Nyr
9c0579052f
Fix #352
...
Set EASYRSA_CRL_DAYS to 3650 instead of the default 180.
OpenVPN 2.4+ enforces the nextUpdate value in the CRL as a hard limit,
and will not work if more than 6 months passed since it was generated.
2017-08-29 17:55:14 +02:00
Nyr
b2d8c73e1b
Debian 9 compatibility and small bug fixes
...
- Removed Debian 9 compatibility warning
- openvpn-blacklist is no longer uninstalled on removal
- Improvement: removal of /usr/share/doc/openvpn* hasn't been needed
for years
- Fixed: live iptables removal was failing for Debian since
6d51476047
2017-06-20 19:19:10 +02:00
Nyr
82776145f2
Add temporal warning for Debian Stretch users
2017-06-18 17:58:53 +02:00
Nyr
c0f0d47a64
Upgrade HMAC digest algorithm to SHA-512
...
This was long overdue for compatibility reasons. My decision to force
the upgrade now, has been made following recomendations published in
the OpenVPN 2.4 audit performed by Cryptography Engineering LLC.
2017-06-04 13:16:57 +02:00
Nyr
bcca288029
Offer updated
2017-05-30 15:15:14 +02:00
Nyr
6d51476047
Enable internal networking
...
See #299 .
2017-04-27 14:46:34 +02:00
Nyr
28f238bc43
Fix #284
2017-03-31 13:52:08 +02:00
Nyr
0d1db4608f
Fix #280
2017-03-29 01:01:51 +02:00
Nyr
c94bc5e3b4
Multiple firewall bug fixes
...
- When FirewallD is detected, NAT is now applied via FirewallD instead
of iptables (fixes #267 ).
- iptables REJECT/DROP/ACCEPT rules where not being properly detected.
- iptables rules were applied even when FirewallD was detected and the
same rules were being applied via firewall-cmd.
2017-03-23 18:11:35 +01:00
Nyr
0c5af3a4f2
Fix formatting
...
Formatting was broken by GitHub with their new Flavored Markdown
specification.
2017-03-23 18:08:34 +01:00
Nyr
7d93fbf62f
Small and boring improvements
2017-01-31 18:19:19 +01:00
Nyr
a31aaf82f3
Fix #255
...
Ubuntu no longer includes the rc.local file, so iptables weren’t
applied after a system reboot.
2017-01-29 19:03:49 +01:00
Nyr
971474e531
Improved iptables management
...
Rules are now instantly removed when uninstalling.
2017-01-28 22:05:42 +01:00
Nyr
6939dffb09
Fixed firewall and SELinux for TCP
...
- Firewall/SELinux configuration wasn't updated to work with TCP (fixes
#250 )
- Uncluttered protocol selection a bit
2017-01-20 15:12:54 +01:00
Nyr
0e4bba792b
TCP support
...
Also, my English sucks.
2017-01-04 03:41:47 +01:00
Nyr
c6880407dd
UX improvements
...
Fixes #241 .
2016-12-11 19:11:57 +01:00
Nyr
597d16d094
Upgrade cipher to AES-128-CBC
...
Will be the new default starting with OpenVPN 2.4.
2016-12-11 17:03:25 +01:00
Nyr
b6f0c42b5b
Merge pull request #194 from hhktony/patch-3
...
Bugfix for situations when net.ipv4.ip_forward_use_pmtu is set in /etc/sysctl.conf.
2016-09-06 18:30:23 +02:00
Tony Xu
799b8f9a76
fix net.ipv4.ip_forward settings
...
If the `/etc/sysctl.conf` contains `net.ipv4.ip_forward_use_pmtu`
2016-09-06 23:52:08 +08:00
Nyr
791c54786c
Better way to enable IP forwarding
...
Should be more universal than the previous approach.
2016-09-06 16:20:52 +02:00
Nyr
6e349e31cb
Merge pull request #184 from redorkulated/master
...
Changed iptables to not lookup hosts
2016-09-01 16:23:57 +02:00
Michael
56f079289e
Changed iptables to not lookup hosts
...
Should be faster lookup on iptables if firewall rules contain lots
of host IP addresses (no need for a DNS lookup on each one!)
2016-08-22 20:14:34 +01:00
Nyr
dab9a210c2
Offer updated
2016-07-23 16:50:02 +02:00
Nyr
5e29198c21
Offer updated
2016-07-23 16:44:41 +02:00
Nyr
ef1ae85797
Change cipher to AES-128-CBC
2016-05-16 02:52:33 +02:00
Nyr
ae5b5ce2be
Drop privileges after initialization
2016-05-15 20:50:37 +02:00
Nyr
c5b4907fd6
Enable tls-auth
2016-05-15 19:22:32 +02:00
Nyr
acca10ba1a
Prevent DNS leaks on Windows 10
...
- This will generate a warning in unsupported environments.
- This will not work if the client is using an OpenVPN version lower
than 2.3.9
- For OpenVPN 2.3.3+, ignore-unknown-option could be used instead of
setenv opt to prevent a warning.
TL;DR: upgrade to the latest OpenVPN on Windows, ignore the warning
elsewhere.
Thanks a lot for your continuous work on OpenVPN, @ValdikSS.
2016-05-15 01:49:50 +02:00
Nyr
52f419e0d5
Detect users running with "sh" instead of bash
...
And changed error codes. Sorry, not sorry.
2016-05-10 14:12:32 +02:00
Nyr
2bcb4681a1
Added Verisign DNS
2016-04-07 16:57:47 +02:00
Nyr
7fb12dc5cb
Use "hash" instead of "which"
...
Always better to use builtins, and “which” is even missing in some
minimal templates.
2016-03-14 19:41:39 +01:00
Nyr
91b9373311
TAP is not needed
...
Not sure why it was there in the first place.
2016-03-13 22:45:34 +01:00
Nyr
3a96224d1f
Revoking doesn't need a restart
...
The CRL is checked with every new connection and channel renegotiation,
no need to restart the server.
2016-03-08 01:12:43 +01:00
Nyr
96108e6b2e
Clarify NAT question
2016-02-29 19:18:32 +01:00
Nyr
e8958b969e
Avoid error message if sestatus isn't available
...
Just a cosmetic change.
2016-02-19 21:50:28 +01:00
Nyr
eaf6f1fed4
Removed Level 3 DNS
...
For some countries, Level 3 is now hijacking NXDOMAIN responses, so
removed.
2016-02-14 22:26:10 +01:00
Nyr
cf60872eae
SELinux improvements
...
- Now the port exception is removed when uninstalling.
- sestatus seems to be more widely available.
2016-02-13 19:09:16 +01:00
Nyr
f9dafd6ec6
SELinux compatibility
...
This should’ve been supported for a long time.
2016-02-12 23:46:53 +01:00
Nyr
186737c769
Improved one-liner
...
git.io now supports HTTPS :)
2016-02-12 23:21:32 +01:00
Nyr
9779b817b6
Update README.md
...
The “isn’t bulletproof” part was confusing to some users which were
emailing me about security. I was just talking about compatibility.
2016-02-05 21:36:41 +01:00
Nyr
aa5c024b8e
Merge pull request #107 from angrysnarl/master
...
Fixed rm -rf commands for revoking user certs
2015-12-15 17:17:31 +01:00
angrysnarl
a1b57a1c31
Fixed rm -rf commands for revoking user certs
2015-12-16 00:15:08 +08:00
Nyr
0df84e4541
Fix #105
2015-12-14 22:36:40 +01:00
Nyr
e58addc2c5
Verify server certificate during easy-rsa download
2015-11-24 23:04:56 +01:00
Nyr
d55effb08c
Update to easy-rsa 3.0.1
2015-11-21 15:35:51 +01:00
Nyr
73da43b872
Merge pull request #88 from ValdikSS/buf
...
Do not allow OpenVPN to set (low) buffer sizes
2015-11-15 19:36:15 +01:00
Nyr
51998f0d56
Merge pull request #87 from ValdikSS/euid
...
Use EUID to check root
2015-11-15 19:35:26 +01:00
Nyr
5a0babb807
Merge pull request #86 from ValdikSS/exit
...
Use different exit codes on error
2015-11-15 19:35:13 +01:00
ValdikSS
0265fc0e06
Use different exit codes on error
2015-11-15 13:37:22 +03:00
ValdikSS
15a39afd11
Do not allow OpenVPN to set (low) buffer sizes
2015-11-15 13:36:20 +03:00