Easily deploy a secure OpenVPN server on Debian, Ubuntu, Fedora, CentOS, Arch Linux, Oracle Linux, Rocky Linux, and AlmaLinux with this automated script.

• Quick Setup: Configure your VPN server in seconds.
• Customizable Security: Enhanced encryption settings for maximum security.
• User Management: Easily add, remove, or manage clients.
• Multi-Platform: Compatible with various Linux distributions.
• Automated Headless Install: Fully automated installation for seamless deployment.

Note: Distributions marked with 🤖 are regularly tested.

curl -O https://raw.githubusercontent.com/AnonVM/OpenVPN-Installer/main/setup.sh
chmod +x setup.sh

sudo ./setup.sh

Follow the prompts to configure your VPN server.

After installation, rerun the script to:

• Add a Client
• Remove a Client
• Uninstall OpenVPN

Client configuration files (.ovpn) will be saved in your home directory. Use them with your preferred OpenVPN client.

You can automate the installation process:

AUTO_INSTALL=y ./setup.sh

Or set environment variables:

export AUTO_INSTALL=y
./setup.sh

Customizable options include:

• APPROVE_INSTALL=y
• APPROVE_IP=y
• IPV6_SUPPORT=n
• PORT_CHOICE=1
• PROTOCOL_CHOICE=1
• DNS=1
• COMPRESSION_ENABLED=n
• CUSTOMIZE_ENC=n
• CLIENT=clientname
• PASS=1

To set the server endpoint behind NAT:

ENDPOINT=$(curl -4 ifconfig.co)

For more customization, modify the installQuestions() function in the script.

To automate user addition:

#!/bin/bash
export MENU_OPTION="1"
export CLIENT="foo"
export PASS="1"
./setup.sh

OpenVPN defaults to strong encryption settings, further enhanced by this script:

• AES-GCM: Provides confidentiality, integrity, and authenticity.
• TLS 1.2: Enforced for optimal security.
• ECDSA: Default certificate type for efficiency and security.
• tls-crypt: Enabled by default for additional privacy and DoS protection.

• AnonVM: Privacy focused secure hostiing

• Windows: Official OpenVPN Community Client
• Linux: Use the openvpn package from your distribution. APT repository for Debian/Ubuntu
• macOS: Tunnelblick, Viscosity, OpenVPN for Mac
• Android: OpenVPN for Android
• iOS: OpenVPN Connect

No. Even though this script enhances security, if you're trying to hide from the NSA, a VPN may not be enough. Review your threat models carefully.

Refer to the OpenVPN Manual for detailed documentation on all options.

Open an issue to discuss significant changes before submitting a PR.

Warning: This section has not been updated for OpenVPN 2.5 and later.

• Default: Compression is disabled to prevent VORACLE attacks.
• Supported: LZ0 and LZ4 (v1/v2) algorithms, though not recommended.

• Default: TLS 1.2 enforced with tls-version-min 1.2.
• Support: TLS 1.2 is available since OpenVPN 2.3.3.

• Default: ECDSA with prime256v1 curve.
• Supported: ECDSA curves (prime256v1, secp384r1, secp521r1) and RSA keys (2048, 3072, 4096 bits).

• Default: AES-128-GCM.
• Supported Ciphers: AES-GCM and AES-CBC with varying key lengths.

• Default: TLS-ECDHE-* with AES-128-GCM and SHA256.
• Supported: Configurable based on certificate type (ECDSA or RSA).

• Default: ECDH with prime256v1.
• Supported: ECDH and classic DH keys.

• Default: SHA256.
• Supported: SHA256, SHA384, SHA512.

• Default: tls-crypt enabled for privacy and DoS protection.
• Supported: Both tls-auth and tls-crypt.