wiki:OpenvpnSoftwareRepos

Introduction

This page contains instructions for using OpenVPN project's own software repositories. For a list of unofficial repositories please refer to the Unofficial OpenVPN software repositories page.

For OpenVPN 3 Linux, see the dedicated OpenVPN 3 Linux page.

Latest OpenVPN releases are available in the OpenVPN project's apt repositories. This allow you to use more up-to-date version of OpenVPN than what is typically available in your distribution's repositories. Please note that all commands listed below have to be run as root, e.g. using sudo or su.

Pre-built Linux binaries are only available for Debian and Ubuntu. This is so for two reasons:

  • Official Debian and Ubuntu repositories tend to have fairly old OpenVPN versions available
  • The Fedora and Fedora EPEL provides fairly up-to-date OpenVPN releases for supported Fedora and Red Hat Enterprise Linux (including clones such as CentOS, Scientific Linux) releases.

All packages are available in amd64/x86_64 flavours. Additionally, arm64/aarch64 flavours might be available for newer distributions and i386 flavour might be available for older distributions. Even if a package is built on a particular OS, it does not mean it won't work on older and/or newer versions of the same distro, or even on a different operating system. If you encountered any issues with the package, please file a new bug report.

CentOS / Fedora / Red Hat Enterprise Linux

There are two alternatives here for OpenVPN packages. Fedora carries are reasonably up-to-date release in the main repositories. For CentOS and Red Hat Enterprise Linux (RHEL) the Fedora EPEL repositories which contains the last OpenVPN releases when the distribution was released. All of these packages are considered to be stable for enterprise usage and will essentially just get bug and security fixes during the lifetime of the distribution. OpenVPN major releases will only be added to the next Fedora release.

To get newer releases than the main Fedora and EPEL repositories provides, consider using the OpenVPN packages from the Fedora Copr repository. The Copr repository will always have the latest OpenVPN releases available.

Using Fedora EPEL (CentOS / RHEL)

Ensure you have the Fedora EPEL repository enabled. CentOS users may do this easily by installing the epel-release package via yum install. Red Hat Enterprise Linux users need to install this package manually, as described in the Fedora EPEL wiki page. Then just run yum install openvpn.

Using Fedora Copr

CentOS/RHEL users: Ensure you have the yum-plugin-copr package installed (can be installed via yum).

Then run these commands:

    [root@host:~]# yum copr enable dsommers/openvpn-release-2.6   # for OpenVPN 2.6 releases
    [root@host:~]# yum copr enable dsommers/openvpn-release       # for OpenVPN 2.5 releases
    ...
    [root@host:~]# yum install openvpn

The dsommers/openvpn-release-2.6 Copr repository currently contains the latest stable OpenVPN release.

The dsommers/openvpn-release Copr repository contains the latest 2.5.x OpenVPN release. For new installations it is recommended to use the 2.6.x release, 2.5.x releases are only provided for a short period to give users some time to migrate to 2.6. For details see SupportedVersions.

To test OpenVPN beta releases, the dsommers/openvpn-beta Copr repository contains builds for all recent Fedora, Red hat Enterprise Linux and CentOS/CentOS Stream releases.

There are also nightly builds of the master branch available in dsommers/openvpn-git Copr repository. Testing welcome but not intended for production use!

If you have OpenVPN already installed, it will be upgraded to the latest available version.

Data Channel Offload support (DCO)

The Data Channel Offload support is available in OpenVPN 2.6 beta releases and newer and in OpenVPN 3 Linux. The needed Linux kernel module is available for Fedora and Red Hat Enterprise Linux 8 and newer. To get the needed kmod-ovpn-dco package, the dsommers/openvpn3 Copr repository need to be enabled as well.

Debian / Ubuntu: Using OpenVPN apt repositories

We maintain several OpenVPN (OSS) software repositories. To setup the repositories you need to change to the root user. Typically this is done using sudo:

$ sudo -s

Then import the public GPG key that is used to sign the packages:

# mkdir -p /etc/apt/keyrings # directory does not exist on older releases
# curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | gpg --dearmor > /etc/apt/keyrings/openvpn-repo-public.gpg

Next you need to create a sources.list fragment (as root) so that apt can find the new OpenVPN packages. One way to do it is this:

# echo "deb [arch=<arch> signed-by=/etc/apt/keyrings/openvpn-repo-public.gpg] https://build.openvpn.net/debian/openvpn/<version> <osrelease> main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

Where <arch> can be one of

  1. amd64
  2. arm64

Where <version> can be one of

  1. stable: stable releases only - no alphas, betas or RCs
  2. testing: latest releases, including alphas/betas/RCs
  3. release/2.3: OpenVPN 2.3 releases
  4. release/2.4: OpenVPN 2.4 releases, including alphas/betas/RCs
  5. release/2.5: OpenVPN 2.5 releases, including alphas/betas/RCs
  6. release/2.6: OpenVPN 2.6 releases, including alphas/betas/RCs

and <osrelease> depends your distribution:

  • buster (Debian 10.x)
  • bullseye (Debian 11.x)
  • bookworm (Debian 12.x)
  • focal (Ubuntu 20.04 LTS)
  • jammy (Ubuntu 22.04 LTS)
  • noble (Ubuntu 24.04 LTS)

This list may be incomplete. Please check the repository web page for the complete list of releases.

Examples:

# Always get the latest package, even Beta versions
# echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/openvpn-repo-public.gpg] http://build.openvpn.net/debian/openvpn/testing jammy main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
# Only get a specific version, do not upgrade to newer major version automatically
# echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/openvpn-repo-public.gpg] http://build.openvpn.net/debian/openvpn/release/2.6 bullseye main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

Now you're set for installing OpenVPN. Note that packages built for older operating system releases might work just fine on newer release of the same operating system.

Installing OpenVPN

On Debian/Ubuntu use

$ apt-get update && apt-get install openvpn

To additionally install the DCO kernel driver use

$ apt-get install openvpn-dco-dkms

Notes on expired keys

If the apt signing key expires, apt will complain when refreshing the package cache (e.g. apt-get update). In that case just download the key again as described above.

Debian Snapshot Builds

Debian snapshot development builds are available as well. To use them:

# mkdir -p /etc/apt/keyrings # directory does not exist on older Debian/Ubuntu releases
# curl -fsSL https://build.openvpn.net/debian/snapshots/snapshots-key.asc > /etc/apt/keyrings/openvpn-repo-snapshots.asc
# echo "deb [signed-by=/etc/apt/keyrings/openvpn-repo-snapshots.asc] https://build.openvpn.net/debian/snapshots/<osrelease> <osrelease> main" > /etc/apt/sources.list.d/openvpn-snapshots.list
# apt-get install openvpn

To test a specific build with a specific patch you might need to install a specific snapshot build. You can do this with apt by providing the exact version to install:

# apt-get install openvpn=2.7-1719406367

See https://build.openvpn.net/debian/snapshots/ for a current list of valid osrelease values. Only amd64 snapshot builds are available currently.

Note that these are intended to provide an easy way to test patches or latest master, not for production use. If you notice any problems, let us know!

Last modified 5 months ago Last modified on 06/26/24 16:03:21