NavigationContentFooter
Jump toSuggest an edit

Installing OpenVPN on a Scaleway Instance running Ubuntu 24.04

Reviewed on 06 January 2025Published on 16 January 2019
  • vpn
  • OpenVPN
  • Ubuntu

Learn how to install and configure OpenVPN on Ubuntu 24.04 LTS with this comprehensive guide. Follow our step-by-step instructions to establish a secure VPN connection via your Scaleway Instance with ease.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An SSH key
  • An Instance running on Ubuntu 24.04 LTS

Installing OpenVPN and Easy-RSA

  1. Connect to your Instance via SSH.
    root@<YOUR_INSTANCE_IP>
  2. Update the package list and upgrade already installed packages:
    apt update
    apt upgrade -y
  3. Install OpenVPN and Easy-RSA using apt:
    apt install -y openvpn easy-rsa

Setting up the Certificate Authority (CA)

  1. Create a directory for Easy-RSA and navigate to it:

    mkdir -p ~/openvpn-ca
    cd ~/openvpn-ca
  2. Initialize the Public Key Infrastructure (PKI):

    cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
    cd /etc/openvpn/easy-rsa/
    ./easyrsa init-pki
  3. Build the Certificate Authority (CA):

    ./easyrsa build-ca

    You will be prompted to set a passphrase and provide a Common Name (e.g., “OpenVPN-CA”).

Generating server and client certificates

  1. Generate the server certificate and key:
    ./easyrsa gen-req server nopass
    ./easyrsa sign-req server server
    Approve the signing request when prompted.
  2. Generate Diffie-Hellman parameters:
    ./easyrsa gen-dh
  3. Generate a shared secret for additional security:
    openvpn --genkey secret /etc/openvpn/ta.key

Configuring the OpenVPN Server

  1. Copy the necessary files to the OpenVPN directory:
    cp pki/ca.crt pki/private/server.key pki/issued/server.crt /etc/openvpn/
    cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
    cp /etc/openvpn/ta.key /etc/openvpn/
  2. Create the OpenVPN server configuration file:
    nano /etc/openvpn/server.conf
  3. Add the following configuration:
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    auth SHA256
    tls-auth ta.key 0
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 10 120
    cipher AES-256-GCM
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    log-append /var/log/openvpn.log
    verb 3
    Save and exit the editor.

Enabling IP forwarding and configuring the firewall

  1. Enable IP forwarding:
    echo 'net.ipv4.ip_forward=1' | tee -a /etc/sysctl.conf
    sysctl -p
  2. Configure the firewall (UFW):
    ufw allow 1194/udp
    ufw allow OpenSSH
  3. Edit the UFW configuration to allow forwarding:
    nano /etc/ufw/before.rules
  4. Add the following lines before the *filter line:
    *nat
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
  5. Save and exit, then reload UFW:
    ufw disable
    ufw enable

Starting the OpenVPN server

  1. Start and enable the OpenVPN service:

    systemctl start openvpn@server
    systemctl enable openvpn@server
  2. Check the status of the OpenVPN service:

    systemctl status openvpn@server

    Ensure it is active and running.

Generating client configuration

  1. Generate client certificates:

    cd /etc/openvpn/easy-rsa/
    ./easyrsa gen-req client1 nopass
    ./easyrsa sign-req client client1

    Approve the signing request when prompted.

  2. Create the client configuration file: On your server, create a new client configuration file named client1.ovpn:

    nano ~/client1.ovpn
  3. Add the following configuration in the file, replacing your_server_ip_or_domain with your server’s IP address or domain name:

    client
    dev tun
    proto udp
    remote your_server_ip_or_domain 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    auth SHA256
    cipher AES-256-GCM
    verb 3
    <ca>
    -----BEGIN CERTIFICATE-----
    # Insert the content of /etc/openvpn/ca.crt here
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    # Insert the content of /etc/openvpn/easy-rsa/pki/issued/client1.crt here
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    # Insert the content of /etc/openvpn/easy-rsa/pki/private/client1.key here
    -----END PRIVATE KEY-----
    </key>
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    # Insert the content of /etc/openvpn/ta.key here
    -----END OpenVPN Static key V1-----
    </tls-auth>
    key-direction 1
    Note

    Replace the placeholder text (e.g., # Insert the content of /etc/openvpn/ca.crt here) with the actual contents of the respective files. You can use the cat command to display the contents of each file and then copy and paste them into the appropriate sections of the client1.ovpn file.

    • For example:
      cat /etc/openvpn/ca.crt

    Copy the output and paste it between the <ca> and </ca> tags in the client1.ovpn file.

  4. Transfer the client configuration file to the client device: Use a secure method to transfer the client1.ovpn file to the device you intend to use as a client. You can use scp (secure copy) for this purpose:

    scp ~/client1.ovpn user@client_device_ip:/path/to/destination/

    Replace user with your username on the client device, client_device_ip with the client’s IP address, and /path/to/destination/ with the desired directory on the client device.

  5. Install OpenVPN on the client device: Ensure that the OpenVPN client is installed on your client device. Installation methods vary depending on the operating system:

    • Linux:

      apt update
      apt install -y openvpn
    • Windows:

      Download and install the OpenVPN client from the official website.

    • macOS:

      Download and install Tunnelblick, a free OpenVPN client for macOS.

  6. Connect to the VPN:

    • Linux:

      Use the following command to start the VPN connection:

      openvpn --config /path/to/client1.ovpn
    • Windows/macOS:

      Import the client1.ovpn file into your OpenVPN client application and initiate the connection through the application’s interface.

  7. Verify the connection: Once connected, verify that your public IP address matches the VPN server’s IP address, indicating that your internet traffic is being routed through the VPN. You can check your public IP address by visiting WhatIsMyIP.com or a similar service.

Your OpenVPN server is now configured on your Ubuntu 24.04 LTS instance, and your client device is set up to connect securely.

Maintenance

For ongoing maintenance, remember to renew your Let’s Encrypt certificates regularly (they expire every 90 days). You can automate this process with a cron job:

echo "0 0 1 */2 * certbot renew --quiet" | tee -a /etc/crontab

This cron job runs the certbot renew command on the first day of every second month at midnight.

Was this page helpful?
API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2025 – Scaleway