Why OpenVPN, and when to pick it
OpenVPN is the veteran of self-hosted VPNs: over twenty years old, audited to death, and supported by every VPN app and router on the planet. It is not the fastest option - WireGuard beats it on speed and battery - but it has one trick WireGuard lacks: it can run over TCP on port 443, the same port as normal HTTPS. That lets it slip through restrictive hotel, office and airport firewalls that block everything except web traffic.
Where OpenVPN is not the right tool is heavy, DPI-based censorship. Systems like Russia's TSPU can fingerprint and block plain OpenVPN just as they block plain WireGuard. If your goal is bypassing that kind of blocking, use our VLESS + Reality guide instead. Pick OpenVPN when you want a rock-solid, universally compatible personal VPN and the freedom to hide on port 443.
- A cheap KVM-based VPS running Ubuntu 22.04 or 24.04 (the installer supports Ubuntu 18.04 and newer).
- root SSH access - your provider emails this after you pay.
- About 10 minutes. A well-maintained script does the hard parts (certificates, firewall, routing) for you.
root. Prefer the fastest modern protocol instead? See our WireGuard guide.Step 1: Connect and update the server
Log in over SSH (replace with your server's IP) and install the latest updates:
ssh root@YOUR_SERVER_IP
apt update && apt upgrade -y
Step 2: Download the installer
We will use the well-known open-source angristan/openvpn-install script. It installs OpenVPN, generates all the certificates, sets up the firewall and routing, and manages client files - the parts that make a manual OpenVPN setup painful. Download it and make it runnable:
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
Step 3: Run it and answer the questions
Start the installer:
./openvpn-install.sh
It asks a short list of questions. For most people the defaults are right - here is what to choose:
- Public IP: it detects your server's IP automatically. Accept it unless the server is behind NAT.
- Protocol:
UDPis the default and is faster - keep it for everyday use. ChooseTCPonly if you specifically need to hide on port 443 (see the tip below). - Port: keep the default
1194for UDP. If you picked TCP to get through a strict firewall, set the port to443. - DNS: pick a public resolver such as Cloudflare or Quad9 so your lookups do not leak to your local provider.
- Cipher and certificate: just accept the defaults - the script uses modern, safe settings (AES-128-GCM, ECDSA).
- Client name: type a short name for your first device, for example
phone. - Password protection: the script asks whether the client should be passwordless or password-protected. Adding a password means a stolen
.ovpnfile is useless without it - worth it for a phone or laptop that could be lost.
The script runs for a minute and finishes by creating a client config file ending in .ovpn in the /root folder.
TCP and port 443 at these questions - decide now, because to change the protocol or port later you have to remove OpenVPN and reinstall. On 443 your VPN uses the same port as HTTPS, so it slips past hotel, cafe and airport firewalls that filter only by port number. It is not invisible, though: smart DPI can still tell it is a VPN, so this is not a censorship bypass (for that use VLESS + Reality, linked above). And TCP is noticeably slower - wrapping your TCP traffic inside a TCP tunnel can collapse under packet loss (the "TCP meltdown" effect) - so use it only when a network blocks UDP.Step 4: Get the .ovpn file onto your device
Everything a client needs is inside that single .ovpn file - keys, certificates and settings. Copy it from the server to your computer with scp (run this on your computer, replacing the name and IP):
scp root@YOUR_SERVER_IP:/root/phone.ovpn .
To get it onto a phone, use whatever is handy: send the .ovpn to yourself in a messenger's "Saved Messages", drop it in your cloud drive and delete it afterwards, or pull it off the server with a graphical SFTP app such as Cyberduck or FileZilla. Treat the file like a password - anyone who has it can connect as you, so delete stray copies once your device is set up.
Step 5: Install a client app and connect
The official OpenVPN Connect app works on every platform; on desktop you can also use lighter alternatives. Pick yours, import the .ovpn file, and connect.
Android: install OpenVPN Connect from Google Play. Open it, choose Import Profile -> File, pick your .ovpn file, then tap the switch to connect.
iPhone and iPad: install OpenVPN Connect from the App Store. Share the .ovpn file to the app (or use Import -> File), then toggle it on and allow the VPN profile.
Windows: install OpenVPN Connect, click Import Profile -> Upload File, select your .ovpn, then press connect.
macOS: install OpenVPN Connect or the free Tunnelblick. Import the .ovpn file and connect.
Linux desktop: install the CLI with apt install openvpn and connect with openvpn --config phone.ovpn, or import the file into NetworkManager for a click-to-connect toggle.
Step 6: Add or remove devices later
Give every device its own profile so you can revoke one without disturbing the others. To add a laptop or revoke a lost phone, just run the installer again - it detects the existing server and offers a menu:
./openvpn-install.sh
Choose Add a new user to create another .ovpn, or Revoke existing user to cut off a device for good.
Step 7: Verify it works
With the client connected, confirm two things on our own Network tools page. First, the internet should now show your server's IP - shown at the top of the page. Second, open the DNS Leak Test tab: the resolvers listed should be the DNS you picked in Step 3, never your home ISP. If both look right, your OpenVPN tunnel is live.
Common mistakes
- Cloud provider firewall. Big hosts - AWS, Oracle Cloud, Azure, Google Cloud - have their own Security Groups in the web panel, separate from Ubuntu's firewall, and your port is often closed there by default. Open your chosen port (
1194/udp, or443/tcp) in the provider's panel too, not just inufw. - Wrong protocol expectations. UDP is faster but some restrictive networks block it - if a public Wi-Fi refuses to connect, that is when the TCP-443 build earns its keep.
- Sharing one profile. Loading the same
.ovpnon two devices at once causes drops. Generate a separate profile per device. - OpenVPN for censorship. Plain OpenVPN, even on 443, is detectable by advanced DPI. In heavily censored networks use VLESS + Reality instead.
The honest limits
A self-hosted OpenVPN server is private from your local network and your ISP, but the usual limits of self-hosting still apply: your VPS provider can see the IP addresses connecting to the server and, on a virtual machine, can snapshot its RAM. To reduce what your own server keeps on disk, follow up with our guide on how to make your VPS keep no logs. And as always, a VPN changes where your traffic appears to come from - it does not put you above the law of wherever you live.
/etc/openvpn/ somewhere safe, keep the system updated with apt upgrade, and revoke any profile you no longer use. If you ever want to remove everything, re-run the installer and choose Remove OpenVPN.