openvpn-install
Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
Top Related Projects
🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
OpenVPN road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora
Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
Set up a personal VPN in the cloud
Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
OpenVPN is an open source VPN daemon
Quick Overview
The angristan/openvpn-install repository is a Bash script that automates the installation and configuration of an OpenVPN server on Linux. It simplifies the process of setting up a VPN server, making it accessible to users with limited technical expertise.
Pros
- Easy to use, with a user-friendly interactive setup process
- Supports multiple Linux distributions (Ubuntu, Debian, CentOS, Fedora, etc.)
- Includes options for customizing server settings and client configurations
- Regularly updated and maintained by the community
Cons
- Limited to OpenVPN protocol only, not supporting other VPN protocols
- May not be suitable for complex enterprise-level VPN deployments
- Requires root access to install and configure, which may pose security risks if not used carefully
- Some advanced features may require manual configuration outside the script
Getting Started
To use the OpenVPN installation script, follow these steps:
- Ensure you have root access to a supported Linux server.
- Run the following command to download and execute the script:
wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh -O openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
- Follow the interactive prompts to configure your OpenVPN server.
- Once the installation is complete, you can use the same script to add or revoke client certificates.
Note: Always review scripts before running them with root privileges to ensure security.
Competitor Comparisons
🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
Pros of docker-openvpn
- Containerized solution, offering better isolation and easier deployment
- Supports Docker Compose for simplified multi-container setups
- Easier to manage and update due to Docker's versioning system
Cons of docker-openvpn
- Requires Docker knowledge and infrastructure
- May have slightly higher resource overhead due to containerization
- Less customization options compared to bare-metal installation
Code Comparison
openvpn-install:
#!/bin/bash
# OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, and Arch Linux
# https://github.com/angristan/openvpn-install
# Detect Debian users running the script with "sh" instead of bash
if readlink /proc/$$/exe | grep -q "dash"; then
echo 'This installer needs to be run with "bash", not "sh".'
exit 1
fi
docker-openvpn:
FROM alpine:3.14
LABEL maintainer="Kyle Manna <kyle@kylemanna.com>"
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/community/" >> /etc/apk/repositories && \
echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
OpenVPN road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora
Pros of openvpn-install
- Simpler and more straightforward script with fewer options
- Easier to understand and modify for basic use cases
- Faster setup process for users who don't need advanced features
Cons of openvpn-install
- Limited customization options compared to angristan's version
- Fewer security features and hardening options
- Less frequent updates and maintenance
Code Comparison
openvpn-install:
#!/bin/bash
#
# https://github.com/Nyr/openvpn-install
#
# Copyright (c) 2013 Nyr. Released under the MIT License.
# Detect Debian users running the script with "sh" instead of bash
angristan/openvpn-install:
#!/bin/bash
#
# https://github.com/angristan/openvpn-install
#
# This script will let you set up your own VPN server in no more than a minute,
# even if you haven't used OpenVPN before. It has been designed to be as
# unobtrusive and universal as possible.
The angristan version offers more advanced features, customization options, and regular updates. It's suitable for users who need fine-grained control over their OpenVPN setup. The Nyr version is simpler and easier to use for basic installations but lacks some of the advanced features and security options provided by the angristan fork.
Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
Pros of setup-ipsec-vpn
- Supports a wider range of devices natively, including iOS and Android without additional apps
- Generally faster performance due to lower overhead of IPsec protocol
- Easier to set up on client devices, often with built-in support
Cons of setup-ipsec-vpn
- Less flexible in terms of encryption options compared to OpenVPN
- May be easier for firewalls to detect and block IPsec traffic
- Potentially more vulnerable to certain types of attacks
Code Comparison
setup-ipsec-vpn:
wget https://git.io/vpnsetup -O vpnsetup.sh
sudo sh vpnsetup.sh
openvpn-install:
wget https://git.io/vpn -O openvpn-install.sh
sudo bash openvpn-install.sh
Both scripts offer a straightforward installation process, but setup-ipsec-vpn uses sh
while openvpn-install uses bash
. The openvpn-install script provides more interactive options during setup, allowing for greater customization.
setup-ipsec-vpn is ideal for users who prioritize native device support and ease of client setup, while openvpn-install offers more flexibility and potentially better security options for advanced users. The choice between the two depends on specific use cases and security requirements.
Set up a personal VPN in the cloud
Pros of algo
- Supports multiple VPN protocols (WireGuard, IPsec/IKEv2)
- Enhanced security features and modern encryption standards
- Automated setup process for various cloud providers
Cons of algo
- More complex setup compared to openvpn-install
- Limited customization options
- Requires more system resources
Code comparison
algo:
- name: Install strongSwan
apt:
name:
- strongswan
- libstrongswan-standard-plugins
state: present
openvpn-install:
if [[ -e /etc/debian_version ]]; then
apt-get update
apt-get install openvpn iptables openssl ca-certificates -y
Both repositories aim to simplify VPN setup, but algo focuses on a more comprehensive, multi-protocol approach with enhanced security features. openvpn-install provides a straightforward OpenVPN setup script, making it easier for beginners but potentially less secure.
algo's automated setup process supports various cloud providers, while openvpn-install is primarily designed for manual server setup. The code snippets show that algo uses Ansible for configuration management, whereas openvpn-install relies on shell scripts for a more direct installation process.
Overall, algo offers a more robust and secure solution but requires more resources and expertise, while openvpn-install provides a simpler, more accessible option for basic VPN needs.
Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
Pros of Streisand
- Supports multiple VPN protocols (OpenVPN, WireGuard, etc.) and additional services like Tor bridges
- Automated setup for various cloud providers (AWS, DigitalOcean, etc.)
- Includes additional security features like DNS-over-HTTPS and firewall configuration
Cons of Streisand
- More complex setup process compared to the simpler OpenVPN-only solution
- Requires more system resources due to multiple services running
- Less frequently updated than the OpenVPN-install script
Code Comparison
OpenVPN-install:
#!/bin/bash
# OpenVPN installer for Debian, Ubuntu, and CentOS
# Detect OS and define variables
Streisand:
- name: Set up OpenVPN
include_role:
name: openvpn
- name: Set up WireGuard
include_role:
name: wireguard
The OpenVPN-install script is a single Bash script focused on OpenVPN setup, while Streisand uses Ansible playbooks to manage multiple services and configurations. Streisand's approach allows for more flexibility and modularity but comes with increased complexity.
OpenVPN is an open source VPN daemon
Pros of openvpn
- Official repository maintained by OpenVPN Inc.
- Comprehensive documentation and extensive community support
- Regular updates and security patches
Cons of openvpn
- More complex setup process for beginners
- Requires manual configuration for many features
- Less user-friendly for quick deployments
Code comparison
openvpn:
static void
do_init_frame_net(struct frame *frame)
{
frame_reserve_frame_net(frame);
frame->buf.len = 0;
}
openvpn-install:
if [[ -e /etc/debian_version ]]; then
os="debian"
group_name="nogroup"
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
os="centos"
group_name="nobody"
The openvpn repository contains the core OpenVPN software written in C, focusing on the VPN protocol implementation. In contrast, openvpn-install is a Bash script that automates the installation and configuration process, making it more accessible for users who prefer a quick setup without delving into manual configurations.
While openvpn provides a robust and flexible foundation for VPN deployments, openvpn-install offers a streamlined approach for rapid deployment on various Linux distributions. The choice between the two depends on the user's needs, technical expertise, and desired level of customization.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
openvpn-install
OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Arch Linux, Oracle Linux, Rocky Linux and AlmaLinux.
This script will let you setup your own secure VPN server in just a few seconds.
You can also check out wireguard-install, a simple installer for a simpler, safer, faster and more modern VPN protocol.
Usage
First, get the script and make it executable:
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
Then run it:
./openvpn-install.sh
You need to run the script as root and have the TUN module enabled.
The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
When OpenVPN is installed, you can run the script again, and you will get the choice to:
- Add a client
- Remove a client
- Uninstall OpenVPN
In your home directory, you will have .ovpn
files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
If you have any question, head to the FAQ first. Please read everything before opening an issue.
PLEASE do not send me emails or private messages asking for help. The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
Headless install
It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.
Example usage:
AUTO_INSTALL=y ./openvpn-install.sh
# or
export AUTO_INSTALL=y
./openvpn-install.sh
A default set of variables will then be set, by passing the need for user input.
If you want to customise your installation, you can export them or specify them on the same line, as shown above.
APPROVE_INSTALL=y
APPROVE_IP=y
IPV6_SUPPORT=n
PORT_CHOICE=1
PROTOCOL_CHOICE=1
DNS=1
COMPRESSION_ENABLED=n
CUSTOMIZE_ENC=n
CLIENT=clientname
PASS=1
If the server is behind NAT, you can specify its endpoint with the ENDPOINT
variable. If the endpoint is the public IP address which it is behind, you can use ENDPOINT=$(curl -4 ifconfig.co)
(the script will default to this). The endpoint can be an IPv4 or a domain.
Other variables can be set depending on your choice (encryption, compression). You can search for them in the installQuestions()
function of the script.
Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.
The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.
Headless User Addition
It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the MENU_OPTION
variable along with the remaining mandatory variables before invoking the script.
The following Bash script adds a new user foo
to an existing OpenVPN configuration
#!/bin/bash
export MENU_OPTION="1"
export CLIENT="foo"
export PASS="1"
./openvpn-install.sh
Features
- Installs and configures a ready-to-use OpenVPN server
- Iptables rules and forwarding managed in a seamless way
- If needed, the script can cleanly remove OpenVPN, including configuration and iptables rules
- Customisable encryption settings, enhanced default settings (see Security and Encryption below)
- OpenVPN 2.4 features, mainly encryption improvements (see Security and Encryption below)
- Variety of DNS resolvers to be pushed to the clients
- Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
- Choice between TCP and UDP
- NATed IPv6 support
- Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise.
- Unprivileged mode: run as
nobody
/nogroup
- Block DNS leaks on Windows 10
- Randomised server certificate name
- Choice to protect clients with a password (private key encryption)
- Many other little things!
Compatibility
The script supports these Linux distributions:
Support | |
---|---|
AlmaLinux 8 | â |
Amazon Linux 2 | â |
Arch Linux | â |
CentOS 7 | â ð¤ |
CentOS Stream >= 8 | â ð¤ |
Debian >= 10 | â ð¤ |
Fedora >= 35 | â ð¤ |
Oracle Linux 8 | â |
Rocky Linux 8 | â |
Ubuntu >= 18.04 | â ð¤ |
To be noted:
- The script is regularly tested against the distributions marked with a ð¤ only.
- It's only tested on
amd64
architecture.
- It's only tested on
- It should work on older versions such as Debian 8+, Ubuntu 16.04+ and previous Fedora releases. But versions not in the table above are not officially supported.
- It should also support versions between the LTS versions, but these are not tested.
- The script requires
systemd
.
Fork
This script is based on the great work of Nyr and its contributors.
Since 2016, the two scripts have diverged and are not alike anymore, especially under the hood. The main goal of the script was enhanced security. But since then, the script has been completely rewritten and a lot a features have been added. The script is only compatible with recent distributions though, so if you need to use a very old server or client, I advise using Nyr's script.
FAQ
More Q&A in FAQ.md.
Q: Which provider do you recommend?
A: I recommend these:
- Vultr: Worldwide locations, IPv6 support, starting at $5/month
- Hetzner: Germany, Finland and USA. IPv6, 20 TB of traffic, starting at 4.5â¬/month
- Digital Ocean: Worldwide locations, IPv6 support, starting at $4/month
Q: Which OpenVPN client do you recommend?
A: If possible, an official OpenVPN 2.4 client.
- Windows: The official OpenVPN community client.
- Linux: The
openvpn
package from your distribution. There is an official APT repository for Debian/Ubuntu based distributions. - macOS: Tunnelblick, Viscosity, OpenVPN for Mac.
- Android: OpenVPN for Android.
- iOS: The official OpenVPN Connect client.
Q: Am I safe from the NSA by using your script?
A: Please review your threat models. Even if this script has security in mind and uses state-of-the-art encryption, you shouldn't be using a VPN if you want to hide from the NSA.
Q: Is there an OpenVPN documentation?
A: Yes, please head to the OpenVPN Manual, which references all the options.
More Q&A in FAQ.md.
One-stop solutions for public cloud
Solutions that provision a ready to use OpenVPN server based on this script in one go are available for:
- AWS using Terraform at
openvpn-terraform-install
- Terraform AWS module
openvpn-ephemeral
Contributing
Discuss changes
Please open an issue before submitting a PR if you want to discuss a change, especially if it's a big one.
Code formatting
We use shellcheck and shfmt to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration here.
Security and Encryption
Warning This has not been updated for OpenVPN 2.5 and later.
OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that.
OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, ECDH, AES GCM, NCP and tls-crypt.
If you want more information about an option mentioned below, head to the OpenVPN manual. It is very complete.
Most of OpenVPN's encryption-related stuff is managed by Easy-RSA. Defaults parameters are in the vars.example file.
Compression
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
However, it is discouraged to use compression since the VORACLE attack makes use of it.
TLS version
OpenVPN accepts TLS 1.0 by default, which is nearly 20 years old.
With tls-version-min 1.2
we enforce TLS 1.2, which the best protocol available currently for OpenVPN.
TLS 1.2 is supported since OpenVPN 2.3.3.
Certificate
OpenVPN uses an RSA certificate with a 2048 bits key by default.
OpenVPN 2.4 added support for ECDSA. Elliptic curve cryptography is faster, lighter and more secure.
This script provides:
- ECDSA:
prime256v1
/secp384r1
/secp521r1
curves - RSA:
2048
/3072
/4096
bits keys
It defaults to ECDSA with prime256v1
.
OpenVPN uses SHA-256
as the signature hash by default, and so does the script. It provides no other choice as of now.
Data channel
By default, OpenVPN uses BF-CBC
as the data channel cipher. Blowfish is an old (1993) and weak algorithm. Even the official OpenVPN documentation admits it.
The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details. Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
OpenVPN's default cipher, BF-CBC, is affected by this attack.
Indeed, AES is today's standard. It's the fastest and more secure cipher available today. SEED and Camellia are not vulnerable to date but are slower than AES and relatively less trusted.
Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.
AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source: 1,2). Moreover, AES-256 is more vulnerable to Timing attacks.
AES-GCM is an AEAD cipher which means it simultaneously provides confidentiality, integrity, and authenticity assurances on the data.
The script supports the following ciphers:
AES-128-GCM
AES-192-GCM
AES-256-GCM
AES-128-CBC
AES-192-CBC
AES-256-CBC
And defaults to AES-128-GCM
.
OpenVPN 2.4 added a feature called "NCP": Negotiable Crypto Parameters. It means you can provide a cipher suite like with HTTPS. It is set to AES-256-GCM:AES-128-GCM
by default and overrides the --cipher
parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the --cipher
and --ncp-cipher
to the cipher chosen above.
Control channel
OpenVPN 2.4 will negotiate the best cipher available by default (e.g ECDHE+AES-256-GCM)
The script proposes the following options, depending on the certificate:
- ECDSA:
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
- RSA:
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
It defaults to TLS-ECDHE-*-WITH-AES-128-GCM-SHA256
.
Diffie-Hellman key exchange
OpenVPN uses a 2048 bits DH key by default.
OpenVPN 2.4 added support for ECDH keys. Elliptic curve cryptography is faster, lighter and more secure.
Also, generating a classic DH keys can take a long, looong time. ECDH keys are ephemeral: they are generated on-the-fly.
The script provides the following options:
- ECDH:
prime256v1
/secp384r1
/secp521r1
curves - DH:
2048
/3072
/4096
bits keys
It defaults to prime256v1
.
HMAC digest algorithm
From the OpenVPN wiki, about --auth
:
Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.
If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
The script provides the following choices:
SHA256
SHA384
SHA512
It defaults to SHA256
.
tls-auth
and tls-crypt
From the OpenVPN wiki, about tls-auth
:
Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack.
In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.
About tls-crypt
:
Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
Encrypting (and authenticating) control channel packets:
- provides more privacy by hiding the certificate used for the TLS connection,
- makes it harder to identify OpenVPN traffic as such,
- provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
So both provide an additional layer of security and mitigate DoS attacks. They aren't used by default by OpenVPN.
tls-crypt
is an OpenVPN 2.4 feature that provides encryption in addition to authentication (unlike tls-auth
). It is more privacy-friendly.
The script supports both and uses tls-crypt
by default.
Say thanks
You can say thanks if you want!
Credits & Licence
Many thanks to the contributors and Nyr's original work.
This project is under the MIT Licence
Star History
Top Related Projects
🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
OpenVPN road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora
Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
Set up a personal VPN in the cloud
Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
OpenVPN is an open source VPN daemon
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot