openvpn-install/README.md

##openvpn-install
OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Debian, Ubuntu and CentOS.

This script will let you setup your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It isn't bulletproof but has been designed to be as unobtrusive and universal as possible.

##Fork
This fork includes :
- No logs
- No comp-lzo [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575)
- Better encryption (see below)
- Avoid DNS leak
- UFW support
- TLS 1.2 only
- Strong ciphers, DH keys and certificates. (see variants)
- AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
- Run server in unprivileged mode, reducing risks to the system
- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
- Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
- [DNS.WATCH DNS Servers](https://dns.watch/index)
- Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
- Support for either SNAT or MASQUERADE for forwarding
- Every feature of the [original script](https://github.com/Nyr/openvpn-install) (I check periodically to sync the latest commits from source)

## Variants

When you lauch the script you will be asked to choose a mode. Both will work the same way, but *slow* has higher encryption settings, so it may slow down your connection and take more time to install.

If you're just using your VPN at home, you may choose "fast". But if you're often using public Wi-Fi or traveling a lot, you choose use *slow*.

FYI, "fast" is still more secured than default OpenVPN settings.

### Slow (high encryption)
Features :
- 4096 bits RSA private key
- 4096 bits Diffie-Hellman key
- 256 bits AES-GCM
- SHA-384 RSA certificate

### Fast (lower encryption)
Features :
- 2048 bits RSA private key
- 2048 bits Diffie-Hellman key
- 128 bits AES-GCM
- SHA-256 RSA certificate

## Compatibility

The script is made to work on these OS :
- Debian 7
- Debian 8
- Ubuntu 12.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 15.10
- Ubuntu 16.04 LTS
- CentOS 6
- CentOS 7

Each one has been test by myself.

##Installation

Run the script and follow the assistant:

```
wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
```

Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.


You can get a cheap VPS for 3€/month at [PulseHeberg](https://bit.ly/pulse-vpn).

## Licence

Based on the work of [Nyr](https://github.com/Nyr/openvpn-install)

[MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install-nyr/master/LICENSE)
First commit 2013-05-14 14:04:19 +02:00			`##openvpn-install`
CentOS support and other improvements 2015-02-11 19:51:19 +01:00			`OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Debian, Ubuntu and CentOS.`
First commit 2013-05-14 14:04:19 +02:00
CentOS support and other improvements 2015-02-11 19:51:19 +01:00			`This script will let you setup your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It isn't bulletproof but has been designed to be as unobtrusive and universal as possible.`
First commit 2013-05-14 14:04:19 +02:00
Add legacy version 2016-03-13 15:41:05 +01:00			`##Fork`
Update README.md 2016-03-08 23:16:52 +01:00			`This fork includes :`
The BIG update 2016-03-19 17:38:34 +01:00			`- No logs`
Update README.md 2016-03-21 18:36:08 +01:00			`- No comp-lzo [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575)`
The BIG update 2016-03-19 17:38:34 +01:00			`- Better encryption (see below)`
Add new features 2016-06-10 14:54:04 +02:00			`- Avoid DNS leak`
			`- UFW support`
Update README.md 2016-03-08 23:16:52 +01:00			`- TLS 1.2 only`
Add new features 2016-06-10 14:54:04 +02:00			`- Strong ciphers, DH keys and certificates. (see variants)`
The BIG update 2016-03-19 17:38:34 +01:00			`- AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)`
Support ios openvpn connect using CBC, SHA128 tls-cipher. Update readme. 2016-04-12 11:38:14 +02:00			`- Run server in unprivileged mode, reducing risks to the system`
			`- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.`
Add FDN's DNS Servers 2016-03-08 23:51:02 +01:00			`- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)`
The BIG update 2016-03-19 17:38:34 +01:00			`- Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)`
Add DNS.WATCH DNS resolvers 2016-06-11 00:33:57 +02:00			`- [DNS.WATCH DNS Servers](https://dns.watch/index)`
OpenVPN 2.3.10 -> 2.3.11 2016-05-10 22:56:34 +02:00			`- Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)`
merging readme changes 2016-05-11 00:29:43 +02:00			`- Support for either SNAT or MASQUERADE for forwarding`
Update README.md 2016-03-09 16:46:56 +01:00			`- Every feature of the [original script](https://github.com/Nyr/openvpn-install) (I check periodically to sync the latest commits from source)`
Update README.md 2016-03-08 23:16:52 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			`## Variants`
Add legacy version 2016-03-13 15:41:05 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			`When you lauch the script you will be asked to choose a mode. Both will work the same way, but slow has higher encryption settings, so it may slow down your connection and take more time to install.`
Update README.md 2016-03-15 21:36:05 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			`If you're just using your VPN at home, you may choose "fast". But if you're often using public Wi-Fi or traveling a lot, you choose use slow.`
Update README.md 2016-03-15 21:36:05 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			`FYI, "fast" is still more secured than default OpenVPN settings.`
Update README.md 2016-03-15 21:36:05 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			`### Slow (high encryption)`
			`Features :`
			`- 4096 bits RSA private key`
			`- 4096 bits Diffie-Hellman key`
			`- 256 bits AES-GCM`
			`- SHA-384 RSA certificate`
Add legacy version 2016-03-13 15:41:05 +01:00
Undo TLS-CIPHER changes in f376ce91 in deference to harvester57's pull request 2016-04-29 22:00:09 +02:00			`### Fast (lower encryption)`
The BIG update 2016-03-19 17:38:34 +01:00			`Features :`
			`- 2048 bits RSA private key`
			`- 2048 bits Diffie-Hellman key`
Undo TLS-CIPHER changes in f376ce91 in deference to harvester57's pull request 2016-04-29 22:00:09 +02:00			`- 128 bits AES-GCM`
			`- SHA-256 RSA certificate`
Add legacy version 2016-03-13 15:41:05 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			`## Compatibility`
Add a little explanation 2016-03-13 15:53:09 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			`The script is made to work on these OS :`
			`- Debian 7`
Add legacy version 2016-03-13 15:41:05 +01:00			`- Debian 8`
The BIG update 2016-03-19 17:38:34 +01:00			`- Ubuntu 12.04 LTS`
			`- Ubuntu 14.04 LTS`
Add legacy version 2016-03-13 15:41:05 +01:00			`- Ubuntu 15.10`
Ubuntu 16.04 compatibility 2016-05-06 20:32:53 +02:00			`- Ubuntu 16.04 LTS`
Clear up supported OS 2016-03-14 21:20:03 +01:00			`- CentOS 6`
			`- CentOS 7`
Add legacy version 2016-03-13 15:41:05 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			`Each one has been test by myself.`
Add a little explanation 2016-03-13 15:53:09 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			`##Installation`
Add a little explanation 2016-03-13 15:53:09 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			`Run the script and follow the assistant:`
Add legacy version 2016-03-13 15:41:05 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			```
update link 2016-06-10 16:12:02 +02:00			`wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh`
The BIG update 2016-03-19 17:38:34 +01:00			`chmod +x openvpn-install.sh`
			`./openvpn-install.sh`
			```
Update README.md 2016-03-15 21:37:58 +01:00
The BIG update 2016-03-19 17:38:34 +01:00			`Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.`
Add legacy version 2016-03-13 15:41:05 +01:00
Update README.md 2016-01-01 13:53:28 +01:00
Update README.md 2016-07-28 10:44:16 +02:00			`You can get a cheap VPS for 3€/month at [PulseHeberg](https://bit.ly/pulse-vpn).`
Update README.md 2016-01-01 13:53:28 +01:00
			`## Licence`

Add legacy version 2016-03-13 15:41:05 +01:00			`Based on the work of [Nyr](https://github.com/Nyr/openvpn-install)`
Update README.md 2016-01-01 13:53:46 +01:00
			`[MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install-nyr/master/LICENSE)`