Merge remote-tracking branch 'master'

randomshell 2020-08-04 17:44:41 +00:00
commit 00f77871d4
7 changed files with 65 additions and 57 deletions

6
.github/FUNDING.yml vendored

@ -1,3 +1,3 @@
patreon: angristan
liberapay: angristan
ko_fi: angristan
patreon: stanislas
liberapay: stanislas
ko_fi: stanislas

10
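--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "daily"
+assignees:
+- "angristan"
+reviewers:
+- "angristan"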


@ -1,26 +1,22 @@
on:
push:
branches:
- master
pull_request:
branches:
- master
on: push
name: Lint
jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: shellcheck
uses: ludeeus/action-shellcheck@0.0.1
env:
SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
- uses: actions/checkout@v2
- name: shellcheck
uses: ludeeus/action-shellcheck@0.5.0
env:
SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
shfmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: shfmt
uses: bltavares/actions/shfmt@master
env:
SHFMT_ARGS: -d
- uses: actions/checkout@v2
- name: shfmt
uses: bltavares/actions/shfmt@master
env:
SHFMT_ARGS: -d
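Review bot: The shfmt step still resolves `bltavares/actions/shfmt@master`, a branch ref, so whatever is pushed to that branch runs in this job on the next trigger; the commit moves `actions/checkout` and `ludeeus/action-shellcheck` to version refs but leaves this one floating. Pin third-party actions to a full commit SHA with the version in a trailing comment, for example `uses: bltavares/actions/shfmt@<full-commit-sha>  # <version>` (placeholders, not real values). The same applies to `appleboy/ssh-action@v0.1.2` in the next workflow file: a tag can be moved by the action's owner, and that action is handed the server host and the `root` username, and presumably the login credential in lines outside the hunks. Dependabot's `github-actions` ecosystem, added in this commit, can keep SHA pins current.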


@ -21,7 +21,7 @@ jobs:
- centos-7-x64
- centos-8-x64
steps:
- uses: actions/checkout@master
- uses: actions/checkout@v2
- name: Setup doctl
uses: digitalocean/action-doctl@v2
@ -51,7 +51,7 @@ jobs:
- name: Setup remote server (Debian/Ubuntu)
if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
uses: appleboy/ssh-action@master
uses: appleboy/ssh-action@v0.1.2
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
@ -60,7 +60,7 @@ jobs:
- name: Setup remote server (Fedora)
if: steps.server_os.outputs.value == 'fedora'
uses: appleboy/ssh-action@master
uses: appleboy/ssh-action@v0.1.2
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
@ -69,7 +69,7 @@ jobs:
- name: Setup remote server (CentOS)
if: steps.server_os.outputs.value == 'centos'
uses: appleboy/ssh-action@master
uses: appleboy/ssh-action@v0.1.2
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
@ -77,7 +77,7 @@ jobs:
script: set -x && yum install -y git
- name: Download repo and checkout current commit
uses: appleboy/ssh-action@master
uses: appleboy/ssh-action@v0.1.2
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
@ -85,7 +85,7 @@ jobs:
script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }}
- name: Run openvpn-install.sh in headless mode
uses: appleboy/ssh-action@master
uses: appleboy/ssh-action@v0.1.2
with:
host: ${{ steps.server_ip.outputs.value }}
username: root

2
FAQ.md

@ -10,7 +10,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you
**Q:** How do I check for DNS leaks?
**A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Only your server's IP should show up.
---


@ -37,7 +37,7 @@ In your home directory, you will have `.ovpn` files. These are the client config
If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
**PLEASE do not send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
### Headless install
@ -117,13 +117,12 @@ The script supports these OS and architectures:
| --------------- | ---- | ----- | ----- | ----- |
| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
| Arch Linux | ❔ | ✅ | ❔ | ✅ |
| CentOS 7 | ❔ | ✅ | ❌ | ✅ |
| CentOS 8 | ❌ | ✅ | ❔ | ❔ |
| Debian 8 | ✅ | ✅ | ❌ | ❌ |
| Debian >= 9 | ❌ | ✅ | ✅ | ✅ |
| CentOS 7 | ✅ | ✅ | ✅ | ✅ |
| CentOS 8 | ❌ | ✅ | ❌ | ✅ |
| Debian >= 9 | ✅ | ✅ | ✅ | ✅ |
| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ |
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
| Ubuntu >= 18.04 | | ✅ | ✅ | ✅ |
| Ubuntu >= 18.04 | | ✅ | ✅ | ✅ |
To be noted:
@ -146,8 +145,9 @@ More Q&A in [FAQ.md](FAQ.md).
**A:** I recommend these:
- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
---
@ -183,7 +183,22 @@ Solutions that provision a ready to use OpenVPN server based on this script in o
- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
## Contributing / Code formatting
## Contributing
### Contributors hall-of-fame
Thanks ❤️
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/0)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/1)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/2)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/3)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/4)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/5)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/6)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/7)](https://github.com/angristan/openvpn-install/graphs/contributors)
### Code formatting
We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).
@ -195,13 +210,13 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA,
If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.
Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.7/easyrsa3/vars.example) file.
### Compression
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
### TLS version


@ -18,14 +18,13 @@ function tunAvailable() {
function checkOS() {
if [[ -e /etc/debian_version ]]; then
OS="debian"
# shellcheck disable=SC1091
source /etc/os-release
if [[ $ID == "debian" || $ID == "raspbian" ]]; then
if [[ $VERSION_ID -lt 8 ]]; then
if [[ $VERSION_ID -lt 9 ]]; then
echo "⚠️ Your version of Debian is not supported."
echo ""
echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk."
echo "However, if you're using Debian >= 9 or unstable/testing then you can continue, at your own risk."
echo ""
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
@ -51,7 +50,6 @@ function checkOS() {
fi
fi
elif [[ -e /etc/system-release ]]; then
# shellcheck disable=SC1091
source /etc/os-release
if [[ $ID == "fedora" ]]; then
OS="fedora"
@ -61,7 +59,7 @@ function checkOS() {
if [[ ! $VERSION_ID =~ (7|8) ]]; then
echo "⚠️ Your version of CentOS is not supported."
echo ""
echo "The script only support CentOS 7."
echo "The script only support CentOS 7 and CentOS 8."
echo ""
exit 1
fi
@ -315,7 +313,7 @@ function installQuestions() {
echo " 12) NextDNS (Anycast: worldwide)"
echo " 13) Custom"
until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
read -rp "DNS [1-12]: " -e -i 3 DNS
read -rp "DNS [1-12]: " -e -i 11 DNS
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
echo ""
echo "Unbound is already installed."
@ -653,11 +651,6 @@ function installOpenVPN() {
apt-get update
apt-get -y install ca-certificates gnupg
# We add the OpenVPN repo to get the latest version.
if [[ $VERSION_ID == "8" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
if [[ $VERSION_ID == "16.04" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
@ -695,7 +688,7 @@ function installOpenVPN() {
if [[ ! -d /etc/openvpn/server/easy-rsa/ ]]; then
local version="3.0.7"
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
mkdir /etc/openvpn/server/easy-rsa
mkdir -p /etc/openvpn/server/easy-rsa
tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/server/easy-rsa
rm -f ~/easy-rsa.tgz
@ -720,11 +713,6 @@ function installOpenVPN() {
# Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki
# Workaround to remove unharmful error until easy-rsa 3.0.7
# https://github.com/OpenVPN/easy-rsa/issues/261
sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
./easyrsa --batch build-ca nopass
if [[ $DH_TYPE == "2" ]]; then
@ -1034,9 +1022,9 @@ verb 3" >>/etc/openvpn/server/client-template.txt
function newClient() {
echo ""
echo "Tell me a name for the client."
echo "Use one word only, no special characters."
echo "The name must consist of alphanumeric character. It may also include an underscore or a dash."
until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do
until [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; do
read -rp "Client name: " -e CLIENT
done
@ -1193,7 +1181,6 @@ function removeUnbound() {
function removeOpenVPN() {
echo ""
# shellcheck disable=SC2034
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ $REMOVE == 'y' ]]; then
# Get OpenVPN port from the configuration
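Review bot: The relaxed client-name check in newClient, `^[a-zA-Z0-9_-]+$`, now accepts names that begin with a dash. The places where `$CLIENT` is consumed are outside the hunk, but if it is passed as a command argument or used as a file name, a leading dash can be read as an option by the receiving tool. Keep the dash allowed but not in first position: `until [[ $CLIENT =~ ^[a-zA-Z0-9_][a-zA-Z0-9_-]*$ ]]; do`. Separately, in the installOpenVPN hunk the EasyRSA tarball is fetched with `wget` and unpacked under /etc/openvpn with no integrity check; comparing it against a pinned SHA-256 for version 3.0.7 before `tar xzf` would close that gap.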