From a7e54a47ce74c598fceea0bbd9b95c5ed1f8a70e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Aug 2022 03:00:54 +0000 Subject: [PATCH 01/27] build(deps): bump appleboy/ssh-action from 0.1.4 to 0.1.5 Bumps [appleboy/ssh-action](https://github.com/appleboy/ssh-action) from 0.1.4 to 0.1.5. - [Release notes](https://github.com/appleboy/ssh-action/releases) - [Commits](https://github.com/appleboy/ssh-action/compare/v0.1.4...v0.1.5) --- updated-dependencies: - dependency-name: appleboy/ssh-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a0b796e..bd28f79 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -50,7 +50,7 @@ jobs: - name: Setup remote server (Debian/Ubuntu) if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu' - uses: appleboy/ssh-action@v0.1.4 + uses: appleboy/ssh-action@v0.1.5 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -59,7 +59,7 @@ jobs: - name: Setup remote server (Fedora) if: steps.server_os.outputs.value == 'fedora' - uses: appleboy/ssh-action@v0.1.4 + uses: appleboy/ssh-action@v0.1.5 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -68,7 +68,7 @@ jobs: - name: Setup remote server (CentOS) if: steps.server_os.outputs.value == 'centos' - uses: appleboy/ssh-action@v0.1.4 + uses: appleboy/ssh-action@v0.1.5 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -76,7 +76,7 @@ jobs: script: set -x && yum install -y git - name: Download repo and checkout current commit - uses: appleboy/ssh-action@v0.1.4 + uses: appleboy/ssh-action@v0.1.5 with: host: ${{ steps.server_ip.outputs.value }} username: root 
@@ -84,7 +84,7 @@ jobs: script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} - name: Run openvpn-install.sh in headless mode - uses: appleboy/ssh-action@v0.1.4 + uses: appleboy/ssh-action@v0.1.5 with: host: ${{ steps.server_ip.outputs.value }} username: root From 83111c58e787313ebc3a1e85b782aa6c2286abba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Nov 2022 03:00:50 +0000 Subject: [PATCH 02/27] build(deps): bump actions/checkout from 3.0.2 to 3.1.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.2 to 3.1.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.0.2...v3.1.0) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/lint.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index ea69759..b53d67f 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v3.0.2 + uses: actions/checkout@v3.1.0 - name: Lint Code Base uses: github/super-linter@v4.1.0 env: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index bd28f79..22af688 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -20,7 +20,7 @@ jobs: - centos-7-x64 - centos-stream-8-x64 steps: - - uses: actions/checkout@v3.0.2 + - uses: actions/checkout@v3.1.0 - name: Setup doctl uses: digitalocean/action-doctl@v2 
From 0de56f8f335c74ad7de99c6165d1a8bc1d2e3149 Mon Sep 17 00:00:00 2001 From: Padraig Doran Date: Mon, 21 Nov 2022 18:12:46 +0000 Subject: [PATCH 03/27] Use --genkey secret filename instead (#1059) Fix for: WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead. https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--secret Status Removed Deprecated in: OpenVPN v2.4 Removed in: OpenVPN v2.5 Affects: --genkey Result if used: User Warning printed Replaced by: secret (No leading double dash) Examples: Use --genkey secret filename Notes: --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 64d8ed0..c905976 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -742,11 +742,11 @@ function installOpenVPN() { case $TLS_SIG in 1) # Generate tls-crypt key - openvpn --genkey --secret /etc/openvpn/tls-crypt.key + openvpn --genkey secret /etc/openvpn/tls-crypt.key ;; 2) # Generate tls-auth key - openvpn --genkey --secret /etc/openvpn/tls-auth.key + openvpn --genkey secret /etc/openvpn/tls-auth.key ;; esac else From d3751457ab6fb4e012764ed2d47ab9ab279f9675 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 21 Nov 2022 19:15:22 +0100 Subject: [PATCH 04/27] Remove Debian 9 in e2e tests as it has been removed by DO --- .github/workflows/test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 22af688..d030f08 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,7 +11,6 @@ jobs: strategy: matrix: os-image: - - debian-9-x64 - debian-10-x64 - debian-11-x64 - ubuntu-18-04-x64 From 86a6d2d3e7715fac982657826202518d29e8af95 Mon Sep 17 00:00:00 2001 
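Review bot: Both `openvpn --genkey secret …` calls in the `case $TLS_SIG` block are unconditional, although the commit message itself ties the syntax change to OpenVPN 2.5. The e2e matrix on this page still lists images such as debian-10-x64, ubuntu-18-04-x64 and centos-7-x64, which probably ship a 2.4 build that does not accept a key type after `--genkey` (PATCH 05 reverts this hunk). A version gate would serve both generations, for example choosing the form once from `openvpn --version` and reusing it for both keys. Neither call checks its exit status, so a rejected option would leave the server without its tls-crypt/tls-auth key file while the installer carries on; `openvpn --genkey secret /etc/openvpn/tls-crypt.key || return 1` would stop there. installOpenVPN's body starts and ends outside the hunk.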
From: Stanislas Lange Date: Mon, 21 Nov 2022 19:33:24 +0100 Subject: [PATCH 05/27] Revert "Use --genkey secret filename instead (#1059)" This reverts commit 0de56f8f335c74ad7de99c6165d1a8bc1d2e3149. --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c905976..64d8ed0 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -742,11 +742,11 @@ function installOpenVPN() { case $TLS_SIG in 1) # Generate tls-crypt key - openvpn --genkey secret /etc/openvpn/tls-crypt.key + openvpn --genkey --secret /etc/openvpn/tls-crypt.key ;; 2) # Generate tls-auth key - openvpn --genkey secret /etc/openvpn/tls-auth.key + openvpn --genkey --secret /etc/openvpn/tls-auth.key ;; esac else From d629791a95e308171ec003424fc7c197bb9b1e0c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Jan 2023 14:05:14 +0100 Subject: [PATCH 06/27] build(deps): bump actions/checkout from 3.1.0 to 3.2.0 (#1075) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.1.0...v3.2.0) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index b53d67f..7301cdf 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v3.1.0 + uses: actions/checkout@v3.2.0 - name: Lint Code Base uses: github/super-linter@v4.1.0 env: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d030f08..a869a1c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -19,7 +19,7 @@ jobs: - centos-7-x64 - centos-stream-8-x64 steps: - - uses: actions/checkout@v3.1.0 + - uses: actions/checkout@v3.2.0 - name: Setup doctl uses: digitalocean/action-doctl@v2 From 638b51168a9726be3d72253abcd18a0ed3cd6878 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Jan 2023 14:05:27 +0100 Subject: [PATCH 07/27] build(deps): bump appleboy/ssh-action from 0.1.5 to 0.1.6 (#1074) Bumps [appleboy/ssh-action](https://github.com/appleboy/ssh-action) from 0.1.5 to 0.1.6. - [Release notes](https://github.com/appleboy/ssh-action/releases) - [Commits](https://github.com/appleboy/ssh-action/compare/v0.1.5...v0.1.6) --- updated-dependencies: - dependency-name: appleboy/ssh-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/test.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a869a1c..af95572 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -49,7 +49,7 @@ jobs: - name: Setup remote server (Debian/Ubuntu) if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu' - uses: appleboy/ssh-action@v0.1.5 + uses: appleboy/ssh-action@v0.1.6 with: host: ${{ steps.server_ip.outputs.value }} username: root 
@@ -58,7 +58,7 @@ jobs: - name: Setup remote server (Fedora) if: steps.server_os.outputs.value == 'fedora' - uses: appleboy/ssh-action@v0.1.5 + uses: appleboy/ssh-action@v0.1.6 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -67,7 +67,7 @@ jobs: - name: Setup remote server (CentOS) if: steps.server_os.outputs.value == 'centos' - uses: appleboy/ssh-action@v0.1.5 + uses: appleboy/ssh-action@v0.1.6 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -75,7 +75,7 @@ jobs: script: set -x && yum install -y git - name: Download repo and checkout current commit - uses: appleboy/ssh-action@v0.1.5 + uses: appleboy/ssh-action@v0.1.6 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -83,7 +83,7 @@ jobs: script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} - name: Run openvpn-install.sh in headless mode - uses: appleboy/ssh-action@v0.1.5 + uses: appleboy/ssh-action@v0.1.6 with: host: ${{ steps.server_ip.outputs.value }} username: root From 8e427ee9c2ec47487fe12d0f11a2ff8ef0264c6f Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 3 Jan 2023 14:06:19 +0100 Subject: [PATCH 08/27] Delete .github/ISSUE_TEMPLATE directory --- .github/ISSUE_TEMPLATE/bug.yml | 74 ----------------------- .github/ISSUE_TEMPLATE/feature-request.md | 21 ------- 2 files changed, 95 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug.yml delete mode 100644 .github/ISSUE_TEMPLATE/feature-request.md diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml deleted file mode 100644 index 0eacdc9..0000000 --- a/.github/ISSUE_TEMPLATE/bug.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -name: Bug Report -description: File a bug report -title: "[Bug]: " -body: - - type: markdown - attributes: - value: | - Thanks for taking the time to fill out this bug report! - - **PLEASE** prioritise these communities before opening an issue. - - https://forums.openvpn.net - - https://stackoverflow.com/questions/tagged/openvpn - - https://github.com/angristan/openvpn-install/discussions - - ⚠️ **ANY ISSUE THAT IS NOT CLEARLY A BUG REPORT WILL BE CLOSED AND/OR CONVERTED TO A DISCUSSION.** - - - type: checkboxes - id: pre - attributes: - label: Make sure your check these beforehand! - description: Search before opening an issue. - options: - - label: Issues - https://github.com/angristan/openvpn-install/issues - required: true - - label: README and FAQ - https://github.com/angristan/openvpn-install - required: true - - label: Wiki - https://github.com/angristan/openvpn-install/wiki - required: true - - label: Discussions - https://github.com/angristan/openvpn-install/discussions - required: true - - - type: input - id: server - attributes: - label: Server OS - description: What OS is the OpenVPN server running on? - placeholder: Debian 10 - validations: - required: false - - - type: input - id: openvpn - attributes: - label: OpenVPN version - description: What OpenVPN version is running on your server? - placeholder: 2.5.0 - validations: - required: false - - - type: input - id: client - attributes: - label: Client - description: What OS and client are you using? Please specify the versions. - placeholder: Viscosity 1.10.1 on macOS 12.1 - validations: - required: false - - - type: textarea - id: issue - attributes: - label: What is the bug? - description: Also tell us, what did you expect to happen? - placeholder: Tell us what you see! - value: "A bug happened!" - validations: - required: true - - - type: textarea - id: logs - attributes: - label: Relevant log output - description: Please copy and paste any relevant log output. 
This will be automatically formatted into code, so no need for backticks. - render: shell diff --git a/.github/ISSUE_TEMPLATE/feature-request.md b/.github/ISSUE_TEMPLATE/feature-request.md deleted file mode 100644 index dcc367d..0000000 --- a/.github/ISSUE_TEMPLATE/feature-request.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project -title: "" -labels: "" -assignees: "" ---- - -**Checklist** - -- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) -- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) -- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) -- [ ] My issue is about the script, and not OpenVPN itself - - From 039ebaafe1ab862b9a362df3456b57d25cac961e Mon Sep 17 00:00:00 2001 From: xumia <59720581+xumia@users.noreply.github.com> Date: Tue, 3 Jan 2023 21:06:59 +0800 Subject: [PATCH 09/27] Fix the wrong client config when the certificate contains END string (#1067) --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 64d8ed0..4bdc587 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1125,7 +1125,7 @@ function newClient() { echo "" echo "" - awk '/BEGIN/,/END/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt" + awk '/BEGIN/,/END CERTIFICATE/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt" echo "" echo "" From 9b5361d32d3677ee8c4c6ad1bcf0991b92772010 Mon Sep 17 00:00:00 2001 From: Christian Ramelow Date: Tue, 3 Jan 2023 14:09:37 +0100 Subject: [PATCH 10/27] Adds the `--no-same-owner` flag to tar command (#1070) Close #1069 --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4bdc587..090c7a0 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
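Review bot: The range in the changed `awk` line still opens on the bare pattern `/BEGIN/`, so only the end of the range was tightened. Any text ahead of the PEM block that happens to contain the word BEGIN would start the copy early and put non-PEM lines into the generated client config. Anchoring both ends to the PEM markers keeps the two patterns symmetrical: `awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt"`. newClient's body starts and ends outside the hunk.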
@@ -705,7 +705,7 @@ function installOpenVPN() { local version="3.0.7" wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz mkdir -p /etc/openvpn/easy-rsa - tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa + tar xzf ~/easy-rsa.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/easy-rsa rm -f ~/easy-rsa.tgz cd /etc/openvpn/easy-rsa/ || return From 4ee44c8e468a9a7c7e6ea7fb9f0bb839e74bb73c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20St=C3=A1rek?= Date: Fri, 6 Jan 2023 21:33:54 +0100 Subject: [PATCH 11/27] Use DNS fallback to ifconfig.co (#1066) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jan Stárek --- openvpn-install.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 090c7a0..434b707 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -627,9 +627,13 @@ function installOpenVPN() { # Behind NAT, we'll default to the publicly reachable IPv4/IPv6. if [[ $IPV6_SUPPORT == "y" ]]; then - PUBLIC_IP=$(curl --retry 5 --retry-connrefused https://ifconfig.co) + if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://ifconfig.co) ; then + PUBLIC_IP=$(dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') + fi else - PUBLIC_IP=$(curl --retry 5 --retry-connrefused -4 https://ifconfig.co) + if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://ifconfig.co) ; then + PUBLIC_IP=$(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') + fi fi ENDPOINT=${ENDPOINT:-$PUBLIC_IP} fi From 2a57e89489974e9ace314283248a918aed8d2dd4 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Fri, 6 Jan 2023 21:39:02 +0100 Subject: [PATCH 12/27] Public IP detection: change provider Close #1076 #924 #1039 #925 --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
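Review bot: The archive unpacked by the changed `tar` line comes straight from `wget` and is extracted into `/etc/openvpn/easy-rsa` with no digest or signature check in between; `--no-same-owner` fixes file ownership, not provenance. Because this directory becomes the CA tooling, the expected SHA-256 should be pinned next to `version` and verified before extraction, e.g. `echo "<EXPECTED_SHA256>  $HOME/easy-rsa.tgz" | sha256sum -c - || return 1` (placeholder digest, to be filled from the release). The same applies to the `version` bump to 3.1.2 in PATCH 20, where a pinned digest would have to change with it. installOpenVPN's body continues outside the hunk.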
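Review bot: Whatever the HTTP service or the `dig` fallback returns is assigned to `PUBLIC_IP` and becomes the default `ENDPOINT` without being checked for the shape of an IP address, and the fallback pipeline reports the status of `tr`, so a failed or empty lookup goes unnoticed. The `dig` query is plain DNS, so its answer is unauthenticated. A guard after the closing `fi`, such as `[[ $PUBLIC_IP =~ ^[0-9A-Fa-f:.]+$ ]] || PUBLIC_IP=""`, would keep unexpected text out of the value and let the caller handle the empty case explicitly. PATCH 12 swaps the HTTP provider on the same two lines and leaves this unchanged. installOpenVPN's body starts and ends outside the hunk.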
diff --git a/openvpn-install.sh b/openvpn-install.sh index 434b707..7c6f741 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -627,11 +627,11 @@ function installOpenVPN() { # Behind NAT, we'll default to the publicly reachable IPv4/IPv6. if [[ $IPV6_SUPPORT == "y" ]]; then - if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://ifconfig.co) ; then + if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://ip.seeip.org); then PUBLIC_IP=$(dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') fi else - if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://ifconfig.co) ; then + if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://ip.seeip.org); then PUBLIC_IP=$(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') fi fi From 38d3bf9afa0733245a6b2eb7e149aaed54cddc67 Mon Sep 17 00:00:00 2001 From: s7r Date: Wed, 18 Jan 2023 22:05:09 +0000 Subject: [PATCH 13/27] Update FAQ with IPv6 prefix policies for ULA addresses (#1083) * Update FAQ with IPv6 prefix policies for ULA addresses Most operating systems will prefer IPv4 rather than IPv6 ULA, which defeats the purpose of redirect-gateway ipv6. It's nothing the script can do to automate this. --- FAQ.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/FAQ.md b/FAQ.md index 825a9ba..5acd78b 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -151,3 +151,25 @@ route 10.0.0.0 255.0.0.0 ``` So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet. + +--- + +**Q:** I have enabled IPv6 and my VPN client gets an IPv6 address. Why do I reach the websites or other dual-stacked destionations via IPv4 only? + +**A:** This is because inside the tunnel you don't get a publicly routable IPv6 address, instead you get an ULA (Unlique Local Lan) address. Operating systems don't prefer this all the time. You can fix this in your operating system policies as it's unrelated to the VPN itself: + +Windows (commands needs to run cmd.exe as Administrator): + +``` +netsh interface ipv6 add prefixpolicy fd00::/8 3 1 +``` + +Linux: + +edit `/etc/gai.conf` and uncomment the following line and also change its value to `1`: + +``` +label fc00::/7 1 +``` + +This will not work properly unless you add you your VPN server `server.conf` one or two lines to push at least 1 (one) IPv6 DNS server. Most providers have IPv6 servers as well, add two more lines of `push "dhcp-option DNS "` From 48f8c16d3a95a980329cf41b33f8f9e1605f8839 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:00:23 +0100 Subject: [PATCH 14/27] Add issue and PR templates --- .github/issue_template.md | 10 ++++++++++ .github/pull_request_template.md | 8 ++++++++ 2 files changed, 18 insertions(+) create mode 100644 .github/issue_template.md create mode 100644 .github/pull_request_template.md diff --git a/.github/issue_template.md b/.github/issue_template.md new file mode 100644 index 0000000..4d38a8d --- /dev/null +++ b/.github/issue_template.md @@ -0,0 +1,10 @@ + diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..d26ab9b --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,8 @@ + From 2d0eca1a1d16e796be1b8338bc52f768b5b0a305 Mon Sep 17 00:00:00 2001 
From: Stanislas Lange Date: Sat, 21 Jan 2023 23:06:44 +0100 Subject: [PATCH 15/27] Update issue/PR template + contributing guidelines --- .github/issue_template.md | 13 ++++++------- .github/pull_request_template.md | 11 +++++------ README.md | 4 ++++ 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/issue_template.md b/.github/issue_template.md index 4d38a8d..adfdb1a 100644 --- a/.github/issue_template.md +++ b/.github/issue_template.md @@ -1,10 +1,9 @@ diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index d26ab9b..43bed85 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,8 +1,7 @@ diff --git a/README.md b/README.md index 4e81f28..9fa1c18 100644 --- a/README.md +++ b/README.md @@ -192,6 +192,10 @@ Solutions that provision a ready to use OpenVPN server based on this script in o ## Contributing +## Discuss changes + +Please open an issue before submitting a PR if you want to discuss a change, especially if it's a big one. + ### Code formatting We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml). From 580c617d9844fbba82eb0f3fb92bfe5289781102 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:18:52 +0100 Subject: [PATCH 16/27] Update issue template --- .github/issue_template.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/issue_template.md b/.github/issue_template.md index adfdb1a..2166d42 100644 --- a/.github/issue_template.md +++ b/.github/issue_template.md 
@@ -5,5 +5,6 @@ 💡 It helps keep the issue tracker clean and focused on bugs and feature requests. 🙏 Please include as much information as possible, and make sure you're running the latest version of the script. +✍️ Please state the Linux distribution you're using and its version, as well as the OpenVPN version. ✋ For feature requests, remember that this script is meant to be simple and easy to use. If you want to add a lot of options, it's better to fork the project. ---> From 64cbbce0b7fd6c324c0d08c32ee961b9e8246f07 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:40:01 +0100 Subject: [PATCH 17/27] Add OpenVPN 2.5 notice to README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 9fa1c18..7dbba89 100644 --- a/README.md +++ b/README.md @@ -202,6 +202,9 @@ We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https:// ## Security and Encryption +> **Warning** +> This has not been updated for OpenVPN 2.5 and later. + OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that. OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, ECDH, AES GCM, NCP and tls-crypt. From 0ac1bf4f51716516d2817998fbbda005c616a09d Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:41:03 +0100 Subject: [PATCH 18/27] Format markdown table in readme --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 7dbba89..f38c0d3 100644 --- a/README.md +++ b/README.md 
@@ -118,17 +118,17 @@ The script supports these OS and architectures: | | i386 | amd64 | armhf | arm64 | | --------------- | ---- | ----- | ----- | ----- | -| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | -| Arch Linux | ❔ | ✅ | ❔ | ✅ | -| CentOS 7 | ✅ | ✅ | ✅ | ✅ | -| CentOS 8 | ❌ | ✅ | ❌ | ✅ | -| Debian >= 9 | ✅ | ✅ | ✅ | ✅ | -| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ | -| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ | -| Rocky Linux 8 | ❔ | ✅ | ❔ | ❔ | -| AlmaLinux 8 | ❌ | ✅ | ❌ | ❔ | +| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | +| Arch Linux | ❔ | ✅ | ❔ | ✅ | +| CentOS 7 | ✅ | ✅ | ✅ | ✅ | +| CentOS 8 | ❌ | ✅ | ❌ | ✅ | +| Debian >= 9 | ✅ | ✅ | ✅ | ✅ | +| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | +| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | +| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ | +| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ | +| Rocky Linux 8 | ❔ | ✅ | ❔ | ❔ | +| AlmaLinux 8 | ❌ | ✅ | ❌ | ❔ | To be noted: From ca8d58d5f0090a8c43a2e1a3b6577263843ef88a Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 00:06:05 +0100 Subject: [PATCH 19/27] Fix checkout in test workflow --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index af95572..b9b7747 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -80,7 +80,7 @@ jobs: host: ${{ steps.server_ip.outputs.value }} username: root key: ${{ secrets.SSH_KEY }} - script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} + script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.sha }} - name: Run openvpn-install.sh in headless mode uses: appleboy/ssh-action@v0.1.6 From 2f76bb5e40f6f41a5bb2928379499b74da93f653 Mon Sep 17 00:00:00 2001 
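Review bot: The clone URL in `script:` is hard-coded to `angristan/openvpn-install` while the revision to check out now comes from `${{ github.sha }}`, so the step only succeeds when that commit exists in the upstream repository; a run in a fork would fail at `git checkout`. Deriving the URL from the run keeps the two in step: `git clone https://github.com/${{ github.repository }}.git openvpn-install`. The step's `uses:` and `with:` lines are outside the hunk.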
From: Stanislas Lange Date: Sun, 22 Jan 2023 00:06:51 +0100 Subject: [PATCH 20/27] Update easy-rsa to 3.1.2 and fix compatibility with Ubuntu 22.04 Based on this patch by @zerodivisi0n: https://github.com/angristan/openvpn-install/issues/1000#issuecomment-1283484772 --- .github/workflows/test.yml | 1 + openvpn-install.sh | 12 +++++------- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b9b7747..4270574 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,6 +15,7 @@ jobs: - debian-11-x64 - ubuntu-18-04-x64 - ubuntu-20-04-x64 + - ubuntu-22-04-x64 - fedora-35-x64 - centos-7-x64 - centos-stream-8-x64 diff --git a/openvpn-install.sh b/openvpn-install.sh index 7c6f741..6bb39c5 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -706,7 +706,7 @@ function installOpenVPN() { # Install the latest version of easy-rsa from source, if not already installed. if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then - local version="3.0.7" + local version="3.1.2" wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz mkdir -p /etc/openvpn/easy-rsa tar xzf ~/easy-rsa.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/easy-rsa 
@@ -729,18 +729,16 @@ function installOpenVPN() { SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" echo "$SERVER_NAME" >SERVER_NAME_GENERATED - echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars - # Create the PKI, set up the CA, the DH params and the server certificate ./easyrsa init-pki - ./easyrsa --batch build-ca nopass + ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass if [[ $DH_TYPE == "2" ]]; then # ECDH keys are generated on-the-fly so we don't need to generate them beforehand openssl dhparam -out dh.pem $DH_KEY_SIZE fi - ./easyrsa build-server-full "$SERVER_NAME" nopass + ./easyrsa --batch build-server-full "$SERVER_NAME" nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl case $TLS_SIG in @@ -1087,11 +1085,11 @@ function newClient() { cd /etc/openvpn/easy-rsa/ || return case $PASS in 1) - ./easyrsa build-client-full "$CLIENT" nopass + ./easyrsa --batch build-client-full "$CLIENT" nopass ;; 2) echo "⚠️ You will be asked for the client password below ⚠️" - ./easyrsa build-client-full "$CLIENT" + ./easyrsa --batch build-client-full "$CLIENT" ;; esac echo "Client $CLIENT added." From d2556ff235e9daa5fa10245050c4432f03a0258f Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 00:57:26 +0100 Subject: [PATCH 21/27] Add support for CentOS 9 + update supported distributions --- .github/workflows/test.yml | 4 ++++ README.md | 33 +++++++++++++++++---------------- openvpn-install.sh | 2 +- 3 files changed, 22 insertions(+), 17 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4270574..4473eed 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
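Review bot: None of the `./easyrsa` calls touched by this patch check their exit status. In the PKI setup hunk a failed `build-ca` or `build-server-full` falls through to `gen-crl` and key generation, and in the newClient hunk the line after `esac` prints "Client $CLIENT added." whatever happened. With `--batch` now suppressing easy-rsa's interactive confirmations, a failed issuance is easier to miss. Following the `cd /etc/openvpn/easy-rsa/ || return` pattern already used here, `./easyrsa --batch build-client-full "$CLIENT" nopass || return 1` (and likewise for the other calls) would stop before later steps work from a missing key or certificate. Both function bodies start and end outside their hunks.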
@@ -17,8 +17,12 @@ jobs: - ubuntu-20-04-x64 - ubuntu-22-04-x64 - fedora-35-x64 + # - fedora-36-x64 + # - fedora-37-x64 + # dnf is broken: https://ask.fedoraproject.org/t/dnf-operations-use-large-amount-of-ram-and-may-fail-in-low-memory-environments/26427 - centos-7-x64 - centos-stream-8-x64 + - centos-stream-9-x64 steps: - uses: actions/checkout@v3.2.0 diff --git a/README.md b/README.md index f38c0d3..393b702 100644 --- a/README.md +++ b/README.md @@ -114,27 +114,28 @@ export PASS="1" ## Compatibility -The script supports these OS and architectures: +The script supports these Linux distributions: -| | i386 | amd64 | armhf | arm64 | -| --------------- | ---- | ----- | ----- | ----- | -| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | -| Arch Linux | ❔ | ✅ | ❔ | ✅ | -| CentOS 7 | ✅ | ✅ | ✅ | ✅ | -| CentOS 8 | ❌ | ✅ | ❌ | ✅ | -| Debian >= 9 | ✅ | ✅ | ✅ | ✅ | -| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ | -| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ | -| Rocky Linux 8 | ❔ | ✅ | ❔ | ❔ | -| AlmaLinux 8 | ❌ | ✅ | ❌ | ❔ | +| | Support | +| ------------------ | ------- | +| AlmaLinux 8 | ✅ | +| Amazon Linux 2 | ✅ | +| Arch Linux | ✅ | +| CentOS 7 | ✅ 🤖 | +| CentOS Stream >= 8 | ✅ 🤖 | +| Debian >= 10 | ✅ 🤖 | +| Fedora >= 35 | ✅ 🤖 | +| Oracle Linux 8 | ✅ | +| Rocky Linux 8 | ✅ | +| Ubuntu >= 18.04 | ✅ 🤖 | To be noted: -- It should work on Debian 8+ and Ubuntu 16.04+. But versions not in the table above are not officially supported. +- The script is regularly tested against the distributions marked with a 🤖 only. + - It's only test on `amd64` architecture. +- It should work on older versions such as Debian 8+, Ubuntu 16.04+ and previous Fedora releases. But versions not in the table above are not officially supported. + - It should also support versions between the LTS versions, but these are not tested. - The script requires `systemd`. -- The script is regularly tested against `amd64` only. ## Fork 
diff --git a/openvpn-install.sh b/openvpn-install.sh index 6bb39c5..c47e08f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -57,7 +57,7 @@ function checkOS() { fi if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then OS="centos" - if [[ ! $VERSION_ID =~ (7|8) ]]; then + if [[ $VERSION_ID -lt 7 ]]; then echo "⚠️ Your version of CentOS is not supported." echo "" echo "The script only support CentOS 7 and CentOS 8." From 33fe6af1315cf1f5a43397bf65341e683deac463 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 01:55:06 +0100 Subject: [PATCH 22/27] Update cloud providers --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 393b702..b856e95 100644 --- a/README.md +++ b/README.md @@ -151,10 +151,9 @@ More Q&A in [FAQ.md](FAQ.md). **A:** I recommend these: -- [Vultr](https://www.vultr.com/?ref=8537055-6G): Worldwide locations, IPv6 support, starting at \$3.50/month -- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month -- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month -- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month +- [Vultr](https://www.vultr.com/?ref=8948982-8H): Worldwide locations, IPv6 support, starting at \$5/month +- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, Finland and USA. IPv6, 20 TB of traffic, starting at 4.5€/month +- [Digital Ocean](https://m.do.co/c/ed0ba143fe53): Worldwide locations, IPv6 support, starting at \$4/month --- From d096f7a3a24063cade1c9b0c0a4cb4d0e1aea457 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 16:42:48 +0100 Subject: [PATCH 23/27] Add star history --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index b856e95..d3e3037 100644 --- a/README.md +++ b/README.md 
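Review bot: The version test now accepts every release from 7 upward, but the message two lines below still reads "The script only support CentOS 7 and CentOS 8.", so what an unsupported user is told no longer matches the check. Something like `echo "The script only supports CentOS 7 and later."` would keep them aligned; the same stale line is still context in PATCH 26. `-lt` is an integer comparison while `VERSION_ID` on Rocky or AlmaLinux can carry a minor component, which PATCH 26 later on this page deals with. checkOS's body starts and ends outside the hunk.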
@@ -353,3 +353,7 @@ You can [say thanks](https://saythanks.io/to/angristan) if you want! Many thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and Nyr's original work. This project is under the [MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install/master/LICENSE) + +## Star History + +[![Star History Chart](https://api.star-history.com/svg?repos=angristan/openvpn-install&type=Date)](https://star-history.com/#angristan/openvpn-install&Date) From 80feebed16b3baa5979f764ee3272443f2fe08e6 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 16:43:13 +0100 Subject: [PATCH 24/27] Remove visitors badge --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index d3e3037..fba65c8 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,6 @@ ![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg) ![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg) -![visitors](https://visitor-badge.glitch.me/badge?page_id=angristan.openvpn-install) [![Say Thanks!](https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg)](https://saythanks.io/to/angristan) OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Arch Linux, Oracle Linux, Rocky Linux and AlmaLinux. From 1a249c621d63aa16f95b59673df8ae5c64d3c002 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 20 Nov 2023 21:14:04 +0100 Subject: [PATCH 25/27] ci: test workflow server images update (#1183) * test ci * remove ubuntu 18.04 * remove fedora 35 and add 37 38 * disable centos stream 9, add debian 12 --- .github/workflows/test.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4473eed..71ea00a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,6 +2,7 @@ on: push: branches: - master + - ci name: Test jobs: 
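Review bot: The `- ci` entry added under `on.push.branches` in the `.github/workflows/test.yml` hunk (`@@ -2,6 +2,7 @@`) looks like a leftover from the "test ci" step listed in the commit body rather than a trigger meant to stay. Once merged, any push to a branch named `ci` runs the whole test matrix with the same permissions as a push to `master`. If the job provisions servers using repository secrets (not visible in this hunk), that is a second, less obvious path to those credentials and to billable resources. I would drop the line before merging. If it is kept deliberately, say so in place, e.g. `# ci: scratch branch for exercising this workflow before merging to master`.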
@@ -13,16 +14,14 @@ jobs: os-image: - debian-10-x64 - debian-11-x64 - - ubuntu-18-04-x64 + - debian-12-x64 - ubuntu-20-04-x64 - ubuntu-22-04-x64 - - fedora-35-x64 - # - fedora-36-x64 - # - fedora-37-x64 - # dnf is broken: https://ask.fedoraproject.org/t/dnf-operations-use-large-amount-of-ram-and-may-fail-in-low-memory-environments/26427 + - fedora-37-x64 + - fedora-38-x64 - centos-7-x64 - centos-stream-8-x64 - - centos-stream-9-x64 + # - centos-stream-9-x64 # yum oomkill steps: - uses: actions/checkout@v3.2.0 From 651e36c6cb0359ab7f4e699e2c71d3917acba69c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Salbe=C3=AF?= Date: Mon, 20 Nov 2023 21:19:13 +0100 Subject: [PATCH 26/27] Fix syntax error on Rocky Linux version check (#1182) Co-authored-by: David Salbei --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c47e08f..06ad608 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -57,7 +57,7 @@ function checkOS() { fi if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then OS="centos" - if [[ $VERSION_ID -lt 7 ]]; then + if [[ ${VERSION_ID%.*} -lt 7 ]]; then echo "⚠️ Your version of CentOS is not supported." echo "" echo "The script only support CentOS 7 and CentOS 8." From 5a4b31bd0d711da5df5febc944167b3cdb0a28bf Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 20 Nov 2023 21:21:51 +0100 Subject: [PATCH 27/27] Fix typo in README --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index fba65c8..dd83d6a 100644 --- a/README.md +++ b/README.md 
@@ -117,21 +117,21 @@ The script supports these Linux distributions: | | Support | | ------------------ | ------- | -| AlmaLinux 8 | ✅ | -| Amazon Linux 2 | ✅ | -| Arch Linux | ✅ | -| CentOS 7 | ✅ 🤖 | -| CentOS Stream >= 8 | ✅ 🤖 | -| Debian >= 10 | ✅ 🤖 | -| Fedora >= 35 | ✅ 🤖 | -| Oracle Linux 8 | ✅ | -| Rocky Linux 8 | ✅ | -| Ubuntu >= 18.04 | ✅ 🤖 | +| AlmaLinux 8 | ✅ | +| Amazon Linux 2 | ✅ | +| Arch Linux | ✅ | +| CentOS 7 | ✅ 🤖 | +| CentOS Stream >= 8 | ✅ 🤖 | +| Debian >= 10 | ✅ 🤖 | +| Fedora >= 35 | ✅ 🤖 | +| Oracle Linux 8 | ✅ | +| Rocky Linux 8 | ✅ | +| Ubuntu >= 18.04 | ✅ 🤖 | To be noted: - The script is regularly tested against the distributions marked with a 🤖 only. - - It's only test on `amd64` architecture. + - It's only tested on `amd64` architecture. - It should work on older versions such as Debian 8+, Ubuntu 16.04+ and previous Fedora releases. But versions not in the table above are not officially supported. - It should also support versions between the LTS versions, but these are not tested. - The script requires `systemd`.