1
0
mirror of https://github.com/Nyr/openvpn-install.git synced 2024-11-23 21:46:08 +03:00
Commit Graph

120 Commits

Author SHA1 Message Date
Nyr
d30e11d019 Improve TUN device check
While it looks hackish, I don't think there's a better way (in Bash) to open
the /dev/net/tun character device.

Checking for presence of /dev/net/tun like were doing is not good enough.
2020-05-14 19:05:05 +02:00
Nyr
b392e7da8b Improved easy-rsa setup
No need to write the tarball to disk.
2020-05-10 20:02:08 +02:00
Nyr
07249185dd Improve nf_tables test for OVZ
This test is more reliable and flexible.
2020-05-05 18:23:21 +02:00
Nyr
2852150a5b OpenVZ nf_tables workaround
nf_tables is not available in old OpenVZ kernels, so we need to use
iptables-legacy instead.

This issue only affects Debian 10 as it is the only distribution using iptables
with a nf_tables backend by default.

This is supposedly resolved in the newest kernels: https://bit.ly/3fgNZCh

Additionally, a bugfix for the ip6tables path is also included.
2020-05-05 16:47:25 +02:00
Nyr
61549ffcef Improved firewall installation logic
New logic makes way more sense:
- If either firewalld or iptables are present, use whatever we have
- If not, install firewalld in CentOS/Fedora and iptables in Debian/Ubuntu
2020-05-01 17:52:12 +02:00
Nyr
ef30d9863c Improved firewall management
- Always use firewalld for CentOS and Fedora
- Cleaner check to find out if firewalld is active
2020-04-30 00:28:27 +02:00
Nyr
e0fa45b688 Fixes #642 2020-04-29 13:24:55 +02:00
Nyr
11b929ac82 Reworked OS detection
- Made OS detection more flexible and fine-grained
- Fedora is now officially supported
2020-04-24 17:48:24 +02:00
Nyr
f659724a6f Addresses #694
- Use a checkip service which works fine over HTTP to avoid issues in systems
where ca-certificates is not available
- Increase timeout to 10 seconds, because the new service is a bit slower from
some locations
- Improve grep sanitization
2020-04-21 16:45:49 +02:00
Nyr
cec053def4 Miscellaneous improvements
- Fix #694: added sanitization during the public IP address configuration and
switch to AWS checkip since the Akamai service doesn't support HTTPS.
- Add validation to cover an unlikely case where: server is behind NAT,
checkip service is unreachable and user doesn't provide input when asked for
the public IP address or hostname.
- Other small improvements not worth describing in detail.
2020-04-21 02:28:29 +02:00
Nyr
c6159aefb8 Update DNS providers
- Verisign removed (performance is subpar compared to competitors)
- NTT is back (fast and reliable)
- AdGuard added (for ad blocking)
2020-04-16 23:42:11 +02:00
Nyr
6f9daf49f5 Small style improvements 2020-04-16 23:33:14 +02:00
Nyr
5229459f99 IPv6 support
Clients will be provided with IPv6 connectivity if the server has it.

Other very small and unimportant improvements are also included in this commit.
2020-04-01 01:17:17 +02:00
Nyr
67e8427ba5
Remove the iptables NAT table check
LowEndSpirit fixed the issue on their end, so this is longer needed.

Additionally, the check causes unneeded trouble for users whose system doesn't
have the iptables package installed.
2020-04-01 00:54:00 +02:00
Nyr
9ea14fcbfc Update to easy-rsa v3.0.7 2020-03-31 02:35:50 +02:00
Nyr
6c4a21b5b9 Fix #727 2020-03-18 19:38:35 +01:00
Nyr
92d90dac29 Update error message
LowEndSpirit no longer requires that.
2019-12-23 20:19:57 +01:00
Nyr
71f5fcc023 Resolves #664 2019-10-16 22:09:25 +02:00
Nyr
6a29a6babd Miscellaneous improvements
This commit contains lots changes which are not very significant on its own but
provide important usability improvements and future proofing.

It also includes changes which required OpenVPN v2.4+ and were pending until
that version became widely available.

- General cleanup
- Improved IP address and NAT configuration
- Added input validation and sanitization
- Fix #603
- Remove "sndbuf" and "recvbuf" parameters
- Add server-side "explicit-exit-notify"
- Switch from "setenv opt" to "ignore-unknown-option"
- Switch from "tls-auth" to "tls-crypt"
- Other minor bugfixes and optimizations
2019-09-26 19:13:33 +02:00
Nyr
68e48d21b6 Check for unsupported distributions 2019-09-21 14:39:58 +02:00
Nyr
1c79a9603b Fix LimitNPROC in containers
See #206 for context.
2019-09-06 02:44:17 +02:00
Nyr
43ef4f920d Fedora support
The installer now works with Fedora and is probably ready for CentOS 8 too.
2019-06-13 03:15:18 +02:00
Nyr
a46a23d84a Migrate to the new systemd service
OpenVPN 2.4 packages provide a new systemd service unit which uses a different
directory structure. This commit drops support for Ubuntu 16.04 which has v2.3
packages.
2019-06-12 21:28:55 +02:00
Nyr
a6048d509f Switch to systemd for iptables configuration
See #464.
2019-06-07 16:17:14 +02:00
Nyr
510f9e1bf8 Remove support for old init systems
It was broken since b3953963ba anyway.
2019-05-24 14:47:02 +02:00
Nyr
d4efae3b10 Revert "Update to easy-rsa v3.0.6"
This reverts commit 43ccc5fd1c.
2019-04-24 16:52:47 +02:00
Nyr
43ccc5fd1c Update to easy-rsa v3.0.6 2019-02-02 13:21:30 +01:00
Nyr
456fbf189d Cleaner .ovpn files 2018-12-15 21:26:14 +01:00
Nyr
c90989a0e2 Use a predefined DH group
This is way faster than generating our own, see #532.
2018-10-20 14:52:24 +02:00
Nyr
6e21afcdda Update to easy-rsa v3.0.5 2018-09-25 15:20:15 +02:00
Sidd
22adb31b2e Disable compression to mitigate VORACLE (#509) 2018-08-28 14:18:58 +02:00
Nyr
cc81838501 Revert "Improve iptables configuration"
This reverts commit fdc2bfbdac.
2018-06-14 22:40:45 +02:00
Nyr
fdc2bfbdac Improve iptables configuration
See #464.
2018-06-08 17:46:09 +02:00
Nyr
b3953963ba Switch from /etc/sysctl.conf to systemd-sysctl 2018-06-08 16:07:49 +02:00
Nyr
6061a29028 Small UX improvements 2018-05-10 17:24:43 +02:00
Kcchouette
269551c25f
Update openvpn-install.sh 2018-05-03 11:03:15 +02:00
Nyr
d717353769 Cleanup
- SELinux in CentOS already has rules for both udp/1194 and tcp/1194,
so the protocol check was not needed.
- Remove unneeded arguments from some grep and rm commands.
2018-04-26 15:10:18 +02:00
Nyr
83234ddae4 Improve NAT detection
Cleaner and better:
- Not relying in an external service
- Avoids a false positive when the server has multiple public IPv4
addresses and the user selects one which is not the default gateway
2018-04-21 21:06:41 +02:00
Nyr
ff254aeb1e General cleanup 2018-04-21 20:41:16 +02:00
Nyr
cb28b57e09 Remove wget dependency in CentOS
curl is always included with CentOS and wget is always included with
Debian/Ubuntu. So it was useless to install wget in CentOS like we were
doing for those cases when it wasn't already installed. Now curl will
be used instead.
2018-04-19 21:25:18 +02:00
Nyr
2726a148ee Remove IP address detection fallback
It was never used, the one-liner is enough.
2018-04-19 21:00:58 +02:00
Nyr
cb2a5b8028 Clarify NAT configuration dialog
Closes #451.
2018-04-16 17:53:48 +02:00
Nyr
e73503054e Update DNS list
Added 1.1.1.1 and removed two mostly unpopular choices.

Currently discarded services are: Yandex, Neustar, NTT, HE, Quad9 and
Freenom World. The list was starting to get too big.
2018-04-04 17:28:09 +02:00
Nyr
33452242a1 Fix system resolvers option for environments running systemd-resolved 2018-01-21 18:21:53 +01:00
Nyr
02d634437b Update to easy-rsa v3.0.4 2018-01-21 17:54:33 +01:00
Nyr
0397827abe Resolves #353 2017-09-11 18:53:49 +02:00
Nyr
8f881565b7 Update to easy-rsa v3.0.3 2017-08-29 17:56:46 +02:00
Nyr
9c0579052f Fix #352
Set EASYRSA_CRL_DAYS to 3650 instead of the default 180.

OpenVPN 2.4+ enforces the nextUpdate value in the CRL as a hard limit,
and will not work if more than 6 months passed since it was generated.
2017-08-29 17:55:14 +02:00
Nyr
b2d8c73e1b Debian 9 compatibility and small bug fixes
- Removed Debian 9 compatibility warning
- openvpn-blacklist is no longer uninstalled on removal
- Improvement: removal of /usr/share/doc/openvpn* hasn't been needed
for years
- Fixed: live iptables removal was failing for Debian since
6d51476047
2017-06-20 19:19:10 +02:00
Nyr
82776145f2 Add temporal warning for Debian Stretch users 2017-06-18 17:58:53 +02:00