Merge remote-tracking branch 'master'

This commit is contained in:
randomshell 2020-08-04 17:44:41 +00:00
commit 00f77871d4
7 changed files with 65 additions and 57 deletions

6
.github/FUNDING.yml vendored

@ -1,3 +1,3 @@
patreon: angristan patreon: stanislas
liberapay: angristan liberapay: stanislas
ko_fi: angristan ko_fi: stanislas

10
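--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "daily"
+assignees:
+- "angristan"
+reviewers:
+- "angristan"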


@ -1,25 +1,21 @@
on: on: push
push:
branches:
- master
pull_request:
branches:
- master
name: Lint name: Lint
jobs: jobs:
shellcheck: shellcheck:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@master - uses: actions/checkout@v2
- name: shellcheck - name: shellcheck
uses: ludeeus/action-shellcheck@0.0.1 uses: ludeeus/action-shellcheck@0.5.0
env: env:
SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
shfmt: shfmt:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@master - uses: actions/checkout@v2
- name: shfmt - name: shfmt
uses: bltavares/actions/shfmt@master uses: bltavares/actions/shfmt@master
env: env:
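Review bot: `uses: bltavares/actions/shfmt@master` on the shfmt job (line 58) still references a mutable branch, so whatever that branch holds at run time executes against the repository checkout, and the Dependabot configuration added in this commit can only bump tag or SHA references, which leaves this one unmanaged; pin it to an immutable ref, e.g. `uses: bltavares/actions/shfmt@<commit-sha>  # <version>`. Moving `actions/checkout` and `ludeeus/action-shellcheck` from `@master` to tags is the right direction, but a tag can be moved as well, so SHA pins with a version comment are the stronger choice there too. The trigger also narrows from `push` plus `pull_request` on master to `on: push` only, which presumably means pull requests from forks are no longer linted even though the README still says the checks run for each commit / PR; confirm that is intended. The hunk header counts 21 new lines but fewer appear here, so the end of the file is outside this view.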


@ -21,7 +21,7 @@ jobs:
- centos-7-x64 - centos-7-x64
- centos-8-x64 - centos-8-x64
steps: steps:
- uses: actions/checkout@master - uses: actions/checkout@v2
- name: Setup doctl - name: Setup doctl
uses: digitalocean/action-doctl@v2 uses: digitalocean/action-doctl@v2
@ -51,7 +51,7 @@ jobs:
- name: Setup remote server (Debian/Ubuntu) - name: Setup remote server (Debian/Ubuntu)
if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu' if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
uses: appleboy/ssh-action@master uses: appleboy/ssh-action@v0.1.2
with: with:
host: ${{ steps.server_ip.outputs.value }} host: ${{ steps.server_ip.outputs.value }}
username: root username: root
@ -60,7 +60,7 @@ jobs:
- name: Setup remote server (Fedora) - name: Setup remote server (Fedora)
if: steps.server_os.outputs.value == 'fedora' if: steps.server_os.outputs.value == 'fedora'
uses: appleboy/ssh-action@master uses: appleboy/ssh-action@v0.1.2
with: with:
host: ${{ steps.server_ip.outputs.value }} host: ${{ steps.server_ip.outputs.value }}
username: root username: root
@ -69,7 +69,7 @@ jobs:
- name: Setup remote server (CentOS) - name: Setup remote server (CentOS)
if: steps.server_os.outputs.value == 'centos' if: steps.server_os.outputs.value == 'centos'
uses: appleboy/ssh-action@master uses: appleboy/ssh-action@v0.1.2
with: with:
host: ${{ steps.server_ip.outputs.value }} host: ${{ steps.server_ip.outputs.value }}
username: root username: root
@ -77,7 +77,7 @@ jobs:
script: set -x && yum install -y git script: set -x && yum install -y git
- name: Download repo and checkout current commit - name: Download repo and checkout current commit
uses: appleboy/ssh-action@master uses: appleboy/ssh-action@v0.1.2
with: with:
host: ${{ steps.server_ip.outputs.value }} host: ${{ steps.server_ip.outputs.value }}
username: root username: root
@ -85,7 +85,7 @@ jobs:
script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }}
- name: Run openvpn-install.sh in headless mode - name: Run openvpn-install.sh in headless mode
uses: appleboy/ssh-action@master uses: appleboy/ssh-action@v0.1.2
with: with:
host: ${{ steps.server_ip.outputs.value }} host: ${{ steps.server_ip.outputs.value }}
username: root username: root
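Review bot: `appleboy/ssh-action@v0.1.2` (lines 73, 80, 87, 94 and 101) is now a tag instead of a branch, which is an improvement, but this action is handed the root login of the freshly provisioned server (`username: root` with the host taken from `steps.server_ip`), so a moved or re-pushed tag would place whatever it then points at in possession of those credentials; pin by commit SHA with a version comment, e.g. `uses: appleboy/ssh-action@<commit-sha>  # v0.1.2`, which the Dependabot config added in this commit can keep current. The same applies to `actions/checkout@v2` at line 67. The `script:` at line 99 interpolates `github.event.pull_request.head.sha`, which GitHub supplies as a commit id rather than free text, so it is not an expression-injection point, though the remaining `with:` entries of each step (including how the SSH key reaches the action) fall outside these hunks.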

2
FAQ.md

@ -10,7 +10,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you
**Q:** How do I check for DNS leaks? **Q:** How do I check for DNS leaks?
**A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up. **A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Only your server's IP should show up.
--- ---


@ -37,7 +37,7 @@ In your home directory, you will have `.ovpn` files. These are the client config
If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue. If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special. **PLEASE do not send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
### Headless install ### Headless install
@ -117,13 +117,12 @@ The script supports these OS and architectures:
| --------------- | ---- | ----- | ----- | ----- | | --------------- | ---- | ----- | ----- | ----- |
| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | | Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
| Arch Linux | ❔ | ✅ | ❔ | ✅ | | Arch Linux | ❔ | ✅ | ❔ | ✅ |
| CentOS 7 | ❔ | ✅ | ❌ | ✅ | | CentOS 7 | ✅ | ✅ | ✅ | ✅ |
| CentOS 8 | ❌ | ✅ | ❔ | ❔ | | CentOS 8 | ❌ | ✅ | ❌ | ✅ |
| Debian 8 | ✅ | ✅ | ❌ | ❌ | | Debian >= 9 | ✅ | ✅ | ✅ | ✅ |
| Debian >= 9 | ❌ | ✅ | ✅ | ✅ |
| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | | Fedora >= 27 | ❔ | ✅ | ❔ | ❔ |
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | | Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
| Ubuntu >= 18.04 | | ✅ | ✅ | ✅ | | Ubuntu >= 18.04 | | ✅ | ✅ | ✅ |
To be noted: To be noted:
@ -146,8 +145,9 @@ More Q&A in [FAQ.md](FAQ.md).
**A:** I recommend these: **A:** I recommend these:
- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month - [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month - [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month - [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
--- ---
@ -183,7 +183,22 @@ Solutions that provision a ready to use OpenVPN server based on this script in o
- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install) - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
## Contributing / Code formatting ## Contributing
### Contributors hall-of-fame
Thanks ❤️
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/0)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/1)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/2)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/3)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/4)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/5)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/6)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/7)](https://github.com/angristan/openvpn-install/graphs/contributors)
### Code formatting
We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml). We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).
@ -195,13 +210,13 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA,
If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete. If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.
Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file. Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.7/easyrsa3/vars.example) file.
### Compression ### Compression
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient. By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it. However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
### TLS version ### TLS version


@ -18,14 +18,13 @@ function tunAvailable() {
function checkOS() { function checkOS() {
if [[ -e /etc/debian_version ]]; then if [[ -e /etc/debian_version ]]; then
OS="debian" OS="debian"
# shellcheck disable=SC1091
source /etc/os-release source /etc/os-release
if [[ $ID == "debian" || $ID == "raspbian" ]]; then if [[ $ID == "debian" || $ID == "raspbian" ]]; then
if [[ $VERSION_ID -lt 8 ]]; then if [[ $VERSION_ID -lt 9 ]]; then
echo "⚠️ Your version of Debian is not supported." echo "⚠️ Your version of Debian is not supported."
echo "" echo ""
echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk." echo "However, if you're using Debian >= 9 or unstable/testing then you can continue, at your own risk."
echo "" echo ""
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
@ -51,7 +50,6 @@ function checkOS() {
fi fi
fi fi
elif [[ -e /etc/system-release ]]; then elif [[ -e /etc/system-release ]]; then
# shellcheck disable=SC1091
source /etc/os-release source /etc/os-release
if [[ $ID == "fedora" ]]; then if [[ $ID == "fedora" ]]; then
OS="fedora" OS="fedora"
@ -61,7 +59,7 @@ function checkOS() {
if [[ ! $VERSION_ID =~ (7|8) ]]; then if [[ ! $VERSION_ID =~ (7|8) ]]; then
echo "⚠️ Your version of CentOS is not supported." echo "⚠️ Your version of CentOS is not supported."
echo "" echo ""
echo "The script only support CentOS 7." echo "The script only support CentOS 7 and CentOS 8."
echo "" echo ""
exit 1 exit 1
fi fi
@ -315,7 +313,7 @@ function installQuestions() {
echo " 12) NextDNS (Anycast: worldwide)" echo " 12) NextDNS (Anycast: worldwide)"
echo " 13) Custom" echo " 13) Custom"
until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
read -rp "DNS [1-12]: " -e -i 3 DNS read -rp "DNS [1-12]: " -e -i 11 DNS
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
echo "" echo ""
echo "Unbound is already installed." echo "Unbound is already installed."
@ -653,11 +651,6 @@ function installOpenVPN() {
apt-get update apt-get update
apt-get -y install ca-certificates gnupg apt-get -y install ca-certificates gnupg
# We add the OpenVPN repo to get the latest version. # We add the OpenVPN repo to get the latest version.
if [[ $VERSION_ID == "8" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
if [[ $VERSION_ID == "16.04" ]]; then if [[ $VERSION_ID == "16.04" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
@ -695,7 +688,7 @@ function installOpenVPN() {
if [[ ! -d /etc/openvpn/server/easy-rsa/ ]]; then if [[ ! -d /etc/openvpn/server/easy-rsa/ ]]; then
local version="3.0.7" local version="3.0.7"
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
mkdir /etc/openvpn/server/easy-rsa mkdir -p /etc/openvpn/server/easy-rsa
tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/server/easy-rsa tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/server/easy-rsa
rm -f ~/easy-rsa.tgz rm -f ~/easy-rsa.tgz
@ -720,11 +713,6 @@ function installOpenVPN() {
# Create the PKI, set up the CA, the DH params and the server certificate # Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki ./easyrsa init-pki
# Workaround to remove unharmful error until easy-rsa 3.0.7
# https://github.com/OpenVPN/easy-rsa/issues/261
sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
./easyrsa --batch build-ca nopass ./easyrsa --batch build-ca nopass
if [[ $DH_TYPE == "2" ]]; then if [[ $DH_TYPE == "2" ]]; then
@ -1034,9 +1022,9 @@ verb 3" >>/etc/openvpn/server/client-template.txt
function newClient() { function newClient() {
echo "" echo ""
echo "Tell me a name for the client." echo "Tell me a name for the client."
echo "Use one word only, no special characters." echo "The name must consist of alphanumeric character. It may also include an underscore or a dash."
until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do until [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; do
read -rp "Client name: " -e CLIENT read -rp "Client name: " -e CLIENT
done done
@ -1193,7 +1181,6 @@ function removeUnbound() {
function removeOpenVPN() { function removeOpenVPN() {
echo "" echo ""
# shellcheck disable=SC2034
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ $REMOVE == 'y' ]]; then if [[ $REMOVE == 'y' ]]; then
# Get OpenVPN port from the configuration # Get OpenVPN port from the configuration
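Review bot: The widened pattern `^[a-zA-Z0-9_-]+$` in newClient (line 235) accepts a name whose first character is `-`, and since `$CLIENT` is presumably passed on command lines and used in file names later in newClient (outside this hunk), a leading dash would be read as an option by those tools; anchoring the first character to an alphanumeric, `until [[ $CLIENT =~ ^[a-zA-Z0-9][a-zA-Z0-9_-]*$ ]]; do`, keeps the dash support this commit adds without that edge case, and the prompt on line 234 should say so, e.g. `echo "The name must start with an alphanumeric character and may contain underscores or dashes."`. In installQuestions (line 199) the default moves to 11 but the prompt still reads `"DNS [1-12]: "` while the loop on line 198 accepts 1 to 13, so the string should be `"DNS [1-13]: "`. The bodies of newClient and installQuestions continue beyond their hunks.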