Launch your OpenVPN app on Scaleway servers in minutes.
The install process is fully automatic. Once your server is booted up, run
To check if your server is ready.
Creating a new user
scw-ovpn create your_user
To create a new user certificate. You can now download it using
Downloading your user configuration
There are multiple ways to download your configuration file, the simplest being to run
scw-ovpn serve your_user
This method starts an HTTP server serving your client config. It does not use encryption to transfer your configuration.
You can also download your configuration from the command line, using either:
scw exec your_server scw-ovpn show your_user > your_user.ovpn
ssh root@your_server_ip scw-ovpn show your_user > your_user.ovpn
Removing a user
In order to prevent a client from connecting again, its certificate has to be revoked.
It can be done using
$ scw-ovpn revoke your_user
Do not try to remove the client certificate from the easy-rsa keys directory, as it does not prevent the client from connecting again.
By default, the server starts two openvpn instances running on tcp port 443 and udp port 1194.
You can list currently running instances using
$ # <protocol> <port> <subnet suffix> <service status>
$ scw-ovpn list-instances
udp 1194 0 active
tcp 443 1 active
Each instance is backed by a systemd service, for instance
You can play with instances using
$ scw-ovpn add-instance udp 4242 3
$ scw-ovpn del-instance udp 4242 3
add-instance checks if another service uses the same tcp and port or subnet id.
The scw-ovpn-gen-server hook generates the server configuration on instance start and reload.
Instances have unbridged, independent interfaces running on separate subnets.
The subnet for each instance is made using a prefix and the instance subnet ID, for both ipv4 and ipv6.
You can configure this prefix in
The next 8-bit block for IPv4 and 16-bit block for IPv6 is the representation of the subnet ID, which makes up a /24 subnet for IPv4 as well as a /64 subnet for IPv6.
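The addressing scheme and the add-instance collision check described above, as an added example (not the image's own scripts). The prefixes 10.8.0.0/16 and fd42:42:42::/48 are constructed values rather than the image's defaults, and reading the check as "same protocol and port, or same subnet ID" is an assumption.

```python
import ipaddress

def instance_subnets(v4_prefix, v6_prefix, subnet_id):
    """Derive one instance's (/24, /64) pair from the prefixes and its subnet ID."""
    v4 = ipaddress.ip_network(v4_prefix)
    v6 = ipaddress.ip_network(v6_prefix)
    # The subnet ID fills the next 8-bit block (IPv4) and 16-bit block (IPv6),
    # so the prefixes must be 16 and 48 bits long for a /24 and a /64 to result.
    if (v4.version, v4.prefixlen) != (4, 16) or (v6.version, v6.prefixlen) != (6, 48):
        raise ValueError("expected an IPv4 /16 prefix and an IPv6 /48 prefix")
    if not 0 <= subnet_id <= 0xFF:  # must fit the 8-bit IPv4 block
        raise ValueError("subnet ID must be in 0..255")
    v4_net = ipaddress.IPv4Network((int(v4.network_address) + (subnet_id << 8), 24))
    v6_net = ipaddress.IPv6Network((int(v6.network_address) + (subnet_id << 64), 64))
    return v4_net, v6_net

def parse_instances(listing):
    """Parse list-instances output: <protocol> <port> <subnet suffix> <status>."""
    out = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) == 4:
            out.append((fields[0], int(fields[1]), int(fields[2])))
    return out

def conflicts(listing, protocol, port, subnet_id):
    """Reasons a new instance would collide with a listed one (empty list = none)."""
    reasons = []
    for proto, prt, sid in parse_instances(listing):
        if (proto, prt) == (protocol, port):
            reasons.append(f"{proto}/{prt} already in use")
        if sid == subnet_id:
            reasons.append(f"subnet ID {sid} already in use by {proto}/{prt}")
    return reasons

# Listing taken from the list-instances output shown on this page.
LISTING = "udp 1194 0 active\ntcp 443 1 active"

if __name__ == "__main__":
    print(instance_subnets("10.8.0.0/16", "fd42:42:42::/48", 3))
    print(conflicts(LISTING, "udp", 4242, 3))   # no collision
    print(conflicts(LISTING, "udp", 4242, 1))   # subnet ID 1 is taken by tcp/443
```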
NAT is configured using a service running at boot, which runs scw-setup-nat before the OpenVPN server starts.
This is a SNAT-based setup, so the IP addresses of the machine are looked up at boot. The script assumes the name of the main interface is
IPv6 is also NATed.
The image also runs an unbound-powered DNS relay to the resolvers of the host (by default the Scaleway DNS servers).
This relay only accepts connections from the VPN server.
The unbound configuration is generated on each boot by the setup-unbound service, which runs
If you change the subnet prefixes in /etc/openvpn/scw-vars.sh, you should restart setup-unbound first, then unbound, or restart your server.
As previously stated, IPv6 is currently NATed.
In order to avoid IPv6 leaks out of the VPN, we always offer the client an IP, even if the server does not have any valid route to the internet. The server also routes 2000::/3 (all currently assignable IPs) to the VPN.
This setup should make the client fall back to IPv4 if the Scaleway server does not feature IPv6 connectivity.
The current setup uses:
- an enforced minimum TLS version of 1.2
- SHA256 authentication message digest
- the default TLS ciphers, for better compatibility
- a static PSK for TLS auth
Certificates are generated using easy-rsa, and properly checked for revocation.
Some of these parameters can be changed in the /etc/openvpn/scw-vars.sh config file.
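A check of an OpenVPN configuration file against the settings listed above, as an added example (not part of the image). The directive names tls-version-min, auth and tls-auth are standard OpenVPN options; the two sample profiles are constructed, and that the image's generated files state these directives explicitly is an assumption.

```python
import re

def parse_ovpn(text):
    """Return ({directive: args}, {inline block names}) for an OpenVPN config."""
    directives, blocks, inside = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:                      # skip inline key/cert material unread
            if line == f"</{inside}>":
                inside = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inside = m.group(1)
            blocks.add(inside)
            continue
        name, *args = line.split()
        directives[name] = args         # simplification: last occurrence wins
    return directives, blocks

def audit(text):
    """List deviations from: TLS >= 1.2, SHA256 digest, static tls-auth key."""
    d, blocks = parse_ovpn(text)
    findings = []
    tls_min = (d.get("tls-version-min") or [""])[0]
    m = re.fullmatch(r"(\d+)\.(\d+)", tls_min)
    if not m or (int(m.group(1)), int(m.group(2))) < (1, 2):
        findings.append("tls-version-min is missing or below 1.2")
    if (d.get("auth") or [""])[0].upper() != "SHA256":
        findings.append("auth is not SHA256")
    if "tls-auth" not in d and "tls-auth" not in blocks:
        findings.append("no tls-auth static key configured")
    return findings

# Constructed sample profiles (host name and key body are placeholders).
GOOD = """client
remote vpn.example.test 1194 udp
tls-version-min 1.2
auth SHA256
key-direction 1
<tls-auth>
(constructed placeholder, not a real key)
</tls-auth>
"""
WEAK = "client\nremote vpn.example.test 443 tcp\ntls-version-min 1.0\nauth SHA1\n"

if __name__ == "__main__":
    print(audit(GOOD), audit(WEAK))
```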
How to hack
This image is meant to be used on a Scaleway server.
We use Docker's build system and convert the result at the end to a disk image that will boot on real servers without Docker. Note that the image is still runnable as a Docker container for debugging or for inheritance.
Get your VPN server ready to use in one-click with the OpenVPN InstantApp
This page shows you how to use the OpenVPN InstantApp on your C1 server.
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. The OpenVPN InstantApp is a fast and simple way to protect your online privacy and surf anonymously.
OpenVPN InstantApp comes with:
- OpenVPN server
- A client configuration profile to set up your client
- You have an account and are logged into cloud.scaleway.com
- You have configured your SSH Key
- You have installed a VPN client on your local machine
There are three steps to begin with the OpenVPN InstantApp:
- Create and start a new C1 server using the OpenVPN InstantApp
- Download the client profile on your local machine
- Configure your client
First, we need to create a new server using the OpenVPN InstantApp. Click the “Create Server” button in the control panel.
You land on the server creation page where you must input information and choose an image.
After inputting your server basic information, select the OpenVPN image for your server.
On the ImageHub tab, select OpenVPN and click the “Create Server” button.
The server starts with a fully configured and ready-to-use OpenVPN server.
Once the OpenVPN server is running, connect to it with SSH. The message of the day (MOTD) shown when you connect to your server displays the path and the URL to retrieve the VPN client file that we will use to connect to the VPN server.
Download the configuration file from the URL displayed in the MOTD. We assume that you have already installed a VPN client.
Open the configuration with your VPN client.
Once the configuration is loaded, start a new connection using the VPN profile we just installed.
You are now connected and all your traffic is routed through the OpenVPN server. You can validate this by checking that your public IP matches the public IP of the server.
With the OpenVPN InstantApp you can easily protect your online privacy and surf anonymously. No heavy setup actions are required to get it working and create secure point-to-point connections.
If you have any suggestions or questions about this tutorial, please leave a comment.