Merge branch 'master' into openvpn-2.4-update

Angristan 2018-03-03 22:39:19 +01:00 committed by GitHub
commit 15512c9625
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 8 deletions


@ -1,4 +1,5 @@
# OpenVPN-install
OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
This script will let you setup your own secure VPN server in just a few minutes.
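Review bot: Style point on the intro line, "let you setup your own secure VPN server" should read "set up" (verb), since "setup" is the noun form.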
@ -16,10 +17,11 @@ You can get a cheap VPS to run this script at [Vultr](https://goo.gl/Xyd1Sc), [D
First, get the script and make it executable :
```
```bash
wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
```
Then run it :
`./openvpn-install.sh`
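Review bot: Missing documentation in the install steps: the README tells the user to fetch the script over HTTPS and run it as-is, but says nothing about reading it first; since the script writes to /etc/apt/sources.list.d, adds apt keys and installs a systemd unit (see the second file in this commit), a sentence recommending that users inspect `openvpn-install.sh` before running it belongs here. Tagging the fence as ```bash is a good change; the stray space before the colon in "make it executable :" and "Then run it :" is a style nit worth fixing in the same pass.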
@ -32,9 +34,9 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
- Remove a client
- Uninstall OpenVPN
![](https://lut.im/Z8xfJ8WqyO/3JoPmJK8VRp6zwOE)
![](https://i.imgur.com/AlW9g7t.png)
## Why make a fork ?
## The fork
This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install).
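Review bot: Swapping the screenshot from lut.im to i.imgur.com still leaves the README depending on a third-party image host that can remove or change the file; commit the PNG into the repository and reference it by relative path so the menu screenshot stays tied to this revision of the script.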
@ -73,6 +75,7 @@ On the client-side, it's less problematic, but if you want to use an OpenVPN ser
- ❌ = tested and not compatible
(It should also work on Debian unstable/testing and Ubuntu beta).
If your're using an Ubuntu version that is not supported by the script, be aware that it's not supported by Ubuntu either, thus it's insecure.
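Review bot: Typo in the unsupported-Ubuntu warning: "If your're using" should be "If you're using". The reasoning in that sentence is sound (an Ubuntu release no longer supported upstream receives no security updates), so consider also pointing the reader to the Ubuntu release lifecycle so they can check their version.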
@ -80,6 +83,7 @@ If your're using an Ubuntu version that is not supported by the script, be aware
## Features
This fork includes the following features :
- Every feature of the [original script](https://github.com/Nyr/openvpn-install)
- Better encryption, see below
- Better DNS resolvers, see below
@ -114,13 +118,13 @@ Any other fast, trustable and neutral servers proposition is welcome.
The main reason why I made this fork is to improve the encryption. Indeed, OpenVPN's default parameters are weak (and that's what [Nyr's script](https://github.com/Nyr/openvpn-install) uses).
I want to justify all my choices regarding the encryption settings I have chosen, to prove that I'm not some random noob as some may think. 😉
I want to justify all my choices regarding the encryption settings I have chosen, to prove that I'm not some random noob as some may think. 😉
However I'm far from a crypto expert, so don't hesitate to doubt what I say (I put links to my sources anyway), and to open an issue to correct me.
OpenVPN 2.4 will be a great update on the encryption part, because we'll be able to use elliptic curves, so ECDSA and ECDH (as well for the control channel), and AES GCM. They are faster and more secure. I will, of course, update the script when it will be available.
**Note:** With OpenVPN's default parameters, you have a relatively weak encryption. Nonetheless, your trafic is still encrypted, so unless you're under surveillance, probably no one will try to decrypt it. Yet it's not a reason to use old and weak algorithm when there are much better ones available. 😉
**Note:** With OpenVPN's default parameters, you have a relatively weak encryption. Nonetheless, your trafic is still encrypted, so unless you're under surveillance, probably no one will try to decrypt it. Yet it's not a reason to use old and weak algorithm when there are much better ones available. 😉
### TLS version
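Review bot: Logic problem with the paragraph starting "OpenVPN 2.4 will be a great update": this branch is the openvpn-2.4-update, and the second file of this commit already configures EASYRSA_ALGO ec and EASYRSA_CURVE, so the future tense ("we'll be able to use elliptic curves ... I will update the script when it will be available") is now stale and should describe the 2.4 settings the script actually applies. Two typos in the same hunk: "trafic" should be "traffic", and "old and weak algorithm" should be plural, "algorithms".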
@ -150,7 +154,7 @@ It also supports SHA1 and MD5, which are unsafe, and all the SHA2 family. I didn
### Data channel's cipher
By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old (1993) an weak alogorithm. What's *funny* is that even the official OpenVPN documentation admits it.
By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old (1993) an weak alogorithm. What's *funny* is that even the official OpenVPN documentation admits it.
>The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
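Review bot: Typos in the BF-CBC sentence: "an old (1993) an weak alogorithm" should read "an old (1993) and weak algorithm". The quoted upstream text about the 64-bit block size and SWEET32 is accurate and is the right justification for moving the data channel off BF-CBC.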
@ -174,11 +178,13 @@ Convinced ?
The [SWEET32 vulnerability page](https://community.openvpn.net/openvpn/wiki/SWEET32) from OpenVPN's documentation says :
>The following ciphers are affected, and should no longer be used:
- BF-*
- DES* (including 3DES variants)
- RC2-*
>The following ciphers are *not* affected:
- AES-*
- CAMELLIA-*
- SEED-*
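Review bot: Formatting problem in the SWEET32 quote: only the two lead lines ("The following ciphers are affected..." and "...are *not* affected:") carry the `>` blockquote prefix, so the `- BF-*`, `- DES*`, `- RC2-*`, `- AES-*`, `- CAMELLIA-*` and `- SEED-*` items render outside the quote and read as the author's own list; prefix each list line with `>` as well so the whole passage is visibly quoted from the OpenVPN wiki.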
@ -248,7 +254,7 @@ SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used.
>The primary benefit is that an unauthenticated client cannot cause the same CPU/crypto load against a server as the junk traffic can be dropped much sooner. This can aid in mitigating denial-of-service attempts.
>This feature by itself does not improve the TLS auth in any way, although it offers a 2nd line of defense if a future flaw is discovered in a particular TLS cipher-suite or implementation (such as CVE-2014-0160, Heartbleed, where the tls-auth key provided protection against attackers who did not have a copy). However, it offers no protection at all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic.
>This feature by itself does not improve the TLS auth in any way, although it offers a 2nd line of defense if a future flaw is discovered in a particular TLS cipher-suite or implementation (such as CVE-2014-0160, Heartbleed, where the tls-auth key provided protection against attackers who did not have a copy). However, it offers no protection at all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic.
[Source](https://openvpn.net/index.php/open-source/documentation/howto.html#security)
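Review bot: Missing documentation in the tls-auth section: the quoted HOWTO text describes `tls-auth`, which only authenticates control-channel packets, while OpenVPN 2.4, the target of this branch, also offers `tls-crypt`, which authenticates and encrypts the control channel with the same pre-shared key. Since the README already frames 2.4 as the reason for this update, state which of the two the script configures and why.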


@ -517,6 +517,8 @@ else
elif [[ "$VERSION_ID" = 'VERSION_ID="9"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable stretch main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt update
fi
# Ubuntu 14.04
elif [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list
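Review bot: Missing check in the Debian 9 branch: `wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -` trusts whatever key the download returns without comparing its fingerprint against a known value, so a wrong or substituted key would be silently installed as an apt trust anchor. Download the key to a file, compare its fingerprint (via `gpg --with-fingerprint`) with the one published by OpenVPN, and only then add it; the repository line itself uses plain http, which apt tolerates because of signature checking, but that makes the key verification the only thing protecting the install.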
@ -650,7 +652,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
cd /etc/openvpn/easy-rsa/
if [[ $CERT_TYPE == "1" ]]; then
echo "set_var EASYRSA_ALGO ec
set_var EASYRSA_CURVE $CERT_CURVE" > vars
set_var EASYRSA_CURVE $CERT_CURVE" > vars
elif [[ $CERT_TYPE == "2" ]]; then
echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars
fi
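Review bot: Missing else branch in the easy-rsa block: when `$CERT_TYPE` is neither "1" nor "2", no `vars` file is written and easy-rsa proceeds with its built-in defaults, which silently undoes the key-size and curve choices the README promises; add an `else` that aborts with an error (or writes a documented default). Also, `$CERT_CURVE` and `$RSA_SIZE` are interpolated into `vars` without validation, so the prompts that set them should reject anything other than a known curve name or an integer.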
@ -892,6 +894,7 @@ persist-tun
remote-cert-tls server
verify-x509-name $SERVER_NAME name
auth $HMAC_AUTH
auth-nocache
$CIPHER
tls-client
tls-version-min 1.2
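Review bot: Pinning `tls-version-min 1.2` in the generated client config is a good addition, but it is only effective if the server config written by this script sets the same minimum; otherwise an older client could still negotiate TLS 1.0 with the server. Check that the server-side template mirrors this line. `auth-nocache` is harmless here but only has an effect when `auth-user-pass` is in use; a comment in the template noting that would help the reader.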