How to create an automated VPN system with a Telegram bot for issuing time-limited keys?
Hello. Could you please advise on how to create an automated VPN system where a Telegram bot would issue user keys for a specific period of time? I tried to set up OpenVPN but couldn’t figure out the configuration. If there are ready-made solutions or instructions for implementing such a system, please share the information.
Creating a Telegram VPN bot for issuing time-limited keys is easier than wrestling with raw OpenVPN configs—ready-made GitHub projects like rwlist/ovpn-bot or mopkob1/openvpntelegrambot handle the heavy lifting with Docker. These setups automate profile generation, expiry enforcement, and bot commands, turning your server into a full vpn bot telegram service in under an hour. You’ll get commands like /generate user1 7d spitting out OpenVPN keys that auto-expire, perfect for trial users or paid access.
Contents
- Telegram VPN Bot: Overview and Architecture
- Choosing Your VPN Protocol
- Provisioning the VPN Server with Docker
- Setting Up the Telegram Bot
- Key Generation and Bot Integration
- Handling Time-Limited Keys and Auto-Revocation
- Security, Logging, and Scaling Tips
- Monetization with Trials and Payments
- Sources
- Conclusion
Telegram VPN Bot: Overview and Architecture
Picture this: a user pings your Telegram VPN bot with /start, picks a plan, and boom—gets a config file or QR code valid for exactly 7 days. No manual cert juggling. That’s the core of a solid telegram vpn setup.
These systems typically split into three layers. First, the VPN server (OpenVPN, WireGuard, or something lighter like VLESS via Xray). Second, a management layer—either raw scripts or a panel like Marzban—for cranking out keys. Third, the Telegram bot itself, wired via API to create users, issue configs, and kill expired ones.
Why bother? Manual OpenVPN drove you nuts because it demands PKI setup, CRLs for revocation, and client.ovpn tweaks. Bots fix that. Projects like yarodya1/telegram-vpn-bot fork existing code to glue Marzban (a Shadowsocks/Xray panel) to Telegram, auto-issuing VLESS links. Others, like the Habr tutorial on Dockerized OpenVPN + bot, walk you through two containers: one for the VPN, one for the bot handling /newuser and /revoke.
It’s not rocket science. Spin up a VPS (Ubuntu 22.04 works great), Docker install, clone a repo, tweak .env, and you’re live. Users love it—search for “vpn бот тг” and you’ll see thousands hunting these monthly.
Choosing Your VPN Protocol
OpenVPN? It’s battle-tested, supports client certs with built-in expiry, and has killer bot integrations. But it’s heavier on CPU than WireGuard.
WireGuard shines for speed—minimal configs, QR-friendly. Bots like those in GitHub searches generate wg-quick files on demand. VLESS (via Xray or Outline) is stealthy, great for censorship dodge, and panels like Remna make key issuance trivial, as in refreakk/TelegramVPNBotRemna.
Stuck on OpenVPN from your try? Good choice for starters. rwlist/ovpn-bot uses the kylemanna/openvpn Docker image. It runs /init for server setup, then /generate name 30d for profiles with --expire. WireGuard? Swap to a wg-easy container.
Quick pick: OpenVPN if you need revocation lists. WireGuard for mobile-first. VLESS for “vpn through bot” invisibility.
| Protocol | Pros for Bots | Cons | Bot Readiness |
|---|---|---|---|
| OpenVPN | Expiry flags, CRL revoke | Heavier | High (ovpn-bot) |
| WireGuard | QR codes, fast gen | No native expiry | Medium |
| VLESS | Auto-keys via API | Panel-dependent | High (Marzban bots) |
Test one. You’ll iterate fast.
Provisioning the VPN Server with Docker
Docker makes this painless—no apt hell. Grab a VPS with 1GB RAM, open UDP 1194 (or TCP 443 for stealth).
For OpenVPN, clone mopkob1/openvpntelegrambot:
```bash
git clone https://github.com/mopkob1/openvpntelegrambot.git
cd openvpntelegrambot
cp .env.example .env
```
Edit .env: set HOSTNAME=your.domain.com, ADMIN_TELEGRAM_ID=your_chat_id. Then:
```bash
docker-compose up --build -d
./init.sh   # Builds PKI, CRL
```
That spins up openvpn-as (the community edition, not Access Server) and the bot container. Forward the port and open the firewall with ufw: ufw allow 1194/udp.
Marzban alternative from yarodya1/telegram-vpn-bot? Same flow, but adds Shadowsocks/VLESS:
```bash
git clone https://github.com/yarodya1/telegram-vpn-bot.git
cp env.dist .env && cp env.marzban.dist .env.marzban
docker-compose up -d
./refresh.sh   # Pulls certs, starts services
```
Your old OpenVPN woes? This abstracts them. No more easy-rsa dances.
Setting Up the Telegram Bot
Bots are free via BotFather. Message @BotFather on Telegram, /newbot, grab the token.
In your repo’s .env: BOT_TOKEN=123:ABC.... Webhook mode for production—secure, low overhead:
```bash
curl -F "url=https://your.domain.com/webhook" "https://api.telegram.org/bot${BOT_TOKEN}/setWebhook"
```
Polling works for dev. Commands? Repos pre-build them: /start, /generate, /status. Customize in bot.go or Python equivalent.
From rwlist/ovpn-bot README: Go-based, dead simple. Build: go build, run with env vars. It listens for /init (server setup) and user gens.
Habr’s guide nails it: post-init, wire webhook, test /newuser. Users get client.ovpn attachments.
Pro tip: Add inline keyboards for duration picks—1d, 7d, 30d. Makes it feel pro.
Key Generation and Bot Integration
Here’s the magic. Bot hears /generate alice 7d, calls VPN API/script.
In ovpn-bot: Internally runs ovpn_run --proto udp --port 1194 --expire 7d alice. Outputs .ovpn with embedded certs/keys.
Marzban bots hit REST API: POST /api/user with expiry timestamp. Response: VLESS URL or QR.
Code snippet (Python-ish, from patterns in repos):
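```python
import time

import requests

# Bot handler: `bot` is the Telegram bot client created elsewhere in the app
def generate_key(chat_id, duration_days):
    # The panel takes the expiry as a Unix timestamp
    user = {"username": f"user_{chat_id}", "expire": int(time.time()) + duration_days * 86400}
    resp = requests.post("http://marzban:8000/api/user", json=user, timeout=10)
    resp.raise_for_status()  # stop here if the panel rejected the request
    config = resp.json()["sub_url"]
    bot.send_document(chat_id, config.encode("utf-8"), caption="Your VPN key!")
```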
Attach as file or QR. Users import to OpenVPN Connect app.
Your config struggles? Bots serialize it all—remote, certs, keys—in one .ovpn blob.
Handling Time-Limited Keys and Auto-Revocation
Time limits kill abuse. Methods:
- Built-in expiry: OpenVPN --expire Nd. Profile dies client-side after N days.
- Short cert validity: ovpn_initpki --days 7. Bot revokes via CRL on access check.
- Cron cleanup: In mopkob1 repo, cron in container: ovpn_revoke expired_user; openvpn --genkey; docker exec push crl.pem.
Vc.ru case study adds auto-disable: poll panel API hourly, nuke expired subs.
Test: Generate 1h key, wait, ping server—should 401. Solid.
But what if users share? Rate-limit gens per chat_id. Log everything.
Security, Logging, and Scaling
Don’t skimp. HTTPS webhook: Certbot in Docker. Firewall: iptables drop all but 443/1194.
Env secrets: Docker secrets or .env ignored in git.
Logging: Bot to file, VPN to syslog. Prometheus? Overkill for start.
Scale: Multi-server? Central DB (SQLite/Postgres) tracks users. Load-balance bots.
Rate-limits: 1 gen/hour per user. Admin-only /revokeall.
Common pitfall: Expose admin ID securely. Use 2FA on the VPS.
Monetization with Trials and Payments
Free tier? Issue 1d key on /trial. Paid? Integrate YooKassa or CryptoBot.
From vc.ru: Trial QR, then auto-charge via Telegram Payments API. Panel tracks usage, cuts access.
Bot flow: /buy 30d → Inline pay button → Webhook confirms → Gen key.
GitHub bots lack payments; add them with the pyrogram or aiogram lib. Start free, monetize later.
Real services do 100s users/month this way. Yours could too.
Sources
- GitHub - yarodya1/telegram-vpn-bot
- GitHub - rwlist/ovpn-bot
- GitHub - mopkob1/openvpntelegrambot
- Habr - OpenVPN + Telegram bot in Docker
- vc.ru - Creating a Telegram VPN bot with auto-pay and trial
- GitHub - refreakk/TelegramVPNBotRemna
Conclusion
A Telegram VPN bot with time-limited keys transforms your setup from config nightmare to user-friendly service—pick ovpn-bot for OpenVPN quickstart or Marzban for VLESS scale. Deploy on Docker today, test expiry flows, and expand to payments. You’ll handle “vpn бот” demand like a pro, with keys that vanish on schedule. Questions on tweaks? Dive into those repos; they’re gold.
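Before /generate alice 7d reaches the script call described under Key Generation and Bot Integration, the name and duration need strict validation, because both end up on a command line. This is an added example, not code from ovpn-bot or the original answer: the naming policy, the 30d cap and the function names are assumptions, and the argv only mirrors the ovpn_run command quoted above.

```python
import re

USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{2,31}")  # assumed naming policy
DURATION_RE = re.compile(r"([1-9][0-9]{0,2})([hd])")
UNIT_SECONDS = {"h": 3600, "d": 86400}
MAX_SECONDS = 30 * 86400  # assumed cap: the longest plan on the page is 30d


class BadCommand(ValueError):
    """Raised for any message that is not a well-formed /generate command."""


def parse_generate(text):
    """Parse '/generate <name> <Nd|Nh>' into (name, duration_token, seconds)."""
    parts = text.split()
    # In group chats Telegram appends the bot name: /generate@my_vpn_bot
    if len(parts) != 3 or parts[0].split("@")[0] != "/generate":
        raise BadCommand("usage: /generate <name> <Nd|Nh>")
    _, name, duration = parts
    # Allowlist: starts with a letter, so it can never be read as an option
    if not USERNAME_RE.fullmatch(name):
        raise BadCommand("name must be 3-32 chars: a-z, 0-9, _ or -")
    match = DURATION_RE.fullmatch(duration)
    if not match:
        raise BadCommand("duration must look like 12h or 7d")
    seconds = int(match.group(1)) * UNIT_SECONDS[match.group(2)]
    if seconds > MAX_SECONDS:
        raise BadCommand("duration exceeds the 30d maximum")
    return name, duration, seconds


def build_argv(name, duration):
    """argv list for subprocess.run(argv) with no shell; flags copied from the page."""
    return ["ovpn_run", "--proto", "udp", "--port", "1194", "--expire", duration, name]
```

Pass the list straight to subprocess.run without shell=True, so the validated values are never re-parsed by a shell.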
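The per-chat_id rate limit (1 gen/hour) and the hourly "nuke expired subs" sweep from the time-limited-keys and security sections can share one small SQLite ledger. This is an added example, not code from any of the repos above or the original answer: the schema, the function names and the revoke callback are assumptions.

```python
import sqlite3
import time

RATE_LIMIT_SECONDS = 3600  # 1 gen/hour per chat_id, as suggested above

def open_ledger(path=":memory:"):
    """Create the issued-keys table (schema is an assumption for this example)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS issued ("
        " username TEXT PRIMARY KEY, chat_id INTEGER NOT NULL,"
        " issued_at INTEGER NOT NULL, expires_at INTEGER NOT NULL,"
        " revoked INTEGER NOT NULL DEFAULT 0)"
    )
    return db

def issue(db, chat_id, username, duration_s, now=None):
    """Record a new key; return its expiry, or None if chat_id is rate-limited."""
    now = int(time.time()) if now is None else now
    (last,) = db.execute(
        "SELECT MAX(issued_at) FROM issued WHERE chat_id = ?", (chat_id,)
    ).fetchone()
    if last is not None and now - last < RATE_LIMIT_SECONDS:
        return None
    with db:  # commits on success, rolls back on error
        db.execute(
            "INSERT INTO issued (username, chat_id, issued_at, expires_at)"
            " VALUES (?, ?, ?, ?)",
            (username, chat_id, now, now + duration_s),
        )
    return now + duration_s

def sweep_expired(db, revoke, now=None):
    """Run revoke(username) for each expired key; mark it revoked only on success."""
    now = int(time.time()) if now is None else now
    rows = db.execute(
        "SELECT username FROM issued WHERE revoked = 0 AND expires_at <= ?"
        " ORDER BY expires_at",
        (now,),
    ).fetchall()
    done = []
    for (username,) in rows:
        try:
            revoke(username)  # hypothetical callback: CRL revoke script or panel API
        except Exception:
            continue  # stays unrevoked, so the next sweep retries it
        with db:
            db.execute("UPDATE issued SET revoked = 1 WHERE username = ?", (username,))
        done.append(username)
    return done
```

Run sweep_expired from the hourly cron job; a key whose revocation failed stays in the result set of the next run instead of silently remaining valid.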