Merge branch 'master' into patch-5

2020-04-27 19:01:10 +02:00 · 2020-04-27 19:01:10 +02:00 · b2828e6164
commit b2828e6164
parent 4ccd6163ae 369c8dadaa
5 changed files with 552 additions and 497 deletions
--- a/.github/ISSUE_TEMPLATE/somehting-else.md
+++ b/.github/ISSUE_TEMPLATE/somehting-else.md
@ -1,19 +0,0 @@
---
-name: Something else
-about: Not a bug nor a feature request?
-title: ''
-labels: ''
-assignees: ''
-
---
-
-**Checklist**
-
- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md)
- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md)
- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+)
- [ ] My issue is about the script, and not OpenVPN itself
-
-<!---
-If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn)
--->
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@ -1,5 +1,12 @@
-on: [push, pull_request]
-name: ShellCheck
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+    branches:
+    - master
+
+name: Lint
 jobs:
  shellcheck:
    runs-on: ubuntu-latest
@ -9,3 +16,11 @@ jobs:
      uses: ludeeus/action-shellcheck@0.0.1
      with:
        args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
+  shfmt:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - name: shfmt
+      uses: bltavares/actions/shfmt@master
+      env:
+        SHFMT_ARGS: -d
--- a/FAQ.md
+++ b/FAQ.md
@ -20,6 +20,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you
 On Linux you need to add these lines to your `.ovpn` file based on your Distribution.

 Debian 9, 10 and Ubuntu 16.04, 18.04
+
 ```
 script-security 2
 up /etc/openvpn/update-resolv-conf
@ -27,6 +28,7 @@ down /etc/openvpn/update-resolv-conf
 ```

 Centos 6, 7
+
 ```
 script-security 2
 up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up
@ -34,6 +36,7 @@ down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down
 ```

 Centos 8, Fedora 30, 31
+
 ```
 script-security 2
 up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
@ -41,6 +44,7 @@ down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
 ```

 Arch Linux
+
 ```
 script-security 2
 up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
@ -71,13 +75,7 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s

 **Q:** DNS is not working on my Linux client

-**A:** Make sure the `resolvconf` package is installed. If it does not solve the issue, look at https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script
-
---
-
-**Q:** How to setup openVPN in a LXC container? (f.e. Proxmox)
-
-**A:** See https://github.com/Nyr/openvpn-install/wiki/How-to-setup-openVPN-in-a-LXC-container-(f.e.-Proxmox)
+**A:** See "How do I fix DNS leaks?" question

 ---

@ -89,6 +87,26 @@ Sysctl options are at `/etc/sysctl.d/20-openvpn.conf`

 ---

+**Q:** How can I access other clients connected to the same OpenVPN server?
+
+**A:** Add `client-to-client` to your `server.conf`
+
+---
+
+**Q:** My router can't connect
+
+**A:**
+
+- `Options error: No closing quotation (") in config.ovpn:46` :
+
+  type `yes` when asked to customize encryption settings and choose `tls-auth`
+
+- `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` :
+
+  see question "Can I use an OpenVPN 2.3 client?"
+
+---
+
 **Q:** How can I access computers on the remote LAN?

 **A:** Add a route with the subnet of your remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"`
--- a/README.md
+++ b/README.md
@ -8,14 +8,14 @@ You can also check out [wireguard-install](https://github.com/angristan/wireguar

 ## Usage

-First, get the script and make it executable :
+First, get the script and make it executable:

 ```bash
 curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
 chmod +x openvpn-install.sh
 ```

-Then run it :
+Then run it:

 ```sh
 ./openvpn-install.sh
@ -25,7 +25,7 @@ You need to run the script as root and have the TUN module enabled.

 The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.

-When OpenVPN is installed, you can run the script again, and you will get the choice to :
+When OpenVPN is installed, you can run the script again, and you will get the choice to:

 - Add a client
 - Remove a client
@ -42,6 +42,7 @@ If you have any question, head to the [FAQ](#faq) first. Please read everything
 It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.

 Example usage:
+
 ```bash
 AUTO_INSTALL=y ./openvpn-install.sh

@ -72,11 +73,14 @@ Other variables can be set depending on your choice (encryption, compression). Y

 Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.

+The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.
+
 ### Headless User Addition

 It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script.

 The following Bash script adds a new user `foo` to an existing OpenVPN configuration
+
 ```bash
 #!/bin/bash
 export MENU_OPTION="1"
@ -107,20 +111,17 @@ export PASS="1"

 The script supports these OS and architectures:

-|                | i386 | amd64 | armhf | arm64 |
-| -------------- | ---- | ----- | ----- | ----- |
-| Amazon Linux 2 |  ❔  |  ✅  |   ❔  |   ❔  |
-|  Arch Linux    |  ❔  |  ✅  |   ❔  |   ✅  |
-|   Centos 8     |  ❌  |  ✅  |   ❔  |   ❔  |
-|   CentOS 7     |  ❔  |  ✅  |   ❌  |   ✅  |
-|   Debian 8     |  ✅  |  ✅  |   ❌  |   ❌  |
-|   Debian 9     |  ❌  |  ✅  |   ✅  |   ✅  |
-|   Debian 10    |  ❔  |  ✅  |   ✅  |   ❔  |
-|   Fedora 27    |  ❔  |  ✅  |   ❔  |   ❔  |
-|   Fedora 28    |  ❔  |  ✅  |   ❔  |   ❔  |
-| Ubuntu 16.04   |  ✅  |  ✅  |   ❌  |   ❌  |
-| Ubuntu 18.04   |  ❌  |  ✅  |   ✅  |   ✅  |
-| Ubuntu 19.04   |  ❌  |  ✅  |   ✅  |   ✅  |
+|                 | i386 | amd64 | armhf | arm64 |
+| --------------- | ---- | ----- | ----- | ----- |
+| Amazon Linux 2  | ❔   | ✅    | ❔    | ❔    |
+| Arch Linux      | ❔   | ✅    | ❔    | ✅    |
+| CentOS 7        | ❔   | ✅    | ❌    | ✅    |
+| CentOS 8        | ❌   | ✅    | ❔    | ❔    |
+| Debian 8        | ✅   | ✅    | ❌    | ❌    |
+| Debian >= 9     | ❌   | ✅    | ✅    | ✅    |
+| Fedora >= 27    | ❔   | ✅    | ❔    | ❔    |
+| Ubuntu 16.04    | ✅   | ✅    | ❌    | ❌    |
+| Ubuntu >= 18.04 | ❌   | ✅    | ✅    | ✅    |

 To be noted:

@ -142,9 +143,9 @@ More Q&A in [FAQ.md](FAQ.md).

 **A:** I recommend these:

- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month
+- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month
 - [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month
+- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month

 ---

@ -174,12 +175,15 @@ More Q&A in [FAQ.md](FAQ.md).

 More Q&A in [FAQ.md](FAQ.md).

-##  One-stop solutions for public cloud
+## One-stop solutions for public cloud

 Solutions that provision a ready to use OpenVPN server based on this script in one go are available for:

- - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
+- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)

+## Contributing / Code formatting
+
+We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).

 ## Security and Encryption

@ -190,6 +194,7 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA,
 If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.

 Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
+
 ### Compression

 By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
@ -227,15 +232,15 @@ By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old
 >
 > Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.

->Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
+> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
 >
 > OpenVPN's default cipher, BF-CBC, is affected by this attack.

-Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted.
+Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](<https://en.wikipedia.org/wiki/Camellia_(cipher)>) are not vulnerable to date but are slower than AES and relatively less trusted.

 > Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.

-AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source : [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack).
+AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source: [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack).

 AES-GCM is an [AEAD cipher](https://en.wikipedia.org/wiki/Authenticated_encryption) which means it simultaneously provides confidentiality, integrity, and authenticity assurances on the data.

@ -250,7 +255,7 @@ The script supports the following ciphers:

 And defaults to `AES-128-GCM`.

-OpenVPN 2.4 added a feature called "NCP": *Negotiable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
+OpenVPN 2.4 added a feature called "NCP": _Negotiable Crypto Parameters_. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.

 ### Control channel

@ -311,6 +316,7 @@ About `tls-crypt`:
 > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
 >
 > Encrypting (and authenticating) control channel packets:
+>
 > - provides more privacy by hiding the certificate used for the TLS connection,
 > - makes it harder to identify OpenVPN traffic as such,
 > - provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
--- a/openvpn-install.sh
+++ b/openvpn-install.sh