Virtual Private Networks

5 Ways to Install OpenVPN on Ubuntu 14.04, 16.04, 18.04

OpenVPN is an open source Virtual Private Network (VPN) software solution that rivals similar commercially available products. It allows you to use PKI (Public Key Infrastructure) and SSL/TLS certificates to establish a secure connection between almost any networking device and a remote VPN server.

This article explains how to install the OpenVPN client on an Ubuntu 16.04.x or 18.04.x headless server. Ubuntu is a derivative of the Linux operating system. It is presumed you will SSH to your command terminal and that you have root access privileges. You may be able to modify these instructions for your own purposes if you are working on a similar platform.


Free vs. Paid Editions

For a long time there was only one (1) OpenVPN product line called simply OpenVPN. That's not the case anymore. In 2017, the traditional OpenVPN product (free) was rebranded OpenVPN CE (Community Edition). The change occurred due to a business decision to turn OpenVPN into a for-profit organization. The CE version is the familiar free edition anyone can use, and is CLI (Command Line Interface) driven only. This means you need to use a terminal emulator to modify its settings and behavior. At the same time, a new paid product called OpenVPN Access Server was introduced.

Unless specified otherwise, "OpenVPN" references in this article mean the Community Edition OpenVPN client or server software of the same name.

OpenVPN Access Server

What is the difference between OpenVPN Community Edition and OpenVPN Access Server? OpenVPN AS is a commercial or business edition of the traditional OpenVPN product and is oriented toward organizations running multiple VPN servers. OpenVPN Access Server is operated via an HTTP (Web) interface that includes a pre-packaged installer to standup an OpenVPN server, and a simple setup process for add-on support such as RADIUS login servers, LDAP, centralized user management, and a host of other features that are common in business environments.

Pre-Installation Decisions

There are a few things you need to figure out prior to beginning the installation process. Your decisions will guide you in selecting the best installation option for your particular scenario.

The instructions below cover installation options for the client portion only of OpenVPN Community Edition (CE). This is what the average user needs to install. If you are connecting to a VPN server, you need a corresponding VPN client that uses the same VPN protocol. OpenVPN is a VPN protocol.

Encryption Libraries

OpenVPN depends upon other programs for various functions which may or may not support all of OpenVPN's features. By default, OpenVPN utilizes OpenSSL for SSL and TLS encryption, but allows the use of mbedTLS (PolarSSL) as well. OpenVPN will function ONLY with either of these cryptographic libraries.1 As of version 2.4.0, when building from source code you may choose to build OpenVPN with native support for mbedTLS.2 Under that circumstance, if OpenSSL is not already present, it will not be installed. This is the antithesis of the default behavior of OpenVPN installers, which is to install OpenSSL if it is not already present.

Linux Distro Packages

If you have another version of Linux, you may be able to modify the code examples in this guide as necessary, but there’s no guarantee your changes will work properly. If you’re using one of the packages mentioned below, you’re in luck as there are pre-built packages (though you’ll have to figure out for yourself how to install and configure them).

It's not uncommon for even the official OpenVPN installation guides to lag behind the current OpenVPN version.

Official pre-built software packages for OpenVPN v2 for the Linux distributions listed below are available via the OpenVPN website:

  • Ubuntu
  • RedHat
  • CentOS
  • Debian
  • openSUSE

You do NOT need to fill out the Purchase License form if you will be using OpenVPN for personal use only.

Which Version of OpenVPN Should I Install?

OpenVPN currently has three (3) primary version pathways:

  1. Default OpenVPN version for your operating system
  2. Most recent: OpenVPN v2.x
  3. Cutting edge: OpenVPN v3

OpenVPN v3 is in active development, but should be considered experimental at this time. The only method of installing it is to compile it from source code. For the brave, the OpenVPN v3 (Linux) GitHub repository is here.

If you want the most up-to-date of the current, stable release, as of this writing that is 2.4.7, but of course that is subject to change. OpenVPN version numbers represent Branch.Major Version.Minor Version. So, 2.4.7 is branch 2, major version 4, minor version 7.

It's not clear when Version 3 will become mainstream, but at the moment it appears it's going to be quite awhile. New features are currently planned through at least version 2.6.

For a list of OpenVPN versions with details on supported TLS levels and cryptographic ciphers, see OpenVPN Version List and Changelogs.

These instructions explain the process of installing the Client-side OpenVPN program on a Linux device. They were tested on an Ubuntu 16.04.x headless server, and should also work on Ubuntu 14.04.x and Ubuntu 18.04.x. They should also work more-or-less as-is on any other Debian-based Linux distro. Other Linux variants will have a similar installation process.

This guide explains how to install and configure a CLIENT-side VPN connection only. The server end of the process is not discussed. If you are accessing a 3rd party VPN service, this guide is what you need. If that is the case, you are in need of a VPN client.

You will create an OpenVPN virtual network interface that acts as a conduit between your device and a remote VPN server.

The overall process is:

  1. Install OpenVPN platform
  2. Configure OpenVPN
  3. Edit firewall (if necessary)
  4. Setup auto-start OpenVPN service daemon
  5. Reboot

Before getting started with coding, let’s review the scope of this guide as it relates to coding instructions. This guide pertains to:

  • Client-side VPN software installation
  • Ubuntu LTS versions 14.04, 16.04, and 18.04, with an emphasis on 16.04 LTS

Repositories and Packages

Repositories and Packages are explained below. You may also skip this info and go directly to the code.


A repository is a collection of software program files and metadata about those files. There are several types of repositories, but all you need to know about them for the purpose of this guide is most program files are stored in one of two (2) types: Main and Universe.

All "Main" repositories are operated by Canonical; the company that created and maintains Ubuntu. You can think of Main repositories as official repositories.

The "Universe" repository type indicates community owned and operated sources of software. They function just like official repositories, except they are maintained by community members (i.e. the public).

Personal Package Archives

What is a PPA? A Personal Package Archive (PPA) is a repository of non-official packages. They are what makes up the "Universe" repositories. PPAs are intended to allow software authors to publish updates outside of the official ("main") packaging system. Any package downloaded and installed via the Main repositories has been thoroughly vetted by Canonical staff prior to release. You could think of the Main repositories as store fronts in an official Ubuntu Store, sort of like the Apple Store or Google Play Store. That is just an analogy to help you better understand the concept.

A Brief Word on Git

I recommend against using Git to install OpenVPN simply because it results in more work. First, you must be more diligent in verifying you are downloading the correct version. And secondly, if you clone the repository you will likely end up with a large number of files you don't need. The other methods described above are more straightforward. I love Git. It's great for software development environments. However, it's usually not the ideal choice when sharing installation files with consumers. Naturally, it all depends on the situation, but I would argue that is certainly the case with OpenVPN with its myriad of old, stable, and experimental versions.


I decided to add this brief section of information regarding Easy-RSA, even though it is unnecessary for Client VPN installations. Many OpenVPN tutorials instruct the user to install it, but the vast majority of them don't explain why or what it is. You may skip this section if you only want the required files for operating a VPN client.

Easy-RSA is explained here for educational purposes only.

You do not need to install Easy-RSA to connect to a VPN as a client device. Easy-RSA is used by VPN servers to manage PKI certificates.

Easy-RSA is utility that builds and manages PKI Certificate Authorities (PKI CAs). PKI stands for Public Key Infrastructure and basically refers to a system of keys that validate the identity of two remote devices with one another. PKIs use a aystem of a shared public key and a private key (not shared) and is only known by the device being connected to. In laymen's terms, this means the Easy-RSA allows your device to create what are called certificate authority root certificates, and request and sign them. It also allows the use of Certificate Revocation Lists (CRLs), which are basically a blacklist of known, invalid certificates.

There's no harm done installing Easy-RSA, even if you ever need it. If you never use your device to act as a VPN server and/or to create PKI certificates, you will never need it installed. Client-side VPN connections do not create their own security certificates.

Should I Install Easy-RSA?

If you are running a VPN server on your Ubuntu device and/or you have a need to create PKI Certificate Authorities (PKI CAs). If you do have that need, and you don't install Easy-RSA or a similar certificate authority manager, users will be limited to connecting to your VPN server via a simple login/password method only.

Easy-RSA 2 vs 3

If you decide to install Easy-RSA, make sure you choose the correct version. Easy-RSA 3 is designed for Linux. Easy-RSA 2 is for Windows. Furthermore, the Windows-based installer is built-in to the Windows installer of OpenVPN. While this article and website is all about Linux, I am mentioning these facts here to clarify why you don't want to download Easy-RSA 2 for a Linux box.

Installing Easy-RSA 3

The installation of Easy-RSA is explained in the Walkthrough scenarios below.

Installation Walkthroughs

Aside from version, you must decide if you want to install OpenVPN via an installer package (easier) or compile the source code directly on your server. If you choose the latter, you may modify these instructions slightly to install it on other flavors of Linux as the process is very similar (particularly for Debian-based Linux forks).

There are two (2) different package-install methods of installing OpenVPN. The first usses Ubuntu's official packaging repository (Method 1). The second uses OpenVPN's official repository (Method 2).

These instructions pertain to installing OpenVPN only. They do not cover how to install mbedTLS (PolarSSL), which introduces a variety of nuances that complicate the installation process if OpenVPN is built with it instead of OpenSSL (the default).

Remember that this guide is about getting you connected to an existing 3rd party VPN, where your device will be acting as a VPN Client. This guide is not about standing up a VPN server.

Method 1: Official Package Installer

The simplest method of installing OpenVPN is to use Ubuntu's built-in package management system. A packet manager is a concept built into all Linux distributions. New software releases can be compiled into a installation "package" for easy install by users. Packages are programs built from source code. They are nothing more than a container for delivering and installing programs on an end-user machine in one shot.

A primary benefit of installing software on a Linux device via any package repository is if the software package is updated, end users subscribed to the repository will be notified automatically.

Method 1 Installation (OpenVPN Client Only)

Open a command line terminal and execute the following code:

apt -y install openvpn

Method 1 Installation (OpenVPN Client + Server)

Only follow this set of instructions if you intend to install a VPN server and/or you wish to install a Certificate Authority manager on your device for some other reason.

These instructions will install the most recent versions of OpenVPN and Easy-RSA from an official Ubuntu repository.

apt -y install openvpn easy-rsa

As explained above under Repositories, installing from an official Ubuntu ("main") repository will often result in the installation of software that is not the most current. Indeed, when I installed OpenVPN while writing the original version of this article, the result was a rather old version of OpenVPN. Also note this occurred on an instance of Ubuntu 16.04, which may be why the OpenVPN version was so old (even though being on Ubuntu 16.04 and 18.04 is no excuse as 16.04 is still a Long-Term Release and well under its maintenance window).

Result (method 1)

After installation, let's verify which version was installed.

openvpn –version

Ubuntu 16.04 reports: 2.3.10 dtd JAN-2016

It's unwise to install an OpenVPN version prior to the 2.4 branch (check out the related article, OpenVPN Version List and Changelogs)

Given the fact this version is quite old and not even the 2.4 branch, perhaps I ought to try Method 2 instead.


After the installation process completes, jump ahead to OpenVPN Client Configuration.

Method 2: OpenVPN Repository Package

Your next option is to install OpenVPN via OpenVPN's public repository.

Acquire the corresponding public key for the repository's Certificate Authority, and add the OpenVPN repo to your apt repository list.

Ubuntu 14.04.x

Add an OpenVPN repository link to the stable edition of OpenVPN. This will be the most recent production version for your platform (something in the 2.4 platform as of this writing).

wget -O -|apt-key add -
echo "deb trusty main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

Ubuntu 16.04.x

Add an OpenVPN repository link to the stable edition of OpenVPN. This will be the most recent production version for your platform (something in the 2.4 platform as of this writing).

wget -O -|apt-key add -
echo "deb xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

Ubuntu 18.04.x

Add an OpenVPN repository link to the stable edition of OpenVPN. This will be the most recent production version for your platform (something in the 2.4 platform as of this writing).

wget -O -|apt-key add -
echo "deb bionic main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

OpenVPN's repositories above are all Debian based, but they run just fine on Ubuntu distributions.

Next, call the apt installation process. Notice that just like if you were to use the official Ubuntu repositories (Method 1), you have the option to install Easy-RSA, if you believe you may want to operate a VPN server on the current device at some point in the future.

Method 2 Installation (OpenVPN Client Only)

apt -y update && apt -y install openvpn

Method 2 Installation (OpenVPN Client + Server)

apt -y update && apt -y install openvpn easy-rsa

Result (method 2)

Method 2 will result in something like this. Your exact results will vary, depending on a variety of circumstances.

OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08

Notice which versions of OpenVPN and OpenSSL were reportedly installed. The example above shows the OpenVPN version installed is the current version (2.4.7), but the OpenSSL version is old. Does that seem odd? Yes. Yes, it is.

The reported version of OpenSSL is still current (1.0.2 branch), but seems rather old. This is a combination of two factors: First, since the operating system is Ubuntu, the OpenSSL for Ubuntu was run. As of this writing, that installs what is reportedly version 1.0.2g of OpenSSL. However, that is not technically correct.

It's not uncommon for Ubuntu's official repositories to lag behind current regards to third-party software releases. OpenVPN's Wiki underscores this point, noting Ubuntu and Debian are the only Linux distributions for which there are official pre-built repositories. It states in part, "Official Ubuntu and Debian repositories tend to have fairly old OpenVPN versions available."

Aside from repository installer versions, there is another, related discrepancy between the effective versions of OpenSSL in Ubuntu and the operating system's reported versions. This issue is explored in some detail in two related articles: False Version Reporting in Ubuntu 16.04 and Clear as Mud: OpenSSL and Ubuntu's Versioning System.


Jump ahead to OpenVPN Client Configuration.

Method 3: Direct Download

Method 3 uses installers downloaded directly from OpenVPN's website. The download links below are specific to Ubuntu. The ".deb" file extension refers to Debian. Debian is a branch of Linux. Ubuntu is derived from Debian.

Downloading the Installer (.deb)

Type the following commands, consecutively. First, set your working directory to the location where you'd like the debian file installer to be stored:

cd ~

Now, execute the appropriate command to download the installation file based on your Ubuntu version. These commands will preserve the filename assigned by OpenVPN's web servers.

The --content-disposition flag instructs the wget process to preserve the orgiginal filename, if indicated.

Ubuntu 14.04 32-bit

wget --content-disposition

Ubuntu 14.04 64-bit

wget --content-disposition

Ubuntu 16.04 32-bit

wget --content-disposition

Ubuntu 16.04 64-bit

wget --content-disposition

As of version 18.04, Ubuntu is no longer offered in 32-bit variants.

Ubuntu 18.04 64-bit

wget --content-disposition

Run the .deb Installer

.deb files are Debian Installer Packages. Activating these installers requires the use of dpkg, which may be invoked directly or indirectly via the apt command. Note that apt calls the dpkg process. The difference between them is apt will check for uninstalled program dependencies and prompt the user to install them before running the dpkg installer.

The syntax for dpkg is:

sudo dpkg {filename}

Here is an example demonstrating the command on Ubuntu 16.04 64-bit installer for OpenVPN 2.4.7:

sudo dpkg openvpn-as-2.4.7-Ubuntu16.amd_64.deb

The syntax for apt is:

sudo apt install {filename}

Here is an example demonstrating the command on Ubuntu 16.04 64-bit installer for OpenVPN 2.4.7:

sudo apt install openvpn-as-2.4.7-Ubuntu16.amd_64.deb


Jump ahead to OpenVPN Client Configuration.

Method 4: Build OpenVPN 2.x from Source Code

Since OpenVPN is completely open-source, you may just want to compile it yourself from source code.

All of the source files are compressed, so you will need to acquire a single file and then decompress and expand the archives. Acquire the source code either via wget command in a terminal (see below) or visiting the OpenVPN Community Edition (CE) Downloads web page at Either will provide you with the most recent stable version. I'll run through your options below using wget. The path names are the same if you're using a web browser to grab the source files.

First, login as the root user and ensure you're in the home directory. Type the following commands, consecutively:

sudo -i
cd ~

Next, decide which file decompression utility will be required and verify it is installed.

Step 1: Decompression and Unpacking

You have three (3) choices of file extensions. What are their differences?

  1. .zip (zip)
    • Lossy compression
    • Most popular/well known file compression format
    • Deompression + archiving
    • No further actions are required after decompression (i.e. the files are fully extracted at that point)
  2. .gz (gzip)
    • Lossy compression
    • Purportedly more efficient but slower compression method (vs. .zip)
    • Useful when an archive contains a large number of files
    • Requires the extra step of extracting all files from the .tar file
  3. .xz (xz)
    • Different compression algorithm
    • Loss-less compression format
    • Faster to compress/de-compress
    • Larger compressed file size
    • Requires the extra step of extracting all files from the .tar file

Regardless of which file type you choose, they all decompress to a single TAR file. TAR stands for Tape ARchive. TAR files are uncomporessed file archives. They have been a standard container for file storage for a very long time in the Unix/Linux world. Once the original file is decompressed, the resulting TAR file is expanded to reveal all the individual files contained within the archive. Nearly all Linux distributions should understand TAR natively, but ZIP/UNZIP are normally not installed by default.

It doesn't matter which file extension you download. You will end up with the same end result: a .tar file that needs its contents extracted.

Verify you have one or another of these utilities installed. If not, you'll find instructions below on how to install them.

Downloading the zip File

Is unzip installed?

unzip -v

If not, install it in:

apt install -y unzip

Grab the corresponding source file archive.


Extract the source files.


You will see a whole bunch of filenames scroll up your terminal screen. Presuming that is the case, you have successfully extracted the source files.


You should see something like:


Verify the source files were extracted properly.

ls openvpn-2.4.7

Remove the archive file.


Downloading the GZIP File

Is gzip installed?

gzip --version

If not, install it:

apt install -y gzip

Grab the corresponding source file archive.


Decompress the gzip file and unpack the resulting .tar file using a single command.

tar -zxf openvpn-latest-stable.tar.gz

Verify you have successfully extracted the source files.


You should see something like:

openvpn-2.4.7 openvpn-latest-stable.tar.gz

Verify the source files were extracted properly.

ls openvpn-2.4.7

Remove the archive file.

rm openvpn-latest-stable.tar.gz

Downloading the XZ File

xz --help

If not, install it:

apt install -y xz

Grab the corresponding source file archive.


Decompress the gzip file and unpack the resulting .tar file using a single command.

tar -xf openvpn-latest-stable.tar.gz

Verify you have successfully extracted the source files.


You should see something like:

openvpn-2.4.7 openvpn-latest-stable.tar.xz

Verify the source files were extracted properly.

ls openvpn-2.4.7

Remove the archive file.

rm openvpn-latest-stable.tar.xz

Step 2: Run the Installer

Change directory to that of the files you just downloaded. For example:

cd openvpn-2.4.7

Execute the following commands:

make install

Step 3: Installing Easy-RSA [Optional]

Installing Easy-RSA is optional and completely unnecessary unless you will be setting up your device as a VPN server (Easy-RSA's purpose is described above). Linux requires Easy-RSA v3.

If you do wish to install it, you should continue with your methodology of installing from source code. The process is more labor-intensive than installing Easy-RSA via other methods. You will have to navigate to OpenVPN's GitHub page to find the latest version (3.06 as of this writing):

Look for the source code download. Installing Easy-RSA via source code is more complicated than the other methods described briefly in this document. Either way, Easy-RSA is not necessary for a client-side installation of OpenVPN, and is beyond the scope of this document.

Step 4: Client Configuration

Jump ahead to OpenVPN Client Configuration.

Method 5: Build OpenVPN 3 from Source Code

So, you're up for some adventure? Installing OpenVPN version 3 means you will be testing out the cutting edge version of OpenVPN.

OpenVPN 3 is currently a client-only version of OpenVPN. There is no server implementation at this time (October 2019). I know that sounds odd. What does it connect to? OpenVPN 3 will connect to OpenVPN 2.x CE (Community Edition) servers and OpenVPN 2.x AS (Access Server) editions. Also note OpenVPN v3 does not require running the OpenVPN process as root! This is a significant improvement from a security standpoint.

Installing OpenVPN 3

You should consider OpenVPN 3 as experimental product. Think of it as an alpha release. Mostly baked, but not quite done yet. Expect bugs. Expect disconnects. Expect frustrating events. While OpenVPN 3 can be combiled from source code, given its experimental nature and the fact OpenVPN now has a dedicated repository for version 3, this is the recommended path to installing it.

To setup the OpenVPN repository, you must be logged in as root.

sudo -i
cd ~

Get the OpenVPN 3 repository public certificate authority key and add it to your list of keys apt is aware of.

apt-key add

There's a slight chance your wget command does not support HTTPS. If you did not receive an error message when executing the command above, then skip the line below and keep going. If you did receive an error message, execute this command:

apt install apt-transport-https

Based on your Ubuntu version, install the corresponding OpenVPN 3 repository path.

Ubuntu 14.04 [Not Supported]

You cannot install OpenVPN 3 on Ubuntu versions prior to 16.04. OpenVPN 3 uses the D-Bus architecture. Ubuntu added limited D-Bus support in versions 15.04 and 15.10, but it is insufficient to run OpenVPN 3. Besides, they are no longer supported, having reached EOL (End Of Life) in 2016.

Ubuntu 16.04 32-bit

It's unclear whether or not OpenVPN 3 supports 32-bit platforms. After searching extensively, I could not locate any information indicating whether or not 32-bit platforms are supported. I would surmise if the platform supports D-Bus then it should work, but that is not a foregone conclusion. At this point, I suspect it would work on a 32-bit Ubuntu 16.04 operating system, but have not verified this.

Follow the instructions below for Ubuntu 16.04 64-bit installs.

Ubuntu 16.04 64-bit

wget -O /etc/apt/sources.list.d/openvpn3.list

Ubuntu 18.04 (64-bit)

Note: Ubuntu 18.04 is only available as a 64-bit version.

wget -O /etc/apt/sources.list.d/openvpn3.list

Update apt Cache and Run Installer

apt -y update && apt -y install openvpn3

OpenVPN 3 Client Configuration

OpenVPN 3 configuration is unique. For the time being, consult

OpenVPN Client Configuration

OpenVPN is a double-edged sword in some respects. It has a variety of configuraiton options for both client and server connections. As a result, it's highly preferable to have a good understanding of the server configuration you wish to connect to. If you will be connecting to a third-party VPN server, the server operator should inform you which protocols are acceptable for their service. Likewise, when connecting to a corporate network, someone should inform you ahead of time of its parameters. Normally, a third-party (of any type) will provide a client configuration template to guide you in setting up your OpenVPN client to connect to their server(s).

Default Client Configuration File

The default configuration file is found on GitHub at


1mbedtls (PolarSSL) began in OpenVPN 2.3.3

2 Requires OpenVPN 2.4.x or higher, mbedTLS version 2.0.0 or higher already installed, and building OpenVPN from source code. It is then possible to force installation of mbedTLS instead of OpenSSL. [Reference: OpenVPN Readme]