How To Run OpenVPN Automatically On Debian With A Static IP Address

When you’re running a VPN connection, it’s usually most reliable to run OpenVPN as a service. Somewhat strangely, it’s not that easy to do on Debian when you’re working with a static IP address.

Several systems are in conflict, and it takes a bit of extra care to straighten things out. This guide explains exactly how to set this up reliably.

In this tutorial you will learn:

  • How to Install OpenVPN and Resolvconf on Debian.
  • How to Disable NetworkManager.
  • How to Configure Your Static IP.
  • How to Configure OpenVPN.

OpenVPN Client as a Service on Debian.

OpenVPN Client as a Service on Debian.

Software Requirements and Conventions Used

Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Debian Stable, Testing, or Sid
Software OpenVPN, Resolvconf
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user

How to Install OpenVPN and Resolvconf

There are a couple of components that you’ll need to get this all set up. Obviously, you’re going to need OpenVPN, but you’re also going to need Resolvconf. It’s a dedicated service that automatically updates the resolv.conf file. Normally, it will work in conjunction with your network interfaces configuration, but OpenVPN also comes with scripts that utilize it to work with your VPN’s DNS.

Start off by installing both OpenVPN and Resolvconf on your system. They’re both available in the default Debian repositories, so you can just grab them with Apt.

$ sudo apt install openvpn resolvconf

How to Disable NetworkManager

Disable NetworkManager on Debian

Disable NetworkManager on Debian.

Unless you’re running a minimal or headless Debian install, NetworkManager is going to be running your network connections by default. That’s usually a good thing, but if you’re looking to use a static IP address, NetworkManager can be a major pain.

NetworkManager will get in the way of your static IP configuration, and it absolutely will screw up your DNS. The best thing that you can do is stop and disable it. Before you shut down NetworkManager, make sure that you have your OpenVPN configuration files from your provider.

$ sudo systemctl stop NetworkManager
$ sudo systemctl disable NetworkManager

How to Configure Your Static IP

You can now start to set up your static IP configuration. You actually don’t need to use a static IP for this to work. If you want to keep on using DHCP, you can leave this part out.

Configure a Static IP on Debian

Configure a Static IP on Debian.

To use a static IP, open up /etc/network/interfaces with your text editor of choice. On the first line, you’ll see auto lo. Add your current network interface to that line. You can find it by running ip a, if you aren’t sure.

Toward the bottom of the file, you’ll see a line like the one below. Substitute your own interface and change dhcp to static.

iface eth0 inet dhcp


iface eth0 inet static

Below that, you’ll need to set up the following lines to match your network connection. Indent each one with four spaces.


The dns-nameservers line is where you can specify the nameservers that you want to use when not connected to your VPN. These are the servers that will also be used to establish the connection to the VPN. You can use external DNS, point it at your router, or use something like DNSCrypt.

How to Configure OpenVPN

Now, you’re ready to move on to OpenVPN. Copy the OpenVPN configuration from your VPN provider into /etc/openvpn. In order to make everything automatic, there are a couple of modifications that you’ll need to make. First, create another file in the OpenVPN folder called, auth.txt. Inside that file, put your VPN username on the first line and your password on the second one.

OpenVPN Client Configuration Service on Debian

OpenVPN Client Configuration on Debian.

Open your VPN configuration file. Locate the line auth-user-pass, and append auth.txt to the end of it, so it looks like, auth-user-pass auth.txt.

Toward the bottom of the file, before the keys, add in the following three lines to make OpenVPN update your nameservers when it starts and exits.

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Save the file and exit. Speaking of that file, it’s a good idea to rename it to something simple and easily identifiable. Leave on the .conf extension, though.

OpenVPN Client Defaults on Debian

OpenVPN Client Defaults on Debian.

There’s one more file that you need to edit. It controls which configurations OpenVPN starts by default. With your text editor, open up /etc/default/openvpn. Towards the top of the file, you’ll find several commented lines that begin with AUTOSTART. Uncomment one, and edit it contain the name of your OpenVPN configuration file without the .conf extension.


When you’re done, save the file and close it.

Double-check all of your configurations, and restart your computer. If everything lines up, it’ll boot up and immediately connect to your VPN. You can check that everything is working properly with the extended test on DNSLeakTest. You should only see your VPN’s IP and DNS.


Your Debian system should now be configured to use OpenVPN as a service on start-up. More importantly, though, it should be using the correct DNS to prevent leaks and other DNS related problems. Whenever you start up or shut down OpenVPN, your computer will toggle between your VPN’s DNS servers and the ones you configured during the static IP setup.