Easily deploy a secure OpenVPN server on Debian, Ubuntu, Fedora, CentOS, Arch Linux, Oracle Linux, Rocky Linux, and AlmaLinux with this automated script.
- Quick Setup: Configure your VPN server in seconds.
- Customizable Security: Enhanced encryption settings for maximum security.
- User Management: Easily add, remove, or manage clients.
- Multi-Platform: Compatible with various Linux distributions.
- Automated Headless Install: Fully automated installation for seamless deployment.
Distribution | Support |
---|---|
AlmaLinux 8 | ✅ |
Amazon Linux 2 | ✅ |
Arch Linux | ✅ |
CentOS 7 | ✅ 🤖 |
CentOS Stream >= 8 | ✅ 🤖 |
Debian >= 10 | ✅ 🤖 |
Fedora >= 35 | ✅ 🤖 |
Oracle Linux 8 | ✅ |
Rocky Linux 8 | ✅ |
Ubuntu >= 18.04 | ✅ 🤖 |
Note: Distributions marked with 🤖 are regularly tested.
```bash
curl -O https://raw.githubusercontent.com/AnonVM/OpenVPN-Installer/main/setup.sh
chmod +x setup.sh
sudo ./setup.sh
```
Follow the prompts to configure your VPN server.
After installation, rerun the script to:
- Add a Client
- Remove a Client
- Uninstall OpenVPN
Client configuration files (`.ovpn`) will be saved in your home directory. Use them with your preferred OpenVPN client.
You can automate the installation process:

```bash
AUTO_INSTALL=y ./setup.sh
```

Or set environment variables:

```bash
export AUTO_INSTALL=y
./setup.sh
```
Customizable options include:
```bash
APPROVE_INSTALL=y
APPROVE_IP=y
IPV6_SUPPORT=n
PORT_CHOICE=1
PROTOCOL_CHOICE=1
DNS=1
COMPRESSION_ENABLED=n
CUSTOMIZE_ENC=n
CLIENT=clientname
PASS=1
```
To set the server endpoint behind NAT:
```bash
ENDPOINT=$(curl -4 ifconfig.co)
```
For more customization, modify the `installQuestions()` function in the script.
To automate user addition:
```bash
#!/bin/bash
export MENU_OPTION="1"
export CLIENT="foo"
export PASS="1"
./setup.sh
```
OpenVPN defaults to strong encryption settings, further enhanced by this script:
- AES-GCM: Provides confidentiality, integrity, and authenticity.
- TLS 1.2: Enforced for optimal security.
- ECDSA: Default certificate type for efficiency and security.
- tls-crypt: Enabled by default for additional privacy and DoS protection.
- AnonVM: Privacy-focused secure hosting
- Windows: Official OpenVPN Community Client
- Linux: Use the `openvpn` package from your distribution. APT repository for Debian/Ubuntu
- macOS: Tunnelblick, Viscosity, OpenVPN for Mac
- Android: OpenVPN for Android
- iOS: OpenVPN Connect
No. Even though this script enhances security, if you're trying to hide from the NSA, a VPN may not be enough. Review your threat models carefully.
Refer to the OpenVPN Manual for detailed documentation on all options.
Open an issue to discuss significant changes before submitting a PR.
Warning: This section has not been updated for OpenVPN 2.5 and later.
- Default: Compression is disabled to prevent VORACLE attacks.
- Supported: LZO and LZ4 (v1/v2) algorithms, though not recommended.
- Default: TLS 1.2 enforced with `tls-version-min 1.2`.
- Support: TLS 1.2 is available since OpenVPN 2.3.3.
- Default: ECDSA with `prime256v1` curve.
- Supported: ECDSA curves (`prime256v1`, `secp384r1`, `secp521r1`) and RSA keys (2048, 3072, 4096 bits).
- Default: AES-128-GCM.
- Supported Ciphers: AES-GCM and AES-CBC with varying key lengths.
- Default: `TLS-ECDHE-*` with AES-128-GCM and SHA256.
- Supported: Configurable based on certificate type (ECDSA or RSA).
- Default: ECDH with `prime256v1`.
- Supported: ECDH and classic DH keys.
- Default: SHA256.
- Supported: SHA256, SHA384, SHA512.
- Default: `tls-crypt` enabled for privacy and DoS protection.
- Supported: Both `tls-auth` and `tls-crypt`.
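
The defaults listed above can be checked against a deployed server configuration. The following is an added example, not part of `setup.sh` or the project's code: a shell function (the name `audit_ovpn_conf` and the sample config are constructed for illustration) that flags compression directives, a `tls-version-min` below 1.2, a non-GCM `cipher`, a weak or missing `auth` digest, and a missing `tls-crypt`/`tls-auth` key. It assumes one directive per line and inspects only `cipher`, not the newer `data-ciphers` directive.

```bash
#!/bin/bash
# Audit an OpenVPN server config against the defaults listed in this README.
# Prints one FINDING line per deviation; returns non-zero if any were found.
audit_ovpn_conf() (
    findings=0 tls_min="" cipher="" auth="" wrap="" comp=""
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # Parse "directive arguments" lines, skipping blanks and # or ; comments.
    while read -r key val; do
        case $key in
            ''|'#'*|';'*) ;;
            compress) case $val in lzo|lz4|lz4-v2) comp="compress $val" ;; esac ;;
            comp-lzo) if [ "$val" != no ]; then comp="comp-lzo${val:+ $val}"; fi ;;
            tls-version-min) tls_min=${val%% *} ;;
            cipher) cipher=$val ;;
            auth) auth=$val ;;
            tls-crypt|tls-auth) wrap=$key ;;
        esac
    done < "$1"

    [ -z "$comp" ] || flag "compression enabled ($comp), exposed to VORACLE"
    case $tls_min in
        1.2|1.3) ;;
        *) flag "tls-version-min is '${tls_min:-unset}', expected 1.2 or higher" ;;
    esac
    case $cipher in
        AES-*-GCM) ;;
        *) flag "cipher is '${cipher:-unset}', expected an AES-GCM cipher" ;;
    esac
    case $auth in
        SHA256|SHA384|SHA512) ;;
        *) flag "auth is '${auth:-unset}', expected SHA256, SHA384 or SHA512" ;;
    esac
    [ -n "$wrap" ] || flag "no tls-crypt or tls-auth key on the control channel"
    [ "$findings" -eq 0 ]
)

# Constructed sample config (not output of setup.sh) with two deviations.
sample=$(mktemp)
cat > "$sample" <<'EOF'
tls-version-min 1.2
;tls-crypt tls-crypt.key
tls-auth ta.key 0
auth SHA256
cipher AES-128-CBC
comp-lzo
EOF
audit_ovpn_conf "$sample" || echo "sample config deviates from the defaults"
rm -f "$sample"
```

Point the function at the server configuration file of the host being reviewed; an empty output with a zero exit status means none of the checked directives deviate.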