mirror of
https://github.com/angristan/openvpn-install.git
synced 2025-12-16 08:57:03 +01:00
179cbc0c25e296a044b5bb12b44d03d83baf40a8
10 Commits
**179cbc0c25** fix: increase DNS test retries and use seq for loop (#1370)

- Increase DNS retry count from 5 to 10 for improved test reliability when Unbound needs more time to initialize
- Refactor retry loop to use `seq` with a `DNS_MAX_RETRIES` to be cleaner

**44c995df8e** feat: migrate to OpenVPN 2.4+ directory structure and improve distro compatibility (#1364)

## Summary

Migrates OpenVPN configuration to use the modern OpenVPN 2.4+ directory structure and improves compatibility across different Linux distributions.

Close https://github.com/angristan/openvpn-install/issues/1307, close https://github.com/angristan/openvpn-install/issues/788, close https://github.com/angristan/openvpn-install/issues/605, close https://github.com/angristan/openvpn-install/pull/653, close https://github.com/angristan/openvpn-install/issues/1214

### Directory Structure Changes

- All server files now in `/etc/openvpn/server/` instead of `/etc/openvpn/`
- Uses `openvpn-server@server.service` consistently across all distros
- `server.conf` uses relative paths for portability

### Distro-Specific User/Group Handling

Different distros configure OpenVPN differently:

| Distro | User | Group | systemd handles user? |
|--------|------|-------|----------------------|
| Debian/Ubuntu | nobody | nogroup | No |
| Fedora/RHEL/Amazon | openvpn | openvpn | No |
| Arch | openvpn | network | **Yes** (via `User=` in service) |

The script now:

1. Detects if an `openvpn` user exists and uses appropriate group
2. Checks if systemd service already has `User=` directive
3. Skips `user`/`group` in config when systemd handles it (avoids "double privilege drop" error on Arch)
4. Sets file ownership with `chown -R` for non-root OpenVPN users

### Other Changes

- Updated FAQ.md with new paths
- Added systemd service file validation in tests
- Added CRL reload verification in tests

**bbf93a19d5** Add openSUSE Tumbleweed/Leap support (#1166)

Co-authored-by: Stanislas Lange <git@slange.me>

**0d4d2229f4** test: add e2e tests for certificate revocation (#1345)

## Summary

- Add end-to-end tests for certificate revocation functionality
- Test that a revoked client certificate cannot connect to the VPN
- Test that a new certificate can be created with the same name as a revoked one (validating the fix from #1185)
- Test that the new certificate can successfully connect

## Test Flow

1. **Initial connectivity tests** - existing tests pass
2. **Certificate revocation test**:
   - Create a new client `revoketest`
   - Connect with the certificate (verifies it works)
   - Disconnect the client
   - Revoke the certificate via the install script
   - Try to reconnect with revoked cert (verifies connection is rejected)
3. **Reuse revoked name test**:
   - Create a new certificate with the same name `revoketest`
   - Verify both revoked and valid entries exist in `index.txt`
   - Connect with the new certificate (verifies it works)

## Changes

| File | Changes |
|------|---------|
| `test/server-entrypoint.sh` | Start OpenVPN in background, add revocation test orchestration |
| `test/client-entrypoint.sh` | Add revocation test phases with signal file coordination |
| `docker-compose.yml` | Remove read-only restriction on shared volume for client |
| `Makefile` | Increase timeout from 60 to 180 iterations |
| `.github/workflows/docker-test.yml` | Increase timeouts, fix shared volume |

**2374e4e81c** Refactor Unbound setup and add E2E tests (#1340)

Refactor Unbound DNS installation to use modern `conf.d` pattern and add E2E testing.

**Changes:**
- Unified Unbound config across all distros using `/etc/unbound/unbound.conf.d/openvpn.conf`
- Added startup validation with retry logic
- Added `ip-freebind` to allow binding before tun interface exists
- E2E tests now verify Unbound DNS resolution from VPN clients

**Testing:**
- Server: verifies config creation, interface binding, security options
- Client: verifies DNS resolution through Unbound (10.8.0.1)

---

Closes https://github.com/angristan/openvpn-install/issues/602
Closes https://github.com/angristan/openvpn-install/pull/604
Closes https://github.com/angristan/openvpn-install/issues/1189

Co-authored-by: Henry N <henrynmail-github@yahoo.de>

**1aae852c60** chore(deps): update super-linter/super-linter action to v8 (#1339)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [super-linter/super-linter](https://redirect.github.com/super-linter/super-linter) | action | major | `v7` -> `v8` |

---

### Release Notes

<details>
<summary>super-linter/super-linter (super-linter/super-linter)</summary>

### [`v8`](https://redirect.github.com/super-linter/super-linter/blob/HEAD/CHANGELOG.md#680-2024-07-31)

[Compare Source](https://redirect.github.com/super-linter/super-linter/compare/v7...v8)

##### 🚀 Features

- allow using both prettier and standardjs ([#​5679](https://redirect.github.com/super-linter/super-linter/issues/5679)) ([2daf461](

**ffcffac061** refactor: improve certificate duration variable naming (#1329)

## Summary

- Rename constants to `DEFAULT_CERT_VALIDITY_DURATION_DAYS` and `DEFAULT_CRL_VALIDITY_DURATION_DAYS` for clarity
- Replace all hardcoded `3650` values with the constants
- Split `DAYS_VALID` into `CLIENT_CERT_DURATION_DAYS` and `SERVER_CERT_DURATION_DAYS` for more granular control over client vs server certificate validity
- Increase CRL validity to 15 years (5475 days) to provide a 5-year safety buffer over the default 10-year certificate validity
- Update README with new headless install variables

## Breaking changes

- `DAYS_VALID` environment variable is replaced by `CLIENT_CERT_DURATION_DAYS` and `SERVER_CERT_DURATION_DAYS`

**6b09270347** feat: add certificate renewal functionality (#1328)

## Summary
- Add certificate renewal for both client and server certificates
- Allow custom validity period during renewal (prompts user, defaults to
3650 days)
- Show expiry info inline in menus (e.g., "Renew the server certificate
(expires in 3542 days)")
- Regenerate `.ovpn` files after client renewal
- Restart OpenVPN service after server renewal
- Extract reusable helper functions to reduce code duplication
- Add robust input validation and error handling
## New menu option
```
What do you want to do?
1) Add a new user
2) Revoke existing user
3) Renew certificate ← NEW
4) Remove OpenVPN
5) Exit
```
## Renewal submenu
```
What do you want to renew?
1) Renew a client certificate
2) Renew the server certificate (expires in 3542 days)
3) Back to main menu
```
Client list shows expiry for each:
```
Select the existing client certificate you want to renew
1) alice (expires in 3542 days)
2) bob (expires in 30 days)
3) charlie (EXPIRED 5 days ago)
```
## Helper functions added
Extracted common code into reusable functions:
- `getHomeDir()` - home directory detection
- `regenerateCRL()` - CRL regeneration after cert changes
- `generateClientConfig()` - .ovpn file generation
- `selectClient()` - client listing with optional expiry display
- `getDaysUntilExpiry()` - certificate expiry calculation
- `formatExpiry()` - human-readable expiry formatting
## Test plan
- [x] Client certificate renewal tested in Docker CI
- [x] Server certificate renewal tested in Docker CI
- [x] Certificate validity verified after renewal (~3650 days)
- [x] VPN connectivity tested with renewed certificate
Closes #974 #1002 #1228 #1060
**004fbb477a** Add structured logging system with color-coded output and file logging (#1321)

## Summary

- Add comprehensive logging system with color-coded log levels ([INFO], [WARN], [ERROR], [OK])
- Wrap all command executions with `run_cmd()` to capture output and prevent leaks to stdout
- Add file logging with timestamps (default: `openvpn-install.log`)
- Suppress interactive prompts in auto-install mode for cleaner CI/scripted usage
- Show log file location hint on errors for easier debugging

## Changes

- **openvpn-install.sh**: New logging functions (`log_info`, `log_warn`, `log_error`, `log_fatal`, `log_success`, `log_prompt`, `log_header`, `log_menu`, `run_cmd`), all `echo` statements converted to use logging functions
- **test/validate-output.sh**: New E2E validator that ensures all script output uses proper log formatting (catches raw echo leaks)
- **test/server-entrypoint.sh**: Integrates output validation into Docker tests
- **test/Dockerfile.server**: Copies validation script into container

## Configuration

- `VERBOSE=1` - Show command output in terminal
- `LOG_FILE=path` - Customize log location (default: `openvpn-install.log`)
- `LOG_FILE=""` - Disable file logging
- `FORCE_COLOR=1` - Force colored output in non-TTY environments

**a3389c126c** Add Docker-based E2E testing (#1320)

### Summary

- Add automated end-to-end testing using Docker to verify the installation script works across 18 Linux distributions
- Add Oracle Linux 9 support to the installation script
- Drop support for EOL distributions (Debian 8/9/10, CentOS 7, Ubuntu 16.04)
- Disable Digital Ocean droplets based end-to-end tests, let's use docker from now on

### Changes

**New test infrastructure:**
- `test/Dockerfile.server` - Multi-OS server image with `BASE_IMAGE` build arg
- `test/Dockerfile.client` - Ubuntu 24.04 client for connectivity testing
- `test/server-entrypoint.sh` - Runs install script, verifies files exist, asserts iptables NAT rules, starts OpenVPN
- `test/client-entrypoint.sh` - Connects to VPN, verifies tun0 interface, pings gateway
- `docker-compose.yml` - Orchestrates server + client with shared volume
- `.github/workflows/docker-test.yml` - CI matrix testing 18 OS variants
- `.github/workflows/test.yml` - Removed push/PR triggers, now manual only for DO tests
- `Makefile` - Local testing commands (`make test`, `make test-ubuntu-24.04`, etc.)

**Distributions tested (18 total):**

| Family | Versions |
|--------|----------|
| Ubuntu | 18.04, 20.04, 22.04, 24.04 |
| Debian | 11, 12 |
| Fedora | 40, 41 |
| Rocky Linux | 8, 9 |
| AlmaLinux | 8, 9 |
| Oracle Linux | 8, 9 |
| Amazon Linux | 2, 2023 |
| CentOS Stream | 9 |
| Arch Linux | latest |