openvpn #9

Supports: xenial trusty
Add to new model


Installs and configures OpenVPN and creates client .ovpn config files. This Charm uses the luxflux-openvpn Puppet module for the heavy lifting. After installation, you can find the client config files in /home/ubuntu/*.ovpn.


This charm provides OpenVPN Community VPN.

This Charm installs and configures the VPN service and creates client certificates. What can you do with this Charm?

  1. Give remote users secure access to an internal network and let them use internal DNS servers.
  2. Secure remote users' communications by tunneling all their traffic through a secure connection.


Deploy the application and you're ready to go!

juju deploy openvpn

Please note that this charm must be deployed on physical or virtual machines. This Charm does not work in LXC/LXD containers. Also note that changing the key settings will cause existing client configs to fail.


This Charm exposes the number of connected clients using a juju metric.

$ juju metrics --all
UNIT        TIMESTAMP                METRIC     VALUE
openvpn/0   2016-11-27T15:05:25Z     users      1

You can find more detailed status information on the unit itself.

# On the openvpn unit
sudo cat /var/log/openvpn/openvpn-server1-status.log


  • push-dns [True]: Set to False if clients shouldn't use the server's DNS settings.
  • push-default-gateway [True]: Set to False if you want to use the VPN only for connections to servers in the private subnet. By default, ALL traffic will go over the VPN. Note that NetworkManager uses the VPN as default gateway regardless of server config. Use openvpn from the commandline to enable this behavior.
  • port and protocol [443:tcp]: 443:tcp and 8080:tcp have the least chance of being blocked by firewalls. 1194:udp is the fastest.
  • key-* : Information for key certificate. You don't actually need to change this.

How do I get the OpenVPN client config file?

An OpenVPN client needs a config file to connect to the OpenVPN server. This Charm generates these config files for each client and puts them in /home/ubuntu/<client-name>.ovpn. You can download these config files using the Juju CLI. See the clients config option for more info.

juju scp openvpn/0:~/<client-name>.ovpn .

How do I connect to the VPN?

The client config file works with any OpenVPN-compatible client on any OS. Use the instructions linked below or refer to the generic OpenVPN instructions for your OS.

Connect an Ubuntu Desktop

Install OpenVPN client

Install the OpenVPN network-manager integration. This will add the "VPN connections" menu in the network applet.

sudo apt install network-manager-openvpn-gnome

Add VPN using config file

  1. Click the Network applet.
  2. Choose VPN connections > Configure VPN as shown in the picture below.

  1. Click "Add".

  1. Scroll all the way down and click "import a saved VPN configuration".

  1. Select the .ovpn config file, add the VPN, and connect using the network applet.

  2. [Optional] Regardless of server configuration, NetworkManager uses the VPN as default gateway, effectively sending ALL traffic over the VPN. If you set push-default-gateway to False and want NetworkManager to respect that setting, you need extra configuration on the client. Edit the VPN connection > IPv4 Settings > Routes...'.

  1. [Optional] Then mark "Use this connection only for resources on its network."

Connect an Ubuntu Server

Use the following instructions to connect an Ubuntu server to the VPN.

sudo apt install openvpn
sudo openvpn --config <client-name>.ovpn
# Use the following command if you want to use the DNS settings that the OpenVPN server pushes
sudo openvpn --config <client-name>.ovpn --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf

Known limitations

  • NetworkManager uses the VPN as default gateway regardless of server config. Follow steps 6. and 7. to disable this.
  • For cases where the VPN is not be the default gateway, and DNS settings are enabled, it is important to keep in mind that the clients will have two options for DNS nameservers: a public one (from the clients network) and a private one (from the network behind the VPN). The openvpn cli client will strictly use the private nameserver. Network Manager is a little bit smarter. Network Manager will send the DNS query to the public nameserver unless the url address is part of the search domain of the private network. This means that if the search domain on the private network is, queries for will be send to the private DNS server and queries for will be send to the public DNS server. More information:
  • If you use the VPN on Google Compute Engine with push-default-gateway=False, then traffic to GCE VM's will not go over the VPN by default. This is because each GCE VM is in a network, so it has no idea which networks it has acces to, i.e. which networks it should push to VPN clients. You will need to manually add a route in the VPN clients if you want this to happen.

Contact Information


Report bugs in the layer-openvpn Github repo.


This software was created in the IBCN research group of Ghent University in Belgium. This software is used in Tengu, a project that aims to make experimenting with data frameworks and tools as easy as possible.


(string) Space-separated list with names of users to generate config for.
(boolean) Will multiple users connect using the same client config? (yes = True)
(string) Space separated list of extra deb packages to install.
(string) List of signing keys for install_sources package sources, per charmhelpers standard format (a yaml list of strings encoded as a string). The keys should be the full ASCII armoured GPG public keys. While GPG key ids are also supported and looked up on a keyserver, operators should be aware that this mechanism is insecure. null can be used if a standard package signing key is used that will already be installed on the machine, and for PPA sources where the package signing key is securely retrieved from Launchpad.
(string) List of extra apt sources, per charm-helpers standard format (a yaml list of strings encoded as a string). Each source may be either a line that can be added directly to sources.list(5), or in the form ppa:<user>/<ppa-name> for adding Personal Package Archives, or a distribution component to enable.
(string) City field for RSA certificate.
(string) Country field for RSA certificate.
(string) Email field for RSA certificate.
(string) Organization field for RSA certificate.
(string) Province field for RSA certificate.
(string) The status of service-affecting packages will be set to this value in the dpkg database. Valid values are "install" and "hold".
(int) Port for VPN traffic. Default is 443 since it isn't likely to be blocked by the firewall.
(string) Protocol for VPN communication (tcp|udp). Tcp on port 443 is least likely to be blocked by firewalls. Udp on port 1194 is fastest.
(string) Puppet gpg key used to configure Puppetlabs apt sources. You can find and verify this key at
-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBFe2Iz4BEADqbv/nWmR26bsivTDOLqrfBEvRu9kSfDMzYh9Bmik1A8Z036Eg h5+TZD8Rrd5TErLQ6eZFmQXk9yKFoa9/C4aBjmsL/u0yeMmVb7/66i+x3eAYGLzV FyunArjtefZyxq0B2mdRHE8kwl5XGl8015T5RGHCTEhpX14O9yigI7gtliRoZcl3 hfXtedcvweOf9VrV+t5LF4PrZejom8VcB5CE2pdQ+23KZD48+Cx/sHSLHDtahOTQ 5HgwOLK7rBll8djFgIqP/UvhOqnZGIsg4MzTvWd/vwanocfY8BPwwodpX6rPUrD2 aXPsaPeM3Q0juDnJT03c4i0jwCoYPg865sqBBrpOQyefxWD6UzGKYkZbaKeobrTB xUKUlaz5agSK12j4N+cqVuZUBAWcokXLRrcftt55B8jz/Mwhx8kl6Qtrnzco9tBG T5JN5vXMkETDjN/TqfB0D0OsLTYOp3jj4hpMpG377Q+6D71YuwfAsikfnpUtEBxe NixXuKAIqrgG8trfODV+yYYWzfdM2vuuYiZW9pGAdm8ao+JalDZss3HL7oVYXSJp MIjjhi78beuNflkdL76ACy81t2TvpxoPoUIG098kW3xd720oqQkyWJTgM+wV96bD ycmRgNQpvqHYKWtZIyZCTzKzTTIdqg/sbE/D8cHGmoy0eHUDshcE0EtxsQARAQAB tEhQdXBwZXQsIEluYy4gUmVsZWFzZSBLZXkgKFB1cHBldCwgSW5jLiBSZWxlYXNl IEtleSkgPHJlbGVhc2VAcHVwcGV0LmNvbT6JAj4EEwECACgFAle2Iz4CGwMFCQlm AYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEH9DgoDvjTSfIN0P/jcCRzK8 WIdhcNz5dkj7xRZb8Oft2yDfenQmzb1SwGGa96IwJFcjF4Nq7ymcDUqunS2DEDb2 gCucsqmW1ubkaggsYbc9voz/SQwhsQpBjfWbuyOX9DWmW6av/aB1F85wP79gyfqT uidTGxQE6EhDbLe7tuvxOHfM1bKsUtI+0n9TALLLHfXUEdtaXCwMlJuO1IIn1PWa H7HzyEjw6OW/cy73oM9nuErBIio1O60slPLOW2XNhdWZJCRWkcXyuumRjoepz7WN 1JgsLOTcB7rcQaBP3pDN0O/Om5dlDQ6oYitoJs/F0gfEgwK68Uy8k8sUR+FLLJqM o0CwOg6CeWU4ShAEd1xZxVYW6VOOKlz9x9dvjIVDn2SlTBDmLS99ySlQS57rjGPf GwlRUnuZP4OeSuoFNNJNb9PO6XFSP66eNHFbEpIoBU7phBzwWpTXNsW+kAcY8Rno 8GzKR/2FRsxe5Nhfh8xy88U7BA0tqxWdqpk/ym+wDcgHBfSRt0dPFnbaHAiMRlgX J/NPHBQtkoEdQTKA+ICxcNTUMvsPDQgZcU1/ViLMN+6kZaGNDVcPeMgDvqxu0e/T b3uYiId38HYbHmD6rDrOQL/2VPPXbdGbxDGQUgX1DfdOuFXw1hSTilwI1KdXxUXD sCsZbchgliqGcI1l2En62+6pI2x5XQqqiJ7+ =HpaX -----END PGP PUBLIC KEY BLOCK-----
(boolean) Do not set to false if you don't know what you're doing. Should the connecting clients use the VPN server for ALL connections? (yes = True) If this is False then the client will not use the VPN for ANY connections unless the client configures routes manually.
(boolean) Should the connecting clients use the same DNS and search domain as the OpenVPN server? (yes = True)