--- title: Installing OpenVPN on a Scaleway Instance running Ubuntu 24.04 description: Discover how to install OpenVPN on Ubuntu 24.04 and later versions with this detailed tutorial. Follow our step-by-step guide to set up a secure VPN connection effortlessly. tags: vpn OpenVPN Ubuntu products: - instances dates: validation: 2025-07-16 posted: 2019-01-16 validation_frequency: 12 difficulty: beginner usecase: - deploy-external-software ecosystem: - third-party --- import Requirements from '@macros/iam/requirements.mdx' Learn how to install and configure OpenVPN on Ubuntu 24.04 LTS with this comprehensive guide. Follow our step-by-step instructions to establish a secure VPN connection via your Scaleway Instance with ease. - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization - An [SSH key](/organizations-and-projects/how-to/create-ssh-key/) - An [Instance](/instances/how-to/create-an-instance/) running on Ubuntu 24.04 LTS ## Installing OpenVPN and Easy-RSA 1. Connect to your Instance via SSH. ```bash root@ ``` 2. Update the package list and upgrade already installed packages: ```bash apt update apt upgrade -y ``` 3. Install OpenVPN and Easy-RSA using `apt`: ```bash apt install -y openvpn easy-rsa ``` ## Setting up the Certificate Authority (CA) 1. Create a directory for Easy-RSA and navigate to it: ```bash mkdir -p ~/openvpn-ca cd ~/openvpn-ca ``` 2. Initialize the Public Key Infrastructure (PKI): ```bash cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/ ./easyrsa init-pki ``` 3. Build the Certificate Authority (CA): ```bash ./easyrsa build-ca ``` You will be prompted to set a passphrase and provide a Common Name (e.g., "OpenVPN-CA"). ## Generating server and client certificates 1. Generate the server certificate and key: ```bash ./easyrsa gen-req server nopass ./easyrsa sign-req server server ``` Approve the signing request when prompted. 2. Generate Diffie-Hellman parameters: ```bash ./easyrsa gen-dh ``` 3. Generate a shared secret for additional security: ```bash openvpn --genkey secret /etc/openvpn/ta.key ``` ## Configuring the OpenVPN Server 1. Copy the necessary files to the OpenVPN directory: ```bash cp pki/ca.crt pki/private/server.key pki/issued/server.crt /etc/openvpn/ cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/ cp /etc/openvpn/ta.key /etc/openvpn/ ``` 2. Create the OpenVPN server configuration file: ```bash nano /etc/openvpn/server.conf ``` 3. Add the following configuration: ``` port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh.pem auth SHA256 tls-auth ta.key 0 server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 10 120 cipher AES-256-GCM user nobody group nogroup persist-key persist-tun status openvpn-status.log log-append /var/log/openvpn.log verb 3 ``` Save and exit the editor. ## Enabling IP forwarding and configuring the firewall 1. Enable IP forwarding: ```bash echo 'net.ipv4.ip_forward=1' | tee -a /etc/sysctl.conf sysctl -p ``` 2. Configure the firewall ([UFW](/tutorials/installation-uncomplicated-firewall/)): ```bash ufw allow 1194/udp ufw allow OpenSSH ``` 3. Edit the UFW configuration to allow forwarding: ```bash nano /etc/ufw/before.rules ``` 4. Add the following lines before the `*filter` line: ``` *nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE COMMIT ``` 5. Save and exit, then reload UFW: ```bash ufw disable ufw enable ``` ## Starting the OpenVPN server 1. Start and enable the OpenVPN service: ```bash systemctl start openvpn@server systemctl enable openvpn@server ``` 2. Check the status of the OpenVPN service: ```bash systemctl status openvpn@server ``` Ensure it is active and running. ## Generating client configuration 1. Generate client certificates: ```bash cd /etc/openvpn/easy-rsa/ ./easyrsa gen-req client1 nopass ./easyrsa sign-req client client1 ``` Approve the signing request when prompted. 2. Create the client configuration file: On your server, create a new client configuration file named `client1.ovpn`: ```bash nano ~/client1.ovpn ``` 3. Add the following configuration in the file, replacing `your_server_ip_or_domain` with your server's IP address or domain name: ``` client dev tun proto udp remote your_server_ip_or_domain 1194 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server auth SHA256 cipher AES-256-GCM verb 3 -----BEGIN CERTIFICATE----- # Insert the content of /etc/openvpn/ca.crt here -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- # Insert the content of /etc/openvpn/easy-rsa/pki/issued/client1.crt here -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- # Insert the content of /etc/openvpn/easy-rsa/pki/private/client1.key here -----END PRIVATE KEY----- -----BEGIN OpenVPN Static key V1----- # Insert the content of /etc/openvpn/ta.key here -----END OpenVPN Static key V1----- key-direction 1 ``` Replace the placeholder text (e.g., `# Insert the content of /etc/openvpn/ca.crt here`) with the actual contents of the respective files. You can use the `cat` command to display the contents of each file and then copy and paste them into the appropriate sections of the `client1.ovpn` file. - For example: ```bash cat /etc/openvpn/ca.crt ``` Copy the output and paste it between the `` and `` tags in the `client1.ovpn` file. 4. Transfer the client configuration file to the client device: Use a secure method to transfer the `client1.ovpn` file to the device you intend to use as a client. You can use `scp` (secure copy) for this purpose: ```bash scp ~/client1.ovpn user@client_device_ip:/path/to/destination/ ``` Replace `user` with your username on the client device, `client_device_ip` with the client's IP address, and `/path/to/destination/` with the desired directory on the client device. 5. Install OpenVPN on the client device: Ensure that the OpenVPN client is installed on your client device. Installation methods vary depending on the operating system: - **Linux:** ```bash apt update apt install -y openvpn ``` - **Windows:** Download and install the OpenVPN client from the [official website](https://openvpn.net/community-downloads/). - **macOS:** Download and install [Tunnelblick](https://tunnelblick.net/), a free OpenVPN client for macOS. 6. Connect to the VPN: - **Linux:** Use the following command to start the VPN connection: ```bash openvpn --config /path/to/client1.ovpn ``` - **Windows/macOS:** Import the `client1.ovpn` file into your OpenVPN client application and initiate the connection through the application's interface. 7. Verify the connection: Once connected, verify that your public IP address matches the VPN server's IP address, indicating that your internet traffic is being routed through the VPN. You can check your public IP address by visiting [WhatIsMyIP.com](https://www.whatismyip.com/) or a similar service. Your OpenVPN server is now configured on your Ubuntu 24.04 LTS instance, and your client device is set up to connect securely. ## Maintenance For ongoing maintenance, remember to renew your Let's Encrypt certificates regularly (they expire every 90 days). You can automate this process with a cron job: ```bash echo "0 0 1 */2 * certbot renew --quiet" | tee -a /etc/crontab ``` This cron job runs the `certbot renew` command on the first day of every second month at midnight.