angristan / openvpn-install
Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS, Arch Linux and more
Repository Overview (README excerpt)
openvpn-install

OpenVPN installer for Debian, Ubuntu, Fedora, openSUSE, CentOS, Amazon Linux, Arch Linux, Oracle Linux, Rocky Linux and AlmaLinux.

This script will let you set up and manage your own secure VPN server in just a few seconds.

What is this?

This script is meant to be run on your own server, whether it's a VPS or a dedicated server, or even a computer at home.

Once set up, you will be able to generate client configuration files for every device you want to connect. Each client will be able to route its internet traffic through the server, fully encrypted.

Why OpenVPN?

OpenVPN was the de facto standard for open-source VPNs when this script was created. WireGuard came later and is simpler and faster for most use cases. Check out wireguard-install.

That said, OpenVPN still makes sense when you need:

• **TCP support**: works in restrictive environments where UDP is blocked (corporate networks, airports, hotels, etc.)
• **Password-protected private keys**: WireGuard configs store the private key in plain text
• **Legacy compatibility**: clients exist for pretty much every platform, including older systems

Features

• Installs and configures a ready-to-use OpenVPN server
• CLI interface for automation and scripting (non-interactive mode with JSON output)
• Certificate renewal for both client and server certificates
• List and monitor connected clients
• Immediate client disconnect on certificate revocation (via management interface)
• Uses official OpenVPN repositories when possible for the latest stable releases
• Firewall rules and forwarding managed seamlessly (native firewalld and nftables support, iptables fallback)
• Configurable VPN subnets (IPv4: default , IPv6: default )
• Configurable tunnel MTU (default: )
• If needed, the script can cleanly remove OpenVPN, including configuration and firewall rules
• Customisable encryption settings, enhanced default settings (see Security and Encryption below)
• Uses latest OpenVPN features when available (see Security and Encryption below)
• Variety of DNS resolvers to be pushed to the clients
• Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
• Choice between TCP and UDP
• Flexible IPv4/IPv6 support:
  • IPv4 or IPv6 server endpoint (how clients connect)
  • IPv4-only, IPv6-only, or dual-stack clients (VPN addressing and internet access)
  • All combinations supported: 4→4, 4→4/6, 4→6, 6→4, 6→6, 6→4/6
  • Automatic leak prevention: blocks undesired protocol in single-stack modes
• Unprivileged mode: run as /
• Block DNS leaks on Windows 10
• Randomised server certificate name
• Choice to protect clients with a password (private key encryption)
• Option to allow multiple devices to use the same client profile simultaneously (disables persistent IP addresses)
• **Peer fingerprint authentication** (OpenVPN 2.6+): Simplified WireGuard-like authentication without a CA
• Many other little things!

Compatibility

The script supports these Linux distributions:

| Distribution        | Support |
| ------------------- | ------- |
| AlmaLinux >= 8      | ✅ 🤖   |
| Amazon Linux 2023   | ✅ 🤖   |
| Arch Linux          | ✅ 🤖   |
| CentOS Stream >= 8  | ✅ 🤖   |
| Debian >= 11        | ✅ 🤖   |
| Fedora >= 40        | ✅ 🤖   |
| openSUSE Leap >= 16 | ✅ 🤖   |
| openSUSE Tumbleweed | ✅ 🤖   |
| Oracle Linux >= 8   | ✅ 🤖   |
| Rocky Linux >= 8    | ✅ 🤖   |
| Ubuntu >= 18.04     | ✅ 🤖   |

To be noted:

• The script is regularly tested against the distributions marked with a 🤖 only.
• It's only tested on architecture.
• The script requires .

Recommended providers

• Vultr: Worldwide locations, IPv6 support, starting at $2.5/month
• Hetzner: Worldwide locations, IPv6, 20 TB of traffic, starting at €3.59/month
• Digital Ocean: Worldwide locations, IPv6 support, starting at $4/month

Usage

First, download the script on your server and make it executable:

You need to run the script as root and have the TUN module enabled.

Interactive Mode

The easiest way to get started is the interactive menu:

This will guide you through installation and client management.

In your home directory, you will have files. These are the client configuration files. Download them from your server (using for example) and connect using your favorite OpenVPN client.

If you have any questions, head to the FAQ first. And if you need help, you can open a discussion. Please search existing issues and discussions first.

CLI Mode

> [!WARNING]
> API compatibility is not guaranteed. Breaking changes may occur between versions. If you use this script programmatically (e.g., in automation or CI/CD), pin to a specific commit rather than using the master branch.

For automation and scripting, use the CLI interface:

Commands

Run for command-specific options.

Client Management

List all clients:

JSON output for scripting:

Server Management

Show connected clients (data refreshes every 60 seconds):

Install Options

The command supports many options for customization:

**Network Options:**

• - Public IP or hostname for clients (default: auto-detected)
• - Endpoint IP version (default: )
• - Server listening IP (default: auto-detected)
• - Enable IPv4 for VPN clients (default: enabled)
• - Disable IPv4 for VPN clients
• - Enable IPv6 for VPN clients (default: disabled)
• - Disable IPv6 for VPN clients
• - IPv4 VPN subnet (default: )
• - IPv6 VPN subnet (default: )
• - OpenVPN port (default: )
• - Use random port (49152-65535)
• - Protocol (default: )
• - Tunnel MTU (default: )

**DNS Options:**

• - DNS provider (default: ). Options: , , , , , , , , , , , ,
• - Custom primary DNS (requires )
• - Custom secondary DNS (requires )

**Security Options:**

• - Data cipher (default: ). Options: , , , , , ,
• - Certificate type (default: )
• - ECDSA curve (default: ). Options: , ,
• - RSA key size (default: )
• - HMAC algorithm (default: ). Options: , ,
• - TLS mode (default: ). Options: , ,
• - Authentication mode (default: ). Options: (CA-based), (peer-fingerprint, requires OpenVPN 2.6+)
• - Minimum TLS version (def…