OpenVPN image on Scaleway

Launch your OpenVPN app on Scaleway servers in minutes.



The install process is fully automatic. Once your server is booted up, run

scw-ovpn status

To check if your server is ready.

Creating a new user


scw-ovpn create your_user

To create a new user certificate. You can now download it using show or serve.

Downloading your user configuration

There are multiple way to download your configuration file, the simplest being to run

scw-ovpn serve your_user

This method starts an http server serving your client config: This method does not use encryption to transfer your configuration.

You can also download your configuration using the command line using either:

scw exec your_server scw-ovpn show your_user > your_user.ovpn


ssh root@your_server_ip scw-ovpn show your_user > your_user.ovpn

Removing an user

In order to prevent a client from connecting again, its certificate has to be revoked.

It can be done using

$ scw-ovpn revoke your_user

Do not try to remove the client certificate from the easy-rsa keys directory, as it does not prevent the client from connecting again.



By default, the server starts two openvpn instances running on tcp port 443 and udp port 1194.

You can list currently running instances using

$ # <protocol> <port> <subnet suffix> <service status>
$ scw-ovpn list-instances
udp    1194   0   active
tcp    443    1   active

Each instance is backed by a systemd service, for instance openvpn@udp_1194_0 and openvpn@tcp_443_1.

You can play with instances using

$ scw-ovpn add-instance udp 4242 3
$ scw-ovpn del-instance udp 4242 3

add-instance checks if another service uses the same tcp and port or subnet id.

The scw-ovpn-gen-server hook generates the server configuration on instance start and reload.


Instances have unbridged independant interfaces, running on separate subnets.

The subnet for each instance is made using a prefix and the instance subnet ID, for both ipv4 and ipv6.

You can configure this prefix in /etc/openvpn/

The prefixes currently are for ipv4, and fd42:5ca1:e3a7::0/48 for ipv6 (see rfc6598 for ipv4 and rfc4193 for ipv6).

The next 8 bit block for ipv4 and 16 bit block for ipv6 is the correct representation of the subnet ID, which makes up a /24subnet for ipv4 as well as a /64 subnet for ipv6.


Nat is configured using a service running at boot, which runs scw-setup-nat before the openvpn server starts.

This is a SNAT based setup, so the IP addresses of the machine are looked up at boot. The script assumes the name of the main interface is eth0.

IPv6 is also NATed.


The image also runs an unbound powered DNS relay to the resolvers of the host (by default scaleway DNS servers).

This relays only accepts connections from the vpn server.

The unbound configuration is generated on each boot by the setup-unbound service, which runs scw-setup-unbound.

If you change the subnet prefixes in /etc/openvpn/, you should restart setup-unbound first, then unbound, or restart your server.


As previously stated, IPv6 is currently NATed.

In order to avoid IPv6 leaks out of the VPN, we always offers the client an IP, even if the server does not have any valid route to the internet. It also routes 2000::/3 (all currently assignable IPs) to the VPN.

This setup should make the client fallback to IPv4 if the scaleway server does not feature IPv6 connectivity.


The current setup uses:

  • the AES-256-CBC cipher
  • enforces a minimum TLS version of 1.2
  • the SHA256 authentication message digest
  • the default TLS ciphers, for better compatibility
  • a static PSK for TLS auth

Certificates are generated using easy-rsa, and properly checked for revocation.

Some of these parameters can be changed in the /etc/openvpn/ config file.

How to hack

This image is meant to be used on a Scaleway server.

We use the Docker’s building system and convert it at the end to a disk image that will boot on real servers without Docker. Note that the image is still runnable as a Docker container for debug or for inheritance.




Get your VPN server ready to use in one-click with the OpenVPN InstantApp

This page shows you how to use the OpenVPN InstantApp on your C1 server.

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. The OpenVPN InstantApp is a fast and simple way to protect your online privacy and surf anonymously.

OpenVPN InstantApp comes with:

  • OpenVPN server
  • A client configuration profile to setup your client


  • You have an account and are logged into
  • You have configured your SSH Key
  • You have installed a VPN client on your local machine

There are three steps to begin with the OpenVPN InstantApp

  • Create and start a new C1 server using the OpenVPN InstantApp
  • Download the client profile on your local machine
  • Configure your client

Step 1 – Create and start a new C1 server using the OpenVPN InstantApp

First, we need to create a new server using the OpenVPN InstantApp. Click the “Create Server” button in the control panel.

Control Panel

You land on the server creation page where you must input information and choose an image.

Create server basic information

After inputting your server basic information, select the OpenVPN image for your server.
On the ImageHub tab, select OpenVPN and click the “Create Server” button.

The server is starting with a fully configured and ready to use OpenVPN server.

Step 2 – Download the client profile on your local machine

The OpenVPN server running, connect it with ssh. The message of the day (MOTD) when you connect your server displays the path and the url to retrieve the VPN client file that we will use to connect to the VPN server.

Welcome on Openvpn on Scaleway' C1.

 * Kernel:           GNU/Linux 3.2.34-30 armv7l - Marvell (Proprietary)
                     - This kernel has the best performances on this hardware
                     - For mainline kernel with latest features and plenty of modules, use a 3.17 kernel instead
 * Distribution:     Openvpn (2015-06-10) on Ubuntu 14.10
 * Internal ip:
 * External ip:
 * Disk /dev/nbd0:   scw-app-openvpn-utopic-2015-06-11_10:08 (l_ssd 50G)
 * Uptime:           10:36:52 up  2:24,  1 user,  load average: 0.26, 0.22, 0.23

 * Documentation:
 * Community:
 * Image source:

OpenVPN server is listening on ports 443/TCP and 1194/UDP.
A client configuration file is available on /root/client.ovpn or at
This configuration file contains all the certificates and

Download the configuration file from the URL displayed in the MOTD. We assume that you have already installed a VPN client.

Open the configuration with you VPN client.

Control Panel

Once the configuration is loaded, start a new connection using the VPN profile we just installed.

Control Panel

You are now connected and all your traffic is routed through the OpenVPN server. You can validate is fine by looking that your public IP match the public IP of the server.


With the OpenVPN InstantApp you can easily protect your online privacy and surf anonymously. No heavy setup actions are required to get it works and create secure point-to-point connections.

If you have any suggestion or question about this tutorial, please leave a comment.

Leave a Comment

Your email address will not be published. Required fields are marked *