diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 0597fbc66..5fadddc86 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -1,58 +1,63 @@
 #!/bin/sh -e
 if ! deb-systemd-helper --quiet was-enabled salt-minion.service; then
     # Enables the unit on first installation, creates new
     # symlinks on upgrades if the unit file has changed.
     deb-systemd-helper disable salt-minion.service >/dev/null || true
 fi
 
 if [ -x "/etc/init.d/salt-minion" ]; then
     update-rc.d -f salt-minion remove >/dev/null
 fi
 
 # Add minion user for salt-minion
 if ! grep -q '^minion' /etc/passwd; then
     adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg --gecos "salt minion user" --shell /bin/vbash minion
     adduser --quiet minion frrvty
     adduser --quiet minion sudo
     adduser --quiet minion adm
     adduser --quiet minion dip
     adduser --quiet minion disk
     adduser --quiet minion users
 fi
 
+# OpenVPN should get its own user
+if ! grep -q '^openvpn' /etc/passwd; then
+    adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
+fi
+
 # Add RADIUS operator user for RADIUS authenticated users to map to
 if ! grep -q '^radius_user' /etc/passwd; then
     adduser --quiet --firstuid 1001 --disabled-login --ingroup users --gecos "radius user" --shell /bin/vbash radius_user
     adduser --quiet radius_user frrvty
     adduser --quiet radius_user vyattaop
     adduser --quiet radius_user operator
     adduser --quiet radius_user adm
     adduser --quiet radius_user dip
     adduser --quiet radius_user users
 fi
 
 # Add RADIUS admin user for RADIUS authenticated users to map to
 if ! grep -q '^radius_priv_user' /etc/passwd; then
     adduser --quiet --firstuid 1001 --disabled-login --ingroup vyattacfg --gecos "radius privileged user" --shell /bin/vbash radius_priv_user
     adduser --quiet radius_priv_user frrvty
     adduser --quiet radius_priv_user vyattacfg
     adduser --quiet radius_priv_user sudo
     adduser --quiet radius_priv_user adm
     adduser --quiet radius_priv_user dip
     adduser --quiet radius_priv_user disk
     adduser --quiet radius_priv_user users
 fi
 
 # add hostsd group for vyos-hostsd
 if ! grep -q '^hostsd' /etc/group; then
     addgroup --quiet --system hostsd
 fi
 
 # add dhcpd user for dhcp-server
 if ! grep -q '^dhcpd' /etc/passwd; then
     adduser --quiet --system --disabled-login --no-create-home --home /run/dhcp-server dhcpd
     adduser --quiet dhcpd hostsd
 fi
 
 # ensure hte proxy user has a proper shell
 chsh -s /bin/sh proxy