01 // The 30-second answer

You want a Pterodactyl panel running. You do not want to copy-paste 80 commands. You want a one-liner that handles dependencies, the database, the web server, SSL, and Wings, and gets you to the login screen.

That one-liner exists, and it is maintained by the pterodactyl-installer GitHub organisation. On a fresh Ubuntu 22.04 or 24.04 LTS VPS, run:

bash <(curl -s https://pterodactyl-installer.se)

Choose option 0 (Panel only), 1 (Wings only), or 2 (both on one node). Answer the prompts. Wait 8–15 minutes. Done.

That is the answer. The rest of this guide explains why you should read the script before running it, which forks are trustworthy, what to do when it fails, and the eight things you must still do manually after it finishes — because the script does not harden anything for you.

If you would rather follow each step by hand and understand every command, see our comprehensive Pterodactyl setup guide instead. If you are comparing panel options, our Pterodactyl vs Pelican comparison covers the 2026 fork-vs-original decision.

02 // Should you trust an install script at all?

Every guide on the internet skips this question. They drop a bash <(curl -s ...) one-liner and move on. That is irresponsible, because what you are actually doing is downloading code from the internet and executing it as root, sight unseen.

Here is the honest assessment of the risk:

  • The script itself is not the problem. The pterodactyl-installer organisation is well-known, the source is on GitHub with hundreds of contributors, and it has been audited countless times by the community.
  • The pattern is the problem. If pterodactyl-installer.se is ever compromised, or if a man-in-the-middle attack hits the HTTPS connection (rare, but not zero), you will run hostile code as root on a fresh VPS that probably has SSH keys for your other servers cached in ~/.ssh.
  • The mitigation is 30 seconds of work. Open the script source on GitHub. Skim it. The actual installation logic lives in install.sh and the per-component scripts under installers/. You do not need to understand every line — you need to confirm it is doing what you expect (apt installs, MySQL config, Nginx vhost, Lets Encrypt) and not, for example, exfiltrating data to an unknown URL.

Once you have read the source once, you can run the one-liner with confidence. The point is not paranoia — the point is that blind trust at root level is the actual security risk, not the install script itself. The same logic applies to every bash <(curl ...) you encounter.

For the broader security picture once the panel is running, see our Pterodactyl security hardening guide — it has a 20-row audit checklist that catches the things the install script will not.

03 // The community scripts compared

There is more than one Pterodactyl install script floating around. Here is what is actually on the SERP in 2026, and which to use:

ScriptMaintained?Wings included?Recommended?
pterodactyl-installer (official org)Yes — activeYes (option 1 or 2)Yes — this one
VilhelmPrytz forkArchived — redirects to org aboven/aUse the org version, not the personal fork
guldkage/Pterodactyl-InstallerYesYesWorkable alternative, smaller community
Random Pastebin / Discord scriptsUnknownUnknownNo. Never run these.
Hosting provider one-click installersVendor-maintainedUsuallyFine if you trust the vendor; you lose flexibility

Use the official pterodactyl-installer organisation. The pterodactyl-installer.se domain is the convenience redirect to the latest install.sh in that repo. Anything else — especially scripts copy-pasted from random tutorials — is a security gamble.

Before you run anything, your VPS should look like this:

  • Fresh Ubuntu 22.04 LTS or 24.04 LTS (Debian 11/12 also supported but less battle-tested)
  • 2GB RAM minimum (4GB recommended), 2 vCPU, 25GB disk
  • A domain or subdomain with an A record pointing to the VPS public IP — verify with dig +short panel.yourdomain.com before running the script, or Lets Encrypt will fail
  • Root SSH access (or a sudo user; the script will prompt for sudo)
  • Port 80, 443, 8080, and 2022 open in your provider firewall

If you do not have a VPS yet, our Hostinger KVM VPS review covers the cheapest viable option (KVM 2 at ~€7/month with 8GB RAM is the sweet spot for a Panel + Wings node hosting up to 10–15 game servers).

Now SSH in as root and run:

apt update && apt upgrade -y
bash <(curl -s https://pterodactyl-installer.se)

Here is what each part of the second line does:

  • curl -s https://pterodactyl-installer.se — downloads the latest install.sh silently from the convenience redirect (which points at the GitHub raw URL of the official org).
  • <(...) — bash process substitution. The script content becomes a temporary file descriptor.
  • bash — executes the script. Process substitution is preferred over curl ... | bash because the latter has been shown to be vulnerable to slow-loris-style server-side attacks where the server can detect it is piping to bash and serve different content than what you would have seen in a browser.

You will then see an interactive menu. Answer:

  • Component: 0 Panel, 1 Wings, or 2 both. Choose 2 for a single-node home setup.
  • FQDN: the domain you set the A record on, e.g. panel.yourdomain.com.
  • MySQL credentials: the script generates strong defaults; accept them or override.
  • Admin user: your panel login username, email, and password.
  • Lets Encrypt email: a real email you control (used for cert renewal warnings).
  • Timezone: your local timezone (e.g. Europe/Berlin) for log timestamps.

The script will then chew through ~12–15 minutes of apt install, composer install, MySQL setup, Nginx vhost generation, and Lets Encrypt cert issuance. When it finishes, you can log in at https://panel.yourdomain.com.

05 // Pelican has no install script — and that is by design

If you have read our Pterodactyl vs Pelican comparison, you know Pelican is the maintained 2026 fork. A reasonable next question is: does Pelican have its own one-line install script?

No, deliberately not. The Pelican team chose a different approach: a guided web installer that runs in your browser. You install the Pelican CLI tool, run pelican-installer, and walk through configuration via a UI rather than answering CLI prompts.

Why does this matter for the install-script decision?

  • If you want speed: the Pterodactyl one-liner is faster (10–15 minutes vs ~20 minutes for the Pelican guided installer).
  • If you want auditability: the Pelican web installer is harder to MITM (you are inspecting and approving each step in a UI rather than executing whatever a remote URL serves).
  • If you want to script it: Pterodactyl wins clearly — you can drop the one-liner into a Terraform provisioner or a Cloud-Init script for fully automated VPS provisioning. Pelican’s GUI-first model is harder to automate.

For most home users the speed difference is irrelevant. Pick your panel based on the comparison criteria that matter (community size, ecosystem, update cadence) — not on whether a one-liner exists.

06 // Common errors and how to debug them

Roughly 30 percent of first-time install attempts fail somewhere. Here are the failures I see most often in community Discord channels and how to fix each:

Error: Lets Encrypt failed / Failed authorization procedure

Cause: the FQDN you gave the script does not yet resolve to your VPS public IP. Lets Encrypt cannot validate ownership.

Fix: exit the script, run dig +short panel.yourdomain.com on the VPS, confirm it returns the VPS public IP. If not, fix the A record at your DNS provider and wait 5 minutes for propagation. Re-run the script.

Error: Composer killed or Out of memory

Cause: Composer needs ~512MB peak to install Panel dependencies. On a 1GB VPS with no swap, the kernel OOM-killer murders it mid-install.

Fix: add a 2GB swap file before re-running:

fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab

Error: MySQL ERROR 1045: Access denied

Cause: a previous failed install left a partial MariaDB config with credentials the script does not know about.

Fix: purge MariaDB completely and re-run:

apt purge mariadb-server mariadb-client mariadb-common -y
rm -rf /etc/mysql /var/lib/mysql
apt autoremove -y

Error: Wings starts but panel shows node as offline

Cause: firewall blocking port 8080 (Wings API) or 2022 (Wings SFTP), or the panel-generated config in /etc/pterodactyl/config.yml has the wrong panel URL.

Fix: check ufw status and ensure 8080/tcp and 2022/tcp are allowed. Then check Wings logs with journalctl -u wings -n 100 for the actual error. If the config file is wrong, regenerate it from the Panel UI (Admin → Nodes → your node → Configuration tab → copy the YAML).

Error: The script appears to have stalled at "npm install"

Cause: npm is slow on small VPS, especially if the registry has rate-limited your IP.

Fix: wait. It can take 5–8 minutes on a 2 vCPU box. If it is still hanging after 15 minutes, check htop in another SSH session — if no node process is running, kill the script and re-run with npm config set fetch-retries 5 first.

For deeper debugging, the script logs to /var/log/pterodactyl-installer.log. Always read the last 50 lines (tail -n 50 /var/log/pterodactyl-installer.log) before giving up.

07 // After the script: 8 things you must do manually

The install script is a great deal — but it does not harden anything. It runs the components and configures them with sensible defaults. Production-grade security is your job. These are the eight things you must do before exposing the panel to the internet seriously:

  1. Enable the firewall. The script does not configure UFW. Run: ufw allow 22 && ufw allow 80 && ufw allow 443 && ufw allow 8080 && ufw allow 2022 && ufw enable. Block everything else.
  2. Set up 2FA on the admin account. Log in → Account Settings → Two-Factor Authentication → scan QR with Authy/Aegis. Without this, a leaked admin password = full compromise.
  3. Disable root SSH login. Edit /etc/ssh/sshd_config: set PermitRootLogin no and PasswordAuthentication no. Add a non-root sudo user first or you will lock yourself out.
  4. Configure automated backups. The panel has a Backups feature, but it does not back up the panel database itself. Set up a nightly mysqldump cron + offsite copy to S3/Backblaze.
  5. Subscribe to GitHub Security Advisories for both pterodactyl/panel and pterodactyl/wings. Critical CVEs land 2–3 times a year and you have ~24 hours to patch.
  6. Set the panel update cron. Add a weekly cron that runs cd /var/www/pterodactyl && php artisan p:upgrade on a maintenance window — or do it manually monthly.
  7. Lock down the database. The script binds MariaDB to 127.0.0.1 by default (good). Confirm with ss -tlnp | grep 3306 — you should see only loopback. Never expose 3306 to the internet.
  8. Configure fail2ban for SSH and the panel. Default Ubuntu has it ready: apt install fail2ban -y && systemctl enable --now fail2ban. The panel logs failed logins in MySQL but does not rate-limit by default.

If that list looks daunting, our Pterodactyl security hardening guide has each step expanded with the actual commands and a 20-row audit checklist with localStorage progress tracking. Bookmark it and tick boxes as you go.

For DDoS protection beyond the panel itself, our game server DDoS protection guide covers the full mitigation strategy — Cloudflare for HTTP-only services has limits that matter for game traffic.

08 // Frequently asked questions

Is the Pterodactyl install script safe to run?

The official pterodactyl-installer organisation on GitHub is well-known and audited by hundreds of contributors. The script itself is the safest community installer for the panel. The risk is not the script — it is running ANY one-liner without reading it first. Open the source on GitHub, read it once, then run it. (Section 02 above explains why this matters.)

How long does the install script take?

Roughly 8–15 minutes on a 2 vCPU / 2GB VPS with reasonable network. Most of that time is apt installing PHP, MariaDB, Redis, and Nginx, plus Composer pulling vendor dependencies. Wings install alone is faster (under 5 minutes).

Does the script work on Debian or AlmaLinux?

Officially yes for Debian 11/12 and AlmaLinux/RockyLinux 8/9. In practice we strongly recommend Ubuntu 22.04 or 24.04 LTS — that is what 90% of community help threads assume, and the script is most heavily tested there.

Is there a Pelican install script?

No, by design. Pelican ships a guided web installer instead of a community shell script. See section 05 above for why this is a deliberate choice.

Can I run the script if I already have Nginx or Apache installed?

It is possible but not recommended. The script assumes a clean VPS and configures its own web server vhost. If you have an existing reverse proxy or another web app, install the panel manually following the comprehensive setup guide — or spin up a fresh VPS just for the panel.

What happens if the script fails halfway through?

The installer logs to /var/log/pterodactyl-installer.log. Read the last 50 lines (tail -n 50 /var/log/pterodactyl-installer.log) to see the actual error. The most common causes are: domain A record not propagated yet (Lets Encrypt fails), insufficient RAM (Composer OOM), or an existing MySQL install with conflicting credentials. Fix the root cause and re-run the script — it is idempotent on most steps. Section 06 above lists the top 5 failures with copy-paste fixes.

Should I install Panel and Wings on the same server?

For a single-node setup with under 30 game servers, yes — choose option 2 (both). For larger deployments, separate them: Panel on a small VPS (2GB RAM is fine; it does not run game workloads) and Wings on the bigger node(s) where game servers actually run. The script supports both topologies.

Is bash <(curl ...) a security risk?

Yes, in principle. Anyone who can MITM the HTTPS connection or compromise the host serving the script can run arbitrary code as root on your VPS. In practice, pterodactyl-installer.se is hosted on a domain owned by a known maintainer and the script is mirrored on GitHub for review. Mitigate by reading the source on GitHub first, then either downloading and inspecting locally, or accepting the residual risk on a fresh single-purpose VPS. The bigger risk is running scripts you found in random Discord channels or pastebin links — never do that.

09 // Next steps

You have a working Pterodactyl panel. Here is what to do next, in priority order:

  1. Harden the install — work through the security hardening guide with its 20-row audit checklist. Do not skip this; the install script does not configure firewall, 2FA, or fail2ban.
  2. Add your first node and game server — if you ran option 0 (Panel only), you need to install Wings on the game server node next. Re-run the script on that node and choose option 1.
  3. Set up backups — the panel has a built-in backup feature for game server data, but you also need to back up the panel database. A nightly mysqldump + offsite copy is enough for most setups.
  4. Compare to alternatives — if this experience felt clunky, our Pterodactyl vs Pelican comparison covers the 2026 fork question, and our panels hub lists every option side-by-side.
  5. Plan for DDoS — if your servers will be public-facing, read our game server DDoS protection guide before announcing the IP anywhere. Cloudflare is not enough for game traffic.

If something broke that this guide did not cover, post it in the official Pterodactyl Discord — that is where script maintainers and seasoned admins answer. Tag your VPS provider, OS version, and the line in /var/log/pterodactyl-installer.log where it failed.