OpenVPN Install

OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Oracle Linux and Arch Linux.

This script will let you setup your own secure VPN server in just a few seconds.

You can also check out wireguard-install, a simple installer for a simpler, safer, faster and more modern VPN protocol.

Usage

First, get the script and make it executable:

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh

Then run it:

./openvpn-install.sh

You need to run the script as root and have the TUN module enabled.

The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.

When OpenVPN is installed, you can run the script again, and you will get the choice to:

  • Add a client
  • Remove a client
  • Uninstall OpenVPN

In your home directory, you will have .ovpn files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.

If you have any question, head to the FAQ first. Please read everything before opening an issue.

PLEASE do not send me emails or private messages asking for help. The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.

Headless install

It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.

Example usage:

AUTO_INSTALL=y ./openvpn-install.sh

# or

export AUTO_INSTALL=y
./openvpn-install.sh

A default set of variables will then be set, by passing the need for user input.

If you want to customise your installation, you can export them or specify them on the same line, as shown above.

  • APPROVE_INSTALL=y
  • APPROVE_IP=y
  • IPV6_SUPPORT=n
  • PORT_CHOICE=1
  • PROTOCOL_CHOICE=1
  • DNS=1
  • COMPRESSION_ENABLED=n
  • CUSTOMIZE_ENC=n
  • CLIENT=clientname
  • PASS=1

If the server is behind NAT, you can specify its endpoint with the ENDPOINT variable. If the endpoint is the public IP address which it is behind, you can use ENDPOINT=$(curl -4 ifconfig.co) (the script will default to this). The endpoint can be an IPv4 or a domain.

Other variables can be set depending on your choice (encryption, compression). You can search for them in the installQuestions() function of the script.

Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.

The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.

Headless User Addition

It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the MENU_OPTION variable along with the remaining mandatory variables before invoking the script.

The following Bash script adds a new user foo to an existing OpenVPN configuration

#!/bin/bash
export MENU_OPTION="1"
export CLIENT="foo"
export PASS="1"
./openvpn-install.sh

Features

  • Installs and configures a ready-to-use OpenVPN server
  • Iptables rules and forwarding managed in a seamless way
  • If needed, the script can cleanly remove OpenVPN, including configuration and iptables rules
  • Customisable encryption settings, enhanced default settings (see Security and Encryption below)
  • OpenVPN 2.4 features, mainly encryption improvements (see Security and Encryption below)
  • Variety of DNS resolvers to be pushed to the clients
  • Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
  • Choice between TCP and UDP
  • NATed IPv6 support
  • Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise.
  • Unprivileged mode: run as nobody/nogroup
  • Block DNS leaks on Windows 10
  • Randomised server certificate name
  • Choice to protect clients with a password (private key encryption)
  • Many other little things!

Compatibility

The script supports these OS and architectures:

  i386 amd64 armhf arm64
Amazon Linux 2
Arch Linux
CentOS 7
CentOS 8
Debian >= 9
Fedora >= 27
Ubuntu 16.04
Ubuntu >= 18.04
Oracle Linux 8

To be noted:

  • It should work on Debian 8+ and Ubuntu 16.04+. But versions not in the table above are not officially supported.
  • The script requires systemd.
  • The script is regularly tested against amd64 only.

Fork

This script is based on the great work of Nyr and its contributors.

Since 2016, the two scripts have diverged and are not alike anymore, especially under the hood. The main goal of the script was enhanced security. But since then, the script has been completely rewritten and a lot a features have been added. The script is only compatible with recent distributions though, so if you need to use a very old server or client, I advise using Nyr's script.

Was this answer helpful?

 Print this Article

Also Read

How to install DirectAdmin, Full DirectAdmin Installation Guide

DirectAdmin is a web hosting control panel with a graphical user interface which was designed to...

Create SSL Certificates for ISPConfig using Let's Encrypt

I encoutered some documentation issues regarding ISPConfig combined with Let's Encrypt. This is...

OpenVPN road warrior installer for Debian, Ubuntu and CentOS

Install OpenVPN on a Virtual Server / VPS OpenVPN road warrior installer for Debian, Ubuntu and...

Powered by WHMCompleteSolution