Merge branch 'master' into ipv6-nat

2018-09-16 17:51:17 +02:00 · 2018-09-16 17:51:17 +02:00 · 1cecb12620
commit 1cecb12620
parent 4a2c1a5b77 019da89be9
3 changed files with 287 additions and 129 deletions
--- a/5
+++ b/5
@ -1,6 +1,7 @@
-The MIT License (MIT)
+MIT License
-Copyright (c) 2016 Nyr, Angristan
+Copyright (c) 2013 Nyr
 Copyright (c) 2016 Angristan (Stanislas Lange)
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in
--- a/README.md
+++ b/README.md
@ -13,7 +13,7 @@ Here is a preview of the installer :
 **You have to enable the TUN module otherwise OpenVPN won't work.** Ask your host if you don't know how to do it. If the TUN module is not enabled, the script will warn you and exit.
-You can get a cheap VPS to run this script for $2.50/month worldwide at [Vultr](https://goo.gl/Xyd1Sc) or 3€/month for unlimited bandwidth in France at [PulseHeberg](https://goo.gl/76yqW5).
+You can get a cheap VPS to run this script for $3.50/month worldwide at [Vultr](https://goo.gl/Xyd1Sc) or 3€/month for unlimited bandwidth in France at [PulseHeberg](https://goo.gl/76yqW5).
 First, get the script and make it executable :
@ -40,11 +40,11 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
 This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install).
-I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and espicially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are unsecure. See [#encryption](#encryption).
+I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and especially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are insecure. See [#encryption](#encryption).
 Also, Nyr and myself clearly have not the same point of view regarding this script, that's why it's a fork.
-The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only availble since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibilty](#compatibility).
+The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only available since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibility](#compatibility).
 On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. However I don't see why you would use an outdated client.
@ -56,19 +56,15 @@ On the client-side, it's less problematic, but if you want to use an OpenVPN ser
 The script is made to work on these OS and architectures :
 - **Debian 7** (i386, amd64)
 - **Debian 8** (i386, amd64)
 - **Debian 9** (i386, amd64, armhf, arm64)
 - **Ubuntu 14.04 LTS** (i386, amd64)
 - **Ubuntu 16.04 LTS** (i386, amd64, armhf)
 - **Ubuntu 17.10** (i386, amd64, armhf, arm64)
 - **Ubuntu 18.04 LTS** (i386, amd64, armhf, arm64)
 - **Fedora 25** (amd64)
 - **Fedora 26** (amd64)
 - **Fedora 27** (amd64)
- **CentOS 6** (i386, amd64)
+- **Fedora 28** (amd64)
 - **CentOS 7** (i386, amd64, arm64)
 - **Arch Linux** (i686, amd64, arm64)
 (It should also work on Debian unstable/testing and Ubuntu beta).
@ -82,13 +78,14 @@ This fork includes the following features :
 - Better encryption, see below
 - Better DNS resolvers, see below
 - Choice between TCP and UDP (UDP is still recommended)
 - IPv6 (NATed) support
 - Run server in [unprivileged mode](https://github.com/Angristan/OpenVPN-install/blob/master/openvpn-install.sh#L426), reducing risks to the system
 - [Block DNS leak on Windows 10](https://community.openvpn.net/openvpn/ticket/605)
 - No comp-lzo, as [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575)
 - [Arch Linux support](https://github.com/Angristan/OpenVPN-install/pull/2)
 - Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories.
 - Randomized certificate name
- IPv6 (NATed) support
+- The ability to create passwordless clients and clients protected with a password
 - Other improvements !
 ## DNS
@ -98,6 +95,7 @@ The script will ask you which DNS resolvers you want to use when connected to th
 Here are the possibilities :
 - Current system resolvers, those that are in `/etc/resolv.conf`
 - Self-hosted resolver thanks to Unbound
 - [Cloudflare](https://1.1.1.1/), recommended, fastest resolvers available (Anycast servers)
 - [Quad9](https://www.quad9.net), recommended, security and privacy oriented, fast worldwide (Anycast servers)
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/), recommended if you're in western europe (France)
@ -106,7 +104,6 @@ Here are the possibilities :
 - [Google Public DNS](https://en.wikipedia.org/wiki/Google_Public_DNS), not recommended, but fast worldwide (Anycast servers)
 - [Yandex Basic DNS](https://dns.yandex.com/), not recommended, but fast in Russia
 - [AdGuard DNS](https://github.com/AdguardTeam/AdguardDNS), located in Russia, blocks ads and trackers
 - Soon : local resolver :D
 Any other fast, trustable and neutral servers proposition is welcome.
@ -187,7 +184,7 @@ The [SWEET32 vulnerability page](https://community.openvpn.net/openvpn/wiki/SWEE
 Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted.
-As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an exemple about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477).
+As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an example about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477).
 Currently AES is only available in its CBC mode, which is weaker than GCM.
@ -215,7 +212,7 @@ Thus, the best data channel cipher currently available in OpenVPN is `AES-128-CB
 ### Control channel's cipher
-According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is unsecure.
+According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is insecure.
 > The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer running at least OpenVPN 2.3.3:
 - TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
@ -231,7 +228,7 @@ Thus, I have chosen `TLS-DHE-RSA-WITH-AES-128-GCM-SHA256` as the control channel
 OpenVPN uses a 2048 bits DH key [by default](https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example#L97).
-2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommened today, but 3072 bits is still good.
+2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommended today, but 3072 bits is still good.
 In OpenVPN 2.4, we will be able to use ECDH key. It uses elliptic curves instead of prime numbers' factorization for a reduced key size and calculation time, thus it's faster and more secure.
@ -256,6 +253,10 @@ SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used.
 TLS-Auth is not enabled by default by OpenVPN, but it is in this script.
 ## Check for DNS leaks
 Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
 ## Say thanks
 You can [say thanks](https://saythanks.io/to/Angristan) if you want!
@ -264,6 +265,4 @@ You can [say thanks](https://saythanks.io/to/Angristan) if you want!
 Thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and of course Nyr's orginal work.
 [Old repo](https://github.com/Angristan/OpenVPN-install-fork-old)
 [MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install/master/LICENSE)
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@ -1,31 +1,28 @@
 #!/bin/bash
-# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux
+# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Fedora
 # https://github.com/Angristan/OpenVPN-install
 # Verify root
 if [[ "$EUID" -ne 0 ]]; then
 	echo "Sorry, you need to run this as root"
 	exit 1
 fi
 # Verify tun
 if [[ ! -e /dev/net/tun ]]; then
 	echo "TUN is not available"
 	exit 2
 fi
 if grep -qs "CentOS release 5" "/etc/redhat-release"; then
 	echo "CentOS 5 is too old and not supported"
 	exit 3
 fi
 if [[ -e /etc/debian_version ]]; then
 	OS="debian"
 	# Getting the version number, to verify that a recent version of OpenVPN is available
-	VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
+	VERSION_ID=$(grep "VERSION_ID" /etc/os-release)
 	IPTABLES='/etc/iptables/iptables.rules'
 	SYSCTL='/etc/sysctl.conf'
-	if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then
+	if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then
 		echo "Your version of Debian/Ubuntu is not supported."
 		echo "I can't install a recent version of OpenVPN on your system."
 		echo ""
@ -33,10 +30,10 @@ if [[ -e /etc/debian_version ]]; then
 		echo "then you can continue, a recent version of OpenVPN is available on these."
 		echo "Keep in mind they are not supported, though."
 		while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
-			read -p "Continue ? [y/n]: " -e CONTINUE
+			read -rp "Continue? [y/n]: " -e CONTINUE
 		done
 		if [[ "$CONTINUE" = "n" ]]; then
-			echo "Ok, bye !"
+			echo "Ok, bye!"
 			exit 4
 		fi
 	fi
@ -44,43 +41,132 @@ elif [[ -e /etc/fedora-release ]]; then
 	OS=fedora
 	IPTABLES='/etc/iptables/iptables.rules'
 	SYSCTL='/etc/sysctl.d/openvpn.conf'
-elif [[ -e /etc/centos-release || -e /etc/redhat-release || -e /etc/system-release ]]; then
+elif [[ -e /etc/centos-release ]]; then
 	if ! grep -qs "^CentOS Linux release 7" /etc/centos-release; then
 		echo "Your version of CentOS is not supported."
 		echo "The script only support CentOS 7."
 		echo ""
 		unset CONTINUE
 		while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
 			read -rp "Continue anyway? [y/n]: " -e CONTINUE
 		done
 		if [[ "$CONTINUE" = "n" ]]; then
 			echo "Ok, bye!"
 			exit 5
 		fi
 	fi
 	OS=centos
 	IPTABLES='/etc/iptables/iptables.rules'
 	SYSCTL='/etc/sysctl.conf'
 elif [[ -e /etc/arch-release ]]; then
 	OS=arch
 	IPTABLES='/etc/iptables/iptables.rules'
 	SYSCTL='/etc/sysctl.d/openvpn.conf'
 else
-	echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
+	echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora or CentOS system"
 	exit 4
 fi
 newclient () {
 	# Where to write the custom client.ovpn?
-	if [ -e /home/$1 ]; then  # if $1 is a user name
+	if [ -e "/home/$1" ]; then  # if $1 is a user name
 		homeDir="/home/$1"
-	elif [ ${SUDO_USER} ]; then   # if not, use SUDO_USER
+	elif [ "${SUDO_USER}" ]; then   # if not, use SUDO_USER
 		homeDir="/home/${SUDO_USER}"
 	else  # if not SUDO_USER, use /root
 		homeDir="/root"
 	fi
 	# Generates the custom client.ovpn
-	cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn
+	cp /etc/openvpn/client-template.txt "$homeDir/$1.ovpn"
-	echo "<ca>" >> $homeDir/$1.ovpn
+	{
-	cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn
+		echo "<ca>"
-	echo "</ca>" >> $homeDir/$1.ovpn
+		cat "/etc/openvpn/easy-rsa/pki/ca.crt"
-	echo "<cert>" >> $homeDir/$1.ovpn
+		echo "</ca>"
-	cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn
+
-	echo "</cert>" >> $homeDir/$1.ovpn
+		echo "<cert>"
-	echo "<key>" >> $homeDir/$1.ovpn
+		cat "/etc/openvpn/easy-rsa/pki/issued/$1.crt"
-	cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn
+		echo "</cert>"
-	echo "</key>" >> $homeDir/$1.ovpn
+
-	echo "key-direction 1" >> $homeDir/$1.ovpn
+		echo "<key>"
-	echo "<tls-auth>" >> $homeDir/$1.ovpn
+		cat "/etc/openvpn/easy-rsa/pki/private/$1.key"
-	cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn
+		echo "</key>"
-	echo "</tls-auth>" >> $homeDir/$1.ovpn
+		echo "key-direction 1"
 		echo "<tls-auth>"
 		cat "/etc/openvpn/tls-auth.key"
 		echo "</tls-auth>"
 	} >> "$homeDir/$1.ovpn"
 }
 function installLocalDNS () {
 	if [[ ! -e /etc/unbound/unbound.conf ]]; then
 		if [[ "$OS" = "debian" ]]; then
 			apt-get install -y unbound
 			echo 'interface: 10.8.0.1
 access-control: 10.8.0.1/24 allow
 hide-identity: yes
 hide-version: yes
 use-caps-for-id: yes
 prefetch: yes' >> /etc/unbound/unbound.conf
 		elif [[ "$OS" = "centos" ]]; then
 			yum install -y unbound
 			# Configuration
 			sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
 			sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
 			sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
 			sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
 			sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
 		elif [[ "$OS" = "fedora" ]]; then
 			dnf install -y unbound
 			# Configuration
 			sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
 			sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
 			sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
 			sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
 			sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
 		fi
 		if [[ ! "$OS" =~ (fedora|centos) ]];then
 			# DNS Rebinding fix
 			echo "private-address: 10.0.0.0/8
 		private-address: 172.16.0.0/12
 		private-address: 192.168.0.0/16
 		private-address: 169.254.0.0/16
 		private-address: fd00::/8
 		private-address: fe80::/10
 		private-address: 127.0.0.0/8
 		private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf
 		fi
 	else
 		# Unbound is already installed
 		echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf
 		# Add OpenVPN integration
 		echo 'server:
 interface: 10.8.0.1
 access-control: 10.8.0.1/24 allow
 hide-identity: yes
 hide-version: yes
 use-caps-for-id: yes
 prefetch: yes
 private-address: 10.0.0.0/8
 private-address: 172.16.0.0/12
 private-address: 192.168.0.0/16
 private-address: 169.254.0.0/16
 private-address: fd00::/8
 private-address: fe80::/10
 private-address: 127.0.0.0/8
 private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
 	fi
 	if pgrep systemd-journal; then
 		systemctl enable unbound
 		systemctl start unbound
 	else
 		service unbound restart
 	fi
 }
 # Get Internet network interface with default route
@ -94,22 +180,45 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 		echo ""
 		echo "Looks like OpenVPN is already installed"
 		echo ""
 		echo "What do you want to do?"
 		echo "   1) Add a cert for a new user"
 		echo "   2) Revoke existing user cert"
 		echo "   3) Remove OpenVPN"
 		echo "   4) Exit"
-		read -p "Select an option [1-4]: " option
+		read -rp "Select an option [1-4]: " option
 		case $option in
 			1)
 			echo ""
 			echo "Do you want to protect the configuration file with a password?"
 			echo "(e.g. encrypt the private key with a password)"
 			echo "   1) Add a passwordless client"
 			echo "   2) Use a password for the client"
 			until [[ "$pass" =~ ^[1-2]$ ]]; do
 				read -rp "Select an option [1-2]: " -e -i 1 pass
 			done
 			echo ""
 			echo "Tell me a name for the client cert"
-			echo "Please, use one word only, no special characters"
+			echo "Use one word only, no special characters"
-			read -p "Client name: " -e -i newclient CLIENT
+			until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
 				read -rp "Client name: " -e CLIENT
 			done
 			cd /etc/openvpn/easy-rsa/
-			./easyrsa build-client-full $CLIENT nopass
+			case $pass in
 				1)
 				./easyrsa build-client-full $CLIENT nopass
 				;;
 				2)
 				echo "⚠️ You will be asked for the client password below ⚠️"
 				./easyrsa build-client-full $CLIENT
 				;;
 			esac
 			# Generates the custom client.ovpn
 			newclient "$CLIENT"
 			echo ""
 			echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
 			exit
@ -121,14 +230,16 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 				echo "You have no existing clients!"
 				exit 5
 			fi
 			echo ""
 			echo "Select the existing client certificate you want to revoke"
 			tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
 			if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
-				read -p "Select one client [1]: " CLIENTNUMBER
+				read -rp "Select one client [1]: " CLIENTNUMBER
 			else
-				read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
+				read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
 			fi
 			CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
 			cd /etc/openvpn/easy-rsa/
 			./easyrsa --batch revoke $CLIENT
@ -141,6 +252,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 			chmod 644 /etc/openvpn/crl.pem
 			rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
 			rm -f /root/$CLIENT.ovpn 2>/dev/null
 			echo ""
 			echo "Certificate for client $CLIENT revoked"
 			echo "Exiting..."
@ -148,7 +260,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 			;;
 			3)
 			echo ""
-			read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
+			read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
 			if [[ "$REMOVE" = 'y' ]]; then
 				PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
 				if pgrep firewalld; then
@ -181,8 +293,6 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 				fi
 				if [[ "$OS" = 'debian' ]]; then
 					apt-get autoremove --purge -y openvpn
 				elif [[ "$OS" = 'arch' ]]; then
 					pacman -R openvpn --noconfirm
 				else
 					yum remove openvpn -y
 				fi
@ -194,6 +304,35 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 				done
 				rm -rf /etc/openvpn
 				rm -rf /usr/share/doc/openvpn*
 				if [[ -e /etc/unbound/openvpn.conf ]]; then
 					# Remove OpenVPN-related config
 					sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf
 					rm /etc/unbound/openvpn.conf
 					service unbound restart
 					until [[ $REMOVE_UNBOUND == "y" || $REMOVE_UNBOUND == "n" ]]; do
 						echo ""
 						echo "If you were already using Unbound before installing OpenVPN, I removed the configuration related to OpenVPN."
 						echo "You can keep using Unbound as before."
 						read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
 					done
 					if [[ "$REMOVE_UNBOUND" = 'y' ]]; then
 						if [[ "$OS" = 'debian' ]]; then
 							apt-get autoremove --purge -y unbound
 						else
 							yum remove unbound -y
 						fi
 						echo ""
 						echo "Unbound removed!"
 					else
 						echo ""
 						echo "Unbound not removed!"
 					fi
 				fi
 				echo ""
 				echo "OpenVPN removed!"
 			else
@ -209,6 +348,7 @@ else
 	clear
 	echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
 	echo ""
 	# OpenVPN setup and first user creation
 	echo "I need to ask you a few questions before starting the setup"
 	echo "You can leave the default options and just press enter if you are ok with them"
@ -216,6 +356,7 @@ else
 	echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
 	echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
 	echo "Otherwise, it should be your public IPv4 address."
 	# Autodetect IP address and pre-fill for the user
 	IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
 	read -p "IP address: " -e -i $IP IP
@ -223,7 +364,7 @@ else
 	if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
 		echo ""
 		echo "This server is behind NAT. What is the public IPv4 address or hostname?"
-		read -p "Public IP address / hostname: " -e PUBLICIP
+		read -rp "Public IP address / hostname: " -e PUBLICIP
 	fi
 	echo ""
 	echo "Checking for IPv6 connectivity..."
@ -244,22 +385,39 @@ else
 	echo ""
 	echo "What protocol do you want for OpenVPN?"
 	echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
-	while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do
+	until [[ "$PROTOCOL" == "UDP" || "$PROTOCOL" == "TCP" ]]; do
-		read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
+		read -rp "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
 	done
 	echo ""
 	echo "What DNS do you want to use with the VPN?"
 	echo "   1) Current system resolvers (from /etc/resolv.conf)"
-	echo "   2) Cloudflare (Anycast: worldwide)"
+	echo "   2) Self-hosted DNS Resolver (Unbound)"
-	echo "   3) Quad9 (Anycast: worldwide)"
+	echo "   3) Cloudflare (Anycast: worldwide)"
-	echo "   4) FDN (France)"
+	echo "   4) Quad9 (Anycast: worldwide)"
-	echo "   5) DNS.WATCH (Germany)"
+	echo "   5) FDN (France)"
-	echo "   6) OpenDNS (Anycast: worldwide)"
+	echo "   6) DNS.WATCH (Germany)"
-	echo "   7) Google (Anycast: worldwide)"
+	echo "   7) OpenDNS (Anycast: worldwide)"
-	echo "   8) Yandex Basic (Russia)"
+	echo "   8) Google (Anycast: worldwide)"
-	echo "   9) AdGuard DNS (Russia)"
+	echo "   9) Yandex Basic (Russia)"
-	while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" && $DNS != "9" ]]; do
+	echo "   10) AdGuard DNS (Russia)"
-		read -p "DNS [1-9]: " -e -i 1 DNS
+	until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 10 ]; do
 		read -rp "DNS [1-10]: " -e -i 1 DNS
 			if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
 				echo ""
 				echo "Unbound is already installed."
 				echo "You can allow the script to configure it in order to use it from your OpenVPN clients"
 				echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
 				echo "No changes are made to the current configuration."
 				echo ""
 				while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
 					read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
 				done
 				if [[ $CONTINUE = "n" ]];then
 					unset DNS
 					unset CONTINUE
 				fi
 			fi
 	done
 	echo ""
 	echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
@ -277,8 +435,8 @@ else
 	echo "   5) CAMELLIA-192-CBC"
 	echo "   6) CAMELLIA-256-CBC"
 	echo "   7) SEED-CBC"
-	while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do
+	until [[ "$CIPHER" =~ ^[0-9]+$ ]] && [ "$CIPHER" -ge 1 -a "$CIPHER" -le 7 ]; do
-		read -p "Cipher [1-7]: " -e -i 1 CIPHER
+		read -rp "Cipher [1-7]: " -e -i 1 CIPHER
 	done
 	case $CIPHER in
 		1)
@ -308,8 +466,8 @@ else
 	echo "   1) 2048 bits (fastest)"
 	echo "   2) 3072 bits (recommended, best compromise)"
 	echo "   3) 4096 bits (most secure)"
-	while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do
+	until [[ "$DH_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$DH_KEY_SIZE" -ge 1 -a "$DH_KEY_SIZE" -le 3 ]; do
-		read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
+		read -rp "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
 	done
 	case $DH_KEY_SIZE in
 		1)
@ -327,8 +485,8 @@ else
 	echo "   1) 2048 bits (fastest)"
 	echo "   2) 3072 bits (recommended, best compromise)"
 	echo "   3) 4096 bits (most secure)"
-	while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do
+	until [[ "$RSA_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE" -ge 1 -a "$RSA_KEY_SIZE" -le 3 ]; do
-		read -p "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE
+		read -rp "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE
 	done
 	case $RSA_KEY_SIZE in
 		1)
@ -342,10 +500,18 @@ else
 		;;
 	esac
 	echo ""
 	echo "Do you want to protect the configuration file with a password?"
 	echo "(e.g. encrypt the private key with a password)"
 	echo "   1) Add a passwordless client"
 	echo "   2) Use a password for the client"
 	until [[ "$pass" =~ ^[1-2]$ ]]; do
 		read -rp "Select an option [1-2]: " -e -i 1 pass
 	done
 	echo ""
 	echo "Finally, tell me a name for the client certificate and configuration"
-	while [[ $CLIENT = "" ]]; do
+	echo "Use one word only, no special characters"
-		echo "Please, use one word only, no special characters"
+	until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
-		read -p "Client name: " -e -i client CLIENT
+		read -rp "Client name: " -e -i client CLIENT
 	done
 	echo ""
 	echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
@ -355,12 +521,6 @@ else
 		apt-get update
 		apt-get install ca-certificates gnupg -y
 		# We add the OpenVPN repo to get the latest version.
 		# Debian 7
 		if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
 			echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/openvpn.list
 			wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
 			apt-get update
 		fi
 		# Debian 8
 		if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
 			echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
@ -446,30 +606,6 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 			systemctl disable firewalld
 			systemctl mask firewalld
 		fi
 	else
 		# Else, the distro is ArchLinux
 		echo ""
 		echo ""
 		echo "As you're using ArchLinux, I need to update the packages on your system to install those I need."
 		echo "Not doing that could cause problems between dependencies, or missing files in repositories."
 		echo ""
 		echo "Continuing will update your installed packages and install needed ones."
 		while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
 			read -p "Continue ? [y/n]: " -e -i y CONTINUE
 		done
 		if [[ "$CONTINUE" = "n" ]]; then
 			echo "Ok, bye !"
 			exit 4
 		fi
 		if [[ "$OS" = 'arch' ]]; then
 			# Install dependencies
 			pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
 			iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist
 			systemctl daemon-reload
 			systemctl enable iptables
 			systemctl start iptables
 		fi
 	fi
 	# Find out if the machine uses nogroup or nobody for the permissionless group
 	if grep -qs "^nogroup:" /etc/group; then
@ -485,14 +621,13 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 	# Get easy-rsa
 	wget -O ~/EasyRSA-3.0.4.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
 	tar xzf ~/EasyRSA-3.0.4.tgz -C ~/
-	mv ~/EasyRSA-3.0.4/ /etc/openvpn/
+	mv ~/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
 	mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
 	chown -R root:root /etc/openvpn/easy-rsa/
 	rm -f ~/EasyRSA-3.0.4.tgz
 	cd /etc/openvpn/easy-rsa/
 	# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
-	SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
+	SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
-	SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
+	SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
 	echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
 	echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
 	# Create the PKI, set up the CA, the DH params and the server + client certificates
@ -500,7 +635,15 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 	./easyrsa --batch build-ca nopass
 	openssl dhparam -out dh.pem $DH_KEY_SIZE
 	./easyrsa build-server-full $SERVER_NAME nopass
-	./easyrsa build-client-full $CLIENT nopass
+	case $pass in
 		1)
 			./easyrsa build-client-full $CLIENT nopass
 		;;
 		2)
 			echo "⚠️ You will be asked for the client password below ⚠️"
 			./easyrsa build-client-full $CLIENT
 		;;
 	esac
 	EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 	# generate tls-auth key
 	openvpn --genkey --secret /etc/openvpn/tls-auth.key
@ -544,38 +687,44 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 			RESOLVCONF='/etc/resolv.conf'
 		fi
 		# Obtain the resolvers from resolv.conf and use them for OpenVPN
-		grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
+		grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
 			echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
 		done
 		;;
-		2) # Cloudflare
+		2)
 		# Install Unbound
 		installLocalDNS
 		echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf
 		;;
 		3) # Cloudflare
 		echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf	
 		;;
-		3) # Quad9
+		4) # Quad9
 		echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf
 		;;
-		4) # FDN
+		5) # FDN
 		echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
 		;;
-		5) # DNS.WATCH
+		6) # DNS.WATCH
 		echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
 		;;
-		6) # OpenDNS
+		7) # OpenDNS
 		echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
 		;;
-		7) # Google
+		8) # Google
 		echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
 		;;
-		8) # Yandex Basic
+		9) # Yandex Basic
 		echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
 		;;
-		9) # AdGuard DNS
+		10) # AdGuard DNS
 		echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
 		;;
@ -601,10 +750,13 @@ $CIPHER
 tls-server
 tls-version-min 1.2
 tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
-status openvpn.log
+status /var/log/openvpn/status.log
 verb 3" >> /etc/openvpn/server.conf
-	# Create the sysctl configuration file if needed (mainly for Arch Linux)
+# Create log dir
 mkdir -p /var/log/openvpn
 	# Create the sysctl configuration file if needed
 	if [[ ! -e $SYSCTL ]]; then
 		touch $SYSCTL
 	fi
@ -614,6 +766,7 @@ verb 3" >> /etc/openvpn/server.conf
 	if [[ "$IPV6" = 'y' ]]; then
 		echo 'net.ipv6.conf.all.forwarding=1' >> $SYSCTL
 	fi
 	# Avoid an unneeded reboot
 	sysctl --system
 	# Set NAT for the VPN subnet
@ -623,6 +776,7 @@ verb 3" >> /etc/openvpn/server.conf
 	fi
 	# Save persitent iptables rules
 	iptables-save > $IPTABLES
 	if pgrep firewalld; then
 		# We don't use --add-service=openvpn because that would only work with
 		# the default port. Using both permanent and not permanent rules to
@ -637,6 +791,7 @@ verb 3" >> /etc/openvpn/server.conf
 		firewall-cmd --zone=trusted --add-source=10.8.0.0/24
 		firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
 	fi
 	if iptables -L -n | grep -qE 'REJECT|DROP'; then
 		# If iptables has at least one REJECT rule, we asume this is needed.
 		# Not the best approach but I can't think of other and this shouldn't
@ -649,7 +804,7 @@ verb 3" >> /etc/openvpn/server.conf
 		iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
 		iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 		# Save persitent OpenVPN rules
-        iptables-save > $IPTABLES
+		iptables-save > $IPTABLES
 	fi
 	if [[ "$IPV6" = 'y' ]]; then
 		if ip6tables -L -n | grep -qE 'REJECT|DROP'; then
@ -680,6 +835,7 @@ verb 3" >> /etc/openvpn/server.conf
 			fi
 		fi
 	fi
 	# And finally, restart OpenVPN
 	if [[ "$OS" = 'debian' ]]; then
 		# Little hack to check for systemd
@ -696,8 +852,8 @@ verb 3" >> /etc/openvpn/server.conf
 		fi
 	else
 		if pgrep systemd-journal; then
-			if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then
+			if [[ "$OS" = 'fedora' ]]; then
-				#Workaround to avoid rewriting the entire script for Arch & Fedora
+				# Workaround to avoid rewriting the entire script for Fedora
 				sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
 				sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service
 				systemctl daemon-reload
@ -712,10 +868,12 @@ verb 3" >> /etc/openvpn/server.conf
 			chkconfig openvpn on
 		fi
 	fi
 	# If the server is behind a NAT, use the correct IP address
 	if [[ "$PUBLICIP" != "" ]]; then
 		IP=$PUBLICIP
 	fi
 	# client-template.txt is created so we have a template to add further users later
 	echo "client" > /etc/openvpn/client-template.txt
 	if [[ "$PROTOCOL" = 'UDP' ]]; then