## Summary
- Remove Amazon Linux 2 support from the installer
- Amazon Linux 2023 remains fully supported
## Motivation
Amazon Linux 2 is reaching EOL.
Additionally, Amazon Linux 2 ships with **OpenSSL 1.0.2k** (from 2017)
which is incompatible with Easy-RSA 3.2.x. The newer Easy-RSA versions
use `openssl x509 -ext` which doesn't exist in OpenSSL 1.0.x, causing
certificate generation to fail.
This blocks our ability to upgrade Easy-RSA:
bda450948a
## Changes
- Updated OS detection to reject Amazon Linux 2 with a clear message
- Removed Amazon Linux 2 specific code paths (EPEL installation, yum
commands)
- Removed from CI test matrix
- Updated README supported distributions table
- Updated Makefile test targets
- Also, add Amazon Linux 2023 Unbound handling
## Summary
- Add `CHACHA20-POLY1305` as a data channel cipher option
- Add `ECDHE-*-CHACHA20-POLY1305` control channel cipher options
- Add version check (requires OpenVPN 2.5+)
- Update README documentation
ChaCha20-Poly1305 is particularly useful on devices without hardware AES
acceleration (AES-NI), such as ARM-based devices (Raspberry Pi, etc.)
and older CPUs, where it can provide better performance than AES.
Closes#1244Closes#190
## Summary
- Rename constants to `DEFAULT_CERT_VALIDITY_DURATION_DAYS` and
`DEFAULT_CRL_VALIDITY_DURATION_DAYS` for clarity
- Replace all hardcoded `3650` values with the constants
- Split `DAYS_VALID` into `CLIENT_CERT_DURATION_DAYS` and
`SERVER_CERT_DURATION_DAYS` for more granular control over client vs
server certificate validity
- Increase CRL validity to 15 years (5475 days) to provide a 5-year
safety buffer over the default 10-year certificate validity
- Update README with new headless install variables
## Breaking changes
- `DAYS_VALID` environment variable is replaced by
`CLIENT_CERT_DURATION_DAYS` and `SERVER_CERT_DURATION_DAYS`
## Summary
- Add certificate renewal for both client and server certificates
- Allow custom validity period during renewal (prompts user, defaults to
3650 days)
- Show expiry info inline in menus (e.g., "Renew the server certificate
(expires in 3542 days)")
- Regenerate `.ovpn` files after client renewal
- Restart OpenVPN service after server renewal
- Extract reusable helper functions to reduce code duplication
- Add robust input validation and error handling
## New menu option
```
What do you want to do?
1) Add a new user
2) Revoke existing user
3) Renew certificate ← NEW
4) Remove OpenVPN
5) Exit
```
## Renewal submenu
```
What do you want to renew?
1) Renew a client certificate
2) Renew the server certificate (expires in 3542 days)
3) Back to main menu
```
Client list shows expiry for each:
```
Select the existing client certificate you want to renew
1) alice (expires in 3542 days)
2) bob (expires in 30 days)
3) charlie (EXPIRED 5 days ago)
```
## Helper functions added
Extracted common code into reusable functions:
- `getHomeDir()` - home directory detection
- `regenerateCRL()` - CRL regeneration after cert changes
- `generateClientConfig()` - .ovpn file generation
- `selectClient()` - client listing with optional expiry display
- `getDaysUntilExpiry()` - certificate expiry calculation
- `formatExpiry()` - human-readable expiry formatting
## Test plan
- [x] Client certificate renewal tested in Docker CI
- [x] Server certificate renewal tested in Docker CI
- [x] Certificate validity verified after renewal (~3650 days)
- [x] VPN connectivity tested with renewed certificate
Closes#974#1002#1228#1060
## Summary
- Install OpenVPN from official upstream repositories instead of
distribution packages
- Gets the latest stable releases with security fixes and new features
- Properly cleans up repos and GPG keys on uninstall
## Repository sources
| OS | Repository |
|---|---|
| Debian/Ubuntu | `build.openvpn.net/debian/openvpn/stable` |
| CentOS/Oracle/Fedora | Fedora Copr `@OpenVPN/openvpn-release-2.6` |
| Amazon Linux/Arch | Distribution packages (no official repo available)
|
## Changes
- Add `installOpenVPNRepo()` function to configure official repos before
package installation
- Remove duplicate package installations between repo setup and install
functions
- Clean up repos and GPG keys during uninstall
- Standardize `log_success` (`[OK]`) for major milestones only
---
Close https://github.com/angristan/openvpn-install/pull/1294
Replace the warning about outdated documentation with a note
clarifying that TLS 1.2 is kept as minimum for client compatibility
while acknowledging OpenVPN 2.5+ features.
This set of changes adjusts the script so that you can run it multiple times with the same input and not have any unexpected changes. This makes it appropriate for "enforcing state", as required by automated provisioners like Puppet, Salt, Chef, or Ansible.
- Unbound, OpenVPN, easy-rsa, and other dependencies are only installed from upstream if they are not already present. This prevents multiple runs of the script from causing unexpected version upgrades.
- The easy-rsa system is put in a folder called "easy-rsa-auto" so it can't conflict with the "easy-rsa" folder from some older OpenVPN packages
- The easy-rsa CA is only initialized once
- SERVER_CN and SERVER_NAME are randomly generated once and saved for future reference
- File append ('>>') is only done strictly after a file is created with '>' (e.g. /etc/sysctl.d/20-openvpn.conf)
- Clients are only added to easy-rsa once
- If AUTO_INSTALL == y, then the script operates in install mode and doesn't enter manageMenu
