Nyr
d4efae3b10
Revert "Update to easy-rsa v3.0.6"
...
This reverts commit 43ccc5fd1c
.
2019-04-24 16:52:47 +02:00
Nyr
43ccc5fd1c
Update to easy-rsa v3.0.6
2019-02-02 13:21:30 +01:00
Nyr
456fbf189d
Cleaner .ovpn files
2018-12-15 21:26:14 +01:00
Nyr
c90989a0e2
Use a predefined DH group
...
This is way faster than generating our own, see #532 .
2018-10-20 14:52:24 +02:00
Nyr
6e21afcdda
Update to easy-rsa v3.0.5
2018-09-25 15:20:15 +02:00
Sidd
22adb31b2e
Disable compression to mitigate VORACLE ( #509 )
2018-08-28 14:18:58 +02:00
Nyr
cc81838501
Revert "Improve iptables configuration"
...
This reverts commit fdc2bfbdac
.
2018-06-14 22:40:45 +02:00
Nyr
fdc2bfbdac
Improve iptables configuration
...
See #464 .
2018-06-08 17:46:09 +02:00
Nyr
b3953963ba
Switch from /etc/sysctl.conf to systemd-sysctl
2018-06-08 16:07:49 +02:00
Nyr
6061a29028
Small UX improvements
2018-05-10 17:24:43 +02:00
Kcchouette
269551c25f
Update openvpn-install.sh
2018-05-03 11:03:15 +02:00
Nyr
d717353769
Cleanup
...
- SELinux in CentOS already has rules for both udp/1194 and tcp/1194,
so the protocol check was not needed.
- Remove unneeded arguments from some grep and rm commands.
2018-04-26 15:10:18 +02:00
Nyr
83234ddae4
Improve NAT detection
...
Cleaner and better:
- Not relying in an external service
- Avoids a false positive when the server has multiple public IPv4
addresses and the user selects one which is not the default gateway
2018-04-21 21:06:41 +02:00
Nyr
ff254aeb1e
General cleanup
2018-04-21 20:41:16 +02:00
Nyr
cb28b57e09
Remove wget dependency in CentOS
...
curl is always included with CentOS and wget is always included with
Debian/Ubuntu. So it was useless to install wget in CentOS like we were
doing for those cases when it wasn't already installed. Now curl will
be used instead.
2018-04-19 21:25:18 +02:00
Nyr
2726a148ee
Remove IP address detection fallback
...
It was never used, the one-liner is enough.
2018-04-19 21:00:58 +02:00
Nyr
cb2a5b8028
Clarify NAT configuration dialog
...
Closes #451 .
2018-04-16 17:53:48 +02:00
Nyr
e73503054e
Update DNS list
...
Added 1.1.1.1 and removed two mostly unpopular choices.
Currently discarded services are: Yandex, Neustar, NTT, HE, Quad9 and
Freenom World. The list was starting to get too big.
2018-04-04 17:28:09 +02:00
Nyr
33452242a1
Fix system resolvers option for environments running systemd-resolved
2018-01-21 18:21:53 +01:00
Nyr
02d634437b
Update to easy-rsa v3.0.4
2018-01-21 17:54:33 +01:00
Nyr
0397827abe
Resolves #353
2017-09-11 18:53:49 +02:00
Nyr
8f881565b7
Update to easy-rsa v3.0.3
2017-08-29 17:56:46 +02:00
Nyr
9c0579052f
Fix #352
...
Set EASYRSA_CRL_DAYS to 3650 instead of the default 180.
OpenVPN 2.4+ enforces the nextUpdate value in the CRL as a hard limit,
and will not work if more than 6 months passed since it was generated.
2017-08-29 17:55:14 +02:00
Nyr
b2d8c73e1b
Debian 9 compatibility and small bug fixes
...
- Removed Debian 9 compatibility warning
- openvpn-blacklist is no longer uninstalled on removal
- Improvement: removal of /usr/share/doc/openvpn* hasn't been needed
for years
- Fixed: live iptables removal was failing for Debian since
6d51476047
2017-06-20 19:19:10 +02:00
Nyr
82776145f2
Add temporal warning for Debian Stretch users
2017-06-18 17:58:53 +02:00
Nyr
c0f0d47a64
Upgrade HMAC digest algorithm to SHA-512
...
This was long overdue for compatibility reasons. My decision to force
the upgrade now, has been made following recomendations published in
the OpenVPN 2.4 audit performed by Cryptography Engineering LLC.
2017-06-04 13:16:57 +02:00
Nyr
6d51476047
Enable internal networking
...
See #299 .
2017-04-27 14:46:34 +02:00
Nyr
28f238bc43
Fix #284
2017-03-31 13:52:08 +02:00
Nyr
c94bc5e3b4
Multiple firewall bug fixes
...
- When FirewallD is detected, NAT is now applied via FirewallD instead
of iptables (fixes #267 ).
- iptables REJECT/DROP/ACCEPT rules where not being properly detected.
- iptables rules were applied even when FirewallD was detected and the
same rules were being applied via firewall-cmd.
2017-03-23 18:11:35 +01:00
Nyr
7d93fbf62f
Small and boring improvements
2017-01-31 18:19:19 +01:00
Nyr
a31aaf82f3
Fix #255
...
Ubuntu no longer includes the rc.local file, so iptables weren’t
applied after a system reboot.
2017-01-29 19:03:49 +01:00
Nyr
971474e531
Improved iptables management
...
Rules are now instantly removed when uninstalling.
2017-01-28 22:05:42 +01:00
Nyr
6939dffb09
Fixed firewall and SELinux for TCP
...
- Firewall/SELinux configuration wasn't updated to work with TCP (fixes
#250 )
- Uncluttered protocol selection a bit
2017-01-20 15:12:54 +01:00
Nyr
0e4bba792b
TCP support
...
Also, my English sucks.
2017-01-04 03:41:47 +01:00
Nyr
c6880407dd
UX improvements
...
Fixes #241 .
2016-12-11 19:11:57 +01:00
Nyr
597d16d094
Upgrade cipher to AES-128-CBC
...
Will be the new default starting with OpenVPN 2.4.
2016-12-11 17:03:25 +01:00
Tony Xu
799b8f9a76
fix net.ipv4.ip_forward settings
...
If the `/etc/sysctl.conf` contains `net.ipv4.ip_forward_use_pmtu`
2016-09-06 23:52:08 +08:00
Nyr
791c54786c
Better way to enable IP forwarding
...
Should be more universal than the previous approach.
2016-09-06 16:20:52 +02:00
Michael
56f079289e
Changed iptables to not lookup hosts
...
Should be faster lookup on iptables if firewall rules contain lots
of host IP addresses (no need for a DNS lookup on each one!)
2016-08-22 20:14:34 +01:00
Nyr
ef1ae85797
Change cipher to AES-128-CBC
2016-05-16 02:52:33 +02:00
Nyr
ae5b5ce2be
Drop privileges after initialization
2016-05-15 20:50:37 +02:00
Nyr
c5b4907fd6
Enable tls-auth
2016-05-15 19:22:32 +02:00
Nyr
acca10ba1a
Prevent DNS leaks on Windows 10
...
- This will generate a warning in unsupported environments.
- This will not work if the client is using an OpenVPN version lower
than 2.3.9
- For OpenVPN 2.3.3+, ignore-unknown-option could be used instead of
setenv opt to prevent a warning.
TL;DR: upgrade to the latest OpenVPN on Windows, ignore the warning
elsewhere.
Thanks a lot for your continuous work on OpenVPN, @ValdikSS.
2016-05-15 01:49:50 +02:00
Nyr
52f419e0d5
Detect users running with "sh" instead of bash
...
And changed error codes. Sorry, not sorry.
2016-05-10 14:12:32 +02:00
Nyr
2bcb4681a1
Added Verisign DNS
2016-04-07 16:57:47 +02:00
Nyr
7fb12dc5cb
Use "hash" instead of "which"
...
Always better to use builtins, and “which” is even missing in some
minimal templates.
2016-03-14 19:41:39 +01:00
Nyr
91b9373311
TAP is not needed
...
Not sure why it was there in the first place.
2016-03-13 22:45:34 +01:00
Nyr
3a96224d1f
Revoking doesn't need a restart
...
The CRL is checked with every new connection and channel renegotiation,
no need to restart the server.
2016-03-08 01:12:43 +01:00
Nyr
96108e6b2e
Clarify NAT question
2016-02-29 19:18:32 +01:00
Nyr
e8958b969e
Avoid error message if sestatus isn't available
...
Just a cosmetic change.
2016-02-19 21:50:28 +01:00
Nyr
eaf6f1fed4
Removed Level 3 DNS
...
For some countries, Level 3 is now hijacking NXDOMAIN responses, so
removed.
2016-02-14 22:26:10 +01:00
Nyr
cf60872eae
SELinux improvements
...
- Now the port exception is removed when uninstalling.
- sestatus seems to be more widely available.
2016-02-13 19:09:16 +01:00
Nyr
f9dafd6ec6
SELinux compatibility
...
This should’ve been supported for a long time.
2016-02-12 23:46:53 +01:00
angrysnarl
a1b57a1c31
Fixed rm -rf commands for revoking user certs
2015-12-16 00:15:08 +08:00
Nyr
0df84e4541
Fix #105
2015-12-14 22:36:40 +01:00
Nyr
e58addc2c5
Verify server certificate during easy-rsa download
2015-11-24 23:04:56 +01:00
Nyr
d55effb08c
Update to easy-rsa 3.0.1
2015-11-21 15:35:51 +01:00
Nyr
73da43b872
Merge pull request #88 from ValdikSS/buf
...
Do not allow OpenVPN to set (low) buffer sizes
2015-11-15 19:36:15 +01:00
Nyr
51998f0d56
Merge pull request #87 from ValdikSS/euid
...
Use EUID to check root
2015-11-15 19:35:26 +01:00
ValdikSS
0265fc0e06
Use different exit codes on error
2015-11-15 13:37:22 +03:00
ValdikSS
15a39afd11
Do not allow OpenVPN to set (low) buffer sizes
2015-11-15 13:36:20 +03:00
ValdikSS
2574097eb4
Use EUID to check root
2015-11-15 13:34:19 +03:00
Nyr
d32416561b
Grep for DROP as well as REJECT
2015-10-07 19:57:04 +02:00
Nyr
eb8d8257a0
The BIG commit
...
- Upgrade to easy-rsa 3.0.0
- Firewall support: rules are added for both FirewallD and iptables if
needed.
- Creation of our own configuration files for both the server and
clients.
- Using subnet topology instead of the deprecated net30.
- Removed port 53 question during install: user can just choose that
port during setup.
- Removed internal networking option: this is a road warrior installer
after all.
- Bugfix: the default easy-rsa directory was not correctly deleted if
one was already there.
2015-09-12 21:48:08 +02:00
Nyr
b46a0541dd
Replaced Yandex DNS with Google
...
Yandex DNS is not stable enough, Google was previously missing.
2015-08-05 02:17:24 +02:00
Hyacinthe Cartiaux
91e09dedf1
Remove a useless use of wc
2015-08-01 20:27:30 +02:00
Nyr
7d467d9666
Multiple improvements
...
- Better UX for client certificate revocation: a list of the current
client names is shown to the user
- easy-rsa 2.2.2 now used by default: it’s easier for me to maintain a
single version
2015-07-22 08:02:59 +02:00
Nyr
b778c1aed9
Cosmetic bugfix
2015-06-29 09:23:44 +02:00
Nyr
cf48ecd3b0
Bugfixes
...
- Little fix for Debian Jessie
- Better systemd detection
- Fixed revocation on CentOS
2015-04-28 18:35:54 +02:00
Nyr
68b5ff7e99
Revert "Cleaner port 53 setup"
...
This reverts commit fb036d575b
.
2015-03-10 10:44:47 +01:00
Nyr
fb036d575b
Cleaner port 53 setup
2015-02-16 17:33:22 +01:00
Nyr
fad088013c
CentOS support and other improvements
2015-02-11 19:51:19 +01:00
Nyr
a256194ecb
Add feedback during removal abortion
2015-01-25 20:45:07 +01:00
Nyr
98b39e7354
Added a confirmation dialog before removing
2015-01-21 03:03:14 +01:00
Nyr
6d4af520b8
Bugfix for systems with a non-standard rc.local
2014-11-07 00:53:28 +01:00
Nyr
215140b682
Options for custom DNS and intra-VPN connectivity
2014-11-04 21:57:36 +01:00
Nyr
2174037768
Now using in-line certificates
2014-10-23 03:16:09 +02:00
Nyr
091e487472
Cleanup
2014-10-23 00:19:08 +02:00
Nyr
936a8b8ff0
Removed useless cat
2014-09-25 04:00:32 +02:00
Nyr
091ef01a8b
Bug fix + future bulletproofness
...
- Use always double [[]] blocks (bug fix for the test at line 208 under
some circumstances)
- bash shell is now forced
- All variables are now quoted
2014-09-18 23:34:22 +02:00
Nyr
afb30c44da
Now using resolvers from resolv.conf
...
This will help with some ISPs restricting access to third party DNS
servers like it happens with LowEndSpirit and Torqhost.
2014-05-15 18:20:53 +02:00
Nyr
c72a4d2b5e
Bugfix: port redirect wasn't correctly set when a custom port was in place
2014-03-12 21:14:38 +01:00
Nyr
a69dae3021
Check if the script is running on a Debian-based system before starting
...
Fixed some spacing too
2014-03-12 21:06:57 +01:00
Nyr
6d89279940
Bugfix for systems with multiple IPv4 addresses available
2013-12-20 18:50:30 +01:00
Nyr
ee9750a210
Use Easy-RSA 2.2.2 instead of the master branch with Debian Jessie and Ubuntu Saucy
...
This was needed for Debian Jessie, but using always the latest Easy-RSA
was a bad idea.
I will force Easy-RSA 2.2.2 for now and until Jessie becomes stable.
Then we can probably just use the distro packages instead of Github,
but for now this will work.
2013-12-19 22:09:20 +01:00
Nyr
b30130b506
Bugfixes
...
- easy-rsa was downloaded from Github even on systems where it was available by default.
- easy-rsa.tar.gz is now removed when no longer needed.
2013-10-04 19:04:12 +02:00
Nyr
6c22c657f7
Update openvpn-install.sh
2013-08-22 17:00:53 +02:00
Nyr
2533e2e113
Bugfix: routes not being pushed
2013-08-05 00:58:43 +02:00
Nyr
0eda63842c
Remove temporary files when they are no longer needed
2013-08-04 14:22:02 +02:00
Nyr
31040f475a
2048 bit keys by default and Debian Jessie compatibility
2013-08-04 14:11:38 +02:00
Nyr
730691c8a1
Various bugfixes and improvements
...
- Assisted configuration for servers behind a NAT
- Better IP autodetection
- Fix certificate revocation
2013-07-07 21:28:08 +02:00
Nyr
ce8077f048
Bugfix: better IPv4 autodetection on some IPv6 enabled servers
2013-05-14 22:05:53 +02:00
Nyr
4f631dab20
Bugfix: iptables were incorrectly positioned on /etc/rc.local
2013-05-14 20:59:03 +02:00
Nyr
c0adc8c75b
Added option for client certificate revocation
2013-05-14 17:41:53 +02:00
Nyr
e95049a76a
First commit
2013-05-14 14:04:19 +02:00