Sam - September 20, 2016

How to Install OpenVPN in 15 minutes on and Connect using OSX



OpenVPN is pretty much the most secure protocol available that is easy to set up and widely supported across all major devices. Unlike other protocols such as IKEv2, you’ll find that OpenVPN is supported on Mac OSX, Windows, Linux, Android, Windows Phone, etc.

These guys are competitors to DigitalOcean and provide slightly higher specifications with their cloud instances. I will write another article showing the main differences between the two.

Let’s get started

This guide can be used on any Ubuntu platform but I’ll specifically be talking about setting up on (competitor to DigitalOcean).

Step 1 – Create your cloud instance

I will be using Ubuntu 16.04 x64 on the $5 per month plan which includes 768mb ram and 1TB bandwidth per month which is more than enough for a personal VPN.

Step 2 – Update and install packages

Since this is a brand new server it’s always a good habit to update your repositories and make sure your packages are the latest versions available to minimize any security risks or outdated software.

sudo apt-get -y update && sudo apt-get -y upgrade

Now let’s install OpenVPN and the certificate generator (easy-rsa):

sudo apt-get -y install openvpn bind9 easy-rsa

Step 3 – Configure OpenVPN /etc/openvpn/server.conf

Paste everything below into the file /etc/openvpn/server.conf

In the next step we will replace the text IP_ADDRESS

port 443
proto udp
dev tun
ca      easy-rsa/keys/ca.crt
cert    easy-rsa/keys/server.crt
key     easy-rsa/keys/server.key
dh      dh2048.pem
keepalive 10 30
status openvpn-status.log 20
status-version 2
push "redirect-gateway def1"
push "dhcp-option DNS"
push "dhcp-option DNS"

# Username and Password authentication.
plugin /usr/lib/openvpn/ login
verb 4
log-append /var/log/openvpn.log

Now replace the part at the top that says IP_ADDRESS with your primary device’s IP address, changing the last octet to .0

You can do this in a single command like below:

ip route get | awk '{print $NF; exit}' | sed 's/\.[0-9]*$/.0/'


Now replace this part:


With this:


Step 3 – Certificate generation

Let’s copy across the easy-rsa generation files

cp -r /usr/share/easy-rsa/ /etc/openvpn/

You can edit the variables in /etc/openvpn/easy-rsa/vars, but this is not required. Since we want to set this up as quickly as possible, we will skip it.

Now run the command:

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

This will take some time and will output numerous dots and + signs.

Now run

cd /etc/openvpn/easy-rsa && source ./vars && ./clean-all && ./build-ca

You will be asked to enter a bunch of variables. You can just keep pressing ENTER to use the default values.

root@vpn-tutorial:/etc/openvpn/easy-rsa# ./build-ca
Generating a 2048 bit RSA private key
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Next let’s generate the server.key file

./build-key-server server

Just like above, you can keep pressing ENTER and use the default values. The only additional thing it will bring up is the certificate request, and you can use the default values for this too.


root@vpn-tutorial:/etc/openvpn/easy-rsa# ./build-key-server server
Generating a 2048 bit RSA private key
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Sep 18 06:16:20 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

When it asks you if you want to

Sign the certificate? [y/n]

Choose yes (enter y)

1 out of 1 certificate requests certified, commit? [y/n]

Choose yes (enter y)

Step 4 – iptables rules and more

We need to add one iptables rule for your primary network interface.

You will need to know what your interface name is which you can get from ifconfig or alternatively use this command:

iptables -t nat -A POSTROUTING -o `ip route get | awk '{ print $5; exit }'` -j MASQUERADE

Now we have to enable IP forwarding by executing the following command (a value set with sysctl -w is lost at reboot unless it is also written to /etc/sysctl.conf):

sudo sysctl -w net.ipv4.ip_forward=1

Step 5 – Add a user

Now we simply need to add a user to our server. Since we are authenticating with PAM (the Linux user system), we can just use the built-in user management system.

Add the user by typing:

useradd vpnusername

Now set a password:

passwd vpnusername

Enter the password twice for confirmation


root@vpn-tutorial:/etc/openvpn# passwd vpnuseruser
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Great.. We are almost done!

The last two things we need to do are:

Restart OpenVPN service

Run this command to restart the service

service openvpn restart

You can get a full list of commands by typing the same as here:

root@vpn-tutorial:/etc/openvpn# service openvpn
Usage: /etc/init.d/openvpn {start|stop|reload|restart|force-reload|cond-restart|soft-restart|status}
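
Because this server accepts username and password logins on a public port, it is worth checking the log that server.conf writes (/var/log/openvpn.log) for repeated failures. The script below is an added example, not part of the original guide; it assumes the OpenVPN 2.3 log layout with IPv4 peers, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): count failed VPN logins per
# source address in the server log written by "log-append".

# failed_auth_by_ip LOGFILE [MIN]  -> prints "count address", highest first
failed_auth_by_ip() {
    awk -v min="${2:-1}" '
        /TLS Auth Error: Auth Username\/Password verification failed/ {
            # The peer "address:port" is the token just before "TLS".
            for (i = 2; i <= NF; i++) {
                if ($i == "TLS") {
                    peer = $(i - 1)
                    sub(/:[0-9]+$/, "", peer)   # drop the source port
                    fails[peer]++
                    break
                }
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) print fails[ip], ip
        }
    ' "$1" | sort -rn
}

# Constructed sample lines in the OpenVPN 2.3 log layout (assumed format);
# the addresses come from documentation ranges.
sample_log() {
    cat <<'EOF'
Tue Sep 20 16:10:01 2016 us=101 203.0.113.7:51234 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Sep 20 16:10:05 2016 us=202 203.0.113.7:51240 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Sep 20 16:10:09 2016 us=303 198.51.100.9:40111 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Sep 20 16:10:12 2016 us=404 203.0.113.7:51251 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Sep 20 16:11:30 2016 us=505 192.0.2.44:60022 TLS: Username/Password authentication succeeded for username 'vpnusername'
EOF
}

log=$(mktemp)
sample_log > "$log"
failed_auth_by_ip "$log" 2     # only sources with two or more failures
rm -f "$log"
```

On the real server, run failed_auth_by_ip /var/log/openvpn.log 5 to list sources with five or more failed logins.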

Install OpenVPN on OSX and create our configuration file

We are going to use Homebrew for Mac OSX, if you don’t have this you can install it with one command by visiting

Now that you have it installed simply install the openvpn package by typing

brew install openvpn

You won’t need to answer any prompts but this will take some time to complete

Once this has been completed, or while it is running (if you want to save time) we will need to create our .ovpn configuration file.

This is a simple file with some parameters that openvpn will read to connect to our server.

Copy this to a local file on your Desktop and name it “myconnection.ovpn” (or whatever you want)

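client
dev tun
proto udp
resolv-retry infinite
verb 3
route-method exe
route-delay 2
setenv opt block-outside-dns
remote YOUR_IP_ADDRESS 443
# Prompt for the VPN username and password (PAM user on the server)
auth-user-pass
# CA certificate, pasted inline
<ca>
YOUR_CERTIFICATE
</ca>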

Now you just need to replace two variables inside this file

Replace YOUR_IP_ADDRESS with the server’s IP address (your Vultr instance IP).

Replace YOUR_CERTIFICATE with the ca.crt contents that are inside /etc/openvpn/easy-rsa/keys/ca.crt

You can get this by typing the following command on your server

cat /etc/openvpn/easy-rsa/keys/ca.crt


root@vpn-tutorial:~# cat /etc/openvpn/easy-rsa/keys/ca.crt

Now save the file
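
The two replacements above can also be scripted so that only the public CA certificate, and never a private key, ends up in the client profile. This is an added example, not part of the original guide; build_profile and demo are hypothetical helper names, and the template and certificate body in demo are constructed dummy input.

```shell
#!/bin/sh
# Added example (not from the original guide): fill in the two placeholders
# the guide names, YOUR_IP_ADDRESS and YOUR_CERTIFICATE, with basic checks.

# build_profile TEMPLATE CA_FILE SERVER_IP   (profile is written to stdout)
build_profile() {
    tpl=$1; ca=$2; ip=$3

    # Only a dotted-quad IPv4 address may land on the "remote" line.
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "build_profile: '$ip' is not an IPv4 address" >&2; return 1; }

    # Clients get the public CA certificate only. Refuse anything that
    # contains key material (for example ca.key or server.key).
    if grep -q 'PRIVATE KEY' "$ca"; then
        echo "build_profile: $ca contains a private key" >&2; return 1
    fi
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca")" -eq 1 ] || {
        echo "build_profile: $ca is not a single PEM certificate" >&2; return 1; }

    awk -v ip="$ip" -v ca="$ca" '
        $0 == "YOUR_CERTIFICATE" {
            # Copy only the PEM block, skipping any text around it.
            while ((getline line < ca) > 0) {
                if (line ~ /^-----BEGIN CERTIFICATE-----/) keep = 1
                if (keep) print line
                if (line ~ /^-----END CERTIFICATE-----/) keep = 0
            }
            next
        }
        { gsub(/YOUR_IP_ADDRESS/, ip); print }
    ' "$tpl"
}

# Demo on constructed inputs (the certificate body is a dummy string).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'dev tun' 'remote YOUR_IP_ADDRESS 443' \
        '<ca>' 'YOUR_CERTIFICATE' '</ca>' > "$d/tpl"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    build_profile "$d/tpl" "$d/ca.crt" 203.0.113.10
    rm -rf "$d"
}
demo
```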

We’re ready to connect!

Great, assuming that everything has gone to plan we’re now ready to connect to our personal OpenVPN server.

On our local computer you can initiate the connection by typing:

sudo openvpn --config ~/Desktop/myconnection.ovpn

You will probably be prompted for your password first since we are executing with sudo; enter your local OSX password here.

Then you will be prompted to enter your username and password. In our case it was vpnusername and whatever password you chose previously.

sbook:~ scross$ sudo openvpn --config ~/Desktop/myconnection.ovpn 
Tue Sep 20 16:07:39 2016 Unrecognized option or missing parameter(s) in myconnection.ovpn:14: block-outside-dns (2.3.10)
Tue Sep 20 16:07:39 2016 OpenVPN 2.3.10 x86_64-apple-darwin15.2.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jan  6 2016
Tue Sep 20 16:07:39 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Enter Auth Username:vpnusername
Enter Auth Password:

There will then be a bunch more messages, some of which will look like errors, such as:

"ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address"

You can safely ignore this, it is just OpenVPN doing its thing.


Now load up your web browser and visit you should now see your server / cloud instance IP address instead of your usual IP.

Give yourself a pat on the back if it was your first time setting up a VPN server and connecting.

If you have any issues at all setting it up, just comment below and we can troubleshoot it together.
