From 38d3bf9afa0733245a6b2eb7e149aaed54cddc67 Mon Sep 17 00:00:00 2001 From: s7r Date: Wed, 18 Jan 2023 22:05:09 +0000 Subject: [PATCH 01/15] Update FAQ with IPv6 prefix policies for ULA addresses (#1083) * Update FAQ with IPv6 prefix policies for ULA addresses Most operating systems will prefer IPv4 rather than IPv6 ULA, which defeats the purpose of redirect-gateway ipv6. It's nothing the script can do to automate this. --- FAQ.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/FAQ.md b/FAQ.md index 825a9ba..5acd78b 100644 --- a/FAQ.md +++ b/FAQ.md @@ -151,3 +151,25 @@ route 10.0.0.0 255.0.0.0 ``` So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet. + +--- + +**Q:** I have enabled IPv6 and my VPN client gets an IPv6 address. Why do I reach the websites or other dual-stacked destionations via IPv4 only? + +**A:** This is because inside the tunnel you don't get a publicly routable IPv6 address, instead you get an ULA (Unlique Local Lan) address. Operating systems don't prefer this all the time. You can fix this in your operating system policies as it's unrelated to the VPN itself: + +Windows (commands needs to run cmd.exe as Administrator): + +``` +netsh interface ipv6 add prefixpolicy fd00::/8 3 1 +``` + +Linux: + +edit `/etc/gai.conf` and uncomment the following line and also change its value to `1`: + +``` +label fc00::/7 1 +``` + +This will not work properly unless you add you your VPN server `server.conf` one or two lines to push at least 1 (one) IPv6 DNS server. Most providers have IPv6 servers as well, add two more lines of `push "dhcp-option DNS "` From 48f8c16d3a95a980329cf41b33f8f9e1605f8839 Mon Sep 17 00:00:00 2001 
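Review bot: the added FAQ answer ends on an incomplete instruction: `push "dhcp-option DNS "` lacks the resolver address and its closing quote, so it cannot be copied into `server.conf` as written; give a complete line with the address shown as a placeholder to fill in. Two spelling fixes in the same hunk: "destionations" should be "destinations", and ULA expands to Unique Local Address, not "Unlique Local Lan". For the Linux step, check the glibc gai.conf documentation on whether uncommenting only the single `label fc00::/7` line leaves the rest of the default label table in effect or replaces it, and say so in the answer, since the outcome depends on that.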
From: Stanislas Lange Date: Sat, 21 Jan 2023 23:00:23 +0100 Subject: [PATCH 02/15] Add issue and PR templates --- .github/issue_template.md | 10 ++++++++++ .github/pull_request_template.md | 8 ++++++++ 2 files changed, 18 insertions(+) create mode 100644 .github/issue_template.md create mode 100644 .github/pull_request_template.md diff --git a/.github/issue_template.md b/.github/issue_template.md new file mode 100644 index 0000000..4d38a8d --- /dev/null +++ b/.github/issue_template.md @@ -0,0 +1,10 @@ + diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..d26ab9b --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,8 @@ + From 2d0eca1a1d16e796be1b8338bc52f768b5b0a305 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:06:44 +0100 Subject: [PATCH 03/15] Update issue/PR template + contributing guidelines --- .github/issue_template.md | 13 ++++++------- .github/pull_request_template.md | 11 +++++------ README.md | 4 ++++ 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/issue_template.md b/.github/issue_template.md index 4d38a8d..adfdb1a 100644 --- a/.github/issue_template.md +++ b/.github/issue_template.md @@ -1,10 +1,9 @@ diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index d26ab9b..43bed85 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,8 +1,7 @@ diff --git a/README.md b/README.md index 4e81f28..9fa1c18 100644 --- a/README.md +++ b/README.md 
@@ -192,6 +192,10 @@ Solutions that provision a ready to use OpenVPN server based on this script in o ## Contributing +## Discuss changes + +Please open an issue before submitting a PR if you want to discuss a change, especially if it's a big one. + ### Code formatting We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml). From 580c617d9844fbba82eb0f3fb92bfe5289781102 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:18:52 +0100 Subject: [PATCH 04/15] Update issue template --- .github/issue_template.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/issue_template.md b/.github/issue_template.md index adfdb1a..2166d42 100644 --- a/.github/issue_template.md +++ b/.github/issue_template.md @@ -5,5 +5,6 @@ 💡 It helps keep the issue tracker clean and focused on bugs and feature requests. 🙏 Please include as much information as possible, and make sure you're running the latest version of the script. +✍️ Please state the Linux distribution you're using and its version, as well as the OpenVPN version. ✋ For feature requests, remember that this script is meant to be simple and easy to use. If you want to add a lot of options, it's better to fork the project. ---> From 64cbbce0b7fd6c324c0d08c32ee961b9e8246f07 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:40:01 +0100 Subject: [PATCH 05/15] Add OpenVPN 2.5 notice to README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 9fa1c18..7dbba89 100644 --- a/README.md +++ b/README.md 
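Review bot: heading level in the README hunk: `## Discuss changes` is inserted as a sibling of `## Contributing`, while the existing subsection right after it, `### Code formatting`, uses `###`; make it `### Discuss changes` so it nests under Contributing like the section it precedes.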
@@ -202,6 +202,9 @@ We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https:// ## Security and Encryption +> **Warning** +> This has not been updated for OpenVPN 2.5 and later. + OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that. OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, ECDH, AES GCM, NCP and tls-crypt. From 0ac1bf4f51716516d2817998fbbda005c616a09d Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:41:03 +0100 Subject: [PATCH 06/15] Format markdown table in readme --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 7dbba89..f38c0d3 100644 --- a/README.md +++ b/README.md @@ -118,17 +118,17 @@ The script supports these OS and architectures: | | i386 | amd64 | armhf | arm64 | | --------------- | ---- | ----- | ----- | ----- | -| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | -| Arch Linux | ❔ | ✅ | ❔ | ✅ | -| CentOS 7 | ✅ | ✅ | ✅ | ✅ | -| CentOS 8 | ❌ | ✅ | ❌ | ✅ | -| Debian >= 9 | ✅ | ✅ | ✅ | ✅ | -| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ | -| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ | -| Rocky Linux 8 | ❔ | ✅ | ❔ | ❔ | -| AlmaLinux 8 | ❌ | ✅ | ❌ | ❔ | +| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | +| Arch Linux | ❔ | ✅ | ❔ | ✅ | +| CentOS 7 | ✅ | ✅ | ✅ | ✅ | +| CentOS 8 | ❌ | ✅ | ❌ | ✅ | +| Debian >= 9 | ✅ | ✅ | ✅ | ✅ | +| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | +| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | +| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ | +| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ | +| Rocky Linux 8 | ❔ | ✅ | ❔ | ❔ | +| AlmaLinux 8 | ❌ | ✅ | ❌ | ❔ | To be noted: From ca8d58d5f0090a8c43a2e1a3b6577263843ef88a Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 00:06:05 +0100 Subject: [PATCH 07/15] Fix checkout in test workflow --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
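Review bot: the new `> **Warning**` block in the Security and Encryption hunk does not say what is stale, so a reader cannot tell which of the recommendations below it still hold for OpenVPN 2.5 and later; either name the settings whose defaults changed or point at the part of the script that shows the configuration actually applied.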
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index af95572..b9b7747 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -80,7 +80,7 @@ jobs: host: ${{ steps.server_ip.outputs.value }} username: root key: ${{ secrets.SSH_KEY }} - script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} + script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.sha }} - name: Run openvpn-install.sh in headless mode uses: appleboy/ssh-action@v0.1.6 From 2f76bb5e40f6f41a5bb2928379499b74da93f653 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 00:06:51 +0100 Subject: [PATCH 08/15] Update easy-rsa to 3.1.2 and fix compatibility with Ubuntu 22.04 Based on this patch by @zerodivisi0n: https://github.com/angristan/openvpn-install/issues/1000#issuecomment-1283484772 --- .github/workflows/test.yml | 1 + openvpn-install.sh | 12 +++++------- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b9b7747..4270574 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,6 +15,7 @@ jobs: - debian-11-x64 - ubuntu-18-04-x64 - ubuntu-20-04-x64 + - ubuntu-22-04-x64 - fedora-35-x64 - centos-7-x64 - centos-stream-8-x64 diff --git a/openvpn-install.sh b/openvpn-install.sh index 7c6f741..6bb39c5 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
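Review bot: the `script:` line in the test.yml hunk now checks out `${{ github.sha }}`, which is the right ref for the `push` trigger this workflow runs on, but it would break under a `pull_request` trigger, where `github.sha` is the synthetic merge commit that a plain `git clone` does not fetch; a one-line comment above the step recording that assumption would prevent a silent regression if the triggers are extended later.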
@@ -706,7 +706,7 @@ function installOpenVPN() { # Install the latest version of easy-rsa from source, if not already installed. if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then - local version="3.0.7" + local version="3.1.2" wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz mkdir -p /etc/openvpn/easy-rsa tar xzf ~/easy-rsa.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/easy-rsa @@ -729,18 +729,16 @@ function installOpenVPN() { SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" echo "$SERVER_NAME" >SERVER_NAME_GENERATED - echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars - # Create the PKI, set up the CA, the DH params and the server certificate ./easyrsa init-pki - ./easyrsa --batch build-ca nopass + ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass if [[ $DH_TYPE == "2" ]]; then # ECDH keys are generated on-the-fly so we don't need to generate them beforehand openssl dhparam -out dh.pem $DH_KEY_SIZE fi - ./easyrsa build-server-full "$SERVER_NAME" nopass + ./easyrsa --batch build-server-full "$SERVER_NAME" nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl case $TLS_SIG in @@ -1087,11 +1085,11 @@ function newClient() { cd /etc/openvpn/easy-rsa/ || return case $PASS in 1) - ./easyrsa build-client-full "$CLIENT" nopass + ./easyrsa --batch build-client-full "$CLIENT" nopass ;; 2) echo "⚠️ You will be asked for the client password below ⚠️" - ./easyrsa build-client-full "$CLIENT" + ./easyrsa --batch build-client-full "$CLIENT" ;; esac echo "Client $CLIENT added." From d2556ff235e9daa5fa10245050c4432f03a0258f Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 00:57:26 +0100 Subject: [PATCH 09/15] Add support for CentOS 9 + update supported distributions --- .github/workflows/test.yml | 4 ++++ README.md | 33 +++++++++++++++++---------------- openvpn-install.sh | 2 +- 3 files changed, 22 insertions(+), 17 deletions(-) 
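Review bot: supply-chain check in the `@@ -706,7` hunk: bumping `version` to `3.1.2` keeps the unverified `wget` download of `EasyRSA-${version}.tgz`, which is then extracted into `/etc/openvpn/easy-rsa` and used to build the CA and every certificate; since the release is pinned, pin its SHA-256 alongside and verify before `tar xzf`, for example `echo "<sha256 of the pinned release>  $HOME/easy-rsa.tgz" | sha256sum -c -` (placeholder digest to be filled in from the release page) and abort on mismatch.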
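Review bot: in the `@@ -1087,11` hunk, `--batch` is now passed to `build-client-full` in the password case (`2)`) directly under the echo that promises a password prompt; confirm with easy-rsa 3.1.2 that batch mode only suppresses easy-rsa's own confirmations and that the key passphrase is still requested, otherwise the `PASS=2` path silently produces an unencrypted client key.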
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4270574..4473eed 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -17,8 +17,12 @@ jobs: - ubuntu-20-04-x64 - ubuntu-22-04-x64 - fedora-35-x64 + # - fedora-36-x64 + # - fedora-37-x64 + # dnf is broken: https://ask.fedoraproject.org/t/dnf-operations-use-large-amount-of-ram-and-may-fail-in-low-memory-environments/26427 - centos-7-x64 - centos-stream-8-x64 + - centos-stream-9-x64 steps: - uses: actions/checkout@v3.2.0 diff --git a/README.md b/README.md index f38c0d3..393b702 100644 --- a/README.md +++ b/README.md 
@@ -114,27 +114,28 @@ export PASS="1" ## Compatibility -The script supports these OS and architectures: +The script supports these Linux distributions: -| | i386 | amd64 | armhf | arm64 | -| --------------- | ---- | ----- | ----- | ----- | -| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | -| Arch Linux | ❔ | ✅ | ❔ | ✅ | -| CentOS 7 | ✅ | ✅ | ✅ | ✅ | -| CentOS 8 | ❌ | ✅ | ❌ | ✅ | -| Debian >= 9 | ✅ | ✅ | ✅ | ✅ | -| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ | -| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ | -| Rocky Linux 8 | ❔ | ✅ | ❔ | ❔ | -| AlmaLinux 8 | ❌ | ✅ | ❌ | ❔ | +| | Support | +| ------------------ | ------- | +| AlmaLinux 8 | ✅ | +| Amazon Linux 2 | ✅ | +| Arch Linux | ✅ | +| CentOS 7 | ✅ 🤖 | +| CentOS Stream >= 8 | ✅ 🤖 | +| Debian >= 10 | ✅ 🤖 | +| Fedora >= 35 | ✅ 🤖 | +| Oracle Linux 8 | ✅ | +| Rocky Linux 8 | ✅ | +| Ubuntu >= 18.04 | ✅ 🤖 | To be noted: -- It should work on Debian 8+ and Ubuntu 16.04+. But versions not in the table above are not officially supported. +- The script is regularly tested against the distributions marked with a 🤖 only. + - It's only test on `amd64` architecture. +- It should work on older versions such as Debian 8+, Ubuntu 16.04+ and previous Fedora releases. But versions not in the table above are not officially supported. + - It should also support versions between the LTS versions, but these are not tested. - The script requires `systemd`. -- The script is regularly tested against `amd64` only. ## Fork diff --git a/openvpn-install.sh b/openvpn-install.sh index 6bb39c5..c47e08f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -57,7 +57,7 @@ function checkOS() { fi if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then OS="centos" - if [[ ! $VERSION_ID =~ (7|8) ]]; then + if [[ $VERSION_ID -lt 7 ]]; then echo "⚠️ Your version of CentOS is not supported." echo "" echo "The script only support CentOS 7 and CentOS 8." 
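Review bot: the `openvpn-install.sh` hunk at `@@ -57,7` compares `$VERSION_ID -lt 7`, but the same branch handles `rocky` and `almalinux`, whose `VERSION_ID` carries a minor version such as `8.7`; `[[ 8.7 -lt 7 ]]` is not a valid integer comparison in bash and fails with a syntax error, so strip the minor part first (`${VERSION_ID%.*}`) or compare against a value known to be an integer.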
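Review bot: typo in the README hunk at `@@ -114,27`: `It's only test on \`amd64\` architecture.` should read `It's only tested on the \`amd64\` architecture.`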
From 33fe6af1315cf1f5a43397bf65341e683deac463 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 01:55:06 +0100 Subject: [PATCH 10/15] Update cloud providers --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 393b702..b856e95 100644 --- a/README.md +++ b/README.md @@ -151,10 +151,9 @@ More Q&A in [FAQ.md](FAQ.md). **A:** I recommend these: -- [Vultr](https://www.vultr.com/?ref=8537055-6G): Worldwide locations, IPv6 support, starting at \$3.50/month -- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month -- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month -- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month +- [Vultr](https://www.vultr.com/?ref=8948982-8H): Worldwide locations, IPv6 support, starting at \$5/month +- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, Finland and USA. IPv6, 20 TB of traffic, starting at 4.5€/month +- [Digital Ocean](https://m.do.co/c/ed0ba143fe53): Worldwide locations, IPv6 support, starting at \$4/month --- From d096f7a3a24063cade1c9b0c0a4cb4d0e1aea457 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 16:42:48 +0100 Subject: [PATCH 11/15] Add star history --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index b856e95..d3e3037 100644 --- a/README.md +++ b/README.md 
@@ -353,3 +353,7 @@ You can [say thanks](https://saythanks.io/to/angristan) if you want! Many thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and Nyr's original work. This project is under the [MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install/master/LICENSE) + +## Star History + +[![Star History Chart](https://api.star-history.com/svg?repos=angristan/openvpn-install&type=Date)](https://star-history.com/#angristan/openvpn-install&Date) From 80feebed16b3baa5979f764ee3272443f2fe08e6 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 16:43:13 +0100 Subject: [PATCH 12/15] Remove visitors badge --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index d3e3037..fba65c8 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,6 @@ ![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg) ![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg) -![visitors](https://visitor-badge.glitch.me/badge?page_id=angristan.openvpn-install) [![Say Thanks!](https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg)](https://saythanks.io/to/angristan) OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Arch Linux, Oracle Linux, Rocky Linux and AlmaLinux. From 1a249c621d63aa16f95b59673df8ae5c64d3c002 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 20 Nov 2023 21:14:04 +0100 Subject: [PATCH 13/15] ci: test workflow server images update (#1183) * test ci * remove ubuntu 18.04 * remove fedora 35 and add 37 38 * disable centos stream 9, add debian 12 --- .github/workflows/test.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4473eed..71ea00a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,6 +2,7 @@ on: push: branches: - master + - ci name: Test jobs: 
@@ -13,16 +14,14 @@ jobs: os-image: - debian-10-x64 - debian-11-x64 - - ubuntu-18-04-x64 + - debian-12-x64 - ubuntu-20-04-x64 - ubuntu-22-04-x64 - - fedora-35-x64 - # - fedora-36-x64 - # - fedora-37-x64 - # dnf is broken: https://ask.fedoraproject.org/t/dnf-operations-use-large-amount-of-ram-and-may-fail-in-low-memory-environments/26427 + - fedora-37-x64 + - fedora-38-x64 - centos-7-x64 - centos-stream-8-x64 - - centos-stream-9-x64 + # - centos-stream-9-x64 # yum oomkill steps: - uses: actions/checkout@v3.2.0 From 651e36c6cb0359ab7f4e699e2c71d3917acba69c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Salbe=C3=AF?= Date: Mon, 20 Nov 2023 21:19:13 +0100 Subject: [PATCH 14/15] Fix syntax error on Rocky Linux version check (#1182) Co-authored-by: David Salbei --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c47e08f..06ad608 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -57,7 +57,7 @@ function checkOS() { fi if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then OS="centos" - if [[ $VERSION_ID -lt 7 ]]; then + if [[ ${VERSION_ID%.*} -lt 7 ]]; then echo "⚠️ Your version of CentOS is not supported." echo "" echo "The script only support CentOS 7 and CentOS 8." From 5a4b31bd0d711da5df5febc944167b3cdb0a28bf Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 20 Nov 2023 21:21:51 +0100 Subject: [PATCH 15/15] Fix typo in README --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index fba65c8..dd83d6a 100644 --- a/README.md +++ b/README.md 
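Review bot: the `on: push: branches:` hunk adds `- ci` as a trigger branch and the commit message calls this `test ci`; if it is a leftover from testing, drop it before merge, because every push to a branch of that name now provisions test servers and runs the root SSH step with `secrets.SSH_KEY`. If it is intended, a comment saying so keeps the next reader from removing it.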
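Review bot: `${VERSION_ID%.*}` in the `@@ -57,7` hunk fixes the comparison for `8.7`-style values, but the message that follows, `The script only support CentOS 7 and CentOS 8.`, is now wrong on two counts: the check accepts 9 and later (the README table lists CentOS Stream >= 8 as supported) and it also runs for Rocky and AlmaLinux; reword it to state the actual lower bound, for example `The script only supports CentOS, Rocky Linux and AlmaLinux 7 and later.`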
@@ -117,21 +117,21 @@ The script supports these Linux distributions: | | Support | | ------------------ | ------- | -| AlmaLinux 8 | ✅ | -| Amazon Linux 2 | ✅ | -| Arch Linux | ✅ | -| CentOS 7 | ✅ 🤖 | -| CentOS Stream >= 8 | ✅ 🤖 | -| Debian >= 10 | ✅ 🤖 | -| Fedora >= 35 | ✅ 🤖 | -| Oracle Linux 8 | ✅ | -| Rocky Linux 8 | ✅ | -| Ubuntu >= 18.04 | ✅ 🤖 | +| AlmaLinux 8 | ✅ | +| Amazon Linux 2 | ✅ | +| Arch Linux | ✅ | +| CentOS 7 | ✅ 🤖 | +| CentOS Stream >= 8 | ✅ 🤖 | +| Debian >= 10 | ✅ 🤖 | +| Fedora >= 35 | ✅ 🤖 | +| Oracle Linux 8 | ✅ | +| Rocky Linux 8 | ✅ | +| Ubuntu >= 18.04 | ✅ 🤖 | To be noted: - The script is regularly tested against the distributions marked with a 🤖 only. - - It's only test on `amd64` architecture. + - It's only tested on `amd64` architecture. - It should work on older versions such as Debian 8+, Ubuntu 16.04+ and previous Fedora releases. But versions not in the table above are not officially supported. - It should also support versions between the LTS versions, but these are not tested. - The script requires `systemd`.
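Review bot: the commit is titled `Fix typo in README`, but ten of the eleven changed lines in the `@@ -117,21` hunk are whitespace re-alignment of the support table; splitting the table reflow from the one-word fix, or naming both in the subject, keeps the history easier to bisect.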