From e7aa52b51f971af775d3f0bd156ceb292394642a Mon Sep 17 00:00:00 2001
From: Stanislas <git@slange.me>
Date: Sat, 13 Dec 2025 10:55:36 +0100
Subject: [PATCH] fix(arch): detect pending kernel upgrades before installation
 (#1372)

On Arch Linux, the script uses `pacman -Syu` which performs a full
system upgrade. If a user's system is out of date and has pending kernel
updates:

1. Script runs `pacman -Syu` to install OpenVPN
2. Kernel gets upgraded along with other packages
3. The TUN module for the **new** kernel isn't loaded (old kernel still
running)
4. OpenVPN fails to start because TUN is unavailable
5. User has to reboot anyway, but now they're confused about why it
broke

So we check preventively now, and ask them to upgrade & reboot before
running the script

<img width="1342" height="488" alt="image"
src="https://github.com/user-attachments/assets/e9646737-eaf4-4035-b247-20e8f2daea60"
/>
---
 openvpn-install.sh | 52 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 16ea068..0321cee 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -233,6 +233,57 @@ function checkOS() {
 	fi
 }
 
+function checkArchPendingKernelUpgrade() {
+	if [[ $OS != "arch" ]]; then
+		return 0
+	fi
+
+	# Check if running kernel's modules are available
+	# (detects if kernel was upgraded but system not rebooted)
+	# Skip this check in containers - they share host kernel but have their own /lib/modules
+	if [[ -f /.dockerenv ]] || grep -qE '(docker|lxc|containerd)' /proc/1/cgroup 2>/dev/null; then
+		log_info "Running in container, skipping kernel modules check"
+	else
+		local running_kernel
+		running_kernel=$(uname -r)
+		if [[ ! -d "/lib/modules/${running_kernel}" ]]; then
+			log_error "Kernel modules for running kernel ($running_kernel) not found!"
+			log_info "This usually means the kernel was upgraded but the system wasn't rebooted."
+			log_fatal "Please reboot your system and run this script again."
+		fi
+	fi
+
+	log_info "Checking for pending kernel upgrades on Arch Linux..."
+
+	# Sync package database to check for updates
+	if ! pacman -Sy &>/dev/null; then
+		log_warn "Failed to sync package database, skipping kernel upgrade check"
+		return 0
+	fi
+
+	# Check for pending linux kernel upgrades
+	local pending_kernels
+	pending_kernels=$(pacman -Qu 2>/dev/null | grep -E '^linux' || true)
+
+	if [[ -n "$pending_kernels" ]]; then
+		log_warn "Linux kernel upgrade(s) pending:"
+		echo "$pending_kernels" | while read -r line; do
+			log_info "  $line"
+		done
+		echo ""
+		log_info "This script uses 'pacman -Syu' which will upgrade your kernel."
+		log_info "After a kernel upgrade, the TUN module won't be available until you reboot."
+		echo ""
+		log_info "Please upgrade your system and reboot first:"
+		log_info "  sudo pacman -Syu"
+		log_info "  sudo reboot"
+		echo ""
+		log_fatal "Aborting. Run this script again after upgrading and rebooting."
+	fi
+
+	log_success "No pending kernel upgrades"
+}
+
 function initialCheck() {
 	log_debug "Checking root privileges..."
 	if ! isRoot; then
@@ -249,6 +300,7 @@ function initialCheck() {
 	log_debug "Detecting operating system..."
 	checkOS
 	log_info "Detected OS: $OS (${PRETTY_NAME:-unknown})"
+	checkArchPendingKernelUpgrade
 }
 
 # Check if OpenVPN version is at least the specified version