/23292"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12795"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=20202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=20202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=20202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}