# Install openvpn with Homebrew, apk, chocolatey, apt, dnf, Nix, pacman, scoop, winget, zypper

SSL/TLS VPN implementing OSI layer 2 or 3 secure network extension. Version 2.7.5 via Homebrew; verified 2026-07-02.

## Install

```sh
sudo av install brew:openvpn
```

## Agent safety answer

openvpn controls VPN connectivity and can route agent traffic through private networks.

- **Credential access:** Reads VPN profiles, private keys, certificates, passwords, and auth files.
- **Remote mutation:** Primarily changes network reachability, not application data.
- **Publish/artifact risk:** Can expose private network access to downstream tools.
- **Recommended control:** Gate VPN start, config reads, and private-key handling.
- **Agent-use guidance:** Allow config validation; require approval before connecting or reading credential material.

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install openvpn
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add openvpn
```

  Evidence: Alpine Linux edge package indexes: openvpn from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install openvpn
```

  Evidence: Debian stable package indexes: openvpn from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install openvpn
```

  Evidence: Fedora Rawhide package metadata: openvpn from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#openvpn
```

  Evidence: nixpkgs package indexes: openvpn from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

- pacman (92%):

```sh
sudo pacman -S openvpn
```

  Evidence: Arch Linux sync databases: openvpn from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install openvpn
```

  Evidence: openSUSE Tumbleweed package metadata: openvpn from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Chocolatey (92%):

```sh
choco install openvpn
```

  Evidence: Chocolatey community package catalog: openvpn from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','openssh'

- Scoop (92%):

```sh
scoop install extras/openvpn
```

  Evidence: Scoop official bucket manifest trees: bucket/openvpn.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id OpenVPNTechnologies.OpenVPN -e
```

  Evidence: Windows Package Manager source index: OpenVPNTechnologies.OpenVPN from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:openvpn
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/openvpn>
- **Version:** 2.7.5
- **Source summary:** SSL/TLS VPN implementing OSI layer 2 or 3 secure network extension
- **Homepage:** <https://openvpn.net/community/>
- **Repository:** <https://github.com/OpenVPN/openvpn>
- **Upstream docs:** <https://openvpn.github.io/openvpn>
- **License:** GPL-2.0-only WITH openvpn-openssl-exception
- **Source archive:** <https://swupdate.openvpn.net/community/releases/openvpn-2.7.5.tar.gz>
- **Last updated:** 2026-07-02T16:40:57Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- openvpn (cli)
- openvpn (alias)

## Dependencies

- lz4
- lzo
- openssl@3
- pkcs11-helper

## Build dependencies

- pkgconf

## Install behavior

- Post-install hook: not defined
- Service: declared
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.7.5
- Package-manager updated: 2026-07-02
- Local data: ok
- Upstream repository: https://openvpn.net/community/
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

OpenVPN is a long-running open source VPN implementation built around SSL/TLS, TUN/TAP virtual network interfaces, and a single userspace daemon that can act as client or server. It became one of the default choices for self-hosted and commercial VPN deployments because it crossed operating-system, firewall, NAT, and package-manager boundaries better than many older VPN stacks.

### Project history

OpenVPN was created by James Yonan and traces its public history to 2001. The project chose a custom VPN protocol using SSL/TLS for key exchange and OpenSSL for cryptography rather than implementing IPsec, PPTP, or L2TP.

OpenVPN 1.x was mainly a point-to-point tool. OpenVPN 2.0 was the major architectural step: the official how-to and manual describe scalable multi-client TCP/UDP server mode, where many clients connect to a single server process and share one TUN or TAP interface.

The 2.x line added features that made OpenVPN practical in mixed networks: certificate-based TLS deployments, username/password authentication hooks, pushed routes and DNS options, management interfaces, plugins and scripts, IPv6 support, Windows service improvements, and continued crypto and platform updates.

### Adoption history

OpenVPN spread through Unix and Linux distributions, router firmware, VPN providers, and enterprise remote-access setups because it used ordinary TCP or UDP ports, worked through many NAT and firewall environments, and could be configured with plain text profile files. Package availability across Linux, BSD, macOS, Windows package managers, and router-oriented ecosystems made .ovpn profiles a portable operational artifact.

OpenVPN Inc. built commercial products such as Access Server and OpenVPN Connect around the open source Community Edition while continuing to support the community project. That split gave the protocol a dual life: a free daemon for administrators and a managed product line for organizations.

### How it is used

Operators use OpenVPN to build routed layer-3 VPNs with TUN devices, bridged layer-2 VPNs with TAP devices, site-to-site tunnels, road-warrior remote access, lab networks, router-based VPN clients, and compatibility endpoints for commercial VPN services. A typical deployment combines server and client configuration files, certificates or username/password credentials, route pushes, firewall rules, and system services.

Package users care about the single openvpn executable because it is both the client and the server. That keeps scripting, service supervision, and container use straightforward, while configuration complexity lives in profile files and PKI assets.

### Why package nerds care

OpenVPN is one of the canonical networking packages where packaging is operations: binaries, services, sample configs, plugin paths, systemd or launchd integration, certificate locations, and kernel TUN/TAP support all affect whether the package is usable.

Its long history also makes it a compatibility anchor. Even as WireGuard changed expectations for small VPN codebases, OpenVPN remains important for existing .ovpn profiles, mature server deployments, commercial-provider compatibility, and environments that need TLS-style transport flexibility.

### Timeline

- 2001: James Yonan releases the first OpenVPN versions.
- 2005: OpenVPN 2.0 establishes multi-client server mode as the core scalable deployment pattern.
- 2013-era 2.3 line: OpenVPN documentation notes complete IPv6 and PolarSSL support among 2.3 improvements.
- 2017-era 2.4 line: the project adds modern client/server negotiation features and continues improving Windows service behavior.
- 2020s: OpenVPN Community Edition continues through the 2.5, 2.6, and 2.7 lines while OpenVPN Inc. maintains commercial Access Server and OpenVPN Connect products around the protocol.

### Related projects

- OpenVPN is related to OpenVPN Access Server, OpenVPN Connect, EasyRSA, Tunnelblick, NetworkManager-openvpn, OpenWrt and other router firmware integrations, SoftEther VPN's OpenVPN protocol support, WireGuard, IPsec, and TLS libraries such as OpenSSL and mbed TLS.

### Sources

- <https://blog.openvpn.net/the-history-of-openvpn/>
- <https://community.openvpn.net/>
- <https://github.com/OpenVPN/openvpn>
- <https://openvpn.net/access-server-or-community/>
- <https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html>
- <https://openvpn.net/community-docs/how-to.html>
- <https://openvpn.net/community/>


## Security Notes

broad file, network, media, or database tool signal. formula declares a Homebrew service.

- **Geiger risk:** orange / medium
- broad file, network, media, or database tool signal
- formula declares a Homebrew service


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- macOS: ~/Library/Application Support/OpenVPN, ~/Library/Application Support/Tunnelblick/Configurations
- Unix: ~/.openvpn, $XDG_CONFIG_HOME/openvpn, ~/.config/openvpn

## Credential files

- macOS: ~/Library/Application Support/OpenVPN, ~/Library/Application Support/Tunnelblick/Configurations
- Unix: ~/.openvpn, $XDG_CONFIG_HOME/openvpn, ~/.config/openvpn
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** openvpn
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Debian apt - openvpn - 2.6.14-1+deb13u1: normalized package name match | Debian stable package indexes: openvpn from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | virtual private network daemon | https://openvpn.net/
- Nix - openvpn: normalized package name match | nixpkgs package indexes: openvpn from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix
- Ubuntu apt - openvpn - 2.6.9-1ubuntu4: normalized package name match | Ubuntu 24.04 LTS package indexes: openvpn from https://archive.ubuntu.com/ubuntu/dists/noble/main/binary-amd64/Packages.gz | virtual private network daemon | https://openvpn.net/
- apk - openvpn - 2.7.3-r0: normalized package name match | Alpine Linux edge package indexes: openvpn from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Robust, and highly configurable VPN (Virtual Private Network) | https://openvpn.net/
- apk - openvpn-auth-pam - 2.7.3-r0: normalized package name match | Alpine Linux edge package indexes: openvpn-auth-pam from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | OpenVPN plugin for PAM authentication | https://openvpn.net/
- apk - openvpn-dev - 2.7.3-r0: normalized package name match | Alpine Linux edge package indexes: openvpn-dev from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Robust, and highly configurable VPN (Virtual Private Network) (development files) | https://openvpn.net/
- apk - openvpn-doc - 2.7.3-r0: normalized package name match | Alpine Linux edge package indexes: openvpn-doc from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Robust, and highly configurable VPN (Virtual Private Network) (documentation) | https://openvpn.net/
- apk - openvpn-openrc - 2.7.3-r0: normalized package name match | Alpine Linux edge package indexes: openvpn-openrc from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Robust, and highly configurable VPN (Virtual Private Network) (OpenRC init scripts) | https://openvpn.net/
- dnf - openvpn - 2.7.4-1.fc45: normalized package name match | Fedora Rawhide package metadata: openvpn from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | A full-featured TLS VPN solution | https://community.openvpn.net/
- dnf - openvpn-devel - 2.7.4-1.fc45: normalized package name match | Fedora Rawhide package metadata: openvpn-devel from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Development headers and examples for OpenVPN plug-ins | https://community.openvpn.net/
- pacman - openvpn - 2.7.4-1: normalized package name match | Arch Linux sync databases: openvpn from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | An easy-to-use, robust and highly configurable VPN (Virtual Private Network) | https://openvpn.net/index.php/open-source.html
- zypper - openvpn - 2.6.14-2.3: normalized package name match | openSUSE Tumbleweed package metadata: openvpn from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Full-featured SSL VPN solution using a TUN/TAP Interface | https://openvpn.net/
- zypper - openvpn-auth-pam-plugin - 2.6.14-2.3: normalized package name match | openSUSE Tumbleweed package metadata: openvpn-auth-pam-plugin from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | OpenVPN auth-pam plugin | https://openvpn.net/
- zypper - openvpn-devel - 2.6.14-2.3: normalized package name match | openSUSE Tumbleweed package metadata: openvpn-devel from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | OpenVPN plugin header | https://openvpn.net/
- zypper - openvpn-down-root-plugin - 2.6.14-2.3: normalized package name match | openSUSE Tumbleweed package metadata: openvpn-down-root-plugin from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | OpenVPN down-root plugin | https://openvpn.net/
- Chocolatey - openvpn: normalized package name match | Chocolatey community package catalog: openvpn from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','openssh'


## Related links

- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [lz4](https://www.automicvault.com/pkg/brew/lz4/) - Runtime dependency declared by Homebrew.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [wireguard-tools](https://www.automicvault.com/pkg/brew/wireguard-tools/) - Shares av.db curated category or tags: cli, network-security, networking, tunneling, vpn.
- [dsvpn](https://www.automicvault.com/pkg/brew/dsvpn/) - Shares av.db curated category or tags: cli, networking, tunneling, vpn.
- [fastd](https://www.automicvault.com/pkg/brew/fastd/) - Shares av.db curated category or tags: cli, networking, tunneling, vpn.
- [onioncat](https://www.automicvault.com/pkg/brew/onioncat/) - Shares av.db curated category or tags: cli, networking, tunneling, vpn.
- [openfortivpn](https://www.automicvault.com/pkg/brew/openfortivpn/) - Shares av.db curated category or tags: cli, networking, tls, vpn.
- [openiked](https://www.automicvault.com/pkg/brew/openiked/) - Shares av.db curated category or tags: cli, network-security, networking, vpn.
- [sshuttle](https://www.automicvault.com/pkg/brew/sshuttle/) - Shares av.db curated category or tags: cli, networking, tunneling, vpn.
- [tinc](https://www.automicvault.com/pkg/brew/tinc/) - Shares av.db curated category or tags: cli, networking, tunneling, vpn.
- [pure-ftpd](https://www.automicvault.com/pkg/brew/pure-ftpd/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, networking, openssl, openssl-3, secure.

## Combined YAML source

View the package source record on GitHub. [combined/openvpn.yml](https://github.com/automic-vault/db/blob/main/combined/openvpn.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
- curated agent safety answer
