OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Oracle Linux and Arch Linux.
This script will let you setup your own secure VPN server in just a few seconds.
You can also check out wireguard-install, a simple installer for a simpler, safer, faster and more modern VPN protocol.
First, get the script and make it executable:
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh chmod +x openvpn-install.sh
Then run it:
You need to run the script as root and have the TUN module enabled.
The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
When OpenVPN is installed, you can run the script again, and you will get the choice to:
- Add a client
- Remove a client
- Uninstall OpenVPN
In your home directory, you will have
.ovpn files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
If you have any question, head to the FAQ first. Please read everything before opening an issue.
PLEASE do not send me emails or private messages asking for help. The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.
AUTO_INSTALL=y ./openvpn-install.sh # or export AUTO_INSTALL=y ./openvpn-install.sh
A default set of variables will then be set, by passing the need for user input.
If you want to customise your installation, you can export them or specify them on the same line, as shown above.
If the server is behind NAT, you can specify its endpoint with the
ENDPOINT variable. If the endpoint is the public IP address which it is behind, you can use
ENDPOINT=$(curl -4 ifconfig.co) (the script will default to this). The endpoint can be an IPv4 or a domain.
Other variables can be set depending on your choice (encryption, compression). You can search for them in the
installQuestions() function of the script.
Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.
The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.
Headless User Addition
It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the
MENU_OPTION variable along with the remaining mandatory variables before invoking the script.
The following Bash script adds a new user
foo to an existing OpenVPN configuration
#!/bin/bash export MENU_OPTION="1" export CLIENT="foo" export PASS="1" ./openvpn-install.sh
- Installs and configures a ready-to-use OpenVPN server
- Iptables rules and forwarding managed in a seamless way
- If needed, the script can cleanly remove OpenVPN, including configuration and iptables rules
- Customisable encryption settings, enhanced default settings (see Security and Encryption below)
- OpenVPN 2.4 features, mainly encryption improvements (see Security and Encryption below)
- Variety of DNS resolvers to be pushed to the clients
- Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
- Choice between TCP and UDP
- NATed IPv6 support
- Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise.
- Unprivileged mode: run as
- Block DNS leaks on Windows 10
- Randomised server certificate name
- Choice to protect clients with a password (private key encryption)
- Many other little things!
The script supports these OS and architectures:
|Amazon Linux 2||❔||✅||❔||❔|
|Debian >= 9||✅||✅||✅||✅|
|Fedora >= 27||❔||✅||❔||❔|
|Ubuntu >= 18.04||✅||✅||✅||✅|
|Oracle Linux 8||❌||✅||❌||❔|
To be noted:
- It should work on Debian 8+ and Ubuntu 16.04+. But versions not in the table above are not officially supported.
- The script requires
- The script is regularly tested against
This script is based on the great work of Nyr and its contributors.
Since 2016, the two scripts have diverged and are not alike anymore, especially under the hood. The main goal of the script was enhanced security. But since then, the script has been completely rewritten and a lot a features have been added. The script is only compatible with recent distributions though, so if you need to use a very old server or client, I advise using Nyr's script.
Was this answer helpful?
I encoutered some documentation issues regarding ISPConfig combined with Let's Encrypt. This is...
Install OpenVPN on a Virtual Server / VPS OpenVPN road warrior installer for Debian, Ubuntu and...
DirectAdmin is a web hosting control panel with a graphical user interface which was designed to...
Powered by WHMCompleteSolution