Installation
OpenVPN can be installed through package managers on most platforms or built from source for custom configurations. Choose the method that best fits your needs.
Linux
macOS
Windows
FreeBSD
OpenBSD
Debian/Ubuntu
Install from the official repositories:
sudo apt update
sudo apt install openvpn
Enable TUN/TAP driver
Load the TUN/TAP kernel module:
Enable IP forwarding for routing:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
The modprobe command needs to be run once per reboot. Most distributions handle this automatically when using package manager installations.
Red Hat/CentOS/Fedora
Install using yum or dnf:
# RHEL/CentOS 7
sudo yum install epel-release
sudo yum install openvpn
# RHEL/CentOS 8+ and Fedora
sudo dnf install openvpn
See the Fedora package repository for the latest versions.
Arch Linux
openSUSE
sudo zypper install openvpn
Gentoo
sudo emerge net-vpn/openvpn
Homebrew
Install OpenVPN using Homebrew:
The TUN/TAP driver is included and will be installed automatically.
Verify installation
Expected output:
OpenVPN 2.6.x x86_64-apple-darwin
library versions: OpenSSL 3.x.x, LZO 2.x
Windows installer
Download the community-provided Windows installer from: openvpn.net/community-downloads/
The installer includes:
OpenVPN executable and service
TAP-Windows adapter driver
GUI application for managing connections
dco-win driver for kernel acceleration (Windows 10 2004+/Windows Server 2022+)
You may need to selectively disable the Windows firewall for the TAP adapter after installation.
Configuration location
Place configuration files in:
C:\Program Files\OpenVPN\config\
On Windows, use double backslashes in configuration file paths:
"C:\\Program Files\\OpenVPN\\config\\ca.crt"
Using pkg
TUN/TAP driver
FreeBSD ships with the TUN/TAP driver built-in. Device nodes (tap0-tap3, tun0-tun3) are created by default. FreeBSD 14 includes the ovpn(4) driver for kernel-level OpenVPN acceleration (DCO), which OpenVPN 2.6+ will use automatically if available.
Using pkg_add
TUN device setup
OpenBSD dynamically creates TUN devices. Create an empty hostname file for each interface:
sudo touch /etc/hostname.tun0
sudo touch /etc/hostname.tun1
This creates the devices at boot time.
Build from source
Building from source gives you the latest features and allows custom configuration options.
Download source code
Download the latest release:
wget https://openvpn.net/community-downloads/openvpn-2.6.x.tar.gz
tar -zxf openvpn-2.6.x.tar.gz
cd openvpn-2.6.x
Or clone from the Git repository:
git clone https://github.com/OpenVPN/openvpn
cd openvpn
git checkout release/2.6
Install build dependencies
Debian/Ubuntu
sudo apt install build-essential libssl-dev liblzo2-dev \
    liblz4-dev libpam0g-dev libnl-genl-3-dev libcap-ng-dev
RHEL/CentOS/Fedora
sudo dnf install gcc make openssl-devel lzo-devel lz4-devel \
    pam-devel libnl3-devel libcap-ng-devel
macOS
brew install openssl lzo lz4
OpenSSL 1.1.0 or higher is required. Alternatively, you can use mbed TLS 2.0 or higher.
Configure build options
From a release tarball:
From Git repository checkout:
autoreconf -i -v -f
./configure
View all configuration options:
Example with custom OpenSSL location:
./configure OPENSSL_CFLAGS="-I/usr/local/include" \
    OPENSSL_LIBS="-L/usr/local/lib -lssl -lcrypto"
Compile and install
By default, this installs to /usr/local/sbin/openvpn.
Verify installation
Expected output:
OpenVPN 2.6.x x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 3.0.x, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2025 OpenVPN Inc <[email protected] >
Test the installation
Verify that OpenVPN is working correctly with these basic tests:
Test crypto functionality
Generate a test key and verify crypto operations:
openvpn --genkey secret key
openvpn --test-crypto --secret key
Expected output:
Test SSL/TLS negotiations (optional)
Run a loopback test using sample configurations (runs for 2 minutes):
Terminal 1:
openvpn --config sample/sample-config-files/loopback-server
Terminal 2 (simultaneously):
openvpn --config sample/sample-config-files/loopback-client
This test uses insecure sample certificates and should only be used for testing.
Install Easy-RSA
For managing SSL/TLS certificates, install the Easy-RSA toolkit:
git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
Easy-RSA provides scripts for generating and managing:
Certificate Authority (CA)
Server certificates and keys
Client certificates and keys
Diffie-Hellman parameters
Many package managers also provide Easy-RSA as a separate package: apt install easy-rsa or brew install easy-rsa
Next steps
Quick start guide: Set up your first VPN connection
Configuration examples: Explore sample configurations for various scenarios
System requirements reference
Before installation, ensure your system meets these requirements:
Component: Requirement
TUN/TAP driver: User-space control of virtual point-to-point IP or Ethernet device
Crypto library: OpenSSL 1.1.0+ or mbed TLS 2.0+
Linux only: libnl-gen for kernel netlink support
Linux only: libcap-ng for capability handling
Optional: LZO library for compression
Optional: LZ4 library for compression
Troubleshooting
On Linux, load the module:
sudo modprobe tun
lsmod | grep tun
Verify the device exists:
OpenVPN requires root privileges to create TUN/TAP devices. Run with sudo:
sudo openvpn --config client.conf
For production, consider dropping privileges after initialization by adding these directives to the configuration file:
user openvpn
group openvpn
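One way to check that a configuration actually drops privileges, as an added example that is not part of the original page or the OpenVPN project. check_priv_drop is a hypothetical helper, the sample configs are constructed, and the persist-key/persist-tun warning reflects the OpenVPN 2.6 manual rather than this page.

```shell
#!/bin/sh
# Added example: lint an OpenVPN config for the privilege-drop directives.
# check_priv_drop is a hypothetical helper name, not an OpenVPN tool.

# check_priv_drop FILE: returns 0 when both `user` and `group` are set to a
# non-root account; prints one finding per line and returns 1 otherwise.
check_priv_drop() {
    awk '
        /^[ \t]*[#;]/       { next }        # "#" and ";" start comment lines
        $1 == "user"        { user = $2 }   # a later directive overrides
        $1 == "group"       { group = $2 }
        $1 == "persist-key" { pkey = 1 }
        $1 == "persist-tun" { ptun = 1 }
        END {
            if (user == "" || user == "root") {
                print "FAIL: user is " (user == "" ? "unset" : user); rc = 1
            }
            if (group == "" || group == "root") {
                print "FAIL: group is " (group == "" ? "unset" : group); rc = 1
            }
            # After the drop, a SIGUSR1 restart cannot re-read root-owned keys
            # or reopen the TUN device unless both are kept open.
            if (!rc && !(pkey && ptun))
                print "WARN: no persist-key/persist-tun; restarts may fail"
            exit rc + 0
        }' "$1"
}

# Constructed sample configs (not taken from the page).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'dev tun' '# user openvpn' 'proto udp' > "$tmp/root.conf"
printf '%s\n' 'dev tun' 'user openvpn' 'group openvpn' \
              'persist-key' 'persist-tun' > "$tmp/dropped.conf"

check_priv_drop "$tmp/root.conf" || echo "root.conf: keeps root privileges"
check_priv_drop "$tmp/dropped.conf" && echo "dropped.conf: privileges dropped"
```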
Check your OpenSSL version:
OpenVPN 2.6 requires OpenSSL 1.1.0 or higher. Upgrade if necessary:
# Debian/Ubuntu
sudo apt install libssl-dev
# RHEL/CentOS/Fedora
sudo dnf install openssl-devel
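The version checks described under "Verify installation" and in the OpenSSL troubleshooting step can be scripted. This is an added example, not part of the original page or the OpenVPN project: the function names and sample banners are constructed, and the "mbed TLS <version>" banner format is an assumption.

```shell
#!/bin/sh
# Added example: check an `openvpn --version` banner against the minimums
# stated on this page (OpenSSL 1.1.0+ or mbed TLS 2.0+).

# version_ge A B: succeeds when dotted version A >= B. Suffixes ("2k") and
# placeholders ("x") compare as their numeric prefix, or 0 if there is none.
version_ge() {
    local a="$1" b="$2" n=0 x y
    while [ "$n" -lt 3 ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
        n=$((n + 1))
    done
    return 0
}

# check_banner TEXT: returns 0 if the crypto library meets the minimum,
# 1 if it is too old, 2 if the banner cannot be parsed.
check_banner() {
    local libs lib ver min
    libs=$(printf '%s\n' "$1" | grep -i '^library versions:') || {
        echo "FAIL: no 'library versions:' line"; return 2; }
    case $libs in
        *"OpenSSL "*)  lib="OpenSSL";  min=1.1.0; ver=${libs#*"OpenSSL "} ;;
        *"mbed TLS "*) lib="mbed TLS"; min=2.0;   ver=${libs#*"mbed TLS "} ;;
        *) echo "FAIL: unrecognised crypto library: $libs"; return 2 ;;
    esac
    ver=${ver%%[, ]*}    # keep the version token, drop build date and ", LZO ..."
    if version_ge "$ver" "$min"; then
        echo "OK: $lib $ver meets the $min minimum"
    else
        echo "FAIL: $lib $ver is older than $min"; return 1
    fi
    case $1 in *"[AEAD]"*) ;; *) echo "WARN: banner has no [AEAD] flag" ;; esac
    return 0
}

# Constructed sample banners: the first follows the page's expected output.
SAMPLE_OK='OpenVPN 2.6.x x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 3.0.x, LZO 2.10'
SAMPLE_OLD='OpenVPN 2.4.x x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]
library versions: OpenSSL 1.0.2k, LZO 2.06'

check_banner "$SAMPLE_OK"
check_banner "$SAMPLE_OLD" || echo "(exit status $?)"
```

On an installed system, pass the real banner with check_banner "$(openvpn --version)".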