Setting up a VPN on an Ubuntu Server allows you to securely access your local network or browse the internet privately. Below are instructions for two popular VPN solutions: OpenVPN and WireGuard.
OpenVPN is a widely used, secure VPN solution.
Install OpenVPN
- Update your system:
    sudo apt update && sudo apt upgrade -y
- Install OpenVPN & Easy-RSA (for certificates):
    sudo apt install openvpn easy-rsa -y
- Set up the PKI (Public Key Infrastructure):
    make-cadir ~/openvpn-ca
    cd ~/openvpn-ca
- Configure the CA:
  - Edit vars:
      nano vars
  - Update the following (replace with your info):
      export KEY_COUNTRY="US"
      export KEY_PROVINCE="CA"
      export KEY_CITY="SanFrancisco"
      export KEY_ORG="YourOrg"
      export KEY_EMAIL="admin@example.com"
      export KEY_OU="MyOrgUnit"
      export KEY_NAME="server"
  - Source the vars:
      source vars
- Build Certificates:
  - Clean any old certs and generate new ones:
      ./clean-all
      ./build-ca
      ./build-key-server server
      ./build-dh
  - Generate HMAC key:
      openvpn --genkey --secret keys/ta.key
- Configure OpenVPN Server:
  - Copy sample config:
      gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
  - Edit /etc/openvpn/server.conf:
      sudo nano /etc/openvpn/server.conf
  - Modify key paths (uncomment/set these; each path must point to where the corresponding file generated above actually resides):
      ca /etc/openvpn/ca.crt
      cert /etc/openvpn/server.crt
      key /etc/openvpn/server.key
      dh /etc/openvpn/dh.pem
      tls-auth /etc/openvpn/ta.key 0
  - Enable user nobody and group nogroup so the daemon drops root privileges after startup.
- Start OpenVPN:
    sudo systemctl enable --now openvpn@server
- Enable IP Forwarding (for routing):
  - Edit /etc/sysctl.conf:
      sudo nano /etc/sysctl.conf
  - Uncomment:
      net.ipv4.ip_forward=1
  - Apply changes:
      sudo sysctl -p
- Configure Firewall (UFW):
    sudo ufw allow 1194/udp
    sudo ufw allow OpenSSH
    sudo ufw enable
- Generate Client Configs:
  - Use easy-rsa to create client certs:
      cd ~/openvpn-ca
      source vars
      ./build-key client1
  - Create .ovpn files for clients.
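The last step above does not say what goes into a client's .ovpn file. As an added example (not from the original page), this shell function bundles ca.crt, the client certificate and key, and ta.key from ~/openvpn-ca/keys into one inline profile. The helper names make_ovpn and pem_only and the choice of client directives are assumptions; port 1194/udp comes from the firewall step.

```shell
#!/bin/sh
# Added example: build a single-file OpenVPN client profile.
# Assumes KEYDIR holds ca.crt, ta.key, <client>.crt and <client>.key.
# make_ovpn and pem_only are hypothetical helper names.

# Print only the PEM block of a certificate file, dropping any
# human-readable dump that may precede it.
pem_only() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# usage: make_ovpn KEYDIR CLIENT SERVER_ADDR OUTFILE
# e.g.:  make_ovpn ~/openvpn-ca/keys client1 <SERVER_IP> client1.ovpn
make_ovpn() {
    keydir=$1; client=$2; server=$3; out=$4
    # Refuse to write a half-built profile if any input is missing.
    for f in ca.crt ta.key "$client.crt" "$client.key"; do
        [ -r "$keydir/$f" ] || { echo "missing: $keydir/$f" >&2; return 1; }
    done
    (
        umask 077       # the profile embeds the client's private key
        rm -f "$out"    # recreate, so an existing looser mode is not kept
        {
            # remote-cert-tls server: only accept a peer presenting a
            # server certificate. key-direction 1: the client side of the
            # server's "tls-auth ta.key 0".
            printf '%s\n' client 'dev tun' 'proto udp' \
                "remote $server 1194" 'resolv-retry infinite' nobind \
                persist-key persist-tun 'remote-cert-tls server' \
                'key-direction 1' 'verb 3'
            echo '<ca>';       pem_only "$keydir/ca.crt";      echo '</ca>'
            echo '<cert>';     pem_only "$keydir/$client.crt"; echo '</cert>'
            echo '<key>';      cat "$keydir/$client.key";      echo '</key>'
            echo '<tls-auth>'; cat "$keydir/ta.key";           echo '</tls-auth>'
        } > "$out"
    )
}
```

The resulting file contains the client's private key, so transfer it to the client over an authenticated, encrypted channel.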
WireGuard (Faster & Modern)
WireGuard is a lightweight and high-performance VPN.
Install WireGuard
- Install WireGuard:
    sudo apt update && sudo apt install wireguard -y
- Generate Keys:
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey
- Configure Server (/etc/wireguard/wg0.conf):
    sudo nano /etc/wireguard/wg0.conf
  Example config (eth0 is the server's outbound interface; substitute your own):
    [Interface]
    PrivateKey = <SERVER_PRIVATE_KEY>
    Address = 10.0.0.1/24
    ListenPort = 51820
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    [Peer]
    PublicKey = <CLIENT_PUBLIC_KEY>
    AllowedIPs = 10.0.0.2/32
- Enable IP Forwarding:
    sudo nano /etc/sysctl.conf
  Uncomment:
    net.ipv4.ip_forward=1
  Apply:
    sudo sysctl -p
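- Start WireGuard (the service runs wg-quick up wg0 now and at every boot; bringing wg0 up by hand first would make the service start fail because the interface already exists):
    sudo systemctl enable --now wg-quick@wg0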
- Configure Firewall (UFW):
    sudo ufw allow 51820/udp
    sudo ufw allow OpenSSH
    sudo ufw enable
- Client Setup:
  - Install WireGuard on the client.
  - Create a config (client.conf):
      [Interface]
      PrivateKey = <CLIENT_PRIVATE_KEY>
      Address = 10.0.0.2/24
      DNS = 8.8.8.8

      [Peer]
      PublicKey = <SERVER_PUBLIC_KEY>
      Endpoint = <SERVER_IP>:51820
      AllowedIPs = 0.0.0.0/0
      PersistentKeepalive = 25
Which VPN to Choose?
- OpenVPN: More traditional, supports TCP/UDP, good for compatibility.
- WireGuard: Faster, simpler, better for mobile & low-latency use.



