diff --git a/openvpn-install.sh b/openvpn-install.sh
index 96cd8bc..06ad608 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -57,7 +57,7 @@ function checkOS() {
fi
if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then
OS="centos"
- if [[ ! $VERSION_ID =~ (7|8) ]]; then
+ if [[ ${VERSION_ID%.*} -lt 7 ]]; then
echo "⚠️ Your version of CentOS is not supported."
echo ""
echo "The script only support CentOS 7 and CentOS 8."
@@ -227,14 +227,8 @@ function installQuestions() {
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
echo "Unless your server is behind NAT, it should be your public IPv4 address."
- # If detect_from_net is not set detect the IP from the network
- # Else use this command to detect ip: curl -s https://api.ipify.org
- if [[ -z $DETECT_FROM_NET ]]; then
- # Detect public IPv4 address and pre-fill for the user
- IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)
- else
- IP=$(curl -s https://api.ipify.org)
- fi
+ # Detect public IPv4 address and pre-fill for the user
+ IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)
if [[ -z $IP ]]; then
# Detect public IPv6 address
@@ -633,9 +627,13 @@ function installOpenVPN() {
# Behind NAT, we'll default to the publicly reachable IPv4/IPv6.
if [[ $IPV6_SUPPORT == "y" ]]; then
- PUBLIC_IP=$(curl --retry 5 --retry-connrefused https://ifconfig.co)
+ if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://ip.seeip.org); then
+ PUBLIC_IP=$(dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"')
+ fi
else
- PUBLIC_IP=$(curl --retry 5 --retry-connrefused -4 https://ifconfig.co)
+ if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://ip.seeip.org); then
+ PUBLIC_IP=$(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"')
+ fi
fi
ENDPOINT=${ENDPOINT:-$PUBLIC_IP}
fi
@@ -708,10 +706,10 @@ function installOpenVPN() {
# Install the latest version of easy-rsa from source, if not already installed.
if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
- local version="3.0.7"
+ local version="3.1.2"
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
mkdir -p /etc/openvpn/easy-rsa
- tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa
+ tar xzf ~/easy-rsa.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/easy-rsa
rm -f ~/easy-rsa.tgz
cd /etc/openvpn/easy-rsa/ || return
@@ -731,18 +729,16 @@ function installOpenVPN() {
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "$SERVER_NAME" >SERVER_NAME_GENERATED
- echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
-
# Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki
- ./easyrsa --batch build-ca nopass
+ ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass
if [[ $DH_TYPE == "2" ]]; then
# ECDH keys are generated on-the-fly so we don't need to generate them beforehand
openssl dhparam -out dh.pem $DH_KEY_SIZE
fi
- ./easyrsa build-server-full "$SERVER_NAME" nopass
+ ./easyrsa --batch build-server-full "$SERVER_NAME" nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
case $TLS_SIG in
@@ -1089,14 +1085,11 @@ function newClient() {
cd /etc/openvpn/easy-rsa/ || return
case $PASS in
1)
- ./easyrsa build-client-full "$CLIENT" nopass
+ ./easyrsa --batch build-client-full "$CLIENT" nopass
;;
2)
- echo -e "\n\n⚠️ You will be asked for the client password below ⚠️"
- echo "this is a random password generated"
- echo `openssl rand -base64 $(shuf -i13-17 -n1) || tr -dc A-Za-z0-9 "
echo ""
- awk '/BEGIN/,/END/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt"
+ awk '/BEGIN/,/END CERTIFICATE/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt"
echo ""
echo ""