1
0
mirror of https://github.com/Nyr/openvpn-install.git synced 2024-11-27 23:46:07 +03:00
Commit Graph

195 Commits

Author SHA1 Message Date
Nyr
28f238bc43 Fix #284 2017-03-31 13:52:08 +02:00
Nyr
0d1db4608f Fix #280 2017-03-29 01:01:51 +02:00
Nyr
c94bc5e3b4 Multiple firewall bug fixes
- When FirewallD is detected, NAT is now applied via FirewallD instead
of iptables (fixes #267).
- iptables REJECT/DROP/ACCEPT rules where not being properly detected.
- iptables rules were applied even when FirewallD was detected and the
same rules were being applied via firewall-cmd.
2017-03-23 18:11:35 +01:00
Nyr
0c5af3a4f2 Fix formatting
Formatting was broken by GitHub with their new Flavored Markdown
specification.
2017-03-23 18:08:34 +01:00
Nyr
7d93fbf62f Small and boring improvements 2017-01-31 18:19:19 +01:00
Nyr
a31aaf82f3 Fix #255
Ubuntu no longer includes the rc.local file, so iptables weren’t
applied after a system reboot.
2017-01-29 19:03:49 +01:00
Nyr
971474e531 Improved iptables management
Rules are now instantly removed when uninstalling.
2017-01-28 22:05:42 +01:00
Nyr
6939dffb09 Fixed firewall and SELinux for TCP
- Firewall/SELinux configuration wasn't updated to work with TCP (fixes
#250)
- Uncluttered protocol selection a bit
2017-01-20 15:12:54 +01:00
Nyr
0e4bba792b TCP support
Also, my English sucks.
2017-01-04 03:41:47 +01:00
Nyr
c6880407dd UX improvements
Fixes #241.
2016-12-11 19:11:57 +01:00
Nyr
597d16d094 Upgrade cipher to AES-128-CBC
Will be the new default starting with OpenVPN 2.4.
2016-12-11 17:03:25 +01:00
Nyr
b6f0c42b5b Merge pull request #194 from hhktony/patch-3
Bugfix for situations when net.ipv4.ip_forward_use_pmtu is set in /etc/sysctl.conf.
2016-09-06 18:30:23 +02:00
Tony Xu
799b8f9a76 fix net.ipv4.ip_forward settings
If the `/etc/sysctl.conf` contains `net.ipv4.ip_forward_use_pmtu`
2016-09-06 23:52:08 +08:00
Nyr
791c54786c Better way to enable IP forwarding
Should be more universal than the previous approach.
2016-09-06 16:20:52 +02:00
Nyr
6e349e31cb Merge pull request #184 from redorkulated/master
Changed iptables to not lookup hosts
2016-09-01 16:23:57 +02:00
Michael
56f079289e Changed iptables to not lookup hosts
Should be faster lookup on iptables if firewall rules contain lots
of host IP addresses (no need for a DNS lookup on each one!)
2016-08-22 20:14:34 +01:00
Nyr
dab9a210c2 Offer updated 2016-07-23 16:50:02 +02:00
Nyr
5e29198c21 Offer updated 2016-07-23 16:44:41 +02:00
Nyr
ef1ae85797 Change cipher to AES-128-CBC 2016-05-16 02:52:33 +02:00
Nyr
ae5b5ce2be Drop privileges after initialization 2016-05-15 20:50:37 +02:00
Nyr
c5b4907fd6 Enable tls-auth 2016-05-15 19:22:32 +02:00
Nyr
acca10ba1a Prevent DNS leaks on Windows 10
- This will generate a warning in unsupported environments.
- This will not work if the client is using an OpenVPN version lower
than 2.3.9
- For OpenVPN 2.3.3+, ignore-unknown-option could be used instead of
setenv opt to prevent a warning.

TL;DR: upgrade to the latest OpenVPN on Windows, ignore the warning
elsewhere.

Thanks a lot for your continuous work on OpenVPN, @ValdikSS.
2016-05-15 01:49:50 +02:00
Nyr
52f419e0d5 Detect users running with "sh" instead of bash
And changed error codes. Sorry, not sorry.
2016-05-10 14:12:32 +02:00
Nyr
2bcb4681a1 Added Verisign DNS 2016-04-07 16:57:47 +02:00
Nyr
7fb12dc5cb Use "hash" instead of "which"
Always better to use builtins, and “which” is even missing in some
minimal templates.
2016-03-14 19:41:39 +01:00
Nyr
91b9373311 TAP is not needed
Not sure why it was there in the first place.
2016-03-13 22:45:34 +01:00
Nyr
3a96224d1f Revoking doesn't need a restart
The CRL is checked with every new connection and channel renegotiation,
no need to restart the server.
2016-03-08 01:12:43 +01:00
Nyr
96108e6b2e Clarify NAT question 2016-02-29 19:18:32 +01:00
Nyr
e8958b969e Avoid error message if sestatus isn't available
Just a cosmetic change.
2016-02-19 21:50:28 +01:00
Nyr
eaf6f1fed4 Removed Level 3 DNS
For some countries, Level 3 is now hijacking NXDOMAIN responses, so
removed.
2016-02-14 22:26:10 +01:00
Nyr
cf60872eae SELinux improvements
- Now the port exception is removed when uninstalling.
- sestatus seems to be more widely available.
2016-02-13 19:09:16 +01:00
Nyr
f9dafd6ec6 SELinux compatibility
This should’ve been supported for a long time.
2016-02-12 23:46:53 +01:00
Nyr
186737c769 Improved one-liner
git.io now supports HTTPS :)
2016-02-12 23:21:32 +01:00
Nyr
9779b817b6 Update README.md
The “isn’t bulletproof” part was confusing to some users which were
emailing me about security. I was just talking about compatibility.
2016-02-05 21:36:41 +01:00
Nyr
aa5c024b8e Merge pull request #107 from angrysnarl/master
Fixed rm -rf commands for revoking user certs
2015-12-15 17:17:31 +01:00
angrysnarl
a1b57a1c31 Fixed rm -rf commands for revoking user certs 2015-12-16 00:15:08 +08:00
Nyr
0df84e4541 Fix #105 2015-12-14 22:36:40 +01:00
Nyr
e58addc2c5 Verify server certificate during easy-rsa download 2015-11-24 23:04:56 +01:00
Nyr
d55effb08c Update to easy-rsa 3.0.1 2015-11-21 15:35:51 +01:00
Nyr
73da43b872 Merge pull request #88 from ValdikSS/buf
Do not allow OpenVPN to set (low) buffer sizes
2015-11-15 19:36:15 +01:00
Nyr
51998f0d56 Merge pull request #87 from ValdikSS/euid
Use EUID to check root
2015-11-15 19:35:26 +01:00
Nyr
5a0babb807 Merge pull request #86 from ValdikSS/exit
Use different exit codes on error
2015-11-15 19:35:13 +01:00
ValdikSS
0265fc0e06 Use different exit codes on error 2015-11-15 13:37:22 +03:00
ValdikSS
15a39afd11 Do not allow OpenVPN to set (low) buffer sizes 2015-11-15 13:36:20 +03:00
ValdikSS
2574097eb4 Use EUID to check root 2015-11-15 13:34:19 +03:00
Nyr
d32416561b Grep for DROP as well as REJECT 2015-10-07 19:57:04 +02:00
Nyr
5c65625bcc Merge pull request #76 from PeterDaveHello/patch-1
Don't run the script if download failed
2015-10-07 13:38:21 +02:00
Peter Dave Hello
5741989e69 Update README.md
Use `&&` instead of `;` in the command,
do not run the script if download failed.
2015-10-07 16:00:06 +08:00
Nyr
eb8d8257a0 The BIG commit
- Upgrade to easy-rsa 3.0.0
- Firewall support: rules are added for both FirewallD and iptables if
needed.
- Creation of our own configuration files for both the server and
clients.
- Using subnet topology instead of the deprecated net30.
- Removed port 53 question during install: user can just choose that
port during setup.
- Removed internal networking option: this is a road warrior installer
after all.
- Bugfix: the default easy-rsa directory was not correctly deleted if
one was already there.
2015-09-12 21:48:08 +02:00
Nyr
abe2ac44b1 Offer updated 2015-09-04 20:56:25 +02:00