From 7a4f9278e7535f1272ea3c87b444effea70049bc Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Tue, 3 Mar 2020 23:04:18 +0100 Subject: [PATCH 001/132] Add new DNS option: NextDNS --- openvpn-install.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 90ea433..4e7c2a1 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -294,7 +294,8 @@ function installQuestions () { echo " 9) Google (Anycast: worldwide)" echo " 10) Yandex Basic (Russia)" echo " 11) AdGuard DNS (Russia)" - echo " 12) Custom" + echo " 12) NextDNS (Worldwide)" + echo " 13) Custom" until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 12 ]; do read -rp "DNS [1-12]: " -e -i 3 DNS if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then @@ -780,7 +781,11 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf ;; - 12) # Custom DNS + 12) # NextDNS + echo 'push "dhcp-option DNS 45.90.28.167"' >> /etc/openvpn/server.conf + echo 'push "dhcp-option DNS 45.90.30.167"' >> /etc/openvpn/server.conf + ;; + 13) # Custom DNS echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf if [[ "$DNS2" != "" ]]; then echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf From 3f2ad88cbf4519722be7446132535ca8256968f6 Mon Sep 17 00:00:00 2001 From: xPakrikx Date: Tue, 10 Mar 2020 10:43:13 +0100 Subject: [PATCH 002/132] Custom DNS option wrong value fix (#559) Custom DNS option wrong value fix --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4e7c2a1..0c63227 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
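Review bot: The new `13) Custom` entry is unreachable from the validation loop in the first hunk, because the `until` condition still tests `[ "$DNS" -le 12 ]` and the prompt still reads `DNS [1-12]: `, so a user typing 13 is re-prompted indefinitely while 12 now silently selects NextDNS. Both should move to the new upper bound: `until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do` and `read -rp "DNS [1-13]: " -e -i 3 DNS`. The range check is corrected by the following commit (#559), but the prompt label is not, neither there nor in the AdGuard relabel (#596), where the same `DNS [1-12]` context line is visible. The `elif [[ $DNS == "12" ]]` branch that collects `DNS1`/`DNS2` for the Custom option lies outside this hunk, as does the rest of installQuestions.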
@@ -296,7 +296,7 @@ function installQuestions () { echo " 11) AdGuard DNS (Russia)" echo " 12) NextDNS (Worldwide)" echo " 13) Custom" - until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 12 ]; do + until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do read -rp "DNS [1-12]: " -e -i 3 DNS if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then echo "" @@ -314,7 +314,7 @@ function installQuestions () { unset DNS unset CONTINUE fi - elif [[ $DNS == "12" ]]; then + elif [[ $DNS == "13" ]]; then until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do read -rp "Primary DNS: " -e DNS1 done From 6bb87ae716a1f4f85250bb2a71832602ad03bd3a Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Sat, 14 Mar 2020 19:25:22 +0000 Subject: [PATCH 003/132] Install `semanage` command on CentoOS (#554) CentOS has selinux enabled by default but it hasn't the `semanage` command required to run OpenVPN on another port. 'policycoreutils-python*' match `policycoreutils-python' in CentOS 7 and `policycoreutils-python-utils` in Centos 8. --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0c63227..d6508b2 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -625,7 +625,7 @@ function installOpenVPN () { apt-get install -y openvpn iptables openssl wget ca-certificates curl elif [[ "$OS" = 'centos' ]]; then yum install -y epel-release - yum install -y openvpn iptables openssl wget ca-certificates curl tar + yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' elif [[ "$OS" = 'amzn' ]]; then amazon-linux-extras install -y epel yum install -y openvpn iptables openssl wget ca-certificates curl From aab5e7b2ffe9221b73feaec59d65e613f42e2de5 Mon Sep 17 00:00:00 2001 
From: Henry N Date: Thu, 26 Mar 2020 21:22:22 +0100 Subject: [PATCH 004/132] Fix getting pulic interface in IPv6 only (#578) In a IPv6 only environment, the variable $NIC would be empty and iptables in add-openvpn-rules.sh will fail by missing argument. --- openvpn-install.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index d6508b2..ab84a6c 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -606,6 +606,9 @@ function installOpenVPN () { # Get the "public" interface from the default route NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) + if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" = 'y' ]]; then + NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') + fi if [[ "$OS" =~ (debian|ubuntu) ]]; then apt-get update From 14bcfbd531954ee13a5814235e15605879c7721f Mon Sep 17 00:00:00 2001 From: Stanislas Date: Thu, 26 Mar 2020 21:22:48 +0100 Subject: [PATCH 005/132] Run action on PRs (#582) --- .github/workflows/push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index f1a5ccb..c6a36b9 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -1,4 +1,4 @@ -on: push +on: [push, pull_request] name: ShellCheck jobs: shellcheck: From 130659b003c4edeec5a19e0da33db349f5fa77ae Mon Sep 17 00:00:00 2001 From: Henry N Date: Thu, 26 Mar 2020 21:24:20 +0100 Subject: [PATCH 006/132] Add explicit-exit-notify for UDP (#579) For faster reconnects with UDP is better to send the the explicit-exit-notify to server. With this the server can directly see, that the client will exit. --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index ab84a6c..b0703d7 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
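Review bot: The IPv6 fallback can leave `$NIC` holding several interface names separated by newlines, because `sed -ne '…/p'` prints every matching default route and nothing truncates the result, whereas the IPv4 line just above ends with `head -1`; a multi-line `$NIC` is later interpolated verbatim into the iptables/ip6tables rule scripts. Append `| head -1` to the pipeline: `NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p' | head -1)`. The pattern also requires at least one space after the device name (`\([^ ]*\) .*$`), so a route line that ends right after `dev <name>` would not match and `$NIC` would stay empty — worth confirming against the `ip -6 route` output on the supported distributions. The enclosing installOpenVPN function begins and ends outside the hunk.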
@@ -964,6 +964,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service echo "client" > /etc/openvpn/client-template.txt if [[ "$PROTOCOL" = 'udp' ]]; then echo "proto udp" >> /etc/openvpn/client-template.txt + echo "explicit-exit-notify" >> /etc/openvpn/client-template.txt elif [[ "$PROTOCOL" = 'tcp' ]]; then echo "proto tcp-client" >> /etc/openvpn/client-template.txt fi From 23e533431a2954e52ce699af29b663f8563efff5 Mon Sep 17 00:00:00 2001 From: Henry N Date: Thu, 26 Mar 2020 21:24:50 +0100 Subject: [PATCH 007/132] Fix error messag mkdir /etc/iptables (#580) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix this error message: mkdir: cannot create directory ‘/etc/iptables’: File exists --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index b0703d7..d943f7e 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -900,7 +900,7 @@ verb 3" >> /etc/openvpn/server.conf fi # Add iptables rules in two scripts - mkdir /etc/iptables + mkdir -p /etc/iptables # Script to add rules echo "#!/bin/sh From 3d075c8708f9e75d7d1a48b3e225200f028f7900 Mon Sep 17 00:00:00 2001 From: Henry N Date: Thu, 26 Mar 2020 21:27:16 +0100 Subject: [PATCH 008/132] Print warning about empty public interface (#581) Warning, if cannot detect public interface, and give user a choice to continue or abord. --- openvpn-install.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index d943f7e..078d200 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -610,6 +610,19 @@ function installOpenVPN () { NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') fi + # $NIC can not be empty for script rm-openvpn-rules.sh + if [[ -z "$NIC" ]]; then + echo + echo "Can not detect public interface." + echo "This needs for setup MASQUERADE." + until [[ $CONTINUE =~ (y|n) ]]; do + read -rp "Continue? [y/n]: " -e CONTINUE + done + if [[ "$CONTINUE" = "n" ]]; then + exit 1 + fi + fi + if [[ "$OS" =~ (debian|ubuntu) ]]; then apt-get update apt-get -y install ca-certificates gnupg From 44105eb06068ef95ff3217924ee615e8757f7516 Mon Sep 17 00:00:00 2001 From: Henry N Date: Sat, 28 Mar 2020 15:40:51 +0100 Subject: [PATCH 009/132] Fix systemd unit issue on Debian 9 (#585) On Debian 9 the copy of unit file `/etc/systemd/system/openvpn@.service` has no effect, see #583. Same problem as #129 and #378, unit can not start on OpenVZ. It must execute `systemctl enable` before `systemctl restart`. So the new link to `/etc/systemd/system/openvpn@.service` was created before `systemctl restart`. Fix https://github.com/angristan/openvpn-install/issues/583 --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 078d200..d152fb6 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -887,8 +887,8 @@ verb 3" >> /etc/openvpn/server.conf fi systemctl daemon-reload - systemctl restart openvpn-server@server systemctl enable openvpn-server@server + systemctl restart openvpn-server@server elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then # On Ubuntu 16.04, we use the package from the OpenVPN repo # This package uses a sysvinit service @@ -904,8 +904,8 @@ verb 3" >> /etc/openvpn/server.conf sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service systemctl daemon-reload - systemctl restart openvpn@server systemctl enable openvpn@server + systemctl restart openvpn@server fi if [[ $DNS == 2 ]];then 
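Review bot: The new `until [[ $CONTINUE =~ (y|n) ]]` loop reuses `$CONTINUE`, which checkOS already prompts into with the same pattern (visible at the `@@ -31` and `@@ -46` hunks of the later `=`→`==` commit); if the user answered `y` there, this loop's condition is already satisfied, the warning is printed but the question is never asked, and the install continues with the empty `$NIC` that the comment says rm-openvpn-rules.sh cannot tolerate. Add `unset CONTINUE` before the `until`, or prompt into a dedicated variable. The regex is also unanchored, so any answer containing a `y` or `n` (`no`, `yes`, `any`) ends the loop; `^(y|n)$` limits it to the two advertised answers. The message `This needs for setup MASQUERADE.` would read better as `It is needed to set up MASQUERADE.`. installOpenVPN starts and ends outside this hunk.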
From 7ed9cac8d78e630b0f68c4446074d19725e1c4f9 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Tue, 31 Mar 2020 21:05:44 +0000 Subject: [PATCH 010/132] Change Adguard DNS to Anycast (#596) See map at https://adguard.com/en/adguard-dns/overview.html --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index d152fb6..edb703e 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -293,8 +293,8 @@ function installQuestions () { echo " 8) OpenDNS (Anycast: worldwide)" echo " 9) Google (Anycast: worldwide)" echo " 10) Yandex Basic (Russia)" - echo " 11) AdGuard DNS (Russia)" - echo " 12) NextDNS (Worldwide)" + echo " 11) AdGuard DNS (Anycast: worldwide)" + echo " 12) NextDNS (Anycast: worldwide)" echo " 13) Custom" until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do read -rp "DNS [1-12]: " -e -i 3 DNS From e123635e7ca50792523ea034bf2ed19749aeb690 Mon Sep 17 00:00:00 2001 From: Henry N Date: Thu, 2 Apr 2020 16:30:50 +0200 Subject: [PATCH 011/132] Add comments to some DNS options in code (#598) --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index edb703e..a9f1a03 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -745,7 +745,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf # DNS resolvers case $DNS in - 1) + 1) # Current system resolvers # Locate the proper resolv.conf # Needed for systems running systemd-resolved if grep -q "127.0.0.53" "/etc/resolv.conf"; then @@ -758,7 +758,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf done ;; - 2) + 2) # Self-hosted DNS resolver (Unbound) echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf ;; 3) # Cloudflare 
From d958c15909270b3cc5f0c6bd1b5e6fd0182135b0 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Fri, 3 Apr 2020 11:13:57 +0200 Subject: [PATCH 012/132] =?UTF-8?q?=F0=9F=A4=A6=E2=80=8D=E2=99=82=EF=B8=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ca3cdf7..b6e90f0 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,9 @@ When OpenVPN is installed, you can run the script again, and you will get the ch In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client. -If you have any question, head to the [FAQ](#faq) first. +If you have any question, head to the [FAQ](#faq) and the [Wiki](https://github.com/angristan/openvpn-install/wiki/FAQ) first. Please read everything before opening an issue. + +**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special. ### Headless install From d31efe9e7b6483325cb6aa7976db2e7f2e28b403 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sat, 4 Apr 2020 11:54:17 +0200 Subject: [PATCH 013/132] Move FAQ from wiki to git to allow contributions (#611) Signed-off-by: Stanislas Lange --- .github/ISSUE_TEMPLATE.md | 2 +- FAQ.md | 47 +++++++++++++++++++++++++++++++++++++++ README.md | 6 ++--- 3 files changed, 51 insertions(+), 4 deletions(-) create mode 100644 FAQ.md diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index 617414b..36bc569 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md 
@@ -7,7 +7,7 @@ Before opening an issue, please make sure: - Your issue is about the script, NOT OpenVPN itself - ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed -FYI, you can excute the script with `bash -x openvpn-install.sh` to enable debug mode. +FYI, you can execute the script with `bash -x openvpn-install.sh` to enable debug mode. You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/ ---> diff --git a/FAQ.md b/FAQ.md new file mode 100644 index 0000000..895c865 --- /dev/null +++ b/FAQ.md 
@@ -0,0 +1,47 @@ +# FAQ + +**Q:** The script has been updated since I installed OpenVPN. How do I update? + +**A:** You can't. Managing updates and new features from the script would require way too much work. Your only solution is to uninstall OpenVPN and reinstall with the updated script. + +You can, of course, it's even recommended, update the `openvpn` package with your package manager. + +--- + +**Q:** How do I check for DNS leaks? + +**A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up. + +--- + +**Q:** Can I use an OpenVPN 2.3 client? + +**A:** Yes. I really recommend using an up-to-date client, but if you really need it, choose the following options: + +- No compression or LZ0 +- RSA certificate +- DH Key +- AES CBC +- tls-auth + +If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server.conf` and `.ovpn` files. + +--- + +**Q:** IPv6 is not working on my Hetzner VM + +**A:** This an issue on their side. See https://angristan.xyz/fix-ipv6-hetzner-cloud/ + +--- + +**Q:** DNS is not working on my Linux client + +**A:** Make sure the `resolvconf` package is installed. If it does not solve the issue, look at https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script + +--- + +**Q:** How to setup openVPN in a LXC container? (f.e. Proxmox) + +**A:** See https://github.com/Nyr/openvpn-install/wiki/How-to-setup-openVPN-in-a-LXC-container-(f.e.-Proxmox) + +--- diff --git a/README.md b/README.md index b6e90f0..f36e290 100644 --- a/README.md +++ b/README.md 
@@ -136,9 +136,7 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially ## FAQ -**LOOK AT THE [WIKI](https://github.com/angristan/openvpn-install/wiki/FAQ) FOR MORE INFORMATION. PLEASE READ BOTH BEFORE OPENING AN ISSUE.** - -**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. +More Q&A in [FAQ.md](FAQ.md). **Q:** Which provider do you recommend? @@ -174,6 +172,8 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially --- +More Q&A in [FAQ.md](FAQ.md). + ## One-stop solutions for public cloud Solutions that provision a ready to use OpenVPN server based on this script in one go are available for: From 7e7a494f595356625deda506fab65dc8a7520b59 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sat, 4 Apr 2020 11:55:08 +0200 Subject: [PATCH 014/132] Remove wiki link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f36e290..ecabc80 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ When OpenVPN is installed, you can run the script again, and you will get the ch In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client. -If you have any question, head to the [FAQ](#faq) and the [Wiki](https://github.com/angristan/openvpn-install/wiki/FAQ) first. Please read everything before opening an issue. +If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue. **PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special. 
From 6e8aeb3505fb206ac7dfc398825befd5766633e6 Mon Sep 17 00:00:00 2001 From: Henry N Date: Mon, 6 Apr 2020 14:41:10 +0200 Subject: [PATCH 015/132] Uninstallation: restart unbound only if not removed (#612) --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index a9f1a03..2b7c646 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1130,7 +1130,6 @@ function removeUnbound () { # Remove OpenVPN-related config sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf rm /etc/unbound/openvpn.conf - systemctl restart unbound until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do echo "" @@ -1157,6 +1156,7 @@ function removeUnbound () { echo "" echo "Unbound removed!" else + systemctl restart unbound echo "" echo "Unbound wasn't removed." fi From ef5d5faf30188d4d2a555e6914ff2fe415f17015 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Mon, 6 Apr 2020 12:51:58 +0000 Subject: [PATCH 016/132] Change = conditional to == (#591) --- openvpn-install.sh | 66 +++++++++++++++++++++++----------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2b7c646..2a36390 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -31,7 +31,7 @@ function checkOS () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE done - if [[ "$CONTINUE" = "n" ]]; then + if [[ "$CONTINUE" == "n" ]]; then exit 1 fi fi @@ -46,7 +46,7 @@ function checkOS () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE done - if [[ "$CONTINUE" = "n" ]]; then + if [[ "$CONTINUE" == "n" ]]; then exit 1 fi fi 
@@ -54,10 +54,10 @@ function checkOS () { elif [[ -e /etc/system-release ]]; then # shellcheck disable=SC1091 source /etc/os-release - if [[ "$ID" = "fedora" ]]; then + if [[ "$ID" == "fedora" ]]; then OS="fedora" fi - if [[ "$ID" = "centos" ]]; then + if [[ "$ID" == "centos" ]]; then OS="centos" if [[ ! $VERSION_ID =~ (7|8) ]]; then echo "⚠️ Your version of CentOS is not supported." @@ -67,7 +67,7 @@ function checkOS () { exit 1 fi fi - if [[ "$ID" = "amzn" ]]; then + if [[ "$ID" == "amzn" ]]; then OS="amzn" if [[ ! $VERSION_ID == "2" ]]; then echo "⚠️ Your version of Amazon Linux is not supported." @@ -121,7 +121,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf - elif [[ "$OS" = "fedora" ]]; then + elif [[ "$OS" == "fedora" ]]; then dnf install -y unbound # Configuration @@ -131,7 +131,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf - elif [[ "$OS" = "arch" ]]; then + elif [[ "$OS" == "arch" ]]; then pacman -Syu --noconfirm unbound # Get root servers list @@ -309,7 +309,7 @@ function installQuestions () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE done - if [[ $CONTINUE = "n" ]];then + if [[ $CONTINUE == "n" ]];then # Break the loop and cleanup unset DNS unset CONTINUE @@ -606,7 +606,7 @@ function installOpenVPN () { # Get the "public" interface from the default route NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) - if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" = 'y' ]]; then + if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') fi 
@@ -618,7 +618,7 @@ function installOpenVPN () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE done - if [[ "$CONTINUE" = "n" ]]; then + if [[ "$CONTINUE" == "n" ]]; then exit 1 fi fi @@ -627,27 +627,27 @@ function installOpenVPN () { apt-get update apt-get -y install ca-certificates gnupg # We add the OpenVPN repo to get the latest version. - if [[ "$VERSION_ID" = "8" ]]; then + if [[ "$VERSION_ID" == "8" ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi - if [[ "$VERSION_ID" = "16.04" ]]; then + if [[ "$VERSION_ID" == "16.04" ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. apt-get install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'centos' ]]; then + elif [[ "$OS" == 'centos' ]]; then yum install -y epel-release yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' - elif [[ "$OS" = 'amzn' ]]; then + elif [[ "$OS" == 'amzn' ]]; then amazon-linux-extras install -y epel yum install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'fedora' ]]; then + elif [[ "$OS" == 'fedora' ]]; then dnf install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'arch' ]]; then + elif [[ "$OS" == 'arch' ]]; then # Install required dependencies and upgrade the system pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl fi 
@@ -727,9 +727,9 @@ function installOpenVPN () { # Generate server.conf echo "port $PORT" > /etc/openvpn/server.conf - if [[ "$IPV6_SUPPORT" = 'n' ]]; then + if [[ "$IPV6_SUPPORT" == 'n' ]]; then echo "proto $PROTOCOL" >> /etc/openvpn/server.conf - elif [[ "$IPV6_SUPPORT" = 'y' ]]; then + elif [[ "$IPV6_SUPPORT" == 'y' ]]; then echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf fi @@ -811,7 +811,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf # IPv6 network settings if needed - if [[ "$IPV6_SUPPORT" = 'y' ]]; then + if [[ "$IPV6_SUPPORT" == 'y' ]]; then echo 'server-ipv6 fd42:42:42:42::/112 tun-ipv6 push tun-ipv6 @@ -857,7 +857,7 @@ verb 3" >> /etc/openvpn/server.conf # Enable routing echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf - if [[ "$IPV6_SUPPORT" = 'y' ]]; then + if [[ "$IPV6_SUPPORT" == 'y' ]]; then echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf fi # Apply sysctl rules @@ -873,7 +873,7 @@ verb 3" >> /etc/openvpn/server.conf fi # Finally, restart and enable OpenVPN - if [[ "$OS" = 'arch' || "$OS" = 'fedora' || "$OS" = 'centos' ]]; then + if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then # Don't modify package-provided service cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service @@ -923,7 +923,7 @@ iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh - if [[ "$IPV6_SUPPORT" = 'y' ]]; then + if [[ "$IPV6_SUPPORT" == 'y' ]]; then echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -I INPUT 1 -i tun0 -j ACCEPT ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT 
@@ -938,7 +938,7 @@ iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh - if [[ "$IPV6_SUPPORT" = 'y' ]]; then + if [[ "$IPV6_SUPPORT" == 'y' ]]; then echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT @@ -975,10 +975,10 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service # client-template.txt is created so we have a template to add further users later echo "client" > /etc/openvpn/client-template.txt - if [[ "$PROTOCOL" = 'udp' ]]; then + if [[ "$PROTOCOL" == 'udp' ]]; then echo "proto udp" >> /etc/openvpn/client-template.txt echo "explicit-exit-notify" >> /etc/openvpn/client-template.txt - elif [[ "$PROTOCOL" = 'tcp' ]]; then + elif [[ "$PROTOCOL" == 'tcp' ]]; then echo "proto tcp-client" >> /etc/openvpn/client-template.txt fi echo "remote $IP $PORT @@ -1092,7 +1092,7 @@ function newClient () { function revokeClient () { NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") - if [[ "$NUMBEROFCLIENTS" = '0' ]]; then + if [[ "$NUMBEROFCLIENTS" == '0' ]]; then echo "" echo "You have no existing clients!" exit 1 @@ -1101,7 +1101,7 @@ function revokeClient () { echo "" echo "Select the existing client certificate you want to revoke" tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' - if [[ "$NUMBEROFCLIENTS" = '1' ]]; then + if [[ "$NUMBEROFCLIENTS" == '1' ]]; then read -rp "Select one client [1]: " CLIENTNUMBER else read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER 
@@ -1137,17 +1137,17 @@ function removeUnbound () { read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND done - if [[ "$REMOVE_UNBOUND" = 'y' ]]; then + if [[ "$REMOVE_UNBOUND" == 'y' ]]; then # Stop Unbound systemctl stop unbound if [[ "$OS" =~ (debian|ubuntu) ]]; then apt-get autoremove --purge -y unbound - elif [[ "$OS" = 'arch' ]]; then + elif [[ "$OS" == 'arch' ]]; then pacman --noconfirm -R unbound elif [[ "$OS" =~ (centos|amzn) ]]; then yum remove -y unbound - elif [[ "$OS" = 'fedora' ]]; then + elif [[ "$OS" == 'fedora' ]]; then dnf remove -y unbound fi @@ -1166,7 +1166,7 @@ function removeOpenVPN () { echo "" # shellcheck disable=SC2034 read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE - if [[ "$REMOVE" = 'y' ]]; then + if [[ "$REMOVE" == 'y' ]]; then # Get OpenVPN port from the configuration PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) @@ -1210,11 +1210,11 @@ function removeOpenVPN () { rm /etc/apt/sources.list.d/openvpn.list apt-get update fi - elif [[ "$OS" = 'arch' ]]; then + elif [[ "$OS" == 'arch' ]]; then pacman --noconfirm -R openvpn elif [[ "$OS" =~ (centos|amzn) ]]; then yum remove -y openvpn - elif [[ "$OS" = 'fedora' ]]; then + elif [[ "$OS" == 'fedora' ]]; then dnf remove -y openvpn fi From 2c9c0ed0c31734110ba4a9c2fe7cb75db31298c3 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Fri, 10 Apr 2020 09:42:57 +0000 Subject: [PATCH 017/132] Improve sed line deletion (#608) --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2a36390..e0bdb13 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -1120,7 +1120,7 @@ function revokeClient () { chmod 644 /etc/openvpn/crl.pem find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete rm -f "/root/$CLIENT.ovpn" - sed -i "s|^$CLIENT,.*||" /etc/openvpn/ipp.txt + sed -i "/^$CLIENT,.*/d" /etc/openvpn/ipp.txt echo "" echo "Certificate for client $CLIENT revoked." @@ -1128,7 +1128,7 @@ function revokeClient () { function removeUnbound () { # Remove OpenVPN-related config - sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf + sed -i '/include: \/etc\/unbound\/openvpn.conf/d' /etc/unbound/unbound.conf rm /etc/unbound/openvpn.conf until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do From 6989b0d326f22439afc66b03011a0afd1bf9e2fa Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Fri, 10 Apr 2020 15:49:07 +0000 Subject: [PATCH 018/132] Add support for client-configuration-dir (#609) --- openvpn-install.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index e0bdb13..4d97cd4 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -849,9 +849,12 @@ ncp-ciphers $CIPHER tls-server tls-version-min 1.2 tls-cipher $CC_CIPHER +client-config-dir /etc/openvpn/ccd status /var/log/openvpn/status.log verb 3" >> /etc/openvpn/server.conf + # Create client-config-dir dir + mkdir -p /etc/openvpn/ccd # Create log dir mkdir -p /var/log/openvpn From c2a4edc714bac411913095473d5859b8748c8ad3 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sat, 18 Apr 2020 21:18:54 +0200 Subject: [PATCH 019/132] Re-add SayThanks.io --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index ecabc80..b7cbd01 100644 --- a/README.md +++ b/README.md 
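Review bot: `$CLIENT` is now spliced into a `/`-delimited sed address, `sed -i "/^$CLIENT,.*/d" /etc/openvpn/ipp.txt`, where the previous form used `|` as the delimiter; a client name containing `/` terminates the address early and makes sed abort, and regex metacharacters such as `.` or `*` in the name still match more than the literal string. The value comes from the CN column of index.txt via the user's menu choice, so whether this matters depends on what newClient accepts at creation time — if names are restricted to `[a-zA-Z0-9_]` there (not visible in this series), the change is harmless, and a one-line comment saying so above the sed would save the next reader the same check. Otherwise keep a delimiter that cannot appear in a name, e.g. `sed -i "\|^$CLIENT,|d" /etc/openvpn/ipp.txt` (the trailing `.*` in an address is redundant either way). revokeClient begins outside the hunk.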
@@ -323,9 +323,7 @@ The script supports both and uses `tls-crypt` by default. ## Say thanks -*Sadly saythanks.io doesn't exist anymore... Thanks for the dozens of messages! It's really meaninful to me.* - -*Still want to help? Check the "sponsor" button at the top of the page!* +You can [say thanks](https://saythanks.io/to/angristan%40pm.me) if you want! ## Credits & Licence From 8e9ca3ad10bc094dfa898934b270285c50496ec8 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Wed, 22 Apr 2020 11:26:57 +0200 Subject: [PATCH 020/132] Update issue templates --- .../bug-report---suport-request.md | 46 +++++++++++++++++++ .github/ISSUE_TEMPLATE/custom.md | 19 ++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 30 ++++++++++++ 3 files changed, 95 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug-report---suport-request.md create mode 100644 .github/ISSUE_TEMPLATE/custom.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md diff --git a/.github/ISSUE_TEMPLATE/bug-report---suport-request.md b/.github/ISSUE_TEMPLATE/bug-report---suport-request.md new file mode 100644 index 0000000..88599d4 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug-report---suport-request.md 
@@ -0,0 +1,46 @@ +--- +name: Bug report / Suport request +about: Create a report to help us improve +title: '' +labels: '' +assignees: '' + +--- + +**Checklist** + +[ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) +[ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) +[ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) +[ ] My issue is about the script, and not OpenVPN itself + +<--- +If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn) +---> + +**Describe the issue** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: +1. ... + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Logs** +If applicable, add logs or screenshots to help explain your problem. + +If you can reproduce the issue, please run the script in debug mode and post the output: `bash -x openvpn-install.sh` + +**Server (please complete the following information):** + - OS: [e.g. Debian 10] + - Hosting provider, if applicable [e.g. Vultr, AWS] + +**Client (if applicable) (please complete the following information):** + - Device: [e.g. iPhone6] + - OS: [e.g. iOS8.1] + - Client [e.g. OpenVPN Connect] + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/custom.md b/.github/ISSUE_TEMPLATE/custom.md new file mode 100644 index 0000000..74f5711 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/custom.md 
@@ -0,0 +1,19 @@ +--- +name: Custom issue template +about: Describe this issue template's purpose here. +title: '' +labels: '' +assignees: '' + +--- + +**Checklist** + +[ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) +[ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) +[ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) +[ ] My issue is about the script, and not OpenVPN itself + +<--- +If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn) +---> diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..04527a0 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -0,0 +1,30 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: '' +assignees: '' + +--- + +**Checklist** + +[ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) +[ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) +[ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) + +<--- +If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn) +---> + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. From 2b9c10823283b533b717f7195b45bb3ced52bfe9 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Wed, 22 Apr 2020 11:27:12 +0200 Subject: [PATCH 021/132] Delete ISSUE_TEMPLATE.md --- .github/ISSUE_TEMPLATE.md | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE.md diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md deleted file mode 100644 index 36bc569..0000000 --- a/.github/ISSUE_TEMPLATE.md +++ /dev/null @@ -1,13 +0,0 @@ - From 124606468d0e5f9538ac3080075c7cffcbe9100e Mon Sep 17 00:00:00 2001 
From: Stanislas Lange Date: Wed, 22 Apr 2020 11:33:47 +0200 Subject: [PATCH 022/132] Update issue templates --- ...est.md => bug-report-or-suport-request.md} | 29 ++++++++++--------- .github/ISSUE_TEMPLATE/custom.md | 19 ------------ .github/ISSUE_TEMPLATE/feature_request.md | 9 +++--- .github/ISSUE_TEMPLATE/somehting-else.md | 19 ++++++++++++ 4 files changed, 40 insertions(+), 36 deletions(-) rename .github/ISSUE_TEMPLATE/{bug-report---suport-request.md => bug-report-or-suport-request.md} (54%) delete mode 100644 .github/ISSUE_TEMPLATE/custom.md create mode 100644 .github/ISSUE_TEMPLATE/somehting-else.md diff --git a/.github/ISSUE_TEMPLATE/bug-report---suport-request.md b/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md similarity index 54% rename from .github/ISSUE_TEMPLATE/bug-report---suport-request.md rename to .github/ISSUE_TEMPLATE/bug-report-or-suport-request.md index 88599d4..f59acf9 100644 --- a/.github/ISSUE_TEMPLATE/bug-report---suport-request.md +++ b/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md @@ -1,5 +1,5 @@ --- -name: Bug report / Suport request +name: Bug report / Support request about: Create a report to help us improve title: '' labels: '' @@ -9,12 +9,12 @@ assignees: '' **Checklist** -[ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) -[ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) -[ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) -[ ] My issue is about the script, and not OpenVPN itself +- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) +- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) +- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) +- [ ] My issue is about the script, and not OpenVPN itself -<--- + 
@@ -23,6 +23,7 @@ A clear and concise description of what the bug is. **To Reproduce** Steps to reproduce the behavior: + 1. ... **Expected behavior** @@ -33,14 +34,16 @@ If applicable, add logs or screenshots to help explain your problem. If you can reproduce the issue, please run the script in debug mode and post the output: `bash -x openvpn-install.sh` -**Server (please complete the following information):** - - OS: [e.g. Debian 10] - - Hosting provider, if applicable [e.g. Vultr, AWS] +**Server if applicable):** -**Client (if applicable) (please complete the following information):** - - Device: [e.g. iPhone6] - - OS: [e.g. iOS8.1] - - Client [e.g. OpenVPN Connect] +- OS: [e.g. Debian 10] +- Hosting provider (if applicable): [e.g. Vultr, AWS] + +**Client (if applicable):** + +- Device: [e.g. iPhone6] +- OS: [e.g. iOS8.1] +- Client: [e.g. OpenVPN Connect] **Additional context** Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/custom.md b/.github/ISSUE_TEMPLATE/custom.md deleted file mode 100644 index 74f5711..0000000 --- a/.github/ISSUE_TEMPLATE/custom.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -name: Custom issue template -about: Describe this issue template's purpose here. -title: '' -labels: '' -assignees: '' - ---- - -**Checklist** - -[ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) -[ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) -[ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) -[ ] My issue is about the script, and not OpenVPN itself - -<--- -If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn) ----> diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index 04527a0..e5dd037 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md 
+++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -9,11 +9,12 @@ assignees: '' **Checklist** -[ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) -[ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) -[ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) +- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) +- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) +- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) +- [ ] My issue is about the script, and not OpenVPN itself -<--- + diff --git a/.github/ISSUE_TEMPLATE/somehting-else.md b/.github/ISSUE_TEMPLATE/somehting-else.md new file mode 100644 index 0000000..7f7058f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/somehting-else.md @@ -0,0 +1,19 @@ +--- +name: Something else +about: +title: '' +labels: '' +assignees: '' + +--- + +**Checklist** + +- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) +- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) +- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) +- [ ] My issue is about the script, and not OpenVPN itself + + From 2e17007cb3683d50313b21798b96df2d701c0cd5 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Wed, 22 Apr 2020 11:35:19 +0200 Subject: [PATCH 023/132] Update issue templates --- .../ISSUE_TEMPLATE/{feature_request.md => feature-request.md} | 0 .github/ISSUE_TEMPLATE/somehting-else.md | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename .github/ISSUE_TEMPLATE/{feature_request.md => feature-request.md} (100%) 
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature-request.md similarity index 100% rename from .github/ISSUE_TEMPLATE/feature_request.md rename to .github/ISSUE_TEMPLATE/feature-request.md diff --git a/.github/ISSUE_TEMPLATE/somehting-else.md b/.github/ISSUE_TEMPLATE/somehting-else.md index 7f7058f..08564b1 100644 --- a/.github/ISSUE_TEMPLATE/somehting-else.md +++ b/.github/ISSUE_TEMPLATE/somehting-else.md @@ -1,6 +1,6 @@ --- name: Something else -about: +about: Not a bug nor a feature request? title: '' labels: '' assignees: '' From 777bedaa38234904409c8017c86296606de60e77 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Wed, 22 Apr 2020 09:38:31 +0000 Subject: [PATCH 024/132] Add FAQ for DNS Leaks blocking (#627) --- FAQ.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/FAQ.md b/FAQ.md index 895c865..e6416b1 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -14,6 +14,41 @@ You can, of course, it's even recommended, update the `openvpn` package with you --- +**Q:** How do I fix DNS leaks? + +**A:** On Windows 10 DNS leaks are blocked by default with the `block-outside-dns` option. +On Linux you need to add these lines to your `.ovpn` file based on your Distribution. + +Debian 9, 10 and Ubuntu 16.04, 18.04 +``` +script-security 2 +up /etc/openvpn/update-resolv-conf +down /etc/openvpn/update-resolv-conf +``` + +Centos 6, 7 +``` +script-security 2 +up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up +down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down +``` + +Centos 8, Fedora 30, 31 +``` +script-security 2 +up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up +down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down +``` + +Arch Linux +``` +script-security 2 +up /usr/share/openvpn/contrib/pull-resolv-conf/client.up +down /usr/share/openvpn/contrib/pull-resolv-conf/client.down +``` + +--- + **Q:** Can I use an OpenVPN 2.3 client? **A:** Yes. I really recommend using an up-to-date client, but if you really need it, choose the following options: From fcc4cc4afd478012d629136921c7e79764174c00 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Wed, 22 Apr 2020 09:39:42 +0000 Subject: [PATCH 025/132] Add FAQ entry for sysctl and iptables changes (#626) --- FAQ.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/FAQ.md b/FAQ.md index e6416b1..18601a0 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -80,3 +80,11 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s **A:** See https://github.com/Nyr/openvpn-install/wiki/How-to-setup-openVPN-in-a-LXC-container-(f.e.-Proxmox) --- + +**Q:** What syctl and iptables changes are made by the script? + +**A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service` + +Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` + +--- From 0188c442a287fd86b49e2c574362abf5a990d345 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Thu, 23 Apr 2020 18:49:20 +0200 Subject: [PATCH 026/132] FAQ: Remove obsolete entry Fix #634 --- FAQ.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/FAQ.md b/FAQ.md index 18601a0..4c31f2f 100644 --- a/FAQ.md +++ b/FAQ.md @@ -75,16 +75,8 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s --- -**Q:** How to setup openVPN in a LXC container? (f.e. Proxmox) - -**A:** See https://github.com/Nyr/openvpn-install/wiki/How-to-setup-openVPN-in-a-LXC-container-(f.e.-Proxmox) - ---- - **Q:** What syctl and iptables changes are made by the script? **A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service` Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` - ---- From 72c99f3e8f78d35469c9383d5b6ed445782d3c02 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Fri, 24 Apr 2020 16:00:59 +0000 Subject: [PATCH 027/132] Add FAQ for router clients (#629) --- FAQ.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/FAQ.md b/FAQ.md index 4c31f2f..80db057 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -80,3 +80,16 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s **A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service` Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` + +--- + +**Q:** My router can't connect + +**A:** +- `Options error: No closing quotation (") in config.ovpn:46` : + + type `yes` when asked to customize encryption settings and choose `tls-auth` + +- `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` : + + see question "Can I use an OpenVPN 2.3 client?" From ecd2b45c9f1f5cc79c76a527d6306757997ea915 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sun, 26 Apr 2020 15:50:57 +0200 Subject: [PATCH 028/132] Delete issue template (blank still available) --- .github/ISSUE_TEMPLATE/somehting-else.md | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/somehting-else.md diff --git a/.github/ISSUE_TEMPLATE/somehting-else.md b/.github/ISSUE_TEMPLATE/somehting-else.md deleted file mode 100644 index 08564b1..0000000 --- a/.github/ISSUE_TEMPLATE/somehting-else.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -name: Something else -about: Not a bug nor a feature request? -title: '' -labels: '' -assignees: '' - ---- - -**Checklist** - -- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) -- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) -- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) -- [ ] My issue is about the script, and not OpenVPN itself - - From 0481e10bcef6a52f415891e3c329cc88da1c7bb2 Mon Sep 17 00:00:00 2001 
From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Mon, 27 Apr 2020 08:39:33 +0000 Subject: [PATCH 029/132] Add FAQ for client-to-client (#631) --- FAQ.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/FAQ.md b/FAQ.md index 80db057..0fa5340 100644 --- a/FAQ.md +++ b/FAQ.md @@ -83,6 +83,12 @@ Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` --- +**Q:** How can I access other clients connected to the same OpenVPN server? + +**A:** Add `client-to-client` to your `server.conf` + +--- + **Q:** My router can't connect **A:** From 957712e73d070da52eb6bb923cb016d8df455742 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 13:11:11 +0200 Subject: [PATCH 030/132] docs(readme): update compatibility matrix --- README.md | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index b7cbd01..05eb8ab 100644 --- a/README.md +++ b/README.md @@ -107,20 +107,17 @@ export PASS="1" The script supports these OS and architectures: -| | i386 | amd64 | armhf | arm64 | -| -------------- | ---- | ----- | ----- | ----- | -| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | -| Arch Linux | ❔ | ✅ | ❔ | ✅ | -| Centos 8 | ❌ | ✅ | ❔ | ❔ | -| CentOS 7 | ❔ | ✅ | ❌ | ✅ | -| Debian 8 | ✅ | ✅ | ❌ | ❌ | -| Debian 9 | ❌ | ✅ | ✅ | ✅ | -| Debian 10 | ❔ | ✅ | ✅ | ❔ | -| Fedora 27 | ❔ | ✅ | ❔ | ❔ | -| Fedora 28 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ | -| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ | +| | i386 | amd64 | armhf | arm64 | +| --------------- | ---- | ----- | ----- | ----- | +| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | +| Arch Linux | ❔ | ✅ | ❔ | ✅ | +| CentOS 7 | ❔ | ✅ | ❌ | ✅ | +| CentOS 8 | ❌ | ✅ | ❔ | ❔ | +| Debian 8 | ✅ | ✅ | ❌ | ❌ | +| Debian >= 9 | ❌ | ✅ | ✅ | ✅ | +| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | +| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | +| Ubuntu >= 18.04 | ❌ | ✅ | ✅ | ✅ | To be noted: From 3b0c2ace9048421468d60ac8f8f17fb319e58822 Mon Sep 17 00:00:00 2001 
From: Stanislas Lange Date: Mon, 27 Apr 2020 13:35:32 +0200 Subject: [PATCH 031/132] fix(checkOS): update Ubuntu/Debian compatibility check --- openvpn-install.sh | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4d97cd4..9187ec6 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -22,11 +22,10 @@ function checkOS () { source /etc/os-release if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then - if [[ ! $VERSION_ID =~ (8|9|10) ]]; then + if [[ "$VERSION_ID" -lt 8 ]]; then echo "⚠️ Your version of Debian is not supported." echo "" - echo "However, if you're using Debian >= 9 or unstable/testing then you can continue." - echo "Keep in mind they are not supported, though." + echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk." echo "" until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE @@ -37,11 +36,11 @@ function checkOS () { fi elif [[ "$ID" == "ubuntu" ]];then OS="ubuntu" - if [[ ! $VERSION_ID =~ (16.04|18.04|19.04) ]]; then + MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1) + if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then echo "⚠️ Your version of Ubuntu is not supported." echo "" - echo "However, if you're using Ubuntu > 17 or beta, then you can continue." - echo "Keep in mind they are not supported, though." + echo "However, if you're using Ubuntu >= 16.04 or beta, then you can continue, at your own risk." echo "" until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE From fe0b995bdf68b628ff38aa7529c64d6788881b93 Mon Sep 17 00:00:00 2001 
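Review bot: In the second hunk, `MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1)` spawns a subshell and two processes to take a string prefix; the parameter expansion `MAJOR_UBUNTU_VERSION=${VERSION_ID%%.*}` gives the same result with no forks. In both hunks the new `-lt` comparisons assume a numeric `VERSION_ID`; an empty value (Debian testing/sid does not set it) is treated as 0 and so still reaches the "not supported" prompt, which looks intended, but a non-numeric value would make `[[ ]]` print a syntax error and silently skip the warning, so a guard such as `[[ "$VERSION_ID" =~ ^[0-9]+ ]] || VERSION_ID=0` before the comparison would keep the fallback deterministic. Both hunks sit inside checkOS, whose start and end are outside this diff.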
From: John E <44390932+jmeubank@users.noreply.github.com> Date: Mon, 27 Apr 2020 04:56:34 -0700 Subject: [PATCH 032/132] feat(headless): make script idempotent This set of changes adjusts the script so that you can run it multiple times with the same input and not have any unexpected changes. This makes it appropriate for "enforcing state", as required by automated provisioners like Puppet, Salt, Chef, or Ansible. - Unbound, OpenVPN, easy-rsa, and other dependencies are only installed from upstream if they are not already present. This prevents multiple runs of the script from causing unexpected version upgrades. - The easy-rsa system is put in a folder called "easy-rsa-auto" so it can't conflict with the "easy-rsa" folder from some older OpenVPN packages - The easy-rsa CA is only initialized once - SERVER_CN and SERVER_NAME are randomly generated once and saved for future reference - File append ('>>') is only done strictly after a file is created with '>' (e.g. /etc/sysctl.d/20-openvpn.conf) - Clients are only added to easy-rsa once - If AUTO_INSTALL == y, then the script operates in install mode and doesn't enter manageMenu --- README.md | 2 + openvpn-install.sh | 224 +++++++++++++++++++++++++-------------------- 2 files changed, 129 insertions(+), 97 deletions(-) diff --git a/README.md b/README.md index 05eb8ab..bd82d07 100644 --- a/README.md +++ b/README.md 
@@ -72,6 +72,8 @@ Other variables can be set depending on your choice (encryption, compression). Y Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA. +The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run. + ### Headless User Addition It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script. diff --git a/openvpn-install.sh b/openvpn-install.sh index 9187ec6..5a78e73 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -97,6 +97,7 @@ function initialCheck () { } function installUnbound () { + # If Unbound isn't installed, install it if [[ ! -e /etc/unbound/unbound.conf ]]; then if [[ "$OS" =~ (debian|ubuntu) ]]; then @@ -136,7 +137,9 @@ prefetch: yes' >> /etc/unbound/unbound.conf # Get root servers list curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache - mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old + if [[ ! -f /etc/unbound/unbound.conf.old ]]; then + mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old + fi echo 'server: use-syslog: yes 
@@ -595,9 +598,13 @@ function installOpenVPN () { PASS=${PASS:-1} CONTINUE=${CONTINUE:-y} - # Behind NAT, we'll default to the publicly reachable IPv4. - PUBLIC_IPV4=$(curl ifconfig.co) - ENDPOINT=${ENDPOINT:-$PUBLIC_IPV4} + # Behind NAT, we'll default to the publicly reachable IPv4/IPv6. + if [[ $IPV6_SUPPORT == "y" ]]; then + PUBLIC_IP=$(curl https://ifconfig.co) + else + PUBLIC_IP=$(curl -4 https://ifconfig.co) + fi + ENDPOINT=${ENDPOINT:-$PUBLIC_IP} fi # Run setup questions first, and set other variales if auto-install 
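Review bot: Both new `PUBLIC_IP=$(curl https://ifconfig.co)` lines run curl without `-f`/`-sS` and never check the result, so a failed request, a captive-portal page or a rate-limit body ends up in `PUBLIC_IP`, and through `ENDPOINT=${ENDPOINT:-$PUBLIC_IP}` in the `remote` line of every client config that the headless run then produces. Use `curl -fsS` (with `-4` on the non-IPv6 branch, as already done) and refuse to continue when the value is empty or not an IP address literal, e.g. `[[ -n "$PUBLIC_IP" ]] || { echo "Could not detect a public IP; set ENDPOINT explicitly" >&2; exit 1; }`. installOpenVPN continues past the end of this hunk.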
@@ -622,33 +629,42 @@ function installOpenVPN () { fi fi - if [[ "$OS" =~ (debian|ubuntu) ]]; then - apt-get update - apt-get -y install ca-certificates gnupg - # We add the OpenVPN repo to get the latest version. - if [[ "$VERSION_ID" == "8" ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - + # If OpenVPN isn't installed yet, install it. This script is more-or-less + # idempotent on multiple runs, but will only install OpenVPN from upstream + # the first time. + if [[ ! -e /etc/openvpn/server.conf ]]; then + if [[ "$OS" =~ (debian|ubuntu) ]]; then apt-get update + apt-get -y install ca-certificates gnupg + # We add the OpenVPN repo to get the latest version. + if [[ "$VERSION_ID" = "8" ]]; then + echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list + wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - + apt-get update + fi + if [[ "$VERSION_ID" = "16.04" ]]; then + echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list + wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - + apt-get update + fi + # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. 
+ apt-get install -y openvpn iptables openssl wget ca-certificates curl + elif [[ "$OS" = 'centos' ]]; then + yum install -y epel-release + yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' + elif [[ "$OS" = 'amzn' ]]; then + amazon-linux-extras install -y epel + yum install -y openvpn iptables openssl wget ca-certificates curl + elif [[ "$OS" = 'fedora' ]]; then + dnf install -y openvpn iptables openssl wget ca-certificates curl + elif [[ "$OS" = 'arch' ]]; then + # Install required dependencies and upgrade the system + pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl fi - if [[ "$VERSION_ID" == "16.04" ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - - apt-get update + # An old version of easy-rsa was available by default in some openvpn packages + if [[ -d /etc/openvpn/easy-rsa/ ]]; then + rm -rf /etc/openvpn/easy-rsa/ fi - # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. - apt-get install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" == 'centos' ]]; then - yum install -y epel-release - yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' - elif [[ "$OS" == 'amzn' ]]; then - amazon-linux-extras install -y epel - yum install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" == 'fedora' ]]; then - dnf install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" == 'arch' ]]; then - # Install required dependencies and upgrade the system - pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl fi # Find out if the machine uses nogroup or nobody for the permissionless group 
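Review bot: The new gate `if [[ ! -e /etc/openvpn/server.conf ]]; then` tests a config file rather than the package, so a host where `server.conf` survives a package removal (or where an earlier run was aborted after writing it) never gets OpenVPN installed and the later `openvpn --genkey` and service start fail; `if [[ ! -e /etc/openvpn/server.conf ]] || ! command -v openvpn >/dev/null; then` keeps the idempotent skip while covering that case. The re-indented `wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -` lines now appear on the new side and still install the repository key on trust of the TLS connection alone; since `gnupg` is installed just above, comparing the downloaded key's fingerprint against a recorded value before `apt-key add` would pin it, and at minimum a comment stating that the key is trusted solely via HTTPS would document the decision. installOpenVPN starts before this hunk and continues after it.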
@@ -658,63 +674,70 @@ function installOpenVPN () { NOGROUP=nobody fi - # An old version of easy-rsa was available by default in some openvpn packages - if [[ -d /etc/openvpn/easy-rsa/ ]]; then - rm -rf /etc/openvpn/easy-rsa/ + # Install the latest version of easy-rsa from source, if not already + # installed. + if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then + local version="3.0.6" + wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz + tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/ + mkdir -p /etc/openvpn/easy-rsa + mv ~/EasyRSA-v${version}/* /etc/openvpn/easy-rsa/ + chown -R root:root /etc/openvpn/easy-rsa/ + rm -f ~/EasyRSA-unix-v${version}.tgz + + cd /etc/openvpn/easy-rsa/ || return + case $CERT_TYPE in + 1) + echo "set_var EASYRSA_ALGO ec" > vars + echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars + ;; + 2) + echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars + ;; + esac + + # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name + SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" + echo "$SERVER_CN" > SERVER_CN_GENERATED + SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" + echo "$SERVER_NAME" > SERVER_NAME_GENERATED + + echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars + + # Create the PKI, set up the CA, the DH params and the server certificate + ./easyrsa init-pki + + # Workaround to remove unharmful error until easy-rsa 3.0.7 + # https://github.com/OpenVPN/easy-rsa/issues/261 + sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf + + ./easyrsa --batch build-ca nopass + + if [[ $DH_TYPE == "2" ]]; then + # ECDH keys are generated on-the-fly so we don't need to generate them beforehand + openssl dhparam -out dh.pem $DH_KEY_SIZE + fi + + ./easyrsa build-server-full "$SERVER_NAME" nopass + EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl + + case $TLS_SIG in + 1) + # Generate tls-crypt 
key + openvpn --genkey --secret /etc/openvpn/tls-crypt.key + ;; + 2) + # Generate tls-auth key + openvpn --genkey --secret /etc/openvpn/tls-auth.key + ;; + esac + else + # If easy-rsa is already installed, grab the generated SERVER_NAME + # for client configs + cd /etc/openvpn/easy-rsa/ || return + SERVER_NAME=$(cat SERVER_NAME_GENERATED) fi - # Install the latest version of easy-rsa from source - local version="3.0.6" - wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz - tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/ - mv ~/EasyRSA-v${version} /etc/openvpn/easy-rsa - chown -R root:root /etc/openvpn/easy-rsa/ - rm -f ~/EasyRSA-unix-v${version}.tgz - - cd /etc/openvpn/easy-rsa/ || return - case $CERT_TYPE in - 1) - echo "set_var EASYRSA_ALGO ec" > vars - echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars - ;; - 2) - echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars - ;; - esac - - # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name - SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" - SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" - echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars - - # Create the PKI, set up the CA, the DH params and the server certificate - ./easyrsa init-pki - - # Workaround to remove unharmful error until easy-rsa 3.0.7 - # https://github.com/OpenVPN/easy-rsa/issues/261 - sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf - - ./easyrsa --batch build-ca nopass - - if [[ $DH_TYPE == "2" ]]; then - # ECDH keys are generated on-the-fly so we don't need to generate them beforehand - openssl dhparam -out dh.pem $DH_KEY_SIZE - fi - - ./easyrsa build-server-full "$SERVER_NAME" nopass - EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl - - case $TLS_SIG in - 1) - # Generate tls-crypt key - openvpn --genkey --secret /etc/openvpn/tls-crypt.key - ;; - 2) - # Generate 
tls-auth key - openvpn --genkey --secret /etc/openvpn/tls-auth.key - ;; - esac - # Move all the generated files cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn if [[ $DH_TYPE == "2" ]]; then @@ -858,8 +881,8 @@ verb 3" >> /etc/openvpn/server.conf mkdir -p /var/log/openvpn # Enable routing - echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf - if [[ "$IPV6_SUPPORT" == 'y' ]]; then + echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/20-openvpn.conf + if [[ "$IPV6_SUPPORT" = 'y' ]]; then echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf fi # Apply sysctl rules @@ -1028,16 +1051,23 @@ function newClient () { read -rp "Select an option [1-2]: " -e -i 1 PASS done - cd /etc/openvpn/easy-rsa/ || return - case $PASS in - 1) - ./easyrsa build-client-full "$CLIENT" nopass - ;; - 2) - echo "⚠️ You will be asked for the client password below ⚠️" - ./easyrsa build-client-full "$CLIENT" - ;; - esac + CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$") + if [[ "$CLIENTEXISTS" = '1' ]]; then + echo "" + echo "The specified client CN was found in easy-rsa." + else + cd /etc/openvpn/easy-rsa/ || return + case $PASS in + 1) + ./easyrsa build-client-full "$CLIENT" nopass + ;; + 2) + echo "⚠️ You will be asked for the client password below ⚠️" + ./easyrsa build-client-full "$CLIENT" + ;; + esac + echo "Client $CLIENT added." + fi # Home directory of the user, where the client configuration (.ovpn) will be written if [ -e "/home/$CLIENT" ]; then # if $1 is a user name @@ -1086,7 +1116,7 @@ function newClient () { } >> "$homeDir/$CLIENT.ovpn" echo "" - echo "Client $CLIENT added, the configuration file is available at $homeDir/$CLIENT.ovpn." + echo "The configuration file has been written to $homeDir/$CLIENT.ovpn." echo "Download the .ovpn file and import it in your OpenVPN client." exit 0 
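Review bot: The new gate `if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then` is satisfied as soon as `mkdir -p /etc/openvpn/easy-rsa` has run, so a first run that fails anywhere after that point (download, `build-ca`, `dhparam`) leaves the directory behind, and every later run takes the else branch, where `SERVER_NAME=$(cat SERVER_NAME_GENERATED)` fails and the `cp pki/ca.crt ...` that follows the hunk fails as well. Gating on an artifact written at the end of the PKI setup, e.g. `if [[ ! -f /etc/openvpn/easy-rsa/SERVER_NAME_GENERATED ]]; then` with the `echo "$SERVER_NAME" > SERVER_NAME_GENERATED` moved after the `gen-crl` step, makes a partial run repairable on the next invocation. The commit message says easy-rsa is placed in an "easy-rsa-auto" folder, but the hunk installs into `/etc/openvpn/easy-rsa/` and the previous hunk still removes that path on a fresh install, so either the message or the path should be reconciled. installOpenVPN starts before this hunk and continues after it.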
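Review bot: `CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")` counts every index entry, and `index.txt` keeps revoked certificates (status `R`), so a revoked client name is reported as "found" and the function goes on to write an .ovpn for a certificate that is on the CRL; after a revoke-then-re-add there are two matching lines, the count is 2 rather than `'1'`, and the script attempts a second `build-client-full`. Match only valid entries and test for presence instead of an exact count: `if tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -q -E "^V.*/CN=$CLIENT\$"; then`. `$CLIENT` is interpolated into an ERE here, which presumably relies on the name validation done earlier in newClient (outside this hunk); if that validation ever admits regex metacharacters, a fixed-string match on the `/CN=` field with `grep -F` would be safer. newClient starts before this hunk and continues after it.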
@@ -1276,7 +1306,7 @@ function manageMenu () {
 initialCheck
 # Check if OpenVPN is already installed
-if [[ -e /etc/openvpn/server.conf ]]; then
+if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then
 manageMenu
 else
 installOpenVPN
From 159ab9af6e5f3764a61cfefea951dd84dbe93ba4 Mon Sep 17 00:00:00 2001
From: randomshell <43271778+randomshell@users.noreply.github.com>
Date: Mon, 27 Apr 2020 12:12:23 +0000
Subject: [PATCH 033/132] refactor(revoke client): remove uneeded cleanup (#607)
The deletion of issued files is handled by easy-rsa. See function move_revoked() https://github.com/OpenVPN/easy-rsa/blob/f0129cfe6222820a85db2d394ab73d3c7759c5be/easyrsa3/easyrsa#L1050
---
 openvpn-install.sh | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 5a78e73..3071a65 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -1143,10 +1143,6 @@ function revokeClient () {
 cd /etc/openvpn/easy-rsa/ || return
 ./easyrsa --batch revoke "$CLIENT"
 EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
- # Cleanup
- rm -f "pki/reqs/$CLIENT.req"
- rm -f "pki/private/$CLIENT.key"
- rm -f "pki/issued/$CLIENT.crt"
 rm -f /etc/openvpn/crl.pem
 cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
 chmod 644 /etc/openvpn/crl.pem
From 62a4ff3b41d562c1d5c82dd48ff34aa36780b160 Mon Sep 17 00:00:00 2001
From: randomshell <43271778+randomshell@users.noreply.github.com>
Date: Mon, 27 Apr 2020 12:19:25 +0000
Subject: [PATCH 034/132] fix(client conf): ignore block-outside-dns if not supported (#628)
---
 openvpn-install.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 3071a65..d79620f 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -1020,6 +1020,7 @@ cipher $CIPHER
 tls-client
 tls-version-min 1.2
 tls-cipher $CC_CIPHER
+ignore-unknown-option block-outside-dns
 setenv opt block-outside-dns # Prevent Windows 10 DNS leak
 verb 3" >> /etc/openvpn/client-template.txt
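Review bot: With `AUTO_INSTALL=y` the new condition sends a host that already has `/etc/openvpn/server.conf` back through installOpenVPN, and nothing here guards what that unattended rerun overwrites; the earlier hunk of this patch skips only the easy-rsa/PKI step when server.conf exists, and the later hunks on this page show `server.conf` being written unconditionally (`echo "port $PORT" >/etc/openvpn/server.conf`), so a hand-tuned configuration would be silently replaced by the environment defaults. At minimum announce it before the call: `[[ -e /etc/openvpn/server.conf ]] && echo "AUTO_INSTALL=y: regenerating existing /etc/openvpn/server.conf" >&2`, or require an explicit reinstall variable in addition to AUTO_INSTALL. That the rewrite is unconditional is inferred from other hunks, not from this one.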
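Review bot: `ignore-unknown-option block-outside-dns` and `setenv opt block-outside-dns` now both exist to make the same directive non-fatal on clients that lack it, and nothing records which client versions each one covers, so the next cleanup is likely to drop one of them. Put the reason on the new line, e.g. `ignore-unknown-option block-outside-dns # older clients only know one of these two mechanisms; keep both` (verify against the OpenVPN changelog which versions need which before pinning numbers). Because the line goes into client-template.txt, only newly exported .ovpn files pick it up; existing client configs keep failing until re-exported, which the commit message could say. The template echo starts before the hunk.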
From a3e6652d6d63de55c6016b37af9ef20f3d8390cd Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Mon, 27 Apr 2020 12:20:04 +0000 Subject: [PATCH 035/132] docs(faq): update DNS not working question (#632) --- FAQ.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/FAQ.md b/FAQ.md index 0fa5340..537a165 100644 --- a/FAQ.md +++ b/FAQ.md @@ -71,7 +71,7 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s **Q:** DNS is not working on my Linux client -**A:** Make sure the `resolvconf` package is installed. If it does not solve the issue, look at https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script +**A:** See "How do I fix DNS leaks?" question --- From 8d5bb43aed6a631f77def65a60a61984a16e2252 Mon Sep 17 00:00:00 2001 From: Sidd Date: Mon, 27 Apr 2020 07:22:35 -0500 Subject: [PATCH 036/132] feat(curves): add secp256k1 option (#315) --- README.md | 4 ++-- openvpn-install.sh | 28 ++++++++++++++++++---------- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index bd82d07..8e55490 100644 --- a/README.md +++ b/README.md @@ -211,7 +211,7 @@ OpenVPN 2.4 added support for ECDSA. Elliptic curve cryptography is faster, ligh This script provides: -- ECDSA: `prime256v1`/`secp384r1`/`secp521r1` curves +- ECDSA: `prime256v1`/`secp256k1`/`secp384r1`/`secp521r1` curves - RSA: `2048`/`3072`/`4096` bits keys It defaults to ECDSA with `prime256v1`. @@ -276,7 +276,7 @@ Also, generating a classic DH keys can take a long, looong time. ECDH keys are e The script provides the following options: -- ECDH: `prime256v1`/`secp384r1`/`secp521r1` curves +- ECDH: `prime256v1`/`secp256k1`/`secp384r1`/`secp521r1` curves - DH: `2048`/`3072`/`4096` bits keys It defaults to `prime256v1`. diff --git a/openvpn-install.sh b/openvpn-install.sh index d79620f..ff19a04 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -416,19 +416,23 @@ function installQuestions () { echo "" echo "Choose which curve you want to use for the certificate's key:" echo " 1) prime256v1 (recommended)" - echo " 2) secp384r1" - echo " 3) secp521r1" - until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do - read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE + echo " 2) secp256k1" + echo " 3) secp384r1" + echo " 4) secp521r1" + until [[ $CERT_CURVE_CHOICE =~ ^[1-4]$ ]]; do + read -rp"Curve [1-4]: " -e -i 1 CERT_CURVE_CHOICE done case $CERT_CURVE_CHOICE in 1) CERT_CURVE="prime256v1" ;; 2) - CERT_CURVE="secp384r1" + CERT_CURVE="secp256k1" ;; 3) + CERT_CURVE="secp384r1" + ;; + 4) CERT_CURVE="secp521r1" ;; esac @@ -501,19 +505,23 @@ function installQuestions () { echo "" echo "Choose which curve you want to use for the ECDH key:" echo " 1) prime256v1 (recommended)" - echo " 2) secp384r1" - echo " 3) secp521r1" - while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do - read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE + echo " 2) secp256k1" + echo " 3) secp384r1" + echo " 4) secp521r1" + until [[ $DH_CURVE_CHOICE =~ ^[1-4]$ ]]; do + read -rp"Curve [1-4]: " -e -i 1 DH_CURVE_CHOICE done case $DH_CURVE_CHOICE in 1) DH_CURVE="prime256v1" ;; 2) - DH_CURVE="secp384r1" + DH_CURVE="secp256k1" ;; 3) + DH_CURVE="secp384r1" + ;; + 4) DH_CURVE="secp521r1" ;; esac From e3139cd8778d62b29b95d61d0cba78c15ba8b1ba Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 14:36:44 +0200 Subject: [PATCH 037/132] Revert "feat(curves): add secp256k1 option (#315)" This reverts commit 8d5bb43aed6a631f77def65a60a61984a16e2252. Tested with Viscosity, doesn't work --- README.md | 4 ++-- openvpn-install.sh | 28 ++++++++++------------------ 2 files changed, 12 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 8e55490..bd82d07 100644 --- a/README.md +++ b/README.md 
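Review bot: secp256k1 is a Koblitz curve picked for speed in specific ecosystems, not one TLS stacks are expected to support; a certificate key on it gives no security margin over prime256v1 at the same 128-bit level while turning interoperability into a gamble (the revert that follows on this page reports it failing with Viscosity). If the option stays, the menu should say so instead of presenting it as a peer of the NIST curves: `echo " 2) secp256k1 (not supported by all clients)"`. Otherwise leave the list at prime256v1/secp384r1/secp521r1, which every OpenVPN 2.4 client can negotiate. installQuestions starts and ends outside the hunk.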
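Review bot: For the ECDH curve the choice is negotiated in the TLS handshake, and secp256k1 is not among the supported groups TLS 1.3 defines (RFC 8446 lists secp256r1, secp384r1, secp521r1, x25519 and x448), so a client that ends up on TLS 1.3 cannot use it even when its OpenSSL build knows the curve. If the option is kept, flag it in the menu: `echo " 2) secp256k1 (cannot be negotiated over TLS 1.3)"`. The switch from the `while [[ $DH_CURVE_CHOICE != "1" && ... ]]` chain to `until [[ $DH_CURVE_CHOICE =~ ^[1-4]$ ]]` is a good consistency fix with the CERT_CURVE_CHOICE prompt and is worth keeping regardless of the curve decision.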
@@ -211,7 +211,7 @@ OpenVPN 2.4 added support for ECDSA. Elliptic curve cryptography is faster, ligh This script provides: -- ECDSA: `prime256v1`/`secp256k1`/`secp384r1`/`secp521r1` curves +- ECDSA: `prime256v1`/`secp384r1`/`secp521r1` curves - RSA: `2048`/`3072`/`4096` bits keys It defaults to ECDSA with `prime256v1`. @@ -276,7 +276,7 @@ Also, generating a classic DH keys can take a long, looong time. ECDH keys are e The script provides the following options: -- ECDH: `prime256v1`/`secp256k1`/`secp384r1`/`secp521r1` curves +- ECDH: `prime256v1`/`secp384r1`/`secp521r1` curves - DH: `2048`/`3072`/`4096` bits keys It defaults to `prime256v1`. diff --git a/openvpn-install.sh b/openvpn-install.sh index ff19a04..d79620f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -416,23 +416,19 @@ function installQuestions () { echo "" echo "Choose which curve you want to use for the certificate's key:" echo " 1) prime256v1 (recommended)" - echo " 2) secp256k1" - echo " 3) secp384r1" - echo " 4) secp521r1" - until [[ $CERT_CURVE_CHOICE =~ ^[1-4]$ ]]; do - read -rp"Curve [1-4]: " -e -i 1 CERT_CURVE_CHOICE + echo " 2) secp384r1" + echo " 3) secp521r1" + until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do + read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE done case $CERT_CURVE_CHOICE in 1) CERT_CURVE="prime256v1" ;; 2) - CERT_CURVE="secp256k1" - ;; - 3) CERT_CURVE="secp384r1" ;; - 4) + 3) CERT_CURVE="secp521r1" ;; esac 
@@ -505,23 +501,19 @@ function installQuestions () { echo "" echo "Choose which curve you want to use for the ECDH key:" echo " 1) prime256v1 (recommended)" - echo " 2) secp256k1" - echo " 3) secp384r1" - echo " 4) secp521r1" - until [[ $DH_CURVE_CHOICE =~ ^[1-4]$ ]]; do - read -rp"Curve [1-4]: " -e -i 1 DH_CURVE_CHOICE + echo " 2) secp384r1" + echo " 3) secp521r1" + while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do + read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE done case $DH_CURVE_CHOICE in 1) DH_CURVE="prime256v1" ;; 2) - DH_CURVE="secp256k1" - ;; - 3) DH_CURVE="secp384r1" ;; - 4) + 3) DH_CURVE="secp521r1" ;; esac From 6cc0022dff3025a6d5b1fe0dde6e9a967926fab7 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 27 Apr 2020 14:59:19 +0200 Subject: [PATCH 038/132] style(script): format with shfmt (#638) shfmt -w -s --- openvpn-install.sh | 760 ++++++++++++++++++++++----------------------- 1 file changed, 380 insertions(+), 380 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index d79620f..7c2cffc 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -3,26 +3,26 @@ # Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux # https://github.com/angristan/openvpn-install -function isRoot () { +function isRoot() { if [ "$EUID" -ne 0 ]; then return 1 fi } -function tunAvailable () { +function tunAvailable() { if [ ! -e /dev/net/tun ]; then return 1 fi } -function checkOS () { +function checkOS() { if [[ -e /etc/debian_version ]]; then OS="debian" # shellcheck disable=SC1091 source /etc/os-release - if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then - if [[ "$VERSION_ID" -lt 8 ]]; then + if [[ $ID == "debian" || $ID == "raspbian" ]]; then + if [[ $VERSION_ID -lt 8 ]]; then echo "⚠️ Your version of Debian is not supported." echo "" echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk." 
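Review bot: The revert also brings back `while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]`, which the reverted commit had replaced with an anchored regex loop; the CERT_CURVE_CHOICE prompt in the companion hunk validates with `until [[ ... =~ ^[1-3]$ ]]`, so the two prompts now diverge again. Dropping the secp256k1 option does not require dropping the loop rewrite: keep `until [[ $DH_CURVE_CHOICE =~ ^[1-3]$ ]]; do` with the `Curve [1-3]` prompt. installQuestions starts and ends outside the hunk.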
@@ -30,11 +30,11 @@ function checkOS () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE done - if [[ "$CONTINUE" == "n" ]]; then + if [[ $CONTINUE == "n" ]]; then exit 1 fi fi - elif [[ "$ID" == "ubuntu" ]];then + elif [[ $ID == "ubuntu" ]]; then OS="ubuntu" MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1) if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then @@ -45,7 +45,7 @@ function checkOS () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE done - if [[ "$CONTINUE" == "n" ]]; then + if [[ $CONTINUE == "n" ]]; then exit 1 fi fi @@ -53,10 +53,10 @@ function checkOS () { elif [[ -e /etc/system-release ]]; then # shellcheck disable=SC1091 source /etc/os-release - if [[ "$ID" == "fedora" ]]; then + if [[ $ID == "fedora" ]]; then OS="fedora" fi - if [[ "$ID" == "centos" ]]; then + if [[ $ID == "centos" ]]; then OS="centos" if [[ ! $VERSION_ID =~ (7|8) ]]; then echo "⚠️ Your version of CentOS is not supported." @@ -66,9 +66,9 @@ function checkOS () { exit 1 fi fi - if [[ "$ID" == "amzn" ]]; then + if [[ $ID == "amzn" ]]; then OS="amzn" - if [[ ! $VERSION_ID == "2" ]]; then + if [[ $VERSION_ID != "2" ]]; then echo "⚠️ Your version of Amazon Linux is not supported." echo "" echo "The script only support Amazon Linux 2." @@ -84,7 +84,7 @@ function checkOS () { fi } -function initialCheck () { +function initialCheck() { if ! isRoot; then echo "Sorry, you need to run this as root" exit 1 @@ -96,11 +96,11 @@ function initialCheck () { checkOS } -function installUnbound () { +function installUnbound() { # If Unbound isn't installed, install it if [[ ! -e /etc/unbound/unbound.conf ]]; then - if [[ "$OS" =~ (debian|ubuntu) ]]; then + if [[ $OS =~ (debian|ubuntu) ]]; then apt-get install -y unbound # Configuration 
@@ -109,9 +109,9 @@ access-control: 10.8.0.1/24 allow hide-identity: yes hide-version: yes use-caps-for-id: yes -prefetch: yes' >> /etc/unbound/unbound.conf +prefetch: yes' >>/etc/unbound/unbound.conf - elif [[ "$OS" =~ (centos|amzn) ]]; then + elif [[ $OS =~ (centos|amzn) ]]; then yum install -y unbound # Configuration @@ -121,7 +121,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf - elif [[ "$OS" == "fedora" ]]; then + elif [[ $OS == "fedora" ]]; then dnf install -y unbound # Configuration @@ -131,7 +131,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf - elif [[ "$OS" == "arch" ]]; then + elif [[ $OS == "arch" ]]; then pacman -Syu --noconfirm unbound # Get root servers list @@ -157,10 +157,10 @@ prefetch: yes' >> /etc/unbound/unbound.conf hide-identity: yes hide-version: yes qname-minimisation: yes - prefetch: yes' > /etc/unbound/unbound.conf + prefetch: yes' >/etc/unbound/unbound.conf fi - if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then + if [[ ! $OS =~ (fedora|centos|amzn) ]]; then # DNS Rebinding fix echo "private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 @@ -169,10 +169,10 @@ private-address: 169.254.0.0/16 private-address: fd00::/8 private-address: fe80::/10 private-address: 127.0.0.0/8 -private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf +private-address: ::ffff:0:0/96" >>/etc/unbound/unbound.conf fi else # Unbound is already installed - echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf + echo 'include: /etc/unbound/openvpn.conf' >>/etc/unbound/unbound.conf # Add Unbound 'server' for the OpenVPN subnet echo 'server: 
@@ -189,14 +189,14 @@ private-address: 169.254.0.0/16 private-address: fd00::/8 private-address: fe80::/10 private-address: 127.0.0.0/8 -private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf +private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf fi - systemctl enable unbound - systemctl restart unbound + systemctl enable unbound + systemctl restart unbound } -function installQuestions () { +function installQuestions() { echo "Welcome to the OpenVPN installer!" echo "The git repository is available at: https://github.com/angristan/openvpn-install" echo "" @@ -218,7 +218,7 @@ function installQuestions () { echo "" echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?" echo "We need it for the clients to connect to the server." - until [[ "$ENDPOINT" != "" ]]; do + until [[ $ENDPOINT != "" ]]; do read -rp "Public IPv4 address or hostname: " -e ENDPOINT done fi @@ -227,7 +227,7 @@ function installQuestions () { echo "Checking for IPv6 connectivity..." echo "" # "ping6" and "ping -6" availability varies depending on the distribution - if type ping6 > /dev/null 2>&1; then + if type ping6 >/dev/null 2>&1; then PING6="ping6 -c3 ipv6.google.com > /dev/null 2>&1" else PING6="ping -6 -c3 ipv6.google.com > /dev/null 2>&1" 
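Review bot: The IPv6 probe is stored as a string (`PING6="ping6 -c3 ipv6.google.com > /dev/null 2>&1"`) whose embedded redirections only work when the string is later passed through `eval`; the call site is outside this hunk, so this is inferred from the string's shape. A shell function keeps the redirection as syntax, needs no eval, and is what the formatting pass would otherwise have nothing to simplify. The rest of installQuestions is outside the hunk.
```shell
if type ping6 >/dev/null 2>&1; then
	ping6_probe() { ping6 -c3 ipv6.google.com >/dev/null 2>&1; }
else
	ping6_probe() { ping -6 -c3 ipv6.google.com >/dev/null 2>&1; }
fi
# … the consumer (outside the hunk) then calls ping6_probe instead of eval "$PING6" …
```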
@@ -249,22 +249,22 @@ function installQuestions () { echo " 1) Default: 1194" echo " 2) Custom" echo " 3) Random [49152-65535]" - until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do + until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE done case $PORT_CHOICE in - 1) - PORT="1194" + 1) + PORT="1194" ;; - 2) - until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do - read -rp "Custom port [1-65535]: " -e -i 1194 PORT - done + 2) + until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do + read -rp "Custom port [1-65535]: " -e -i 1194 PORT + done ;; - 3) - # Generate random number within private ports range - PORT=$(shuf -i49152-65535 -n1) - echo "Random Port: $PORT" + 3) + # Generate random number within private ports range + PORT=$(shuf -i49152-65535 -n1) + echo "Random Port: $PORT" ;; esac echo "" @@ -272,15 +272,15 @@ function installQuestions () { echo "UDP is faster. Unless it is not available, you shouldn't use TCP." echo " 1) UDP" echo " 2) TCP" - until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do + until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE done case $PROTOCOL_CHOICE in - 1) - PROTOCOL="udp" + 1) + PROTOCOL="udp" ;; - 2) - PROTOCOL="tcp" + 2) + PROTOCOL="tcp" ;; esac echo "" 
@@ -298,42 +298,42 @@ function installQuestions () { echo " 11) AdGuard DNS (Anycast: worldwide)" echo " 12) NextDNS (Anycast: worldwide)" echo " 13) Custom" - until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do + until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do read -rp "DNS [1-12]: " -e -i 3 DNS - if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then - echo "" - echo "Unbound is already installed." - echo "You can allow the script to configure it in order to use it from your OpenVPN clients" - echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet." - echo "No changes are made to the current configuration." - echo "" + if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then + echo "" + echo "Unbound is already installed." + echo "You can allow the script to configure it in order to use it from your OpenVPN clients" + echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet." + echo "No changes are made to the current configuration." + echo "" - until [[ $CONTINUE =~ (y|n) ]]; do - read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE - done - if [[ $CONTINUE == "n" ]];then - # Break the loop and cleanup - unset DNS - unset CONTINUE - fi - elif [[ $DNS == "13" ]]; then - until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do - read -rp "Primary DNS: " -e DNS1 - done - until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do - read -rp "Secondary DNS (optional): " -e DNS2 - if [[ "$DNS2" == "" ]]; then - break - fi - done + until [[ $CONTINUE =~ (y|n) ]]; do + read -rp "Apply configuration changes to Unbound? 
[y/n]: " -e CONTINUE + done + if [[ $CONTINUE == "n" ]]; then + # Break the loop and cleanup + unset DNS + unset CONTINUE fi + elif [[ $DNS == "13" ]]; then + until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "Primary DNS: " -e DNS1 + done + until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "Secondary DNS (optional): " -e DNS2 + if [[ $DNS2 == "" ]]; then + break + fi + done + fi done echo "" echo "Do you want to use compression? It is not recommended since the VORACLE attack make use of it." until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED done - if [[ $COMPRESSION_ENABLED == "y" ]];then + if [[ $COMPRESSION_ENABLED == "y" ]]; then echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)" echo " 1) LZ4-v2" echo " 2) LZ4" @@ -342,13 +342,13 @@ function installQuestions () { read -rp"Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE done case $COMPRESSION_CHOICE in - 1) + 1) COMPRESSION_ALG="lz4-v2" ;; - 2) + 2) COMPRESSION_ALG="lz4" ;; - 3) + 3) COMPRESSION_ALG="lzo" ;; esac @@ -362,7 +362,7 @@ function installQuestions () { until [[ $CUSTOMIZE_ENC =~ (y|n) ]]; do read -rp "Customize encryption settings? [y/n]: " -e -i n CUSTOMIZE_ENC done - if [[ $CUSTOMIZE_ENC == "n" ]];then + if [[ $CUSTOMIZE_ENC == "n" ]]; then # Use default, sane and fast parameters CIPHER="AES-128-GCM" CERT_TYPE="1" # ECDSA 
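Review bot: The prompt `read -rp "DNS [1-12]: " -e -i 3 DNS` still advertises twelve choices while the menu above lists thirteen and the loop accepts `-le 13`, so the Custom entry is reachable but never announced; change it to `read -rp "DNS [1-13]: " -e -i 3 DNS`. This predates the formatting commit, which only re-indented the loop. The DNS1/DNS2 validation regex accepts dotted IPv4 only, so an IPv6 resolver cannot be entered even when IPV6_SUPPORT is on — until that is handled, say so in the prompt (`Primary DNS (IPv4): `). installQuestions starts and ends outside the hunk.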
@@ -381,27 +381,27 @@ function installQuestions () { echo " 4) AES-128-CBC" echo " 5) AES-192-CBC" echo " 6) AES-256-CBC" - until [[ "$CIPHER_CHOICE" =~ ^[1-6]$ ]]; do + until [[ $CIPHER_CHOICE =~ ^[1-6]$ ]]; do read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE done case $CIPHER_CHOICE in - 1) - CIPHER="AES-128-GCM" + 1) + CIPHER="AES-128-GCM" ;; - 2) - CIPHER="AES-192-GCM" + 2) + CIPHER="AES-192-GCM" ;; - 3) - CIPHER="AES-256-GCM" + 3) + CIPHER="AES-256-GCM" ;; - 4) - CIPHER="AES-128-CBC" + 4) + CIPHER="AES-128-CBC" ;; - 5) - CIPHER="AES-192-CBC" + 5) + CIPHER="AES-192-CBC" ;; - 6) - CIPHER="AES-256-CBC" + 6) + CIPHER="AES-256-CBC" ;; esac echo "" 
@@ -412,81 +412,81 @@ function installQuestions () { read -rp"Certificate key type [1-2]: " -e -i 1 CERT_TYPE done case $CERT_TYPE in + 1) + echo "" + echo "Choose which curve you want to use for the certificate's key:" + echo " 1) prime256v1 (recommended)" + echo " 2) secp384r1" + echo " 3) secp521r1" + until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do + read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE + done + case $CERT_CURVE_CHOICE in 1) - echo "" - echo "Choose which curve you want to use for the certificate's key:" - echo " 1) prime256v1 (recommended)" - echo " 2) secp384r1" - echo " 3) secp521r1" - until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do - read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE - done - case $CERT_CURVE_CHOICE in - 1) - CERT_CURVE="prime256v1" - ;; - 2) - CERT_CURVE="secp384r1" - ;; - 3) - CERT_CURVE="secp521r1" - ;; - esac - ;; + CERT_CURVE="prime256v1" + ;; 2) - echo "" - echo "Choose which size you want to use for the certificate's RSA key:" - echo " 1) 2048 bits (recommended)" - echo " 2) 3072 bits" - echo " 3) 4096 bits" - until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do - read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE - done - case $RSA_KEY_SIZE_CHOICE in - 1) - RSA_KEY_SIZE="2048" - ;; - 2) - RSA_KEY_SIZE="3072" - ;; - 3) - RSA_KEY_SIZE="4096" - ;; - esac + CERT_CURVE="secp384r1" + ;; + 3) + CERT_CURVE="secp521r1" + ;; + esac + ;; + 2) + echo "" + echo "Choose which size you want to use for the certificate's RSA key:" + echo " 1) 2048 bits (recommended)" + echo " 2) 3072 bits" + echo " 3) 4096 bits" + until [[ $RSA_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do + read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE + done + case $RSA_KEY_SIZE_CHOICE in + 1) + RSA_KEY_SIZE="2048" + ;; + 2) + RSA_KEY_SIZE="3072" + ;; + 3) + RSA_KEY_SIZE="4096" + ;; + esac ;; esac echo "" echo "Choose which cipher you want to use for the control channel:" case $CERT_TYPE in + 1) + echo " 1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)" + echo " 2) 
ECDHE-ECDSA-AES-256-GCM-SHA384" + until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do + read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE + done + case $CC_CIPHER_CHOICE in 1) - echo " 1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)" - echo " 2) ECDHE-ECDSA-AES-256-GCM-SHA384" - until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do - read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE - done - case $CC_CIPHER_CHOICE in - 1) - CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" - ;; - 2) - CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" - ;; - esac - ;; + CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" + ;; 2) - echo " 1) ECDHE-RSA-AES-128-GCM-SHA256 (recommended)" - echo " 2) ECDHE-RSA-AES-256-GCM-SHA384" - until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do - read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE - done - case $CC_CIPHER_CHOICE in - 1) - CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" - ;; - 2) - CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" - ;; - esac + CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" + ;; + esac + ;; + 2) + echo " 1) ECDHE-RSA-AES-128-GCM-SHA256 (recommended)" + echo " 2) ECDHE-RSA-AES-256-GCM-SHA384" + until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do + read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE + done + case $CC_CIPHER_CHOICE in + 1) + CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" + ;; + 2) + CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" + ;; + esac ;; esac echo "" 
@@ -497,54 +497,54 @@ function installQuestions () { read -rp"DH key type [1-2]: " -e -i 1 DH_TYPE done case $DH_TYPE in + 1) + echo "" + echo "Choose which curve you want to use for the ECDH key:" + echo " 1) prime256v1 (recommended)" + echo " 2) secp384r1" + echo " 3) secp521r1" + while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do + read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE + done + case $DH_CURVE_CHOICE in 1) - echo "" - echo "Choose which curve you want to use for the ECDH key:" - echo " 1) prime256v1 (recommended)" - echo " 2) secp384r1" - echo " 3) secp521r1" - while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do - read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE - done - case $DH_CURVE_CHOICE in - 1) - DH_CURVE="prime256v1" - ;; - 2) - DH_CURVE="secp384r1" - ;; - 3) - DH_CURVE="secp521r1" - ;; - esac - ;; + DH_CURVE="prime256v1" + ;; 2) - echo "" - echo "Choose what size of Diffie-Hellman key you want to use:" - echo " 1) 2048 bits (recommended)" - echo " 2) 3072 bits" - echo " 3) 4096 bits" - until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do - read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE - done - case $DH_KEY_SIZE_CHOICE in - 1) - DH_KEY_SIZE="2048" - ;; - 2) - DH_KEY_SIZE="3072" - ;; - 3) - DH_KEY_SIZE="4096" - ;; - esac + DH_CURVE="secp384r1" + ;; + 3) + DH_CURVE="secp521r1" + ;; + esac + ;; + 2) + echo "" + echo "Choose what size of Diffie-Hellman key you want to use:" + echo " 1) 2048 bits (recommended)" + echo " 2) 3072 bits" + echo " 3) 4096 bits" + until [[ $DH_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do + read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE + done + case $DH_KEY_SIZE_CHOICE in + 1) + DH_KEY_SIZE="2048" + ;; + 2) + DH_KEY_SIZE="3072" + ;; + 3) + DH_KEY_SIZE="4096" + ;; + esac ;; esac echo "" # The "auth" options behaves differently with AEAD ciphers - if [[ "$CIPHER" =~ CBC$ ]]; then + if [[ $CIPHER =~ CBC$ ]]; then echo "The digest 
algorithm authenticates data channel packets and tls-auth packets from the control channel." - elif [[ "$CIPHER" =~ GCM$ ]]; then + elif [[ $CIPHER =~ GCM$ ]]; then echo "The digest algorithm authenticates tls-auth packets from the control channel." fi echo "Which digest algorithm do you want to use for HMAC?" @@ -555,14 +555,14 @@ function installQuestions () { read -rp "Digest algorithm [1-3]: " -e -i 1 HMAC_ALG_CHOICE done case $HMAC_ALG_CHOICE in - 1) - HMAC_ALG="SHA256" + 1) + HMAC_ALG="SHA256" ;; - 2) - HMAC_ALG="SHA384" + 2) + HMAC_ALG="SHA384" ;; - 3) - HMAC_ALG="SHA512" + 3) + HMAC_ALG="SHA512" ;; esac echo "" @@ -571,7 +571,7 @@ function installQuestions () { echo " 1) tls-crypt (recommended)" echo " 2) tls-auth" until [[ $TLS_SIG =~ [1-2] ]]; do - read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG + read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG done fi echo "" @@ -583,7 +583,7 @@ function installQuestions () { fi } -function installOpenVPN () { +function installOpenVPN() { if [[ $AUTO_INSTALL == "y" ]]; then # Set default choices so that no questions will be asked. APPROVE_INSTALL=${APPROVE_INSTALL:-y} 
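Review bot: `until [[ $TLS_SIG =~ [1-2] ]]` is unanchored, so inputs such as `12`, `21` or `x1` pass the loop; the later `case $TLS_SIG in 1) ... 2) ... esac` that generates the tls-crypt/tls-auth key matches neither, and the server comes up with no control-channel key at all while the question looked answered. Every other menu in this function anchors the pattern — change this one to `until [[ $TLS_SIG =~ ^[1-2]$ ]]; do`. The formatting commit only realigned the read line beneath it; the enclosing `if [[ $CUSTOMIZE_ENC ... ]]` block starts before the hunk.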
@@ -612,52 +612,52 @@ function installOpenVPN () { # Get the "public" interface from the default route NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) - if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then + if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') fi # $NIC can not be empty for script rm-openvpn-rules.sh - if [[ -z "$NIC" ]]; then - echo - echo "Can not detect public interface." - echo "This needs for setup MASQUERADE." - until [[ $CONTINUE =~ (y|n) ]]; do - read -rp "Continue? [y/n]: " -e CONTINUE - done - if [[ "$CONTINUE" == "n" ]]; then - exit 1 - fi - fi + if [[ -z $NIC ]]; then + echo + echo "Can not detect public interface." + echo "This needs for setup MASQUERADE." + until [[ $CONTINUE =~ (y|n) ]]; do + read -rp "Continue? [y/n]: " -e CONTINUE + done + if [[ $CONTINUE == "n" ]]; then + exit 1 + fi + fi # If OpenVPN isn't installed yet, install it. This script is more-or-less # idempotent on multiple runs, but will only install OpenVPN from upstream # the first time. if [[ ! -e /etc/openvpn/server.conf ]]; then - if [[ "$OS" =~ (debian|ubuntu) ]]; then + if [[ $OS =~ (debian|ubuntu) ]]; then apt-get update apt-get -y install ca-certificates gnupg # We add the OpenVPN repo to get the latest version. 
- if [[ "$VERSION_ID" = "8" ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list + if [[ $VERSION_ID == "8" ]]; then + echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi - if [[ "$VERSION_ID" = "16.04" ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list + if [[ $VERSION_ID == "16.04" ]]; then + echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. apt-get install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'centos' ]]; then + elif [[ $OS == 'centos' ]]; then yum install -y epel-release yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' - elif [[ "$OS" = 'amzn' ]]; then + elif [[ $OS == 'amzn' ]]; then amazon-linux-extras install -y epel yum install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'fedora' ]]; then + elif [[ $OS == 'fedora' ]]; then dnf install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'arch' ]]; then + elif [[ $OS == 'arch' ]]; then # Install required dependencies and upgrade the system pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl fi 
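Review bot: The `Can not detect public interface` prompt reuses `$CONTINUE` without clearing it, and the Unbound question in installQuestions leaves `CONTINUE=y` set when the user accepts, so on such a run `until [[ $CONTINUE =~ (y|n) ]]` is satisfied immediately, the question is never shown and the install proceeds with an empty `$NIC` — the case the comment above the loop says must not happen. Add `unset CONTINUE` directly before that `until`, or give the prompt its own variable. Separately, the Debian 8 / Ubuntu 16.04 branch trusts the repository key with `wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -` and no fingerprint check, then pulls packages from a plain `http://build.openvpn.net` source; pin the key fingerprint published in OpenVPN's repository documentation and compare it with `gpg --with-fingerprint` before importing. Both points predate the formatting commit; installOpenVPN starts before the hunk and continues after it.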
@@ -687,22 +687,22 @@ function installOpenVPN () { cd /etc/openvpn/easy-rsa/ || return case $CERT_TYPE in - 1) - echo "set_var EASYRSA_ALGO ec" > vars - echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars + 1) + echo "set_var EASYRSA_ALGO ec" >vars + echo "set_var EASYRSA_CURVE $CERT_CURVE" >>vars ;; - 2) - echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars + 2) + echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >vars ;; esac # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" - echo "$SERVER_CN" > SERVER_CN_GENERATED + echo "$SERVER_CN" >SERVER_CN_GENERATED SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" - echo "$SERVER_NAME" > SERVER_NAME_GENERATED + echo "$SERVER_NAME" >SERVER_NAME_GENERATED - echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars + echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars # Create the PKI, set up the CA, the DH params and the server certificate ./easyrsa init-pki @@ -722,13 +722,13 @@ function installOpenVPN () { EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl case $TLS_SIG in - 1) - # Generate tls-crypt key - openvpn --genkey --secret /etc/openvpn/tls-crypt.key + 1) + # Generate tls-crypt key + openvpn --genkey --secret /etc/openvpn/tls-crypt.key ;; - 2) - # Generate tls-auth key - openvpn --genkey --secret /etc/openvpn/tls-auth.key + 2) + # Generate tls-auth key + openvpn --genkey --secret /etc/openvpn/tls-auth.key ;; esac else 
@@ -748,11 +748,11 @@ function installOpenVPN () { chmod 644 /etc/openvpn/crl.pem # Generate server.conf - echo "port $PORT" > /etc/openvpn/server.conf - if [[ "$IPV6_SUPPORT" == 'n' ]]; then - echo "proto $PROTOCOL" >> /etc/openvpn/server.conf - elif [[ "$IPV6_SUPPORT" == 'y' ]]; then - echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf + echo "port $PORT" >/etc/openvpn/server.conf + if [[ $IPV6_SUPPORT == 'n' ]]; then + echo "proto $PROTOCOL" >>/etc/openvpn/server.conf + elif [[ $IPV6_SUPPORT == 'y' ]]; then + echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf fi echo "dev tun 
@@ -763,101 +763,101 @@ persist-tun keepalive 10 120 topology subnet server 10.8.0.0 255.255.255.0 -ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf +ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf # DNS resolvers case $DNS in - 1) # Current system resolvers - # Locate the proper resolv.conf - # Needed for systems running systemd-resolved - if grep -q "127.0.0.53" "/etc/resolv.conf"; then - RESOLVCONF='/run/systemd/resolve/resolv.conf' - else - RESOLVCONF='/etc/resolv.conf' - fi - # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do - echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf - done + 1) # Current system resolvers + # Locate the proper resolv.conf + # Needed for systems running systemd-resolved + if grep -q "127.0.0.53" "/etc/resolv.conf"; then + RESOLVCONF='/run/systemd/resolve/resolv.conf' + else + RESOLVCONF='/etc/resolv.conf' + fi + # Obtain the resolvers from resolv.conf and use them for OpenVPN + grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do + echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf + done ;; - 2) # Self-hosted DNS resolver (Unbound) - echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf + 2) # Self-hosted DNS resolver (Unbound) + echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf ;; - 3) # Cloudflare - echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf + 3) # Cloudflare + echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf ;; - 4) # Quad9 - echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 149.112.112.112"' >> 
/etc/openvpn/server.conf + 4) # Quad9 + echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server.conf ;; - 5) # Quad9 uncensored - echo 'push "dhcp-option DNS 9.9.9.10"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 149.112.112.10"' >> /etc/openvpn/server.conf + 5) # Quad9 uncensored + echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server.conf ;; - 6) # FDN - echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf + 6) # FDN + echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server.conf ;; - 7) # DNS.WATCH - echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf + 7) # DNS.WATCH + echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server.conf ;; - 8) # OpenDNS - echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf + 8) # OpenDNS + echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server.conf ;; - 9) # Google - echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf + 9) # Google + echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server.conf ;; - 10) # Yandex Basic - echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf + 10) # Yandex Basic + echo 'push 
"dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf ;; - 11) # AdGuard DNS - echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf + 11) # AdGuard DNS + echo 'push "dhcp-option DNS 176.103.130.130"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 176.103.130.131"' >>/etc/openvpn/server.conf ;; - 12) # NextDNS - echo 'push "dhcp-option DNS 45.90.28.167"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 45.90.30.167"' >> /etc/openvpn/server.conf + 12) # NextDNS + echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server.conf ;; - 13) # Custom DNS - echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf - if [[ "$DNS2" != "" ]]; then - echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf + 13) # Custom DNS + echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf + if [[ $DNS2 != "" ]]; then + echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf fi ;; esac - echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf + echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf # IPv6 network settings if needed - if [[ "$IPV6_SUPPORT" == 'y' ]]; then + if [[ $IPV6_SUPPORT == 'y' ]]; then echo 'server-ipv6 fd42:42:42:42::/112 tun-ipv6 push tun-ipv6 push "route-ipv6 2000::/3" -push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf +push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf fi - if [[ $COMPRESSION_ENABLED == "y" ]]; then - echo "compress $COMPRESSION_ALG" >> /etc/openvpn/server.conf + if [[ $COMPRESSION_ENABLED == "y" ]]; then + echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server.conf fi if [[ $DH_TYPE == "1" ]]; then - echo "dh none" >> /etc/openvpn/server.conf - echo "ecdh-curve $DH_CURVE" >> 
/etc/openvpn/server.conf + echo "dh none" >>/etc/openvpn/server.conf + echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server.conf elif [[ $DH_TYPE == "2" ]]; then - echo "dh dh.pem" >> /etc/openvpn/server.conf + echo "dh dh.pem" >>/etc/openvpn/server.conf fi case $TLS_SIG in - 1) - echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf + 1) + echo "tls-crypt tls-crypt.key 0" >>/etc/openvpn/server.conf ;; - 2) - echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf + 2) + echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf ;; esac @@ -873,7 +873,7 @@ tls-version-min 1.2 tls-cipher $CC_CIPHER client-config-dir /etc/openvpn/ccd status /var/log/openvpn/status.log -verb 3" >> /etc/openvpn/server.conf +verb 3" >>/etc/openvpn/server.conf # Create client-config-dir dir mkdir -p /etc/openvpn/ccd @@ -881,9 +881,9 @@ verb 3" >> /etc/openvpn/server.conf mkdir -p /var/log/openvpn # Enable routing - echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/20-openvpn.conf - if [[ "$IPV6_SUPPORT" = 'y' ]]; then - echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf + echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/20-openvpn.conf + if [[ $IPV6_SUPPORT == 'y' ]]; then + echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/20-openvpn.conf fi # Apply sysctl rules sysctl --system @@ -891,14 +891,14 @@ verb 3" >> /etc/openvpn/server.conf # If SELinux is enabled and a custom port was selected, we need this if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then - if [[ "$PORT" != '1194' ]]; then + if [[ $PORT != '1194' ]]; then semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT" fi fi fi # Finally, restart and enable OpenVPN - if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then + if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' ]]; then # Don't modify package-provided service cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service 
@@ -907,14 +907,14 @@ verb 3" >> /etc/openvpn/server.conf # Another workaround to keep using /etc/openvpn/ sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service # On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service - if [[ "$OS" == "fedora" ]];then + if [[ $OS == "fedora" ]]; then sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service fi systemctl daemon-reload systemctl enable openvpn-server@server systemctl restart openvpn-server@server - elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then + elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then # On Ubuntu 16.04, we use the package from the OpenVPN repo # This package uses a sysvinit service systemctl enable openvpn @@ -933,7 +933,7 @@ verb 3" >> /etc/openvpn/server.conf systemctl restart openvpn@server fi - if [[ $DNS == 2 ]];then + if [[ $DNS == 2 ]]; then installUnbound fi @@ -946,13 +946,13 @@ iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -I INPUT 1 -i tun0 -j ACCEPT iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT -iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh +iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh - if [[ "$IPV6_SUPPORT" == 'y' ]]; then + if [[ $IPV6_SUPPORT == 'y' ]]; then echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -I INPUT 1 -i tun0 -j ACCEPT ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT -ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh +ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh fi # Script to remove rules 
@@ -961,13 +961,13 @@ iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -D INPUT -i tun0 -j ACCEPT iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT -iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh +iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh - if [[ "$IPV6_SUPPORT" == 'y' ]]; then + if [[ $IPV6_SUPPORT == 'y' ]]; then echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT -ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh +ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh fi chmod +x /etc/iptables/add-openvpn-rules.sh @@ -986,7 +986,7 @@ ExecStop=/etc/iptables/rm-openvpn-rules.sh RemainAfterExit=yes [Install] -WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service +WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service # Enable service and apply rules systemctl daemon-reload 
@@ -994,17 +994,17 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service systemctl start iptables-openvpn # If the server is behind a NAT, use the correct IP address for the clients to connect to - if [[ "$ENDPOINT" != "" ]]; then + if [[ $ENDPOINT != "" ]]; then IP=$ENDPOINT fi # client-template.txt is created so we have a template to add further users later - echo "client" > /etc/openvpn/client-template.txt - if [[ "$PROTOCOL" == 'udp' ]]; then - echo "proto udp" >> /etc/openvpn/client-template.txt - echo "explicit-exit-notify" >> /etc/openvpn/client-template.txt - elif [[ "$PROTOCOL" == 'tcp' ]]; then - echo "proto tcp-client" >> /etc/openvpn/client-template.txt + echo "client" >/etc/openvpn/client-template.txt + if [[ $PROTOCOL == 'udp' ]]; then + echo "proto udp" >>/etc/openvpn/client-template.txt + echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt + elif [[ $PROTOCOL == 'tcp' ]]; then + echo "proto tcp-client" >>/etc/openvpn/client-template.txt fi echo "remote $IP $PORT dev tun @@ -1022,23 +1022,23 @@ tls-version-min 1.2 tls-cipher $CC_CIPHER ignore-unknown-option block-outside-dns setenv opt block-outside-dns # Prevent Windows 10 DNS leak -verb 3" >> /etc/openvpn/client-template.txt +verb 3" >>/etc/openvpn/client-template.txt -if [[ $COMPRESSION_ENABLED == "y" ]]; then - echo "compress $COMPRESSION_ALG" >> /etc/openvpn/client-template.txt -fi + if [[ $COMPRESSION_ENABLED == "y" ]]; then + echo "compress $COMPRESSION_ALG" >>/etc/openvpn/client-template.txt + fi # Generate the custom client.ovpn newClient echo "If you want to add more clients, you simply need to run this script another time!" } -function newClient () { +function newClient() { echo "" echo "Tell me a name for the client." echo "Use one word only, no special characters." - until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do + until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do read -rp "Client name: " -e CLIENT done 
@@ -1048,30 +1048,30 @@ function newClient () { echo " 1) Add a passwordless client" echo " 2) Use a password for the client" - until [[ "$PASS" =~ ^[1-2]$ ]]; do + until [[ $PASS =~ ^[1-2]$ ]]; do read -rp "Select an option [1-2]: " -e -i 1 PASS done CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$") - if [[ "$CLIENTEXISTS" = '1' ]]; then + if [[ $CLIENTEXISTS == '1' ]]; then echo "" echo "The specified client CN was found in easy-rsa." else cd /etc/openvpn/easy-rsa/ || return case $PASS in - 1) - ./easyrsa build-client-full "$CLIENT" nopass + 1) + ./easyrsa build-client-full "$CLIENT" nopass ;; - 2) + 2) echo "⚠️ You will be asked for the client password below ⚠️" - ./easyrsa build-client-full "$CLIENT" + ./easyrsa build-client-full "$CLIENT" ;; esac echo "Client $CLIENT added." fi # Home directory of the user, where the client configuration (.ovpn) will be written - if [ -e "/home/$CLIENT" ]; then # if $1 is a user name + if [ -e "/home/$CLIENT" ]; then # if $1 is a user name homeDir="/home/$CLIENT" elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER homeDir="/home/${SUDO_USER}" @@ -1102,19 +1102,19 @@ function newClient () { echo "" case $TLS_SIG in - 1) - echo "" - cat /etc/openvpn/tls-crypt.key - echo "" + 1) + echo "" + cat /etc/openvpn/tls-crypt.key + echo "" ;; - 2) - echo "key-direction 1" - echo "" - cat /etc/openvpn/tls-auth.key - echo "" + 2) + echo "key-direction 1" + echo "" + cat /etc/openvpn/tls-auth.key + echo "" ;; esac - } >> "$homeDir/$CLIENT.ovpn" + } >>"$homeDir/$CLIENT.ovpn" echo "" echo "The configuration file has been written to $homeDir/$CLIENT.ovpn." @@ -1123,9 +1123,9 @@ function newClient () { exit 0 } -function revokeClient () { +function revokeClient() { NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") - if [[ "$NUMBEROFCLIENTS" == '0' ]]; then + if [[ $NUMBEROFCLIENTS == '0' ]]; then echo "" echo "You have no existing clients!" exit 1 
@@ -1134,7 +1134,7 @@ function revokeClient () { echo "" echo "Select the existing client certificate you want to revoke" tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' - if [[ "$NUMBEROFCLIENTS" == '1' ]]; then + if [[ $NUMBEROFCLIENTS == '1' ]]; then read -rp "Select one client [1]: " CLIENTNUMBER else read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER @@ -1155,7 +1155,7 @@ function revokeClient () { echo "Certificate for client $CLIENT revoked." } -function removeUnbound () { +function removeUnbound() { # Remove OpenVPN-related config sed -i '/include: \/etc\/unbound\/openvpn.conf/d' /etc/unbound/unbound.conf rm /etc/unbound/openvpn.conf @@ -1166,17 +1166,17 @@ function removeUnbound () { read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND done - if [[ "$REMOVE_UNBOUND" == 'y' ]]; then + if [[ $REMOVE_UNBOUND == 'y' ]]; then # Stop Unbound systemctl stop unbound - if [[ "$OS" =~ (debian|ubuntu) ]]; then + if [[ $OS =~ (debian|ubuntu) ]]; then apt-get autoremove --purge -y unbound - elif [[ "$OS" == 'arch' ]]; then + elif [[ $OS == 'arch' ]]; then pacman --noconfirm -R unbound - elif [[ "$OS" =~ (centos|amzn) ]]; then + elif [[ $OS =~ (centos|amzn) ]]; then yum remove -y unbound - elif [[ "$OS" == 'fedora' ]]; then + elif [[ $OS == 'fedora' ]]; then dnf remove -y unbound fi 
@@ -1191,21 +1191,21 @@ function removeUnbound () { fi } -function removeOpenVPN () { +function removeOpenVPN() { echo "" # shellcheck disable=SC2034 read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE - if [[ "$REMOVE" == 'y' ]]; then + if [[ $REMOVE == 'y' ]]; then # Get OpenVPN port from the configuration PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) # Stop OpenVPN - if [[ "$OS" =~ (fedora|arch|centos) ]]; then + if [[ $OS =~ (fedora|arch|centos) ]]; then systemctl disable openvpn-server@server systemctl stop openvpn-server@server # Remove customised service rm /etc/systemd/system/openvpn-server@.service - elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then + elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then systemctl disable openvpn systemctl stop openvpn else @@ -1227,23 +1227,23 @@ function removeOpenVPN () { # SELinux if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then - if [[ "$PORT" != '1194' ]]; then + if [[ $PORT != '1194' ]]; then semanage port -d -t openvpn_port_t -p udp "$PORT" fi fi fi - if [[ "$OS" =~ (debian|ubuntu) ]]; then + if [[ $OS =~ (debian|ubuntu) ]]; then apt-get autoremove --purge -y openvpn - if [[ -e /etc/apt/sources.list.d/openvpn.list ]];then + if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then rm /etc/apt/sources.list.d/openvpn.list apt-get update fi - elif [[ "$OS" == 'arch' ]]; then + elif [[ $OS == 'arch' ]]; then pacman --noconfirm -R openvpn - elif [[ "$OS" =~ (centos|amzn) ]]; then + elif [[ $OS =~ (centos|amzn) ]]; then yum remove -y openvpn - elif [[ "$OS" == 'fedora' ]]; then + elif [[ $OS == 'fedora' ]]; then dnf remove -y openvpn fi @@ -1267,7 +1267,7 @@ function removeOpenVPN () { fi } -function manageMenu () { +function manageMenu() { clear echo "Welcome to OpenVPN-install!" echo "The git repository is available at: https://github.com/angristan/openvpn-install" 
@@ -1279,22 +1279,22 @@ function manageMenu () { echo " 2) Revoke existing user" echo " 3) Remove OpenVPN" echo " 4) Exit" - until [[ "$MENU_OPTION" =~ ^[1-4]$ ]]; do + until [[ $MENU_OPTION =~ ^[1-4]$ ]]; do read -rp "Select an option [1-4]: " MENU_OPTION done case $MENU_OPTION in - 1) - newClient + 1) + newClient ;; - 2) - revokeClient + 2) + revokeClient ;; - 3) - removeOpenVPN + 3) + removeOpenVPN ;; - 4) - exit 0 + 4) + exit 0 ;; esac } From 0f871f26d8093a88b91666063733de1d905d79b7 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 27 Apr 2020 15:01:15 +0200 Subject: [PATCH 039/132] ci(lint): add shfmt job (#639) --- .github/workflows/push.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index c6a36b9..2be7614 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -1,5 +1,5 @@ on: [push, pull_request] -name: ShellCheck +name: Lint jobs: shellcheck: runs-on: ubuntu-latest @@ -9,3 +9,11 @@ jobs: uses: ludeeus/action-shellcheck@0.0.1 with: args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 + shfmt: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: shfmt + uses: bltavares/actions/shfmt@master + env: + SHFMT_ARGS: -d From b4cbb54320cf778ffb48c8d0aa54d3c265455645 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 27 Apr 2020 15:21:32 +0200 Subject: [PATCH 040/132] ci(workflow): don't run jobs twice on PRs (#640) --- .github/workflows/push.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 2be7614..fba20c3 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -1,4 +1,11 @@ -on: [push, pull_request] +on: + push: + branches: + - master + pull_request: + branches: + - master + name: Lint jobs: shellcheck: From 08aeed2c5b28757ca834bfb066d08fd99e41e3c1 Mon Sep 17 00:00:00 2001 
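Review bot: The new shfmt job references third-party actions by a mutable branch ref, `- uses: actions/checkout@master` and `uses: bltavares/actions/shfmt@master`, so whoever controls the master branch of either repository can change what this workflow executes, including on pull_request builds, without any change landing here. Pin each action to a full commit SHA and record the version in a trailing comment, e.g. `uses: bltavares/actions/shfmt@<commit-sha> # <tag>`, so the only way to change what runs is a reviewed edit of this file. The existing shellcheck step pins a tag (`ludeeus/action-shellcheck@0.0.1`), which is better than a branch but still movable; a commit SHA is the only immutable reference.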
From: Stanislas Lange Date: Mon, 27 Apr 2020 15:26:20 +0200 Subject: [PATCH 041/132] docs(readme): add notes about bash formatting --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index bd82d07..a786a5f 100644 --- a/README.md +++ b/README.md @@ -179,6 +179,10 @@ Solutions that provision a ready to use OpenVPN server based on this script in o - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install) +## Contributing / Code formatting + +We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml). + ## Security and Encryption From af3bf12bb659bc37219db0499491fd9fd464c7bb Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 15:31:36 +0200 Subject: [PATCH 042/132] style(readme): format markdown --- README.md | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index a786a5f..d49925b 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,7 @@ If you have any question, head to the [FAQ](#faq) first. Please read everything It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner. Example usage: + ```bash AUTO_INSTALL=y ./openvpn-install.sh 
@@ -79,6 +80,7 @@ The headless install is more-or-less idempotent, in that it has been made safe t It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script. The following Bash script adds a new user `foo` to an existing OpenVPN configuration + ```bash #!/bin/bash export MENU_OPTION="1" @@ -111,15 +113,15 @@ The script supports these OS and architectures: | | i386 | amd64 | armhf | arm64 | | --------------- | ---- | ----- | ----- | ----- | -| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | -| Arch Linux | ❔ | ✅ | ❔ | ✅ | -| CentOS 7 | ❔ | ✅ | ❌ | ✅ | -| CentOS 8 | ❌ | ✅ | ❔ | ❔ | -| Debian 8 | ✅ | ✅ | ❌ | ❌ | -| Debian >= 9 | ❌ | ✅ | ✅ | ✅ | -| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu >= 18.04 | ❌ | ✅ | ✅ | ✅ | +| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | +| Arch Linux | ❔ | ✅ | ❔ | ✅ | +| CentOS 7 | ❔ | ✅ | ❌ | ✅ | +| CentOS 8 | ❌ | ✅ | ❔ | ❔ | +| Debian 8 | ✅ | ✅ | ❌ | ❌ | +| Debian >= 9 | ❌ | ✅ | ✅ | ✅ | +| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | +| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | +| Ubuntu >= 18.04 | ❌ | ✅ | ✅ | ✅ | To be noted: @@ -141,9 +143,9 @@ More Q&A in [FAQ.md](FAQ.md). **A:** I recommend these: -- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month +- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month - [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month -- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month +- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month --- 
@@ -173,17 +175,16 @@ More Q&A in [FAQ.md](FAQ.md). More Q&A in [FAQ.md](FAQ.md). -## One-stop solutions for public cloud +## One-stop solutions for public cloud Solutions that provision a ready to use OpenVPN server based on this script in one go are available for: - - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install) +- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install) ## Contributing / Code formatting We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml). - ## Security and Encryption OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that. @@ -193,6 +194,7 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete. Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file. + ### Compression By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient. 
@@ -230,11 +232,11 @@ By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old > > Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details. ->Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See ​https://sweet32.info/ for a much better and more elaborate explanation. +> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation. > > OpenVPN's default cipher, BF-CBC, is affected by this attack. -Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted. +Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia]() are not vulnerable to date but are slower than AES and relatively less trusted. > Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM. 
@@ -253,7 +255,7 @@ The script supports the following ciphers: And defaults to `AES-128-GCM`. -OpenVPN 2.4 added a feature called "NCP": *Negotiable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above. +OpenVPN 2.4 added a feature called "NCP": _Negotiable Crypto Parameters_. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above. ### Control channel @@ -314,6 +316,7 @@ About `tls-crypt`: > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.) > > Encrypting (and authenticating) control channel packets: +> > - provides more privacy by hiding the certificate used for the TLS connection, > - makes it harder to identify OpenVPN traffic as such, > - provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy). From c2d7729c2033c55de354a82299e9b9afce325f6a Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 15:32:05 +0200 Subject: [PATCH 043/132] style(faq): format markdown --- FAQ.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/FAQ.md b/FAQ.md index 537a165..a058b4b 100644 --- a/FAQ.md +++ b/FAQ.md @@ -20,6 +20,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you On Linux you need to add these lines to your `.ovpn` file based on your Distribution. Debian 9, 10 and Ubuntu 16.04, 18.04 + ``` script-security 2 up /etc/openvpn/update-resolv-conf 
@@ -27,6 +28,7 @@ down /etc/openvpn/update-resolv-conf ``` Centos 6, 7 + ``` script-security 2 up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up @@ -34,6 +36,7 @@ down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down ``` Centos 8, Fedora 30, 31 + ``` script-security 2 up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up @@ -41,6 +44,7 @@ down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down ``` Arch Linux + ``` script-security 2 up /usr/share/openvpn/contrib/pull-resolv-conf/client.up @@ -92,10 +96,11 @@ Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` **Q:** My router can't connect **A:** + - `Options error: No closing quotation (") in config.ovpn:46` : - type `yes` when asked to customize encryption settings and choose `tls-auth` + type `yes` when asked to customize encryption settings and choose `tls-auth` - `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` : - see question "Can I use an OpenVPN 2.3 client?" + see question "Can I use an OpenVPN 2.3 client?" From 87bfd046dd768175045850873e063d5c9ab96561 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 15:42:47 +0200 Subject: [PATCH 044/132] docs(readme): fix english punctuation --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d49925b..f00b73d 100644 --- a/README.md +++ b/README.md @@ -8,14 +8,14 @@ You can also check out [wireguard-install](https://github.com/angristan/wireguar ## Usage -First, get the script and make it executable : +First, get the script and make it executable: ```bash curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh chmod +x openvpn-install.sh ``` -Then run it : +Then run it: ```sh ./openvpn-install.sh 
@@ -25,7 +25,7 @@ You need to run the script as root and have the TUN module enabled. The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server. -When OpenVPN is installed, you can run the script again, and you will get the choice to : +When OpenVPN is installed, you can run the script again, and you will get the choice to: - Add a client - Remove a client @@ -240,7 +240,7 @@ Indeed, AES is today's standard. It's the fastest and more secure cipher availab > Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM. -AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source : [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack). +AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source: [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack). AES-GCM is an [AEAD cipher](https://en.wikipedia.org/wiki/Authenticated_encryption) which means it simultaneously provides confidentiality, integrity, and authenticity assurances on the data. From 3b2c84b94d17c636a148148873d08c55bee9acbf Mon Sep 17 00:00:00 2001 
From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Mon, 27 Apr 2020 14:03:55 +0000 Subject: [PATCH 045/132] fix(selinux): fix deletion of selinux policy (#555) --- openvpn-install.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 7c2cffc..1928158 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1198,6 +1198,7 @@ function removeOpenVPN() { if [[ $REMOVE == 'y' ]]; then # Get OpenVPN port from the configuration PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) + PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2) # Stop OpenVPN if [[ $OS =~ (fedora|arch|centos) ]]; then @@ -1227,8 +1228,8 @@ function removeOpenVPN() { # SELinux if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then - if [[ $PORT != '1194' ]]; then - semanage port -d -t openvpn_port_t -p udp "$PORT" + if [[ "$PORT" != '1194' ]]; then + semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT" fi fi fi From 29980e6befc6bfa95578badd5afa9e479cfaf1d1 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 16:05:51 +0200 Subject: [PATCH 046/132] style(script) format with shfmt --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 1928158..cfe9c4f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1228,7 +1228,7 @@ function removeOpenVPN() { # SELinux if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then - if [[ "$PORT" != '1194' ]]; then + if [[ $PORT != '1194' ]]; then semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT" fi fi From fdb35b86c6ea2927df553d8bfacfb362a479ba01 Mon Sep 17 00:00:00 2001 
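Review bot: The value handed to `semanage port -d -p` is whatever follows `proto ` in server.conf, and semanage only accepts `tcp` or `udp`; if the install path ever writes `udp6`/`tcp6` there (both are valid OpenVPN values), the deletion fails and the custom port label is left behind after uninstall. Normalizing where the variable is read makes the cleanup robust to that: `PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2); PROTOCOL=${PROTOCOL%6}`. I cannot see from these hunks which proto values the installer writes, so treat this as hardening rather than a confirmed breakage. removeOpenVPN continues outside both hunks.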
From: Stanislas Lange Date: Mon, 27 Apr 2020 16:19:09 +0200 Subject: [PATCH 047/132] fix(fedora): install policycoreutils-python-utils for selinux --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index cfe9c4f..4b1479f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -656,7 +656,7 @@ function installOpenVPN() { amazon-linux-extras install -y epel yum install -y openvpn iptables openssl wget ca-certificates curl elif [[ $OS == 'fedora' ]]; then - dnf install -y openvpn iptables openssl wget ca-certificates curl + dnf install -y openvpn iptables openssl wget ca-certificates curl policycoreutils-python-utils elif [[ $OS == 'arch' ]]; then # Install required dependencies and upgrade the system pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl From 2a35a3db16cb45e6c1d53f3def81f3a029c14f97 Mon Sep 17 00:00:00 2001 From: Henry N Date: Mon, 27 Apr 2020 16:24:30 +0200 Subject: [PATCH 048/132] refactor(install): simplify detection of public IP4, add fallback to IPv6 (#589) --- openvpn-install.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4b1479f..0354bc3 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -208,7 +208,11 @@ function installQuestions() { echo "Unless your server is behind NAT, it should be your public IPv4 address." # Detect public IPv4 address and pre-fill for the user - IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) + IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1) + if [[ -z "$IP" ]]; then + # Detect public IPv6 address + IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1) + fi APPROVE_IP=${APPROVE_IP:-n} if [[ $APPROVE_IP =~ n ]]; then read -rp "IP address: " -e -i "$IP" IP From c758418c6d2ec47e3e5f9e0768e7e4dfb59f1a6a Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 16:25:20 +0200 Subject: [PATCH 049/132] style(script) format with shfmt --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0354bc3..8eaae90 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -209,7 +209,7 @@ function installQuestions() { # Detect public IPv4 address and pre-fill for the user IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1) - if [[ -z "$IP" ]]; then + if [[ -z $IP ]]; then # Detect public IPv6 address IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1) fi From f411d9dec7a0879dd2166573375287130c096166 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 17:35:30 +0200 Subject: [PATCH 050/132] fix(revokeClient): fix prompt input check fix #477 #590 --- openvpn-install.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 8eaae90..2f9972f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
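Review bot: `scope global` is not the same as "public": on a NATed or cloud host the first global IPv4 is the NIC's private address, and the new IPv6 fallback can return a ULA (fd00::/8) or a temporary privacy-extension address, all of which become the client endpoint when the prompt is skipped (`APPROVE_IP` not matching `n`). The IPv4 behaviour is unchanged from the old grep chain, but the IPv6 pick is new and should at least exclude addresses that will rotate or disappear: `IP=$(ip -6 addr show scope global -temporary -deprecated -tentative | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)`. How the headless path handles a detected RFC 1918 address is outside this hunk; if it has no override, that is worth documenting next to `APPROVE_IP`. installQuestions continues past the hunk.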
@@ -1138,12 +1138,13 @@ function revokeClient() { echo "" echo "Select the existing client certificate you want to revoke" tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' - if [[ $NUMBEROFCLIENTS == '1' ]]; then - read -rp "Select one client [1]: " CLIENTNUMBER - else - read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER - fi - + until [[ $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do + if [[ $CLIENTNUMBER == '1' ]]; then + read -rp "Select one client [1]: " CLIENTNUMBER + else + read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER + fi + done CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) cd /etc/openvpn/easy-rsa/ || return ./easyrsa --batch revoke "$CLIENT" From 96e6ea71e9094c3b5bce52489e4f8262bb14b16c Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 17:45:58 +0200 Subject: [PATCH 051/132] fix(newClient): exit if client name already taken fix #613 --- openvpn-install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2f9972f..27bb1c1 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1059,7 +1059,8 @@ function newClient() { CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$") if [[ $CLIENTEXISTS == '1' ]]; then echo "" - echo "The specified client CN was found in easy-rsa." + echo "The specified client CN was already found in easy-rsa, please choose another name." + exit else cd /etc/openvpn/easy-rsa/ || return case $PASS in From 182c43316ff9acd8ac46c6d548deda166893e213 Mon Sep 17 00:00:00 2001 From: Henry N Date: Mon, 27 Apr 2020 18:04:18 +0200 Subject: [PATCH 052/132] feat(install): get system IPv6 resolvers if enabled (#599) --- openvpn-install.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
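Review bot: The prompt selection inside the new loop tests the wrong variable: `if [[ $CLIENTNUMBER == '1' ]]` replaced a check on `NUMBEROFCLIENTS`, so on the first iteration (CLIENTNUMBER empty) the `[1]` prompt is unreachable and a single-client setup is asked for `[1-1]`; it should read `if [[ $NUMBEROFCLIENTS == '1' ]]; then`. The `until` condition also feeds raw input to `-ge`/`-le`, which bash evaluates arithmetically — `foo` silently becomes 0 and loops, but a subscript expression is evaluated — whereas the DNS prompt in installQuestions guards with a digits-only regex first. The same guard belongs here: `until [[ $CLIENTNUMBER =~ ^[0-9]+$ && $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do`. NUMBEROFCLIENTS is computed above the hunk.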
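Review bot: The new early return is a bare `exit`, which reports status 0 for what is an error; a non-interactive caller looping over client names (as the headless `MENU_OPTION=1 CLIENT=...` usage allows) cannot tell "client created" from "name already taken". Make it `echo "The specified client CN was already found in easy-rsa, please choose another name." >&2` followed by `exit 1`. The lookup above interpolates `$CLIENT` into a `grep -E` pattern; whether CLIENT is restricted to a safe character set before this point is outside the hunk, and if it is not, `grep -c -F -- "/CN=$CLIENT"` avoids the regex surprise. newClient continues outside the hunk.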
diff --git a/openvpn-install.sh b/openvpn-install.sh index 27bb1c1..72122b0 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -780,8 +780,11 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf RESOLVCONF='/etc/resolv.conf' fi # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do - echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf + sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do + # Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter + if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then + echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf + fi done ;; 2) # Self-hosted DNS resolver (Unbound) From 369c8dadaa9e7819d2e24e8e5908efae23f632b9 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 18:06:59 +0200 Subject: [PATCH 053/132] refactor(menu): remove clear console --- openvpn-install.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 72122b0..c76b8d3 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1278,7 +1278,6 @@ function removeOpenVPN() { } function manageMenu() { - clear echo "Welcome to OpenVPN-install!" echo "The git repository is available at: https://github.com/angristan/openvpn-install" echo "" From c785b230e925fa6d34dbd516506633e0c31224cd Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Mon, 27 Apr 2020 17:02:35 +0000 Subject: [PATCH 054/132] docs(faq): add info for remote LAN access (#630) --- FAQ.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/FAQ.md b/FAQ.md index a058b4b..6561282 100644 --- a/FAQ.md +++ b/FAQ.md 
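Review bot: The new copy loop pushes every `nameserver` entry without checking that it is reachable from the tunnel: a loopback stub (`127.0.0.53` from systemd-resolved, `127.0.0.1` from a local dnsmasq) passes `^[0-9.]*$`, and with IPv6 enabled a link-local resolver with a zone suffix (`fe80::1%eth0`) is pushed verbatim, neither of which works on a client. The `RESOLVCONF` selection just above the hunk may already avoid the resolved stub — I cannot see it — but the loop is the cheap place to be defensive: `[[ $line == 127.* || $line == fe80:* || $line == *%* ]] && continue` before the `echo`. `^[0-9.]*$` also accepts malformed strings such as `1...2`; the stricter IPv4 regex the custom-DNS prompt uses elsewhere in the script could be reused here. The `1)` case arm starts above the hunk.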
@@ -104,3 +104,9 @@ Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` - `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` : see question "Can I use an OpenVPN 2.3 client?" + +--- + +**Q:** How can I access computers the OpenVPN server's remote LAN? + +**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24` From 529d3656932911a2a0fc5f88c06014eea99e3c3c Mon Sep 17 00:00:00 2001 From: "D. Robin" Date: Mon, 27 Apr 2020 19:10:49 +0200 Subject: [PATCH 055/132] build(easy-rsa): 3.0.6 -> 3.0.7 (#641) --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c76b8d3..9ca427b 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -681,8 +681,8 @@ function installOpenVPN() { # Install the latest version of easy-rsa from source, if not already # installed. if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then - local version="3.0.6" - wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz + local version="3.0.7" + wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/ mkdir -p /etc/openvpn/easy-rsa mv ~/EasyRSA-v${version}/* /etc/openvpn/easy-rsa/ From 0e961a2e6b362574c705d00b121fbecad4d1de83 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 19:20:40 +0200 Subject: [PATCH 056/132] refactor(install): simplify easy-rsa install process --- openvpn-install.sh | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9ca427b..20be0af 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -678,16 +678,13 @@ function installOpenVPN() { NOGROUP=nobody fi - # Install the latest version of easy-rsa from source, if not already - # installed. + # Install the latest version of easy-rsa from source, if not already installed. if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then local version="3.0.7" - wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz - tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/ - mkdir -p /etc/openvpn/easy-rsa - mv ~/EasyRSA-v${version}/* /etc/openvpn/easy-rsa/ - chown -R root:root /etc/openvpn/easy-rsa/ - rm -f ~/EasyRSA-unix-v${version}.tgz + wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz + mkdir /etc/openvpn/easy-rsa + tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa + rm -f ~/easy-rsa.tgz cd /etc/openvpn/easy-rsa/ || return case $CERT_TYPE in From 83f70fe71fa771c726bf8e4d90174304711dba89 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 28 Apr 2020 11:26:24 +0200 Subject: [PATCH 057/132] ci(workflow): run script in headless mode on VMs (#643) Run script in headless mode on all supported distributions, on Digital Ocean VMs, with GitHub Actions --- .github/workflows/{push.yml => lint.yml} | 0 .github/workflows/test.yml | 100 +++++++++++++++++++++++ README.md | 2 + 3 files changed, 102 insertions(+) rename .github/workflows/{push.yml => lint.yml} (100%) create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/push.yml b/.github/workflows/lint.yml similarity index 100% rename from .github/workflows/push.yml rename to .github/workflows/lint.yml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000..1f47ec7 --- /dev/null +++ b/.github/workflows/test.yml 
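Review bot: The easy-rsa tarball is fetched from GitHub and unpacked straight into `/etc/openvpn/easy-rsa` — the directory the CA and every server/client key are generated from — with no integrity check and no check that `wget` succeeded, so a failed or tampered download still proceeds to `./easyrsa init-pki` on whatever landed. Pin the release digest next to `version` (value taken from the release at pin time) and verify before extracting: `wget -O ~/easy-rsa.tgz ... || exit 1` then `echo "${EASYRSA_SHA256}  $HOME/easy-rsa.tgz" | sha256sum -c - || exit 1`. Bumping `version` then forces a deliberate digest update, which is the supply-chain property wanted for PKI tooling. installOpenVPN continues on both sides of the hunk.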
@@ -0,0 +1,100 @@ +on: + push: + branches: + - master + pull_request: + branches: + - master + +name: Test +jobs: + install: + runs-on: ubuntu-latest + if: github.repository == 'angristan/openvpn-install' + strategy: + matrix: + os-image: + - debian-9-x64 + - debian-10-x64 + - ubuntu-18-04-x64 + - ubuntu-16-04-x64 + - ubuntu-20-04-x64 + - fedora-30-x64 + - fedora-31-x64 + - centos-7-x64 + - centos-8-x64 + steps: + - uses: actions/checkout@master + + - name: Setup doctl + uses: digitalocean/action-doctl@v2 + with: + token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} + + - name: Create server + run: doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} --size s-1vcpu-1gb --image ${{ matrix.os-image }} --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4 --wait + + - name: Get server ID + run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").id') + id: server_id + + - name: Move server to dedicated project + run: doctl projects resources assign ${{ secrets.DIGITALOCEAN_PROJECT_ID }} --resource=do:droplet:${{ steps.server_id.outputs.value }} + + - name: Wait for server to boot + run: sleep 90 + + - name: Get server IP + run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").networks.v4 | .[0].ip_address') + id: server_ip + + - name: Get server OS + run: echo ::set-output name=value::$(echo ${{ matrix.os-image }} | cut -d '-' -f1) + id: server_os + + - name: Setup remote server (Debian/Ubuntu) + if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu' + uses: appleboy/ssh-action@master + with: + host: ${{ steps.server_ip.outputs.value }} + username: root + key: ${{ secrets.SSH_KEY }} + script: set -x && apt-get 
update && apt-get install -y git + + - name: Setup remote server (Fedora) + if: steps.server_os.outputs.value == 'fedora' + uses: appleboy/ssh-action@master + with: + host: ${{ steps.server_ip.outputs.value }} + username: root + key: ${{ secrets.SSH_KEY }} + script: set -x && dnf install -y git + + - name: Setup remote server (CentOS) + if: steps.server_os.outputs.value == 'centos' + uses: appleboy/ssh-action@master + with: + host: ${{ steps.server_ip.outputs.value }} + username: root + key: ${{ secrets.SSH_KEY }} + script: set -x && yum install -y git + + - name: Download repo and checkout current commit + uses: appleboy/ssh-action@master + with: + host: ${{ steps.server_ip.outputs.value }} + username: root + key: ${{ secrets.SSH_KEY }} + script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} + + - name: Run openvpn-install.sh in headless mode + uses: appleboy/ssh-action@master + with: + host: ${{ steps.server_ip.outputs.value }} + username: root + key: ${{ secrets.SSH_KEY }} + script: 'set -x && AUTO_INSTALL=y bash -x ~/openvpn-install/openvpn-install.sh && ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1' + + - name: Delete server + run: doctl compute droplet delete -f openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} + if: always() diff --git a/README.md b/README.md index f00b73d..4f93e55 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # openvpn-install +![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg) ![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg) + OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux. This script will let you setup your own secure VPN server in just a few seconds. From 3ece6f394d7ae534d57cea3ae8d1a75ac5234ac7 Mon Sep 17 00:00:00 2001 
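Review bot: Every third-party action in the new workflow is referenced by a mutable ref — `actions/checkout@master`, `appleboy/ssh-action@master`, and `digitalocean/action-doctl@v2` by a movable tag — while the same job has `DIGITALOCEAN_ACCESS_TOKEN` and the `SSH_KEY` private key in scope, so a force-pushed branch or compromised upstream runs with those secrets. Pin each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: appleboy/ssh-action@<commit-sha> # vX.Y.Z`, and let dependabot-style bumps make updates explicit. Whether ssh-action verifies the freshly created droplet's host key is not visible here; if it defaults to accepting any key, that is worth a comment on the step since the connection carries the test payload as root. The process check in the last SSH step, `ps aux | grep openvpn | grep -v grep`, can be `pgrep -x openvpn`.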
From: Stanislas Lange Date: Tue, 28 Apr 2020 11:28:27 +0200 Subject: [PATCH 058/132] chore(test): remove Vagrantfile thanks to #643 --- .gitignore | 2 -- Vagrantfile | 35 ----------------------------------- 2 files changed, 37 deletions(-) delete mode 100644 .gitignore delete mode 100644 Vagrantfile diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 73ab2cf..0000000 --- a/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -.vagrant/ -*.log diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index 4dd0973..0000000 --- a/Vagrantfile +++ /dev/null @@ -1,35 +0,0 @@ -# This Vagrantfile is used to test the script - -# To run the script on all machines, export VAGRANT_AUTOSTART=true -autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false -# else, run `vagrant up ` - -machines = [ - { hostname: 'debian-10', box: 'debian/stretch64' }, - { hostname: 'debian-9', box: 'debian/stretch64' }, - { hostname: 'debian-8', box: 'debian/jessie64' }, - { hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' }, - { hostname: 'ubuntu-1804', box: 'ubuntu/xenial64' }, - { hostname: 'centos-7', box: 'centos/7' }, - { hostname: 'fedora-29', box: 'fedora/29-cloud-base' }, - { hostname: 'fedora-28', box: 'fedora/28-cloud-base' }, - { hostname: 'archlinux', box: 'archlinux/archlinux' } -] - -Vagrant.configure('2') do |config| - machines.each do |machine| - config.vm.provider 'virtualbox' do |v| - v.memory = 1024 - v.cpus = 2 - end - config.vm.define machine[:hostname], autostart: autostart_machines do |machineconfig| - machineconfig.vm.hostname = machine[:hostname] - machineconfig.vm.box = machine[:box] - - machineconfig.vm.provision 'shell', inline: <<-SHELL - AUTO_INSTALL=y /vagrant/openvpn-install.sh - ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1 - SHELL - end - end -end From 2370f802b7beaf735bbc6c22ddfd3a3d4721eb52 Mon Sep 17 00:00:00 2001 
From: Stanislas Lange Date: Tue, 28 Apr 2020 11:44:53 +0200 Subject: [PATCH 059/132] refactor(install): update policycoreutils-python package name on CentOS --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 20be0af..2eeaed2 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -655,7 +655,7 @@ function installOpenVPN() { apt-get install -y openvpn iptables openssl wget ca-certificates curl elif [[ $OS == 'centos' ]]; then yum install -y epel-release - yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' + yum install -y openvpn iptables openssl wget ca-certificates curl tar policycoreutils-python elif [[ $OS == 'amzn' ]]; then amazon-linux-extras install -y epel yum install -y openvpn iptables openssl wget ca-certificates curl From ec36253e752ea8c3513751bf104f2c43c3f2a3cb Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Tue, 28 Apr 2020 11:51:23 +0200 Subject: [PATCH 060/132] Revert "refactor(install): update policycoreutils-python package name on CentOS" This reverts commit 2370f802b7beaf735bbc6c22ddfd3a3d4721eb52. --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2eeaed2..20be0af 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -655,7 +655,7 @@ function installOpenVPN() { apt-get install -y openvpn iptables openssl wget ca-certificates curl elif [[ $OS == 'centos' ]]; then yum install -y epel-release - yum install -y openvpn iptables openssl wget ca-certificates curl tar policycoreutils-python + yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' elif [[ $OS == 'amzn' ]]; then amazon-linux-extras install -y epel yum install -y openvpn iptables openssl wget ca-certificates curl From 137284e55fdd48fd444a7ad156d3c0a13481a822 Mon Sep 17 00:00:00 2001 
From: Stanislas Lange Date: Tue, 28 Apr 2020 14:17:27 +0200 Subject: [PATCH 061/132] ci(workflow): don't run test job on forks --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1f47ec7..d7fc020 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,7 +10,7 @@ name: Test jobs: install: runs-on: ubuntu-latest - if: github.repository == 'angristan/openvpn-install' + if: github.repository == 'angristan/openvpn-install' && github.actor == 'repo-owner' strategy: matrix: os-image: From e952d58995bcdbb2d31c60de3b8e6622c8efe7ba Mon Sep 17 00:00:00 2001 From: Techroy23 <53241974+techroy23@users.noreply.github.com> Date: Tue, 28 Apr 2020 20:23:18 +0800 Subject: [PATCH 062/132] docs(faq): add batch client generation script (#645) --- FAQ.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/FAQ.md b/FAQ.md index 6561282..b891666 100644 --- a/FAQ.md +++ b/FAQ.md @@ -110,3 +110,17 @@ Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` **Q:** How can I access computers the OpenVPN server's remote LAN? **A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24` + +--- + +**Q:** How can I add multiple users in one go? + +**A:** Here is a sample bash script to achieve this: + + ```sh +userlist=(user1 user2 user3) + +for i in ${userlist[@]};do + MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh +done +``` From 1cb4d744f02c4a128e970c09f1b274a4e736aca3 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Tue, 28 Apr 2020 15:15:01 +0200 Subject: [PATCH 063/132] ci(shellcheck): use env for action instead of args --- .github/workflows/lint.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index fba20c3..4628851 100644 
--- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,8 +14,8 @@ jobs: - uses: actions/checkout@master - name: shellcheck uses: ludeeus/action-shellcheck@0.0.1 - with: - args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 + env: + SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 shfmt: runs-on: ubuntu-latest steps: From aa20ae6ba61ae8d4e811f03b38cd40585b0b4343 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Tue, 28 Apr 2020 15:25:14 +0200 Subject: [PATCH 064/132] ci(workflow): don't run test job on forks --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d7fc020..a6ccf0f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,7 +10,7 @@ name: Test jobs: install: runs-on: ubuntu-latest - if: github.repository == 'angristan/openvpn-install' && github.actor == 'repo-owner' + if: github.repository == 'angristan/openvpn-install' && github.actor == 'angristan' strategy: matrix: os-image: From 80e89836f1ad568ccfa4e3896987aa7a1d802493 Mon Sep 17 00:00:00 2001 From: Henry N Date: Thu, 30 Apr 2020 23:42:09 +0200 Subject: [PATCH 065/132] fix: add IPv6 INPUT iptables rule on incoming port (#601) Co-authored-by: Stanislas --- openvpn-install.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 20be0af..fb8cf63 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -956,7 +956,8 @@ iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -I INPUT 1 -i tun0 -j ACCEPT ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT -ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh +ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT +ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh fi # Script to remove rules @@ -971,7 +972,8 @@ iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/r echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT -ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh +ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT +ip6tables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh fi chmod +x /etc/iptables/add-openvpn-rules.sh From c24928162d35be081aae3ec3455385862edef0ce Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Thu, 30 Apr 2020 23:43:43 +0200 Subject: [PATCH 066/132] ci: don't run deploy tests on PRs --- .github/workflows/test.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a6ccf0f..e7b1e1c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,9 +2,6 @@ on: push: branches: - master - pull_request: - branches: - - master name: Test jobs: From 9096af167785fd6a40fc3c54e1b3de7425d825b6 Mon Sep 17 00:00:00 2001 
From: Henry N Date: Fri, 1 May 2020 00:04:38 +0200 Subject: [PATCH 067/132] feat: push IPv6 endpoint with DHCP when self-hosted DNS resolver is in use (#600) Co-authored-by: randomshell <43271778+randomshell@users.noreply.github.com> Co-authored-by: Stanislas --- openvpn-install.sh | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index fb8cf63..218c812 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -159,10 +159,17 @@ prefetch: yes' >>/etc/unbound/unbound.conf qname-minimisation: yes prefetch: yes' >/etc/unbound/unbound.conf fi + + # IPv6 DNS for all OS + if [[ "$IPV6_SUPPORT" == 'y' ]]; then + echo 'interface: fd42:42:42:42::1 +access-control: fd42:42:42:42::/112 allow' >> /etc/unbound/unbound.conf + fi if [[ ! $OS =~ (fedora|centos|amzn) ]]; then # DNS Rebinding fix echo "private-address: 10.0.0.0/8 +private-address: fd42:42:42:42::/112 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 @@ -183,13 +190,18 @@ hide-version: yes use-caps-for-id: yes prefetch: yes private-address: 10.0.0.0/8 +private-address: fd42:42:42:42::/112 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 private-address: fd00::/8 private-address: fe80::/10 private-address: 127.0.0.0/8 -private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf +private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf + if [[ "$IPV6_SUPPORT" == 'y' ]]; then + echo 'interface: fd42:42:42:42::1 +access-control: fd42:42:42:42::/112 allow' >> /etc/unbound/openvpn.conf + fi fi systemctl enable unbound 
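Review bot: The `# IPv6 DNS for all OS` block appends `interface: fd42:42:42:42::1` and its `access-control` to `/etc/unbound/unbound.conf` unconditionally, and the Fedora/CentOS branch in the second hunk then writes the identical pair into `/etc/unbound/openvpn.conf`; if that file is included from unbound.conf (the surrounding code suggests so, but the include line is outside the hunk), unbound is asked to bind the same address twice and may refuse to start — keep the IPv6 append in one place, e.g. drop it from the "all OS" block and add it to the Debian-only branch. The two new `private-address: fd42:42:42:42::/112` lines are redundant with the `private-address: fd00::/8` already present a few lines below and can be removed. Appending `interface:` at the end of unbound.conf also assumes the packaged file ends inside the `server:` clause; if a distro default ends with another clause such as `remote-control:`, the line lands in the wrong section, so this is worth checking per distro. The enclosing function starts above the first hunk.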
@@ -784,8 +796,11 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf fi done ;; - 2) # Self-hosted DNS resolver (Unbound) - echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf + 2) # Self-hosted DNS resolver (Unbound) + echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf + if [[ "$IPV6_SUPPORT" == 'y' ]]; then + echo 'push "dhcp-option DNS fd42:42:42:42::1"' >> /etc/openvpn/server.conf + fi ;; 3) # Cloudflare echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf From 5e2e67f78df9f92a8d7ce92338a8f6e653c0c149 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Fri, 1 May 2020 00:10:11 +0200 Subject: [PATCH 068/132] style: format with shfmt --- openvpn-install.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 218c812..5f49ada 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -159,11 +159,11 @@ prefetch: yes' >>/etc/unbound/unbound.conf qname-minimisation: yes prefetch: yes' >/etc/unbound/unbound.conf fi - + # IPv6 DNS for all OS - if [[ "$IPV6_SUPPORT" == 'y' ]]; then + if [[ $IPV6_SUPPORT == 'y' ]]; then echo 'interface: fd42:42:42:42::1 -access-control: fd42:42:42:42::/112 allow' >> /etc/unbound/unbound.conf +access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/unbound.conf fi if [[ ! $OS =~ (fedora|centos|amzn) ]]; then @@ -197,10 +197,10 @@ private-address: 169.254.0.0/16 private-address: fd00::/8 private-address: fe80::/10 private-address: 127.0.0.0/8 -private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf - if [[ "$IPV6_SUPPORT" == 'y' ]]; then +private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf + if [[ $IPV6_SUPPORT == 'y' ]]; then echo 'interface: fd42:42:42:42::1 -access-control: fd42:42:42:42::/112 allow' >> /etc/unbound/openvpn.conf +access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/openvpn.conf fi fi 
@@ -796,11 +796,11 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf fi done ;; - 2) # Self-hosted DNS resolver (Unbound) - echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf - if [[ "$IPV6_SUPPORT" == 'y' ]]; then - echo 'push "dhcp-option DNS fd42:42:42:42::1"' >> /etc/openvpn/server.conf - fi + 2) # Self-hosted DNS resolver (Unbound) + echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf + if [[ $IPV6_SUPPORT == 'y' ]]; then + echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server.conf + fi ;; 3) # Cloudflare echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf From 317c4dbdbf2bcfd4bd867cc3d5502a4a1738c3ee Mon Sep 17 00:00:00 2001 From: randomshell Date: Thu, 7 May 2020 20:07:25 +0000 Subject: [PATCH 069/132] Remove easy-rsa <3.0.7 workaround We have easy-rsa 3.0.7 and it's not needed anymore --- openvpn-install.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 5f49ada..4a9e347 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -719,11 +719,6 @@ function installOpenVPN() { # Create the PKI, set up the CA, the DH params and the server certificate ./easyrsa init-pki - - # Workaround to remove unharmful error until easy-rsa 3.0.7 - # https://github.com/OpenVPN/easy-rsa/issues/261 - sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf - ./easyrsa --batch build-ca nopass if [[ $DH_TYPE == "2" ]]; then From 6ee5787a29440b7dfcdfd61653eb8bb0dac8ff50 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sun, 10 May 2020 22:27:57 +0200 Subject: [PATCH 070/132] Add contributors hall-of-fame --- README.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4f93e55..67c3965 100644 --- a/README.md +++ b/README.md 
@@ -183,7 +183,22 @@ Solutions that provision a ready to use OpenVPN server based on this script in o - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install) -## Contributing / Code formatting +## Contributing + +### Contributors hall-of-fame + +Thanks ❤️ + +[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/0)](https://github.com/angristan/openvpn-install/graphs/contributors) +[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/1)](https://github.com/angristan/openvpn-install/graphs/contributors) +[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/2)](https://github.com/angristan/openvpn-install/graphs/contributors) +[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/3)](https://github.com/angristan/openvpn-install/graphs/contributors) +[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/4)](https://github.com/angristan/openvpn-install/graphs/contributors) +[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/5)](https://github.com/angristan/openvpn-install/graphs/contributors) +[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/6)](https://github.com/angristan/openvpn-install/graphs/contributors) +[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/7)](https://github.com/angristan/openvpn-install/graphs/contributors) + +### Code formatting We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml). From b2888fa514946edb1aa9803eeb1780b5c90b3bc7 Mon Sep 17 00:00:00 2001 
From: Shubham Date: Sat, 16 May 2020 01:36:18 +0530 Subject: [PATCH 071/132] readme: fix typo (#664) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 67c3965..759540f 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ In your home directory, you will have `.ovpn` files. These are the client config If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue. -**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special. +**PLEASE do not send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special. ### Headless install From 15b2c986af5047ad26aa2d7b6d32c932f34d7b8e Mon Sep 17 00:00:00 2001 From: robiiinos Date: Fri, 26 Jun 2020 22:37:38 +0200 Subject: [PATCH 072/132] ci: make linter great again --- .github/workflows/lint.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 4628851..13ffd36 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,19 +7,21 @@ on: - master name: Lint + jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@v2 - name: shellcheck - uses: ludeeus/action-shellcheck@0.0.1 + uses: ludeeus/action-shellcheck@0.2.1 env: SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 + shfmt: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@v2 - name: shfmt uses: bltavares/actions/shfmt@master env: 
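Review bot: The actions in the new lines are pinned to mutable tags (`ludeeus/action-shellcheck@0.2.1`, `actions/checkout@v2`) and `bltavares/actions/shfmt@master` is left floating, so the lint job still executes whatever those refs resolve to at run time; pinning to a full commit SHA with the tag kept as a trailing comment is the usual fix, e.g. `uses: ludeeus/action-shellcheck@<commit-sha> # 0.2.1`. The same applies to the `appleboy/ssh-action@v0.1.2` pins in the test.yml hunks of the later "Pin GitHub Actions version" commit and to the dependabot bumps that follow. Separately, `SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009` excludes SC1072, SC1073 and SC1009, which are shellcheck's parse-error codes, so a script that fails to parse would pass this job; those three should come out of the exclude list.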
From 101f0365ba4e1bbffa21799479c0dea6098ee39f Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Fri, 26 Jun 2020 23:30:07 +0200 Subject: [PATCH 073/132] deps: add dependabot for actions versions --- .github/dependabot.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..f4d737f --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,10 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + assignees: + - "angristan" + reviewers: + - "angristan" From b11296870ffdb397168f142f1cc48ec7ebb8b0a8 Mon Sep 17 00:00:00 2001 From: robiiinos Date: Sat, 27 Jun 2020 12:29:43 +0200 Subject: [PATCH 074/132] Typo in README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 759540f..dae8552 100644 --- a/README.md +++ b/README.md @@ -216,7 +216,7 @@ Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://gith By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient. -However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it. +However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it. ### TLS version From ed26d6a649bf5396f999cc9508dfaaf276c185ad Mon Sep 17 00:00:00 2001 From: robiiinos Date: Sat, 27 Jun 2020 12:30:20 +0200 Subject: [PATCH 075/132] Update error message on CentOS install --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4a9e347..9ddcbb8 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -61,7 +61,7 @@ function checkOS() { if [[ ! $VERSION_ID =~ (7|8) ]]; then echo "⚠️ Your version of CentOS is not supported." echo "" - echo "The script only support CentOS 7." + echo "The script only support CentOS 7 and CentOS 8." echo "" exit 1 fi From 2a73a41f715f8d1e06299d58bdbb283fadd51294 Mon Sep 17 00:00:00 2001 From: robiiinos Date: Sat, 27 Jun 2020 12:44:22 +0200 Subject: [PATCH 076/132] Add new dns leak tests to FAQ --- FAQ.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/FAQ.md b/FAQ.md index b891666..8c894c0 100644 --- a/FAQ.md +++ b/FAQ.md @@ -10,7 +10,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you **Q:** How do I check for DNS leaks? -**A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up. +**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Only your server's IP should show up. --- From 3f04a554ef31ac5093ef4fc9ccf67b25943e8f1a Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sun, 28 Jun 2020 19:56:27 +0200 Subject: [PATCH 077/132] Update FUNDING.yml --- .github/FUNDING.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml index 7d1aa44..d5689d8 100644 --- a/.github/FUNDING.yml +++ b/.github/FUNDING.yml @@ -1,3 +1,3 @@ -patreon: angristan -liberapay: angristan -ko_fi: angristan +patreon: stanislas +liberapay: stanislas +ko_fi: stanislas From 9e1fe367bf8452fa19d2d5b46cb8263792f4f9d7 Mon Sep 17 00:00:00 2001 From: robiiinos Date: Mon, 29 Jun 2020 09:09:38 +0200 Subject: [PATCH 078/132] Default DNS to AdGuard --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9ddcbb8..5bdcf9f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
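Review bot: The new message reads `The script only support CentOS 7 and CentOS 8.`; it should be `echo "The script only supports CentOS 7 and CentOS 8."`. The guard just above it, `[[ ! $VERSION_ID =~ (7|8) ]]`, is unanchored, so any VERSION_ID containing a 7 or an 8 passes; `[[ ! $VERSION_ID =~ ^(7|8)$ ]]` would match only the two versions the message names. The enclosing checkOS function continues outside the hunk.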
@@ -315,7 +315,7 @@ function installQuestions() { echo " 12) NextDNS (Anycast: worldwide)" echo " 13) Custom" until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do - read -rp "DNS [1-12]: " -e -i 3 DNS + read -rp "DNS [1-12]: " -e -i 11 DNS if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then echo "" echo "Unbound is already installed." From a35cd2eca4dce9eb9698785cecc32c3faf59babf Mon Sep 17 00:00:00 2001 From: cn3lfs Date: Tue, 30 Jun 2020 15:14:19 +0800 Subject: [PATCH 079/132] change mkdir to mkdir -p for directory not exist change mkdir to mkdir -p for directory /etc/openvpn/easy-rsa not exist --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9ddcbb8..0ae3821 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -694,7 +694,7 @@ function installOpenVPN() { if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then local version="3.0.7" wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz - mkdir /etc/openvpn/easy-rsa + mkdir -p /etc/openvpn/easy-rsa tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa rm -f ~/easy-rsa.tgz From bbd29a81782adaaf6dff02f48b9016eb1c9a765e Mon Sep 17 00:00:00 2001 From: randomshell Date: Thu, 2 Jul 2020 20:04:26 +0000 Subject: [PATCH 080/132] Update easy-rsa link in README to 3.0.7 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index dae8552..730ac49 100644 --- a/README.md +++ b/README.md 
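Review bot: The default changed to 11, but the prompt on the same line still reads `DNS [1-12]: ` while the loop condition accepts 1 through 13; the line should be `read -rp "DNS [1-13]: " -e -i 11 DNS`. The enclosing until loop continues outside the hunk.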
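Review bot: `mkdir -p` is the right call here, but the tarball fetched by the `wget -O ~/easy-rsa.tgz ...` line just above is extracted into /etc/openvpn/easy-rsa with no integrity check, so a tampered or truncated download becomes the tooling that builds the server's CA. Since `version` is already pinned to 3.0.7, a checksum could be verified before `tar xzf`, e.g. `echo "<sha256-of-EasyRSA-3.0.7.tgz>  $HOME/easy-rsa.tgz" | sha256sum -c -`, with the hash filled in from the release rather than guessed. The enclosing if block ends outside the hunk.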
@@ -210,7 +210,7 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete. -Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file. +Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.7/easyrsa3/vars.example) file. ### Compression From d37ffde48ec241e35f5c6f1b28aa06ec028a888c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Jul 2020 06:11:26 +0000 Subject: [PATCH 081/132] build(deps): bump ludeeus/action-shellcheck from 0.2.1 to 0.4.1 Bumps [ludeeus/action-shellcheck](https://github.com/ludeeus/action-shellcheck) from 0.2.1 to 0.4.1. - [Release notes](https://github.com/ludeeus/action-shellcheck/releases) - [Commits](https://github.com/ludeeus/action-shellcheck/compare/0.2.1...2394c9008b9dfe3897187f907e93b57eedeeedb2) Signed-off-by: dependabot[bot] --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 13ffd36..90c178e 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: shellcheck - uses: ludeeus/action-shellcheck@0.2.1 + uses: ludeeus/action-shellcheck@0.4.1 env: SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 From b4773385a48235d444b12adc2b04caccbfd96ac5 Mon Sep 17 00:00:00 2001 
From: Aleksander Date: Fri, 17 Jul 2020 22:10:31 +0300 Subject: [PATCH 082/132] Updated client name input restrictions and hint --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9ddcbb8..9242f41 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1052,9 +1052,9 @@ verb 3" >>/etc/openvpn/client-template.txt function newClient() { echo "" echo "Tell me a name for the client." - echo "Use one word only, no special characters." + echo "The name must consist of alphanumeric character. It may also include an underscore or a dash." - until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do + until [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; do read -rp "Client name: " -e CLIENT done From 54b884e7b11ec1b48e20e4fc9515bf9d1e53b872 Mon Sep 17 00:00:00 2001 From: "D. Robin" <16455953+robiiinos@users.noreply.github.com> Date: Sat, 25 Jul 2020 17:06:55 +0200 Subject: [PATCH 083/132] Pin GitHub Actions version (#702) --- .github/workflows/test.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e7b1e1c..c37f47e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,7 @@ jobs: - centos-7-x64 - centos-8-x64 steps: - - uses: actions/checkout@master + - uses: actions/checkout@v2 - name: Setup doctl uses: digitalocean/action-doctl@v2 @@ -51,7 +51,7 @@ jobs: - name: Setup remote server (Debian/Ubuntu) if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu' - uses: appleboy/ssh-action@master + uses: appleboy/ssh-action@v0.1.2 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -60,7 +60,7 @@ jobs: - name: Setup remote server (Fedora) if: steps.server_os.outputs.value == 'fedora' - uses: appleboy/ssh-action@master + uses: appleboy/ssh-action@v0.1.2 with: host: ${{ steps.server_ip.outputs.value }} username: root 
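Review bot: Widening the pattern to `^[a-zA-Z0-9_-]+$` now accepts a name that begins with a dash, and CLIENT is presumably handed to easyrsa and other commands as a positional argument later in the function, where a leading `-` can be read as an option; requiring an alphanumeric or underscore first character, `until [[ $CLIENT =~ ^[a-zA-Z0-9_][a-zA-Z0-9_-]*$ ]]; do`, keeps the new characters without that edge case. The hint text also has a grammar slip: `echo "The name must consist of alphanumeric characters. It may also include an underscore or a dash."`. newClient continues outside the hunk.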
@@ -69,7 +69,7 @@ jobs: - name: Setup remote server (CentOS) if: steps.server_os.outputs.value == 'centos' - uses: appleboy/ssh-action@master + uses: appleboy/ssh-action@v0.1.2 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -77,7 +77,7 @@ jobs: script: set -x && yum install -y git - name: Download repo and checkout current commit - uses: appleboy/ssh-action@master + uses: appleboy/ssh-action@v0.1.2 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -85,7 +85,7 @@ jobs: script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} - name: Run openvpn-install.sh in headless mode - uses: appleboy/ssh-action@master + uses: appleboy/ssh-action@v0.1.2 with: host: ${{ steps.server_ip.outputs.value }} username: root From 5c2a86f27e8de46074d760dee490d46d2d26c1d5 Mon Sep 17 00:00:00 2001 From: randomshell Date: Tue, 28 Jul 2020 10:24:57 +0000 Subject: [PATCH 084/132] Update distro compatibility list and remove Debian 8 support (#654) --- README.md | 9 ++++----- openvpn-install.sh | 9 ++------- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 730ac49..a82f069 100644 --- a/README.md +++ b/README.md @@ -117,13 +117,12 @@ The script supports these OS and architectures: | --------------- | ---- | ----- | ----- | ----- | | Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | | Arch Linux | ❔ | ✅ | ❔ | ✅ | -| CentOS 7 | ❔ | ✅ | ❌ | ✅ | -| CentOS 8 | ❌ | ✅ | ❔ | ❔ | -| Debian 8 | ✅ | ✅ | ❌ | ❌ | -| Debian >= 9 | ❌ | ✅ | ✅ | ✅ | +| CentOS 7 | ✅ | ✅ | ✅ | ✅ | +| CentOS 8 | ❌ | ✅ | ❌ | ✅ | +| Debian >= 9 | ✅ | ✅ | ✅ | ✅ | | Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | | Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu >= 18.04 | ❌ | ✅ | ✅ | ✅ | +| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ | To be noted: diff --git a/openvpn-install.sh b/openvpn-install.sh index 5bdcf9f..0529726 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -22,10 +22,10 @@ function checkOS() { source /etc/os-release if [[ $ID == "debian" || $ID == "raspbian" ]]; then - if [[ $VERSION_ID -lt 8 ]]; then + if [[ $VERSION_ID -lt 9 ]]; then echo "⚠️ Your version of Debian is not supported." echo "" - echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk." + echo "However, if you're using Debian >= 9 or unstable/testing then you can continue, at your own risk." echo "" until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE @@ -653,11 +653,6 @@ function installOpenVPN() { apt-get update apt-get -y install ca-certificates gnupg # We add the OpenVPN repo to get the latest version. - if [[ $VERSION_ID == "8" ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - - apt-get update - fi if [[ $VERSION_ID == "16.04" ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - From a486d07436967fe26b6f74be937c842218dcbce4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 Jul 2020 05:54:32 +0000 Subject: [PATCH 085/132] build(deps): bump ludeeus/action-shellcheck from 0.4.1 to 0.5.0 Bumps [ludeeus/action-shellcheck](https://github.com/ludeeus/action-shellcheck) from 0.4.1 to 0.5.0. - [Release notes](https://github.com/ludeeus/action-shellcheck/releases) - [Commits](https://github.com/ludeeus/action-shellcheck/compare/0.4.1...c489c81f79527f818be72b97b918b06e75eaee6d) Signed-off-by: dependabot[bot] --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 90c178e..34e2736 100644 --- a/.github/workflows/lint.yml 
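Review bot: `if [[ $VERSION_ID -lt 9 ]]; then` depends on bash evaluating an unset VERSION_ID as 0 inside `[[ -lt ]]`, which is what routes Debian testing/sid — whose os-release carries no VERSION_ID — into the "continue at your own risk" prompt the new message mentions; that coupling is easy to break in a later edit and deserves a comment, e.g. `# testing/sid have no VERSION_ID and evaluate as 0, so they reach this prompt too`. The enclosing if block continues outside the hunk.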
+++ b/.github/workflows/lint.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: shellcheck - uses: ludeeus/action-shellcheck@0.4.1 + uses: ludeeus/action-shellcheck@0.5.0 env: SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 From 9579e29ccf3c7691007bc0c1e8b035a76fdc95d8 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Thu, 30 Jul 2020 12:44:57 +0200 Subject: [PATCH 086/132] Update provider links --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a82f069..23a3957 100644 --- a/README.md +++ b/README.md @@ -145,8 +145,9 @@ More Q&A in [FAQ.md](FAQ.md). **A:** I recommend these: - [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month -- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month +- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month - [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month +- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month --- From 1e3006c9ecd9f36b35b7a40074c023429b758e88 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 3 Aug 2020 17:50:40 +0200 Subject: [PATCH 087/132] Shellcheck: move excludes to action env --- .github/workflows/lint.yml | 28 +++++++++++----------------- openvpn-install.sh | 3 --- 2 files changed, 11 insertions(+), 20 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 34e2736..7aaf095 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,10 +1,4 @@ -on: - push: - branches: - - master - pull_request: - branches: - - master +on: push name: Lint 
@@ -12,17 +6,17 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: shellcheck - uses: ludeeus/action-shellcheck@0.5.0 - env: - SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 + - uses: actions/checkout@v2 + - name: shellcheck + uses: ludeeus/action-shellcheck@0.5.0 + env: + SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 shfmt: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: shfmt - uses: bltavares/actions/shfmt@master - env: - SHFMT_ARGS: -d + - uses: actions/checkout@v2 + - name: shfmt + uses: bltavares/actions/shfmt@master + env: + SHFMT_ARGS: -d diff --git a/openvpn-install.sh b/openvpn-install.sh index c0fe624..685f607 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -18,7 +18,6 @@ function tunAvailable() { function checkOS() { if [[ -e /etc/debian_version ]]; then OS="debian" - # shellcheck disable=SC1091 source /etc/os-release if [[ $ID == "debian" || $ID == "raspbian" ]]; then @@ -51,7 +50,6 @@ function checkOS() { fi fi elif [[ -e /etc/system-release ]]; then - # shellcheck disable=SC1091 source /etc/os-release if [[ $ID == "fedora" ]]; then OS="fedora" @@ -1206,7 +1204,6 @@ function removeUnbound() { function removeOpenVPN() { echo "" - # shellcheck disable=SC2034 read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE if [[ $REMOVE == 'y' ]]; then # Get OpenVPN port from the configuration From 25d00c197e99cad163c54f99c29af122f9202cc8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Aug 2020 05:32:40 +0000 Subject: [PATCH 088/132] build(deps): bump appleboy/ssh-action from v0.1.2 to v0.1.3 Bumps [appleboy/ssh-action](https://github.com/appleboy/ssh-action) from v0.1.2 to v0.1.3. - [Release notes](https://github.com/appleboy/ssh-action/releases) - [Commits](https://github.com/appleboy/ssh-action/compare/v0.1.2...bf84735fa9986d048980965656d55112e863f432) 
Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c37f47e..52a4307 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -51,7 +51,7 @@ jobs: - name: Setup remote server (Debian/Ubuntu) if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu' - uses: appleboy/ssh-action@v0.1.2 + uses: appleboy/ssh-action@v0.1.3 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -60,7 +60,7 @@ jobs: - name: Setup remote server (Fedora) if: steps.server_os.outputs.value == 'fedora' - uses: appleboy/ssh-action@v0.1.2 + uses: appleboy/ssh-action@v0.1.3 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -69,7 +69,7 @@ jobs: - name: Setup remote server (CentOS) if: steps.server_os.outputs.value == 'centos' - uses: appleboy/ssh-action@v0.1.2 + uses: appleboy/ssh-action@v0.1.3 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -77,7 +77,7 @@ jobs: script: set -x && yum install -y git - name: Download repo and checkout current commit - uses: appleboy/ssh-action@v0.1.2 + uses: appleboy/ssh-action@v0.1.3 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -85,7 +85,7 @@ jobs: script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} - name: Run openvpn-install.sh in headless mode - uses: appleboy/ssh-action@v0.1.2 + uses: appleboy/ssh-action@v0.1.3 with: host: ${{ steps.server_ip.outputs.value }} username: root From 9623867026c82615f86c5f30907c082cc4f1d7fb Mon Sep 17 00:00:00 2001 
From: Gal Bracha Date: Tue, 8 Sep 2020 11:47:31 +0300 Subject: [PATCH 089/132] FAQ - Added how to set up part of the routing # Implements Updated `FAQ.md` - Added how to set only some of the traffic to go through the VPN and the rest using the normal connection --- FAQ.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/FAQ.md b/FAQ.md index 8c894c0..87e6afe 100644 --- a/FAQ.md +++ b/FAQ.md @@ -124,3 +124,14 @@ for i in ${userlist[@]};do MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh done ``` +--- + +**Q:** For my clients - I want to set my internal network to pass through the VPN and the rest to go through my internet? + +**A:** You would need to edit the `.ovpn` file. You can edit the template out of which those files are created by editing `/etc/openvpn/client-template.txt` file and adding + + ```sh +route-nopull +route 10.0.0.0 255.0.0.0 +``` +So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet. From cb23f0ec2485341d0f01bb81c5fbcc7b304b1143 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Fri, 2 Oct 2020 21:29:20 +0200 Subject: [PATCH 090/132] Add badge to README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 23a3957..0d12296 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # openvpn-install -![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg) ![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg) +![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg) ![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg) [![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Fangristan%2Fopenvpn-install&count_bg=%2379C83D&title_bg=%23555555&icon=&icon_color=%23E7E7E7&title=hits&edge_flat=false)](https://hits.seeyoufarm.com) OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux. 
From 2950fd445752fd0515cdbf37b28ab8a494bc8299 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 3 Oct 2020 19:04:08 +0200 Subject: [PATCH 091/132] action: get public IP from doctl Fix #737 --- .github/workflows/test.yml | 124 ++++++++++++++++++------------------- 1 file changed, 62 insertions(+), 62 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 52a4307..edd5d5d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,7 +1,7 @@ on: push: branches: - - master + - master name: Test jobs: 
@@ -21,77 +21,77 @@ jobs: - centos-7-x64 - centos-8-x64 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v2 - - name: Setup doctl - uses: digitalocean/action-doctl@v2 - with: - token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} + - name: Setup doctl + uses: digitalocean/action-doctl@v2 + with: + token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} - - name: Create server - run: doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} --size s-1vcpu-1gb --image ${{ matrix.os-image }} --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4 --wait + - name: Create server + run: doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} --size s-1vcpu-1gb --image ${{ matrix.os-image }} --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4 --wait - - name: Get server ID - run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").id') - id: server_id + - name: Get server ID + run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").id') + id: server_id - - name: Move server to dedicated project - run: doctl projects resources assign ${{ secrets.DIGITALOCEAN_PROJECT_ID }} --resource=do:droplet:${{ steps.server_id.outputs.value }} + - name: Move server to dedicated project + run: doctl projects resources assign ${{ secrets.DIGITALOCEAN_PROJECT_ID }} --resource=do:droplet:${{ steps.server_id.outputs.value }} - - name: Wait for server to boot - run: sleep 90 + - name: Wait for server to boot + run: sleep 90 - - name: Get server IP - run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == 
"'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").networks.v4 | .[0].ip_address') - id: server_ip + - name: Get server IP + run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").networks.v4 | .[] | select(.type == "'public'").ip_address') + id: server_ip - - name: Get server OS - run: echo ::set-output name=value::$(echo ${{ matrix.os-image }} | cut -d '-' -f1) - id: server_os + - name: Get server OS + run: echo ::set-output name=value::$(echo ${{ matrix.os-image }} | cut -d '-' -f1) + id: server_os - - name: Setup remote server (Debian/Ubuntu) - if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu' - uses: appleboy/ssh-action@v0.1.3 - with: - host: ${{ steps.server_ip.outputs.value }} - username: root - key: ${{ secrets.SSH_KEY }} - script: set -x && apt-get update && apt-get install -y git + - name: Setup remote server (Debian/Ubuntu) + if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu' + uses: appleboy/ssh-action@v0.1.3 + with: + host: ${{ steps.server_ip.outputs.value }} + username: root + key: ${{ secrets.SSH_KEY }} + script: set -x && apt-get update && apt-get install -y git - - name: Setup remote server (Fedora) - if: steps.server_os.outputs.value == 'fedora' - uses: appleboy/ssh-action@v0.1.3 - with: - host: ${{ steps.server_ip.outputs.value }} - username: root - key: ${{ secrets.SSH_KEY }} - script: set -x && dnf install -y git + - name: Setup remote server (Fedora) + if: steps.server_os.outputs.value == 'fedora' + uses: appleboy/ssh-action@v0.1.3 + with: + host: ${{ steps.server_ip.outputs.value }} + username: root + key: ${{ secrets.SSH_KEY }} + script: set -x && dnf install -y git - - name: Setup remote server (CentOS) - if: steps.server_os.outputs.value == 'centos' - uses: appleboy/ssh-action@v0.1.3 - with: - host: ${{ 
steps.server_ip.outputs.value }} - username: root - key: ${{ secrets.SSH_KEY }} - script: set -x && yum install -y git + - name: Setup remote server (CentOS) + if: steps.server_os.outputs.value == 'centos' + uses: appleboy/ssh-action@v0.1.3 + with: + host: ${{ steps.server_ip.outputs.value }} + username: root + key: ${{ secrets.SSH_KEY }} + script: set -x && yum install -y git - - name: Download repo and checkout current commit - uses: appleboy/ssh-action@v0.1.3 - with: - host: ${{ steps.server_ip.outputs.value }} - username: root - key: ${{ secrets.SSH_KEY }} - script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} + - name: Download repo and checkout current commit + uses: appleboy/ssh-action@v0.1.3 + with: + host: ${{ steps.server_ip.outputs.value }} + username: root + key: ${{ secrets.SSH_KEY }} + script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} - - name: Run openvpn-install.sh in headless mode - uses: appleboy/ssh-action@v0.1.3 - with: - host: ${{ steps.server_ip.outputs.value }} - username: root - key: ${{ secrets.SSH_KEY }} - script: 'set -x && AUTO_INSTALL=y bash -x ~/openvpn-install/openvpn-install.sh && ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1' + - name: Run openvpn-install.sh in headless mode + uses: appleboy/ssh-action@v0.1.3 + with: + host: ${{ steps.server_ip.outputs.value }} + username: root + key: ${{ secrets.SSH_KEY }} + script: 'set -x && AUTO_INSTALL=y bash -x ~/openvpn-install/openvpn-install.sh && ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1' - - name: Delete server - run: doctl compute droplet delete -f 
openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} - if: always() + - name: Delete server + run: doctl compute droplet delete -f openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} + if: always() From 7ddd525edfceb7b83117f42fec3bcfa63f21a5fc Mon Sep 17 00:00:00 2001 From: Gal Bracha Date: Mon, 12 Oct 2020 10:28:22 +0300 Subject: [PATCH 092/132] Update FAQ.md Added instructions on the `/etc/openvpn/client-template.txt` as requested --- FAQ.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/FAQ.md b/FAQ.md index 87e6afe..4a7d2de 100644 --- a/FAQ.md +++ b/FAQ.md @@ -124,6 +124,13 @@ for i in ${userlist[@]};do MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh done ``` + +--- + +**Q:** How do I change the default `.ovpn` file created for future clients? + +**A:** You can edit the template out of which `.ovpn` files are created by editing `/etc/openvpn/client-template.txt` + --- **Q:** For my clients - I want to set my internal network to pass through the VPN and the rest to go through my internet? From 4eb349bf104e1b646e5f12957bd36a7e8731c9f3 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 19 Oct 2020 12:03:44 +0200 Subject: [PATCH 093/132] readme: update badge --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0d12296..f1743c6 100644 --- a/README.md +++ b/README.md 
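Review bot: The new jq filter in the "Get server IP" step, `.networks.v4 | .[] | select(.type == "public").ip_address`, emits one line per public v4 address, and the unquoted `$(...)` in the echo joins them with spaces into a single value, so a droplet that ever reports more than one public address would yield a host string like `a.b.c.d e.f.g.h`; appending `| head -n1` (or using jq's `first(...)`) makes the choice explicit. In the "Run openvpn-install.sh in headless mode" step, `ps aux | grep openvpn | grep -v grep` is the ps-grep anti-pattern and the `&& ... && exit 0 || ... && exit 1` chain stands in for an if/else; `pgrep -x openvpn >/dev/null` inside a plain if/else would be clearer. Only the jq change is new code; the rest of the hunk is re-indentation.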
@@ -1,6 +1,8 @@ # openvpn-install -![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg) ![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg) [![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Fangristan%2Fopenvpn-install&count_bg=%2379C83D&title_bg=%23555555&icon=&icon_color=%23E7E7E7&title=hits&edge_flat=false)](https://hits.seeyoufarm.com) +![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg) +![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg) +![visitors](https://visitor-badge.glitch.me/badge?page_id=angristan.openvpn-install) OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux. From 8d05ce62e826a014109f0853a2254be29f8e6643 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 19 Oct 2020 12:16:59 +0200 Subject: [PATCH 094/132] actions: remove fedora 30, add 32 --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index edd5d5d..2353c32 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -16,8 +16,8 @@ jobs: - ubuntu-18-04-x64 - ubuntu-16-04-x64 - ubuntu-20-04-x64 - - fedora-30-x64 - fedora-31-x64 + - fedora-32-x64 - centos-7-x64 - centos-8-x64 steps: From cef199916d567d66dbe90a5e4c668735bfd241e3 Mon Sep 17 00:00:00 2001 From: Phonic Mouse Date: Tue, 20 Oct 2020 16:31:12 +0200 Subject: [PATCH 095/132] Added automatic NAT public IP discovery (#735) --- openvpn-install.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 685f607..905b3f9 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -219,6 +219,7 @@ function installQuestions() { # Detect public IPv4 address and pre-fill for the user IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1) + if [[ -z $IP ]]; then # Detect public IPv6 address IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1) @@ -232,8 +233,10 @@ function installQuestions() { echo "" echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?" echo "We need it for the clients to connect to the server." + + PUBLICIP=$(curl -s https://api.ipify.org) until [[ $ENDPOINT != "" ]]; do - read -rp "Public IPv4 address or hostname: " -e ENDPOINT + read -rp "Public IPv4 address or hostname: " -e -i "$PUBLICIP" ENDPOINT done fi From 9935c96cdf68e14dc41f6cdb887a2a54faa248ed Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 20 Oct 2020 16:40:43 +0200 Subject: [PATCH 096/132] ci: update triggers --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 7aaf095..d86031e 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,4 +1,4 @@ -on: push +on: [push, pull_request, pull_request_target] name: Lint From 73c5304fdae9e821fa8da6e75e04ce3a34474f38 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Tue, 20 Oct 2020 16:42:35 +0200 Subject: [PATCH 097/132] style: format with shfmt --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 905b3f9..0e1671d 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -219,7 +219,7 @@ function installQuestions() { # Detect public IPv4 address and pre-fill for the user IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1) - + if [[ -z $IP ]]; then # Detect public IPv6 address IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1) 
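Review bot: `PUBLICIP=$(curl -s https://api.ipify.org)` in the second hunk has no timeout and no failure check, so an unreachable or slow api.ipify.org stalls the installer at this prompt, and with `-s` alone an HTTP error body would be offered to the operator as the default endpoint. The value also comes from a third-party service and is never checked to be an IPv4 address before being pre-filled into `read -e -i`. Suggest `PUBLICIP=$(curl -fsS --max-time 10 https://api.ipify.org 2>/dev/null)` and passing it to `-i` only when it is empty or matches an IPv4 regex, with a comment such as `# best-effort hint only; the operator confirms the value at the prompt`. installQuestions continues outside both hunks.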
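Review bot: Adding `pull_request_target` to the trigger list runs this workflow with the base repository's privileged `GITHUB_TOKEN` for pull requests from forks, which is only safe as long as no step checks out or executes the PR head. The lint job's checkout step is not in this hunk, so I can't confirm which ref it uses; if it now or later checks out `github.event.pull_request.head.sha`, untrusted PR content would run with a write-capable token. If the goal is simply to lint fork PRs, `pull_request` already does that with a read-only token, so `on: [push, pull_request]` is the safer form unless a privileged step is actually required.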
@@ -233,7 +233,7 @@ function installQuestions() { echo "" echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?" echo "We need it for the clients to connect to the server." - + PUBLICIP=$(curl -s https://api.ipify.org) until [[ $ENDPOINT != "" ]]; do read -rp "Public IPv4 address or hostname: " -e -i "$PUBLICIP" ENDPOINT From 2e193e33cb6843db9f4a027241c4ddf3a5dbfb0b Mon Sep 17 00:00:00 2001 From: Dave Eargle Date: Tue, 20 Oct 2020 15:44:52 -0600 Subject: [PATCH 098/132] increase priority of sysctl conf file (#750) Prevents GCP cloud platform's default security policy for instances, which uses prefix 60-, from overriding ip_forward. Also future-proofs against any other such default policy. --- openvpn-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0e1671d..9269680 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -891,9 +891,9 @@ verb 3" >>/etc/openvpn/server.conf mkdir -p /var/log/openvpn # Enable routing - echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/20-openvpn.conf + echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-openvpn.conf if [[ $IPV6_SUPPORT == 'y' ]]; then - echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/20-openvpn.conf + echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/99-openvpn.conf fi # Apply sysctl rules sysctl --system @@ -1266,7 +1266,7 @@ function removeOpenVPN() { find /root/ -maxdepth 1 -name "*.ovpn" -delete rm -rf /etc/openvpn rm -rf /usr/share/doc/openvpn* - rm -f /etc/sysctl.d/20-openvpn.conf + rm -f /etc/sysctl.d/99-openvpn.conf rm -rf /var/log/openvpn # Unbound From 7b7567e7cbdf1c69bad0e4fc87941231281536be Mon Sep 17 00:00:00 2001 
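Review bot: The drop-in is renamed to `99-openvpn.conf` on install, but `removeOpenVPN` in the second hunk now deletes only `99-openvpn.conf`, so hosts set up by an earlier version keep a stale `/etc/sysctl.d/20-openvpn.conf` and IP forwarding stays enabled after an uninstall. Remove both names, `rm -f /etc/sysctl.d/20-openvpn.conf /etc/sysctl.d/99-openvpn.conf`, and consider the same cleanup before writing the new file in the first hunk so two drop-ins don't both set the key. The FAQ text visible elsewhere in this series still points readers at the `20-` path and should follow. Both enclosing functions continue outside the hunks.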
From: randomshell Date: Wed, 21 Oct 2020 11:57:45 +0000 Subject: [PATCH 099/132] Remove key-direction from tls-crypt option (#748) In contrast to --tls-auth, --tls-crypt does *not* require the user to set --key-direction. Thus syntax is `--tls-crypt keyfile` --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9269680..45d12a4 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -864,7 +864,7 @@ push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf case $TLS_SIG in 1) - echo "tls-crypt tls-crypt.key 0" >>/etc/openvpn/server.conf + echo "tls-crypt tls-crypt.key" >>/etc/openvpn/server.conf ;; 2) echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf From bd047c08d7529586b68e199204a4d0ae0af7ab46 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Wed, 21 Oct 2020 13:59:49 +0200 Subject: [PATCH 100/132] ci: use super-linter (#683) --- .editorconfig | 3 +++ .github/linters/.markdown-lint.yml | 1 + .github/workflows/lint.yml | 20 ++++++-------------- FAQ.md | 9 +++++---- README.md | 5 ++--- openvpn-install.sh | 1 + 6 files changed, 18 insertions(+), 21 deletions(-) create mode 100644 .editorconfig create mode 100644 .github/linters/.markdown-lint.yml diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..b4d9ec4 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,3 @@ +[*.sh] +indent_style = tab +indent_size = 4 diff --git a/.github/linters/.markdown-lint.yml b/.github/linters/.markdown-lint.yml new file mode 100644 index 0000000..68d1fdf --- /dev/null +++ b/.github/linters/.markdown-lint.yml @@ -0,0 +1 @@ +{ 'MD013': null, 'MD045': null, 'MD040': null, 'MD036': null } diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index d86031e..082bca5 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -3,20 +3,12 @@ on: [push, pull_request, pull_request_target] name: Lint jobs: - shellcheck: + super-linter: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: shellcheck - uses: ludeeus/action-shellcheck@0.5.0 + - name: Checkout Code + uses: actions/checkout@v2 + - name: Lint Code Base + uses: github/super-linter@v3.13.1 env: - SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 - - shfmt: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: shfmt - uses: bltavares/actions/shfmt@master - env: - SHFMT_ARGS: -d + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/FAQ.md b/FAQ.md index 4a7d2de..ee0e51a 100644 --- a/FAQ.md +++ b/FAQ.md @@ -69,7 +69,7 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s **Q:** IPv6 is not working on my Hetzner VM -**A:** This an issue on their side. See https://angristan.xyz/fix-ipv6-hetzner-cloud/ +**A:** This an issue on their side. See --- @@ -117,11 +117,11 @@ Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` **A:** Here is a sample bash script to achieve this: - ```sh +```sh userlist=(user1 user2 user3) for i in ${userlist[@]};do - MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh + MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh done ``` @@ -137,8 +137,9 @@ done **A:** You would need to edit the `.ovpn` file. You can edit the template out of which those files are created by editing `/etc/openvpn/client-template.txt` file and adding - ```sh +```sh route-nopull route 10.0.0.0 255.0.0.0 ``` + So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet. diff --git a/README.md b/README.md index f1743c6..d9ba9be 100644 --- a/README.md +++ b/README.md 
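Review bot: `uses: github/super-linter@v3.13.1` is pinned to a mutable tag and is handed `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, while the hunk header's context shows the workflow still triggers on `pull_request_target`; a third-party action holding a repo-scoped token on that trigger deserves a commit-SHA pin, e.g. `uses: github/super-linter@<full-commit-sha> # v3.13.1`. The removed shellcheck/shfmt steps were pinned to a tag and to `@master`, so this is not a regression, but it is the moment to fix it. Also, `actions/checkout@v2` with no `ref` checks out the base branch under `pull_request_target`, so on that trigger the PR's changes are not what gets linted — worth a comment or dropping that trigger.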
@@ -249,9 +249,8 @@ By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old > The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. > -> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details. - -> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation. +> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See for details. +> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See for a much better and more elaborate explanation. > > OpenVPN's default cipher, BF-CBC, is affected by this attack. diff --git a/openvpn-install.sh b/openvpn-install.sh index 45d12a4..92bb343 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1,4 +1,5 @@ #!/bin/bash +# shellcheck disable=SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 # Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux # https://github.com/angristan/openvpn-install From 54dc74904ca8afd04790c260d5fde7cd9553318a Mon Sep 17 00:00:00 2001 
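Review bot: The file-level `# shellcheck disable=SC1091,SC2164,SC2034,SC1072,SC1073,SC1009` moves the old CI exclusion list into the script, which silences these checks for every line rather than the spots that need them; SC2164 in particular hides any `cd` without `|| exit`, and in an installer running as root a failed `cd` means later relative-path writes land in the wrong directory. Prefer per-line `# shellcheck disable=SC2164` next to the offending `cd` (or `cd ... || exit 1`), keeping only directives that are truly file-wide such as SC1091 for `source /etc/os-release`. SC1072/SC1073/SC1009 are parse-error codes; if the file parses they are inert and can be dropped. A short comment stating why each remaining code is disabled would help the next maintainer.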
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Oct 2020 12:54:30 +0200 Subject: [PATCH 101/132] build(deps): bump github/super-linter from v3.13.1 to v3.13.2 (#752) Bumps [github/super-linter](https://github.com/github/super-linter) from v3.13.1 to v3.13.2. - [Release notes](https://github.com/github/super-linter/releases) - [Commits](https://github.com/github/super-linter/compare/v3.13.1...692f5c0e2e62673866f557c1935a581684569bfb) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 082bca5..b751d16 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,6 +9,6 @@ jobs: - name: Checkout Code uses: actions/checkout@v2 - name: Lint Code Base - uses: github/super-linter@v3.13.1 + uses: github/super-linter@v3.13.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From e16d93f3142be0f9f5833be5de7eb5d466461afc Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Wed, 28 Oct 2020 18:58:51 +0100 Subject: [PATCH 102/132] readme: update provider link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d9ba9be..cb8eadd 100644 --- a/README.md +++ b/README.md @@ -146,7 +146,7 @@ More Q&A in [FAQ.md](FAQ.md). **A:** I recommend these: -- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month +- [Vultr](https://www.vultr.com/?ref=8537055-6G): Worldwide locations, IPv6 support, starting at \$3.50/month - [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month - [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month - [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month 
From 8db952d2b72cebb2b90385b0a3980cd436664263 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 8 Nov 2020 12:57:46 +0100 Subject: [PATCH 103/132] build(deps): bump github/super-linter from v3.13.2 to v3.13.5 (#755) Bumps [github/super-linter](https://github.com/github/super-linter) from v3.13.2 to v3.13.5. - [Release notes](https://github.com/github/super-linter/releases) - [Commits](https://github.com/github/super-linter/compare/v3.13.2...49b9b28c00ef7c9ce15d8df5e41e6039f370e812) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index b751d16..4f19bc9 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,6 +9,6 @@ jobs: - name: Checkout Code uses: actions/checkout@v2 - name: Lint Code Base - uses: github/super-linter@v3.13.2 + uses: github/super-linter@v3.13.5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 82c3c2430b4ee31726d0c27e6a17d58fc591913d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Nov 2020 10:06:36 +0100 Subject: [PATCH 104/132] build(deps): bump appleboy/ssh-action from v0.1.3 to v0.1.4 (#764) Bumps [appleboy/ssh-action](https://github.com/appleboy/ssh-action) from v0.1.3 to v0.1.4. - [Release notes](https://github.com/appleboy/ssh-action/releases) - [Commits](https://github.com/appleboy/ssh-action/compare/v0.1.3...1d1b21ca96111b1eb4c03c21c14ebb971d2200f6) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/test.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2353c32..0129bdb 100644 
--- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -51,7 +51,7 @@ jobs: - name: Setup remote server (Debian/Ubuntu) if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu' - uses: appleboy/ssh-action@v0.1.3 + uses: appleboy/ssh-action@v0.1.4 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -60,7 +60,7 @@ jobs: - name: Setup remote server (Fedora) if: steps.server_os.outputs.value == 'fedora' - uses: appleboy/ssh-action@v0.1.3 + uses: appleboy/ssh-action@v0.1.4 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -69,7 +69,7 @@ jobs: - name: Setup remote server (CentOS) if: steps.server_os.outputs.value == 'centos' - uses: appleboy/ssh-action@v0.1.3 + uses: appleboy/ssh-action@v0.1.4 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -77,7 +77,7 @@ jobs: script: set -x && yum install -y git - name: Download repo and checkout current commit - uses: appleboy/ssh-action@v0.1.3 + uses: appleboy/ssh-action@v0.1.4 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -85,7 +85,7 @@ jobs: script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} - name: Run openvpn-install.sh in headless mode - uses: appleboy/ssh-action@v0.1.3 + uses: appleboy/ssh-action@v0.1.4 with: host: ${{ steps.server_ip.outputs.value }} username: root From 7d18ef433773b9a48ed747a42b03dae35a5ae859 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 6 Dec 2020 21:44:12 +0100 Subject: [PATCH 105/132] build(deps): bump github/super-linter from v3.13.5 to v3.14.0 (#770) Bumps [github/super-linter](https://github.com/github/super-linter) from v3.13.5 to v3.14.0. - [Release notes](https://github.com/github/super-linter/releases) - [Commits](https://github.com/github/super-linter/compare/v3.13.5...cf0e6a9704fec0915165f905063020dc27c0cdbf) 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 4f19bc9..acc58be 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,6 +9,6 @@ jobs: - name: Checkout Code uses: actions/checkout@v2 - name: Lint Code Base - uses: github/super-linter@v3.13.5 + uses: github/super-linter@v3.14.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 860aaa8bf4f659d88f9acb74822adbb3c7f1f774 Mon Sep 17 00:00:00 2001 From: quyleanh Date: Wed, 9 Dec 2020 02:56:39 +0700 Subject: [PATCH 106/132] Update with latest Adguard DNS server (#766) Update latest Adguard DNS server as [following article](https://kb.adguard.com/en/general/dns-providers#adguard-dns) --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 92bb343..b813c54 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -827,8 +827,8 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf ;; 11) # AdGuard DNS - echo 'push "dhcp-option DNS 176.103.130.130"' >>/etc/openvpn/server.conf - echo 'push "dhcp-option DNS 176.103.130.131"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 94.140.14.14"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 94.140.15.15"' >>/etc/openvpn/server.conf ;; 12) # NextDNS echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf From b2e96b076221bfd7693008a9ca120f6cb0cb8876 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 8 Dec 2020 21:24:38 +0100 Subject: [PATCH 107/132] Update FAQ.md --- FAQ.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/FAQ.md b/FAQ.md index ee0e51a..dbb52fc 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -10,7 +10,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you **Q:** How do I check for DNS leaks? -**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Only your server's IP should show up. +**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Your IP should not show up (test without and without the VPN). --- From 5acd9a0446a110b8852b0bc1ce212c60e0fad2f4 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 8 Dec 2020 21:26:39 +0100 Subject: [PATCH 108/132] Update FAQ.md --- FAQ.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/FAQ.md b/FAQ.md index dbb52fc..8125194 100644 --- a/FAQ.md +++ b/FAQ.md @@ -10,7 +10,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you **Q:** How do I check for DNS leaks? -**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Your IP should not show up (test without and without the VPN). +**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Your IP should not show up (test without and without the VPN). The DNS servers should be the ones you selected during the setup, not your IP address nor your ISP's DNS servers' addresses. --- From ea236de3e32d2404632f6ccf63b1b4b9ee36f647 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 8 Dec 2020 21:39:51 +0100 Subject: [PATCH 109/132] Create user from text file Fix #732 --- FAQ.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/FAQ.md b/FAQ.md index 8125194..825a9ba 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -125,6 +125,14 @@ for i in ${userlist[@]};do done ``` +From a list in a text file: + +```sh +while read USER + do MENU_OPTION="1" CLIENT="$USER" PASS="1" ./openvpn-install.sh +done < users.txt +``` + --- **Q:** How do I change the default `.ovpn` file created for future clients? From 1cc1978477da3eaf88f1e2fd9fbd63a24ae8b089 Mon Sep 17 00:00:00 2001 From: Christoph Schulz Date: Sun, 14 Feb 2021 10:54:53 +0100 Subject: [PATCH 110/132] Compatibility with RHEL+EPEL (#796) --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index b813c54..da252e1 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -52,7 +52,7 @@ function checkOS() { fi elif [[ -e /etc/system-release ]]; then source /etc/os-release - if [[ $ID == "fedora" ]]; then + if [[ $ID == "fedora" || $ID_LIKE == "fedora" ]]; then OS="fedora" fi if [[ $ID == "centos" ]]; then From 1fceec27dbb11b2b98d87bfdad9a76615a79e557 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 14 Feb 2021 11:06:57 +0100 Subject: [PATCH 111/132] test: remove fedora 31, add 33 --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0129bdb..d18336e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,11 +13,11 @@ jobs: os-image: - debian-9-x64 - debian-10-x64 - - ubuntu-18-04-x64 - ubuntu-16-04-x64 + - ubuntu-18-04-x64 - ubuntu-20-04-x64 - - fedora-31-x64 - fedora-32-x64 + - fedora-33-x64 - centos-7-x64 - centos-8-x64 steps: From c68518566b361f4a2cd30d083dbef309cf36979f Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sun, 21 Feb 2021 15:45:14 +0100 Subject: [PATCH 112/132] Update lint.yml --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index acc58be..80f04a4 100644 --- a/.github/workflows/lint.yml 
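Review bot: `$ID_LIKE == "fedora"` compares the whole value, but os-release defines ID_LIKE as a space-separated list, so a derivative declaring `ID_LIKE="rhel fedora"` is not matched while one declaring exactly `fedora` is; the intent reads as "is fedora-like". A word match expresses that: `if [[ $ID == "fedora" || " $ID_LIKE " == *" fedora "* ]]; then`. The following `if [[ $ID == "centos" ]]` check appears to reassign OS afterwards, so broadening this match looks safe for those IDs, but confirm against the rest of checkOS, which continues outside the hunk.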
+++ b/.github/workflows/lint.yml @@ -1,4 +1,4 @@ -on: [push, pull_request, pull_request_target] +on: [push, pull_request] name: Lint From 353ce9c534caa988dcc6322ac85107f7710207c2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Mar 2021 12:29:51 +0100 Subject: [PATCH 113/132] build(deps): bump github/super-linter from v3.14.0 to v3.15.1 (#797) Bumps [github/super-linter](https://github.com/github/super-linter) from v3.14.0 to v3.15.1. - [Release notes](https://github.com/github/super-linter/releases) - [Commits](https://github.com/github/super-linter/compare/v3.14.0...a4de8540a1162d917a5c0918467143c98c2176b2) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 80f04a4..0a87a71 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,6 +9,6 @@ jobs: - name: Checkout Code uses: actions/checkout@v2 - name: Lint Code Base - uses: github/super-linter@v3.14.0 + uses: github/super-linter@v3.15.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 29d4dc20f8af382c1102544afed0c6427bf09a19 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Wed, 3 Mar 2021 12:30:12 +0100 Subject: [PATCH 114/132] Update lint.yml --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 0a87a71..502a3a0 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,6 +9,6 @@ jobs: - name: Checkout Code uses: actions/checkout@v2 - name: Lint Code Base - uses: github/super-linter@v3.15.1 + uses: github/super-linter@v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 1abb6a69482be6b20e51eadf1313a6bfef4757da Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Mar 2021 21:38:49 +0100 Subject: [PATCH 115/132] build(deps): bump github/super-linter from v3 to v3.15.2 (#799) Bumps [github/super-linter](https://github.com/github/super-linter) from v3 to v3.15.2. - [Release notes](https://github.com/github/super-linter/releases) - [Commits](https://github.com/github/super-linter/compare/v3...16f5c4067d70b7e90445a32524a96d02f973ca4b) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 502a3a0..a8d7c18 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,6 +9,6 @@ jobs: - name: Checkout Code uses: actions/checkout@v2 - name: Lint Code Base - uses: github/super-linter@v3 + uses: github/super-linter@v3.15.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From d1de5c64fe3a151104b03082746839c39c77ae5c Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Wed, 10 Mar 2021 21:46:52 +0100 Subject: [PATCH 116/132] apt: use remove instead of autoremove Close https://github.com/angristan/openvpn-install/issues/794 --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index da252e1..d479cfd 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1186,7 +1186,7 @@ function removeUnbound() { systemctl stop unbound if [[ $OS =~ (debian|ubuntu) ]]; then - apt-get autoremove --purge -y unbound + apt-get remove --purge -y unbound elif [[ $OS == 'arch' ]]; then pacman --noconfirm -R unbound elif [[ $OS =~ (centos|amzn) ]]; then 
@@ -1249,7 +1249,7 @@ function removeOpenVPN() { fi if [[ $OS =~ (debian|ubuntu) ]]; then - apt-get autoremove --purge -y openvpn + apt-get remove --purge -y openvpn if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then rm /etc/apt/sources.list.d/openvpn.list apt-get update From e965518dc7df1a1363be674455bb798b28727851 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Wed, 10 Mar 2021 22:16:16 +0100 Subject: [PATCH 117/132] Fix home dir detection when using sudo as root Close https://github.com/angristan/openvpn-install/issues/780 --- openvpn-install.sh | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index d479cfd..2bcf579 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1084,12 +1084,20 @@ function newClient() { echo "Client $CLIENT added." fi - # Home directory of the user, where the client configuration (.ovpn) will be written - if [ -e "/home/$CLIENT" ]; then # if $1 is a user name - homeDir="/home/$CLIENT" - elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER - homeDir="/home/${SUDO_USER}" - else # if not SUDO_USER, use /root + # Home directory of the user, where the client configuration will be written + if [ -e "/home/${CLIENT_NAME}" ]; then + # if $1 is a user name + homeDir="/home/${CLIENT_NAME}" + elif [ "${SUDO_USER}" ]; then + # if not, use SUDO_USER + if [ "${SUDO_USER}" == "root" ]; then + # If running sudo as root + homeDir="/root" + else + homeDir="/home/${SUDO_USER}" + fi + else + # if not SUDO_USER, use /root homeDir="/root" fi From 319459ae770666e5d989d57ecdf84c2c8d7c9aac Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Thu, 11 Mar 2021 18:59:45 +0100 Subject: [PATCH 118/132] Fix home dir detection Fix e965518dc7df1a1363be674455bb798b28727851 Fix https://github.com/angristan/openvpn-install/issues/806 --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
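Review bot: `${CLIENT_NAME}` in the new first branch does not match the `$CLIENT` used in the `echo "Client $CLIENT added."` context line above, so with CLIENT_NAME unset the test becomes `-e "/home/"`, which is true, and homeDir ends up as `/home/`. Separately, the SUDO_USER branch hard-codes `/home/${SUDO_USER}` with a special case for root; reading the account's home from passwd covers both plus non-standard homes in one line, `homeDir=$(getent passwd "${SUDO_USER}" | cut -d: -f6)`, falling back to `/root` when empty. Note also that writing into `/home/${CLIENT}` whenever a directory of that name exists hands the client configuration to whichever local account owns that directory, which may not be the operator — at minimum this deserves a comment. newClient continues outside the hunk.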
diff --git a/openvpn-install.sh b/openvpn-install.sh index 2bcf579..efa92ed 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1085,9 +1085,9 @@ function newClient() { fi # Home directory of the user, where the client configuration will be written - if [ -e "/home/${CLIENT_NAME}" ]; then + if [ -e "/home/${CLIENT}" ]; then # if $1 is a user name - homeDir="/home/${CLIENT_NAME}" + homeDir="/home/${CLIENT}" elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER if [ "${SUDO_USER}" == "root" ]; then From f642f4c6da6a92112753b09d4623dde6c1f6f05b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 13 Mar 2021 13:06:59 +0100 Subject: [PATCH 119/132] build(deps): bump github/super-linter from v3.15.2 to v3.15.3 (#807) Bumps [github/super-linter](https://github.com/github/super-linter) from v3.15.2 to v3.15.3. - [Release notes](https://github.com/github/super-linter/releases) - [Commits](https://github.com/github/super-linter/compare/v3.15.2...9de5db92288c66235faef7716d6893949ce43769) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index a8d7c18..35807d7 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,6 +9,6 @@ jobs: - name: Checkout Code uses: actions/checkout@v2 - name: Lint Code Base - uses: github/super-linter@v3.15.2 + uses: github/super-linter@v3.15.3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From bfdf48c392b2e3fa8586b54353f41985cbb901c4 Mon Sep 17 00:00:00 2001 
From: rvva <54245875+rvva@users.noreply.github.com> Date: Mon, 22 Mar 2021 10:48:15 +0100 Subject: [PATCH 120/132] Add support for Oracle Linux 8 (#810) Co-authored-by: Stanislas --- README.md | 3 ++- openvpn-install.sh | 28 ++++++++++++++++++++-------- 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index cb8eadd..f955fce 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ ![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg) ![visitors](https://visitor-badge.glitch.me/badge?page_id=angristan.openvpn-install) -OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux. +OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Oracle Linux and Arch Linux. This script will let you setup your own secure VPN server in just a few seconds. @@ -125,6 +125,7 @@ The script supports these OS and architectures: | Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | | Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | | Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ | +| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ | To be noted: diff --git a/openvpn-install.sh b/openvpn-install.sh index efa92ed..806d147 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1,7 +1,7 @@ #!/bin/bash # shellcheck disable=SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 -# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux +# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora, Oracle Linux 8 and Arch Linux # https://github.com/angristan/openvpn-install function isRoot() { @@ -65,6 +65,15 @@ function checkOS() { exit 1 fi fi + if [[ $ID == "ol" ]]; then + OS="oracle" + if [[ ! $VERSION_ID =~ (8) ]]; then + echo "Your version of Oracle Linux is not supported." + echo "" + echo "The script only support Oracle Linux 8." + exit 1 + fi + fi if [[ $ID == "amzn" ]]; then OS="amzn" if [[ $VERSION_ID != "2" ]]; then 
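Review bot: `[[ ! $VERSION_ID =~ (8) ]]` in the new Oracle Linux block is an unanchored regex, so any VERSION_ID containing the digit 8 (for example `7.8`) passes the "only 8 is supported" gate and the script proceeds on an untested release. Anchor it to the major version: `if [[ ${VERSION_ID%%.*} != "8" ]]; then`. The message `The script only support Oracle Linux 8.` also needs `supports`. checkOS continues outside the hunk.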
@@ -78,7 +87,7 @@ function checkOS() {
 elif [[ -e /etc/arch-release ]]; then
 OS=arch
 else
- echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system"
+ echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2, Oracle Linux 8 or Arch Linux system"
 exit 1
 fi
 }
@@ -110,7 +119,7 @@ hide-version: yes
 use-caps-for-id: yes
 prefetch: yes' >>/etc/unbound/unbound.conf
- elif [[ $OS =~ (centos|amzn) ]]; then
+ elif [[ $OS =~ (centos|amzn|oracle) ]]; then
 yum install -y unbound
 # Configuration
@@ -165,7 +174,7 @@ prefetch: yes' >>/etc/unbound/unbound.conf
 access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/unbound.conf
 fi
- if [[ ! $OS =~ (fedora|centos|amzn) ]]; then
+ if [[ ! $OS =~ (fedora|centos|amzn|oracle) ]]; then
 # DNS Rebinding fix
 echo "private-address: 10.0.0.0/8
 private-address: fd42:42:42:42::/112
@@ -665,6 +674,9 @@ function installOpenVPN() {
 elif [[ $OS == 'centos' ]]; then
 yum install -y epel-release
 yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
+ elif [[ $OS == 'oracle' ]]; then
+ yum install -y 'oracle-epel-release-*'
+ yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
 elif [[ $OS == 'amzn' ]]; then
 amazon-linux-extras install -y epel
 yum install -y openvpn iptables openssl wget ca-certificates curl
@@ -909,7 +921,7 @@ verb 3" >>/etc/openvpn/server.conf
 fi
 # Finally, restart and enable OpenVPN
- if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' ]]; then
+ if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' || $OS == 'oracle' ]]; then
 # Don't modify package-provided service
 cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
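Review bot: Adding `oracle` to `if [[ ! $OS =~ (fedora|centos|amzn|oracle) ]]; then` means the `private-address:` entries for 10.0.0.0/8 and fd42:42:42:42::/112 are no longer written on Oracle Linux, so the DNS rebinding protection there now rests on the assumption that the distribution's unbound package ships equivalent entries in its own configuration, which nothing in the patch verifies. If that assumption is what justifies grouping it with centos, a comment should say so, e.g. `# EL-family unbound packages (CentOS, Amazon Linux, Oracle Linux) already carry private-address entries; only add them on other distros`; a more robust alternative is to key the decision on `grep -q '^private-address:' /etc/unbound/unbound.conf` instead of on the distro name. The enclosing function starts and ends outside the hunk.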
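Review bot: The new `yum install -y 'oracle-epel-release-*'` line in installOpenVPN never checks its exit status, and neither does the openvpn install on the line after it; the top-of-file hunk in this same patch shows no `set -e`, so if the wildcard spec matches nothing or the repository is unreachable the script carries on to write a server configuration for a package that was never installed. At minimum guard the two calls, `yum install -y 'oracle-epel-release-*' || exit 1` and the same form on the next line, and add a short comment that the glob is deliberate (presumably because the exact release package name varies). installOpenVPN continues outside the hunk, and a `set -e` further down the file, not visible here, would change this assessment.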
@@ -1197,7 +1209,7 @@ function removeUnbound() {
 apt-get remove --purge -y unbound
 elif [[ $OS == 'arch' ]]; then
 pacman --noconfirm -R unbound
- elif [[ $OS =~ (centos|amzn) ]]; then
+ elif [[ $OS =~ (centos|amzn|oracle) ]]; then
 yum remove -y unbound
 elif [[ $OS == 'fedora' ]]; then
 dnf remove -y unbound
@@ -1223,7 +1235,7 @@ function removeOpenVPN() {
 PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
 # Stop OpenVPN
- if [[ $OS =~ (fedora|arch|centos) ]]; then
+ if [[ $OS =~ (fedora|arch|centos|oracle) ]]; then
 systemctl disable openvpn-server@server
 systemctl stop openvpn-server@server
 # Remove customised service
@@ -1264,7 +1276,7 @@ function removeOpenVPN() {
 fi
 elif [[ $OS == 'arch' ]]; then
 pacman --noconfirm -R openvpn
- elif [[ $OS =~ (centos|amzn) ]]; then
+ elif [[ $OS =~ (centos|amzn|oracle) ]]; then
 yum remove -y openvpn
 elif [[ $OS == 'fedora' ]]; then
 dnf remove -y openvpn
From b840f56f3e937878ade53bd35a9d506f42cdfc77 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 4 May 2021 18:04:58 +0200
Subject: [PATCH 121/132] build(deps): bump github/super-linter from v3.15.3 to v3.16.3 (#823)
Bumps [github/super-linter](https://github.com/github/super-linter) from v3.15.3 to v3.16.3.
- [Release notes](https://github.com/github/super-linter/releases)
- [Commits](https://github.com/github/super-linter/compare/v3.15.3...6abf4dbec9acf8a5b5f4e80497dfb5cc6ae6ea5e)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 35807d7..144e629 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -9,6 +9,6 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@v2
 - name: Lint Code Base
- uses: github/super-linter@v3.15.3
+ uses: github/super-linter@v3.16.3
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 248a85f5da7365b9a4bef35040f2385624288f33 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 7 May 2021 22:12:56 +0200
Subject: [PATCH 122/132] build(deps): bump github/super-linter from v3.16.3 to v3.17.0 (#825)
Bumps [github/super-linter](https://github.com/github/super-linter) from v3.16.3 to v3.17.0.
- [Release notes](https://github.com/github/super-linter/releases)
- [Commits](https://github.com/github/super-linter/compare/v3.16.3...28cfebb84fd6dd9e8773b5efe5ac0f8f3714f228)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 144e629..6764474 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -9,6 +9,6 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@v2
 - name: Lint Code Base
- uses: github/super-linter@v3.16.3
+ uses: github/super-linter@v3.17.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 126f575655697322778e445011bdb82c94a40e63 Mon Sep 17 00:00:00 2001
From: Stanislas
Date: Sat, 8 May 2021 22:47:24 +0200
Subject: [PATCH 123/132] Update bug-report-or-suport-request.md
---
 .../bug-report-or-suport-request.md | 38 +++++--------------
 1 file changed, 10 insertions(+), 28 deletions(-)
diff --git a/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md b/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
index f59acf9..167dd9e 100644
--- a/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
+++ b/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
@@ -7,43 +7,25 @@ assignees: '' --- +**⚠️ Unless you are sure you find a bug with the script, please open a [discussion](https://github.com/angristan/openvpn-install/discussions) instead of an issue!** + **Checklist** - [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) - [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) - [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) +- [ ] I searched the [discussion](https://github.com/angristan/openvpn-install/discussions) - [ ] My issue is about the script, and not OpenVPN itself -**Describe the issue** -A clear and concise description of what the bug is. +Pease include as much details as possible in your issue: -**To Reproduce** -Steps to reproduce the behavior: - -1. ... - -**Expected behavior** -A clear and concise description of what you expected to happen. - -**Logs** -If applicable, add logs or screenshots to help explain your problem. - -If you can reproduce the issue, please run the script in debug mode and post the output: `bash -x openvpn-install.sh` - -**Server if applicable):** - -- OS: [e.g. Debian 10] -- Hosting provider (if applicable): [e.g. Vultr, AWS] - -**Client (if applicable):** - -- Device: [e.g. iPhone6] -- OS: [e.g. iOS8.1] -- Client: [e.g. OpenVPN Connect] - -**Additional context** -Add any other context about the problem here. +- Description of the issue +- How to reproduce the issue +- What did you expected should happen +- Logs +- Server/Client versions (OS, OpenVPN, etc) +- Any context or information that could help From 2b897dc64a2556d39fbbeecab1bb701b28b6a8c7 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sat, 8 May 2021 22:48:22 +0200 Subject: [PATCH 124/132] Update bug-report-or-suport-request.md --- .github/ISSUE_TEMPLATE/bug-report-or-suport-request.md | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md b/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
index 167dd9e..93b6be9 100644
--- a/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
+++ b/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
@@ -29,3 +29,7 @@ Pease include as much details as possible in your issue:
 - Logs
 - Server/Client versions (OS, OpenVPN, etc)
 - Any context or information that could help
+
+---
+
+
From 31551a7176157997e547db31a0e227d2c5b1c479 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 12 May 2021 08:53:03 +0200
Subject: [PATCH 125/132] build(deps): bump actions/checkout from 2 to 2.3.4 (#838)
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 2.3.4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v2.3.4)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/lint.yml | 2 +-
 .github/workflows/test.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 6764474..461c4e1 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,7 +7,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Code
- uses: actions/checkout@v2
+ uses: actions/checkout@v2.3.4
 - name: Lint Code Base
 uses: github/super-linter@v3.17.0
 env:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d18336e..ce068a1 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
 - centos-7-x64
 - centos-8-x64
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v2.3.4
 - name: Setup doctl
 uses: digitalocean/action-doctl@v2
From ac8d41f0cb5adfdaaa1585843c29da6c44834e5f Mon Sep 17 00:00:00 2001
From: Stanislas
Date: Wed, 12 May 2021 08:53:21 +0200
Subject: [PATCH 126/132] Update dependabot.yml
---
 .github/dependabot.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f4d737f..5ace460 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,8 +3,4 @@ updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
- interval: "daily"
- assignees:
- - "angristan"
- reviewers:
- - "angristan"
+ interval: "weekly"
From c379bf3b67bc8c914d2f412ff2995136b8be4129 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 18 May 2021 16:16:17 +0200
Subject: [PATCH 127/132] build(deps): bump github/super-linter from 3.17.0 to 3.17.1 (#841)
Bumps [github/super-linter](https://github.com/github/super-linter) from 3.17.0 to 3.17.1.
- [Release notes](https://github.com/github/super-linter/releases)
- [Commits](https://github.com/github/super-linter/compare/v3.17.0...v3.17.1)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 461c4e1..939a10c 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -9,6 +9,6 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@v2.3.4
 - name: Lint Code Base
- uses: github/super-linter@v3.17.0
+ uses: github/super-linter@v3.17.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From b9deadef619e5b2ac76a1d87f5365a156fb97aca Mon Sep 17 00:00:00 2001
From: Stanislas
Date: Mon, 31 May 2021 02:00:33 +0200
Subject: [PATCH 128/132] readme: remove broken hall of fame
---
 README.md | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/README.md b/README.md index f955fce..2757795 100644 --- a/README.md +++ b/README.md @@ -188,19 +188,6 @@ Solutions that provision a ready to use OpenVPN server based on this script in o ## Contributing -### Contributors hall-of-fame - -Thanks ❤️ - -[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/0)](https://github.com/angristan/openvpn-install/graphs/contributors) -[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/1)](https://github.com/angristan/openvpn-install/graphs/contributors) -[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/2)](https://github.com/angristan/openvpn-install/graphs/contributors) -[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/3)](https://github.com/angristan/openvpn-install/graphs/contributors) -[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/4)](https://github.com/angristan/openvpn-install/graphs/contributors) -[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/5)](https://github.com/angristan/openvpn-install/graphs/contributors) -[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/6)](https://github.com/angristan/openvpn-install/graphs/contributors) -[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/7)](https://github.com/angristan/openvpn-install/graphs/contributors) - ### Code formatting We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml). From faf43047e2a005df1f3167c7e21c40c75d5743c4 Mon Sep 17 00:00:00 2001 
From: Stanislas
Date: Sat, 5 Jun 2021 00:05:31 +0200
Subject: [PATCH 129/132] Update FUNDING.yml
---
 .github/FUNDING.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
index d5689d8..42b3ecb 100644
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +1,5 @@
 patreon: stanislas
 liberapay: stanislas
 ko_fi: stanislas
+github: angristan
+custom: https://coindrop.to/stanislas
From 995d2445876d6d68d3158d2b8060dc366bbb5508 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 5 Jun 2021 00:07:02 +0200
Subject: [PATCH 130/132] build(deps): bump github/super-linter from 3.17.1 to 4.0.2 (#848)
Bumps [github/super-linter](https://github.com/github/super-linter) from 3.17.1 to 4.0.2.
- [Release notes](https://github.com/github/super-linter/releases)
- [Commits](https://github.com/github/super-linter/compare/v3.17.1...v4.0.2)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 939a10c..37c7216 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -9,6 +9,6 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@v2.3.4
 - name: Lint Code Base
- uses: github/super-linter@v3.17.1
+ uses: github/super-linter@v4.0.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 2be9932fde5c88d4a14946fdbf427de9699f78ed Mon Sep 17 00:00:00 2001
From: Stanislas
Date: Sat, 5 Jun 2021 00:13:49 +0200
Subject: [PATCH 131/132] dependabot: check monthly
---
 .github/dependabot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5ace460..8ac6b8c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,4 +3,4 @@ updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
- interval: "weekly"
+ interval: "monthly"
From 2ab48f2265ac0f265f4c0108a8bf06479c46d730 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 5 Jun 2021 00:57:18 +0200
Subject: [PATCH 132/132] build(deps): bump github/super-linter from 4.0.2 to 4.1.0 (#852)
Bumps [github/super-linter](https://github.com/github/super-linter) from 4.0.2 to 4.1.0.
- [Release notes](https://github.com/github/super-linter/releases)
- [Commits](https://github.com/github/super-linter/compare/v4.0.2...v4.1.0)
---
updated-dependencies:
- dependency-name: github/super-linter
 dependency-type: direct:production
 update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 37c7216..fa26b23 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -9,6 +9,6 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@v2.3.4
 - name: Lint Code Base
- uses: github/super-linter@v4.0.2
+ uses: github/super-linter@v4.1.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}