Merge pull request #1 from angristan/master

update fork

.editorconfig

@@ -0,0 +1,3 @@
+[*.sh]
+indent_style = tab
+indent_size = 4

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+patreon: stanislas
+liberapay: stanislas
+ko_fi: stanislas

.github/ISSUE_TEMPLATE.md

@@ -1,10 +0,0 @@
-<!---
-
-Before opening an issue, please make sure:
-
-- You installed OpenVPN with the lastest version of the script
-- You read the FAQ
-- Your issue is about the script, NOT OpenVPN itself
-- ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed
-
---->

.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md

@@ -0,0 +1,49 @@
+---
+name: Bug report / Support request
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Checklist**
+
+- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md)
+- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md)
+- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+)
+- [ ] My issue is about the script, and not OpenVPN itself
+
+<!---
+If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn)
+--->
+
+**Describe the issue**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+
+1. ...
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Logs**
+If applicable, add logs or screenshots to help explain your problem.
+
+If you can reproduce the issue, please run the script in debug mode and post the output: `bash -x openvpn-install.sh`
+
+**Server if applicable):**
+
+- OS: [e.g. Debian 10]
+- Hosting provider (if applicable): [e.g. Vultr, AWS]
+
+**Client (if applicable):**
+
+- Device: [e.g. iPhone6]
+- OS: [e.g. iOS8.1]
+- Client: [e.g. OpenVPN Connect]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature-request.md

@@ -0,0 +1,31 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Checklist**
+
+- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md)
+- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md)
+- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+)
+- [ ] My issue is about the script, and not OpenVPN itself
+
+<!---
+If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn)
+--->
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    assignees:
+      - "angristan"
+    reviewers:
+      - "angristan"

.github/linters/.markdown-lint.yml

@@ -0,0 +1 @@
+{ 'MD013': null, 'MD045': null, 'MD040': null, 'MD036': null }

.github/workflows/lint.yml

@@ -0,0 +1,14 @@
+on: [push, pull_request, pull_request_target]
+
+name: Lint
+
+jobs:
+  super-linter:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v2
+      - name: Lint Code Base
+        uses: github/super-linter@v3.13.2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -0,0 +1,97 @@
+on:
+  push:
+    branches:
+      - master
+
+name: Test
+jobs:
+  install:
+    runs-on: ubuntu-latest
+    if: github.repository == 'angristan/openvpn-install' && github.actor == 'angristan'
+    strategy:
+      matrix:
+        os-image:
+          - debian-9-x64
+          - debian-10-x64
+          - ubuntu-18-04-x64
+          - ubuntu-16-04-x64
+          - ubuntu-20-04-x64
+          - fedora-31-x64
+          - fedora-32-x64
+          - centos-7-x64
+          - centos-8-x64
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Setup doctl
+        uses: digitalocean/action-doctl@v2
+        with:
+          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+
+      - name: Create server
+        run: doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} --size s-1vcpu-1gb --image ${{ matrix.os-image }} --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4 --wait
+
+      - name: Get server ID
+        run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").id')
+        id: server_id
+
+      - name: Move server to dedicated project
+        run: doctl projects resources assign ${{ secrets.DIGITALOCEAN_PROJECT_ID }} --resource=do:droplet:${{ steps.server_id.outputs.value }}
+
+      - name: Wait for server to boot
+        run: sleep 90
+
+      - name: Get server IP
+        run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").networks.v4 | .[] | select(.type == "'public'").ip_address')
+        id: server_ip
+
+      - name: Get server OS
+        run: echo ::set-output name=value::$(echo ${{ matrix.os-image }} | cut -d '-' -f1)
+        id: server_os
+
+      - name: Setup remote server (Debian/Ubuntu)
+        if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
+        uses: appleboy/ssh-action@v0.1.3
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && apt-get update && apt-get install -y git
+
+      - name: Setup remote server (Fedora)
+        if: steps.server_os.outputs.value == 'fedora'
+        uses: appleboy/ssh-action@v0.1.3
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && dnf install -y git
+
+      - name: Setup remote server (CentOS)
+        if: steps.server_os.outputs.value == 'centos'
+        uses: appleboy/ssh-action@v0.1.3
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && yum install -y git
+
+      - name: Download repo and checkout current commit
+        uses: appleboy/ssh-action@v0.1.3
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }}
+
+      - name: Run openvpn-install.sh in headless mode
+        uses: appleboy/ssh-action@v0.1.3
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: 'set -x && AUTO_INSTALL=y bash -x ~/openvpn-install/openvpn-install.sh && ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1'
+
+      - name: Delete server
+        run: doctl compute droplet delete -f openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}
+        if: always()

.gitlab-ci.yml

@@ -1,11 +0,0 @@
-image: debian:buster-slim
-
-stages:
-  - Bash linting
-
-shellcheck:
-  stage: Bash linting
-  script:
-  - apt-get update
-  - apt-get install -y shellcheck
-  - shellcheck -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 openvpn-install.sh

FAQ.md

@@ -0,0 +1,145 @@
+# FAQ
+
+**Q:** The script has been updated since I installed OpenVPN. How do I update?
+
+**A:** You can't. Managing updates and new features from the script would require way too much work. Your only solution is to uninstall OpenVPN and reinstall with the updated script.
+
+You can, of course, it's even recommended, update the `openvpn` package with your package manager.
+
+---
+
+**Q:** How do I check for DNS leaks?
+
+**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Only your server's IP should show up.
+
+---
+
+**Q:** How do I fix DNS leaks?
+
+**A:** On Windows 10 DNS leaks are blocked by default with the `block-outside-dns` option.
+On Linux you need to add these lines to your `.ovpn` file based on your Distribution.
+
+Debian 9, 10 and Ubuntu 16.04, 18.04
+
+```
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+```
+
+Centos 6, 7
+
+```
+script-security 2
+up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up
+down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down
+```
+
+Centos 8, Fedora 30, 31
+
+```
+script-security 2
+up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
+down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
+```
+
+Arch Linux
+
+```
+script-security 2
+up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
+down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
+```
+
+---
+
+**Q:** Can I use an OpenVPN 2.3 client?
+
+**A:** Yes. I really recommend using an up-to-date client, but if you really need it, choose the following options:
+
+- No compression or LZ0
+- RSA certificate
+- DH Key
+- AES CBC
+- tls-auth
+
+If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server.conf` and `.ovpn` files.
+
+---
+
+**Q:** IPv6 is not working on my Hetzner VM
+
+**A:** This an issue on their side. See <https://angristan.xyz/fix-ipv6-hetzner-cloud/>
+
+---
+
+**Q:** DNS is not working on my Linux client
+
+**A:** See "How do I fix DNS leaks?" question
+
+---
+
+**Q:** What syctl and iptables changes are made by the script?
+
+**A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service`
+
+Sysctl options are at `/etc/sysctl.d/20-openvpn.conf`
+
+---
+
+**Q:** How can I access other clients connected to the same OpenVPN server?
+
+**A:** Add `client-to-client` to your `server.conf`
+
+---
+
+**Q:** My router can't connect
+
+**A:**
+
+- `Options error: No closing quotation (") in config.ovpn:46` :
+
+  type `yes` when asked to customize encryption settings and choose `tls-auth`
+
+- `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` :
+
+  see question "Can I use an OpenVPN 2.3 client?"
+
+---
+
+**Q:** How can I access computers the OpenVPN server's remote LAN?
+
+**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
+
+---
+
+**Q:** How can I add multiple users in one go?
+
+**A:** Here is a sample bash script to achieve this:
+
+```sh
+userlist=(user1 user2 user3)
+
+for i in ${userlist[@]};do
+   MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh
+done
+```
+
+---
+
+**Q:** How do I change the default `.ovpn` file created for future clients?
+
+**A:** You can edit the template out of which `.ovpn` files are created by editing `/etc/openvpn/client-template.txt`
+
+---
+
+**Q:** For my clients - I want to set my internal network to pass through the VPN and the rest to go through my internet?
+
+**A:** You would need to edit the `.ovpn` file. You can edit the template out of which those files are created by editing `/etc/openvpn/client-template.txt` file and adding
+
+```sh
+route-nopull
+route 10.0.0.0 255.0.0.0
+```
+
+So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet.

LICENSE

@@ -1,7 +1,7 @@
 MIT License
 
 Copyright (c) 2013 Nyr
-Copyright (c) 2016 Angristan (Stanislas Lange)
+Copyright (c) 2016 Stanislas Lange (angristan)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

README.md

@@ -1,21 +1,25 @@
 # openvpn-install
 
-[![GitLab CI](https://gitlab.com/angristan/openvpn-install/badges/master/pipeline.svg)](https://gitlab.com/angristan/openvpn-install/pipelines)
+![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg)
+![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg)
+![visitors](https://visitor-badge.glitch.me/badge?page_id=angristan.openvpn-install)
 
 OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
 
 This script will let you setup your own secure VPN server in just a few seconds.
 
+You can also check out [wireguard-install](https://github.com/angristan/wireguard-install), a simple installer for a simpler, safer, faster and more modern VPN protocol.
+
 ## Usage
 
-First, get the script and make it executable :
+First, get the script and make it executable:
 
 ```bash
-curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
+curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
 chmod +x openvpn-install.sh
 ```
 
-Then run it :
+Then run it:
 
 ```sh
 ./openvpn-install.sh
@@ -25,7 +29,7 @@ You need to run the script as root and have the TUN module enabled.
 
 The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
 
-When OpenVPN is installed, you can run the script again, and you will get the choice to :
+When OpenVPN is installed, you can run the script again, and you will get the choice to:
 
 - Add a client
 - Remove a client
@@ -33,7 +37,61 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
 
 In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
 
-If you have any question, head to the [FAQ](#faq) first.
+If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
+
+**PLEASE do not send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
+
+### Headless install
+
+It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.
+
+Example usage:
+
+```bash
+AUTO_INSTALL=y ./openvpn-install.sh
+
+# or
+
+export AUTO_INSTALL=y
+./openvpn-install.sh
+```
+
+A default set of variables will then be set, by passing the need for user input.
+
+If you want to customise your installation, you can export them or specify them on the same line, as shown above.
+
+- `APPROVE_INSTALL=y`
+- `APPROVE_IP=y`
+- `IPV6_SUPPORT=n`
+- `PORT_CHOICE=1`
+- `PROTOCOL_CHOICE=1`
+- `DNS=1`
+- `COMPRESSION_ENABLED=n`
+- `CUSTOMIZE_ENC=n`
+- `CLIENT=clientname`
+- `PASS=1`
+
+If the server is behind NAT, you can specify its endpoint with the `ENDPOINT` variable. If the endpoint is the public IP address which it is behind, you can use `ENDPOINT=$(curl -4 ifconfig.co)` (the script will default to this). The endpoint can be an IPv4 or a domain.
+
+Other variables can be set depending on your choice (encryption, compression). You can search for them in the `installQuestions()` function of the script.
+
+Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.
+
+The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.
+
+### Headless User Addition
+
+It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script.
+
+The following Bash script adds a new user `foo` to an existing OpenVPN configuration
+
+```bash
+#!/bin/bash
+export MENU_OPTION="1"
+export CLIENT="foo"
+export PASS="1"
+./openvpn-install.sh
+```
 
 ## Features
 
@@ -46,7 +104,7 @@ If you have any question, head to the [FAQ](#faq) first.
 - Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
 - Choice between TCP and UDP
 - NATed IPv6 support
-- Compression disabled by default to prevent VORACLE. LZ4 and LZ0 algorithms available otherwise.
+- Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise.
 - Unprivileged mode: run as `nobody`/`nogroup`
 - Block DNS leaks on Windows 10
 - Randomised server certificate name
@@ -57,16 +115,16 @@ If you have any question, head to the [FAQ](#faq) first.
 
 The script supports these OS and architectures:
 
-|              | i386 | amd64 | armhf | arm64 |
+|                 | i386 | amd64 | armhf | arm64 |
-| ------------ | ---- | ----- | ----- | ----- |
+| --------------- | ---- | ----- | ----- | ----- |
-|  Arch Linux  |   ❔  |  ✅  |   ❔   |   ❔  |
+| Amazon Linux 2  | ❔   | ✅    | ❔    | ❔    |
-|   CentOS 7   |   ❔  |  ✅  |   ❌   |   ✅  |
+| Arch Linux      | ❔   | ✅    | ❔    | ✅    |
-|   Debian 8   |   ✅  |  ✅  |   ❌   |   ❌  |
+| CentOS 7        | ✅   | ✅    | ✅    | ✅    |
-|   Debian 9   |   ❌  |  ✅  |   ✅   |   ✅  |
+| CentOS 8        | ❌   | ✅    | ❌    | ✅    |
-|   Fedora 27  |   ❔  |  ✅  |   ❔   |   ❔  |
+| Debian >= 9     | ✅   | ✅    | ✅    | ✅    |
-|   Fedora 28  |   ❔  |  ✅  |   ❔   |   ❔  |
+| Fedora >= 27    | ❔   | ✅    | ❔    | ❔    |
-| Ubuntu 16.04 |   ✅  |  ✅  |   ❌   |   ❌  |
+| Ubuntu 16.04    | ✅   | ✅    | ❌    | ❌    |
-| Ubuntu 18.04 |   ❌  |  ✅  |   ✅   |   ✅  |
+| Ubuntu >= 18.04 | ✅   | ✅    | ✅    | ✅    |
 
 To be noted:
 
@@ -82,17 +140,16 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially
 
 ## FAQ
 
-**LOOK AT THE [WIKI](https://github.com/angristan/openvpn-install/wiki/FAQ) FOR MORE INFORMATION. PLEASE READ BOTH BEFORE OPENING AN ISSUE.**
+More Q&A in [FAQ.md](FAQ.md).
-
-**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you.
 
 **Q:** Which provider do you recommend?
 
 **A:** I recommend these:
 
-- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month
+- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month
+- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month
+- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month
 - [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
-- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month
 
 ---
 
@@ -102,7 +159,7 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially
 
 - Windows: [The official OpenVPN community client](https://openvpn.net/index.php/download/community-downloads.html).
 - Linux: The `openvpn` package from your distribution. There is an [official APT repository](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Debian/Ubuntu based distributions.
-- macOS: [Tunnelblick](https://tunnelblick.net/).
+- macOS: [Tunnelblick](https://tunnelblick.net/), [Viscosity](https://www.sparklabs.com/viscosity/).
 - Android: [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn).
 - iOS: [The official OpenVPN Connect client](https://itunes.apple.com/us/app/openvpn-connect/id590379981).
 
@@ -120,6 +177,33 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially
 
 ---
 
+More Q&A in [FAQ.md](FAQ.md).
+
+## One-stop solutions for public cloud
+
+Solutions that provision a ready to use OpenVPN server based on this script in one go are available for:
+
+- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
+
+## Contributing
+
+### Contributors hall-of-fame
+
+Thanks ❤️
+
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/0)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/1)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/2)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/3)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/4)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/5)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/6)](https://github.com/angristan/openvpn-install/graphs/contributors)
+[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/7)](https://github.com/angristan/openvpn-install/graphs/contributors)
+
+### Code formatting
+
+We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).
+
 ## Security and Encryption
 
 OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that.
@@ -128,12 +212,13 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA,
 
 If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.
 
-Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
+Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.7/easyrsa3/vars.example) file.
+
 ### Compression
 
-By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 algorithms, the latter being more efficient.
+By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
 
-However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
+However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
 
 ### TLS version
 
@@ -164,17 +249,16 @@ By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old
 
 > The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
 >
-> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
+> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See <https://community.openvpn.net/openvpn/wiki/SWEET32> for details.
-
+> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See <https://sweet32.info/> for a much better and more elaborate explanation.
->Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See ​https://sweet32.info/ for a much better and more elaborate explanation.
 >
 > OpenVPN's default cipher, BF-CBC, is affected by this attack.
 
-Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted.
+Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](<https://en.wikipedia.org/wiki/Camellia_(cipher)>) are not vulnerable to date but are slower than AES and relatively less trusted.
 
 > Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.
 
-AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source : [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack).
+AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source: [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack).
 
 AES-GCM is an [AEAD cipher](https://en.wikipedia.org/wiki/Authenticated_encryption) which means it simultaneously provides confidentiality, integrity, and authenticity assurances on the data.
 
@@ -189,7 +273,7 @@ The script supports the following ciphers:
 
 And defaults to `AES-128-GCM`.
 
-OpenVPN 2.4 added a feature called "NCP": *Negotiable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
+OpenVPN 2.4 added a feature called "NCP": _Negotiable Crypto Parameters_. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
 
 ### Control channel
 
@@ -226,11 +310,9 @@ It defaults to `prime256v1`.
 From the OpenVPN wiki, about `--auth`:
 
 > Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.
-> 
+>
 > If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
 
-SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks).
-
 The script provides the following choices:
 
 - `SHA256`
@@ -244,14 +326,15 @@ It defaults to `SHA256`.
 From the OpenVPN wiki, about `tls-auth`:
 
 > Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack.
-> 
+>
 > In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.
 
 About `tls-crypt`:
 
 > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
-> 
+>
 > Encrypting (and authenticating) control channel packets:
+>
 > - provides more privacy by hiding the certificate used for the TLS connection,
 > - makes it harder to identify OpenVPN traffic as such,
 > - provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
@@ -264,7 +347,7 @@ The script supports both and uses `tls-crypt` by default.
 
 ## Say thanks
 
-You can [say thanks](https://saythanks.io/to/Angristan) if you want!
+You can [say thanks](https://saythanks.io/to/angristan%40pm.me) if you want!
 
 ## Credits & Licence