From e123635e7ca50792523ea034bf2ed19749aeb690 Mon Sep 17 00:00:00 2001 From: Henry N Date: Thu, 2 Apr 2020 16:30:50 +0200 Subject: [PATCH 1/6] Add comments to some DNS options in code (#598) --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index edb703e..a9f1a03 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -745,7 +745,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf # DNS resolvers case $DNS in - 1) + 1) # Current system resolvers # Locate the proper resolv.conf # Needed for systems running systemd-resolved if grep -q "127.0.0.53" "/etc/resolv.conf"; then @@ -758,7 +758,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf done ;; - 2) + 2) # Self-hosted DNS resolver (Unbound) echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf ;; 3) # Cloudflare From d958c15909270b3cc5f0c6bd1b5e6fd0182135b0 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Fri, 3 Apr 2020 11:13:57 +0200 Subject: [PATCH 2/6] =?UTF-8?q?=F0=9F=A4=A6=E2=80=8D=E2=99=82=EF=B8=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ca3cdf7..b6e90f0 100644 --- a/README.md +++ b/README.md 
@@ -33,7 +33,9 @@ When OpenVPN is installed, you can run the script again, and you will get the ch In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client. -If you have any question, head to the [FAQ](#faq) first. +If you have any question, head to the [FAQ](#faq) and the [Wiki](https://github.com/angristan/openvpn-install/wiki/FAQ) first. Please read everything before opening an issue. + +**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special. ### Headless install From d31efe9e7b6483325cb6aa7976db2e7f2e28b403 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sat, 4 Apr 2020 11:54:17 +0200 Subject: [PATCH 3/6] Move FAQ from wiki to git to allow contributions (#611) Signed-off-by: Stanislas Lange --- .github/ISSUE_TEMPLATE.md | 2 +- FAQ.md | 47 +++++++++++++++++++++++++++++++++++++++ README.md | 6 ++--- 3 files changed, 51 insertions(+), 4 deletions(-) create mode 100644 FAQ.md diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index 617414b..36bc569 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -7,7 +7,7 @@ Before opening an issue, please make sure: - Your issue is about the script, NOT OpenVPN itself - ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed -FYI, you can excute the script with `bash -x openvpn-install.sh` to enable debug mode. +FYI, you can execute the script with `bash -x openvpn-install.sh` to enable debug mode. You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/ ---> diff --git a/FAQ.md b/FAQ.md new file mode 100644 index 0000000..895c865 --- /dev/null +++ b/FAQ.md 
@@ -0,0 +1,47 @@ +# FAQ + +**Q:** The script has been updated since I installed OpenVPN. How do I update? + +**A:** You can't. Managing updates and new features from the script would require way too much work. Your only solution is to uninstall OpenVPN and reinstall with the updated script. + +You can, of course, it's even recommended, update the `openvpn` package with your package manager. + +--- + +**Q:** How do I check for DNS leaks? + +**A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up. + +--- + +**Q:** Can I use an OpenVPN 2.3 client? + +**A:** Yes. I really recommend using an up-to-date client, but if you really need it, choose the following options: + +- No compression or LZ0 +- RSA certificate +- DH Key +- AES CBC +- tls-auth + +If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server.conf` and `.ovpn` files. + +--- + +**Q:** IPv6 is not working on my Hetzner VM + +**A:** This an issue on their side. See https://angristan.xyz/fix-ipv6-hetzner-cloud/ + +--- + +**Q:** DNS is not working on my Linux client + +**A:** Make sure the `resolvconf` package is installed. If it does not solve the issue, look at https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script + +--- + +**Q:** How to setup openVPN in a LXC container? (f.e. Proxmox) + +**A:** See https://github.com/Nyr/openvpn-install/wiki/How-to-setup-openVPN-in-a-LXC-container-(f.e.-Proxmox) + +--- diff --git a/README.md b/README.md index b6e90f0..f36e290 100644 --- a/README.md +++ b/README.md 
@@ -136,9 +136,7 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially ## FAQ -**LOOK AT THE [WIKI](https://github.com/angristan/openvpn-install/wiki/FAQ) FOR MORE INFORMATION. PLEASE READ BOTH BEFORE OPENING AN ISSUE.** - -**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. +More Q&A in [FAQ.md](FAQ.md). **Q:** Which provider do you recommend? @@ -174,6 +172,8 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially --- +More Q&A in [FAQ.md](FAQ.md). + ## One-stop solutions for public cloud Solutions that provision a ready to use OpenVPN server based on this script in one go are available for: From 7e7a494f595356625deda506fab65dc8a7520b59 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sat, 4 Apr 2020 11:55:08 +0200 Subject: [PATCH 4/6] Remove wiki link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f36e290..ecabc80 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ When OpenVPN is installed, you can run the script again, and you will get the ch In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client. -If you have any question, head to the [FAQ](#faq) and the [Wiki](https://github.com/angristan/openvpn-install/wiki/FAQ) first. Please read everything before opening an issue. +If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue. **PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special. 
From 6e8aeb3505fb206ac7dfc398825befd5766633e6 Mon Sep 17 00:00:00 2001 From: Henry N Date: Mon, 6 Apr 2020 14:41:10 +0200 Subject: [PATCH 5/6] Uninstallation: restart unbound only if not removed (#612) --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index a9f1a03..2b7c646 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1130,7 +1130,6 @@ function removeUnbound () { # Remove OpenVPN-related config sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf rm /etc/unbound/openvpn.conf - systemctl restart unbound until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do echo "" @@ -1157,6 +1156,7 @@ function removeUnbound () { echo "" echo "Unbound removed!" else + systemctl restart unbound echo "" echo "Unbound wasn't removed." fi From ef5d5faf30188d4d2a555e6914ff2fe415f17015 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Mon, 6 Apr 2020 12:51:58 +0000 Subject: [PATCH 6/6] Change = conditional to == (#591) --- openvpn-install.sh | 66 +++++++++++++++++++++++----------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2b7c646..2a36390 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -31,7 +31,7 @@ function checkOS () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE done - if [[ "$CONTINUE" = "n" ]]; then + if [[ "$CONTINUE" == "n" ]]; then exit 1 fi fi @@ -46,7 +46,7 @@ function checkOS () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE done - if [[ "$CONTINUE" = "n" ]]; then + if [[ "$CONTINUE" == "n" ]]; then exit 1 fi fi 
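Review bot: The `systemctl restart unbound` moved into the else branch (hunk at -1157) runs unchecked, so if the resolver fails to come back after the include line was stripped and `/etc/unbound/openvpn.conf` deleted in the -1130 hunk, the user only sees "Unbound wasn't removed." with no hint that DNS for VPN clients is now down. Since the commit already owns this line, report the failure to stderr, e.g. `systemctl restart unbound || echo "Warning: unbound failed to restart, check 'systemctl status unbound'" >&2`. Whether the script aborts on that failure depends on `set -e` settings not visible here. The body of removeUnbound starts before the first hunk and ends after the second, so the surrounding branch structure is inferred from the header context only.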
@@ -54,10 +54,10 @@ function checkOS () { elif [[ -e /etc/system-release ]]; then # shellcheck disable=SC1091 source /etc/os-release - if [[ "$ID" = "fedora" ]]; then + if [[ "$ID" == "fedora" ]]; then OS="fedora" fi - if [[ "$ID" = "centos" ]]; then + if [[ "$ID" == "centos" ]]; then OS="centos" if [[ ! $VERSION_ID =~ (7|8) ]]; then echo "⚠️ Your version of CentOS is not supported." @@ -67,7 +67,7 @@ function checkOS () { exit 1 fi fi - if [[ "$ID" = "amzn" ]]; then + if [[ "$ID" == "amzn" ]]; then OS="amzn" if [[ ! $VERSION_ID == "2" ]]; then echo "⚠️ Your version of Amazon Linux is not supported." @@ -121,7 +121,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf - elif [[ "$OS" = "fedora" ]]; then + elif [[ "$OS" == "fedora" ]]; then dnf install -y unbound # Configuration @@ -131,7 +131,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf - elif [[ "$OS" = "arch" ]]; then + elif [[ "$OS" == "arch" ]]; then pacman -Syu --noconfirm unbound # Get root servers list @@ -309,7 +309,7 @@ function installQuestions () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE done - if [[ $CONTINUE = "n" ]];then + if [[ $CONTINUE == "n" ]];then # Break the loop and cleanup unset DNS unset CONTINUE @@ -606,7 +606,7 @@ function installOpenVPN () { # Get the "public" interface from the default route NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) - if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" = 'y' ]]; then + if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') fi 
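Review bot: The rewritten line in the -309 hunk, `if [[ $CONTINUE == "n" ]];then`, is the one conditional in this commit that leaves the variable unquoted and has no space after the `;`, while every other arm touched here is written `if [[ "$CONTINUE" == "n" ]]; then`. As the commit is already editing exactly this line, it is the natural place to normalise it to `if [[ "$CONTINUE" == "n" ]]; then`. The enclosing loop in installQuestions begins and ends outside the hunk.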
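Review bot: The new line in the -606 hunk, `if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then`, chains two separate `[[ ]]` tests, whereas the -873 hunk in the same commit combines several comparisons inside one `[[ ... || ... ]]`. For consistency within the commit, `if [[ -z "$NIC" && "$IPV6_SUPPORT" == 'y' ]]; then` reads the same and keeps one style. installOpenVPN continues on both sides of the hunk.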
@@ -618,7 +618,7 @@ function installOpenVPN () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE done - if [[ "$CONTINUE" = "n" ]]; then + if [[ "$CONTINUE" == "n" ]]; then exit 1 fi fi @@ -627,27 +627,27 @@ function installOpenVPN () { apt-get update apt-get -y install ca-certificates gnupg # We add the OpenVPN repo to get the latest version. - if [[ "$VERSION_ID" = "8" ]]; then + if [[ "$VERSION_ID" == "8" ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi - if [[ "$VERSION_ID" = "16.04" ]]; then + if [[ "$VERSION_ID" == "16.04" ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. apt-get install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'centos' ]]; then + elif [[ "$OS" == 'centos' ]]; then yum install -y epel-release yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' - elif [[ "$OS" = 'amzn' ]]; then + elif [[ "$OS" == 'amzn' ]]; then amazon-linux-extras install -y epel yum install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'fedora' ]]; then + elif [[ "$OS" == 'fedora' ]]; then dnf install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'arch' ]]; then + elif [[ "$OS" == 'arch' ]]; then # Install required dependencies and upgrade the system pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl fi 
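Review bot: Both branches rewritten in the -627 hunk (`VERSION_ID == "8"` and `== "16.04"`) still feed the downloaded repository key straight into `apt-key add -` without comparing its fingerprint to a pinned value, so a wrong or substituted key file would be trusted system-wide for every apt source. A safer shape is to save the key, check its fingerprint against a constant kept in the script (`EXPECTED_FPR=<pinned fingerprint placeholder>`), and only then install it into `/etc/apt/trusted.gpg.d/` via `gpg --dearmor -o /etc/apt/trusted.gpg.d/openvpn.gpg` rather than `apt-key`, which is deprecated on current Debian/Ubuntu. This applies to both `wget -O - ... | apt-key add -` lines in the hunk. The `if [[ "$OS" =~ (debian|ubuntu) ]]` that opens this block starts before the hunk.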
@@ -727,9 +727,9 @@ function installOpenVPN () { # Generate server.conf echo "port $PORT" > /etc/openvpn/server.conf - if [[ "$IPV6_SUPPORT" = 'n' ]]; then + if [[ "$IPV6_SUPPORT" == 'n' ]]; then echo "proto $PROTOCOL" >> /etc/openvpn/server.conf - elif [[ "$IPV6_SUPPORT" = 'y' ]]; then + elif [[ "$IPV6_SUPPORT" == 'y' ]]; then echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf fi @@ -811,7 +811,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf # IPv6 network settings if needed - if [[ "$IPV6_SUPPORT" = 'y' ]]; then + if [[ "$IPV6_SUPPORT" == 'y' ]]; then echo 'server-ipv6 fd42:42:42:42::/112 tun-ipv6 push tun-ipv6 @@ -857,7 +857,7 @@ verb 3" >> /etc/openvpn/server.conf # Enable routing echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf - if [[ "$IPV6_SUPPORT" = 'y' ]]; then + if [[ "$IPV6_SUPPORT" == 'y' ]]; then echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf fi # Apply sysctl rules @@ -873,7 +873,7 @@ verb 3" >> /etc/openvpn/server.conf fi # Finally, restart and enable OpenVPN - if [[ "$OS" = 'arch' || "$OS" = 'fedora' || "$OS" = 'centos' ]]; then + if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then # Don't modify package-provided service cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service @@ -923,7 +923,7 @@ iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh - if [[ "$IPV6_SUPPORT" = 'y' ]]; then + if [[ "$IPV6_SUPPORT" == 'y' ]]; then echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -I INPUT 1 -i tun0 -j ACCEPT ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT 
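Review bot: The rewritten condition in the -873 hunk, `if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then`, spells out three exact comparisons where the rest of the script (for example the removeUnbound arms later in this same commit) collapses OS lists with `=~`. If the regex form is preferred for consistency it should be anchored, `if [[ "$OS" =~ ^(arch|fedora|centos)$ ]]; then`, so it keeps the exact-match semantics the `==` chain has now. The function body continues on both sides of the hunk.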
@@ -938,7 +938,7 @@ iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh - if [[ "$IPV6_SUPPORT" = 'y' ]]; then + if [[ "$IPV6_SUPPORT" == 'y' ]]; then echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT @@ -975,10 +975,10 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service # client-template.txt is created so we have a template to add further users later echo "client" > /etc/openvpn/client-template.txt - if [[ "$PROTOCOL" = 'udp' ]]; then + if [[ "$PROTOCOL" == 'udp' ]]; then echo "proto udp" >> /etc/openvpn/client-template.txt echo "explicit-exit-notify" >> /etc/openvpn/client-template.txt - elif [[ "$PROTOCOL" = 'tcp' ]]; then + elif [[ "$PROTOCOL" == 'tcp' ]]; then echo "proto tcp-client" >> /etc/openvpn/client-template.txt fi echo "remote $IP $PORT @@ -1092,7 +1092,7 @@ function newClient () { function revokeClient () { NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") - if [[ "$NUMBEROFCLIENTS" = '0' ]]; then + if [[ "$NUMBEROFCLIENTS" == '0' ]]; then echo "" echo "You have no existing clients!" exit 1 @@ -1101,7 +1101,7 @@ function revokeClient () { echo "" echo "Select the existing client certificate you want to revoke" tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' - if [[ "$NUMBEROFCLIENTS" = '1' ]]; then + if [[ "$NUMBEROFCLIENTS" == '1' ]]; then read -rp "Select one client [1]: " CLIENTNUMBER else read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER 
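Review bot: In the -1092 hunk `if [[ "$NUMBEROFCLIENTS" == '0' ]]; then` (and `== '1'` in the -1101 hunk) compares a count produced by `grep -c` as a string; that is correct only because `grep -c` prints a bare integer, and an arithmetic test states the intent directly: `if (( NUMBEROFCLIENTS == 0 )); then` and `if (( NUMBEROFCLIENTS == 1 )); then`. The value read into `CLIENTNUMBER` by the two `read -rp` lines is not validated within the hunk; that check, if any, lives outside the visible lines of revokeClient.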
@@ -1137,17 +1137,17 @@ function removeUnbound () { read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND done - if [[ "$REMOVE_UNBOUND" = 'y' ]]; then + if [[ "$REMOVE_UNBOUND" == 'y' ]]; then # Stop Unbound systemctl stop unbound if [[ "$OS" =~ (debian|ubuntu) ]]; then apt-get autoremove --purge -y unbound - elif [[ "$OS" = 'arch' ]]; then + elif [[ "$OS" == 'arch' ]]; then pacman --noconfirm -R unbound elif [[ "$OS" =~ (centos|amzn) ]]; then yum remove -y unbound - elif [[ "$OS" = 'fedora' ]]; then + elif [[ "$OS" == 'fedora' ]]; then dnf remove -y unbound fi @@ -1166,7 +1166,7 @@ function removeOpenVPN () { echo "" # shellcheck disable=SC2034 read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE - if [[ "$REMOVE" = 'y' ]]; then + if [[ "$REMOVE" == 'y' ]]; then # Get OpenVPN port from the configuration PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) @@ -1210,11 +1210,11 @@ function removeOpenVPN () { rm /etc/apt/sources.list.d/openvpn.list apt-get update fi - elif [[ "$OS" = 'arch' ]]; then + elif [[ "$OS" == 'arch' ]]; then pacman --noconfirm -R openvpn elif [[ "$OS" =~ (centos|amzn) ]]; then yum remove -y openvpn - elif [[ "$OS" = 'fedora' ]]; then + elif [[ "$OS" == 'fedora' ]]; then dnf remove -y openvpn fi
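Review bot: The `==` arms rewritten in the -1137 hunk (`'arch'`, `'fedora'`) are exact matches, while the sibling arms of the same chain, `[[ "$OS" =~ (debian|ubuntu) ]]` and `[[ "$OS" =~ (centos|amzn) ]]`, are unanchored regexes and therefore substring matches; the same mix recurs in the -1210 hunk of removeOpenVPN. Given `OS` appears to be assigned only from literal names in checkOS this is presumably harmless today, but anchoring them, `[[ "$OS" =~ ^(debian|ubuntu)$ ]]` and `[[ "$OS" =~ ^(centos|amzn)$ ]]`, makes every arm of the chain behave the same way. removeUnbound starts before the hunk and the -1210 hunk's closing context may extend past the end of the page.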