Below is a step‑by‑step, production‑ready recipe for getting a fully‑functional OpenVPN server running on an Ubuntu 22.04 (or later) DigitalOcean droplet.
We’ll use the community‑maintained install script from angristan/openvpn‑install because it handles everything else for us – it pulls in Easy‑RSA, generates server/client certificates, configures the firewall, and writes a clean .ovpn file for each client.
Prerequisites
- A freshly‑created DigitalOcean droplet running Ubuntu 22.04+ (or any Debian‑based distro).
- Root or a sudo‑enabled user.
- The droplet’s public IP address (we’ll call it the anchor IP).
- Basic command‑line skills.
1. Prepare the Droplet
# 1.1 Update the package database and upgrade everything
sudo apt update && sudo apt upgrade -y
# 1.2 Check whether a firewall (UFW) is already active
# (DigitalOcean droplets come with UFW disabled by default)
sudo ufw status
If UFW is already enabled, make sure you’ll allow the OpenVPN port later; otherwise you can skip to the next section.
2. Install the OpenVPN Script
# 2.1 Grab the latest copy of the script from GitHub
wget https://github.com/angristan/openvpn-install/raw/master/openvpn-install.sh
# 2.2 Make it executable
chmod +x openvpn-install.sh
Why this script?
- Handles Easy‑RSA certificate creation.
- Loads the correct kernel modules (openvpn).
- Sets up IP forwarding and NAT.
- Adds a UFW rule for you.
- Generates a ready‑to‑use client .ovpn file.
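The download step above fetches a script from a moving branch and the next step runs it as root, so it is worth gating execution on a digest you recorded after reviewing the script. The following is an added example, not part of the original guide or of the install script; verify_pinned is a hypothetical helper name and the pinned digest is a value you supply yourself.

```shell
#!/bin/sh
# Added example: refuse to run a downloaded installer unless its SHA-256
# matches a digest recorded after you reviewed that exact version.
# verify_pinned FILE EXPECTED_SHA256
#   returns 0 on match, 1 on mismatch, 2 on bad input
verify_pinned() {
    file=$1
    # Normalise the pinned digest to lowercase before comparing
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_pinned: no such file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; reject anything else
    case $expected in
        *[!0-9a-f]*) echo "verify_pinned: digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_pinned: digest must be 64 characters" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] && return 0
    echo "verify_pinned: digest mismatch for $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (the digest is a placeholder you fill in yourself):
#   PINNED_SHA256="<sha256 recorded after reviewing the script>"
#   verify_pinned openvpn-install.sh "$PINNED_SHA256" && sudo ./openvpn-install.sh
```

Downloading from a specific commit instead of master keeps the file, and therefore the recorded digest, stable between reviews.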
3. Run the Installer
sudo ./openvpn-install.sh
The script will:
- Prompt you for the server IP address (use the droplet’s anchor IP).
- Prompt for the protocol (udp is standard; tcp is optional).
- Prompt for the port (1194 by default).
- Ask how many client profiles you want to create now.
- Generate the server configuration, certificates, and a client .ovpn file.
Tip:
If you’re uncertain about the options, just press Enter to accept the defaults.
You can always add additional clients later with sudo /usr/local/sbin/openvpn-install.sh.
4. Verify the Server is Running
# 4.1 Check the OpenVPN process
sudo systemctl status openvpn@server
# (or if the script used “myvpn” as the instance name, replace “server” with that)
# 4.2 Verify the port is listening
sudo ss -tulpn | grep 1194
You should see something like this (UDP sockets are reported as UNCONN rather than LISTEN):
udp UNCONN 0 0 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=1234,fd=6))
5. Firewall Configuration (UFW)
The script automatically adds a rule, but double‑check:
sudo ufw allow 1194/udp # replace 1194 if you used a custom port
sudo ufw reload
sudo ufw status numbered
The ufw status output should include:
[ 1] 1194/udp ALLOW IN Anywhere
If you prefer nftables you can replace UFW with:
sudo apt install nftables -y
sudo systemctl enable nftables
sudo systemctl start nftables
# Add a rule
sudo nft add rule inet filter input udp dport 1194 accept
6. Obtain the Client Configuration File
The installer creates a .ovpn file for each client. By default, it is stored in:
/home/<your‑user>/client-configs/files/
If you ran the script as root, the location may be /root/client-configs/files/.
Copy the file to a secure location on your laptop or phone. For example, on Linux/macOS:
scp <user>@<anchor‑ip>:/home/<user>/client-configs/files/<client>.ovpn .
On Windows, use WinSCP or another SFTP client.
7. Connect from a Client
macOS / Linux
sudo openvpn --config <client>.ovpn
You will be prompted for the certificate’s passphrase (if you set one). Once connected, you’ll see:
Initialization Sequence Completed
Windows
- Download and install OpenVPN GUI.
- Place the <client>.ovpn file in C:\Program Files\OpenVPN\config\.
- Right‑click the OpenVPN icon in the system tray → Connect.
- Accept any security prompts.
Android / iOS
- Install the official OpenVPN Connect app.
- Import the .ovpn file (via email, cloud storage, or direct transfer).
- Tap Connect and you’re in.
8. Adding More Clients Later
If you need a new client, just re‑run the script:
sudo ./openvpn-install.sh
Answer “Yes” when asked if you want to add a new client, give it a name, and it will generate a fresh .ovpn file in the same client-configs/files/ directory.
9. Basic Security Tips
What | Why |
---|---|
Use a unique, strong client certificate passphrase | Prevents anyone who steals the .ovpn file from connecting. |
Disable root login over SSH | Keeps the droplet safe. Set PermitRootLogin no in /etc/ssh/sshd_config and use key‑based auth only. |
Limit the UFW port | Keep the OpenVPN port open only for your IP if you’re the sole user. |
Regularly update | sudo apt update && sudo apt upgrade -y . |
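The passphrase tip in the table can be checked mechanically, because a client profile carries its private key inline between <key> and </key>. The following is an added example, not part of the original guide or of the install script; audit_ovpn and make_sample are hypothetical helper names, and the sample profile is constructed with a placeholder where the key body would be.

```shell
#!/bin/sh
# Added example: audit a client .ovpn profile before copying it to a device.
# Prints one finding code per line; prints nothing when the profile passes.
audit_ovpn() {
    profile=$1
    [ -f "$profile" ] || { echo "NOT_FOUND"; return 0; }

    # Group/other permission bits are characters 5-10 of the ls mode string
    mode=$(ls -ln "$profile" | cut -c5-10)
    [ "$mode" = "------" ] || echo "PERMS_OPEN"

    # Extract the inline <key>...</key> block that holds the private key
    key=$(awk '/^<key>/{on=1;next} /^<\/key>/{on=0} on' "$profile")
    if [ -z "$key" ]; then
        echo "NO_INLINE_KEY"      # key lives in a separate file; audit that file
    elif printf '%s\n' "$key" | grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED'; then
        :                         # passphrase-protected (PKCS#8 or legacy PEM)
    else
        echo "KEY_UNENCRYPTED"    # anyone holding the file can connect
    fi
}

# Write a constructed sample profile; the key body is a placeholder, not key material.
# make_sample PATH PEM_LABEL   (e.g. "PRIVATE KEY" or "ENCRYPTED PRIVATE KEY")
make_sample() {
    cat > "$1" <<EOF
client
dev tun
proto udp
remote 203.0.113.10 1194
<key>
-----BEGIN $2-----
CONSTRUCTED-PLACEHOLDER
-----END $2-----
</key>
EOF
}

# Demo on a constructed profile (mktemp creates the file with mode 600)
tmp=$(mktemp) && make_sample "$tmp" "PRIVATE KEY" && audit_ovpn "$tmp"
rm -f "$tmp"
```

A KEY_UNENCRYPTED finding means the profile works as a bearer credential, so treat the file like a password and revoke the client certificate if it leaks.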
10. Quick Recap
- Update droplet, install ufw if needed.
- Download openvpn-install.sh and make it executable.
- Run it – answer the prompts (anchor IP, port, protocol, clients).
- Verify the server is listening and firewall allows UDP 1194.
- Copy the .ovpn client file from /home/<user>/client-configs/files/.
- Connect with any OpenVPN client app.
That’s it! Your DigitalOcean Ubuntu droplet is now an OpenVPN server, ready to securely tunnel any device that has the client credentials. Happy VPNing!