Step-by-step guide to setting up and configuring OpenVPN on Ubuntu 22.04
A complete guide to setting up and configuring OpenVPN server on Ubuntu 22.04 with proper security and optimization practices.

This article will teach you how to install and configure OpenVPN server on Ubuntu 22.04. This guide covers various steps including installing packages, configuring a firewall, and security tips.

Why should we set up OpenVPN on Ubuntu 22.04?

This guide is a practical, comprehensive tutorial for setting up and configuring OpenVPN on Ubuntu 22.04, aimed at system administrators, DevOps engineers, traders, and gamers. The steps cover installing packages, creating a PKI with EasyRSA, configuring the server and client, setting up a firewall (ufw/iptables), enabling routing, and security measures such as tls-crypt, Certificate Revocation List (CRL) management, and fail2ban.

Prerequisites

To follow this guide you will need the following:

  • An Ubuntu 22.04 server with a user that has sudo access
  • A public IP address or dedicated IP range (IPv4/IPv6 if needed)
  • A free port (UDP 1194 by default, or a custom port to reduce exposure to port scanners)
  • At least 1GB of RAM for base load; increase resources for enterprise use or hundreds of connections

Part 1 — Installing OpenVPN and EasyRSA

First, update the packages and then install OpenVPN and EasyRSA.

sudo apt update && sudo apt upgrade -y
sudo apt install -y openvpn easy-rsa

Copy the EasyRSA template directory and initialise the PKI:

make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
./easyrsa init-pki

Part 2 — Creating CAs, Keys, and Certificates

Steps to create CA, keys, and certificates with EasyRSA:

./easyrsa build-ca nopass        # nopass leaves the CA key unencrypted; protect this directory accordingly
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
./easyrsa gen-dh
openvpn --genkey secret /etc/openvpn/ta.key   # tls-crypt key (OpenVPN 2.5 syntax; 2.4 used --genkey --secret)
./easyrsa gen-crl                              # an empty CRL is fine to start with
# Copy the server-side material out of the PKI to the paths the server config refers to
cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem /etc/openvpn/
cp pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem                 # re-read after privileges drop to nobody, so it must stay readable

Files required for the server:

  • /etc/openvpn/server.crt
  • /etc/openvpn/server.key
  • /etc/openvpn/ca.crt
  • /etc/openvpn/dh.pem
  • /etc/openvpn/ta.key
  • /etc/openvpn/crl.pem

Part 3 — Configuring the OpenVPN Server

Create the server configuration file at /etc/openvpn/server/server.conf. The following example is a basic but secure configuration using AES-256-GCM and tls-crypt.

port 1194
proto udp
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/ta.key

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"

keepalive 10 120
cipher AES-256-GCM
auth SHA256
data-ciphers AES-256-GCM   # OpenVPN 2.5 name for ncp-ciphers; the old name is still accepted as an alias
persist-key
persist-tun

user nobody
group nogroup

status /var/log/openvpn/status.log
log /var/log/openvpn/openvpn.log
verb 3

crl-verify /etc/openvpn/crl.pem

Tips:

  • Using AES-256-GCM with SHA256 HMAC authentication is recommended.
  • For minimal latency in latency-sensitive use such as trading or gaming, UDP is more suitable; on restricted networks TCP may be necessary.
  • You can add tls-version-min 1.2 or tls-version-min 1.3 and a stricter TLS cipher list (tls-cipher).

Part 4 — Enabling Routing and NAT

Forwarding must be enabled and NAT must be configured to pass client traffic to the Internet.

Enable IPv4 forwarding temporarily:

sudo sysctl -w net.ipv4.ip_forward=1

To make it permanent:

echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-openvpn.conf
sudo sysctl --system

Adding a NAT rule with iptables (assuming output interface eth0):

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

To make rules persistent, use iptables-persistent or netfilter-persistent:

sudo apt install -y iptables-persistent
sudo netfilter-persistent save

If you use nftables instead, define the equivalent masquerade rule in nft.

UFW configuration (if enabled)

If you use ufw, edit /etc/ufw/before.rules and add a NAT section at the top of the file, before the existing *filter table. Short example:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Then in /etc/default/ufw set IPV4_FORWARDING to "yes", or use the sysctl setting above. Then open the OpenVPN port and enable ufw (allow your SSH port first, or enabling ufw on a remote server will lock you out):

sudo ufw allow 1194/udp
sudo ufw enable

Part 5 — Setting Up the OpenVPN Service

Start and enable the service (the unit name may vary between distributions):

sudo systemctl start openvpn-server@server.service
sudo systemctl enable openvpn-server@server.service

To check the status and log:

sudo systemctl status openvpn-server@server
journalctl -u openvpn-server@server -f

Part 6 — Creating a Client File (.ovpn) with an Inline Certificate

For ease of distribution, create a single .ovpn file that carries the CA certificate, client certificate, client key, and tls-crypt key inline. Fill in the placeholders in the following example with the generated values:

client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3

<ca>
-----BEGIN CERTIFICATE-----
(contents of ca.crt)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(contents of client1.crt)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(contents of client1.key)
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(contents of ta.key)
-----END OpenVPN Static key V1-----
</tls-crypt>

Transfer this file to your Windows, Mac, or Linux clients. On Linux, you can import it into NetworkManager or run openvpn --config client.ovpn directly.
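Assembling the inline profile by hand is error-prone, so here is an added helper script (not from the article) that builds the .ovpn above from the EasyRSA layout created in Part 2. The script name build_ovpn.sh, the function names, and the default paths /etc/openvpn/easy-rsa/pki and /etc/openvpn/ta.key are assumptions; it strips the human-readable dump EasyRSA prepends to issued certificates and refuses to emit a profile if any input file is missing.

```shell
#!/bin/sh
# build_ovpn.sh: assemble a client .ovpn with inline <ca>/<cert>/<key>/<tls-crypt>
# blocks from the EasyRSA layout used above. Added example, not from the article.
# Usage: sh build_ovpn.sh CLIENT SERVER_IP [PKI_DIR] [TA_KEY] > CLIENT.ovpn
set -eu
# Print only the PEM block of a file: EasyRSA's issued/*.crt files carry a
# human-readable certificate dump above the PEM that must not go inline.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

build_ovpn() {
    client=$1 server=$2
    pki=${3:-/etc/openvpn/easy-rsa/pki}   # assumed default PKI path
    ta=${4:-/etc/openvpn/ta.key}          # tls-crypt key generated in Part 2
    # Refuse to emit a half-built profile when any input is missing.
    for f in "$pki/ca.crt" "$pki/issued/$client.crt" "$pki/private/$client.key" "$ta"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
<ca>
$(pem_only "$pki/ca.crt")
</ca>
<cert>
$(pem_only "$pki/issued/$client.crt")
</cert>
<key>
$(pem_only "$pki/private/$client.key")
</key>
<tls-crypt>
$(pem_only "$ta")
</tls-crypt>
EOF
}
# Only run the CLI path when invoked with arguments; sourcing does nothing.
if [ $# -ge 2 ]; then build_ovpn "$@"; fi
```

Run it on the server as root (the client key is only readable there) and copy the resulting file to the client over a secure channel, since it contains the private key.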

Section 7 — User Management, Certificate Revocation, and Security

User management and security include the following:

  • Add a new user: generate a key and sign it exactly as for client1 (gen-req, then sign-req client), then build that user's .ovpn file.
  • Certificate revocation: run ./easyrsa revoke client1 && ./easyrsa gen-crl, copy the new pki/crl.pem to /etc/openvpn/crl.pem, and reload the server.
  • Combined certificate and auth-user-pass authentication: you can use PAM or RADIUS and add OTP/2FA for extra security.
  • Fail2ban: install and configure it to monitor the logs and block repeated failed connection attempts.
  • Log management: reduce the log level in production and use logrotate to keep log files under control.

To install fail2ban:

sudo apt install -y fail2ban
# create a custom jail for openvpn as needed

Section 8 — Technical Tips and Optimization for Applications

Some practical suggestions for different scenarios:

For trading/forex and crypto

  • Choose a location close to exchanges or trading servers to reduce RTT (e.g. London, Frankfurt, New York, Tokyo).
  • Use a dedicated VPS for trading with low ping, dedicated resources, and an anti-DDoS server.
  • Use UDP and set the appropriate MTU (e.g. tun-mtu 1500 or less) to prevent fragmentation.

For gaming

  • Choose a location with the lowest ping and use VPS or high-speed servers with a fast network.
  • A/B testing to see if a VPN actually improves routing and reduces ping.

For artificial intelligence and rendering

  • For large data transfers, it is better to use cloud private networks (VPCs) or network-level VPNs with BGP.
  • Use servers with 10Gbps network to connect to the GPU server.

Section 9 — Comparing Locations and Infrastructure

Example of benefits by region:

  • Europe (Frankfurt, London, Amsterdam): Suitable for European traders and low latency to exchanges.
  • America (NY, NJ, Miami): Suitable for North American markets and delay-sensitive loads.
  • Asia (Tokyo, Singapore, Seoul): Suitable for APAC markets and gaming and AI services in the region.

Our company has more than 85 global locations and offers BGP and CDN networking, which can be effective in reducing latency, increasing stability, and preventing DDoS attacks.

Section 10 — Monitoring and Maintenance

Maintenance and scalability tips:

  • OpenVPN monitoring with Prometheus/Grafana or Zabbix (using exporters or log analysis).
  • Regular maintenance of CRL and checking of connection logs.
  • For a large number of clients, use a Load Balancer and multiple OpenVPN servers with HA and shared CA.

Quick troubleshooting

  • Check the log: sudo journalctl -u openvpn-server@server -e
  • Tunnel inspection: ip a show tun0
  • Port check: sudo ss -ulpn | grep 1194
  • NAT test: From a VPN client, ping 8.8.8.8 and the server's public IP.

Summary and security recommendations

Key recommendations:

  • Always use TLS (tls-crypt) and a strong CA.
  • Use strong encryption (AES-256-GCM) and at least TLS 1.2.
  • Implement a revoke and CRL procedure to remove access in the event of a key leak.
  • Use fail2ban and rate-limit rules in your firewall.
  • Don't forget to monitor and periodically review logs.

Benefits of the infrastructure and locations provided

Using ready-made infrastructure with multiple locations provides benefits such as reduced ping, increased stability, and DDoS protection. Options such as trading VPS, gaming server, GPU server, and anti-DDoS server are offered for specialized scenarios.
