• Stars
    star
    10,394
  • Rank 3,315 (Top 0.07 %)
  • Language
    Shell
  • License
    MIT License
  • Created about 8 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.

openvpn-install

Test Lint Say Thanks!

OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Arch Linux, Oracle Linux, Rocky Linux and AlmaLinux.

This script will let you setup your own secure VPN server in just a few seconds.

You can also check out wireguard-install, a simple installer for a simpler, safer, faster and more modern VPN protocol.

Usage

First, get the script and make it executable:

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh

Then run it:

./openvpn-install.sh

You need to run the script as root and have the TUN module enabled.

The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.

When OpenVPN is installed, you can run the script again, and you will get the choice to:

  • Add a client
  • Remove a client
  • Uninstall OpenVPN

In your home directory, you will have .ovpn files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.

If you have any question, head to the FAQ first. Please read everything before opening an issue.

PLEASE do not send me emails or private messages asking for help. The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.

Headless install

It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.

Example usage:

AUTO_INSTALL=y ./openvpn-install.sh

# or

export AUTO_INSTALL=y
./openvpn-install.sh

A default set of variables will then be set, by passing the need for user input.

If you want to customise your installation, you can export them or specify them on the same line, as shown above.

  • APPROVE_INSTALL=y
  • APPROVE_IP=y
  • IPV6_SUPPORT=n
  • PORT_CHOICE=1
  • PROTOCOL_CHOICE=1
  • DNS=1
  • COMPRESSION_ENABLED=n
  • CUSTOMIZE_ENC=n
  • CLIENT=clientname
  • PASS=1

If the server is behind NAT, you can specify its endpoint with the ENDPOINT variable. If the endpoint is the public IP address which it is behind, you can use ENDPOINT=$(curl -4 ifconfig.co) (the script will default to this). The endpoint can be an IPv4 or a domain.

Other variables can be set depending on your choice (encryption, compression). You can search for them in the installQuestions() function of the script.

Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.

The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.

Headless User Addition

It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the MENU_OPTION variable along with the remaining mandatory variables before invoking the script.

The following Bash script adds a new user foo to an existing OpenVPN configuration

#!/bin/bash
export MENU_OPTION="1"
export CLIENT="foo"
export PASS="1"
./openvpn-install.sh

Features

  • Installs and configures a ready-to-use OpenVPN server
  • Iptables rules and forwarding managed in a seamless way
  • If needed, the script can cleanly remove OpenVPN, including configuration and iptables rules
  • Customisable encryption settings, enhanced default settings (see Security and Encryption below)
  • OpenVPN 2.4 features, mainly encryption improvements (see Security and Encryption below)
  • Variety of DNS resolvers to be pushed to the clients
  • Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
  • Choice between TCP and UDP
  • NATed IPv6 support
  • Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise.
  • Unprivileged mode: run as nobody/nogroup
  • Block DNS leaks on Windows 10
  • Randomised server certificate name
  • Choice to protect clients with a password (private key encryption)
  • Many other little things!

Compatibility

The script supports these Linux distributions:

Support
AlmaLinux 8 βœ…
Amazon Linux 2 βœ…
Arch Linux βœ…
CentOS 7 βœ… πŸ€–
CentOS Stream >= 8 βœ… πŸ€–
Debian >= 10 βœ… πŸ€–
Fedora >= 35 βœ… πŸ€–
Oracle Linux 8 βœ…
Rocky Linux 8 βœ…
Ubuntu >= 18.04 βœ… πŸ€–

To be noted:

  • The script is regularly tested against the distributions marked with a πŸ€– only.
    • It's only test on amd64 architecture.
  • It should work on older versions such as Debian 8+, Ubuntu 16.04+ and previous Fedora releases. But versions not in the table above are not officially supported.
    • It should also support versions between the LTS versions, but these are not tested.
  • The script requires systemd.

Fork

This script is based on the great work of Nyr and its contributors.

Since 2016, the two scripts have diverged and are not alike anymore, especially under the hood. The main goal of the script was enhanced security. But since then, the script has been completely rewritten and a lot a features have been added. The script is only compatible with recent distributions though, so if you need to use a very old server or client, I advise using Nyr's script.

FAQ

More Q&A in FAQ.md.

Q: Which provider do you recommend?

A: I recommend these:

  • Vultr: Worldwide locations, IPv6 support, starting at $5/month
  • Hetzner: Germany, Finland and USA. IPv6, 20 TB of traffic, starting at 4.5€/month
  • Digital Ocean: Worldwide locations, IPv6 support, starting at $4/month

Q: Which OpenVPN client do you recommend?

A: If possible, an official OpenVPN 2.4 client.


Q: Am I safe from the NSA by using your script?

A: Please review your threat models. Even if this script has security in mind and uses state-of-the-art encryption, you shouldn't be using a VPN if you want to hide from the NSA.


Q: Is there an OpenVPN documentation?

A: Yes, please head to the OpenVPN Manual, which references all the options.


More Q&A in FAQ.md.

One-stop solutions for public cloud

Solutions that provision a ready to use OpenVPN server based on this script in one go are available for:

Contributing

Discuss changes

Please open an issue before submitting a PR if you want to discuss a change, especially if it's a big one.

Code formatting

We use shellcheck and shfmt to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration here.

Security and Encryption

Warning This has not been updated for OpenVPN 2.5 and later.

OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that.

OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, ECDH, AES GCM, NCP and tls-crypt.

If you want more information about an option mentioned below, head to the OpenVPN manual. It is very complete.

Most of OpenVPN's encryption-related stuff is managed by Easy-RSA. Defaults parameters are in the vars.example file.

Compression

By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.

However, it is discouraged to use compression since the VORACLE attack makes use of it.

TLS version

OpenVPN accepts TLS 1.0 by default, which is nearly 20 years old.

With tls-version-min 1.2 we enforce TLS 1.2, which the best protocol available currently for OpenVPN.

TLS 1.2 is supported since OpenVPN 2.3.3.

Certificate

OpenVPN uses an RSA certificate with a 2048 bits key by default.

OpenVPN 2.4 added support for ECDSA. Elliptic curve cryptography is faster, lighter and more secure.

This script provides:

  • ECDSA: prime256v1/secp384r1/secp521r1 curves
  • RSA: 2048/3072/4096 bits keys

It defaults to ECDSA with prime256v1.

OpenVPN uses SHA-256 as the signature hash by default, and so does the script. It provides no other choice as of now.

Data channel

By default, OpenVPN uses BF-CBC as the data channel cipher. Blowfish is an old (1993) and weak algorithm. Even the official OpenVPN documentation admits it.

The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.

Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details. Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.

OpenVPN's default cipher, BF-CBC, is affected by this attack.

Indeed, AES is today's standard. It's the fastest and more secure cipher available today. SEED and Camellia are not vulnerable to date but are slower than AES and relatively less trusted.

Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.

AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source: 1,2). Moreover, AES-256 is more vulnerable to Timing attacks.

AES-GCM is an AEAD cipher which means it simultaneously provides confidentiality, integrity, and authenticity assurances on the data.

The script supports the following ciphers:

  • AES-128-GCM
  • AES-192-GCM
  • AES-256-GCM
  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC

And defaults to AES-128-GCM.

OpenVPN 2.4 added a feature called "NCP": Negotiable Crypto Parameters. It means you can provide a cipher suite like with HTTPS. It is set to AES-256-GCM:AES-128-GCM by default and overrides the --cipher parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the --cipher and --ncp-cipher to the cipher chosen above.

Control channel

OpenVPN 2.4 will negotiate the best cipher available by default (e.g ECDHE+AES-256-GCM)

The script proposes the following options, depending on the certificate:

  • ECDSA:
    • TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
    • TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
  • RSA:
    • TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
    • TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

It defaults to TLS-ECDHE-*-WITH-AES-128-GCM-SHA256.

Diffie-Hellman key exchange

OpenVPN uses a 2048 bits DH key by default.

OpenVPN 2.4 added support for ECDH keys. Elliptic curve cryptography is faster, lighter and more secure.

Also, generating a classic DH keys can take a long, looong time. ECDH keys are ephemeral: they are generated on-the-fly.

The script provides the following options:

  • ECDH: prime256v1/secp384r1/secp521r1 curves
  • DH: 2048/3072/4096 bits keys

It defaults to prime256v1.

HMAC digest algorithm

From the OpenVPN wiki, about --auth:

Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.

If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.

The script provides the following choices:

  • SHA256
  • SHA384
  • SHA512

It defaults to SHA256.

tls-auth and tls-crypt

From the OpenVPN wiki, about tls-auth:

Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack.

In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.

About tls-crypt:

Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)

Encrypting (and authenticating) control channel packets:

  • provides more privacy by hiding the certificate used for the TLS connection,
  • makes it harder to identify OpenVPN traffic as such,
  • provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).

So both provide an additional layer of security and mitigate DoS attacks. They aren't used by default by OpenVPN.

tls-crypt is an OpenVPN 2.4 feature that provides encryption in addition to authentication (unlike tls-auth). It is more privacy-friendly.

The script supports both and uses tls-crypt by default.

Say thanks

You can say thanks if you want!

Credits & Licence

Many thanks to the contributors and Nyr's original work.

This project is under the MIT Licence

Star History

Star History Chart

More Repositories

1

wireguard-install

WireGuard VPN installer for Linux servers
Shell
5,660
star
2

nginx-autoinstall

Compile NGINX from source with custom modules and patches on Debian and Ubuntu
Shell
605
star
3

docker-pleroma

Docker image for the Pleroma federated social network
Elixir
328
star
4

feedbin-docker

Self-host your own Feedbin RSS reader in Docker
Dockerfile
213
star
5

awesome-stars

A curated list of my GitHub stars!
150
star
6

arch-linux-install

My Arch Linux installation notes
86
star
7

local-dns-resolver

Script to install a local Unbound DNS resolver on your Linux machine with DNSSEC support
Shell
77
star
8

ansible-roles

My Ansible roles for Debian/Ubuntu
67
star
9

awesome-lxc-lxd

A curated list of awesome LXC and LXD tools, libraries and related projects.
43
star
10

Casper-XYZ

Custom Ghost theme for my blog, based on Casper
CSS
37
star
11

ansible-restic

Ansible role for restic
Jinja
31
star
12

palette

Extract color palette from an image with k-means and k-NN // Project for the AI/ML class at Hanyang University
Python
30
star
13

firstfm-ios

The alternative last.fm client for iOS made with SwiftUI
Swift
26
star
14

gitlab-repo-dl

Mass repositories downloader for GitLab
Shell
25
star
15

ansible-wireguard

Ansible role for Wireguard - setup a mesh private network for your servers
Jinja
22
star
16

php-xdebug-docker

Debug PHP with Xdebug inside Docker. Tested with PhpStorm and VS Code.
Dockerfile
21
star
17

back-to-the-future

πŸš€ No more empty squares on your GitHub profile.
Shell
19
star
18

nixos-config

My NixOS configuration files
Nix
16
star
19

node-chat-app

A simple node chat app to train with socket.io
JavaScript
16
star
20

larafeed

Feed reader for the web, built with Laravel and Vue
PHP
14
star
21

docker-diaspora

A Docker image for the Diaspora* federated social network
Dockerfile
14
star
22

dockerfiles

Dockerfiles πŸ‹
Dockerfile
13
star
23

ansible-base

Ansible "base" role
Jinja
13
star
24

trakt-cli

A CLI for trakt.tv
Go
13
star
25

hiveway-fix

A chrome extension to fix Hiveway
JavaScript
13
star
26

GNU-Linux

Put RMS in your browser.
JavaScript
12
star
27

server-status

A little Bash script that checks if a server is up or down with ICMP, and sends a mail with status update.
Shell
12
star
28

ansible-php-fpm

Ansible role for PHP-FPM
11
star
29

youtube-dl-mp3

Simply convert a Youtube video into a .mp3 audio file using youtube-dl
Shell
11
star
30

sqlite3-c-examples

SQLite 3 examples in C
C
11
star
31

ansible-caddy

Ansible role for Caddy
Jinja
8
star
32

angristan

✨special ✨ repository
Python
8
star
33

firstfm-android

Android client for Last.fm written in Kotlin. School project.
Kotlin
7
star
34

OpenNIC-cli

Set the nearest OpenNIC servers as your DNS resolvers on you GNU/Linux machine
Shell
6
star
35

LinuxKernelBuild

Sccript to compile and install the Linux Kernel from source
Shell
6
star
36

docker-isso

Alpine-based docker image for the Isso Python commenting system
Dockerfile
6
star
37

AngristanRPiBot

Quelques scripts pour faire un bot Twitter en Python/Bash sur un Raspberry Pi.
Python
5
star
38

Cours-de-japonais

Fiches de japonais pour dΓ©butant (WIP)
5
star
39

docker-searx

Alpine-based Docker image for the Searx metasearch engine
Dockerfile
4
star
40

ansible-prometheus

Ansible role for Prometheus
Jinja
4
star
41

meetndo

Meetup website made with Ruby on Rails // Project for the Software Engineering class at Hanyang University
Ruby
4
star
42

s3-destroyer

Empty an S3 bucket as fast as possible πŸ’¨
Go
3
star
43

spark-project-esgi

Python
3
star
44

OpenVPN-install-old

OpenVPN installation script for Debian 8 - discontinued
Shell
3
star
45

electron-cat-poly-pdf

Electron app to draw polygons on a cat and export it to PDF
JavaScript
3
star
46

spotify-search-proxy

API that proxies Spotify's search API with cache
Go
3
star
47

ansible-docker

Ansible role for Debian and Docker
3
star
48

ansible-kibana

Ansible role for Kibana
Jinja
3
star
49

bsport-exporter

An exporter for bsport.io to track workouts sessions πŸ’ͺ
Go
3
star
50

ansible-node-exporter

Ansible role for Node exporter
Jinja
3
star
51

ai-assign-2

Assignment for the Introduction to Artificial Intelligence class at Hanyang University
Python
3
star
52

bsport-charts

Generate graphs to visualize Bsport sessions over time πŸ’ͺ
Go
3
star
53

docker-hastebin

Alpine-based Docker image for Hastebin, the node.js paste service
JavaScript
3
star
54

isso-to-disqus

This tool generates an Disqus-compatible WXR-like XML file from an Isso SQLite database file.
Python
3
star
55

docker-ghost

Alpine-based Docker image for the Ghost publishing platform
Dockerfile
3
star
56

openfoodfacts-api-c

Simple program to get product information from the Open Food Facts API, in C.
C
2
star
57

ansible-yarn

Ansible role to install Yarn
2
star
58

twitter-pic-bot

A very simple Ruby bot that tweets random pictures from a directory
Ruby
2
star
59

ansible-alertmanager

Ansible role for Prometheus Alertmanager
2
star
60

ansible-blackbox-exporter

Ansible role for Prometheus Blackbox exporter
2
star
61

sample-socket-io-server

Basic websocket server with node.js and socket.io
JavaScript
2
star
62

go-wallet-bdd-test

School assignment: Simple wallet using Behavior-driven development
Go
2
star
63

ansible-varnish

Simple Ansible role for Varnish on Debian/Ubuntu
2
star
64

advent-of-code-2021

Advent of Code 2021 with Go
Go
2
star
65

ansible-elasticsearch

Ansible role for Elasticsearch
Jinja
2
star
66

gist-stats-cron

1
star
67

node-weather-app

A basic CLI aysnc node weather app to train with promises
JavaScript
1
star
68

ansible-netdata

Simple Ansible role for Netdata
1
star
69

ansible-grafana

Ansible role for Grafana
1
star
70

julia-playground

Damn, Julia
Julia
1
star
71

java-ram-simulation

Java
1
star
72

ansible-postgres-exporter

Ansible role for postgres_exporter
Jinja
1
star
73

docker-riot

Alpine-based Docker images for Riot, the web Matrix client
Dockerfile
1
star
74

solid-library-kata

Go
1
star
75

ansible-powershell

Installs Powershell on Debian from the Microsoft APT repository
1
star
76

vuejs-hello-world

Discovering Vue
JavaScript
1
star
77

advent-of-code-2023

Go
1
star
78

ansible-redis

Ansible role for Redis
1
star
79

ansible-redis-exporter

Ansible role for redis-exporter
Jinja
1
star
80

ansible-zfs-auto-snapshot

zfs-auto-snapshot Ansible role
Shell
1
star
81

bitcoin-telegram-bot

Telegram bot that sends the BTC price every minute. (Assignment)
Python
1
star
82

bool2-crystal

Crystal
1
star
83

node-web-server

A simple node web server to train with express and handlebars
JavaScript
1
star