feat: migrate to OpenVPN 2.4+ directory structure and improve distro compatibility (#1364)

## Summary

Migrates OpenVPN configuration to use the modern OpenVPN 2.4+ directory
structure and improves compatibility across different Linux
distributions.

Close https://github.com/angristan/openvpn-install/issues/1307, close
https://github.com/angristan/openvpn-install/issues/788, close
https://github.com/angristan/openvpn-install/issues/605, close
https://github.com/angristan/openvpn-install/pull/653, close
https://github.com/angristan/openvpn-install/issues/1214

### Directory Structure Changes
- All server files now in `/etc/openvpn/server/` instead of
`/etc/openvpn/`
- Uses `openvpn-server@server.service` consistently across all distros
- `server.conf` uses relative paths for portability

### Distro-Specific User/Group Handling
Different distros configure OpenVPN differently:
| Distro | User | Group | systemd handles user? |
|--------|------|-------|----------------------|
| Debian/Ubuntu | nobody | nogroup | No |
| Fedora/RHEL/Amazon | openvpn | openvpn | No |
| Arch | openvpn | network | **Yes** (via `User=` in service) |

The script now:
1. Detects if an `openvpn` user exists and uses appropriate group
2. Checks if systemd service already has `User=` directive
3. Skips `user`/`group` in config when systemd handles it (avoids
"double privilege drop" error on Arch)
4. Sets file ownership with `chown -R` for non-root OpenVPN users

### Other Changes
- Updated FAQ.md with new paths
- Added systemd service file validation in tests
- Added CRL reload verification in tests
Author: Stanislas, 2025-12-12 22:09:18 +01:00 (committed by GitHub)
Parent: 3bc52d245b
Commit: 44c995df8e
3 changed files with 273 additions and 187 deletions
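The three decisions the commit message describes (which account OpenVPN drops to, whether the systemd unit already carries `User=`, and what therefore belongs in `server.conf`) as a small set of testable shell functions. This is an added example, not the project's `openvpn-install.sh`; the passwd/group/unit file paths are parameters so the logic runs offline against constructed inputs, and on a real host you would feed it `/etc/passwd`, `/etc/group` and the output of `systemctl cat openvpn-server@server.service` (which includes drop-ins). The `975`/`90` ids and the unit contents below are made up for the demo.

```shell
#!/usr/bin/env bash
# Added example (not the openvpn-install script): decide the OpenVPN service
# account and whether server.conf may contain user/group directives.
# Paths are parameters so the functions can be exercised on constructed
# passwd/group/unit files; ids and unit bodies used here are made up.

# Print "user group" for the account OpenVPN should run as. A dedicated
# openvpn user wins and its primary group is resolved from the group file
# (openvpn on Fedora/RHEL/Amazon, network on Arch); with no such user,
# fall back to nobody:nogroup as on Debian/Ubuntu.
detect_account() {
    local passwd_file="${1:-/etc/passwd}" group_file="${2:-/etc/group}"
    local gid group
    gid=$(awk -F: '$1 == "openvpn" { print $4; exit }' "$passwd_file")
    if [ -z "$gid" ]; then
        printf '%s %s\n' nobody nogroup
        return 0
    fi
    group=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file")
    printf '%s %s\n' openvpn "${group:-openvpn}"
}

# Return 0 when the unit already has a User= line: systemd then starts
# OpenVPN unprivileged, and a second drop via user/group in the config is
# the "double privilege drop" failure seen on Arch.
unit_sets_user() {
    local unit_file="$1"
    [ -r "$unit_file" ] && grep -Eq '^[[:space:]]*User=' "$unit_file"
}

# Emit the privilege-drop lines for server.conf, or nothing when systemd
# owns that job.
privilege_directives() {
    local unit_file="$1" user="$2" group="$3"
    if unit_sets_user "$unit_file"; then
        return 0
    fi
    printf 'user %s\ngroup %s\n' "$user" "$group"
}

# Files OpenVPN touches after dropping root (the CRL named by crl-verify is
# re-read on every client connect; ipp.txt and status files are written)
# must be accessible to the service account, hence the recursive chown.
fix_ownership() {
    local dir="$1" user="$2" group="$3"
    [ "$user" = root ] || chown -R "$user:$group" "$dir"
}

# Stand-alone demo on constructed inputs mirroring the Arch row of the table.
demo() {
    local tmp account user group
    tmp=$(mktemp -d)
    printf 'openvpn:x:975:90::/var/lib/openvpn:/usr/bin/nologin\n' > "$tmp/passwd"
    printf 'network:x:90:\n' > "$tmp/group"
    printf '[Service]\nUser=openvpn\nGroup=network\n' > "$tmp/arch.service"
    account=$(detect_account "$tmp/passwd" "$tmp/group")
    user=${account% *}
    group=${account#* }
    echo "account: $user:$group"
    echo "server.conf lines: '$(privilege_directives "$tmp/arch.service" "$user" "$group")'"
    rm -rf "$tmp"
}

demo
```

On Arch the demo prints an empty set of `server.conf` lines because the unit already drops privileges; on a Debian-style unit without `User=` the same call yields `user nobody` / `group nogroup`. `fix_ownership` is deliberately not called in the demo since it needs root.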

FAQ.md (8 changed lines)

@@ -71,7 +71,7 @@ down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
- AES CBC
- tls-auth
If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server.conf` and `.ovpn` files.
If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server/server.conf` and `.ovpn` files.
---
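Review bot: the path fix is correct, but the surrounding advice to remove `tls-version-min 1.2` for clients older than 2.3.3 deserves a one-line caveat in the same answer: taking the line out of `/etc/openvpn/server/server.conf` lowers the TLS floor for every client of that server, not just the legacy one, so upgrading the client should be the first recommendation and the downgrade a last resort. Since `.ovpn` files are generated from the client template, the answer could also point at `/etc/openvpn/server/client-template.txt` so newly issued profiles do not regain the line.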
@@ -117,7 +117,7 @@ Sysctl options are at `/etc/sysctl.d/99-openvpn.conf`
**Q:** How can I access computers the OpenVPN server's remote LAN?
**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart OpenVPN. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server/server.conf` and restart OpenVPN. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
---
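Review bot: "restart OpenVPN" has become ambiguous with this migration; the unit is now `openvpn-server@server.service` on every distro, and a plain `systemctl restart openvpn` will not touch it, so spell out `systemctl restart openvpn-server@server.service` here. The unchanged question is also missing a word ("computers on the OpenVPN server's remote LAN"). Worth one more sentence: a pushed route only gives clients a path to the LAN, so the server still has to forward and its firewall rules have to allow tun-to-LAN traffic, and every connected client gains that reachability, which is the point to weigh before adding the route.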
@@ -145,13 +145,13 @@ done < users.txt
**Q:** How do I change the default `.ovpn` file created for future clients?
**A:** You can edit the template out of which `.ovpn` files are created by editing `/etc/openvpn/client-template.txt`
**A:** You can edit the template out of which `.ovpn` files are created by editing `/etc/openvpn/server/client-template.txt`
---
**Q:** For my clients - I want to set my internal network to pass through the VPN and the rest to go through my internet?
**A:** You would need to edit the `.ovpn` file. You can edit the template out of which those files are created by editing `/etc/openvpn/client-template.txt` file and adding
**A:** You would need to edit the `.ovpn` file. You can edit the template out of which those files are created by editing `/etc/openvpn/server/client-template.txt` file and adding
```sh
route-nopull
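Review bot: both answers now point at the same `/etc/openvpn/server/client-template.txt`, so the second could refer back to the first instead of repeating the editing instruction, and both should repeat that template edits only affect profiles generated afterwards. More importantly, `route-nopull` discards more than routes: the client also ignores pushed `dhcp-option` (DNS) and `block-outside-dns`, so a split-tunnel client built this way keeps using its local resolver. Say so in the answer, or suggest `pull-filter ignore "redirect-gateway"` when only the default route should be refused.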