mirror of
https://github.com/angristan/openvpn-install.git
synced 2024-12-11 18:05:32 +01:00
Merge pull request #1 from rhyswilliamsza/master
[Alignment] Align with angristan master
This commit is contained in:
commit
3e3c874b49
3
.editorconfig
Normal file
3
.editorconfig
Normal file
@ -0,0 +1,3 @@
|
||||
[*.sh]
|
||||
indent_style = tab
|
||||
indent_size = 4
|
8
.github/FUNDING.yml
vendored
8
.github/FUNDING.yml
vendored
@ -1,3 +1,5 @@
|
||||
patreon: angristan
|
||||
liberapay: angristan
|
||||
ko_fi: angristan
|
||||
patreon: stanislas
|
||||
liberapay: stanislas
|
||||
ko_fi: stanislas
|
||||
github: angristan
|
||||
custom: https://coindrop.to/stanislas
|
||||
|
13
.github/ISSUE_TEMPLATE.md
vendored
13
.github/ISSUE_TEMPLATE.md
vendored
@ -1,13 +0,0 @@
|
||||
<!---
|
||||
|
||||
Before opening an issue, please make sure:
|
||||
|
||||
- You installed OpenVPN with the latest version of the script
|
||||
- You read the FAQ
|
||||
- Your issue is about the script, NOT OpenVPN itself
|
||||
- ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed
|
||||
|
||||
FYI, you can excute the script with `bash -x openvpn-install.sh` to enable debug mode.
|
||||
|
||||
You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/
|
||||
--->
|
35
.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
vendored
Normal file
35
.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
vendored
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
name: Bug report / Support request
|
||||
about: Create a report to help us improve
|
||||
title: ''
|
||||
labels: ''
|
||||
assignees: ''
|
||||
|
||||
---
|
||||
|
||||
**⚠️ Unless you are sure you find a bug with the script, please open a [discussion](https://github.com/angristan/openvpn-install/discussions) instead of an issue!**
|
||||
|
||||
**Checklist**
|
||||
|
||||
- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md)
|
||||
- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md)
|
||||
- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+)
|
||||
- [ ] I searched the [discussion](https://github.com/angristan/openvpn-install/discussions)
|
||||
- [ ] My issue is about the script, and not OpenVPN itself
|
||||
|
||||
<!---
|
||||
If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn)
|
||||
--->
|
||||
|
||||
Pease include as much details as possible in your issue:
|
||||
|
||||
- Description of the issue
|
||||
- How to reproduce the issue
|
||||
- What did you expected should happen
|
||||
- Logs
|
||||
- Server/Client versions (OS, OpenVPN, etc)
|
||||
- Any context or information that could help
|
||||
|
||||
---
|
||||
|
||||
<!-- Write your report below this line -->
|
31
.github/ISSUE_TEMPLATE/feature-request.md
vendored
Normal file
31
.github/ISSUE_TEMPLATE/feature-request.md
vendored
Normal file
@ -0,0 +1,31 @@
|
||||
---
|
||||
name: Feature request
|
||||
about: Suggest an idea for this project
|
||||
title: ''
|
||||
labels: ''
|
||||
assignees: ''
|
||||
|
||||
---
|
||||
|
||||
**Checklist**
|
||||
|
||||
- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md)
|
||||
- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md)
|
||||
- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+)
|
||||
- [ ] My issue is about the script, and not OpenVPN itself
|
||||
|
||||
<!---
|
||||
If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn)
|
||||
--->
|
||||
|
||||
**Is your feature request related to a problem? Please describe.**
|
||||
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
|
||||
|
||||
**Describe the solution you'd like**
|
||||
A clear and concise description of what you want to happen.
|
||||
|
||||
**Describe alternatives you've considered**
|
||||
A clear and concise description of any alternative solutions or features you've considered.
|
||||
|
||||
**Additional context**
|
||||
Add any other context or screenshots about the feature request here.
|
6
.github/dependabot.yml
vendored
Normal file
6
.github/dependabot.yml
vendored
Normal file
@ -0,0 +1,6 @@
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "monthly"
|
1
.github/linters/.markdown-lint.yml
vendored
Normal file
1
.github/linters/.markdown-lint.yml
vendored
Normal file
@ -0,0 +1 @@
|
||||
{ 'MD013': null, 'MD045': null, 'MD040': null, 'MD036': null }
|
14
.github/workflows/lint.yml
vendored
Normal file
14
.github/workflows/lint.yml
vendored
Normal file
@ -0,0 +1,14 @@
|
||||
on: [push, pull_request]
|
||||
|
||||
name: Lint
|
||||
|
||||
jobs:
|
||||
super-linter:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout Code
|
||||
uses: actions/checkout@v2.3.4
|
||||
- name: Lint Code Base
|
||||
uses: github/super-linter@v4.1.0
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
11
.github/workflows/push.yml
vendored
11
.github/workflows/push.yml
vendored
@ -1,11 +0,0 @@
|
||||
on: push
|
||||
name: ShellCheck
|
||||
jobs:
|
||||
shellcheck:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@master
|
||||
- name: shellcheck
|
||||
uses: ludeeus/action-shellcheck@0.0.1
|
||||
with:
|
||||
args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
|
97
.github/workflows/test.yml
vendored
Normal file
97
.github/workflows/test.yml
vendored
Normal file
@ -0,0 +1,97 @@
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
|
||||
name: Test
|
||||
jobs:
|
||||
install:
|
||||
runs-on: ubuntu-latest
|
||||
if: github.repository == 'angristan/openvpn-install' && github.actor == 'angristan'
|
||||
strategy:
|
||||
matrix:
|
||||
os-image:
|
||||
- debian-9-x64
|
||||
- debian-10-x64
|
||||
- ubuntu-16-04-x64
|
||||
- ubuntu-18-04-x64
|
||||
- ubuntu-20-04-x64
|
||||
- fedora-32-x64
|
||||
- fedora-33-x64
|
||||
- centos-7-x64
|
||||
- centos-8-x64
|
||||
steps:
|
||||
- uses: actions/checkout@v2.3.4
|
||||
|
||||
- name: Setup doctl
|
||||
uses: digitalocean/action-doctl@v2
|
||||
with:
|
||||
token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
|
||||
|
||||
- name: Create server
|
||||
run: doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} --size s-1vcpu-1gb --image ${{ matrix.os-image }} --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4 --wait
|
||||
|
||||
- name: Get server ID
|
||||
run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").id')
|
||||
id: server_id
|
||||
|
||||
- name: Move server to dedicated project
|
||||
run: doctl projects resources assign ${{ secrets.DIGITALOCEAN_PROJECT_ID }} --resource=do:droplet:${{ steps.server_id.outputs.value }}
|
||||
|
||||
- name: Wait for server to boot
|
||||
run: sleep 90
|
||||
|
||||
- name: Get server IP
|
||||
run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").networks.v4 | .[] | select(.type == "'public'").ip_address')
|
||||
id: server_ip
|
||||
|
||||
- name: Get server OS
|
||||
run: echo ::set-output name=value::$(echo ${{ matrix.os-image }} | cut -d '-' -f1)
|
||||
id: server_os
|
||||
|
||||
- name: Setup remote server (Debian/Ubuntu)
|
||||
if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
|
||||
uses: appleboy/ssh-action@v0.1.4
|
||||
with:
|
||||
host: ${{ steps.server_ip.outputs.value }}
|
||||
username: root
|
||||
key: ${{ secrets.SSH_KEY }}
|
||||
script: set -x && apt-get update && apt-get install -y git
|
||||
|
||||
- name: Setup remote server (Fedora)
|
||||
if: steps.server_os.outputs.value == 'fedora'
|
||||
uses: appleboy/ssh-action@v0.1.4
|
||||
with:
|
||||
host: ${{ steps.server_ip.outputs.value }}
|
||||
username: root
|
||||
key: ${{ secrets.SSH_KEY }}
|
||||
script: set -x && dnf install -y git
|
||||
|
||||
- name: Setup remote server (CentOS)
|
||||
if: steps.server_os.outputs.value == 'centos'
|
||||
uses: appleboy/ssh-action@v0.1.4
|
||||
with:
|
||||
host: ${{ steps.server_ip.outputs.value }}
|
||||
username: root
|
||||
key: ${{ secrets.SSH_KEY }}
|
||||
script: set -x && yum install -y git
|
||||
|
||||
- name: Download repo and checkout current commit
|
||||
uses: appleboy/ssh-action@v0.1.4
|
||||
with:
|
||||
host: ${{ steps.server_ip.outputs.value }}
|
||||
username: root
|
||||
key: ${{ secrets.SSH_KEY }}
|
||||
script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }}
|
||||
|
||||
- name: Run openvpn-install.sh in headless mode
|
||||
uses: appleboy/ssh-action@v0.1.4
|
||||
with:
|
||||
host: ${{ steps.server_ip.outputs.value }}
|
||||
username: root
|
||||
key: ${{ secrets.SSH_KEY }}
|
||||
script: 'set -x && AUTO_INSTALL=y bash -x ~/openvpn-install/openvpn-install.sh && ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1'
|
||||
|
||||
- name: Delete server
|
||||
run: doctl compute droplet delete -f openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}
|
||||
if: always()
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +0,0 @@
|
||||
.vagrant/
|
||||
*.log
|
153
FAQ.md
Normal file
153
FAQ.md
Normal file
@ -0,0 +1,153 @@
|
||||
# FAQ
|
||||
|
||||
**Q:** The script has been updated since I installed OpenVPN. How do I update?
|
||||
|
||||
**A:** You can't. Managing updates and new features from the script would require way too much work. Your only solution is to uninstall OpenVPN and reinstall with the updated script.
|
||||
|
||||
You can, of course, it's even recommended, update the `openvpn` package with your package manager.
|
||||
|
||||
---
|
||||
|
||||
**Q:** How do I check for DNS leaks?
|
||||
|
||||
**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Your IP should not show up (test without and without the VPN). The DNS servers should be the ones you selected during the setup, not your IP address nor your ISP's DNS servers' addresses.
|
||||
|
||||
---
|
||||
|
||||
**Q:** How do I fix DNS leaks?
|
||||
|
||||
**A:** On Windows 10 DNS leaks are blocked by default with the `block-outside-dns` option.
|
||||
On Linux you need to add these lines to your `.ovpn` file based on your Distribution.
|
||||
|
||||
Debian 9, 10 and Ubuntu 16.04, 18.04
|
||||
|
||||
```
|
||||
script-security 2
|
||||
up /etc/openvpn/update-resolv-conf
|
||||
down /etc/openvpn/update-resolv-conf
|
||||
```
|
||||
|
||||
Centos 6, 7
|
||||
|
||||
```
|
||||
script-security 2
|
||||
up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up
|
||||
down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down
|
||||
```
|
||||
|
||||
Centos 8, Fedora 30, 31
|
||||
|
||||
```
|
||||
script-security 2
|
||||
up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
|
||||
down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
|
||||
```
|
||||
|
||||
Arch Linux
|
||||
|
||||
```
|
||||
script-security 2
|
||||
up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
|
||||
down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**Q:** Can I use an OpenVPN 2.3 client?
|
||||
|
||||
**A:** Yes. I really recommend using an up-to-date client, but if you really need it, choose the following options:
|
||||
|
||||
- No compression or LZ0
|
||||
- RSA certificate
|
||||
- DH Key
|
||||
- AES CBC
|
||||
- tls-auth
|
||||
|
||||
If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server.conf` and `.ovpn` files.
|
||||
|
||||
---
|
||||
|
||||
**Q:** IPv6 is not working on my Hetzner VM
|
||||
|
||||
**A:** This an issue on their side. See <https://angristan.xyz/fix-ipv6-hetzner-cloud/>
|
||||
|
||||
---
|
||||
|
||||
**Q:** DNS is not working on my Linux client
|
||||
|
||||
**A:** See "How do I fix DNS leaks?" question
|
||||
|
||||
---
|
||||
|
||||
**Q:** What syctl and iptables changes are made by the script?
|
||||
|
||||
**A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service`
|
||||
|
||||
Sysctl options are at `/etc/sysctl.d/20-openvpn.conf`
|
||||
|
||||
---
|
||||
|
||||
**Q:** How can I access other clients connected to the same OpenVPN server?
|
||||
|
||||
**A:** Add `client-to-client` to your `server.conf`
|
||||
|
||||
---
|
||||
|
||||
**Q:** My router can't connect
|
||||
|
||||
**A:**
|
||||
|
||||
- `Options error: No closing quotation (") in config.ovpn:46` :
|
||||
|
||||
type `yes` when asked to customize encryption settings and choose `tls-auth`
|
||||
|
||||
- `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` :
|
||||
|
||||
see question "Can I use an OpenVPN 2.3 client?"
|
||||
|
||||
---
|
||||
|
||||
**Q:** How can I access computers the OpenVPN server's remote LAN?
|
||||
|
||||
**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
|
||||
|
||||
---
|
||||
|
||||
**Q:** How can I add multiple users in one go?
|
||||
|
||||
**A:** Here is a sample bash script to achieve this:
|
||||
|
||||
```sh
|
||||
userlist=(user1 user2 user3)
|
||||
|
||||
for i in ${userlist[@]};do
|
||||
MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh
|
||||
done
|
||||
```
|
||||
|
||||
From a list in a text file:
|
||||
|
||||
```sh
|
||||
while read USER
|
||||
do MENU_OPTION="1" CLIENT="$USER" PASS="1" ./openvpn-install.sh
|
||||
done < users.txt
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**Q:** How do I change the default `.ovpn` file created for future clients?
|
||||
|
||||
**A:** You can edit the template out of which `.ovpn` files are created by editing `/etc/openvpn/client-template.txt`
|
||||
|
||||
---
|
||||
|
||||
**Q:** For my clients - I want to set my internal network to pass through the VPN and the rest to go through my internet?
|
||||
|
||||
**A:** You would need to edit the `.ovpn` file. You can edit the template out of which those files are created by editing `/etc/openvpn/client-template.txt` file and adding
|
||||
|
||||
```sh
|
||||
route-nopull
|
||||
route 10.0.0.0 255.0.0.0
|
||||
```
|
||||
|
||||
So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet.
|
86
README.md
86
README.md
@ -1,6 +1,10 @@
|
||||
# openvpn-install
|
||||
|
||||
OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
|
||||
![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg)
|
||||
![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg)
|
||||
![visitors](https://visitor-badge.glitch.me/badge?page_id=angristan.openvpn-install)
|
||||
|
||||
OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Oracle Linux and Arch Linux.
|
||||
|
||||
This script will let you setup your own secure VPN server in just a few seconds.
|
||||
|
||||
@ -8,14 +12,14 @@ You can also check out [wireguard-install](https://github.com/angristan/wireguar
|
||||
|
||||
## Usage
|
||||
|
||||
First, get the script and make it executable :
|
||||
First, get the script and make it executable:
|
||||
|
||||
```bash
|
||||
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
|
||||
chmod +x openvpn-install.sh
|
||||
```
|
||||
|
||||
Then run it :
|
||||
Then run it:
|
||||
|
||||
```sh
|
||||
./openvpn-install.sh
|
||||
@ -25,7 +29,7 @@ You need to run the script as root and have the TUN module enabled.
|
||||
|
||||
The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
|
||||
|
||||
When OpenVPN is installed, you can run the script again, and you will get the choice to :
|
||||
When OpenVPN is installed, you can run the script again, and you will get the choice to:
|
||||
|
||||
- Add a client
|
||||
- Remove a client
|
||||
@ -33,13 +37,16 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
|
||||
|
||||
In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
|
||||
|
||||
If you have any question, head to the [FAQ](#faq) first.
|
||||
If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
|
||||
|
||||
**PLEASE do not send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
|
||||
|
||||
### Headless install
|
||||
|
||||
It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.
|
||||
|
||||
Example usage:
|
||||
|
||||
```bash
|
||||
AUTO_INSTALL=y ./openvpn-install.sh
|
||||
|
||||
@ -71,11 +78,14 @@ Other variables can be set depending on your choice (encryption, compression). Y
|
||||
|
||||
Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.
|
||||
|
||||
The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.
|
||||
|
||||
### Headless User Addition
|
||||
|
||||
It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script.
|
||||
|
||||
The following Bash script adds a new user `foo` to an existing OpenVPN configuration
|
||||
|
||||
```bash
|
||||
#!/bin/bash
|
||||
export MENU_OPTION="1"
|
||||
@ -106,20 +116,17 @@ export PASS="1"
|
||||
|
||||
The script supports these OS and architectures:
|
||||
|
||||
| | i386 | amd64 | armhf | arm64 |
|
||||
| -------------- | ---- | ----- | ----- | ----- |
|
||||
| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
|
||||
| Arch Linux | ❔ | ✅ | ❔ | ✅ |
|
||||
| Centos 8 | ❌ | ✅ | ❔ | ❔ |
|
||||
| CentOS 7 | ❔ | ✅ | ❌ | ✅ |
|
||||
| Debian 8 | ✅ | ✅ | ❌ | ❌ |
|
||||
| Debian 9 | ❌ | ✅ | ✅ | ✅ |
|
||||
| Debian 10 | ❔ | ✅ | ✅ | ❔ |
|
||||
| Fedora 27 | ❔ | ✅ | ❔ | ❔ |
|
||||
| Fedora 28 | ❔ | ✅ | ❔ | ❔ |
|
||||
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
|
||||
| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ |
|
||||
| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ |
|
||||
| | i386 | amd64 | armhf | arm64 |
|
||||
| --------------- | ---- | ----- | ----- | ----- |
|
||||
| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
|
||||
| Arch Linux | ❔ | ✅ | ❔ | ✅ |
|
||||
| CentOS 7 | ✅ | ✅ | ✅ | ✅ |
|
||||
| CentOS 8 | ❌ | ✅ | ❌ | ✅ |
|
||||
| Debian >= 9 | ✅ | ✅ | ✅ | ✅ |
|
||||
| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ |
|
||||
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
|
||||
| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ |
|
||||
| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ |
|
||||
|
||||
To be noted:
|
||||
|
||||
@ -135,17 +142,16 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially
|
||||
|
||||
## FAQ
|
||||
|
||||
**LOOK AT THE [WIKI](https://github.com/angristan/openvpn-install/wiki/FAQ) FOR MORE INFORMATION. PLEASE READ BOTH BEFORE OPENING AN ISSUE.**
|
||||
|
||||
**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you.
|
||||
More Q&A in [FAQ.md](FAQ.md).
|
||||
|
||||
**Q:** Which provider do you recommend?
|
||||
|
||||
**A:** I recommend these:
|
||||
|
||||
- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month
|
||||
- [Vultr](https://www.vultr.com/?ref=8537055-6G): Worldwide locations, IPv6 support, starting at \$3.50/month
|
||||
- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month
|
||||
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month
|
||||
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
|
||||
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month
|
||||
|
||||
---
|
||||
|
||||
@ -173,12 +179,19 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially
|
||||
|
||||
---
|
||||
|
||||
## One-stop solutions for public cloud
|
||||
More Q&A in [FAQ.md](FAQ.md).
|
||||
|
||||
## One-stop solutions for public cloud
|
||||
|
||||
Solutions that provision a ready to use OpenVPN server based on this script in one go are available for:
|
||||
|
||||
- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
|
||||
- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
|
||||
|
||||
## Contributing
|
||||
|
||||
### Code formatting
|
||||
|
||||
We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).
|
||||
|
||||
## Security and Encryption
|
||||
|
||||
@ -188,12 +201,13 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA,
|
||||
|
||||
If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.
|
||||
|
||||
Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
|
||||
Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.7/easyrsa3/vars.example) file.
|
||||
|
||||
### Compression
|
||||
|
||||
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
|
||||
|
||||
However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
|
||||
However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
|
||||
|
||||
### TLS version
|
||||
|
||||
@ -224,17 +238,16 @@ By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old
|
||||
|
||||
> The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
|
||||
>
|
||||
> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
|
||||
|
||||
>Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
|
||||
> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See <https://community.openvpn.net/openvpn/wiki/SWEET32> for details.
|
||||
> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See <https://sweet32.info/> for a much better and more elaborate explanation.
|
||||
>
|
||||
> OpenVPN's default cipher, BF-CBC, is affected by this attack.
|
||||
|
||||
Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted.
|
||||
Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](<https://en.wikipedia.org/wiki/Camellia_(cipher)>) are not vulnerable to date but are slower than AES and relatively less trusted.
|
||||
|
||||
> Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.
|
||||
|
||||
AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source : [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack).
|
||||
AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source: [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack).
|
||||
|
||||
AES-GCM is an [AEAD cipher](https://en.wikipedia.org/wiki/Authenticated_encryption) which means it simultaneously provides confidentiality, integrity, and authenticity assurances on the data.
|
||||
|
||||
@ -249,7 +262,7 @@ The script supports the following ciphers:
|
||||
|
||||
And defaults to `AES-128-GCM`.
|
||||
|
||||
OpenVPN 2.4 added a feature called "NCP": *Negotiable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
|
||||
OpenVPN 2.4 added a feature called "NCP": _Negotiable Crypto Parameters_. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
|
||||
|
||||
### Control channel
|
||||
|
||||
@ -310,6 +323,7 @@ About `tls-crypt`:
|
||||
> Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
|
||||
>
|
||||
> Encrypting (and authenticating) control channel packets:
|
||||
>
|
||||
> - provides more privacy by hiding the certificate used for the TLS connection,
|
||||
> - makes it harder to identify OpenVPN traffic as such,
|
||||
> - provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
|
||||
@ -322,9 +336,7 @@ The script supports both and uses `tls-crypt` by default.
|
||||
|
||||
## Say thanks
|
||||
|
||||
*Sadly saythanks.io doesn't exist anymore... Thanks for the dozens of messages! It's really meaninful to me.*
|
||||
|
||||
*Still want to help? Check the "sponsor" button at the top of the page!*
|
||||
You can [say thanks](https://saythanks.io/to/angristan%40pm.me) if you want!
|
||||
|
||||
## Credits & Licence
|
||||
|
||||
|
35
Vagrantfile
vendored
35
Vagrantfile
vendored
@ -1,35 +0,0 @@
|
||||
# This Vagrantfile is used to test the script
|
||||
|
||||
# To run the script on all machines, export VAGRANT_AUTOSTART=true
|
||||
autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
|
||||
# else, run `vagrant up <hostname>`
|
||||
|
||||
machines = [
|
||||
{ hostname: 'debian-10', box: 'debian/stretch64' },
|
||||
{ hostname: 'debian-9', box: 'debian/stretch64' },
|
||||
{ hostname: 'debian-8', box: 'debian/jessie64' },
|
||||
{ hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },
|
||||
{ hostname: 'ubuntu-1804', box: 'ubuntu/xenial64' },
|
||||
{ hostname: 'centos-7', box: 'centos/7' },
|
||||
{ hostname: 'fedora-29', box: 'fedora/29-cloud-base' },
|
||||
{ hostname: 'fedora-28', box: 'fedora/28-cloud-base' },
|
||||
{ hostname: 'archlinux', box: 'archlinux/archlinux' }
|
||||
]
|
||||
|
||||
Vagrant.configure('2') do |config|
|
||||
machines.each do |machine|
|
||||
config.vm.provider 'virtualbox' do |v|
|
||||
v.memory = 1024
|
||||
v.cpus = 2
|
||||
end
|
||||
config.vm.define machine[:hostname], autostart: autostart_machines do |machineconfig|
|
||||
machineconfig.vm.hostname = machine[:hostname]
|
||||
machineconfig.vm.box = machine[:box]
|
||||
|
||||
machineconfig.vm.provision 'shell', inline: <<-SHELL
|
||||
AUTO_INSTALL=y /vagrant/openvpn-install.sh
|
||||
ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1
|
||||
SHELL
|
||||
end
|
||||
end
|
||||
end
|
1013
openvpn-install.sh
1013
openvpn-install.sh
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user