---
meta:
  title: Installing OpenVPN on Ubuntu 20.04 or later
  description: Discover how to install OpenVPN on Ubuntu 20.04 and later versions with this detailed tutorial. Follow our step-by-step guide to set up a secure VPN connection effortlessly.
content:
  h1: Installing OpenVPN on Ubuntu 20.04 or later
  paragraph: Discover how to install OpenVPN on Ubuntu 20.04 and later versions with this detailed tutorial. Follow our step-by-step guide to set up a secure VPN connection effortlessly.
tags: vpn OpenVPN Ubuntu Bionic-Beaver
categories:
  - instances
dates:
  validation: 2024-07-02
  posted: 2019-01-16
---

OpenVPN is open-source software for running a Virtual Private Network (VPN) that creates secure point-to-point or site-to-site connections in routed or bridged configurations. It uses a custom security protocol that relies on SSL/TLS for key exchange.

- A Scaleway account logged into the [console](https://console.scaleway.com)
- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization
- An [SSH key](/identity-and-access-management/organizations-and-projects/how-to/create-ssh-key/)
- An [Instance](/compute/instances/how-to/create-an-instance/) running on Ubuntu 20.04 or later

## Installing Easy-RSA

The first step in building an OpenVPN configuration is to establish a PKI (Public Key Infrastructure). It is composed of the following elements:

- a public and private key pair for the server and for each client
- the certification authority (CA) certificate and key, which sign and thereby identify the server certificate as well as each client certificate

OpenVPN supports two-way certificate-based authentication: the client must verify the server certificate and the server must verify the client certificate before mutual trust is established. Both the server and the client authenticate each other.
First, the certificate must be signed by the certification authority (CA); then the information in the header of the verified certificate (its common name or certificate type) can be checked.

1. [Connect to your Instance](/compute/instances/how-to/connect-to-instance/) via SSH.
2. Update the package list:
    ```sh
    apt update
    apt upgrade -y
    ```
3. Install OpenVPN and Easy-RSA:
    ```sh
    apt install -y openvpn easy-rsa
    ```
4. Set up the CA directory:
    ```sh
    make-cadir ~/openvpn-ca
    cd ~/openvpn-ca
    ```
5. Initialize the PKI:
    ```sh
    ./easyrsa init-pki
    ```
6. Build the certificate authority:
    ```sh
    ./easyrsa build-ca nopass
    ```
7. Generate the server certificate and key:
    ```sh
    ./easyrsa gen-req server nopass
    ./easyrsa sign-req server server
    ```
8. Generate the Diffie-Hellman parameters:
    ```sh
    ./easyrsa gen-dh
    ```
9. Generate a shared secret (the `tls-auth` key):
    ```sh
    openvpn --genkey secret ta.key
    ```
    This form is accepted from OpenVPN 2.5 onwards. Ubuntu 20.04 ships OpenVPN 2.4, where the equivalent command is `openvpn --genkey --secret ta.key`.

## Configuring the OpenVPN server

1. Copy the CA certificate, the server certificate and key, the Diffie-Hellman parameters and the shared secret into the OpenVPN directory:
    ```sh
    cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn/
    ```
2. Create the OpenVPN server configuration file:
    ```sh
    nano /etc/openvpn/server.conf
    ```
    Add the following configuration, save the file and quit `nano`:
    ```conf
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    auth SHA256
    tls-auth ta.key 0
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 10 120
    cipher AES-256-CBC
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    log-append /var/log/openvpn.log
    verb 3
    ```

## Setting up a Let's Encrypt TLS certificate

1. Install Certbot:
    ```sh
    apt install -y certbot
    ```
2. Obtain the TLS certificate:
    ```sh
    certbot certonly --standalone -d your_domain
    ```
    Make sure to replace `your_domain` with your actual domain name.
    **You need to ensure that your domain points to the IP address of your Scaleway Instance.**
3. Configure OpenVPN to use the Let's Encrypt certificate:
    - Update the `server.conf` file so that the `ca`, `cert` and `key` lines point at the Let's Encrypt certificate and key:
        ```conf
        ca /etc/letsencrypt/live/your_domain/fullchain.pem
        cert /etc/letsencrypt/live/your_domain/cert.pem
        key /etc/letsencrypt/live/your_domain/privkey.pem
        ```
    OpenVPN uses the `ca` file to verify the peer's certificate. With `ca` set to the Let's Encrypt chain, the server validates client certificates against Let's Encrypt's CA rather than the Easy-RSA CA, so the Easy-RSA client certificates generated below only pass verification if `ca` stays on the Easy-RSA `ca.crt`; the client, in turn, must use the Let's Encrypt chain as its `ca` to verify the server certificate.

## Enabling IP forwarding and adjusting the firewall

1. Enable IP forwarding:
    ```sh
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ```
    - Make the change permanent by editing the `sysctl.conf` file:
        ```sh
        nano /etc/sysctl.conf
        ```
        Uncomment the following line:
        ```conf
        net.ipv4.ip_forward=1
        ```
2. Configure the firewall of the Instance (UFW):
    ```sh
    ufw allow 1194/udp
    ufw allow OpenSSH
    ufw enable
    ```
    Add the following rules to `before.rules` to masquerade (NAT) the VPN traffic leaving the Instance:
    ```sh
    nano /etc/ufw/before.rules
    ```
    Add these lines before the `*filter` line:
    ```sh
    *nat
    :POSTROUTING ACCEPT [0:0]
    # Masquerade the VPN subnet (10.8.0.0/24, as set by the server line in server.conf);
    # replace eth0 with the name of the Instance's public interface if it differs
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    ```
    UFW's default forward policy must also be `ACCEPT` (`DEFAULT_FORWARD_POLICY="ACCEPT"` in `/etc/default/ufw`), otherwise forwarded VPN packets are dropped.

## Starting the OpenVPN server

1. Start and enable OpenVPN:
    ```sh
    systemctl start openvpn@server
    systemctl enable openvpn@server
    ```
2. Check the status of the OpenVPN server:
    ```sh
    systemctl status openvpn@server
    ```

## Setting up client configuration

1. Generate client certificates:
    ```sh
    cd ~/openvpn-ca
    ./easyrsa gen-req client1 nopass
    ./easyrsa sign-req client client1
    ```
2. Create the client configuration file:
    ```sh
    nano ~/client1.ovpn
    ```
    Add the following configuration:
    ```conf
    client
    dev tun
    proto udp
    remote your_domain 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth ta.key 1
    # auth must match the digest set in server.conf, otherwise the tls-auth HMAC check fails
    auth SHA256
    cipher AES-256-CBC
    verb 3
    ```
3. Transfer the client configuration files to the remote (client) machine:
    ```sh
    scp ~/openvpn-ca/pki/ca.crt ~/openvpn-ca/pki/issued/client1.crt ~/openvpn-ca/pki/private/client1.key ~/openvpn-ca/ta.key user@your_client_machine:~/client1/
    scp ~/client1.ovpn user@your_client_machine:~/client1/
    ```

Your OpenVPN server is now set up on your Scaleway Instance, secured with a Let's Encrypt certificate, and ready for clients to connect. Follow the client configuration steps for each device you want to connect to your VPN.

For ongoing maintenance, remember to renew your Let's Encrypt certificates regularly (they expire every 90 days). You can automate this with a cron job:

```sh
echo "0 0 1 */2 * certbot renew --quiet" | crontab -
```

Note that `crontab -` replaces the user's existing crontab, and that OpenVPN only reads its certificate at start-up, so `openvpn@server` has to be restarted after a renewal (for example through certbot's `--deploy-hook`).
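Before starting the service, a quick sanity check of the server-side settings from the sections above catches the most common start-up and routing failures. The POSIX shell script below is an added example, not part of the Scaleway tutorial or the OpenVPN project: it reads the `ca`, `cert`, `key` and `dh` paths out of a `server.conf` and checks that the files exist, confirms the server side of `tls-auth` uses key direction 0, derives the MASQUERADE rule's subnet from the `server` line so the NAT rule matches the VPN network exactly, and checks that UFW's `DEFAULT_FORWARD_POLICY` is `ACCEPT`. The configuration and files it runs against are constructed in a temporary directory; `<egress-iface>` is a placeholder for the Instance's public interface name.

```shell
#!/bin/sh
# Added example, not part of the Scaleway tutorial or the OpenVPN project:
# sanity-check an OpenVPN server.conf plus the UFW forward policy before
# starting openvpn@server. Paths are passed explicitly so the script can run
# against the constructed sample below instead of /etc.

# Print the value(s) following a directive: conf_value server server.conf -> "10.8.0.0 255.255.255.0"
conf_value() {
    awk -v k="$1" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Dotted netmask to prefix length: 255.255.255.0 -> 24
mask_to_prefix() {
    echo "$1" | awk -F. '{ s = 0; for (i = 1; i <= 4; i++) { n = $i; while (n > 0) { s += n % 2; n = int(n / 2) } } print s }'
}

# Relative paths in server.conf resolve against OpenVPN's working directory (/etc/openvpn for openvpn@server).
resolve_path() {
    case "$1" in /*) echo "$1" ;; *) echo "$2/$1" ;; esac
}

# check_server_conf <server.conf> <workdir> <ufw-defaults-file>: prints findings, returns 0 only if all pass
check_server_conf() {
    conf=$1; workdir=$2; ufw_defaults=$3; status=0
    for directive in ca cert key dh; do
        f=$(conf_value "$directive" "$conf")
        if [ -z "$f" ]; then
            echo "MISSING: no '$directive' directive in $conf"; status=1
        elif [ ! -f "$(resolve_path "$f" "$workdir")" ]; then
            echo "MISSING: $directive file '$f' not found under $workdir"; status=1
        fi
    done
    # The server side of tls-auth must use key direction 0; clients use 1.
    ta=$(conf_value tls-auth "$conf")
    case "$ta" in
        *" 0") ;;
        *) echo "BAD: tls-auth on the server must end with direction 0, got '$ta'"; status=1 ;;
    esac
    # Derive the exact VPN subnet for the MASQUERADE rule from the 'server' line,
    # so the NAT rule cannot silently cover more than the VPN network.
    set -- $(conf_value server "$conf")
    if [ -n "$1" ] && [ -n "$2" ]; then
        echo "NAT: -A POSTROUTING -s $1/$(mask_to_prefix "$2") -o <egress-iface> -j MASQUERADE"
    else
        echo "MISSING: no 'server <network> <netmask>' line in $conf"; status=1
    fi
    # UFW drops forwarded packets unless its default forward policy is ACCEPT.
    if ! grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$ufw_defaults" 2>/dev/null; then
        echo "BAD: set DEFAULT_FORWARD_POLICY=\"ACCEPT\" in $ufw_defaults"; status=1
    fi
    return $status
}

# Constructed sample mirroring the tutorial's server.conf; dh.pem is left out and
# the forward policy is DROP, so the check is expected to report both.
demo_dir=$(mktemp -d)
cat > "$demo_dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
EOF
for f in ca.crt server.crt server.key ta.key; do : > "$demo_dir/$f"; done
printf 'DEFAULT_FORWARD_POLICY="DROP"\n' > "$demo_dir/ufw"

if check_server_conf "$demo_dir/server.conf" "$demo_dir" "$demo_dir/ufw"; then
    echo "server.conf looks consistent"
else
    echo "fix the findings above before starting openvpn@server"
fi
```

On the Instance itself the call is `check_server_conf /etc/openvpn/server.conf /etc/openvpn /etc/default/ufw`; the `NAT:` line it prints is the rule to paste into `before.rules`, with the placeholder replaced by the real interface name.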
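An alternative to copying four separate files in the last step is to embed them in the `.ovpn` file itself, using OpenVPN's inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks, with `key-direction 1` taking the place of the `tls-auth ta.key 1` line. The script below is an added example, not code from the tutorial or the OpenVPN project; it assumes the Easy-RSA directory layout used above (`pki/ca.crt`, `pki/issued/NAME.crt`, `pki/private/NAME.key`, `ta.key`) and, to run offline, constructs placeholder files in place of real certificates and keys.

```shell
#!/bin/sh
# Added example, not part of the Scaleway tutorial: build a single, self-contained
# client .ovpn with the CA, client certificate, client key and tls-auth key inlined,
# so only one file has to be transferred to the client machine.

# build_inline_ovpn <easyrsa-dir> <client-name> <server-host>: prints the .ovpn, returns 1 if a file is missing
build_inline_ovpn() {
    dir=$1; name=$2; host=$3
    for f in "$dir/pki/ca.crt" "$dir/pki/issued/$name.crt" "$dir/pki/private/$name.key" "$dir/ta.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    # Same settings as the tutorial's client1.ovpn, plus remote-cert-tls so the client
    # only accepts a certificate that was signed as a server certificate, and auth SHA256
    # to match the server's tls-auth digest.
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
key-direction 1
verb 3
<ca>
$(cat "$dir/pki/ca.crt")
</ca>
<cert>
$(cat "$dir/pki/issued/$name.crt")
</cert>
<key>
$(cat "$dir/pki/private/$name.key")
</key>
<tls-auth>
$(cat "$dir/ta.key")
</tls-auth>
EOF
}

# Constructed sample tree with placeholder PEM bodies (not real certificates or keys).
sample_dir=$(mktemp -d)
mkdir -p "$sample_dir/pki/issued" "$sample_dir/pki/private"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' '-----END CERTIFICATE-----' > "$sample_dir/pki/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT1-CERT' '-----END CERTIFICATE-----' > "$sample_dir/pki/issued/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-CLIENT1-KEY' '-----END PRIVATE KEY-----' > "$sample_dir/pki/private/client1.key"
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'CONSTRUCTED-TA' '-----END OpenVPN Static key V1-----' > "$sample_dir/ta.key"

# The output file now carries the client's private key, so keep it owner-readable only.
build_inline_ovpn "$sample_dir" client1 your_domain > "$sample_dir/client1.ovpn"
chmod 600 "$sample_dir/client1.ovpn"
echo "wrote $sample_dir/client1.ovpn"
```

On the server the equivalent call is `build_inline_ovpn ~/openvpn-ca client1 your_domain > ~/client1.ovpn`, after which a single `scp ~/client1.ovpn user@your_client_machine:~/client1/` replaces the two transfers above.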