How to Install OpenVPN On an Ubuntu OpenVZ VPS

ubuntu VPN

ubuntu VPN

If you are a webmaster outside the US, and you have purchased a US VPS. This tutorial is for you! The big question is why you should install openvpn on vps? Well the biggest reason is that you can change your IP to watch stuff like Hulu which is is only available for US visitors. Another benefit of VPN is the security it offers by encrypting traffic on public networks like public WIFI spots which are not very safe. You could of course use a commercial service like StrongVPN in which case you typically pay ($5-10) per month, but for webmasters who have rent a VPS, they will prefer to run VPN on their VPS hosting.

OpenVZ VPS supports VPN inside a container via kernel TUN/TAP module and device. First thing you need to do is to enable TUN/TAP.

You can enable TUN/TAP in your hosting control panel. TUN/TAP is disable in some VPS hosting, you need to submit a ticket to you hosting provider to enable TUN/TAP.

Steps of Installing OpenVPN Inside an OpenVZ VPS on Ubuntu 10.04:

First, install the openvpn package:

sudo apt-get install openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
sudo gunzip server.conf.gz

This will copy and unpack the example server config. The sample config uses the ip range and subnet
Edit the server.conf file with your favorite editor:

nano /etc/openvpn/server.conf

Now you need to uncomment the following (remove the “;” in front of the line):
push “redirect-gateway def1 bypass-dhcp”
push “dhcp-option DNS
push “dhcp-option DNS

Copy the necessary files to to create our certificates:

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa

We need to adjust the vars file, which contains the settings for the certificates.
Please keep in mind that the ‘country’ field may only contain 2 letters.

Open the vars file and go to the end.
The default file contains:

# These are the default values for fields
# which will be placed in the certificate.
# Don’t leave any of these fields blank.
export KEY_CITY=”SanFrancisco”
export KEY_ORG=”Fort-Funston”
export KEY_EMAIL=”me@myhost.mydomain”

You can modify these values if you like.
After that create the necessary key and CA’s:

Creating server certificates

cd /etc/openvpn/easy-rsa/
source vars
./pkitool –initca
./pkitool –server server

This will build your proper certificates based up the example files slightly editted. I recommend this for non-advanced users and first-timers.

Creating client certificates

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname

Remember to replace hostname with the name of the client you want to connect. This can be used as an identifier for example “client1”

You’ll need to do 1 thing more to fix the routing. That is to route the traffic from tun0 to the interface that provides internet (venet0:0 by default).

iptables -t nat -A POSTROUTING -s -j SNAT -to-source your_vps_ip

Since we can’t use the MASQUERADE command, we need to use SNAT. Also only full interfaces are supported (So venet0:0 isn’t compatible with the -o option). That’s why I cover this on a static IP based configuration. This will route all network traffic on to the internet-supplying interface.

sudo /etc/init.d/openvpn restart

Configure your VPN client on your computer, the client will need the following files:


Create a config file, for example myvps.ovpn and change the certificate settings to include the files above:

In the line “remote hostname 1194? change “hostname” with your VPS hostname that will match the certificate.
Also change the ssl settings in case you used a different name for the client certificates then myvps.

You can buy a cheap VPS from or visit and search for an OpenVZ VPS.

Leave a Reply

Your email address will not be published. Required fields are marked *