1
0
mirror of https://github.com/Nyr/openvpn-install.git synced 2024-12-01 01:16:05 +03:00
Commit Graph

161 Commits

Author SHA1 Message Date
Nyr
cec053def4 Miscellaneous improvements
- Fix #694: added sanitization during the public IP address configuration and
switch to AWS checkip since the Akamai service doesn't support HTTPS.
- Add validation to cover an unlikely case where: server is behind NAT,
checkip service is unreachable and user doesn't provide input when asked for
the public IP address or hostname.
- Other small improvements not worth describing in detail.
2020-04-21 02:28:29 +02:00
Nyr
c6159aefb8 Update DNS providers
- Verisign removed (performance is subpar compared to competitors)
- NTT is back (fast and reliable)
- AdGuard added (for ad blocking)
2020-04-16 23:42:11 +02:00
Nyr
6f9daf49f5 Small style improvements 2020-04-16 23:33:14 +02:00
Nyr
5229459f99 IPv6 support
Clients will be provided with IPv6 connectivity if the server has it.

Other very small and unimportant improvements are also included in this commit.
2020-04-01 01:17:17 +02:00
Nyr
67e8427ba5
Remove the iptables NAT table check
LowEndSpirit fixed the issue on their end, so this is longer needed.

Additionally, the check causes unneeded trouble for users whose system doesn't
have the iptables package installed.
2020-04-01 00:54:00 +02:00
Nyr
9ea14fcbfc Update to easy-rsa v3.0.7 2020-03-31 02:35:50 +02:00
Nyr
6c4a21b5b9 Fix #727 2020-03-18 19:38:35 +01:00
Nyr
92d90dac29 Update error message
LowEndSpirit no longer requires that.
2019-12-23 20:19:57 +01:00
Nyr
71f5fcc023 Resolves #664 2019-10-16 22:09:25 +02:00
Nyr
6a29a6babd Miscellaneous improvements
This commit contains lots changes which are not very significant on its own but
provide important usability improvements and future proofing.

It also includes changes which required OpenVPN v2.4+ and were pending until
that version became widely available.

- General cleanup
- Improved IP address and NAT configuration
- Added input validation and sanitization
- Fix #603
- Remove "sndbuf" and "recvbuf" parameters
- Add server-side "explicit-exit-notify"
- Switch from "setenv opt" to "ignore-unknown-option"
- Switch from "tls-auth" to "tls-crypt"
- Other minor bugfixes and optimizations
2019-09-26 19:13:33 +02:00
Nyr
68e48d21b6 Check for unsupported distributions 2019-09-21 14:39:58 +02:00
Nyr
1c79a9603b Fix LimitNPROC in containers
See #206 for context.
2019-09-06 02:44:17 +02:00
Nyr
43ef4f920d Fedora support
The installer now works with Fedora and is probably ready for CentOS 8 too.
2019-06-13 03:15:18 +02:00
Nyr
a46a23d84a Migrate to the new systemd service
OpenVPN 2.4 packages provide a new systemd service unit which uses a different
directory structure. This commit drops support for Ubuntu 16.04 which has v2.3
packages.
2019-06-12 21:28:55 +02:00
Nyr
a6048d509f Switch to systemd for iptables configuration
See #464.
2019-06-07 16:17:14 +02:00
Nyr
510f9e1bf8 Remove support for old init systems
It was broken since b3953963ba anyway.
2019-05-24 14:47:02 +02:00
Nyr
d4efae3b10 Revert "Update to easy-rsa v3.0.6"
This reverts commit 43ccc5fd1c.
2019-04-24 16:52:47 +02:00
Nyr
43ccc5fd1c Update to easy-rsa v3.0.6 2019-02-02 13:21:30 +01:00
Nyr
456fbf189d Cleaner .ovpn files 2018-12-15 21:26:14 +01:00
Nyr
c90989a0e2 Use a predefined DH group
This is way faster than generating our own, see #532.
2018-10-20 14:52:24 +02:00
Nyr
6e21afcdda Update to easy-rsa v3.0.5 2018-09-25 15:20:15 +02:00
Sidd
22adb31b2e Disable compression to mitigate VORACLE (#509) 2018-08-28 14:18:58 +02:00
Nyr
cc81838501 Revert "Improve iptables configuration"
This reverts commit fdc2bfbdac.
2018-06-14 22:40:45 +02:00
Nyr
fdc2bfbdac Improve iptables configuration
See #464.
2018-06-08 17:46:09 +02:00
Nyr
b3953963ba Switch from /etc/sysctl.conf to systemd-sysctl 2018-06-08 16:07:49 +02:00
Nyr
6061a29028 Small UX improvements 2018-05-10 17:24:43 +02:00
Kcchouette
269551c25f
Update openvpn-install.sh 2018-05-03 11:03:15 +02:00
Nyr
d717353769 Cleanup
- SELinux in CentOS already has rules for both udp/1194 and tcp/1194,
so the protocol check was not needed.
- Remove unneeded arguments from some grep and rm commands.
2018-04-26 15:10:18 +02:00
Nyr
83234ddae4 Improve NAT detection
Cleaner and better:
- Not relying in an external service
- Avoids a false positive when the server has multiple public IPv4
addresses and the user selects one which is not the default gateway
2018-04-21 21:06:41 +02:00
Nyr
ff254aeb1e General cleanup 2018-04-21 20:41:16 +02:00
Nyr
cb28b57e09 Remove wget dependency in CentOS
curl is always included with CentOS and wget is always included with
Debian/Ubuntu. So it was useless to install wget in CentOS like we were
doing for those cases when it wasn't already installed. Now curl will
be used instead.
2018-04-19 21:25:18 +02:00
Nyr
2726a148ee Remove IP address detection fallback
It was never used, the one-liner is enough.
2018-04-19 21:00:58 +02:00
Nyr
cb2a5b8028 Clarify NAT configuration dialog
Closes #451.
2018-04-16 17:53:48 +02:00
Nyr
e73503054e Update DNS list
Added 1.1.1.1 and removed two mostly unpopular choices.

Currently discarded services are: Yandex, Neustar, NTT, HE, Quad9 and
Freenom World. The list was starting to get too big.
2018-04-04 17:28:09 +02:00
Nyr
33452242a1 Fix system resolvers option for environments running systemd-resolved 2018-01-21 18:21:53 +01:00
Nyr
02d634437b Update to easy-rsa v3.0.4 2018-01-21 17:54:33 +01:00
Nyr
0397827abe Resolves #353 2017-09-11 18:53:49 +02:00
Nyr
8f881565b7 Update to easy-rsa v3.0.3 2017-08-29 17:56:46 +02:00
Nyr
9c0579052f Fix #352
Set EASYRSA_CRL_DAYS to 3650 instead of the default 180.

OpenVPN 2.4+ enforces the nextUpdate value in the CRL as a hard limit,
and will not work if more than 6 months passed since it was generated.
2017-08-29 17:55:14 +02:00
Nyr
b2d8c73e1b Debian 9 compatibility and small bug fixes
- Removed Debian 9 compatibility warning
- openvpn-blacklist is no longer uninstalled on removal
- Improvement: removal of /usr/share/doc/openvpn* hasn't been needed
for years
- Fixed: live iptables removal was failing for Debian since
6d51476047
2017-06-20 19:19:10 +02:00
Nyr
82776145f2 Add temporal warning for Debian Stretch users 2017-06-18 17:58:53 +02:00
Nyr
c0f0d47a64 Upgrade HMAC digest algorithm to SHA-512
This was long overdue for compatibility reasons. My decision to force
the upgrade now, has been made following recomendations published in
the OpenVPN 2.4 audit performed by Cryptography Engineering LLC.
2017-06-04 13:16:57 +02:00
Nyr
6d51476047 Enable internal networking
See #299.
2017-04-27 14:46:34 +02:00
Nyr
28f238bc43 Fix #284 2017-03-31 13:52:08 +02:00
Nyr
c94bc5e3b4 Multiple firewall bug fixes
- When FirewallD is detected, NAT is now applied via FirewallD instead
of iptables (fixes #267).
- iptables REJECT/DROP/ACCEPT rules where not being properly detected.
- iptables rules were applied even when FirewallD was detected and the
same rules were being applied via firewall-cmd.
2017-03-23 18:11:35 +01:00
Nyr
7d93fbf62f Small and boring improvements 2017-01-31 18:19:19 +01:00
Nyr
a31aaf82f3 Fix #255
Ubuntu no longer includes the rc.local file, so iptables weren’t
applied after a system reboot.
2017-01-29 19:03:49 +01:00
Nyr
971474e531 Improved iptables management
Rules are now instantly removed when uninstalling.
2017-01-28 22:05:42 +01:00
Nyr
6939dffb09 Fixed firewall and SELinux for TCP
- Firewall/SELinux configuration wasn't updated to work with TCP (fixes
#250)
- Uncluttered protocol selection a bit
2017-01-20 15:12:54 +01:00
Nyr
0e4bba792b TCP support
Also, my English sucks.
2017-01-04 03:41:47 +01:00
Nyr
c6880407dd UX improvements
Fixes #241.
2016-12-11 19:11:57 +01:00
Nyr
597d16d094 Upgrade cipher to AES-128-CBC
Will be the new default starting with OpenVPN 2.4.
2016-12-11 17:03:25 +01:00
Tony Xu
799b8f9a76 fix net.ipv4.ip_forward settings
If the `/etc/sysctl.conf` contains `net.ipv4.ip_forward_use_pmtu`
2016-09-06 23:52:08 +08:00
Nyr
791c54786c Better way to enable IP forwarding
Should be more universal than the previous approach.
2016-09-06 16:20:52 +02:00
Michael
56f079289e Changed iptables to not lookup hosts
Should be faster lookup on iptables if firewall rules contain lots
of host IP addresses (no need for a DNS lookup on each one!)
2016-08-22 20:14:34 +01:00
Nyr
ef1ae85797 Change cipher to AES-128-CBC 2016-05-16 02:52:33 +02:00
Nyr
ae5b5ce2be Drop privileges after initialization 2016-05-15 20:50:37 +02:00
Nyr
c5b4907fd6 Enable tls-auth 2016-05-15 19:22:32 +02:00
Nyr
acca10ba1a Prevent DNS leaks on Windows 10
- This will generate a warning in unsupported environments.
- This will not work if the client is using an OpenVPN version lower
than 2.3.9
- For OpenVPN 2.3.3+, ignore-unknown-option could be used instead of
setenv opt to prevent a warning.

TL;DR: upgrade to the latest OpenVPN on Windows, ignore the warning
elsewhere.

Thanks a lot for your continuous work on OpenVPN, @ValdikSS.
2016-05-15 01:49:50 +02:00
Nyr
52f419e0d5 Detect users running with "sh" instead of bash
And changed error codes. Sorry, not sorry.
2016-05-10 14:12:32 +02:00
Nyr
2bcb4681a1 Added Verisign DNS 2016-04-07 16:57:47 +02:00
Nyr
7fb12dc5cb Use "hash" instead of "which"
Always better to use builtins, and “which” is even missing in some
minimal templates.
2016-03-14 19:41:39 +01:00
Nyr
91b9373311 TAP is not needed
Not sure why it was there in the first place.
2016-03-13 22:45:34 +01:00
Nyr
3a96224d1f Revoking doesn't need a restart
The CRL is checked with every new connection and channel renegotiation,
no need to restart the server.
2016-03-08 01:12:43 +01:00
Nyr
96108e6b2e Clarify NAT question 2016-02-29 19:18:32 +01:00
Nyr
e8958b969e Avoid error message if sestatus isn't available
Just a cosmetic change.
2016-02-19 21:50:28 +01:00
Nyr
eaf6f1fed4 Removed Level 3 DNS
For some countries, Level 3 is now hijacking NXDOMAIN responses, so
removed.
2016-02-14 22:26:10 +01:00
Nyr
cf60872eae SELinux improvements
- Now the port exception is removed when uninstalling.
- sestatus seems to be more widely available.
2016-02-13 19:09:16 +01:00
Nyr
f9dafd6ec6 SELinux compatibility
This should’ve been supported for a long time.
2016-02-12 23:46:53 +01:00
angrysnarl
a1b57a1c31 Fixed rm -rf commands for revoking user certs 2015-12-16 00:15:08 +08:00
Nyr
0df84e4541 Fix #105 2015-12-14 22:36:40 +01:00
Nyr
e58addc2c5 Verify server certificate during easy-rsa download 2015-11-24 23:04:56 +01:00
Nyr
d55effb08c Update to easy-rsa 3.0.1 2015-11-21 15:35:51 +01:00
Nyr
73da43b872 Merge pull request #88 from ValdikSS/buf
Do not allow OpenVPN to set (low) buffer sizes
2015-11-15 19:36:15 +01:00
Nyr
51998f0d56 Merge pull request #87 from ValdikSS/euid
Use EUID to check root
2015-11-15 19:35:26 +01:00
ValdikSS
0265fc0e06 Use different exit codes on error 2015-11-15 13:37:22 +03:00
ValdikSS
15a39afd11 Do not allow OpenVPN to set (low) buffer sizes 2015-11-15 13:36:20 +03:00
ValdikSS
2574097eb4 Use EUID to check root 2015-11-15 13:34:19 +03:00
Nyr
d32416561b Grep for DROP as well as REJECT 2015-10-07 19:57:04 +02:00
Nyr
eb8d8257a0 The BIG commit
- Upgrade to easy-rsa 3.0.0
- Firewall support: rules are added for both FirewallD and iptables if
needed.
- Creation of our own configuration files for both the server and
clients.
- Using subnet topology instead of the deprecated net30.
- Removed port 53 question during install: user can just choose that
port during setup.
- Removed internal networking option: this is a road warrior installer
after all.
- Bugfix: the default easy-rsa directory was not correctly deleted if
one was already there.
2015-09-12 21:48:08 +02:00
Nyr
b46a0541dd Replaced Yandex DNS with Google
Yandex DNS is not stable enough, Google was previously missing.
2015-08-05 02:17:24 +02:00
Hyacinthe Cartiaux
91e09dedf1 Remove a useless use of wc 2015-08-01 20:27:30 +02:00
Nyr
7d467d9666 Multiple improvements
- Better UX for client certificate revocation: a list of the current
client names is shown to the user
- easy-rsa 2.2.2 now used by default: it’s easier for me to maintain a
single version
2015-07-22 08:02:59 +02:00
Nyr
b778c1aed9 Cosmetic bugfix 2015-06-29 09:23:44 +02:00
Nyr
cf48ecd3b0 Bugfixes
- Little fix for Debian Jessie
- Better systemd detection
- Fixed revocation on CentOS
2015-04-28 18:35:54 +02:00
Nyr
68b5ff7e99 Revert "Cleaner port 53 setup"
This reverts commit fb036d575b.
2015-03-10 10:44:47 +01:00
Nyr
fb036d575b Cleaner port 53 setup 2015-02-16 17:33:22 +01:00
Nyr
fad088013c CentOS support and other improvements 2015-02-11 19:51:19 +01:00
Nyr
a256194ecb Add feedback during removal abortion 2015-01-25 20:45:07 +01:00
Nyr
98b39e7354 Added a confirmation dialog before removing 2015-01-21 03:03:14 +01:00
Nyr
6d4af520b8 Bugfix for systems with a non-standard rc.local 2014-11-07 00:53:28 +01:00
Nyr
215140b682 Options for custom DNS and intra-VPN connectivity 2014-11-04 21:57:36 +01:00
Nyr
2174037768 Now using in-line certificates 2014-10-23 03:16:09 +02:00
Nyr
091e487472 Cleanup 2014-10-23 00:19:08 +02:00
Nyr
936a8b8ff0 Removed useless cat 2014-09-25 04:00:32 +02:00
Nyr
091ef01a8b Bug fix + future bulletproofness
- Use always double [[]] blocks (bug fix for the test at line 208 under
some circumstances)
- bash shell is now forced
- All variables are now quoted
2014-09-18 23:34:22 +02:00
Nyr
afb30c44da Now using resolvers from resolv.conf
This will help with some ISPs restricting access to third party DNS
servers like it happens with LowEndSpirit and Torqhost.
2014-05-15 18:20:53 +02:00
Nyr
c72a4d2b5e Bugfix: port redirect wasn't correctly set when a custom port was in place 2014-03-12 21:14:38 +01:00
Nyr
a69dae3021 Check if the script is running on a Debian-based system before starting
Fixed some spacing too
2014-03-12 21:06:57 +01:00
Nyr
6d89279940 Bugfix for systems with multiple IPv4 addresses available 2013-12-20 18:50:30 +01:00