Below is a step‑by‑step, production‑ready recipe for getting a fully‑functional OpenVPN server running on an Ubuntu 22.04 (or later) DigitalOcean droplet.
We’ll use the community‑maintained install script from angristan/openvpn‑install because it handles the rest of the setup for us: it pulls in Easy‑RSA, generates server/client certificates, configures the firewall, and writes a clean .ovpn file for each client.

Prerequisites

  • A freshly‑created DigitalOcean droplet running Ubuntu 22.04+ (or any Debian‑based distro).
  • Root or a sudo‑enabled user.
  • The droplet’s public IP address (we’ll call it the anchor IP).
  • Basic command‑line skills.

1. Prepare the Droplet

# 1.1 Update the package database and upgrade everything
sudo apt update && sudo apt upgrade -y

# 1.2 Check the current firewall state
# (DigitalOcean droplets come with UFW disabled by default)
sudo ufw status

If UFW is already enabled, make sure you allow the OpenVPN port later (step 5); otherwise, skip to the next section.


2. Install the OpenVPN Script

# 2.1 Grab the latest copy of the script from GitHub
wget https://github.com/angristan/openvpn-install/raw/master/openvpn-install.sh

# 2.2 Make it executable
chmod +x openvpn-install.sh

Why this script?

  • Handles Easy‑RSA certificate creation.
  • Loads the correct kernel modules (openvpn).
  • Sets up IP forwarding and NAT.
  • Adds a UFW rule for you.
  • Generates a ready‑to‑use client .ovpn file.
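
The installer is fetched from a moving branch and then run with sudo, so it helps to gate execution on the checksum of the copy you actually reviewed. The following is an added example, not part of the openvpn-install project: the function names are hypothetical, and the expected digest is a value you record yourself after reading the script.

```bash
#!/usr/bin/env bash
# Added example (not from the openvpn-install project).
# Assumption: you fetched the script at a fixed revision, e.g.
#   wget -O openvpn-install.sh \
#     https://github.com/angristan/openvpn-install/raw/<commit-sha>/openvpn-install.sh
# read it, and recorded its SHA-256 as the "expected" value.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    sha256sum < "$1" | awk '{print $1}'
}

# install_if_trusted FILE EXPECTED_SHA256
# Marks FILE executable only when its digest matches the reviewed one.
# Returns 0 on match, 1 on mismatch (execute bits removed), 2 on bad usage.
install_if_trusted() {
    local file=$1 expected actual
    [ -f "$file" ] && [ -n "$2" ] || return 2
    # Normalise case: some tools print upper-case hex.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        chmod 700 "$file"      # owner-only, replaces the plain chmod +x
        return 0
    fi
    chmod a-x "$file"          # make an unreviewed copy harder to run by accident
    printf 'digest mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}
```

Run `install_if_trusted openvpn-install.sh <recorded-digest>` in place of step 2.2, and only continue to step 3 when it returns 0.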

3. Run the Installer

sudo ./openvpn-install.sh

The script will:

  1. Prompt you for the server IP address (use the droplet’s anchor IP).
  2. Prompt for the protocol (udp is standard; tcp is optional).
  3. Prompt for the port (1194 by default).
  4. Ask how many client profiles you want to create now.
  5. Generate the server configuration, certificates, and a client .ovpn file.

Tip:
If you’re uncertain about the options, just press Enter to accept the defaults.
You can always add additional clients later with sudo /usr/local/sbin/openvpn-install.sh.


4. Verify the Server is Running

# 4.1 Check the OpenVPN process
sudo systemctl status openvpn@server
# (or if the script used “myvpn” as the instance name, replace “server” with that)

# 4.2 Verify the port is listening
sudo ss -tulpn | grep 1194

You should see something like:

udp   0   0 0.0.0.0:1194  0.0.0.0:*  LISTEN  1234/openvpn

5. Firewall Configuration (UFW)

The script automatically adds a rule, but double‑check:

sudo ufw allow 1194/udp   # replace 1194 if you used a custom port
sudo ufw reload
sudo ufw status numbered

The ufw status output should include:

[ 1] 1194/udp  ALLOW IN    Anywhere

If you prefer nftables you can replace UFW with:

sudo apt install nftables -y
sudo systemctl enable nftables
sudo systemctl start nftables

# Add a rule
sudo nft add rule inet filter input udp dport 1194 accept

6. Obtain the Client Configuration File

The installer creates a .ovpn file for each client. By default, it is stored in:

/home/<your‑user>/client-configs/files/

If you ran the script as root, the location may be /root/client-configs/files/.

Copy the file to a secure location on your laptop or phone. For example, on Linux/macOS:

scp <user>@<anchor‑ip>:/home/<user>/client-configs/files/<client>.ovpn .

On Windows, use WinSCP or another SFTP client.
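
A .ovpn profile carries the client's private key inline, so before copying one off the server it is worth checking that the key is passphrase-protected and that the file is readable only by its owner. The following is an added example, not code from the installer: the function names are hypothetical, the sample profile is constructed with a placeholder key body, and GNU stat (as shipped on Ubuntu) is assumed.

```bash
#!/usr/bin/env bash
# Added example: audit a client profile before it leaves the server.
# Assumes the unified .ovpn layout with the key between <key> and </key>.

# audit_ovpn FILE -> prints findings, returns their count (0 = clean, 3 = unreadable)
audit_ovpn() {
    local file=$1 findings=0 key_block mode
    [ -r "$file" ] || { echo "cannot read $file"; return 3; }

    key_block=$(sed -n '/^<key>/,/^<\/key>/p' "$file")
    if [ -z "$key_block" ]; then
        echo "no inline <key> block; passphrase check skipped"
    elif ! printf '%s\n' "$key_block" |
            grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED'; then
        # PKCS#8 and legacy PEM both mark encrypted keys in their headers.
        echo "private key is not passphrase-protected"
        findings=$((findings + 1))
    fi

    mode=$(stat -c '%a' "$file")
    case $mode in
        [0-7]00) ;;  # owner-only, e.g. 600 or 400
        *) echo "mode $mode is accessible beyond the owner"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# write_sample FILE PEM_LABEL -> constructed profile, placeholder key body
write_sample() {
    cat > "$1" <<EOF
client
remote 203.0.113.10 1194
<key>
-----BEGIN $2-----
constructed-placeholder-not-a-real-key
-----END $2-----
</key>
EOF
}
```

A profile that reports findings is better regenerated with a passphrase and tightened with `chmod 600` before it is transferred.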


7. Connect from a Client

macOS / Linux

sudo openvpn --config <client>.ovpn

You will be prompted for the certificate’s passphrase (if you set one). Once connected, you’ll see:

Initialization Sequence Completed

Windows

  1. Download and install OpenVPN GUI.
  2. Place the <client>.ovpn file in C:\Program Files\OpenVPN\config\.
  3. Right‑click the OpenVPN icon in the system tray → Connect.
  4. Accept any security prompts.

Android / iOS

  1. Install the official OpenVPN Connect app.
  2. Import the .ovpn file (via email, cloud storage, or direct transfer).
  3. Tap Connect and you’re in.

8. Adding More Clients Later

If you need a new client, just re‑run the script:

sudo ./openvpn-install.sh

Answer “Yes” when asked if you want to add a new client, give it a name, and it will generate a fresh .ovpn file in the same client-configs/files/ directory.


9. Basic Security Tips

What | Why
Use a unique, strong client certificate passphrase | Prevents anyone who steals the .ovpn file from connecting.
Disable root login over SSH | Keeps the droplet safe. Set PermitRootLogin no in /etc/ssh/sshd_config and use key‑based auth only.
Limit the UFW port | Keep the OpenVPN port open only for your IP if you’re the sole user.
Regularly update | sudo apt update && sudo apt upgrade -y.

10. Quick Recap

  1. Update droplet, install ufw if needed.
  2. Download openvpn-install.sh and make it executable.
  3. Run it – answer the prompts (anchor IP, port, protocol, clients).
  4. Verify the server is listening and firewall allows UDP 1194.
  5. Copy the .ovpn client file from /home/<user>/client-configs/files/.
  6. Connect with any OpenVPN client app.

That’s it! Your DigitalOcean Ubuntu droplet is now an OpenVPN server, ready to securely tunnel any device that has the client credentials. Happy VPNing!