Stanislas
d8aa625639
feat: add native firewalld support ( #1388 )
...
## Summary
- Add native firewalld support for RHEL/Fedora/CentOS systems
- When firewalld is active, use `firewall-cmd --permanent` instead of
raw iptables
- Rules persist across `firewall-cmd --reload`
- Fall back to iptables when firewalld is not active
- Add `After=firewalld.service` to iptables systemd unit for safety
## Changes
**Install:** Detect firewalld, use `firewall-cmd` to add port,
masquerade, and rich rules. Fall back to iptables if inactive.
**Uninstall:** Detect which method was used and clean up accordingly.
**Tests:** Add `fedora-42-firewalld` CI test with firewalld enabled.
---
Closes https://github.com/angristan/openvpn-install/issues/356
Closes https://github.com/angristan/openvpn-install/pull/1200
2025-12-13 20:49:40 +01:00
renovate[bot]
be2a195bb5
chore(deps): update dependency openvpn/easy-rsa to v3.2.5 ( #1381 )
...
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [OpenVPN/easy-rsa](https://redirect.github.com/OpenVPN/easy-rsa) | patch | `3.2.4` -> `3.2.5` |
---
### Release Notes
<details>
<summary>OpenVPN/easy-rsa (OpenVPN/easy-rsa)</summary>
### [`v3.2.5`](https://redirect.github.com/OpenVPN/easy-rsa/releases/tag/v3.2.5): 3.2.5
[Compare Source](https://redirect.github.com/OpenVPN/easy-rsa/compare/v3.2.4...v3.2.5)
#### What's Changed
- Replace `local` / `global` `openssl-easyrsa.cnf` by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1394](https://redirect.github.com/OpenVPN/easy-rsa/pull/1394)
- init-pki: Introduce configurable cryptography by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1397](https://redirect.github.com/OpenVPN/easy-rsa/pull/1397)
- Drop x509 type kdc built-in by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1399](https://redirect.github.com/OpenVPN/easy-rsa/pull/1399)
- Always generate an `openssl-easyrsa.cnf` or `x509-types` tmp-file by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1401](https://redirect.github.com/OpenVPN/easy-rsa/pull/1401)
- Libressl use `$EASYRSA_FORCE_SAFE_SSL` by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1402](https://redirect.github.com/OpenVPN/easy-rsa/pull/1402)
- Update EasyRSA-Advanced.md by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1403](https://redirect.github.com/OpenVPN/easy-rsa/pull/1403)
- `source_vars()`: Add `grep` regex for assign by equal `=` by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1405](https://redirect.github.com/OpenVPN/easy-rsa/pull/1405)
- export\_pkcs(), PKCS12 inline: Respect $EASYRSA\_NO\_INLINE by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1407](https://redirect.github.com/OpenVPN/easy-rsa/pull/1407)
- Introduce peer-fingerprint inline lists by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1410](https://redirect.github.com/OpenVPN/easy-rsa/pull/1410)
- help: Add '-b' alias for --batch and correct default 'vars' file by
[@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1411](https://redirect.github.com/OpenVPN/easy-rsa/pull/1411)
- New function ssl\_cert\_sig\_digest(); Extract certificate digest name
by [@TinCanTech](https://redirect.github.com/TinCanTech) in
[#1414](https://redirect.github.com/OpenVPN/easy-rsa/pull/1414)
- Upgrading OpenSSL for Windows to 3.6.0 by
[@ecrist](https://redirect.github.com/ecrist) in
[#1416](https://redirect.github.com/OpenVPN/easy-rsa/pull/1416)
**Full Changelog**:
<https://github.com/OpenVPN/easy-rsa/compare/v3.2.4...v3.2.5>
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/angristan/openvpn-install ).
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Stanislas Lange <git@slange.me >
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-12-13 19:48:07 +01:00
Stanislas
75ea8ef1c1
ci: only cancel in-progress jobs for pull requests ( #1378 )
...
- Only cancel in-progress CI jobs for pull requests, not for master
branch pushes
- Ensures all master branch jobs run to completion while still saving CI
resources on PRs
2025-12-13 15:14:15 +01:00
Stanislas
3561d13389
feat: add tls-crypt-v2 support with per-client keys ( #1377 )
...
## Summary
- Add support for OpenVPN's `tls-crypt-v2` feature (per-client TLS keys)
- Set `tls-crypt-v2` as the new recommended default
- Add CI tests for all 3 TLS key types
Closes #983
Closes #758
Closes https://github.com/angristan/openvpn-install/pull/1257
## What is tls-crypt-v2?
Unlike `tls-crypt` (shared key), `tls-crypt-v2` generates unique keys
per client:
- **Better security**: Compromised client keys don't affect other
clients
- **Easier management**: Individual client key revocation without
regenerating server key
- **Scalability**: Better suited for large deployments
Requires OpenVPN 2.5+ (released 2020).
## Menu options
```
1) tls-crypt-v2 (recommended): Encrypts control channel, unique key per client
2) tls-crypt: Encrypts control channel, shared key for all clients
3) tls-auth: Authenticates control channel, no encryption
```
2025-12-13 14:32:38 +01:00
Stanislas
2c53bc0f83
feat: add run_cmd_fatal, fix Fedora, improve CI ( #1369 )
...
## Summary
This PR contains three related improvements:
### 1. Add `run_cmd_fatal` for critical operations
- New helper function that wraps `run_cmd` and exits on failure
- Converts critical operations (package installs, PKI setup, certificate
generation) to fail fast
- Non-critical operations (systemctl, cleanup) still use `run_cmd`
- Password-protected client certs run directly to preserve interactive
prompt
### 2. Fix Fedora installation
- Skip Copr repository setup since Fedora already ships OpenVPN 2.6.x
- Simplifies installation and removes external repository dependency
### 3. Improve CI test reliability
- Fail fast when `openvpn-test.service` fails during startup
- Add `journalctl` output to error diagnostics
- Display service status in wait loop
- Increase VPN gateway ping count from 3 to 10 for stability
2025-12-13 13:31:54 +01:00
Stanislas
9e1bb4b175
feat: enable proper systemd support in Docker tests ( #1373 )
...
- Replace the `sed` hack that disabled `systemctl` commands with proper
systemd support in Docker containers
- This allows testing the actual `systemctl` commands used by the
install script
- No more manual workarounds for starting OpenVPN/Unbound services
2025-12-13 01:14:54 +01:00
Guo Yunhe
bbf93a19d5
Add openSUSE Tumbleweed/Leap support ( #1166 )
...
---------
Co-authored-by: Stanislas Lange <git@slange.me >
2025-12-11 21:22:12 +01:00
Stanislas
4b00f44e8e
feat: add version 10 support for RHEL-based distributions ( #1346 )
...
## Summary
- Add version 10 support for CentOS Stream, Rocky Linux, AlmaLinux, and
Oracle Linux
- Consolidate version check logic into a single check for all RHEL-based
distributions
- Fix Rocky Linux Docker image names to `rockylinux/rockylinux:tag`
- Increase Easy-RSA download curl retry from 3 to 5
- Fail early if EPEL/Copr repository setup fails
- Fix Oracle Linux EPEL package name (`oracle-epel-release-el*` instead
of `epel-release`)
## Changes
### `openvpn-install.sh`
- Combine version checks for CentOS/Rocky/AlmaLinux and Oracle Linux
into one
- Update error message to list supported distributions
- Change Easy-RSA download `--retry 3` to `--retry 5`
- Add `|| log_fatal` to EPEL and Copr setup commands to fail early on
errors
- Use `oracle-epel-release-el{8,9,10}` for Oracle Linux instead of
`epel-release`
### `.github/workflows/docker-test.yml`
- Add CentOS Stream 10 (`quay.io/centos/centos:stream10`)
- Add Rocky Linux 10 (`rockylinux/rockylinux:10`)
- Add AlmaLinux 10 (`almalinux:10`)
- Add Oracle Linux 10 (`oraclelinux:10`)
- Fix Rocky Linux image names from `rockylinux:X` to
`rockylinux/rockylinux:X`
## Test plan
- [ ] CI passes for existing distributions
- [ ] CI passes for new version 10 distributions (where images are
available)
2025-12-11 20:22:00 +01:00
Stanislas
0d4d2229f4
test: add e2e tests for certificate revocation ( #1345 )
...
## Summary
- Add end-to-end tests for certificate revocation functionality
- Test that a revoked client certificate cannot connect to the VPN
- Test that a new certificate can be created with the same name as a
revoked one (validating the fix from #1185 )
- Test that the new certificate can successfully connect
## Test Flow
1. **Initial connectivity tests** - existing tests pass
2. **Certificate revocation test**:
- Create a new client `revoketest`
- Connect with the certificate (verifies it works)
- Disconnect the client
- Revoke the certificate via the install script
- Try to reconnect with revoked cert (verifies connection is rejected)
3. **Reuse revoked name test**:
- Create a new certificate with the same name `revoketest`
- Verify both revoked and valid entries exist in `index.txt`
- Connect with the new certificate (verifies it works)
## Changes
| File | Changes |
|------|---------|
| `test/server-entrypoint.sh` | Start OpenVPN in background, add
revocation test orchestration |
| `test/client-entrypoint.sh` | Add revocation test phases with signal
file coordination |
| `docker-compose.yml` | Remove read-only restriction on shared volume
for client |
| `Makefile` | Increase timeout from 60 to 180 iterations |
| `.github/workflows/docker-test.yml` | Increase timeouts, fix shared
volume |
2025-12-11 18:22:16 +01:00
Stanislas Lange
690414a56e
ci: update Fedora versions to 42 and 43
2025-12-11 17:21:48 +01:00
Stanislas Lange
d9e11822db
fix: use pgrep -f to detect OpenVPN server, not transient processes
...
The previous check using `pgrep -x openvpn` was matching transient
openvpn processes like `openvpn --genkey` that run during installation,
causing false positives. This led to race conditions where the CI
thought the server was running when it was actually still installing.
Use `pgrep -f "openvpn.*server.conf"` to specifically match the actual
OpenVPN server process running with the server configuration.
2025-12-11 17:21:48 +01:00
Stanislas Lange
6cca56f5b5
ci: add install script log output in docker-test workflow
...
Add step to display the install script log file (openvpn-install.log)
which includes timestamps and all installation activity.
This makes debugging CI failures easier by providing detailed logs
directly in the workflow output.
2025-12-11 17:21:48 +01:00
Stanislas Lange
599d122113
fix: use pgrep -x to accurately check for OpenVPN process in docker-test workflow
2025-12-11 16:26:45 +01:00
renovate[bot]
1aae852c60
chore(deps): update super-linter/super-linter action to v8 ( #1339 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [super-linter/super-linter](https://redirect.github.com/super-linter/super-linter) | action | major | `v7` -> `v8` |
---
### Release Notes
<details>
<summary>super-linter/super-linter (super-linter/super-linter)</summary>
### [`v8`](https://redirect.github.com/super-linter/super-linter/blob/HEAD/CHANGELOG.md#680-2024-07-31)
[Compare Source](https://redirect.github.com/super-linter/super-linter/compare/v7...v8)
##### 🚀 Features
- allow using both prettier and standardjs
([#​5679](https://redirect.github.com/super-linter/super-linter/issues/5679 ))
([2daf461](2daf461143 ))
- customize phpstan config file name
([#​5940](https://redirect.github.com/super-linter/super-linter/issues/5940 ))
([20c4df5](20c4df58c0 ))
- enable dotenv-linter for slim images
([#​5868](https://redirect.github.com/super-linter/super-linter/issues/5868 ))
([c770a8d](c770a8d253 ))
- remove no-eslintrc and simplify eslint conf
([#​5809](https://redirect.github.com/super-linter/super-linter/issues/5809 ))
([5be4926](5be4926633 )),
closes
[#​5688](https://redirect.github.com/super-linter/super-linter/issues/5688 )
- write github actions step summary
([#​5867](https://redirect.github.com/super-linter/super-linter/issues/5867 ))
([57c8658](57c86588c3 )),
closes
[#​5650](https://redirect.github.com/super-linter/super-linter/issues/5650 )
##### 🐛 Bugfixes
- avoid duplicated content in summary
([#​5939](https://redirect.github.com/super-linter/super-linter/issues/5939 ))
([ef57e13](ef57e132e1 ))
- store outputs in the main output directory
([#​5899](https://redirect.github.com/super-linter/super-linter/issues/5899 ))
([78ed3ef](78ed3ef5fc ))
- update pylint to ignore import-errors
([#​5927](https://redirect.github.com/super-linter/super-linter/issues/5927 ))
([eec862d](eec862d0ea ))
- update the list of linters to remove
([#​5870](https://redirect.github.com/super-linter/super-linter/issues/5870 ))
([6bd7659](6bd76596f3 ))
##### ⬆️ Dependency updates
- **bundler:** bump rubocop-minitest in /dependencies
([#​5875](https://redirect.github.com/super-linter/super-linter/issues/5875 ))
([9751e62](9751e62bee ))
- **bundler:** bump rubocop-performance in /dependencies
([#​5777](https://redirect.github.com/super-linter/super-linter/issues/5777 ))
([763dcc4](763dcc4d45 ))
- **bundler:** bump rubocop-rspec from 2.30.0 to 3.0.3 in /dependencies
([#​5878](https://redirect.github.com/super-linter/super-linter/issues/5878 ))
([592d903](592d903c50 ))
- **dev-docker:** bump node in /dev-dependencies
([#​5872](https://redirect.github.com/super-linter/super-linter/issues/5872 ))
([587fe0a](587fe0a8b9 ))
- **dev-npm:** bump release-please in /dev-dependencies
([#​5754](https://redirect.github.com/super-linter/super-linter/issues/5754 ))
([6bb3f78](6bb3f789bb ))
- **docker:** bump alpine/helm from 3.14.4 to 3.15.3
([#​5882](https://redirect.github.com/super-linter/super-linter/issues/5882 ))
([b5bf9f2](b5bf9f297d ))
- **docker:** bump alpine/terragrunt from 1.9.0 to 1.9.2
([#​5883](https://redirect.github.com/super-linter/super-linter/issues/5883 ))
([95feeac](95feeacb0a ))
- **docker:** bump dart from 3.4.2-sdk to 3.4.4-sdk
([#​5764](https://redirect.github.com/super-linter/super-linter/issues/5764 ))
([b75f1cf](b75f1cfcef ))
- **docker:** bump dotnet/sdk
([#​5873](https://redirect.github.com/super-linter/super-linter/issues/5873 ))
([f068663](f06866359b ))
- **docker:** bump golangci/golangci-lint from v1.59.0 to v1.59.1
([#​5748](https://redirect.github.com/super-linter/super-linter/issues/5748 ))
([81ab76d](81ab76d001 ))
- **docker:** bump goreleaser/goreleaser from v1.26.2 to v2.1.0
([#​5881](https://redirect.github.com/super-linter/super-linter/issues/5881 ))
([d84d439](d84d439393 ))
- **docker:** bump hashicorp/terraform from 1.8.4 to 1.9.2
([#​5885](https://redirect.github.com/super-linter/super-linter/issues/5885 ))
([d384e67](d384e674c7 ))
- **docker:** bump mstruebing/editorconfig-checker from v3.0.1 to v3.0.3
([#​5856](https://redirect.github.com/super-linter/super-linter/issues/5856 ))
([81196f4](81196f4267 ))
- **docker:** bump python from 3.12.3-alpine3.20 to 3.12.4-alpine3.20
([#​5884](https://redirect.github.com/super-linter/super-linter/issues/5884 ))
([8a044b5](8a044b58de ))
- **docker:** bump scalameta/scalafmt from v3.8.1 to v3.8.2
([#​5765](https://redirect.github.com/super-linter/super-linter/issues/5765 ))
([4931da5](4931da55da ))
- **docker:** bump terraform-linters/tflint from v0.51.2 to v0.52.0
([#​5858](https://redirect.github.com/super-linter/super-linter/issues/5858 ))
([ae1dba5](ae1dba53fd ))
- **docker:** bump yoheimuta/protolint from 0.50.2 to 0.50.3
([#​5857](https://redirect.github.com/super-linter/super-linter/issues/5857 ))
([913bd0d](913bd0dd47 ))
- **docker:** bump zricethezav/gitleaks from v8.18.3 to v8.18.4
([#​5768](https://redirect.github.com/super-linter/super-linter/issues/5768 ))
([33bb4b4](33bb4b46d4 ))
- **github-actions:** bump actions/download-artifact from 4.1.7 to 4.1.8
([#​5861](https://redirect.github.com/super-linter/super-linter/issues/5861 ))
([ed72e66](ed72e66416 ))
- **github-actions:** bump actions/upload-artifact from 4.3.3 to 4.3.4
([#​5860](https://redirect.github.com/super-linter/super-linter/issues/5860 ))
([dd4313c](dd4313c9b3 ))
- **github-actions:** bump docker/build-push-action from 5 to 6
([#​5770](https://redirect.github.com/super-linter/super-linter/issues/5770 ))
([27170b8](27170b8e92 ))
- **java:** bump com.pinterest.ktlint:ktlint-cli in /dependencies/ktlint
([#​5849](https://redirect.github.com/super-linter/super-linter/issues/5849 ))
([19c5fce](19c5fcea2e ))
- **npm:** bump
[@​babel/eslint-parser](https://redirect.github.com/babel/eslint-parser )
in /dependencies
([#​5886](https://redirect.github.com/super-linter/super-linter/issues/5886 ))
([387a2b5](387a2b5626 ))
- **npm:** bump
[@​babel/preset-react](https://redirect.github.com/babel/preset-react )
in /dependencies
([#​5740](https://redirect.github.com/super-linter/super-linter/issues/5740 ))
([4eeb628](4eeb62862e ))
- **npm:** bump
[@​babel/preset-typescript](https://redirect.github.com/babel/preset-typescript )
in /dependencies
([#​5734](https://redirect.github.com/super-linter/super-linter/issues/5734 ))
([de4b193](de4b193006 ))
- **npm:** bump
[@​react-native/eslint-config](https://redirect.github.com/react-native/eslint-config )
in /dependencies
([#​5835](https://redirect.github.com/super-linter/super-linter/issues/5835 ))
([28c228d](28c228dfc0 ))
- **npm:** bump
[@​typescript-eslint/eslint-plugin](https://redirect.github.com/typescript-eslint/eslint-plugin )
in /dependencies
([#​5895](https://redirect.github.com/super-linter/super-linter/issues/5895 ))
([7f5b018](7f5b018fb7 ))
- **npm:** bump eslint-plugin-jest in /dependencies
([#​5738](https://redirect.github.com/super-linter/super-linter/issues/5738 ))
([1312398](1312398b9c ))
- **npm:** bump eslint-plugin-jsx-a11y in /dependencies
([#​5797](https://redirect.github.com/super-linter/super-linter/issues/5797 ))
([8972772](8972772732 ))
- **npm:** bump eslint-plugin-react in /dependencies
([#​5890](https://redirect.github.com/super-linter/super-linter/issues/5890 ))
([fe3e1f8](fe3e1f83b7 ))
- **npm:** bump eslint-plugin-vue from 9.26.0 to 9.27.0 in /dependencies
([#​5851](https://redirect.github.com/super-linter/super-linter/issues/5851 ))
([c2e85a9](c2e85a9f03 ))
- **npm:** bump jscpd from 4.0.4 to 4.0.5 in /dependencies
([#​5852](https://redirect.github.com/super-linter/super-linter/issues/5852 ))
([042c6b1](042c6b1917 ))
- **npm:** bump next from 14.2.3 to 14.2.5 in /dependencies
([#​5887](https://redirect.github.com/super-linter/super-linter/issues/5887 ))
([22b7ba9](22b7ba91d0 ))
- **npm:** bump prettier from 3.3.2 to 3.3.3 in /dependencies
([#​5891](https://redirect.github.com/super-linter/super-linter/issues/5891 ))
([b601212](b6012126df ))
- **npm:** bump react-router-dom from 6.23.1 to 6.25.0 in /dependencies
([#​5897](https://redirect.github.com/super-linter/super-linter/issues/5897 ))
([ef71e94](ef71e944ab ))
- **npm:** bump renovate from 37.421.5 to 37.432.0 in /dependencies
([#​5896](https://redirect.github.com/super-linter/super-linter/issues/5896 ))
([09a01eb](09a01ebbe6 ))
- **npm:** bump textlint-rule-terminology in /dependencies
([#​5853](https://redirect.github.com/super-linter/super-linter/issues/5853 ))
([55b065d](55b065d3c2 ))
- **npm:** bump typescript from 5.4.5 to 5.5.3 in /dependencies
([#​5832](https://redirect.github.com/super-linter/super-linter/issues/5832 ))
([8605c2b](8605c2b584 ))
- **python:** bump ansible-lint in /dependencies/python
([#​5877](https://redirect.github.com/super-linter/super-linter/issues/5877 ))
([e90ee32](e90ee328a2 ))
- **python:** bump cfn-lint from 1.4.2 to 1.6.1 in /dependencies/python
([#​5876](https://redirect.github.com/super-linter/super-linter/issues/5876 ))
([ebf8cc8](ebf8cc807a ))
- **python:** bump checkov in /dependencies/python
([#​5879](https://redirect.github.com/super-linter/super-linter/issues/5879 ))
([47392ad](47392ad663 ))
- **python:** bump flake8 from 7.0.0 to 7.1.0 in /dependencies/python
([#​5780](https://redirect.github.com/super-linter/super-linter/issues/5780 ))
([f019ee3](f019ee34d2 ))
- **python:** bump ruff from 0.5.0 to 0.5.2 in /dependencies/python
([#​5880](https://redirect.github.com/super-linter/super-linter/issues/5880 ))
([3fd69a1](3fd69a107b ))
- **python:** bump snakemake in /dependencies/python
([#​5874](https://redirect.github.com/super-linter/super-linter/issues/5874 ))
([2b6aa12](2b6aa12906 ))
- **python:** bump sqlfluff from 3.0.7 to 3.1.0 in /dependencies/python
([#​5847](https://redirect.github.com/super-linter/super-linter/issues/5847 ))
([31da61e](31da61e189 ))
##### 🧰 Maintenance
- add super-linter configuration in the bug template
([#​5910](https://redirect.github.com/super-linter/super-linter/issues/5910 ))
([26ddd8b](26ddd8b084 ))
- authenticate tflint init
([#​5894](https://redirect.github.com/super-linter/super-linter/issues/5894 ))
([cc20e45](cc20e4561e ))
- bump alpine image to 3.20 and php to 8.3.x
([#​5863](https://redirect.github.com/super-linter/super-linter/issues/5863 ))
([d9d1909](d9d19095ec ))
- enable dev-dependencies docker build checks
([#​5871](https://redirect.github.com/super-linter/super-linter/issues/5871 ))
([12da497](12da4973c6 ))
- fix docker build warnings
([#​5862](https://redirect.github.com/super-linter/super-linter/issues/5862 ))
([fc094cc](fc094cc1a4 ))
- print info about the environment, image size
([#​5869](https://redirect.github.com/super-linter/super-linter/issues/5869 ))
([bcf8ca8](bcf8ca82ad ))
- remove duplicated configuration files
([#​5928](https://redirect.github.com/super-linter/super-linter/issues/5928 ))
([70e0239](70e0239117 ))
- run docker build checks
([#​5864](https://redirect.github.com/super-linter/super-linter/issues/5864 ))
([ce59f5c](ce59f5c323 ))
- split validation logic in smaller functions
([#​5892](https://redirect.github.com/super-linter/super-linter/issues/5892 ))
([d2d7334](d2d73347d3 ))
- update dependabot config for ci/dev updates
([#​5898](https://redirect.github.com/super-linter/super-linter/issues/5898 ))
([e374e48](e374e48933 ))
- update release-please to the new workspace
([#​5901](https://redirect.github.com/super-linter/super-linter/issues/5901 ))
([2ecf945](2ecf945339 ))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/angristan/openvpn-install ).
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Stanislas Lange <git@slange.me >
2025-12-11 11:12:00 +01:00
renovate[bot]
9162924468
chore(deps): update actions/checkout action to v6 ( #1338 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | major | `v4` -> `v6` |
---
### Release Notes
<details>
<summary>actions/checkout (actions/checkout)</summary>
### [`v6`](https://redirect.github.com/actions/checkout/compare/v5...v6 )
[Compare
Source](https://redirect.github.com/actions/checkout/compare/v5...v6 )
### [`v5`](https://redirect.github.com/actions/checkout/compare/v4...v5 )
[Compare
Source](https://redirect.github.com/actions/checkout/compare/v4...v5 )
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/angristan/openvpn-install ).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-11 10:29:01 +01:00
Stanislas
ba1d0419a8
fix: use PAT to trigger CI after hash update ( #1337 )
...
- Commits made with `GITHUB_TOKEN` don't trigger workflows
- Using a PAT allows the hash update commit to trigger CI checks
- Fixes the issue where PR #1335 didn't have CI triggered after the hash
update
2025-12-10 18:23:58 +01:00
Stanislas Lange
a6154c2653
Disable renovate check for disabled workflow
2025-12-10 18:14:57 +01:00
Stanislas
a4c51f9bf9
ci: add Renovate for Easy-RSA version updates ( #1333 )
...
## Summary
- Add Renovate configuration to automatically track Easy-RSA releases
- Add GitHub Action to auto-update SHA256 hash on Renovate PRs
## How it works
1. **Renovate** detects a new Easy-RSA release → creates PR updating
`EASYRSA_VERSION`
2. **GitHub Action** triggers on the PR → downloads tarball → computes
SHA256 → commits fix
3. PR is ready to merge with both version and hash updated
---
I intentionally updated to the second-to-last version in
bda450948a
to test if this works.
2025-12-10 18:08:54 +01:00
Stanislas
b9a1650027
feat: drop Amazon Linux 2 support ( #1332 )
...
## Summary
- Remove Amazon Linux 2 support from the installer
- Amazon Linux 2023 remains fully supported
## Motivation
Amazon Linux 2 is reaching EOL.
Additionally, Amazon Linux 2 ships with **OpenSSL 1.0.2k** (from 2017)
which is incompatible with Easy-RSA 3.2.x. The newer Easy-RSA versions
use `openssl x509 -ext` which doesn't exist in OpenSSL 1.0.x, causing
certificate generation to fail.
This blocks our ability to upgrade Easy-RSA:
bda450948a
## Changes
- Updated OS detection to reject Amazon Linux 2 with a clear message
- Removed Amazon Linux 2 specific code paths (EPEL installation, yum
commands)
- Removed from CI test matrix
- Updated README supported distributions table
- Updated Makefile test targets
- Also, add Amazon Linux 2023 Unbound handling
2025-12-10 17:54:00 +01:00
Stanislas
66890fb5d3
ci: prevent duplicate workflow runs ( #1324 )
...
## Summary
- Restrict `push` trigger to `master` branch only (feature branch pushes
won't trigger CI)
- Add concurrency groups to cancel redundant runs when new commits are
pushed
- Works correctly with fork PRs using standard `pull_request` event
2025-12-09 19:47:02 +01:00
Stanislas Lange
8a133b7bed
ci: run Docker e2e tests on pull requests
2025-12-09 18:06:53 +01:00
Stanislas
a3389c126c
Add Docker-based E2E testing ( #1320 )
...
### Summary
- Add automated end-to-end testing using Docker to verify the installation script works across 18 Linux distributions
- Add Oracle Linux 9 support to the installation script
- Drop support for EOL distributions (Debian 8/9/10, CentOS 7, Ubuntu 16.04)
- Disable Digital Ocean droplets based end-to-end tests, let's use docker from now on
### Changes
**New test infrastructure:**
- `test/Dockerfile.server` - Multi-OS server image with `BASE_IMAGE` build arg
- `test/Dockerfile.client` - Ubuntu 24.04 client for connectivity testing
- `test/server-entrypoint.sh` - Runs install script, verifies files exist, asserts iptables NAT rules, starts OpenVPN
- `test/client-entrypoint.sh` - Connects to VPN, verifies tun0 interface, pings gateway
- `docker-compose.yml` - Orchestrates server + client with shared volume
- `.github/workflows/docker-test.yml` - CI matrix testing 18 OS variants
- `.github/workflows/test.yml` - Removed push/PR triggers, now manual only for DO tests
- `Makefile` - Local testing commands (`make test`, `make test-ubuntu-24.04`, etc.)
**Distributions tested (18 total):**
| Family | Versions |
|--------|----------|
| Ubuntu | 18.04, 20.04, 22.04, 24.04 |
| Debian | 11, 12 |
| Fedora | 40, 41 |
| Rocky Linux | 8, 9 |
| AlmaLinux | 8, 9 |
| Oracle Linux | 8, 9 |
| Amazon Linux | 2, 2023 |
| CentOS Stream | 9 |
| Arch Linux | latest |
2025-12-07 12:27:41 +01:00
Stanislas Lange
94c1af2b5d
Remove Fedora 43 OS image from CI workflow
2025-12-04 23:18:15 +01:00
Stanislas Lange
f92582fb2f
Update Fedora OS images in CI workflow to include 42 and 43
2025-12-04 23:15:24 +01:00
Stanislas Lange
469bc2f883
Update OS images in CI workflow to include Debian 13 and remove 11
2025-12-04 23:12:57 +01:00
Stanislas Lange
6b92f8a61f
Quote shell variables in test.yml to fix shellcheck warnings
2025-12-04 23:04:11 +01:00
Stanislas Lange
62c336022f
Add permissions to test.yml for security best practices
2025-12-04 23:04:11 +01:00
Stanislas Lange
cad43ad99e
Add permissions to lint.yml for security best practices
2025-12-04 23:04:11 +01:00
Stanislas Lange
77f28d1595
ci: add fetch-depth: 0 for super-linter v7 compatibility
...
Super-linter v7 requires full git history to find the default branch
for comparison. Without fetch-depth: 0, it fails with 'master branch
doesn't exist' error.
2025-12-04 23:04:11 +01:00
Stanislas Lange
7c2c491fab
ci: update appleboy/ssh-action from v0.1.6 to v1.2.0
...
Updates to a more recent stable version with bug fixes and
improvements.
2025-12-04 23:04:11 +01:00
Stanislas Lange
00f3cd1605
ci: update Super Linter from v4.1.0 to v7
...
The super-linter project has been moved to the super-linter org
and significantly updated. v7 includes many improvements and
bug fixes.
2025-12-04 23:04:11 +01:00
Stanislas Lange
d61b16f3b8
ci: replace deprecated set-output with GITHUB_OUTPUT
...
The set-output workflow command was deprecated in favor of
environment files. See:
https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
2025-12-04 23:04:11 +01:00
Stanislas Lange
19e4b7961f
CI: add Fedora 41 and remove 39 for e2e workflow
2025-03-10 10:27:19 +01:00
Stanislas Lange
dc114f3243
Update distribution matrix for end-to-end tests
2024-11-07 20:49:42 +01:00
Stanislas Lange
0d58ddcb8c
Update distribution matrix for end-to-end tests
2024-11-07 20:46:51 +01:00
Stanislas Lange
2ce1ee765e
Remove centos-stream-8-x64 from test workflow
...
Not available on DO anymore
2024-07-12 18:22:34 +02:00
Stanislas Lange
67701fac77
CI: wait for dpkg lock in debian/ubuntu setup step
2024-05-16 20:37:23 +02:00
Stanislas Lange
0cc002e17d
CI: wait for dpkg lock in debian/ubuntu setup step
2024-05-16 20:33:32 +02:00
Stanislas Lange
a2725d61a3
CI: update actions/checkout to v4
2024-05-16 20:13:47 +02:00
Stanislas Lange
305e9868cf
CI: update linux distributions used in end-to-end tests
2024-05-16 20:08:12 +02:00
Stanislas Lange
6a127fa2b6
Enable manual trigger of actions
2024-05-16 20:02:01 +02:00
Stanislas
1a249c621d
ci: test workflow server images update ( #1183 )
...
* test ci
* remove ubuntu 18.04
* remove fedora 35 and add 37 38
* disable centos stream 9, add debian 12
2023-11-20 21:14:04 +01:00
Stanislas Lange
d2556ff235
Add support for CentOS 9 + update supported distributions
2023-01-22 00:57:40 +01:00
Stanislas Lange
2f76bb5e40
Update easy-rsa to 3.1.2 and fix compatibility with Ubuntu 22.04
...
Based on this patch by @zerodivisi0n: https://github.com/angristan/openvpn-install/issues/1000#issuecomment-1283484772
2023-01-22 00:10:46 +01:00
Stanislas Lange
ca8d58d5f0
Fix checkout in test workflow
2023-01-22 00:10:46 +01:00
dependabot[bot]
638b51168a
build(deps): bump appleboy/ssh-action from 0.1.5 to 0.1.6 ( #1074 )
...
Bumps [appleboy/ssh-action](https://github.com/appleboy/ssh-action ) from 0.1.5 to 0.1.6.
- [Release notes](https://github.com/appleboy/ssh-action/releases )
- [Commits](https://github.com/appleboy/ssh-action/compare/v0.1.5...v0.1.6 )
---
updated-dependencies:
- dependency-name: appleboy/ssh-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-03 14:05:27 +01:00
dependabot[bot]
d629791a95
build(deps): bump actions/checkout from 3.1.0 to 3.2.0 ( #1075 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v3.1.0...v3.2.0 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-03 14:05:14 +01:00
Stanislas
d3751457ab
Remove Debian 9 in e2e tests as it has been removed by DO
2022-11-21 19:15:22 +01:00
dependabot[bot]
83111c58e7
build(deps): bump actions/checkout from 3.0.2 to 3.1.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3.0.2 to 3.1.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v3.0.2...v3.1.0 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2022-11-21 19:07:13 +01:00
dependabot[bot]
a7e54a47ce
build(deps): bump appleboy/ssh-action from 0.1.4 to 0.1.5
...
Bumps [appleboy/ssh-action](https://github.com/appleboy/ssh-action ) from 0.1.4 to 0.1.5.
- [Release notes](https://github.com/appleboy/ssh-action/releases )
- [Commits](https://github.com/appleboy/ssh-action/compare/v0.1.4...v0.1.5 )
---
updated-dependencies:
- dependency-name: appleboy/ssh-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2022-11-21 19:07:04 +01:00