diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
index 7d1aa44..d5689d8 100644
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +1,3 @@
-patreon: angristan
-liberapay: angristan
-ko_fi: angristan
+patreon: stanislas
+liberapay: stanislas
+ko_fi: stanislas
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..f4d737f
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    assignees:
+      - "angristan"
+    reviewers:
+      - "angristan"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4628851..7aaf095 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,26 +1,22 @@
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-    branches:
-      - master
+on: push
 name: Lint
+
 jobs:
   shellcheck:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
-    - name: shellcheck
-      uses: ludeeus/action-shellcheck@0.0.1
-      env:
-        SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
+      - uses: actions/checkout@v2
+      - name: shellcheck
+        uses: ludeeus/action-shellcheck@0.5.0
+        env:
+          SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
+
   shfmt:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
-    - name: shfmt
-      uses: bltavares/actions/shfmt@master
-      env:
-        SHFMT_ARGS: -d
+      - uses: actions/checkout@v2
+      - name: shfmt
+        uses: bltavares/actions/shfmt@master
+        env:
+          SHFMT_ARGS: -d
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e7b1e1c..c37f47e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
           - centos-7-x64
           - centos-8-x64
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v2
       - name: Setup doctl
         uses: digitalocean/action-doctl@v2
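Review bot: `bltavares/actions/shfmt@master` in the shfmt job is still a third-party action tracked on a mutable branch while the checkout and shellcheck steps in the same hunk are now pinned; whatever is pushed to that branch runs against this repository's checkout on every push. Pin it to a release tag or, better, a full commit SHA with a `# vX.Y` comment — the Dependabot config added in this commit (`package-ecosystem: "github-actions"`) keeps SHA pins updated, and the same applies to the `appleboy/ssh-action@v0.1.2` pins in test.yml, which receive root SSH credentials. Replacing the `push`/`pull_request` triggers with a bare `on: push` also stops the linters running on pull requests from forks, since those produce no push event in this repository; `on: [push, pull_request]` restores that. Consider adding `permissions: contents: read` at the top of the workflow so neither third-party action can obtain a write-capable token.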
@@ -51,7 +51,7 @@ jobs:
       - name: Setup remote server (Debian/Ubuntu)
         if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
-        uses: appleboy/ssh-action@master
+        uses: appleboy/ssh-action@v0.1.2
         with:
           host: ${{ steps.server_ip.outputs.value }}
           username: root
@@ -60,7 +60,7 @@ jobs:
       - name: Setup remote server (Fedora)
         if: steps.server_os.outputs.value == 'fedora'
-        uses: appleboy/ssh-action@master
+        uses: appleboy/ssh-action@v0.1.2
         with:
           host: ${{ steps.server_ip.outputs.value }}
           username: root
@@ -69,7 +69,7 @@ jobs:
       - name: Setup remote server (CentOS)
         if: steps.server_os.outputs.value == 'centos'
-        uses: appleboy/ssh-action@master
+        uses: appleboy/ssh-action@v0.1.2
         with:
           host: ${{ steps.server_ip.outputs.value }}
           username: root
@@ -77,7 +77,7 @@ jobs:
           script: set -x && yum install -y git
       - name: Download repo and checkout current commit
-        uses: appleboy/ssh-action@master
+        uses: appleboy/ssh-action@v0.1.2
         with:
           host: ${{ steps.server_ip.outputs.value }}
           username: root
@@ -85,7 +85,7 @@ jobs:
           script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }}
       - name: Run openvpn-install.sh in headless mode
-        uses: appleboy/ssh-action@master
+        uses: appleboy/ssh-action@v0.1.2
         with:
           host: ${{ steps.server_ip.outputs.value }}
           username: root
diff --git a/FAQ.md b/FAQ.md
index 72a8ecc..0c26a6b 100644
--- a/FAQ.md
+++ b/FAQ.md
@@ -10,7 +10,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you
 **Q:** How do I check for DNS leaks?
-**A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
+**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Only your server's IP should show up.
 ---
diff --git a/README.md b/README.md
index 4f93e55..23a3957 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ In your home directory, you will have `.ovpn` files. These are the client config
 If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
-**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
+**PLEASE do not send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
 ### Headless install
@@ -117,13 +117,12 @@ The script supports these OS and architectures:
 | --------------- | ---- | ----- | ----- | ----- |
 | Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
 | Arch Linux | ❔ | ✅ | ❔ | ✅ |
-| CentOS 7 | ❔ | ✅ | ❌ | ✅ |
-| CentOS 8 | ❌ | ✅ | ❔ | ❔ |
-| Debian 8 | ✅ | ✅ | ❌ | ❌ |
-| Debian >= 9 | ❌ | ✅ | ✅ | ✅ |
+| CentOS 7 | ✅ | ✅ | ✅ | ✅ |
+| CentOS 8 | ❌ | ✅ | ❌ | ✅ |
+| Debian >= 9 | ✅ | ✅ | ✅ | ✅ |
 | Fedora >= 27 | ❔ | ✅ | ❔ | ❔ |
 | Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
-| Ubuntu >= 18.04 | ❌ | ✅ | ✅ | ✅ |
+| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ |
 To be noted:
@@ -146,8 +145,9 @@ More Q&A in [FAQ.md](FAQ.md).
 **A:** I recommend these:
 - [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month
-- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
+- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month
 - [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month
+- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
 ---
@@ -183,7 +183,22 @@ Solutions that provision a ready to use OpenVPN server based on this script in o
 - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
-## Contributing / Code formatting
+## Contributing
+
+### Contributors hall-of-fame
+
+Thanks ❤️
+
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/0)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/1)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/2)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/3)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/4)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/5)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/6)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/7)](https://github.com/angristan/openvpn-install/graphs/contributors)
+
+### Code formatting
 We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).
@@ -195,13 +210,13 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA,
 If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.
-Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
+Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.7/easyrsa3/vars.example) file.
 ### Compression
 By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
-However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
+However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
 ### TLS version
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 014c4e7..88090e0 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -18,14 +18,13 @@ function tunAvailable() {
 function checkOS() {
 	if [[ -e /etc/debian_version ]]; then
 		OS="debian"
-		# shellcheck disable=SC1091
 		source /etc/os-release
 		if [[ $ID == "debian" || $ID == "raspbian" ]]; then
-			if [[ $VERSION_ID -lt 8 ]]; then
+			if [[ $VERSION_ID -lt 9 ]]; then
 				echo "⚠️ Your version of Debian is not supported."
 				echo ""
-				echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk."
+				echo "However, if you're using Debian >= 9 or unstable/testing then you can continue, at your own risk."
 				echo ""
 				until [[ $CONTINUE =~ (y|n) ]]; do
 					read -rp "Continue? [y/n]: " -e CONTINUE
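Review bot: Removing the `# shellcheck disable=SC1091` directive above `source /etc/os-release` makes the script rely on the `-e SC1091` passed through SHELLCHECK_OPTS in the lint workflow; a plain `shellcheck openvpn-install.sh` run locally now reports SC1091 on that line (and on the second `source` in the next hunk). A `.shellcheckrc` at the repository root containing `disable=SC1091,SC2164,SC2034,SC1072,SC1073,SC1009` would make local and CI runs agree and let the workflow drop its env block. The bump of the minimum to `-lt 9` is consistent with the removal of the jessie repository block further down; `checkOS` continues past the end of this hunk.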
@@ -51,7 +50,6 @@ function checkOS() {
 			fi
 		fi
 	elif [[ -e /etc/system-release ]]; then
-		# shellcheck disable=SC1091
 		source /etc/os-release
 		if [[ $ID == "fedora" ]]; then
 			OS="fedora"
@@ -61,7 +59,7 @@ function checkOS() {
 			if [[ ! $VERSION_ID =~ (7|8) ]]; then
 				echo "⚠️ Your version of CentOS is not supported."
 				echo ""
-				echo "The script only support CentOS 7."
+				echo "The script only support CentOS 7 and CentOS 8."
 				echo ""
 				exit 1
 			fi
@@ -315,7 +313,7 @@ function installQuestions() {
 	echo " 12) NextDNS (Anycast: worldwide)"
 	echo " 13) Custom"
 	until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
-		read -rp "DNS [1-12]: " -e -i 3 DNS
+		read -rp "DNS [1-12]: " -e -i 11 DNS
 		if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
 			echo ""
 			echo "Unbound is already installed."
@@ -653,11 +651,6 @@ function installOpenVPN() {
 		apt-get update
 		apt-get -y install ca-certificates gnupg
 		# We add the OpenVPN repo to get the latest version.
-		if [[ $VERSION_ID == "8" ]]; then
-			echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list
-			wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
-			apt-get update
-		fi
 		if [[ $VERSION_ID == "16.04" ]]; then
 			echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
 			wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
@@ -695,7 +688,7 @@ function installOpenVPN() {
 	if [[ ! -d /etc/openvpn/server/easy-rsa/ ]]; then
 		local version="3.0.7"
 		wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
-		mkdir /etc/openvpn/server/easy-rsa
+		mkdir -p /etc/openvpn/server/easy-rsa
 		tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/server/easy-rsa
 		rm -f ~/easy-rsa.tgz
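Review bot: The prompt on the changed `read` line still says `DNS [1-12]` while the `until` condition directly above it accepts values up to 13 and option `13) Custom` is printed two lines earlier, so the text understates the valid range; change it to `read -rp "DNS [1-13]: " -e -i 11 DNS`. The new default of 11 is not visible in this hunk (only entries 12 and 13 are shown), so confirm it maps to the resolver intended as the default. `installQuestions` continues outside the hunk.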
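Review bot: The Easy-RSA archive fetched on the `wget` line is unpacked by `tar` as root into /etc/openvpn/server/easy-rsa with no integrity check; the version is pinned to 3.0.7 but the archive contents are not, so a substituted release asset would be installed silently into the CA directory. Since the version is already fixed, record the release's SHA-256 next to it and verify before extracting, e.g. `local sha256="<sha256 of EasyRSA-3.0.7.tgz>"` after `local version`, and `echo "${sha256}  $HOME/easy-rsa.tgz" | sha256sum -c - || exit 1` before the `tar` line. The `mkdir -p` change is fine on its own; `installOpenVPN` continues outside the hunk.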
@@ -720,11 +713,6 @@ function installOpenVPN() {
 	# Create the PKI, set up the CA, the DH params and the server certificate
 	./easyrsa init-pki
-
-	# Workaround to remove unharmful error until easy-rsa 3.0.7
-	# https://github.com/OpenVPN/easy-rsa/issues/261
-	sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
-
 	./easyrsa --batch build-ca nopass
 	if [[ $DH_TYPE == "2" ]]; then
@@ -1034,9 +1022,9 @@ verb 3" >>/etc/openvpn/server/client-template.txt
 function newClient() {
 	echo ""
 	echo "Tell me a name for the client."
-	echo "Use one word only, no special characters."
+	echo "The name must consist of alphanumeric character. It may also include an underscore or a dash."
-	until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do
+	until [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; do
 		read -rp "Client name: " -e CLIENT
 	done
@@ -1193,7 +1181,6 @@ function removeUnbound() {
 function removeOpenVPN() {
 	echo ""
-	# shellcheck disable=SC2034
 	read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
 	if [[ $REMOVE == 'y' ]]; then
 		# Get OpenVPN port from the configuration
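Review bot: The widened pattern `^[a-zA-Z0-9_-]+$` on the changed `until` line now accepts names that begin with `-` (for example `-n`); if `$CLIENT` is later passed as a positional argument to easyrsa or openssl — the rest of `newClient` is outside this hunk — such a name can be read as an option rather than a name. Anchoring the first character to the old set avoids that while keeping dashes elsewhere: `until [[ $CLIENT =~ ^[a-zA-Z0-9_][a-zA-Z0-9_-]*$ ]]; do`. The new prompt also has a grammar slip and should state the restriction: `echo "The name must consist of alphanumeric characters. It may also include an underscore or a dash, but must not start with a dash."`.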