jtbr
b3fb14bcb4
enable tls-auth and perfect forwarding secrecy
2016-04-10 18:53:29 +02:00
jtbr
d844154a45
run openvpn unprivileged
2016-04-10 18:36:15 +02:00
jtbr
01003c88f8
fix dns option 3 with single quotes
2016-04-10 18:26:49 +02:00
Florian STOSSE
9aeb5b7c47
Remove old fix
...
This fix was intended to overcome hardcoded buffers values in old OpenVPN revisions (see https://www.lowendtalk.com/discussion/40099/why-openvpn-is-so-slow-cool-story ). This is not needed anymore, as OpenVPN now use OS buffers (see https://community.openvpn.net/openvpn/ticket/461 and https://community.openvpn.net/openvpn/changeset/c72dbb8b470ab7b25fc74e41aed4212db48a9d2f/ ). It should lead to better performances over fast networks.
Signed-off-by: Florian STOSSE <contact@harvester.fr>
2016-03-22 11:47:24 +01:00
Angristan
6b4c00c394
Clarification for NAT
2016-03-21 21:43:34 +01:00
Angristan
21d8f78f4f
Disable compression
2016-03-21 17:43:48 +01:00
Harvester
bf97d67f26
Revert ciphers
...
My bad !
2016-03-21 17:13:36 +01:00
Harvester
787784058a
Disable compression client-side too
2016-03-21 16:18:18 +01:00
Florian Stosse
064c5bfe4a
Typo
...
OpenVPN doesn't really like the way it was written
2016-03-21 13:30:17 +01:00
Florian Stosse
1a73a20240
Also change tls-cipher for clients
2016-03-21 13:26:37 +01:00
Florian Stosse
b15cd6cf81
Add more than one cipogers to tls-cipher
...
Just in case we need to fallback or downgrade
2016-03-21 13:20:35 +01:00
Florian Stosse
8b89b1743c
Disable compression
...
For a hardened OpenVPN configuration, compression should be disabled : https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575
2016-03-21 13:13:57 +01:00
Angristan
faaa48d372
Fix ca-certificates errors
2016-03-19 22:51:00 +01:00
Angristan
1bf105e809
The BIG update
...
Deleted latest and legacy mode
Use OpenVPN 2.3.10 with custom repo
Add a check at start for Debian/Ubuntu
Fast mode with 2048 bits RSA and DH, 128 bits AES, SHA-256 certificate
Slow mode with 4096 bits RSA and DH, 256 bits AES, SHA-384 certificate
AES-256-CBC and SHA512 for HMAC auth
Add OpenNIC as a DNS option + GeoIP API
Delete NTT and Huricane Electric DNS
Other improvements
2016-03-19 17:41:18 +01:00
Angristan
157c27512a
Combine latest and legacy version
2016-03-15 19:11:35 +01:00
Angristan
4fef7869d9
Fix which bug on CentOS 7 minimal
...
7fb12dc5cb
2016-03-14 21:37:14 +01:00
Angristan
1be02be239
TAP is not needed
2016-03-14 21:22:08 +01:00
Angristan
cbc7abc3dd
Clarifies that it supports Scaleway NATed servers
2016-03-14 18:03:02 +01:00
Angristan
48252378ff
Revert changes
2016-03-13 20:47:18 +01:00
Angristan
f49f187de2
Install which
2016-03-13 19:21:58 +01:00
Angristan
e9d6191925
Set FDN as default DNS
2016-03-13 15:13:46 +01:00
Angristan
f22fbc3cf0
No need to cp vars.example
2016-03-10 13:17:07 +01:00
Angristan
9b8ad887c3
New cipher
2016-03-09 22:59:03 +01:00
Angristan
5bc1d8e37a
Add 4096 bits DH
2016-03-09 21:11:13 +01:00
Angristan
85c466e634
Remove 4096 bits DH
2016-03-09 21:10:41 +01:00
Angristan
a7e89ed0dd
Add 4096 bits DH
2016-03-09 21:08:24 +01:00
Angristan
9146fd5523
Reorder DNS Servers
2016-03-08 23:53:30 +01:00
Angristan
1614923b1a
TLS 1.2 only
2016-03-08 23:15:52 +01:00
Angristan
0ac534115a
Use real encryption : AES-256-CBC
2016-03-08 17:40:22 +01:00
Angristan
6463979cc7
Update openvpn-install.sh
2016-03-08 17:12:09 +01:00
Angristan
efdd53c79f
Remove logs and add FDN's DNS servers
2016-02-29 17:47:01 +01:00
Angristan
8d95e922ce
update from source with latest commits
2016-02-27 10:52:51 +01:00
Angristan
c428975b66
Delete logs
2015-12-25 22:17:51 +01:00
angrysnarl
a1b57a1c31
Fixed rm -rf commands for revoking user certs
2015-12-16 00:15:08 +08:00
Nyr
0df84e4541
Fix #105
2015-12-14 22:36:40 +01:00
Nyr
e58addc2c5
Verify server certificate during easy-rsa download
2015-11-24 23:04:56 +01:00
Nyr
d55effb08c
Update to easy-rsa 3.0.1
2015-11-21 15:35:51 +01:00
Nyr
73da43b872
Merge pull request #88 from ValdikSS/buf
...
Do not allow OpenVPN to set (low) buffer sizes
2015-11-15 19:36:15 +01:00
Nyr
51998f0d56
Merge pull request #87 from ValdikSS/euid
...
Use EUID to check root
2015-11-15 19:35:26 +01:00
ValdikSS
0265fc0e06
Use different exit codes on error
2015-11-15 13:37:22 +03:00
ValdikSS
15a39afd11
Do not allow OpenVPN to set (low) buffer sizes
2015-11-15 13:36:20 +03:00
ValdikSS
2574097eb4
Use EUID to check root
2015-11-15 13:34:19 +03:00
Nyr
d32416561b
Grep for DROP as well as REJECT
2015-10-07 19:57:04 +02:00
Nyr
eb8d8257a0
The BIG commit
...
- Upgrade to easy-rsa 3.0.0
- Firewall support: rules are added for both FirewallD and iptables if
needed.
- Creation of our own configuration files for both the server and
clients.
- Using subnet topology instead of the deprecated net30.
- Removed port 53 question during install: user can just choose that
port during setup.
- Removed internal networking option: this is a road warrior installer
after all.
- Bugfix: the default easy-rsa directory was not correctly deleted if
one was already there.
2015-09-12 21:48:08 +02:00
Nyr
b46a0541dd
Replaced Yandex DNS with Google
...
Yandex DNS is not stable enough, Google was previously missing.
2015-08-05 02:17:24 +02:00
Hyacinthe Cartiaux
91e09dedf1
Remove a useless use of wc
2015-08-01 20:27:30 +02:00
Nyr
7d467d9666
Multiple improvements
...
- Better UX for client certificate revocation: a list of the current
client names is shown to the user
- easy-rsa 2.2.2 now used by default: it’s easier for me to maintain a
single version
2015-07-22 08:02:59 +02:00
Nyr
b778c1aed9
Cosmetic bugfix
2015-06-29 09:23:44 +02:00
Nyr
cf48ecd3b0
Bugfixes
...
- Little fix for Debian Jessie
- Better systemd detection
- Fixed revocation on CentOS
2015-04-28 18:35:54 +02:00
Nyr
68b5ff7e99
Revert "Cleaner port 53 setup"
...
This reverts commit fb036d575b
.
2015-03-10 10:44:47 +01:00
Nyr
fb036d575b
Cleaner port 53 setup
2015-02-16 17:33:22 +01:00
Nyr
fad088013c
CentOS support and other improvements
2015-02-11 19:51:19 +01:00
Nyr
a256194ecb
Add feedback during removal abortion
2015-01-25 20:45:07 +01:00
Nyr
98b39e7354
Added a confirmation dialog before removing
2015-01-21 03:03:14 +01:00
Nyr
6d4af520b8
Bugfix for systems with a non-standard rc.local
2014-11-07 00:53:28 +01:00
Nyr
215140b682
Options for custom DNS and intra-VPN connectivity
2014-11-04 21:57:36 +01:00
Nyr
2174037768
Now using in-line certificates
2014-10-23 03:16:09 +02:00
Nyr
091e487472
Cleanup
2014-10-23 00:19:08 +02:00
Nyr
936a8b8ff0
Removed useless cat
2014-09-25 04:00:32 +02:00
Nyr
091ef01a8b
Bug fix + future bulletproofness
...
- Use always double [[]] blocks (bug fix for the test at line 208 under
some circumstances)
- bash shell is now forced
- All variables are now quoted
2014-09-18 23:34:22 +02:00
Nyr
afb30c44da
Now using resolvers from resolv.conf
...
This will help with some ISPs restricting access to third party DNS
servers like it happens with LowEndSpirit and Torqhost.
2014-05-15 18:20:53 +02:00
Nyr
c72a4d2b5e
Bugfix: port redirect wasn't correctly set when a custom port was in place
2014-03-12 21:14:38 +01:00
Nyr
a69dae3021
Check if the script is running on a Debian-based system before starting
...
Fixed some spacing too
2014-03-12 21:06:57 +01:00
Nyr
6d89279940
Bugfix for systems with multiple IPv4 addresses available
2013-12-20 18:50:30 +01:00
Nyr
ee9750a210
Use Easy-RSA 2.2.2 instead of the master branch with Debian Jessie and Ubuntu Saucy
...
This was needed for Debian Jessie, but using always the latest Easy-RSA
was a bad idea.
I will force Easy-RSA 2.2.2 for now and until Jessie becomes stable.
Then we can probably just use the distro packages instead of Github,
but for now this will work.
2013-12-19 22:09:20 +01:00
Nyr
b30130b506
Bugfixes
...
- easy-rsa was downloaded from Github even on systems where it was available by default.
- easy-rsa.tar.gz is now removed when no longer needed.
2013-10-04 19:04:12 +02:00
Nyr
6c22c657f7
Update openvpn-install.sh
2013-08-22 17:00:53 +02:00
Nyr
2533e2e113
Bugfix: routes not being pushed
2013-08-05 00:58:43 +02:00
Nyr
0eda63842c
Remove temporary files when they are no longer needed
2013-08-04 14:22:02 +02:00
Nyr
31040f475a
2048 bit keys by default and Debian Jessie compatibility
2013-08-04 14:11:38 +02:00
Nyr
730691c8a1
Various bugfixes and improvements
...
- Assisted configuration for servers behind a NAT
- Better IP autodetection
- Fix certificate revocation
2013-07-07 21:28:08 +02:00
Nyr
ce8077f048
Bugfix: better IPv4 autodetection on some IPv6 enabled servers
2013-05-14 22:05:53 +02:00
Nyr
4f631dab20
Bugfix: iptables were incorrectly positioned on /etc/rc.local
2013-05-14 20:59:03 +02:00
Nyr
c0adc8c75b
Added option for client certificate revocation
2013-05-14 17:41:53 +02:00
Nyr
e95049a76a
First commit
2013-05-14 14:04:19 +02:00