Installing OpenVPN on a Scaleway Instance running Ubuntu 24.04
Learn how to install and configure OpenVPN on Ubuntu 24.04 LTS with this comprehensive guide. Follow our step-by-step instructions to establish a secure VPN connection via your Scaleway Instance with ease.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An SSH key
- An Instance running on Ubuntu 24.04 LTS
Installing OpenVPN and Easy-RSA
- Connect to your Instance via SSH.
ssh root@<YOUR_INSTANCE_IP>
- Update the package list and upgrade already installed packages:
apt update
apt upgrade -y
- Install OpenVPN and Easy-RSA using apt:
apt install -y openvpn easy-rsa
Setting up the Certificate Authority (CA)
- Create the Easy-RSA working directory under /etc/openvpn, copy the Easy-RSA scripts into it and navigate to it:
mkdir -p /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/
- Initialize the Public Key Infrastructure (PKI):
./easyrsa init-pki
- Build the Certificate Authority (CA):
./easyrsa build-ca
You will be prompted to set a passphrase and provide a Common Name (e.g., "OpenVPN-CA"). Keep the passphrase safe: it is required every time you sign a certificate, and anyone who holds pki/private/ca.key together with it can issue certificates your server will trust.
Generating server and client certificates
- Generate the server certificate and key, then sign the request with the CA:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
Approve the signing request when prompted and enter the CA passphrase. The "server" type adds the TLS server extended key usage that the remote-cert-tls server check in the client profile relies on.
- Generate Diffie-Hellman parameters (this can take several minutes):
./easyrsa gen-dh
- Generate a shared tls-auth key. The server uses it to drop packets that do not carry a valid HMAC before any TLS handshake takes place, which hides the service from port scans and shields the TLS stack from unauthenticated traffic:
openvpn --genkey secret /etc/openvpn/ta.key
Configuring the OpenVPN Server
- Copy the necessary files to the OpenVPN directory (run from /etc/openvpn/easy-rsa; ta.key was created there in the previous step):
cp pki/ca.crt pki/private/server.key pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/
server.key and ta.key are secrets: make sure they stay readable by root only.
- Create the OpenVPN server configuration file:
nano /etc/openvpn/server.conf
- Add the following configuration, then save and exit the editor:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
The file names are relative to /etc/openvpn, the working directory of the openvpn@server unit. tls-auth ta.key 0 on the server pairs with key-direction 1 in the client profile. The redirect-gateway push routes all of the client's traffic through the tunnel, and the two dhcp-option lines hand it Google's resolvers; replace them if you prefer another DNS provider.
Enabling IP forwarding and configuring the firewall
- Enable IP forwarding, so that the kernel routes packets between the tunnel and the public interface:
echo 'net.ipv4.ip_forward=1' | tee -a /etc/sysctl.conf
sysctl -p
- Configure the firewall (UFW). Allow SSH before enabling UFW, otherwise you lock yourself out of the Instance:
ufw allow OpenSSH
ufw allow 1194/udp
UFW's FORWARD chain drops packets by default, so forwarding between tun0 and the public interface must also be permitted, either by setting DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw or, more narrowly, with a ufw route allow rule from tun0 to the public interface.
- Edit the UFW configuration to add a NAT rule, so that traffic from VPN clients leaves the Instance with its public address:
nano /etc/ufw/before.rules
- Add the following lines before the *filter line. eth0 is a placeholder: replace it with the name of your Instance's public interface, shown as the dev of the default route in the output of ip route show default:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
- Save and exit, then restart UFW so that it loads the new rules:
ufw disable
ufw enable
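The forwarding and NAT step above is easy to get subtly wrong: the public interface name differs between Instances, and running the before.rules edit twice leaves two *nat tables. The script below is an added example, not part of this guide or of UFW; it reads the public interface off the default route, inserts the MASQUERADE block in front of *filter exactly once, and keeps the privileged commands behind an explicit apply argument so the file-editing logic can be tried on a copy. The interface name ens2 used in the comments, the 10.8.0.0/24 subnet and the sysctl.d file name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Scaleway guide. Helpers for the forwarding and
# NAT step: default_iface finds the public interface, patch_before_rules adds
# the *nat block to a before.rules file exactly once, apply_forwarding runs the
# privileged commands (root on the Instance). Interface name, subnet and the
# sysctl.d file name are assumptions; adjust them to your Instance.

# default_iface: read "ip -o route show default" on stdin, print the interface.
default_iface() {
    # "default via 10.0.0.1 dev ens2 proto dhcp ..." -> ens2
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# patch_before_rules FILE IFACE [SUBNET]: insert the MASQUERADE block in front
# of the first "*filter" line of FILE; do nothing if the rule is already there.
patch_before_rules() {
    file=$1; iface=$2; subnet=${3:-10.8.0.0/24}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if grep -q -- "-A POSTROUTING -s $subnet -o $iface -j MASQUERADE" "$file"; then
        return 0   # idempotent: a second run must not add a second *nat table
    fi
    grep -q '^\*filter' "$file" || { echo "no *filter table in $file" >&2; return 1; }
    scratch=$(mktemp) || return 1
    awk -v subnet="$subnet" -v iface="$iface" '
        !inserted && /^\*filter/ {
            print "# OpenVPN: masquerade tunnel clients behind the public interface"
            print "*nat"
            print ":POSTROUTING ACCEPT [0:0]"
            print "-A POSTROUTING -s " subnet " -o " iface " -j MASQUERADE"
            print "COMMIT"
            print ""
            inserted = 1
        }
        { print }
    ' "$file" > "$scratch" && cat "$scratch" > "$file"   # cat keeps the file mode and owner
    rm -f "$scratch"
}

# apply_forwarding IFACE: the privileged steps from the guide, in a safe order
# (SSH is allowed before UFW is re-enabled). Only runs when invoked with "apply".
apply_forwarding() {
    iface=$1
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-openvpn-forward.conf
    sysctl -p /etc/sysctl.d/99-openvpn-forward.conf
    patch_before_rules /etc/ufw/before.rules "$iface"
    ufw allow OpenSSH
    ufw allow 1194/udp
    # UFW's FORWARD chain drops by default; allow only tun0 -> public interface
    # instead of opening DEFAULT_FORWARD_POLICY for every interface.
    ufw route allow in on tun0 out on "$iface"
    ufw disable && ufw --force enable
}

if [ "${1:-}" = "apply" ]; then
    apply_forwarding "$(ip -o route show default | default_iface)"
fi
```

Run it as root with the apply argument on the Instance; without an argument it only defines the functions, which is what lets you test patch_before_rules against a copy of before.rules first.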
Starting the OpenVPN server
- Start and enable the OpenVPN service:
systemctl start openvpn@server
systemctl enable openvpn@server
- Check the status of the OpenVPN service:
systemctl status openvpn@server
Ensure it is active and running. If it is not, /var/log/openvpn.log contains the reason; a wrong file name in server.conf is the usual cause.
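Once clients connect, the status openvpn-status.log line in server.conf gives you a per-session view of who is on the VPN. The helpers below are an added example, not part of this guide or of OpenVPN; they parse the status file (the default version 1 format) into one line per session and flag common names that are not on an allow-list, which is a quick way to notice a certificate that should have been revoked. The sample status file, its common names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the Scaleway guide: read the status file that the
# "status openvpn-status.log" line in server.conf makes OpenVPN rewrite every
# minute (status-version 1 format). It resolves to /etc/openvpn/openvpn-status.log,
# the working directory of the openvpn@server unit; pass another path if needed.

# sample_status: constructed status file (fake names and addresses) for trying
# the functions without a running server.
sample_status() {
    cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Wed May  1 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,198.51.100.7:51820,123456,654321,Wed May  1 09:30:00 2024
client2,203.0.113.99:40000,42,42,Wed May  1 09:45:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,client1,198.51.100.7:51820,Wed May  1 09:59:58 2024
10.8.0.3,client2,203.0.113.99:40000,Wed May  1 09:59:59 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# list_clients FILE: one line per session, "common_name real_address vpn_address"
list_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/     { section = "clients"; next }
        /^ROUTING TABLE/           { section = "routes";  next }
        /^GLOBAL STATS/ || /^END/  { section = "";        next }
        section == "clients" && NF >= 5 && $1 != "Common Name"     { real[$1]  = $2 }
        section == "routes"  && NF >= 4 && $1 != "Virtual Address" { vaddr[$2] = $1 }
        END {
            for (cn in real)
                printf "%s %s %s\n", cn, real[cn], ((cn in vaddr) ? vaddr[cn] : "-")
        }
    ' "$1" | sort
}

# count_clients FILE: number of connected sessions
count_clients() {
    list_clients "$1" | wc -l | tr -d ' '
}

# unexpected_clients FILE ALLOWED...: sessions whose common name is not in the
# allow-list, for example a certificate that should have been revoked.
unexpected_clients() {
    statusfile=$1; shift
    list_clients "$statusfile" | while read -r cn rest; do
        ok=0
        for a in "$@"; do [ "$cn" = "$a" ] && ok=1; done
        [ "$ok" -eq 1 ] || echo "$cn $rest"
    done
}

if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp); sample_status > "$demo"
    list_clients "$demo"
    echo "sessions: $(count_clients "$demo")"
    echo "not on allow-list:"; unexpected_clients "$demo" client1
    rm -f "$demo"
fi
```

On the Instance, point the functions at /etc/openvpn/openvpn-status.log and keep the allow-list in sync with the certificates you have issued; the demo argument runs them over the constructed sample instead.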
Generating client configuration
- Generate the client certificate and key, then sign the request with the CA:
cd /etc/openvpn/easy-rsa/
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
Approve the signing request when prompted. Issue one certificate per device or user rather than sharing one, so that a single lost device can be revoked without cutting off the others.
- Create the client configuration file: on your server, create a new client configuration file named client1.ovpn:
nano ~/client1.ovpn
- Add the following configuration to the file, replacing your_server_ip_or_domain with your server's IP address or domain name. Paste only the PEM blocks, from the BEGIN line to the END line, into the inline sections; pki/issued/client1.crt starts with a human-readable dump of the certificate that must be left out. key-direction 1 pairs with tls-auth ta.key 0 on the server.
client
dev tun
proto udp
remote your_server_ip_or_domain 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
# Insert the content of /etc/openvpn/ca.crt here
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
# Insert the content of /etc/openvpn/easy-rsa/pki/issued/client1.crt here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
# Insert the content of /etc/openvpn/easy-rsa/pki/private/client1.key here
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# Insert the content of /etc/openvpn/ta.key here
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
- Transfer the client configuration file to the client device. The file embeds the client's private key, so use a secure channel such as scp. Since the Instance usually cannot reach the client device directly, run the copy from the client device and pull the file from the Instance:
scp root@<YOUR_INSTANCE_IP>:~/client1.ovpn /path/to/destination/
Replace <YOUR_INSTANCE_IP> with your Instance's IP address and /path/to/destination/ with the desired directory on the client device. Once the profile is on the client, delete ~/client1.ovpn from the server and make the copy on the client readable by your user only.
- Install OpenVPN on the client device. Installation methods vary depending on the operating system:
  - Linux:
apt update
apt install -y openvpn
  - Windows: download and install the OpenVPN client from the official website.
  - macOS: download and install Tunnelblick, a free OpenVPN client for macOS.
- Connect to the VPN:
  - Linux: use the following command to start the VPN connection (it needs root to create the tun interface):
openvpn --config /path/to/client1.ovpn
  - Windows/macOS: import the client1.ovpn file into your OpenVPN client application and initiate the connection through the application's interface.
- Verify the connection. Once connected, check that your public IP address matches the VPN server's IP address, which shows that your internet traffic is being routed through the VPN; you can look it up by visiting WhatIsMyIP.com or a similar service. On the server, the session also appears in /etc/openvpn/openvpn-status.log with the client's common name and the address it connected from.
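Pasting four PEM blocks into the profile by hand is error-prone, in particular because pki/issued/client1.crt starts with a human-readable dump that must not be copied. The script below is an added example, not part of this guide or of Easy-RSA; it assembles the profile from the files created above, keeps only the PEM blocks, refuses a passphrase-protected key (the guide generates client keys with nopass) and writes the result with mode 0600 because it contains the private key. The paths mirror the guide's layout and are parameters; make_demo_pki writes constructed placeholder files so the builder can be tried without a real PKI.

```shell
#!/bin/sh
# Added example, not part of the Scaleway guide: assemble client1.ovpn from the
# PKI files instead of pasting them by hand. Assumed layout follows the guide:
# PKI under /etc/openvpn/easy-rsa/pki, tls-auth key at /etc/openvpn/ta.key;
# all paths are parameters. make_demo_pki writes placeholder PEM files
# (constructed, not real keys) so the builder can be exercised anywhere.

# pem_block FILE TYPE: print only the "-----BEGIN TYPE-----" ... "-----END TYPE-----"
# block, dropping the human-readable header Easy-RSA prepends to pki/issued/*.crt.
pem_block() {
    sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

# build_client_ovpn NAME SERVER PKI_DIR TA_KEY OUT_FILE
build_client_ovpn() {
    name=$1; server=$2; pki=$3; ta=$4; out=$5
    ca="$pki/ca.crt"; cert="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    for f in "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # The guide generates client keys with "nopass"; an encrypted key cannot be
    # inlined without its passphrase, so refuse rather than ship a broken profile.
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "$key is passphrase-protected; regenerate it with nopass" >&2; return 1
    fi
    [ -n "$(pem_block "$cert" CERTIFICATE)" ] || { echo "no certificate in $cert" >&2; return 1; }
    # umask 077 in a subshell: the profile embeds a private key, create it 0600.
    (
        umask 077
        {
            cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-GCM
verb 3
key-direction 1
EOF
            echo "<ca>";       pem_block "$ca" CERTIFICATE;   echo "</ca>"
            echo "<cert>";     pem_block "$cert" CERTIFICATE; echo "</cert>"
            echo "<key>";      cat "$key";                    echo "</key>"
            echo "<tls-auth>"; cat "$ta";                     echo "</tls-auth>"
        } > "$out"
    )
}

# make_demo_pki DIR: constructed placeholder files in the Easy-RSA layout.
make_demo_pki() {
    d=$1
    mkdir -p "$d/pki/issued" "$d/pki/private"
    printf -- '-----BEGIN CERTIFICATE-----\nDEMO-CA\n-----END CERTIFICATE-----\n' > "$d/pki/ca.crt"
    # Easy-RSA issued certificates carry a text dump before the PEM block
    printf 'Certificate:\n    Data:\n        Version: 3 (0x2)\n-----BEGIN CERTIFICATE-----\nDEMO-CLIENT1\n-----END CERTIFICATE-----\n' > "$d/pki/issued/client1.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nDEMO-KEY\n-----END PRIVATE KEY-----\n' > "$d/pki/private/client1.key"
    printf -- '-----BEGIN OpenVPN Static key V1-----\nDEMO-TA\n-----END OpenVPN Static key V1-----\n' > "$d/ta.key"
}

# Real use on the Instance: sh build-ovpn.sh build client1 <YOUR_INSTANCE_IP>
if [ "${1:-}" = "build" ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    build_client_ovpn "$2" "$3" /etc/openvpn/easy-rsa/pki /etc/openvpn/ta.key "$HOME/$2.ovpn"
fi
```

The generated profile is identical in content to the hand-written one above; the only additions are the failure checks, which are exactly the mistakes (header pasted into <cert>, encrypted key, world-readable file) that otherwise surface as an opaque TLS error on the client.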
Your OpenVPN server is now configured on your Ubuntu 24.04 LTS instance, and your client device is set up to connect securely.
Maintenance
The certificates issued by Easy-RSA have a limited lifetime. With the defaults in /etc/openvpn/easy-rsa/vars the CA is valid for 3650 days (EASYRSA_CA_EXPIRE) and server and client certificates for 825 days (EASYRSA_CERT_EXPIRE). Note the expiry dates and issue a replacement with the same gen-req and sign-req steps before a certificate expires; clients stop connecting once the server certificate has expired.
When a client device is lost or a user leaves, revoke its certificate and publish a certificate revocation list (CRL). Without a CRL the certificate keeps working until it expires:
cd /etc/openvpn/easy-rsa/
./easyrsa revoke client1
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem
Then add the line crl-verify crl.pem to /etc/openvpn/server.conf and restart the service with systemctl restart openvpn@server. The CRL is read while the server is running as the nobody user, hence the chmod. The CRL itself expires after 180 days by default (EASYRSA_CRL_DAYS); because gen-crl needs the CA passphrase it cannot run unattended from cron, so regenerate and copy it at least that often, and after every revocation.