From 71bb6e8371e0c9b03ace8c88e7e4834808239a11 Mon Sep 17 00:00:00 2001
From: Timofey Vasenin <timofey.vasenin@gmail.com>
Date: Mon, 7 May 2018 23:50:01 +0700
Subject: [PATCH 01/12] Remove unneeded -r argument from some rm commands

Backport the relevant part of:
https://github.com/Nyr/openvpn-install/commit/d7173537692df686afa26e74c456aede8bc569f3
---
 openvpn-install.sh | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 1b6af00..d0c3215 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -140,14 +140,14 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 			cd /etc/openvpn/easy-rsa/
 			./easyrsa --batch revoke $CLIENT
 			EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
-			rm -rf pki/reqs/$CLIENT.req
-			rm -rf pki/private/$CLIENT.key
-			rm -rf pki/issued/$CLIENT.crt
-			rm -rf /etc/openvpn/crl.pem
+			rm -f pki/reqs/$CLIENT.req
+			rm -f pki/private/$CLIENT.key
+			rm -f pki/issued/$CLIENT.crt
+			rm -f /etc/openvpn/crl.pem
 			cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
 			chmod 644 /etc/openvpn/crl.pem
-			rm -rf $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
-			rm -rf /root/$CLIENT.ovpn 2>/dev/null
+			rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
+			rm -f /root/$CLIENT.ovpn 2>/dev/null
 			echo ""
 			echo "Certificate for client $CLIENT revoked"
 			echo "Exiting..."
@@ -470,7 +470,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 	mv ~/EasyRSA-3.0.4/ /etc/openvpn/
 	mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
 	chown -R root:root /etc/openvpn/easy-rsa/
-	rm -rf ~/EasyRSA-3.0.4.tgz
+	rm -f ~/EasyRSA-3.0.4.tgz
 	cd /etc/openvpn/easy-rsa/
 	# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
 	SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"

From 2f6821d778779bb38dbb52915752980a7c46cedc Mon Sep 17 00:00:00 2001
From: Stanislas <stanislas.lange@oxalide.com>
Date: Tue, 8 May 2018 20:53:57 +0200
Subject: [PATCH 02/12] Add support for Ubuntu 18.04

---
 README.md          | 1 +
 openvpn-install.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 71ead65..7ffa7b3 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@ The script is made to work on these OS and architectures :
 - **Ubuntu 14.04 LTS** (i386, amd64)
 - **Ubuntu 16.04 LTS** (i386, amd64, armhf)
 - **Ubuntu 17.10** (i386, amd64, armhf, arm64)
+- **Ubuntu 18.04 LTS** (i386, amd64, armhf, arm64)
 - **Fedora 25** (amd64)
 - **Fedora 26** (amd64)
 - **Fedora 27** (amd64)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index d0c3215..645da2e 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then
 	VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
 	IPTABLES='/etc/iptables/iptables.rules'
 	SYSCTL='/etc/sysctl.conf'
-	if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]]; then
+	if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then
 		echo "Your version of Debian/Ubuntu is not supported."
 		echo "I can't install a recent version of OpenVPN on your system."
 		echo ""

From b3fba4fddcd5797cf64237fe66451ef679ca6426 Mon Sep 17 00:00:00 2001
From: Timofey Vasenin <timofey.vasenin@gmail.com>
Date: Wed, 9 May 2018 02:01:32 +0700
Subject: [PATCH 03/12] [backport] Fix system resolvers option for environments
 running systemd-resolved (#214)

---
 openvpn-install.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 645da2e..c960034 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -510,8 +510,15 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 	# DNS resolvers
 	case $DNS in
 		1)
+		# Locate the proper resolv.conf
+		# Needed for systems running systemd-resolved
+		if grep -q "127.0.0.53" "/etc/resolv.conf"; then
+			RESOLVCONF='/run/systemd/resolve/resolv.conf'
+		else
+			RESOLVCONF='/etc/resolv.conf'
+		fi
 		# Obtain the resolvers from resolv.conf and use them for OpenVPN
-		grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
+		grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
 			echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
 		done
 		;;

From d2a3b3bec673cdb010860e5075e17bf7fb4f1c40 Mon Sep 17 00:00:00 2001
From: Timofey Vasenin <timofey.vasenin@gmail.com>
Date: Wed, 9 May 2018 02:23:36 +0700
Subject: [PATCH 04/12] Backport improvements of external IP handling (#213)

* [backport] Remove IP address detection fallback

It was never used, the one-liner is enough.

* [backport] Improve NAT detection

Cleaner and better:
- Not relying in an external service
- Avoids a false positive when the server has multiple public IPv4
addresses and the user selects one which is not the default gateway
---
 openvpn-install.sh | 31 +++++++++++--------------------
 1 file changed, 11 insertions(+), 20 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index c960034..93ca3c5 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -83,13 +83,6 @@ newclient () {
 	echo "</tls-auth>" >> $homeDir/$1.ovpn
 }
 
-# Try to get our IP from the system and fallback to the Internet.
-# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
-# and to avoid getting an IPv6.
-IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
-if [[ "$IP" = "" ]]; then
-	IP=$(wget -qO- ipv4.icanhazip.com)
-fi
 # Get Internet network interface with default route
 NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
 
@@ -220,10 +213,18 @@ else
 	echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
 	echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
 	echo "Otherwise, it should be your public IPv4 address."
+	# Autodetect IP address and pre-fill for the user
+	IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
 	read -p "IP address: " -e -i $IP IP
 	echo ""
 	echo "What port do you want for OpenVPN?"
 	read -p "Port: " -e -i 1194 PORT
+	# If $IP is a private IP address, the server must be behind NAT
+	if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
+		echo ""
+		echo "This server is behind NAT. What is the public IPv4 address or hostname?"
+		read -p "Public IP address / hostname: " -e PUBLICIP
+	fi
 	echo ""
 	echo "What protocol do you want for OpenVPN?"
 	echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
@@ -661,19 +662,9 @@ verb 3" >> /etc/openvpn/server.conf
 			chkconfig openvpn on
 		fi
 	fi
-	# Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users
-	EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
-	if [[ "$IP" != "$EXTERNALIP" ]]; then
-		echo ""
-		echo "Looks like your server is behind a NAT!"
-		echo ""
-        echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
-        echo "then I need to know the address that can be used to access it from outside."
-        echo "If that's not the case, just ignore this and leave the next field blank"
-        read -p "External IP or domain name: " -e USEREXTERNALIP
-		if [[ "$USEREXTERNALIP" != "" ]]; then
-			IP=$USEREXTERNALIP
-		fi
+	# If the server is behind a NAT, use the correct IP address
+	if [[ "$PUBLICIP" != "" ]]; then
+		IP=$PUBLICIP
 	fi
 	# client-template.txt is created so we have a template to add further users later
 	echo "client" > /etc/openvpn/client-template.txt

From 6cecc16f0db54b4a81383f5e0a80b67ee244c113 Mon Sep 17 00:00:00 2001
From: Angristan <Angristan@users.noreply.github.com>
Date: Thu, 10 May 2018 00:29:05 +0200
Subject: [PATCH 05/12] Fixes #217 "Package 'gpg' has no installation
 candidate"

---
 openvpn-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 93ca3c5..cc05a99 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -336,7 +336,7 @@ else
 	read -n1 -r -p "Press any key to continue..."
 
 	if [[ "$OS" = 'debian' ]]; then
-		apt-get install ca-certificates gpg -y
+		apt-get install ca-certificates gnupg -y
 		# We add the OpenVPN repo to get the latest version.
 		# Debian 7
 		if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then

From b8f0b44c55861a2805b48f080ac24200648afa35 Mon Sep 17 00:00:00 2001
From: Jebtrix <Jebtrix@users.noreply.github.com>
Date: Tue, 29 May 2018 04:18:24 -0400
Subject: [PATCH 06/12] [FIX] Unable to select AdGuard DNS choice (#228)

---
 openvpn-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index cc05a99..e74d854 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -242,8 +242,8 @@ else
 	echo "   7) Google (Anycast: worldwide)"
 	echo "   8) Yandex Basic (Russia)"
 	echo "   9) AdGuard DNS (Russia)"
-	while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" ]]; do
-		read -p "DNS [1-8]: " -e -i 1 DNS
+	while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" && $DNS != "9" ]]; do
+		read -p "DNS [1-9]: " -e -i 1 DNS
 	done
 	echo ""
 	echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "

From c42b028538b38a4aa8973565e05903fdde0b9a91 Mon Sep 17 00:00:00 2001
From: cezar97 <cezar97@protonmail.com>
Date: Fri, 6 Jul 2018 01:25:57 +0300
Subject: [PATCH 07/12] Add "Check for DNS leaks" paragraph in README (#242)

---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/README.md b/README.md
index 7ffa7b3..21b1a3f 100644
--- a/README.md
+++ b/README.md
@@ -255,6 +255,10 @@ SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used.
 
 TLS-Auth is not enabled by default by OpenVPN, but it is in this script.
 
+## Check for DNS leaks
+
+Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
+
 ## Say thanks
 
 You can [say thanks](https://saythanks.io/to/Angristan) if you want!

From 63ac18075d07a1c944e9b4e08ba6e01b99c9cf2e Mon Sep 17 00:00:00 2001
From: cezar97 <cezar97@protonmail.com>
Date: Fri, 6 Jul 2018 23:11:22 +0300
Subject: [PATCH 08/12] Add quad9 secondary DNS (#248)

See https://www.quad9.net/faq/#Is_there_a_service_that_Quad9_offers_that_does_not_have_the_blocklist_or_other_security.
---
 openvpn-install.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index e74d854..44647c5 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -529,6 +529,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 		;;
 		3) # Quad9
 		echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
+		echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf
 		;;
 		4) # FDN
 		echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf

From 5501de73c8742bef58aa62685ca4c898cae2e616 Mon Sep 17 00:00:00 2001
From: Sayem Chowdhury <sayem314@gmail.com>
Date: Sun, 15 Jul 2018 15:25:59 +0600
Subject: [PATCH 09/12] Improved code (#243)

---
 openvpn-install.sh | 130 +++++++++++++++++++++++++++------------------
 1 file changed, 78 insertions(+), 52 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 44647c5..046b319 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -4,16 +4,19 @@
 # https://github.com/Angristan/OpenVPN-install
 
 
+# Verify root
 if [[ "$EUID" -ne 0 ]]; then
 	echo "Sorry, you need to run this as root"
 	exit 1
 fi
 
+# Verify tun
 if [[ ! -e /dev/net/tun ]]; then
 	echo "TUN is not available"
 	exit 2
 fi
 
+# Check if CentOS 5
 if grep -qs "CentOS release 5" "/etc/redhat-release"; then
 	echo "CentOS 5 is too old and not supported"
 	exit 3
@@ -22,7 +25,7 @@ fi
 if [[ -e /etc/debian_version ]]; then
 	OS="debian"
 	# Getting the version number, to verify that a recent version of OpenVPN is available
-	VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
+	VERSION_ID=$(grep "VERSION_ID" /etc/os-release)
 	IPTABLES='/etc/iptables/iptables.rules'
 	SYSCTL='/etc/sysctl.conf'
 	if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then
@@ -33,7 +36,7 @@ if [[ -e /etc/debian_version ]]; then
 		echo "then you can continue, a recent version of OpenVPN is available on these."
 		echo "Keep in mind they are not supported, though."
 		while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
-			read -p "Continue ? [y/n]: " -e CONTINUE
+			read -rp "Continue ? [y/n]: " -e CONTINUE
 		done
 		if [[ "$CONTINUE" = "n" ]]; then
 			echo "Ok, bye !"
@@ -59,28 +62,33 @@ fi
 
 newclient () {
 	# Where to write the custom client.ovpn?
-	if [ -e /home/$1 ]; then  # if $1 is a user name
+	if [ -e "/home/$1" ]; then  # if $1 is a user name
 		homeDir="/home/$1"
-	elif [ ${SUDO_USER} ]; then   # if not, use SUDO_USER
+	elif [ "${SUDO_USER}" ]; then   # if not, use SUDO_USER
 		homeDir="/home/${SUDO_USER}"
 	else  # if not SUDO_USER, use /root
 		homeDir="/root"
 	fi
 	# Generates the custom client.ovpn
-	cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn
-	echo "<ca>" >> $homeDir/$1.ovpn
-	cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn
-	echo "</ca>" >> $homeDir/$1.ovpn
-	echo "<cert>" >> $homeDir/$1.ovpn
-	cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn
-	echo "</cert>" >> $homeDir/$1.ovpn
-	echo "<key>" >> $homeDir/$1.ovpn
-	cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn
-	echo "</key>" >> $homeDir/$1.ovpn
-	echo "key-direction 1" >> $homeDir/$1.ovpn
-	echo "<tls-auth>" >> $homeDir/$1.ovpn
-	cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn
-	echo "</tls-auth>" >> $homeDir/$1.ovpn
+	cp /etc/openvpn/client-template.txt "$homeDir/$1.ovpn"
+	{
+		echo "<ca>"
+		cat "/etc/openvpn/easy-rsa/pki/ca.crt"
+		echo "</ca>"
+
+		echo "<cert>"
+		cat "/etc/openvpn/easy-rsa/pki/issued/$1.crt"
+		echo "</cert>"
+
+		echo "<key>"
+		cat "/etc/openvpn/easy-rsa/pki/private/$1.key"
+		echo "</key>"
+		echo "key-direction 1"
+
+		echo "<tls-auth>"
+		cat "/etc/openvpn/tls-auth.key"
+		echo "</tls-auth>"
+	} >> "$homeDir/$1.ovpn"
 }
 
 # Get Internet network interface with default route
@@ -94,22 +102,27 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 		echo ""
 		echo "Looks like OpenVPN is already installed"
 		echo ""
+
 		echo "What do you want to do?"
 		echo "   1) Add a cert for a new user"
 		echo "   2) Revoke existing user cert"
 		echo "   3) Remove OpenVPN"
 		echo "   4) Exit"
-		read -p "Select an option [1-4]: " option
+		read -rp "Select an option [1-4]: " option
+
 		case $option in
 			1)
 			echo ""
 			echo "Tell me a name for the client cert"
 			echo "Please, use one word only, no special characters"
-			read -p "Client name: " -e -i newclient CLIENT
-			cd /etc/openvpn/easy-rsa/
+			read -rp "Client name: " -e -i newclient CLIENT
+
+			cd /etc/openvpn/easy-rsa/ || return
 			./easyrsa build-client-full $CLIENT nopass
+
 			# Generates the custom client.ovpn
 			newclient "$CLIENT"
+
 			echo ""
 			echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
 			exit
@@ -121,16 +134,18 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 				echo "You have no existing clients!"
 				exit 5
 			fi
+
 			echo ""
 			echo "Select the existing client certificate you want to revoke"
 			tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
 			if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
-				read -p "Select one client [1]: " CLIENTNUMBER
+				read -rp "Select one client [1]: " CLIENTNUMBER
 			else
-				read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
+				read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
 			fi
+
 			CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
-			cd /etc/openvpn/easy-rsa/
+			cd /etc/openvpn/easy-rsa/ || return
 			./easyrsa --batch revoke $CLIENT
 			EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 			rm -f pki/reqs/$CLIENT.req
@@ -141,6 +156,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 			chmod 644 /etc/openvpn/crl.pem
 			rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
 			rm -f /root/$CLIENT.ovpn 2>/dev/null
+
 			echo ""
 			echo "Certificate for client $CLIENT revoked"
 			echo "Exiting..."
@@ -148,7 +164,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 			;;
 			3)
 			echo ""
-			read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
+			read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
 			if [[ "$REMOVE" = 'y' ]]; then
 				PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
 				if pgrep firewalld; then
@@ -206,6 +222,7 @@ else
 	clear
 	echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
 	echo ""
+
 	# OpenVPN setup and first user creation
 	echo "I need to ask you a few questions before starting the setup"
 	echo "You can leave the default options and just press enter if you are ok with them"
@@ -213,23 +230,25 @@ else
 	echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
 	echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
 	echo "Otherwise, it should be your public IPv4 address."
+
 	# Autodetect IP address and pre-fill for the user
 	IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
-	read -p "IP address: " -e -i $IP IP
+	read -rp "IP address: " -e -i $IP IP
 	echo ""
 	echo "What port do you want for OpenVPN?"
-	read -p "Port: " -e -i 1194 PORT
+	read -rp "Port: " -e -i 1194 PORT
+
 	# If $IP is a private IP address, the server must be behind NAT
 	if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
 		echo ""
 		echo "This server is behind NAT. What is the public IPv4 address or hostname?"
-		read -p "Public IP address / hostname: " -e PUBLICIP
+		read -rp "Public IP address / hostname: " -e PUBLICIP
 	fi
 	echo ""
 	echo "What protocol do you want for OpenVPN?"
 	echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
-	while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do
-		read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
+	until [[ "$PROTOCOL" == "UDP" || "$PROTOCOL" == "TCP" ]]; do
+		read -rp "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
 	done
 	echo ""
 	echo "What DNS do you want to use with the VPN?"
@@ -242,8 +261,8 @@ else
 	echo "   7) Google (Anycast: worldwide)"
 	echo "   8) Yandex Basic (Russia)"
 	echo "   9) AdGuard DNS (Russia)"
-	while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" && $DNS != "9" ]]; do
-		read -p "DNS [1-9]: " -e -i 1 DNS
+	until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]; do
+		read -rp "DNS [1-9]: " -e -i 1 DNS
 	done
 	echo ""
 	echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
@@ -261,8 +280,8 @@ else
 	echo "   5) CAMELLIA-192-CBC"
 	echo "   6) CAMELLIA-256-CBC"
 	echo "   7) SEED-CBC"
-	while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do
-		read -p "Cipher [1-7]: " -e -i 1 CIPHER
+	until [[ "$CIPHER" =~ ^[0-9]+$ ]] && [ "$CIPHER" -ge 1 -a "$CIPHER" -le 7 ]; do
+		read -rp "Cipher [1-7]: " -e -i 1 CIPHER
 	done
 	case $CIPHER in
 		1)
@@ -292,8 +311,8 @@ else
 	echo "   1) 2048 bits (fastest)"
 	echo "   2) 3072 bits (recommended, best compromise)"
 	echo "   3) 4096 bits (most secure)"
-	while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do
-		read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
+	until [[ "$DH_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$DH_KEY_SIZE" -ge 1 -a "$DH_KEY_SIZE" -le 3 ]; do
+		read -rp "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
 	done
 	case $DH_KEY_SIZE in
 		1)
@@ -311,8 +330,8 @@ else
 	echo "   1) 2048 bits (fastest)"
 	echo "   2) 3072 bits (recommended, best compromise)"
 	echo "   3) 4096 bits (most secure)"
-	while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do
-		read -p "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE
+	until [[ "$RSA_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE" -ge 1 -a "$RSA_KEY_SIZE" -le 3 ]; do
+		read -rp "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE
 	done
 	case $RSA_KEY_SIZE in
 		1)
@@ -329,7 +348,9 @@ else
 	echo "Finally, tell me a name for the client certificate and configuration"
 	while [[ $CLIENT = "" ]]; do
 		echo "Please, use one word only, no special characters"
-		read -p "Client name: " -e -i client CLIENT
+		read -rp "Client name: " -e -i client CLIENT
+		# Remove special characters
+		CLIENT=$(echo $CLIENT | tr -dc '[:alnum:]\n\r')
 	done
 	echo ""
 	echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
@@ -437,8 +458,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 		echo "Not doing that could cause problems between dependencies, or missing files in repositories."
 		echo ""
 		echo "Continuing will update your installed packages and install needed ones."
-		while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
-			read -p "Continue ? [y/n]: " -e -i y CONTINUE
+		until [[ $CONTINUE == "y" || $CONTINUE == "n" ]]; do
+			read -rp "Continue ? [y/n]: " -e -i y CONTINUE
 		done
 		if [[ "$CONTINUE" = "n" ]]; then
 			echo "Ok, bye !"
@@ -472,10 +493,10 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 	mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
 	chown -R root:root /etc/openvpn/easy-rsa/
 	rm -f ~/EasyRSA-3.0.4.tgz
-	cd /etc/openvpn/easy-rsa/
+	cd /etc/openvpn/easy-rsa/ || return
 	# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
-	SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
-	SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
+	SERVER_CN="cn_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)"
+	SERVER_NAME="server_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)"
 	echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
 	echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
 	# Create the PKI, set up the CA, the DH params and the server + client certificates
@@ -494,11 +515,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 
 	# Generate server.conf
 	echo "port $PORT" > /etc/openvpn/server.conf
-	if [[ "$PROTOCOL" = 'UDP' ]]; then
-		echo "proto udp" >> /etc/openvpn/server.conf
-	elif [[ "$PROTOCOL" = 'TCP' ]]; then
-		echo "proto tcp" >> /etc/openvpn/server.conf
-	fi
+	echo "proto $(echo $PROTOCOL | tr '[:upper:]' '[:lower:]')" >> /etc/openvpn/server.conf
 	echo "dev tun
 user nobody
 group $NOGROUP
@@ -519,7 +536,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 			RESOLVCONF='/etc/resolv.conf'
 		fi
 		# Obtain the resolvers from resolv.conf and use them for OpenVPN
-		grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
+		grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
 			echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
 		done
 		;;
@@ -556,7 +573,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
 		;;
 	esac
-echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
+echo 'push "redirect-gateway def1 bypass-dhcp" ' >> /etc/openvpn/server.conf
 echo "crl-verify crl.pem
 ca ca.crt
 cert $SERVER_NAME.crt
@@ -581,12 +598,16 @@ verb 3" >> /etc/openvpn/server.conf
 	if ! grep -q "\<net.ipv4.ip_forward\>" $SYSCTL; then
 		echo 'net.ipv4.ip_forward=1' >> $SYSCTL
 	fi
+
 	# Avoid an unneeded reboot
 	echo 1 > /proc/sys/net/ipv4/ip_forward
+
 	# Set NAT for the VPN subnet
 	iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
+
 	# Save persitent iptables rules
 	iptables-save > $IPTABLES
+
 	if pgrep firewalld; then
 		# We don't use --add-service=openvpn because that would only work with
 		# the default port. Using both permanent and not permanent rules to
@@ -601,6 +622,7 @@ verb 3" >> /etc/openvpn/server.conf
 		firewall-cmd --zone=trusted --add-source=10.8.0.0/24
 		firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
 	fi
+
 	if iptables -L -n | grep -qE 'REJECT|DROP'; then
 		# If iptables has at least one REJECT rule, we asume this is needed.
 		# Not the best approach but I can't think of other and this shouldn't
@@ -613,8 +635,9 @@ verb 3" >> /etc/openvpn/server.conf
 		iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
 		iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 		# Save persitent OpenVPN rules
-        iptables-save > $IPTABLES
+		iptables-save > $IPTABLES
 	fi
+
 	# If SELinux is enabled and a custom port was selected, we need this
 	if hash sestatus 2>/dev/null; then
 		if sestatus | grep "Current mode" | grep -qs "enforcing"; then
@@ -631,6 +654,7 @@ verb 3" >> /etc/openvpn/server.conf
 			fi
 		fi
 	fi
+
 	# And finally, restart OpenVPN
 	if [[ "$OS" = 'debian' ]]; then
 		# Little hack to check for systemd
@@ -663,10 +687,12 @@ verb 3" >> /etc/openvpn/server.conf
 			chkconfig openvpn on
 		fi
 	fi
+
 	# If the server is behind a NAT, use the correct IP address
 	if [[ "$PUBLICIP" != "" ]]; then
 		IP=$PUBLICIP
 	fi
+	
 	# client-template.txt is created so we have a template to add further users later
 	echo "client" > /etc/openvpn/client-template.txt
 	if [[ "$PROTOCOL" = 'UDP' ]]; then

From 1c7e06ed07b13237a0665d960a1e0592ba2a4105 Mon Sep 17 00:00:00 2001
From: Sam Mingo <github@jake8us.org>
Date: Sat, 11 Aug 2018 16:33:07 -0400
Subject: [PATCH 10/12] Update README.md (#268)

Fixed typos + phrasing
---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 21b1a3f..0a2a5cf 100644
--- a/README.md
+++ b/README.md
@@ -40,11 +40,11 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
 
 This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install).
 
-I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and espicially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are unsecure. See [#encryption](#encryption).
+I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and especially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are insecure. See [#encryption](#encryption).
 
 Also, Nyr and myself clearly have not the same point of view regarding this script, that's why it's a fork.
 
-The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only availble since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibilty](#compatibility).
+The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only available since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibility](#compatibility).
 
 On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. However I don't see why you would use an outdated client.
 
@@ -186,7 +186,7 @@ The [SWEET32 vulnerability page](https://community.openvpn.net/openvpn/wiki/SWEE
 
 Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted.
 
-As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an exemple about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477).
+As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an example about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477).
 
 Currently AES is only available in its CBC mode, which is weaker than GCM.
 
@@ -214,7 +214,7 @@ Thus, the best data channel cipher currently available in OpenVPN is `AES-128-CB
 
 ### Control channel's cipher
 
-According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is unsecure.
+According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is insecure.
 
 > The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer running at least OpenVPN 2.3.3:
 - TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
@@ -230,7 +230,7 @@ Thus, I have chosen `TLS-DHE-RSA-WITH-AES-128-GCM-SHA256` as the control channel
 
 OpenVPN uses a 2048 bits DH key [by default](https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example#L97).
 
-2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommened today, but 3072 bits is still good.
+2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommended today, but 3072 bits is still good.
 
 In OpenVPN 2.4, we will be able to use ECDH key. It uses elliptic curves instead of prime numbers' factorization for a reduced key size and calculation time, thus it's faster and more secure.
 

From df172b962d40483d9d950bf988e9fef62ea62ad5 Mon Sep 17 00:00:00 2001
From: Jebtrix <Jebtrix@users.noreply.github.com>
Date: Sat, 18 Aug 2018 09:57:24 -0400
Subject: [PATCH 11/12] Add option to generate random port in private port
 range (#229)

---
 openvpn-install.sh | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 046b319..df5b77d 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -236,7 +236,27 @@ else
 	read -rp "IP address: " -e -i $IP IP
 	echo ""
 	echo "What port do you want for OpenVPN?"
-	read -rp "Port: " -e -i 1194 PORT
+	echo "   1) Default: 1194"
+	echo "   2) Custom"
+	echo "   3) Random [49152-65535]"
+	until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
+		read -p "Port choice [1-3]: " -e -i 1 PORT_CHOICE
+	done
+	case $PORT_CHOICE in
+		1)
+			PORT="1194"
+		;;
+		2)
+			until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 -a "$PORT" -le 65535 ]; do
+				read -p "Custom port [1-65535]: " -e -i 1194 PORT
+			done
+		;;
+		3)
+			# Generate random number within private ports range
+			PORT=$(shuf -i49152-65535 -n1)
+			echo "Random Port: $PORT"
+		;;
+	esac
 
 	# If $IP is a private IP address, the server must be behind NAT
 	if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then

From a0267c994dbe42e543f9e085dedc35587e89cafd Mon Sep 17 00:00:00 2001
From: Angristan <angristan@pm.me>
Date: Sat, 18 Aug 2018 16:08:32 +0200
Subject: [PATCH 12/12] Fix License copyright holders

---
 LICENSE | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/LICENSE b/LICENSE
index 5b44955..1727729 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,7 @@
-The MIT License (MIT)
+MIT License
 
-Copyright (c) 2016 Nyr, Angristan
+Copyright (c) 2013 Nyr
+Copyright (c) 2016 Angristan (Stanislas Lange)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in