juju deploy openvpn

16.04 LTS 14.04 LTS

Discuss this charm

Share your thoughts on this charm with the community on discourse.

Join the discussion


This charm provides OpenVPN Community VPN.

This Charm installs and configures the VPN service and creates client certificates. What can you do with this Charm?

  1. Give remote users secure access to an internal network and let them use internal DNS servers.
  2. Secure remote users' communications by tunneling all their traffic through a secure connection.


Deploy the application and you're ready to go!

juju deploy openvpn

Please note that this charm must be deployed on physical or virtual machines. This Charm does not work in LXC/LXD containers. Also note that changing the key settings will cause existing client configs to fail.


This Charm exposes the number of connected clients using a juju metric.

$ juju metrics --all
UNIT        TIMESTAMP                METRIC     VALUE
openvpn/0   2016-11-27T15:05:25Z     users      1

You can find more detailed status information on the unit itself.

# On the openvpn unit
sudo cat /var/log/openvpn/openvpn-server1-status.log


  • push-dns [True]: Set to False if clients shouldn't use the server's DNS settings.
  • push-default-gateway [True]: Set to False if you want to use the VPN only for connections to servers in the private subnet. By default, ALL traffic will go over the VPN. Note that NetworkManager uses the VPN as default gateway regardless of server config. Use openvpn from the commandline to enable this behavior.
  • port and protocol [443:tcp]: 443:tcp and 8080:tcp have the least chance of being blocked by firewalls. 1194:udp is the fastest.
  • key-* : Information for key certificate. You don't actually need to change this.

How do I get the OpenVPN client config file?

An OpenVPN client needs a config file to connect to the OpenVPN server. This Charm generates these config files for each client and puts them in /home/ubuntu/<client-name>.ovpn. You can download these config files using the Juju CLI. See the clients config option for more info.

juju scp openvpn/0:~/<client-name>.ovpn .

How do I connect to the VPN?

The client config file works with any OpenVPN-compatible client on any OS. Use the instructions linked below or refer to the generic OpenVPN instructions for your OS.

Connect an Ubuntu Desktop

Install OpenVPN client

Install the OpenVPN network-manager integration. This will add the "VPN connections" menu in the network applet.

sudo apt install network-manager-openvpn-gnome

Add VPN using config file

  1. Click the Network applet.
  2. Choose VPN connections > Configure VPN as shown in the picture below.

  1. Click "Add".

  1. Scroll all the way down and click "import a saved VPN configuration".

  1. Select the .ovpn config file, add the VPN, and connect using the network applet.

  2. [Optional] Regardless of server configuration, NetworkManager uses the VPN as default gateway, effectively sending ALL traffic over the VPN. If you set push-default-gateway to False and want NetworkManager to respect that setting, you need extra configuration on the client. Edit the VPN connection > IPv4 Settings > Routes...'.

  1. [Optional] Then mark "Use this connection only for resources on its network."

Connect an Ubuntu Server

Use the following instructions to connect an Ubuntu server to the VPN.

sudo apt install openvpn
sudo openvpn --config <client-name>.ovpn
# Use the following command if you want to use the DNS settings that the OpenVPN server pushes
sudo openvpn --config <client-name>.ovpn --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf

Known limitations

  • NetworkManager uses the VPN as default gateway regardless of server config. Follow steps 6. and 7. to disable this.
  • For cases where the VPN is not be the default gateway, and DNS settings are enabled, it is important to keep in mind that the clients will have two options for DNS nameservers: a public one (from the clients network) and a private one (from the network behind the VPN). The openvpn cli client will strictly use the private nameserver. Network Manager is a little bit smarter. Network Manager will send the DNS query to the public nameserver unless the url address is part of the search domain of the private network. This means that if the search domain on the private network is, queries for will be send to the private DNS server and queries for will be send to the public DNS server. More information:
  • If you use the VPN on Google Compute Engine with push-default-gateway=False, then traffic to GCE VM's will not go over the VPN by default. This is because each GCE VM is in a network, so it has no idea which networks it has acces to, i.e. which networks it should push to VPN clients. You will need to manually add a route in the VPN clients if you want this to happen.

Contact Information


Report bugs in the layer-openvpn Github repo.


This software was created in the IBCN research group of Ghent University in Belgium. This software is used in Tengu, a project that aims to make experimenting with data frameworks and tools as easy as possible.