renovate[bot]
1aae852c60
chore(deps): update super-linter/super-linter action to v8 ( #1339 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[super-linter/super-linter](https://redirect.github.com/super-linter/super-linter )
| action | major | `v7` -> `v8` |
---
### Release Notes
<details>
<summary>super-linter/super-linter (super-linter/super-linter)</summary>
###
[`v8`](https://redirect.github.com/super-linter/super-linter/blob/HEAD/CHANGELOG.md#680-2024-07-31 )
[Compare
Source](https://redirect.github.com/super-linter/super-linter/compare/v7...v8 )
##### 🚀 Features
- allow using both prettier and standardjs
([#​5679](https://redirect.github.com/super-linter/super-linter/issues/5679 ))
([2daf461](2daf461143https://redirect.github.com/super-linter/super-linter/issues/5940 ))
([20c4df5](20c4df58c0https://redirect.github.com/super-linter/super-linter/issues/5868 ))
([c770a8d](c770a8d253https://redirect.github.com/super-linter/super-linter/issues/5809 ))
([5be4926](5be4926633https://redirect.github.com/super-linter/super-linter/issues/5688 )
- write github actions step summary
([#​5867](https://redirect.github.com/super-linter/super-linter/issues/5867 ))
([57c8658](57c86588c3https://redirect.github.com/super-linter/super-linter/issues/5650 )
##### 🐛 Bugfixes
- avoid duplicated content in summary
([#​5939](https://redirect.github.com/super-linter/super-linter/issues/5939 ))
([ef57e13](ef57e132e1https://redirect.github.com/super-linter/super-linter/issues/5899 ))
([78ed3ef](78ed3ef5fchttps://redirect.github.com/super-linter/super-linter/issues/5927 ))
([eec862d](eec862d0eahttps://redirect.github.com/super-linter/super-linter/issues/5870 ))
([6bd7659](6bd76596f3⬆️ Dependency updates
- **bundler:** bump rubocop-minitest in /dependencies
([#​5875](https://redirect.github.com/super-linter/super-linter/issues/5875 ))
([9751e62](9751e62beehttps://redirect.github.com/super-linter/super-linter/issues/5777 ))
([763dcc4](763dcc4d45https://redirect.github.com/super-linter/super-linter/issues/5878 ))
([592d903](592d903c50https://redirect.github.com/super-linter/super-linter/issues/5872 ))
([587fe0a](587fe0a8b9https://redirect.github.com/super-linter/super-linter/issues/5754 ))
([6bb3f78](6bb3f789bbhttps://redirect.github.com/super-linter/super-linter/issues/5882 ))
([b5bf9f2](b5bf9f297dhttps://redirect.github.com/super-linter/super-linter/issues/5883 ))
([95feeac](95feeacb0ahttps://redirect.github.com/super-linter/super-linter/issues/5764 ))
([b75f1cf](b75f1cfcefhttps://redirect.github.com/super-linter/super-linter/issues/5873 ))
([f068663](f06866359bhttps://redirect.github.com/super-linter/super-linter/issues/5748 ))
([81ab76d](81ab76d001https://redirect.github.com/super-linter/super-linter/issues/5881 ))
([d84d439](d84d439393https://redirect.github.com/super-linter/super-linter/issues/5885 ))
([d384e67](d384e674c7https://redirect.github.com/super-linter/super-linter/issues/5856 ))
([81196f4](81196f4267https://redirect.github.com/super-linter/super-linter/issues/5884 ))
([8a044b5](8a044b58dehttps://redirect.github.com/super-linter/super-linter/issues/5765 ))
([4931da5](4931da55dahttps://redirect.github.com/super-linter/super-linter/issues/5858 ))
([ae1dba5](ae1dba53fdhttps://redirect.github.com/super-linter/super-linter/issues/5857 ))
([913bd0d](913bd0dd47https://redirect.github.com/super-linter/super-linter/issues/5768 ))
([33bb4b4](33bb4b46d4https://redirect.github.com/super-linter/super-linter/issues/5861 ))
([ed72e66](ed72e66416https://redirect.github.com/super-linter/super-linter/issues/5860 ))
([dd4313c](dd4313c9b3https://redirect.github.com/super-linter/super-linter/issues/5770 ))
([27170b8](27170b8e92https://redirect.github.com/super-linter/super-linter/issues/5849 ))
([19c5fce](19c5fcea2ehttps://redirect.github.com/babel/eslint-parser )
in /dependencies
([#​5886](https://redirect.github.com/super-linter/super-linter/issues/5886 ))
([387a2b5](387a2b5626https://redirect.github.com/babel/preset-react )
in /dependencies
([#​5740](https://redirect.github.com/super-linter/super-linter/issues/5740 ))
([4eeb628](4eeb62862ehttps://redirect.github.com/babel/preset-typescript )
in /dependencies
([#​5734](https://redirect.github.com/super-linter/super-linter/issues/5734 ))
([de4b193](de4b193006https://redirect.github.com/react-native/eslint-config )
in /dependencies
([#​5835](https://redirect.github.com/super-linter/super-linter/issues/5835 ))
([28c228d](28c228dfc0https://redirect.github.com/typescript-eslint/eslint-plugin )
in /dependencies
([#​5895](https://redirect.github.com/super-linter/super-linter/issues/5895 ))
([7f5b018](7f5b018fb7https://redirect.github.com/super-linter/super-linter/issues/5738 ))
([1312398](1312398b9chttps://redirect.github.com/super-linter/super-linter/issues/5797 ))
([8972772](8972772732https://redirect.github.com/super-linter/super-linter/issues/5890 ))
([fe3e1f8](fe3e1f83b7https://redirect.github.com/super-linter/super-linter/issues/5851 ))
([c2e85a9](c2e85a9f03https://redirect.github.com/super-linter/super-linter/issues/5852 ))
([042c6b1](042c6b1917https://redirect.github.com/super-linter/super-linter/issues/5887 ))
([22b7ba9](22b7ba91d0https://redirect.github.com/super-linter/super-linter/issues/5891 ))
([b601212](b6012126dfhttps://redirect.github.com/super-linter/super-linter/issues/5897 ))
([ef71e94](ef71e944abhttps://redirect.github.com/super-linter/super-linter/issues/5896 ))
([09a01eb](09a01ebbe6https://redirect.github.com/super-linter/super-linter/issues/5853 ))
([55b065d](55b065d3c2https://redirect.github.com/super-linter/super-linter/issues/5832 ))
([8605c2b](8605c2b584https://redirect.github.com/super-linter/super-linter/issues/5877 ))
([e90ee32](e90ee328a2https://redirect.github.com/super-linter/super-linter/issues/5876 ))
([ebf8cc8](ebf8cc807ahttps://redirect.github.com/super-linter/super-linter/issues/5879 ))
([47392ad](47392ad663https://redirect.github.com/super-linter/super-linter/issues/5780 ))
([f019ee3](f019ee34d2https://redirect.github.com/super-linter/super-linter/issues/5880 ))
([3fd69a1](3fd69a107bhttps://redirect.github.com/super-linter/super-linter/issues/5874 ))
([2b6aa12](2b6aa12906https://redirect.github.com/super-linter/super-linter/issues/5847 ))
([31da61e](31da61e189🧰 Maintenance
- add super-linter configuration in the bug template
([#​5910](https://redirect.github.com/super-linter/super-linter/issues/5910 ))
([26ddd8b](26ddd8b084https://redirect.github.com/super-linter/super-linter/issues/5894 ))
([cc20e45](cc20e4561ehttps://redirect.github.com/super-linter/super-linter/issues/5863 ))
([d9d1909](d9d19095echttps://redirect.github.com/super-linter/super-linter/issues/5871 ))
([12da497](12da4973c6https://redirect.github.com/super-linter/super-linter/issues/5862 ))
([fc094cc](fc094cc1a4https://redirect.github.com/super-linter/super-linter/issues/5869 ))
([bcf8ca8](bcf8ca82adhttps://redirect.github.com/super-linter/super-linter/issues/5928 ))
([70e0239](70e0239117https://redirect.github.com/super-linter/super-linter/issues/5864 ))
([ce59f5c](ce59f5c323https://redirect.github.com/super-linter/super-linter/issues/5892 ))
([d2d7334](d2d73347d3https://redirect.github.com/super-linter/super-linter/issues/5898 ))
([e374e48](e374e48933https://redirect.github.com/super-linter/super-linter/issues/5901 ))
([2ecf945](2ecf945339📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/angristan/openvpn-install ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi40Mi4yIiwidXBkYXRlZEluVmVyIjoiNDIuNDIuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Stanislas Lange <git@slange.me >
2025-12-11 11:12:00 +01:00
renovate[bot]
9162924468
chore(deps): update actions/checkout action to v6 ( #1338 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout ) |
action | major | `v4` -> `v6` |
---
### Release Notes
<details>
<summary>actions/checkout (actions/checkout)</summary>
### [`v6`](https://redirect.github.com/actions/checkout/compare/v5...v6 )
[Compare
Source](https://redirect.github.com/actions/checkout/compare/v5...v6 )
### [`v5`](https://redirect.github.com/actions/checkout/compare/v4...v5 )
[Compare
Source](https://redirect.github.com/actions/checkout/compare/v4...v5 )
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/angristan/openvpn-install ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi40Mi4yIiwidXBkYXRlZEluVmVyIjoiNDIuNDIuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-11 10:29:01 +01:00
Stanislas
2ecd4bd6e4
feat: add Data Channel Offload (DCO) availability check ( #1331 )
...
- Add detection and logging for OpenVPN Data Channel Offload (DCO)
support during installation
- DCO is a kernel acceleration feature (merged into Linux 6.16) that
improves VPN performance
- Add DCO documentation to README
2025-12-10 18:53:45 +01:00
renovate[bot]
3e46cfb3bd
chore(deps): update dependency openvpn/easy-rsa to v3.2.4 ( #1335 )
...
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [OpenVPN/easy-rsa](https://redirect.github.com/OpenVPN/easy-rsa ) |
patch | `3.2.3` -> `3.2.4` |
---
### Release Notes
<details>
<summary>OpenVPN/easy-rsa (OpenVPN/easy-rsa)</summary>
###
[`v3.2.4`](https://redirect.github.com/OpenVPN/easy-rsa/releases/tag/v3.2.4 ):
3.2.4
[Compare
Source](https://redirect.github.com/OpenVPN/easy-rsa/compare/v3.2.3...v3.2.4 )
#### What's Changed
- export-p12: Move inline file to 'inline/private' folder by
[@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1356](https://redirect.github.com/OpenVPN/easy-rsa/pull/1356 )
- Restructure help by
[@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1363](https://redirect.github.com/OpenVPN/easy-rsa/pull/1363 )
- New global option: `--no-lockfile` = env-var: `$EASYRSA_NO_LOCKFILE`
by [@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1364](https://redirect.github.com/OpenVPN/easy-rsa/pull/1364 )
- Restructure `verify_working_env()` by
[@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1367](https://redirect.github.com/OpenVPN/easy-rsa/pull/1367 )
- Improve verbose by
[@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1368](https://redirect.github.com/OpenVPN/easy-rsa/pull/1368 )
- Windows easyrsa-shell-init.sh: Replace 'read -p' by
[@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1371](https://redirect.github.com/OpenVPN/easy-rsa/pull/1371 )
- mutual\_exclusions(): Include basic checks for --startdate/--enddate
by [@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1372](https://redirect.github.com/OpenVPN/easy-rsa/pull/1372 )
- easyrsa-shell-init.sh: Allow Easy-RSA to use '\User$HOME' directory by
[@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1374](https://redirect.github.com/OpenVPN/easy-rsa/pull/1374 )
- Remove 'easyrsa\_mkdir()', use only 'mkdir' by
[@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1376](https://redirect.github.com/OpenVPN/easy-rsa/pull/1376 )
- revoke: Archive request and private key files and expand help by
[@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1378](https://redirect.github.com/OpenVPN/easy-rsa/pull/1378 )
- set\_no\_clobber(): Add simple error detection by
[@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1379](https://redirect.github.com/OpenVPN/easy-rsa/pull/1379 )
- random: Use verify\_working\_env() to configure EASYRSA\_OPENSSL by
[@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1381](https://redirect.github.com/OpenVPN/easy-rsa/pull/1381 )
- self\_sign(): Force use of Easy-RSA X509-type file 'selfsign' by
[@​TinCanTech](https://redirect.github.com/TinCanTech ) in
[#​1383](https://redirect.github.com/OpenVPN/easy-rsa/pull/1383 )
**Full Changelog**:
<https://github.com/OpenVPN/easy-rsa/compare/v3.2.3...v3.2.4 >
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/angristan/openvpn-install ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi40Mi4yIiwidXBkYXRlZEluVmVyIjoiNDIuNDIuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-12-10 18:39:39 +01:00
Stanislas Lange
5d9687f8b0
style: format renovate.json with prettier
2025-12-10 18:32:03 +01:00
Stanislas
ba1d0419a8
fix: use PAT to trigger CI after hash update ( #1337 )
...
- Commits made with `GITHUB_TOKEN` don't trigger workflows
- Using a PAT allows the hash update commit to trigger CI checks
- Fixes the issue where PR #1335 didn't have CI triggered after the hash
update
2025-12-10 18:23:58 +01:00
Stanislas Lange
a6154c2653
Disable renovate check for disabled workflow
2025-12-10 18:14:57 +01:00
Stanislas Lange
2f24d2aec7
Remove Dependabot configuration
2025-12-10 18:14:01 +01:00
Stanislas
a4c51f9bf9
ci: add Renovate for Easy-RSA version updates ( #1333 )
...
## Summary
- Add Renovate configuration to automatically track Easy-RSA releases
- Add GitHub Action to auto-update SHA256 hash on Renovate PRs
## How it works
1. **Renovate** detects a new Easy-RSA release → creates PR updating
`EASYRSA_VERSION`
2. **GitHub Action** triggers on the PR → downloads tarball → computes
SHA256 → commits fix
3. PR is ready to merge with both version and hash updated
---
I intentionally updated to the second-to-last version in
bda450948a
2025-12-10 18:08:54 +01:00
Stanislas
b9a1650027
feat: drop Amazon Linux 2 support ( #1332 )
...
## Summary
- Remove Amazon Linux 2 support from the installer
- Amazon Linux 2023 remains fully supported
## Motivation
Amazon Linux 2 is reaching EOL.
Additionally, Amazon Linux 2 ships with **OpenSSL 1.0.2k** (from 2017)
which is incompatible with Easy-RSA 3.2.x. The newer Easy-RSA versions
use `openssl x509 -ext` which doesn't exist in OpenSSL 1.0.x, causing
certificate generation to fail.
This blocks our ability to upgrade Easy-RSA:
bda450948a
2025-12-10 17:54:00 +01:00
Stanislas Lange
bda450948a
feat: update EasyRSA version and revoke command
2025-12-10 16:58:35 +01:00
Stanislas
c0fcf91972
feat: add ChaCha20-Poly1305 cipher support ( #1330 )
...
## Summary
- Add `CHACHA20-POLY1305` as a data channel cipher option
- Add `ECDHE-*-CHACHA20-POLY1305` control channel cipher options
- Add version check (requires OpenVPN 2.5+)
- Update README documentation
ChaCha20-Poly1305 is particularly useful on devices without hardware AES
acceleration (AES-NI), such as ARM-based devices (Raspberry Pi, etc.)
and older CPUs, where it can provide better performance than AES.
Closes #1244 Closes #190
2025-12-10 00:11:25 +01:00
Stanislas
ffcffac061
refactor: improve certificate duration variable naming ( #1329 )
...
## Summary
- Rename constants to `DEFAULT_CERT_VALIDITY_DURATION_DAYS` and
`DEFAULT_CRL_VALIDITY_DURATION_DAYS` for clarity
- Replace all hardcoded `3650` values with the constants
- Split `DAYS_VALID` into `CLIENT_CERT_DURATION_DAYS` and
`SERVER_CERT_DURATION_DAYS` for more granular control over client vs
server certificate validity
- Increase CRL validity to 15 years (5475 days) to provide a 5-year
safety buffer over the default 10-year certificate validity
- Update README with new headless install variables
## Breaking changes
- `DAYS_VALID` environment variable is replaced by
`CLIENT_CERT_DURATION_DAYS` and `SERVER_CERT_DURATION_DAYS`
2025-12-09 23:33:57 +01:00
Stanislas Lange
f9a544104e
docs: add missing headless variables to README
...
Add MULTI_CLIENT and DAYS_VALID to the documented headless install
variables, matching what the script actually supports.
2025-12-09 21:55:36 +01:00
Stanislas
6b09270347
feat: add certificate renewal functionality ( #1328 )
...
## Summary
- Add certificate renewal for both client and server certificates
- Allow custom validity period during renewal (prompts user, defaults to
3650 days)
- Show expiry info inline in menus (e.g., "Renew the server certificate
(expires in 3542 days)")
- Regenerate `.ovpn` files after client renewal
- Restart OpenVPN service after server renewal
- Extract reusable helper functions to reduce code duplication
- Add robust input validation and error handling
## New menu option
```
What do you want to do?
1) Add a new user
2) Revoke existing user
3) Renew certificate ← NEW
4) Remove OpenVPN
5) Exit
```
## Renewal submenu
```
What do you want to renew?
1) Renew a client certificate
2) Renew the server certificate (expires in 3542 days)
3) Back to main menu
```
Client list shows expiry for each:
```
Select the existing client certificate you want to renew
1) alice (expires in 3542 days)
2) bob (expires in 30 days)
3) charlie (EXPIRED 5 days ago)
```
## Helper functions added
Extracted common code into reusable functions:
- `getHomeDir()` - home directory detection
- `regenerateCRL()` - CRL regeneration after cert changes
- `generateClientConfig()` - .ovpn file generation
- `selectClient()` - client listing with optional expiry display
- `getDaysUntilExpiry()` - certificate expiry calculation
- `formatExpiry()` - human-readable expiry formatting
## Test plan
- [x] Client certificate renewal tested in Docker CI
- [x] Server certificate renewal tested in Docker CI
- [x] Certificate validity verified after renewal (~3650 days)
- [x] VPN connectivity tested with renewed certificate
Closes #974 #1002 #1228 #1060
2025-12-09 21:49:19 +01:00
Stanislas Lange
fb2041d9bb
Improve command logging in run_cmd function
2025-12-09 21:41:08 +01:00
Omid Shojaee
625821dfd0
Allow custom certificate duration when creating clients ( #1250 )
...
For those who need it, the script asks for how many days the new client
should be valid. This defaults to 3650 days. Then it sets the
```EASYRSA_CERT_EXPIRE``` variable accordingly.
This script is meant to be simple which means it is for those who are
not tech-savvy to handle the complex task of installing and configuring
OpenVPN.
However if the user has a large number of clients and all of them are
valid for 10 years, it is very hard to keep track of them. This PR helps
them to set a reasonable validity period, while the default is the same.
---------
Co-authored-by: Stanislas Lange <git@slange.me >
2025-12-09 20:04:29 +01:00
Stanislas
66890fb5d3
ci: prevent duplicate workflow runs ( #1324 )
...
## Summary
- Restrict `push` trigger to `master` branch only (feature branch pushes
won't trigger CI)
- Add concurrency groups to cancel redundant runs when new commits are
pushed
- Works correctly with fork PRs using standard `pull_request` event
2025-12-09 19:47:02 +01:00
Stanislas
8bd0c73f8f
Use official OpenVPN repositories for latest stable versions ( #1323 )
...
## Summary
- Install OpenVPN from official upstream repositories instead of
distribution packages
- Gets the latest stable releases with security fixes and new features
- Properly cleans up repos and GPG keys on uninstall
## Repository sources
| OS | Repository |
|---|---|
| Debian/Ubuntu | `build.openvpn.net/debian/openvpn/stable` |
| CentOS/Oracle/Fedora | Fedora Copr `@OpenVPN/openvpn-release-2.6` |
| Amazon Linux/Arch | Distribution packages (no official repo available)
|
## Changes
- Add `installOpenVPNRepo()` function to configure official repos before
package installation
- Remove duplicate package installations between repo setup and install
functions
- Clean up repos and GPG keys during uninstall
- Standardize `log_success` (`[OK]`) for major milestones only
---
Close https://github.com/angristan/openvpn-install/pull/1294
2025-12-09 19:45:56 +01:00
Stanislas Lange
b23517dbb0
Fix MULTI_CLIENT prompt blocking auto-install mode
...
The duplicate-cn feature added an interactive prompt that wasn't
following the auto-install pattern, causing the script to hang
when running with AUTO_INSTALL=y.
2025-12-09 18:30:57 +01:00
Stanislas Lange
cd0fc55bf7
docs: add duplicate-cn feature to README
2025-12-09 18:15:54 +01:00
Shahzain Ali
9e439b60ad
Add option to allow multiple devices per client profile (duplicate-cn) ( #1278 )
...
Added duplicate-cn for connecting multiple clients using same .ovpn
---------
Co-authored-by: Stanislas Lange <git@slange.me >
2025-12-09 18:12:23 +01:00
Stanislas Lange
8a133b7bed
ci: run Docker e2e tests on pull requests
2025-12-09 18:06:53 +01:00
Stanislas
004fbb477a
Add structured logging system with color-coded output and file logging ( #1321 )
...
## Summary
- Add comprehensive logging system with color-coded log levels ([INFO],
[WARN], [ERROR], [OK])
- Wrap all command executions with `run_cmd()` to capture output and
prevent leaks to stdout
- Add file logging with timestamps (default: `openvpn-install.log`)
- Suppress interactive prompts in auto-install mode for cleaner
CI/scripted usage
- Show log file location hint on errors for easier debugging
## Changes
- **openvpn-install.sh**: New logging functions (`log_info`, `log_warn`,
`log_error`, `log_fatal`, `log_success`, `log_prompt`, `log_header`,
`log_menu`, `run_cmd`), all `echo` statements converted to use logging
functions
- **test/validate-output.sh**: New E2E validator that ensures all script
output uses proper log formatting (catches raw echo leaks)
- **test/server-entrypoint.sh**: Integrates output validation into
Docker tests
- **test/Dockerfile.server**: Copies validation script into container
## Configuration
- `VERBOSE=1` - Show command output in terminal
- `LOG_FILE=path` - Customize log location (default:
`openvpn-install.log`)
- `LOG_FILE=""` - Disable file logging
- `FORCE_COLOR=1` - Force colored output in non-TTY environments
2025-12-09 15:52:37 +01:00
Stanislas Lange
adc4c6d220
Remove cloud provisioning solutions section from README
...
I don't maintain them, so I can't vouch that they work.
Close https://github.com/angristan/openvpn-install/pull/934 as well
2025-12-09 15:02:49 +01:00
Stanislas Lange
0ed153b8ec
Update pull request template to clarify maintenance burden of added features
2025-12-09 14:17:19 +01:00
Stanislas
a3389c126c
Add Docker-based E2E testing ( #1320 )
...
### Summary
- Add automated end-to-end testing using Docker to verify the installation script works across 18 Linux distributions
- Add Oracle Linux 9 support to the installation script
- Drop support for EOL distributions (Debian 8/9/10, CentOS 7, Ubuntu 16.04)
- Disable Digital Ocean droplets based end-to-end tests, let's use docker from now on
### Changes
**New test infrastructure:**
- `test/Dockerfile.server` - Multi-OS server image with `BASE_IMAGE` build arg
- `test/Dockerfile.client` - Ubuntu 24.04 client for connectivity testing
- `test/server-entrypoint.sh` - Runs install script, verifies files exist, asserts iptables NAT rules, starts OpenVPN
- `test/client-entrypoint.sh` - Connects to VPN, verifies tun0 interface, pings gateway
- `docker-compose.yml` - Orchestrates server + client with shared volume
- `.github/workflows/docker-test.yml` - CI matrix testing 18 OS variants
- `.github/workflows/test.yml` - Removed push/PR triggers, now manual only for DO tests
- `Makefile` - Local testing commands (`make test`, `make test-ubuntu-24.04`, etc.)
**Distributions tested (18 total):**
| Family | Versions |
|--------|----------|
| Ubuntu | 18.04, 20.04, 22.04, 24.04 |
| Debian | 11, 12 |
| Fedora | 40, 41 |
| Rocky Linux | 8, 9 |
| AlmaLinux | 8, 9 |
| Oracle Linux | 8, 9 |
| Amazon Linux | 2, 2023 |
| CentOS Stream | 9 |
| Arch Linux | latest |
2025-12-07 12:27:41 +01:00
Stanislas Lange
94c1af2b5d
Remove Fedora 43 OS image from CI workflow
2025-12-04 23:18:15 +01:00
Stanislas Lange
f92582fb2f
Update Fedora OS images in CI workflow to include 42 and 43
2025-12-04 23:15:24 +01:00
Stanislas Lange
469bc2f883
Update OS images in CI workflow to include Debian 13 and remove 11
2025-12-04 23:12:57 +01:00
Stanislas
93284de7df
Fix typo in FAQ
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2025-12-04 23:04:11 +01:00
Stanislas Lange
cc834519ff
Fix path to easy-rsa tarball in checksum verification
2025-12-04 23:04:11 +01:00
Stanislas Lange
39dd034717
Fix textlint terminology: websites -> sites
2025-12-04 23:04:11 +01:00
Stanislas Lange
fafd10687f
Disable MD041 rule for template files with HTML comments
2025-12-04 23:04:11 +01:00
Stanislas Lange
7e9a713657
Fix shfmt formatting for constant comments
2025-12-04 23:04:11 +01:00
Stanislas Lange
6b92f8a61f
Quote shell variables in test.yml to fix shellcheck warnings
2025-12-04 23:04:11 +01:00
Stanislas Lange
62c336022f
Add permissions to test.yml for security best practices
2025-12-04 23:04:11 +01:00
Stanislas Lange
cad43ad99e
Add permissions to lint.yml for security best practices
2025-12-04 23:04:11 +01:00
Stanislas Lange
3a0260e9b8
Make openvpn-install.sh executable
2025-12-04 23:04:11 +01:00
Stanislas Lange
77f28d1595
ci: add fetch-depth: 0 for super-linter v7 compatibility
...
Super-linter v7 requires full git history to find the default branch
for comparison. Without fetch-depth: 0, it fails with 'master branch
doesn't exist' error.
2025-12-04 23:04:11 +01:00
Stanislas Lange
b7557dd77f
refactor: extract magic numbers to named constants
...
Move hardcoded values to readonly constants at the top of the script:
- CERT_VALIDITY_DAYS: certificate expiry (10 years)
- CRL_VALIDITY_DAYS: CRL expiry (10 years)
- EASYRSA_VERSION: easy-rsa version
- EASYRSA_SHA256: easy-rsa checksum
This improves maintainability and makes it easier to update these
values in the future.
2025-12-04 23:04:11 +01:00
Stanislas Lange
7304dbaac8
style: reduce shellcheck disables and fix warnings
...
- Remove unnecessary shellcheck disables (SC2164, SC1072, SC1073, SC1009)
- Add explanatory comments for remaining disables
- Fix SC2181: use direct exit code check instead of $?
- Fix SC2086: quote DH_KEY_SIZE variable
2025-12-04 23:04:11 +01:00
Stanislas Lange
bfcd624592
docs: fix sysctl config path in FAQ (20 -> 99)
...
The script uses /etc/sysctl.d/99-openvpn.conf but the FAQ
incorrectly referenced /etc/sysctl.d/20-openvpn.conf
2025-12-04 23:04:11 +01:00
Stanislas Lange
46a295b538
docs: update security section note for OpenVPN 2.5+
...
Replace the warning about outdated documentation with a note
clarifying that TLS 1.2 is kept as minimum for client compatibility
while acknowledging OpenVPN 2.5+ features.
2025-12-04 23:04:11 +01:00
Stanislas Lange
bf31e0ca64
docs: fix broken workflow link (push.yml -> lint.yml)
...
The workflow file was renamed but the README link was not updated.
2025-12-04 23:04:11 +01:00
Stanislas Lange
7c2c491fab
ci: update appleboy/ssh-action from v0.1.6 to v1.2.0
...
Updates to a more recent stable version with bug fixes and
improvements.
2025-12-04 23:04:11 +01:00
Stanislas Lange
00f3cd1605
ci: update Super Linter from v4.1.0 to v7
...
The super-linter project has been moved to the super-linter org
and significantly updated. v7 includes many improvements and
bug fixes.
2025-12-04 23:04:11 +01:00
Stanislas Lange
d61b16f3b8
ci: replace deprecated set-output with GITHUB_OUTPUT
...
The set-output workflow command was deprecated in favor of
environment files. See:
https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
2025-12-04 23:04:11 +01:00
Stanislas Lange
960be1a658
security: add validation for root.hints download
...
Verify that the downloaded root.hints file is not empty and contains
expected DNS root server content before using it.
2025-12-04 23:04:11 +01:00
Stanislas Lange
94f0967878
security: add SHA256 checksum verification for easy-rsa download
...
Adds integrity verification to prevent supply chain attacks when
downloading easy-rsa from GitHub releases.
2025-12-04 23:04:11 +01:00
