OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Arch Linux, Oracle Linux, Rocky Linux and AlmaLinux.
This script will let you setup your own secure VPN server in just a few seconds.
You can also check out wireguard-install, a simple installer for a simpler, safer, faster and more modern VPN protocol.
First, get the script and make it executable:
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
Then run it:
./openvpn-install.sh
You need to run the script as root and have the TUN module enabled.
The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
When OpenVPN is installed, you can run the script again, and you will get the choice to:
In your home directory, you will have .ovpn
files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
If you have any question, head to the FAQ first. Please read everything before opening an issue.
PLEASE do not send me emails or private messages asking for help. The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.
Example usage:
AUTO_INSTALL=y ./openvpn-install.sh
# or
export AUTO_INSTALL=y
./openvpn-install.sh
A default set of variables will then be set, by passing the need for user input.
If you want to customise your installation, you can export them or specify them on the same line, as shown above.
APPROVE_INSTALL=y
APPROVE_IP=y
IPV6_SUPPORT=n
PORT_CHOICE=1
PROTOCOL_CHOICE=1
DNS=1
COMPRESSION_ENABLED=n
CUSTOMIZE_ENC=n
CLIENT=clientname
PASS=1
If the server is behind NAT, you can specify its endpoint with the ENDPOINT
variable. If the endpoint is the public IP address which it is behind, you can use ENDPOINT=$(curl -4 ifconfig.co)
(the script will default to this). The endpoint can be an IPv4 or a domain.
Other variables can be set depending on your choice (encryption, compression). You can search for them in the installQuestions()
function of the script.
Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.
The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.
It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the MENU_OPTION
variable along with the remaining mandatory variables before invoking the script.
The following Bash script adds a new user foo
to an existing OpenVPN configuration
#!/bin/bash
export MENU_OPTION="1"
export CLIENT="foo"
export PASS="1"
./openvpn-install.sh
nobody
/nogroup
The script supports these OS and architectures:
i386 | amd64 | armhf | arm64 | |
---|---|---|---|---|
Amazon Linux 2 |
|
|
|
|
Arch Linux |
|
|
|
|
CentOS 7 |
|
|
|
|
CentOS 8 |
|
|
|
|
Debian >= 9 |
|
|
|
|
Fedora >= 27 |
|
|
|
|
Ubuntu 16.04 |
|
|
|
|
Ubuntu >= 18.04 |
|
|
|
|
Oracle Linux 8 |
|
|
|
|
Rocky Linux 8 |
|
|
|
|
AlmaLinux 8 |
|
|
|
|
To be noted:
systemd
.amd64
only.This script is based on the great work of Nyr and its contributors.
Since 2016, the two scripts have diverged and are not alike anymore, especially under the hood. The main goal of the script was enhanced security. But since then, the script has been completely rewritten and a lot a features have been added. The script is only compatible with recent distributions though, so if you need to use a very old server or client, I advise using Nyr's script.
More Q&A in FAQ.md.
Q: Which provider do you recommend?
A: I recommend these:
Q: Which OpenVPN client do you recommend?
A: If possible, an official OpenVPN 2.4 client.
openvpn
package from your distribution. There is an official APT repository for Debian/Ubuntu based distributions.Q: Am I safe from the NSA by using your script?
A: Please review your threat models. Even if this script has security in mind and uses state-of-the-art encryption, you shouldn't be using a VPN if you want to hide from the NSA.
Q: Is there an OpenVPN documentation?
A: Yes, please head to the OpenVPN Manual, which references all the options.
More Q&A in FAQ.md.
Solutions that provision a ready to use OpenVPN server based on this script in one go are available for:
openvpn-terraform-install
We use shellcheck and shfmt to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration here.
OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that.
OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, ECDH, AES GCM, NCP and tls-crypt.
If you want more information about an option mentioned below, head to the OpenVPN manual. It is very complete.
Most of OpenVPN's encryption-related stuff is managed by Easy-RSA. Defaults parameters are in the vars.example file.
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
However, it is discouraged to use compression since the VORACLE attack makes use of it.
OpenVPN accepts TLS 1.0 by default, which is nearly 20 years old.
With tls-version-min 1.2
we enforce TLS 1.2, which the best protocol available currently for OpenVPN.
TLS 1.2 is supported since OpenVPN 2.3.3.
OpenVPN uses an RSA certificate with a 2048 bits key by default.
OpenVPN 2.4 added support for ECDSA. Elliptic curve cryptography is faster, lighter and more secure.
This script provides:
prime256v1
/secp384r1
/secp521r1
curves2048
/3072
/4096
bits keysIt defaults to ECDSA with prime256v1
.
OpenVPN uses SHA-256
as the signature hash by default, and so does the script. It provides no other choice as of now.
By default, OpenVPN uses BF-CBC
as the data channel cipher. Blowfish is an old (1993) and weak algorithm. Even the official OpenVPN documentation admits it.
The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
OpenVPN's default cipher, BF-CBC, is affected by this attack.
Indeed, AES is today's standard. It's the fastest and more secure cipher available today. SEED and Camellia are not vulnerable to date but are slower than AES and relatively less trusted.
Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.
AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source: 1,2). Moreover, AES-256 is more vulnerable to Timing attacks.
AES-GCM is an AEAD cipher which means it simultaneously provides confidentiality, integrity, and authenticity assurances on the data.
The script supports the following ciphers:
AES-128-GCM
AES-192-GCM
AES-256-GCM
AES-128-CBC
AES-192-CBC
AES-256-CBC
And defaults to AES-128-GCM
.
OpenVPN 2.4 added a feature called "NCP": Negotiable Crypto Parameters. It means you can provide a cipher suite like with HTTPS. It is set to AES-256-GCM:AES-128-GCM
by default and overrides the --cipher
parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the --cipher
and --ncp-cipher
to the cipher chosen above.
OpenVPN 2.4 will negotiate the best cipher available by default (e.g ECDHE+AES-256-GCM)
The script proposes the following options, depending on the certificate:
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
It defaults to TLS-ECDHE-*-WITH-AES-128-GCM-SHA256
.
OpenVPN uses a 2048 bits DH key by default.
OpenVPN 2.4 added support for ECDH keys. Elliptic curve cryptography is faster, lighter and more secure.
Also, generating a classic DH keys can take a long, looong time. ECDH keys are ephemeral: they are generated on-the-fly.
The script provides the following options:
prime256v1
/secp384r1
/secp521r1
curves2048
/3072
/4096
bits keysIt defaults to prime256v1
.
From the OpenVPN wiki, about --auth
:
Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.
If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
The script provides the following choices:
SHA256
SHA384
SHA512
It defaults to SHA256
.
tls-auth
and tls-crypt
From the OpenVPN wiki, about tls-auth
:
Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack.
In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.
About tls-crypt
:
Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
Encrypting (and authenticating) control channel packets:
- provides more privacy by hiding the certificate used for the TLS connection,
- makes it harder to identify OpenVPN traffic as such,
- provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
So both provide an additional layer of security and mitigate DoS attacks. They aren't used by default by OpenVPN.
tls-crypt
is an OpenVPN 2.4 feature that provides encryption in addition to authentication (unlike tls-auth
). It is more privacy-friendly.
The script supports both and uses tls-crypt
by default.
You can say thanks if you want!
Many thanks to the contributors and Nyr's original work.
This project is under the MIT Licence
这个指令是使用 "wget" 命令下载一个文件。其中,"https://git.io/vpn" 是文件的 URL 地址,"-O openvpn-install.sh" 指示将下载的文件重命名为 "openvpn-install.sh"。
1 依赖安装 sudo yum install openssl sudo yum install lzop sudo yum install libssl-dev sudo yum install easy-rsa yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel yum install openvpn 2
命令行模式 建议使用brew,应用安装非常简单 /bin/zsh -c "$(curl -fsSL https://gitee.com/cunkai/HomebrewCN/raw/master/Homebrew.sh)" brew Install openvpn 下载给到的配置文件(这里我放到了/Users/snz/Documents/work/) sudo openvpn --config /U
OpenVPN for Android Description With the new VPNService of Android API level 14+ (Ice Cream Sandwich) it is possible to create a VPN service that does not need root access. This project is a port of O
我的自定义食谱通过以下方式安装openvpn: 上述代码在centos 6中工作正常,在centos 7(systemd)中失败 错误: /bin/systemctl启用openvpn-没有这样的文件或目录 似乎在systemd上服务的名称是不同的:openvpn@server我如何检测到这一点?
我正在运行社区OpenVPN服务器(在CIS级RHEL 7上)实例,我可以从我的笔记本电脑连接它,没有任何问题。在连接的同时,我可以使用私有IP SSH到OpenVPN服务器实例,但除此之外什么也做不了。甚至不是同一子网中的不同实例。假设我的VPN服务器在< code>10.100.0.0/28子网中,VPN客户端子网是:< code>192.168.10.0/24,并且我希望SSH到< code
我在公网服务器上搭建了openvpn-server,在内网的机器192.168.0.106上通过openvpn-client连接上,并且获取到了分配地址:10.8.0.6。 在外网的机器通过openvpn-client连接openvpn-server上,ping 10.8.0.6 是有应答的,说明隧道创建成功了。但是我通过 ping 192.168.0.106 无法应答,这是什么原因? 这是我内网
问题内容: 我最近安装了隐私vpn,事实证明启用的openvpn会破坏docker。 当我尝试运行时,出现以下错误 禁用vpn可以解决此问题(但是我宁愿不禁用它)。有什么办法可以使这两者和平共处?我使用debian jessie,并且我的openvpn具有以下版本字符串 很多人通过禁用openvpn来“解决”此问题,因此我专门询问如何使这两个工具同时工作。 如果这有什么不同,我的vpn提供程序是:
我最近安装了privacy vpn,结果发现启用的openvpn会破坏Docker。 当我尝试运行时,我得到以下错误 禁用vpn可以解决这个问题(不过,我宁愿不禁用它)。有没有办法使这两者和平共处?我使用debian jessie,我的openvpn有以下版本字符串 null