💽 Official OpenVPN image on Scaleway


OpenVPN image on Scaleway


Launch your OpenVPN app on Scaleway servers in minutes.



The install process is fully automatic. Once your server has booted, run

scw-ovpn status

to check whether it is ready.

Creating a new user


scw-ovpn create your_user

This creates a new user certificate. You can then download the client configuration with show or serve.

Downloading your user configuration

There are multiple ways to download your configuration file, the simplest being to run

scw-ovpn serve your_user

This starts a plain HTTP server that serves your client config. The transfer is not encrypted, and the .ovpn file carries the credentials this client needs to connect (its certificate and private key, and the static TLS-auth key), so only use this on a network you trust; otherwise fetch the file over SSH instead.

You can also download your configuration from the command line, using either:

scw exec your_server scw-ovpn show your_user > your_user.ovpn


ssh root@your_server_ip scw-ovpn show your_user > your_user.ovpn

Removing a user

In order to prevent a client from connecting again, its certificate has to be revoked.

It can be done using

$ scw-ovpn revoke your_user

Do not simply delete the client's files from the easy-rsa keys directory: the server checks client certificates against the CRL that revoke updates, not against the contents of that directory, so the client would still be able to connect.



By default, the server starts two OpenVPN instances, one on TCP port 443 and one on UDP port 1194.

You can list currently running instances using

$ # <protocol> <port> <subnet suffix> <service status>
$ scw-ovpn list-instances
udp    1194   0   active
tcp    443    1   active

Each instance is backed by a systemd service, for example openvpn@udp_1194_0 and openvpn@tcp_443_1 (the instance name is <protocol>_<port>_<subnet ID>).

You can add and remove instances with

$ scw-ovpn add-instance udp 4242 3
$ scw-ovpn del-instance udp 4242 3

add-instance refuses the new instance if another one already uses the same protocol and port, or the same subnet ID.

The scw-ovpn-gen-server hook generates each instance's server configuration when its service starts or reloads.


Instances have independent, unbridged interfaces, each on its own subnet.

The subnet for each instance is formed from a prefix and the instance's subnet ID, for both IPv4 and IPv6.

You can configure these prefixes in /etc/openvpn/scw-vars.sh.

The current IPv4 prefix is taken from the RFC 6598 shared address space, and the IPv6 prefix is fd42:5ca1:e3a7::0/48, a unique local prefix per RFC 4193.

The subnet ID fills the next 8-bit block after the IPv4 prefix and the next 16-bit block after the IPv6 prefix, so each instance gets a /24 for IPv4 and a /64 for IPv6.
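The instance and subnet scheme above, as an added Python model (not the scw-ovpn shell script itself): it derives the systemd unit name and the per-instance /24 and /64 from the prefixes, and reproduces the collision check add-instance performs. The IPv6 prefix is the one given in this README; the IPv4 prefix 100.64.0.0/16 (a /16 inside RFC 6598 space) and the fixed "active" status are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Prefixes as they would be set in /etc/openvpn/scw-vars.sh. The IPv6 one is
# the README's; the IPv4 one is an ASSUMPTION for this example, a /16 carved
# out of the RFC 6598 shared address space.
V4_PREFIX = ipaddress.ip_network("100.64.0.0/16")
V6_PREFIX = ipaddress.ip_network("fd42:5ca1:e3a7::/48")
V4_ID_BITS = 8    # subnet ID occupies the next 8 bits  -> one /24 per instance
V6_ID_BITS = 16   # subnet ID occupies the next 16 bits -> one /64 per instance


def instance_subnet(prefix, subnet_id, id_bits):
    """Place subnet_id in the id_bits immediately following the prefix."""
    if not 0 <= subnet_id < (1 << id_bits):
        raise ValueError(f"subnet ID {subnet_id} does not fit in {id_bits} bits")
    new_len = prefix.prefixlen + id_bits
    shift = prefix.max_prefixlen - new_len          # host bits left after the ID
    base = int(prefix.network_address) + (subnet_id << shift)
    return type(prefix)((base, new_len))


@dataclass(frozen=True)
class Instance:
    proto: str
    port: int
    subnet_id: int

    def unit(self):
        # systemd template instance, e.g. openvpn@udp_1194_0
        return f"openvpn@{self.proto}_{self.port}_{self.subnet_id}"

    def ipv4_subnet(self):
        return instance_subnet(V4_PREFIX, self.subnet_id, V4_ID_BITS)

    def ipv6_subnet(self):
        return instance_subnet(V6_PREFIX, self.subnet_id, V6_ID_BITS)


class Registry:
    def __init__(self):
        self.instances = []

    def conflict(self, proto, port, subnet_id):
        """Reason the instance cannot be added, or None (mirrors add-instance's check)."""
        if proto not in ("udp", "tcp"):
            return f"unknown protocol {proto!r}"
        if not 0 <= subnet_id < (1 << V4_ID_BITS):   # IPv4 is the tighter bound
            return f"subnet ID {subnet_id} out of range"
        for inst in self.instances:
            if (inst.proto, inst.port) == (proto, port):
                return f"{proto} port {port} already used by {inst.unit()}"
            if inst.subnet_id == subnet_id:
                return f"subnet ID {subnet_id} already used by {inst.unit()}"
        return None

    def add(self, proto, port, subnet_id):
        reason = self.conflict(proto, port, subnet_id)
        if reason:
            raise ValueError(reason)
        inst = Instance(proto, port, subnet_id)
        self.instances.append(inst)
        return inst

    def delete(self, proto, port, subnet_id):
        target = Instance(proto, port, subnet_id)
        if target not in self.instances:
            raise ValueError(f"no such instance {target.unit()}")
        self.instances.remove(target)

    def list_instances(self):
        """Rows in the order list-instances prints them; status 'active' is assumed."""
        return [(i.proto, i.port, i.subnet_id, "active") for i in self.instances]


def default_registry():
    """The two instances the image starts by default."""
    reg = Registry()
    reg.add("udp", 1194, 0)
    reg.add("tcp", 443, 1)
    return reg


if __name__ == "__main__":
    reg = default_registry()
    reg.add("udp", 4242, 3)
    for inst in reg.instances:
        print(inst.unit(), inst.ipv4_subnet(), inst.ipv6_subnet())
    print(reg.conflict("tcp", 4242, 3))   # rejected: subnet ID 3 is taken
```

Note that "tcp 4242 3" is rejected even though no instance listens on tcp/4242: the subnet ID alone is enough to collide, which is why the third argument must be unique across instances.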


NAT is configured by a service that runs at boot and executes scw-setup-nat before the OpenVPN servers start.

This is an SNAT-based setup: the machine's IP addresses are looked up at boot and used as the translated source address. The script assumes the main interface is named eth0; on hardware where it is not, NAT will not be set up correctly and client traffic will not reach the internet.

IPv6 is also NATed.


The image also runs an unbound-based DNS relay that forwards queries to the host's resolvers (by default the Scaleway DNS servers).

This relay only accepts queries coming from the VPN subnets.

The unbound configuration is regenerated on each boot by the setup-unbound service, which runs scw-setup-unbound.

If you change the subnet prefixes in /etc/openvpn/scw-vars.sh, restart setup-unbound first and then unbound (or simply reboot the server); otherwise the relay keeps accepting queries only from the old subnets.


As stated above, IPv6 is currently NATed.

To avoid IPv6 leaks around the VPN, the server always pushes an IPv6 address to the client, even when the server itself has no working IPv6 route to the internet, and it routes 2000::/3 (the global unicast range, i.e. all currently assignable addresses) into the VPN.

With this setup the client should fall back to IPv4 when the Scaleway server has no IPv6 connectivity, instead of sending IPv6 traffic outside the tunnel.


The current setup:

  • uses the AES-256-CBC cipher
  • enforces a minimum TLS version of 1.2
  • uses SHA256 as the HMAC authentication digest
  • keeps the default TLS cipher list, for better compatibility
  • uses a static pre-shared key for tls-auth

Certificates are generated with easy-rsa and checked for revocation against the CRL.

Some of these parameters can be changed in the /etc/openvpn/scw-vars.sh config file.
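An added example, not part of the image: a small audit that parses an OpenVPN server config and reports where it misses the settings listed above (cipher, tls-version-min, auth, tls-auth, and crl-verify for the revocation check). The directive names are OpenVPN's own; the accepted cipher and digest sets and the two sample configs are assumptions constructed for this example.

```python
import re

# Policy for this example (an assumption derived from the list above): the
# README's settings, plus the AEAD ciphers and longer SHA-2 digests as stronger
# alternatives.
ACCEPTED_CIPHERS = {"AES-256-CBC", "AES-256-GCM", "AES-128-GCM"}
ACCEPTED_DIGESTS = {"SHA256", "SHA384", "SHA512"}
MIN_TLS = (1, 2)


def parse_openvpn_config(text):
    """Map each directive to the args of its first occurrence.

    Lines inside <tag>...</tag> inline blocks (embedded certs and keys) are
    skipped; the tag itself is recorded with the marker argument "<inline>".
    """
    directives = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                 # inside an inline block
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1)
            directives.setdefault(block, ["<inline>"])
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, args)
    return directives


def audit(text):
    """Return a list of findings; an empty list means the config meets the policy."""
    d = parse_openvpn_config(text)
    findings = []

    cipher = d.get("cipher", [None])[0]
    if cipher not in ACCEPTED_CIPHERS:
        findings.append(f"cipher: {cipher or 'unset (OpenVPN 2.4 and earlier default to BF-CBC)'}; "
                        f"want one of {sorted(ACCEPTED_CIPHERS)}")

    ver = d.get("tls-version-min", [None])[0]
    try:
        ok = ver is not None and tuple(int(x) for x in ver.split(".")) >= MIN_TLS
    except ValueError:
        ok = False
    if not ok:
        findings.append(f"tls-version-min: {ver or 'unset'}; want {'.'.join(map(str, MIN_TLS))} or higher")

    digest = d.get("auth", [None])[0]   # OpenVPN's default HMAC digest is SHA1
    if digest not in ACCEPTED_DIGESTS:
        findings.append(f"auth: {digest or 'unset (defaults to SHA1)'}; want one of {sorted(ACCEPTED_DIGESTS)}")

    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("tls-auth: no static key protecting the TLS control channel")

    if "crl-verify" not in d:
        findings.append("crl-verify: unset, so revoked client certificates are still accepted")

    return findings


# Constructed sample configs for this example (not files shipped in the image).
WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher BF-CBC    ; 64-bit block cipher, deprecated
auth SHA1
"""

HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
tls-auth ta.key 0       # static PSK for the control channel
crl-verify crl.pem      # reject certificates revoked with scw-ovpn revoke
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

The crl-verify check is the one that matters for the revoke workflow above: without it the server never consults the CRL, and a revoked user keeps connecting no matter what was done in the easy-rsa directory.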

How to hack

This image is meant to be used on a Scaleway server.

We use Docker's build system and, at the end, convert the result into a disk image that boots on real servers without Docker. The image still runs as a Docker container, for debugging or for building derived images.

More info

A project by Scaleway