Merge remote-tracking branch 'master'
This commit is contained in:
commit
00f77871d4
6
.github/FUNDING.yml
vendored
6
.github/FUNDING.yml
vendored
@ -1,3 +1,3 @@
|
|||||||
patreon: angristan
|
patreon: stanislas
|
||||||
liberapay: angristan
|
liberapay: stanislas
|
||||||
ko_fi: angristan
|
ko_fi: stanislas
|
||||||
|
10
.github/dependabot.yml
vendored
Normal file
10
.github/dependabot.yml
vendored
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
version: 2
|
||||||
|
updates:
|
||||||
|
- package-ecosystem: "github-actions"
|
||||||
|
directory: "/"
|
||||||
|
schedule:
|
||||||
|
interval: "daily"
|
||||||
|
assignees:
|
||||||
|
- "angristan"
|
||||||
|
reviewers:
|
||||||
|
- "angristan"
|
16
.github/workflows/lint.yml
vendored
16
.github/workflows/lint.yml
vendored
@ -1,25 +1,21 @@
|
|||||||
on:
|
on: push
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- master
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- master
|
|
||||||
|
|
||||||
name: Lint
|
name: Lint
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
shellcheck:
|
shellcheck:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@master
|
- uses: actions/checkout@v2
|
||||||
- name: shellcheck
|
- name: shellcheck
|
||||||
uses: ludeeus/action-shellcheck@0.0.1
|
uses: ludeeus/action-shellcheck@0.5.0
|
||||||
env:
|
env:
|
||||||
SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
|
SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
|
||||||
|
|
||||||
shfmt:
|
shfmt:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@master
|
- uses: actions/checkout@v2
|
||||||
- name: shfmt
|
- name: shfmt
|
||||||
uses: bltavares/actions/shfmt@master
|
uses: bltavares/actions/shfmt@master
|
||||||
env:
|
env:
|
||||||
|
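Review bot: The new trigger `on: push` drops the `pull_request` event that the removed `push`/`pull_request` block carried (the hunk header's shorter new side suggests the `on: push` form is the new one), so shellcheck and shfmt no longer run on pull requests opened from forks, and the README's statement that they are executed for each commit / PR no longer holds; `on: [push, pull_request]` keeps both. The action references are now tags (`actions/checkout@v2`, `ludeeus/action-shellcheck@0.5.0`) rather than `@master`, which is an improvement, but a tag is a mutable ref; pinning to the full commit SHA with the tag in a trailing comment is the stable form, and `bltavares/actions/shfmt@master` is still a floating ref. The same tag-pinning point applies to `actions/checkout@v2` and `appleboy/ssh-action@v0.1.2` in .github/workflows/test.yml.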
12
.github/workflows/test.yml
vendored
12
.github/workflows/test.yml
vendored
@ -21,7 +21,7 @@ jobs:
|
|||||||
- centos-7-x64
|
- centos-7-x64
|
||||||
- centos-8-x64
|
- centos-8-x64
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@master
|
- uses: actions/checkout@v2
|
||||||
|
|
||||||
- name: Setup doctl
|
- name: Setup doctl
|
||||||
uses: digitalocean/action-doctl@v2
|
uses: digitalocean/action-doctl@v2
|
||||||
@ -51,7 +51,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Setup remote server (Debian/Ubuntu)
|
- name: Setup remote server (Debian/Ubuntu)
|
||||||
if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
|
if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
|
||||||
uses: appleboy/ssh-action@master
|
uses: appleboy/ssh-action@v0.1.2
|
||||||
with:
|
with:
|
||||||
host: ${{ steps.server_ip.outputs.value }}
|
host: ${{ steps.server_ip.outputs.value }}
|
||||||
username: root
|
username: root
|
||||||
@ -60,7 +60,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Setup remote server (Fedora)
|
- name: Setup remote server (Fedora)
|
||||||
if: steps.server_os.outputs.value == 'fedora'
|
if: steps.server_os.outputs.value == 'fedora'
|
||||||
uses: appleboy/ssh-action@master
|
uses: appleboy/ssh-action@v0.1.2
|
||||||
with:
|
with:
|
||||||
host: ${{ steps.server_ip.outputs.value }}
|
host: ${{ steps.server_ip.outputs.value }}
|
||||||
username: root
|
username: root
|
||||||
@ -69,7 +69,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Setup remote server (CentOS)
|
- name: Setup remote server (CentOS)
|
||||||
if: steps.server_os.outputs.value == 'centos'
|
if: steps.server_os.outputs.value == 'centos'
|
||||||
uses: appleboy/ssh-action@master
|
uses: appleboy/ssh-action@v0.1.2
|
||||||
with:
|
with:
|
||||||
host: ${{ steps.server_ip.outputs.value }}
|
host: ${{ steps.server_ip.outputs.value }}
|
||||||
username: root
|
username: root
|
||||||
@ -77,7 +77,7 @@ jobs:
|
|||||||
script: set -x && yum install -y git
|
script: set -x && yum install -y git
|
||||||
|
|
||||||
- name: Download repo and checkout current commit
|
- name: Download repo and checkout current commit
|
||||||
uses: appleboy/ssh-action@master
|
uses: appleboy/ssh-action@v0.1.2
|
||||||
with:
|
with:
|
||||||
host: ${{ steps.server_ip.outputs.value }}
|
host: ${{ steps.server_ip.outputs.value }}
|
||||||
username: root
|
username: root
|
||||||
@ -85,7 +85,7 @@ jobs:
|
|||||||
script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }}
|
script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }}
|
||||||
|
|
||||||
- name: Run openvpn-install.sh in headless mode
|
- name: Run openvpn-install.sh in headless mode
|
||||||
uses: appleboy/ssh-action@master
|
uses: appleboy/ssh-action@v0.1.2
|
||||||
with:
|
with:
|
||||||
host: ${{ steps.server_ip.outputs.value }}
|
host: ${{ steps.server_ip.outputs.value }}
|
||||||
username: root
|
username: root
|
||||||
|
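Review bot: The `script:` line of the "Download repo and checkout current commit" step interpolates `${{ github.event.pull_request.head.sha }}`, which is empty on any event other than pull_request; `git checkout` then runs with no ref, the clone's default branch is what gets tested, and the step still reports success. If the workflow also runs on push (its trigger block is outside this hunk), `git checkout ${{ github.event.pull_request.head.sha || github.sha }}` tests the pushed commit instead. Since the later "Run openvpn-install.sh in headless mode" step executes that checkout as `root` on the provisioned server, it is worth a comment on the step noting that the SHA, not a branch name, is what pins the code under test.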
2
FAQ.md
2
FAQ.md
@ -10,7 +10,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you
|
|||||||
|
|
||||||
**Q:** How do I check for DNS leaks?
|
**Q:** How do I check for DNS leaks?
|
||||||
|
|
||||||
**A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
|
**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Only your server's IP should show up.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
35
README.md
35
README.md
@ -37,7 +37,7 @@ In your home directory, you will have `.ovpn` files. These are the client config
|
|||||||
|
|
||||||
If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
|
If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
|
||||||
|
|
||||||
**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
|
**PLEASE do not send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
|
||||||
|
|
||||||
### Headless install
|
### Headless install
|
||||||
|
|
||||||
@ -117,13 +117,12 @@ The script supports these OS and architectures:
|
|||||||
| --------------- | ---- | ----- | ----- | ----- |
|
| --------------- | ---- | ----- | ----- | ----- |
|
||||||
| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
|
| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
|
||||||
| Arch Linux | ❔ | ✅ | ❔ | ✅ |
|
| Arch Linux | ❔ | ✅ | ❔ | ✅ |
|
||||||
| CentOS 7 | ❔ | ✅ | ❌ | ✅ |
|
| CentOS 7 | ✅ | ✅ | ✅ | ✅ |
|
||||||
| CentOS 8 | ❌ | ✅ | ❔ | ❔ |
|
| CentOS 8 | ❌ | ✅ | ❌ | ✅ |
|
||||||
| Debian 8 | ✅ | ✅ | ❌ | ❌ |
|
| Debian >= 9 | ✅ | ✅ | ✅ | ✅ |
|
||||||
| Debian >= 9 | ❌ | ✅ | ✅ | ✅ |
|
|
||||||
| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ |
|
| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ |
|
||||||
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
|
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
|
||||||
| Ubuntu >= 18.04 | ❌ | ✅ | ✅ | ✅ |
|
| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ |
|
||||||
|
|
||||||
To be noted:
|
To be noted:
|
||||||
|
|
||||||
@ -146,8 +145,9 @@ More Q&A in [FAQ.md](FAQ.md).
|
|||||||
**A:** I recommend these:
|
**A:** I recommend these:
|
||||||
|
|
||||||
- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month
|
- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month
|
||||||
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
|
- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month
|
||||||
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month
|
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month
|
||||||
|
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
@ -183,7 +183,22 @@ Solutions that provision a ready to use OpenVPN server based on this script in o
|
|||||||
|
|
||||||
- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
|
- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
|
||||||
|
|
||||||
## Contributing / Code formatting
|
## Contributing
|
||||||
|
|
||||||
|
### Contributors hall-of-fame
|
||||||
|
|
||||||
|
Thanks ❤️
|
||||||
|
|
||||||
|
[](https://github.com/angristan/openvpn-install/graphs/contributors)
|
||||||
|
[](https://github.com/angristan/openvpn-install/graphs/contributors)
|
||||||
|
[](https://github.com/angristan/openvpn-install/graphs/contributors)
|
||||||
|
[](https://github.com/angristan/openvpn-install/graphs/contributors)
|
||||||
|
[](https://github.com/angristan/openvpn-install/graphs/contributors)
|
||||||
|
[](https://github.com/angristan/openvpn-install/graphs/contributors)
|
||||||
|
[](https://github.com/angristan/openvpn-install/graphs/contributors)
|
||||||
|
[](https://github.com/angristan/openvpn-install/graphs/contributors)
|
||||||
|
|
||||||
|
### Code formatting
|
||||||
|
|
||||||
We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).
|
We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).
|
||||||
|
|
||||||
@ -195,13 +210,13 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA,
|
|||||||
|
|
||||||
If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.
|
If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.
|
||||||
|
|
||||||
Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
|
Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.7/easyrsa3/vars.example) file.
|
||||||
|
|
||||||
### Compression
|
### Compression
|
||||||
|
|
||||||
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
|
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
|
||||||
|
|
||||||
However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
|
However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
|
||||||
|
|
||||||
### TLS version
|
### TLS version
|
||||||
|
|
||||||
|
@ -18,14 +18,13 @@ function tunAvailable() {
|
|||||||
function checkOS() {
|
function checkOS() {
|
||||||
if [[ -e /etc/debian_version ]]; then
|
if [[ -e /etc/debian_version ]]; then
|
||||||
OS="debian"
|
OS="debian"
|
||||||
# shellcheck disable=SC1091
|
|
||||||
source /etc/os-release
|
source /etc/os-release
|
||||||
|
|
||||||
if [[ $ID == "debian" || $ID == "raspbian" ]]; then
|
if [[ $ID == "debian" || $ID == "raspbian" ]]; then
|
||||||
if [[ $VERSION_ID -lt 8 ]]; then
|
if [[ $VERSION_ID -lt 9 ]]; then
|
||||||
echo "⚠️ Your version of Debian is not supported."
|
echo "⚠️ Your version of Debian is not supported."
|
||||||
echo ""
|
echo ""
|
||||||
echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk."
|
echo "However, if you're using Debian >= 9 or unstable/testing then you can continue, at your own risk."
|
||||||
echo ""
|
echo ""
|
||||||
until [[ $CONTINUE =~ (y|n) ]]; do
|
until [[ $CONTINUE =~ (y|n) ]]; do
|
||||||
read -rp "Continue? [y/n]: " -e CONTINUE
|
read -rp "Continue? [y/n]: " -e CONTINUE
|
||||||
@ -51,7 +50,6 @@ function checkOS() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
elif [[ -e /etc/system-release ]]; then
|
elif [[ -e /etc/system-release ]]; then
|
||||||
# shellcheck disable=SC1091
|
|
||||||
source /etc/os-release
|
source /etc/os-release
|
||||||
if [[ $ID == "fedora" ]]; then
|
if [[ $ID == "fedora" ]]; then
|
||||||
OS="fedora"
|
OS="fedora"
|
||||||
@ -61,7 +59,7 @@ function checkOS() {
|
|||||||
if [[ ! $VERSION_ID =~ (7|8) ]]; then
|
if [[ ! $VERSION_ID =~ (7|8) ]]; then
|
||||||
echo "⚠️ Your version of CentOS is not supported."
|
echo "⚠️ Your version of CentOS is not supported."
|
||||||
echo ""
|
echo ""
|
||||||
echo "The script only support CentOS 7."
|
echo "The script only support CentOS 7 and CentOS 8."
|
||||||
echo ""
|
echo ""
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
@ -315,7 +313,7 @@ function installQuestions() {
|
|||||||
echo " 12) NextDNS (Anycast: worldwide)"
|
echo " 12) NextDNS (Anycast: worldwide)"
|
||||||
echo " 13) Custom"
|
echo " 13) Custom"
|
||||||
until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
|
until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
|
||||||
read -rp "DNS [1-12]: " -e -i 3 DNS
|
read -rp "DNS [1-12]: " -e -i 11 DNS
|
||||||
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
|
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
|
||||||
echo ""
|
echo ""
|
||||||
echo "Unbound is already installed."
|
echo "Unbound is already installed."
|
||||||
@ -653,11 +651,6 @@ function installOpenVPN() {
|
|||||||
apt-get update
|
apt-get update
|
||||||
apt-get -y install ca-certificates gnupg
|
apt-get -y install ca-certificates gnupg
|
||||||
# We add the OpenVPN repo to get the latest version.
|
# We add the OpenVPN repo to get the latest version.
|
||||||
if [[ $VERSION_ID == "8" ]]; then
|
|
||||||
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list
|
|
||||||
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
|
|
||||||
apt-get update
|
|
||||||
fi
|
|
||||||
if [[ $VERSION_ID == "16.04" ]]; then
|
if [[ $VERSION_ID == "16.04" ]]; then
|
||||||
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
|
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
|
||||||
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
|
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
|
||||||
@ -695,7 +688,7 @@ function installOpenVPN() {
|
|||||||
if [[ ! -d /etc/openvpn/server/easy-rsa/ ]]; then
|
if [[ ! -d /etc/openvpn/server/easy-rsa/ ]]; then
|
||||||
local version="3.0.7"
|
local version="3.0.7"
|
||||||
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
|
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
|
||||||
mkdir /etc/openvpn/server/easy-rsa
|
mkdir -p /etc/openvpn/server/easy-rsa
|
||||||
tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/server/easy-rsa
|
tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/server/easy-rsa
|
||||||
rm -f ~/easy-rsa.tgz
|
rm -f ~/easy-rsa.tgz
|
||||||
|
|
||||||
@ -720,11 +713,6 @@ function installOpenVPN() {
|
|||||||
|
|
||||||
# Create the PKI, set up the CA, the DH params and the server certificate
|
# Create the PKI, set up the CA, the DH params and the server certificate
|
||||||
./easyrsa init-pki
|
./easyrsa init-pki
|
||||||
|
|
||||||
# Workaround to remove unharmful error until easy-rsa 3.0.7
|
|
||||||
# https://github.com/OpenVPN/easy-rsa/issues/261
|
|
||||||
sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
|
|
||||||
|
|
||||||
./easyrsa --batch build-ca nopass
|
./easyrsa --batch build-ca nopass
|
||||||
|
|
||||||
if [[ $DH_TYPE == "2" ]]; then
|
if [[ $DH_TYPE == "2" ]]; then
|
||||||
@ -1034,9 +1022,9 @@ verb 3" >>/etc/openvpn/server/client-template.txt
|
|||||||
function newClient() {
|
function newClient() {
|
||||||
echo ""
|
echo ""
|
||||||
echo "Tell me a name for the client."
|
echo "Tell me a name for the client."
|
||||||
echo "Use one word only, no special characters."
|
echo "The name must consist of alphanumeric character. It may also include an underscore or a dash."
|
||||||
|
|
||||||
until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do
|
until [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; do
|
||||||
read -rp "Client name: " -e CLIENT
|
read -rp "Client name: " -e CLIENT
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -1193,7 +1181,6 @@ function removeUnbound() {
|
|||||||
|
|
||||||
function removeOpenVPN() {
|
function removeOpenVPN() {
|
||||||
echo ""
|
echo ""
|
||||||
# shellcheck disable=SC2034
|
|
||||||
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
|
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
|
||||||
if [[ $REMOVE == 'y' ]]; then
|
if [[ $REMOVE == 'y' ]]; then
|
||||||
# Get OpenVPN port from the configuration
|
# Get OpenVPN port from the configuration
|
||||||
|
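Review bot: The widened client-name pattern `^[a-zA-Z0-9_-]+$` in newClient now accepts names that begin with `-`, and such a value handed to easyrsa or other commands later in the function (outside this hunk) can be parsed as an option rather than as a name. Rejecting a leading dash keeps the new dash support without that ambiguity: `until [[ $CLIENT =~ ^[a-zA-Z0-9_][a-zA-Z0-9_-]*$ ]]; do`. The prompt text on the preceding changed line could then read `echo "The name must consist of alphanumeric characters. It may also include an underscore or a dash, but may not start with a dash."`.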