OpenVPN with Username/Password authentication Ubuntu

Installing an OpenVPN server on Ubuntu with username and password authentication through the auth-pam plugin, and disabling SSH login for the VPN users.


In this tutorial, I will document how to install OpenVPN on an Ubuntu 18.04 server and have it authenticate clients using a username and password.

Update OS

sudo apt-get update
sudo apt-get upgrade

Install OpenVPN and set up directories

sudo apt-get install -y openvpn openssl
sudo mkdir -p /etc/openvpn/server
sudo mkdir -p /var/log/openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-keys/openssl.cnf /etc/openvpn/server/

Generate keys and certificates

Create a bash file (from Medium Article)

# Place this in /etc/openvpn/server/

# Copyright © 2014 Steffan Karger <[email protected]>

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root"
   exit 1
fi

set -eu

command -v openssl >/dev/null 2>&1 || { echo >&2 "Unable to find openssl. Please make sure openssl is installed and in your path."; exit 1; }

# openssl.cnf is the copy made in the previous step
if [ ! -f openssl.cnf ]; then
	echo "Please run this script from the sample directory"
	exit 1
fi

# Generate static key for tls-auth (or static key mode)
openvpn --genkey --secret ta.key

# Create required directories and files
mkdir -p sample-ca
rm -f sample-ca/index.txt
touch sample-ca/index.txt
touch sample-ca/index.txt.attr
echo "01" > sample-ca/serial

# Generate CA key and cert
# (the e-mail in the subject is informational only; replace the placeholder or drop the field)
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
	-extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \
	-subj "/C=VN/ST=SAIGON/L=SAIGON/O=OpenVPN-TEST/emailAddress=REPLACE_WITH_YOUR_EMAIL" \
	-config openssl.cnf

# Create server key and cert
openssl req -new -nodes -config openssl.cnf -extensions server \
	-keyout sample-ca/server.key -out sample-ca/server.csr \
	-subj "/C=VN/ST=SAIGON/O=OpenVPN-TEST/CN=VPN-Server/emailAddress=REPLACE_WITH_YOUR_EMAIL"

openssl ca -batch -config openssl.cnf -extensions server \
	-out sample-ca/server.crt -in sample-ca/server.csr

# Generate DH parameters
openssl dhparam -out dh2048.pem 2048

# Copy the files that server.conf references into /etc/openvpn/
cp /etc/openvpn/server/dh2048.pem /etc/openvpn/
cp /etc/openvpn/server/sample-ca/server.crt /etc/openvpn/server/sample-ca/server.key /etc/openvpn/server/sample-ca/ca.crt /etc/openvpn/
cd /etc/openvpn/server/

sudo chmod +x
sudo ./

Create OpenVPN server configuration file

# Place this in /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
# Authenticate clients against PAM instead of client certificates
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/ /etc/pam.d/login
# Clients present no certificate of their own. "client-cert-not-required" is the
# deprecated spelling of this directive (see the comments below).
verify-client-cert none
push "redirect-gateway def1"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 10 120
user nobody
group nogroup
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3

You may have to change the plugin path (/usr/lib/x86_64-linux-gnu/openvpn/plugins/) depending on your OS and OpenVPN version. These are some paths where I have found it (I may update this list in the future):


Start the OpenVPN service, configure it to autostart on boot and check its status

# the openvpn@.service template unit reads /etc/openvpn/server.conf for the "server" instance
sudo systemctl start openvpn@server.service
sudo systemctl enable openvpn@server.service
sudo systemctl status openvpn@server.service

Enable IP forwarding and set up iptables rules

# "sudo echo ... >> file" runs the redirection as your own user and fails, so append with tee
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# You may have to change eth0 to the name of your interface
sudo iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -s -o eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s ! -d -o eth0 -j MASQUERADE

Make iptables rules persistent (across reboots)

sudo apt-get install -y iptables-persistent
# the redirection must run as root too, hence tee instead of ">"
sudo iptables-save | sudo tee /etc/iptables/rules.v4

HUH! Server config is all done; let's add a new user and disable its SSH login. Repeat this process for each additional user.

sudo adduser saad
sudo passwd saad
# Append with tee: "sudo echo ... >> file" runs the redirection as your own user and fails.
# DenyUsers must come before any Match block in sshd_config, otherwise it only applies inside that block.
echo "DenyUsers saad" | sudo tee -a /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl reload sshd.service
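The SSH-deny step above, as an added example that is not part of the original post: a bash helper that writes the DenyUsers line the way the commands above intend, handling the two things that can silently go wrong (the sudo redirection, and a Match block at the end of sshd_config). The config path and the fixture contents are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Puts "DenyUsers USER" into an
# sshd_config the safe way. Two things go wrong with `sudo echo ... >> file`:
# the redirection runs as the unprivileged user (permission denied), and a
# blind append can land inside a trailing "Match" block, where DenyUsers only
# applies to that block instead of to every login.
set -eu

# Exit 0 if USER appears on an uncommented DenyUsers line that precedes any
# Match block (i.e. the denial is global), 1 otherwise.
ssh_denied_globally() {
    local cfg="$1" user="$2"
    awk -v u="$user" '
        /^[ \t]*Match[ \t]/ { exit }   # stop at the first Match block
        /^[ \t]*DenyUsers[ \t]/ { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { exit !found }
    ' "$cfg"
}

# Insert "DenyUsers USER" before the first Match block (or append when there is
# none). Idempotent: a user that is already denied globally is not added twice.
deny_ssh_user() {
    local cfg="$1" user="$2" tmp
    if ssh_denied_globally "$cfg" "$user"; then
        return 0
    fi
    tmp="$(mktemp)"
    awk -v u="$user" '
        !done && /^[ \t]*Match[ \t]/ { print "DenyUsers " u; done = 1 }
        { print }
        END { if (!done) print "DenyUsers " u }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"   # rewrite in place, keeping the file's owner and mode
    rm -f "$tmp"
}

# On the server (as root), after "adduser saad":
#   deny_ssh_user /etc/ssh/sshd_config saad && sshd -t && systemctl reload sshd.service
```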

Copy the content of /etc/openvpn/ca.crt; you will need it for the client configuration file.

Client configuration file

client
dev tun
redirect-gateway def1
remote -- vpn server public ip here -- 1194 udp
comp-lzo yes # compression settings must match the server side
remote-cert-tls server
# Prompt for the PAM username and password (see the comments below)
auth-user-pass
<ca>
-- ca.crt content here --
</ca>

And that's it: you should be able to connect to the OpenVPN server with the user (saad in this tutorial) and password.
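The client configuration above, as an added example that is not from the original post: a bash function that generates the profile from the server address and the ca.crt copied earlier, embedding the certificate inline and adding the auth-user-pass flag mentioned in the comments. The server address and file names used are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Builds the client profile for the
# server above: the CA certificate copied from /etc/openvpn/ca.crt goes inline
# between <ca> and </ca> tags, and auth-user-pass makes the client prompt for the
# PAM username and password (the flag mentioned in the comments below). comp-lzo
# is left out because the server configuration above enables no compression.
set -eu

# make_client_profile SERVER_ADDRESS CA_FILE OUTPUT_FILE
make_client_profile() {
    local server="$1" ca_file="$2" out="$3"
    # Refuse to embed anything that is not a PEM certificate.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file"; then
        echo "$ca_file does not look like a PEM certificate" >&2
        return 1
    fi
    {
        cat <<EOF
client
dev tun
remote $server 1194 udp
redirect-gateway def1
remote-cert-tls server
auth-user-pass
<ca>
EOF
        # Keep only the PEM block; openssl may prepend a text dump of the cert.
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca_file"
        echo '</ca>'
    } > "$out"
    chmod 600 "$out"   # keep the profile private
}

# Usage: make_client_profile 203.0.113.10 /etc/openvpn/ca.crt saad.ovpn
# (203.0.113.10 is a documentation address standing in for the server's public IP)
```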

Feel free to comment below if you are facing any issues; I would love to help you out. If you want me to set everything up for you, feel free to contact me on Fiverr:

14 thoughts on “OpenVPN with Username/Password authentication Ubuntu”

  1. How can I set a username and password in the server file? I need to connect a client with the server. When I try to connect, it needs an auth username and password.

    1. In the server configuration, you just need to specify that you want the PAM plugin to be used for authentication, and you just need to add the “auth-user-pass” flag in the client config to use user/pass based authentication.

  2. Hello,
    I’ve followed your instructions and tried the VPN server from the Windows OpenVPN GUI and have this error:
    Sat Jan 16 18:35:26 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sat Jan 16 18:35:26 2021 TLS Error: TLS handshake failed

    Could you please help?
    Thanks, Phil

      1. Thanks for your answer !
        But yes, I have added the ca.crt file content inside the client configuration.
        This link suggests firewall issues, but I have applied your iptables rules ….
        My server is located on AWS …. Any idea?

          1. Yes, I have allowed inbound traffic on port 1194 in your EC2’s security group on AWS,
            but telnet: Unable to connect to remote host: Resource temporarily unavailable …
            But if I make the same attempt on a NordVPN server I have the same result for telnet, and I SUCCEED to connect to this NordVPN server ….

        1. Tried with the TCP protocol: telnet OK (as expected, since telnet uses TCP),
          but infinite loop with error msg: Connection reset, restarting [0]

        2. Hey Saad,
          I’ve made a mistake because in server.conf “client-cert-not-required” is deprecated (Ubuntu 20.04?)
          I put “verify-client-cert none” instead and ALL IS WORKING!
          Many thanks for your tutorial!

  3. Hi, I followed your steps and I can successfully connect to my VPN. But after I’m connected I can’t visit any website; it’s like there is no internet connection 🙁 Can you help me?

  4. Hi Saad,
    Very nice article, and thanks.
    I have a question: if I want to use a RADIUS server like FreeRADIUS for username and password, which change should be done in the PAM module?

