Rewrite README

angristan 2018-09-20 17:16:04 +02:00
parent e920f7fbc2
commit 0a5c3c1401
2 changed files with 48 additions and 75 deletions

README.md

@ -1,30 +1,25 @@
# OpenVPN-install
# openvpn-install
OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
OpenVPN installer for Debian, Ubuntu, Fedora and CentOS.
This script will let you setup your own secure VPN server in just a few minutes.
Here is a preview of the installer :
![previw_1](https://lut.im/IzjFrfhM18/DY8KD91W0uMhEgLp.png)
![preview_2](https://lut.im/eODTn8Sa9y/euCqh0wzXwlz3UNs.png)
## Usage
**You have to enable the TUN module otherwise OpenVPN won't work.** Ask your host if you don't know how to do it. If the TUN module is not enabled, the script will warn you and exit.
You can get a cheap VPS to run this script for $3.50/month worldwide at [Vultr](https://goo.gl/Xyd1Sc) or 3€/month for unlimited bandwidth in France at [PulseHeberg](https://goo.gl/76yqW5).
First, get the script and make it executable :
```bash
wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
```
Then run it :
`./openvpn-install.sh`
```sh
./openvpn-install.sh
```
You need to run the script as root and have the TUN module enabled.
The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
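Review bot: the install instructions in this hunk (`wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh`, then `chmod +x openvpn-install.sh` and "You need to run the script as root") fetch an unpinned script from `master` and execute it with full privileges with no integrity check at all. Suggest documenting a tagged release or a specific commit to download, and a `sha256sum` line the user can compare before running, so that nobody is executing whatever `master` happens to contain at that moment. Minor: the two fences use `bash` and `sh` for the same shell commands; pick one. The TUN requirement is also stated twice (the bold warning near the top and again in "You need to run the script as root and have the TUN module enabled."); one mention is enough.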
@ -34,25 +29,24 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
- Remove a client
- Uninstall OpenVPN
![preview_3](https://i.imgur.com/AlW9g7t.png)
In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your prefered OpenVPN client.
## The fork
## Features
This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install).
I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and especially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are insecure. See [#encryption](#encryption).
Also, Nyr and myself clearly have not the same point of view regarding this script, that's why it's a fork.
The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only available since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibility](#compatibility).
On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. However I don't see why you would use an outdated client.
**TL;DR**, this script is relatively secure, and you can just press enter in the setup.
**[A Pull Request](https://github.com/Angristan/OpenVPN-install/pull/96) is currently being worked on to implement the latest OpenVPN 2.4 features.**
- Installs and configures a ready-to-use OpenVPN server
- Iptables rules and forwarding managed in a seamless way
- If needed, the script can cleanly remove OpenVPN, including configuration and iptables rules
- Customizable encryption settings, enhanced default settings
- Varitey of DNS resolvers to be pushed to the clients
- Choice to use a self-hosted resolver with Unbound (supports already existing Unboud installations)
- Choice between TCP and UDP
- NATed IPv6 support
- Compression disabled to prevent VORACLE
- Unprivileged mode: run as `nobody`/`nogroup`
- Block DNS leaks on Windows 10
- Randomized server certificate name
- Choice to protect clients with a password (private key encryption)
- Many other little things!
## Compatibility
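Review bot: the new Features list drops the version caveat the removed paragraph carried ("some parameters that requires TLS 1.2 are only available since OpenVPN 2.3.3", and that a client older than 2.3.3 will not connect); nothing in the added lines tells a reader which OpenVPN version the server or client must run. Suggest keeping a one-line minimum-version requirement under Features or Compatibility. Two typos in the added lines: "Varitey of DNS resolvers" and "existing Unboud installations". "Randomized server certificate name" reads as a security feature, so a few words on what it is meant to protect against would help; and "prefered OpenVPN client" should be "preferred".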
@ -67,49 +61,30 @@ The script supports these OS and architectures:
- **Fedora 28** (amd64)
- **CentOS 7** (i386, amd64, arm64)
(It should also work on Debian unstable/testing and Ubuntu beta).
To be noted:
The script requires `systemd`.
- It should also work on Debian unstable/testing and Ubuntu beta.
- The script requires `systemd`.
- The script is regularly tested against `amd64` only.
## Features
## Fork
This fork includes the following features :
This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install).
- Every feature of the [original script](https://github.com/Nyr/openvpn-install)
- Better encryption, see below
- Better DNS resolvers, see below
- Choice between TCP and UDP (UDP is still recommended)
- IPv6 (NATed) support
- Run server in unprivileged mode, reducing risks to the system
- [Block DNS leak on Windows 10](https://community.openvpn.net/openvpn/ticket/605)
- No compression, as [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575)
- [Arch Linux support](https://github.com/Angristan/OpenVPN-install/pull/2)
- Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories.
- Randomized certificate name
- The ability to create passwordless clients and clients protected with a password
- Other improvements !
## DNS
The script will ask you which DNS resolvers you want to use when connected to the VPN.
Here are the possibilities :
- Current system resolvers, those that are in `/etc/resolv.conf`
- Self-hosted resolver thanks to Unbound
- [Cloudflare](https://1.1.1.1/), recommended, fastest resolvers available (Anycast servers)
- [Quad9](https://www.quad9.net), recommended, security and privacy oriented, fast worldwide (Anycast servers)
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/), recommended if you're in western europe (France)
- [DNS.WATCH DNS Servers](https://dns.watch/index), recommended if you're in western europe (Germany)
- [OpenDNS](https://en.wikipedia.org/wiki/OpenDNS), not recommened but fast wordlwide (Anycast servers)
- [Google Public DNS](https://en.wikipedia.org/wiki/Google_Public_DNS), not recommended, but fast worldwide (Anycast servers)
- [Yandex Basic DNS](https://dns.yandex.com/), not recommended, but fast in Russia
- [AdGuard DNS](https://github.com/AdguardTeam/AdguardDNS), located in Russia, blocks ads and trackers
Any other fast, trustable and neutral servers proposition is welcome.
Since 2016, the two scripts have diverged and are not alike anymore, especially under the hood. The main goal of the script was enhanced security. But since then, the script has been completely rewritten and a lot a features have been added. The script is only comptaible with recent distributions though, so if you need to use a very old server or client, I advise using Nyr's script.
## FAQ
**Q:** Which provider do you recommend?
**A:** I recommend these:
- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month
---
**Q:** The script has been udpated since I installed OpenVPN. How do I update?
**A:** You can't. Managing updates and new features from the script would require way too much work. Your only solution is to uninstall OpenVPN and reinstall with the updated script.
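Review bot: the provider recommendations added to the FAQ (`[Vultr](https://goo.gl/Xyd1Sc)`, `[PulseHeberg](https://goo.gl/76yqW5)`, `[Digital Ocean](https://goo.gl/qXrNLK)`) are URL-shortener redirects, so a reader cannot see where they lead, and they cannot be audited or archived; for a README that sells itself on security, plain destination URLs are preferable. Separately, the removed line about EPEL and swupdate.openvpn.net was the only place the README said that OpenVPN is installed from third-party repositories on CentOS, Debian and Ubuntu; a user whose server gets a new repository and signing key added should still be told that somewhere. Typos in this hunk's text: "a lot a features", "comptaible", "udpated", "recommened", "wordlwide".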
@ -118,6 +93,12 @@ You can, of course, it's even recommended, update the `openvpn` package with you
---
**Q:** How do I check for DNS leaks?
**A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
---
**Q:** IPv6 is not working on my Hetzner VM
**A:** This an issue on their side. See [issue #295](https://github.com/angristan/openvpn-install/issues/295).
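Review bot: the answer "Only your server's IP should show up" for dnsleaktest.com and ipleak.net is only accurate when the self-hosted Unbound resolver is chosen. Those sites report the addresses of the resolvers that query their test domains, so a client pushed Cloudflare, Quad9 or any other public resolver from the DNS list will see that resolver's addresses rather than the VPN server's, and that is not a leak. Suggest wording it as: the addresses shown should belong to the resolver you selected (or to your server, with Unbound), and none should belong to your ISP or local network. Also "This an issue on their side" is missing "is".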
@ -264,10 +245,6 @@ SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used.
TLS-Auth is not enabled by default by OpenVPN, but it is in this script.
## Check for DNS leaks
Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
## Say thanks
You can [say thanks](https://saythanks.io/to/Angristan) if you want!

View File

@ -1,9 +1,7 @@
#!/bin/bash
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Fedora
# https://github.com/Angristan/OpenVPN-install
# Functions
# https://github.com/angristan/openvpn-install
function isRoot () {
if [ "$EUID" -ne 0 ]; then
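Review bot: the `# Functions` section marker is removed here while the `# Main` marker further down in the same file is kept, leaving the script's section comments uneven; either keep both or drop both. The header comment "Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Fedora" now matches the README's supported-distribution line; keep the two in sync if that list changes again.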
@ -597,7 +595,7 @@ $CIPHER
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3" >> /etc/openvpn/client-template.txt
# Generate the custom client.ovpn
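Review bot: the `# Prevent Windows 10 DNS leak` comment is inside the string that is echoed into `/etc/openvpn/client-template.txt`, so it lands in every generated `.ovpn` rather than only in the script. OpenVPN accepts `#` comments, including trailing ones on an option line, so the profile still parses, but if the intent was to document the script rather than the client profile, move the comment onto a script line of its own instead. If it is meant for end users reading their profile, it is fine as is; `setenv opt` is the right prefix here, since it lets non-Windows clients ignore the `block-outside-dns` option instead of refusing the profile.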
@ -833,8 +831,6 @@ function manageMenu () {
esac
}
# Main
# Check for root, TUN, OS...
initialCheck