Merge remote-tracking branch 'angristan/master'

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+patreon: angristan
+liberapay: angristan
+ko_fi: angristan

.github/ISSUE_TEMPLATE.md

@@ -2,10 +2,12 @@
 
 Before opening an issue, please make sure:
 
-- You installed OpenVPN with the lastest version of the script
+- You installed OpenVPN with the latest version of the script
 - You read the FAQ
 - Your issue is about the script, NOT OpenVPN itself
 - ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed
 
+FYI, you can excute the script with `bash -x openvpn-install.sh` to enable debug mode.
+
 You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/
 --->

.github/workflows/push.yml

@@ -0,0 +1,11 @@
+on: push
+name: ShellCheck
+jobs:
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - name: shellcheck
+      uses: actions/bin/shellcheck@master
+      with:
+        args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009

.travis.yml

@@ -1,4 +0,0 @@
-language: shell
-
-script:
-  - shellcheck -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 openvpn-install.sh

LICENSE

@@ -1,7 +1,7 @@
 MIT License
 
 Copyright (c) 2013 Nyr
-Copyright (c) 2016 Angristan (Stanislas Lange)
+Copyright (c) 2016 Stanislas Lange (angristan)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

README.md

@@ -1,7 +1,5 @@
 # openvpn-install
 
-[![Travis CI](https://travis-ci.com/angristan/openvpn-install.svg?branch=master)](https://travis-ci.com/angristan/openvpn-install)
-
 OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
 
 This script will let you setup your own secure VPN server in just a few seconds.
@@ -13,7 +11,7 @@ You can also check out [wireguard-install](https://github.com/angristan/wireguar
 First, get the script and make it executable :
 
 ```bash
-curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
+curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
 chmod +x openvpn-install.sh
 ```
 
@@ -97,7 +95,7 @@ export PASS="1"
 - Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
 - Choice between TCP and UDP
 - NATed IPv6 support
-- Compression disabled by default to prevent VORACLE. LZ4 and LZ0 algorithms available otherwise.
+- Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise.
 - Unprivileged mode: run as `nobody`/`nogroup`
 - Block DNS leaks on Windows 10
 - Randomised server certificate name
@@ -108,17 +106,19 @@ export PASS="1"
 
 The script supports these OS and architectures:
 
-|              | i386 | amd64 | armhf | arm64 |
+|                | i386 | amd64 | armhf | arm64 |
-| ------------ | ---- | ----- | ----- | ----- |
+| -------------- | ---- | ----- | ----- | ----- |
-|  Arch Linux  |   ❔  |  ✅  |   ❔   |   ❔  |
+| Amazon Linux 2 |  ❔  |  ✅  |   ❔  |   ❔  |
-|   CentOS 7   |   ❔  |  ✅  |   ❌   |   ✅  |
+|  Arch Linux    |  ❔  |  ✅  |   ❔  |   ❔  |
-|   Debian 8   |   ✅  |  ✅  |   ❌   |   ❌  |
+|   CentOS 7     |  ❔  |  ✅  |   ❌  |   ✅  |
-|   Debian 9   |   ❌  |  ✅  |   ✅   |   ✅  |
+|   Debian 8     |  ✅  |  ✅  |   ❌  |   ❌  |
-|   Fedora 27  |   ❔  |  ✅  |   ❔   |   ❔  |
+|   Debian 9     |  ❌  |  ✅  |   ✅  |   ✅  |
-|   Fedora 28  |   ❔  |  ✅  |   ❔   |   ❔  |
+|   Debian 10    |  ❔  |  ✅  |   ✅  |   ❔  |
-| Ubuntu 16.04 |   ✅  |  ✅  |   ❌   |   ❌  |
+|   Fedora 27    |  ❔  |  ✅  |   ❔  |   ❔  |
-| Ubuntu 18.04 |   ❌  |  ✅  |   ✅   |   ✅  |
+|   Fedora 28    |  ❔  |  ✅  |   ❔  |   ❔  |
-| Ubuntu 19.04 |   ❌  |  ✅  |   ✅   |   ✅  |
+| Ubuntu 16.04   |  ✅  |  ✅  |   ❌  |   ❌  |
+| Ubuntu 18.04   |  ❌  |  ✅  |   ✅  |   ✅  |
+| Ubuntu 19.04   |  ❌  |  ✅  |   ✅  |   ✅  |
 
 To be noted:
 
@@ -183,7 +183,7 @@ If you want more information about an option mentioned below, head to the [OpenV
 Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
 ### Compression
 
-By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 algorithms, the latter being more efficient.
+By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
 
 However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
 
@@ -278,11 +278,9 @@ It defaults to `prime256v1`.
 From the OpenVPN wiki, about `--auth`:
 
 > Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.
-> 
+>
 > If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
 
-SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks).
-
 The script provides the following choices:
 
 - `SHA256`
@@ -296,13 +294,13 @@ It defaults to `SHA256`.
 From the OpenVPN wiki, about `tls-auth`:
 
 > Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack.
-> 
+>
 > In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.
 
 About `tls-crypt`:
 
 > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
-> 
+>
 > Encrypting (and authenticating) control channel packets:
 > - provides more privacy by hiding the certificate used for the TLS connection,
 > - makes it harder to identify OpenVPN traffic as such,

Vagrantfile

@@ -5,6 +5,7 @@ autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
 # else, run `vagrant up <hostname>`
 
 machines = [
+  { hostname: 'debian-10', box: 'debian/stretch64' },
   { hostname: 'debian-9', box: 'debian/stretch64' },
   { hostname: 'debian-8', box: 'debian/jessie64' },
   { hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },

openvpn-install.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Fedora and Arch Linux
+# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux
 # https://github.com/angristan/openvpn-install
 
 function isRoot () {
@@ -20,8 +20,8 @@ function checkOS () {
 		OS="debian"
 		source /etc/os-release
 
-		if [[ "$ID" == "debian" ]]; then
+		if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then
-			if [[ ! $VERSION_ID =~ (8|9) ]]; then
+			if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
 				echo "⚠️ Your version of Debian is not supported."
 				echo ""
 				echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
@@ -50,27 +50,34 @@ function checkOS () {
 				fi
 			fi
 		fi
-	elif [[ -e /etc/fedora-release ]]; then
+	elif [[ -e /etc/system-release ]]; then
-		OS=fedora
+		source /etc/os-release
-	elif [[ -e /etc/centos-release ]]; then
+		if [[ "$ID" = "centos" ]]; then
-		if ! grep -qs "^CentOS Linux release 7" /etc/centos-release; then
+			OS="centos"
-			echo "Your version of CentOS is not supported."
+			if [[ ! $VERSION_ID == "7" ]]; then
-			echo "The script only support CentOS 7."
+				echo "⚠️ Your version of CentOS is not supported."
-			echo ""
+				echo ""
-			unset CONTINUE
+				echo "The script only support CentOS 7."
-			until [[ $CONTINUE =~ (y|n) ]]; do
+				echo ""
-				read -rp "Continue anyway? [y/n]: " -e CONTINUE
-			done
-			if [[ "$CONTINUE" = "n" ]]; then
-				echo "Ok, bye!"
 				exit 1
 			fi
 		fi
-		OS=centos
+		if [[ "$ID" = "amzn" ]]; then
+			OS="amzn"
+			if [[ ! $VERSION_ID == "2" ]]; then
+				echo "⚠️ Your version of Amazon Linux is not supported."
+				echo ""
+				echo "The script only support Amazon Linux 2."
+				echo ""
+				exit 1
+			fi
+		fi
+	elif [[ -e /etc/fedora-release ]]; then
+		OS=fedora
 	elif [[ -e /etc/arch-release ]]; then
 		OS=arch
 	else
-		echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or Arch Linux system"
+		echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system"
 		exit 1
 	fi
 }
@@ -101,7 +108,7 @@ hide-version: yes
 use-caps-for-id: yes
 prefetch: yes' >> /etc/unbound/unbound.conf
 
-		elif [[ "$OS" = "centos" ]]; then
+		elif [[ "$OS" =~ (centos|amzn) ]]; then
 			yum install -y unbound
 
 			# Configuration
@@ -128,7 +135,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
 			curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
 
 			mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
-			
+
 			echo 'server:
 	use-syslog: yes
 	do-daemonize: no
@@ -148,7 +155,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
 	prefetch: yes' > /etc/unbound/unbound.conf
 		fi
 
-		if [[ ! "$OS" =~ (fedora|centos) ]];then
+		if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
 			# DNS Rebinding fix
 			echo "private-address: 10.0.0.0/8
 private-address: 172.16.0.0/12
@@ -284,8 +291,9 @@ function installQuestions () {
 	echo "   9) Google (Anycast: worldwide)"
 	echo "   10) Yandex Basic (Russia)"
 	echo "   11) AdGuard DNS (Russia)"
-	until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 11 ]; do
+	echo "   12) Custom"
-		read -rp "DNS [1-10]: " -e -i 3 DNS
+	until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 12 ]; do
+		read -rp "DNS [1-12]: " -e -i 3 DNS
 			if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
 				echo ""
 				echo "Unbound is already installed."
@@ -302,6 +310,16 @@ function installQuestions () {
 					unset DNS
 					unset CONTINUE
 				fi
+			elif [[ $DNS == "12" ]]; then
+				until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+					read -rp "Primary DNS: " -e DNS1
+				done
+				until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+					read -rp "Secondary DNS (optional): " -e DNS2
+					if [[ "$DNS2" == "" ]]; then
+						break
+					fi
+				done
 			fi
 	done
 	echo ""
@@ -310,17 +328,21 @@ function installQuestions () {
 		read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
 	done
 	if [[ $COMPRESSION_ENABLED == "y" ]];then
-		echo "Choose which compression algorithm you want to use:"
+		echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)"
-		echo "   1) LZ4 (more efficient)"
+		echo "   1) LZ4-v2"
-		echo "   2) LZ0"
+		echo "   2) LZ4"
-		until [[ $COMPRESSION_CHOICE =~ ^[1-2]$ ]]; do
+		echo "   3) LZ0"
-			read -rp"Compression algorithm [1-2]: " -e -i 1 COMPRESSION_CHOICE
+		until [[ $COMPRESSION_CHOICE =~ ^[1-3]$ ]]; do
+			read -rp"Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE
 		done
 		case $COMPRESSION_CHOICE in
 			1)
-			COMPRESSION_ALG="lz4"
+			COMPRESSION_ALG="lz4-v2"
 			;;
 			2)
+			COMPRESSION_ALG="lz4"
+			;;
+			3)
 			COMPRESSION_ALG="lzo"
 			;;
 		esac
@@ -600,6 +622,9 @@ function installOpenVPN () {
 	elif [[ "$OS" = 'centos' ]]; then
 		yum install -y epel-release
 		yum install -y openvpn iptables openssl wget ca-certificates curl
+	elif [[ "$OS" = 'amzn' ]]; then
+		amazon-linux-extras install -y epel
+		yum install -y openvpn iptables openssl wget ca-certificates curl
 	elif [[ "$OS" = 'fedora' ]]; then
 		dnf install -y openvpn iptables openssl wget ca-certificates curl
 	elif [[ "$OS" = 'arch' ]]; then
@@ -642,6 +667,11 @@ function installOpenVPN () {
 	SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
 	SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
 	echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
+
+	# Workaround to remove unharmful error until easy-rsa 3.0.7
+	# https://github.com/OpenVPN/easy-rsa/issues/261
+	sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
+
 	# Create the PKI, set up the CA, the DH params and the server certificate
 	./easyrsa init-pki
 	./easyrsa --batch build-ca nopass
@@ -650,10 +680,10 @@ function installOpenVPN () {
 		# ECDH keys are generated on-the-fly so we don't need to generate them beforehand
 		openssl dhparam -out dh.pem $DH_KEY_SIZE
 	fi
-	
+
 	./easyrsa build-server-full "$SERVER_NAME" nopass
 	EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
-	
+
 	case $TLS_SIG in
 		1)
 			# Generate tls-crypt key
@@ -664,13 +694,13 @@ function installOpenVPN () {
 			openvpn --genkey --secret /etc/openvpn/tls-auth.key
 		;;
 	esac
-	
+
 	# Move all the generated files
 	cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
 	if [[ $DH_TYPE == "2" ]]; then
 		cp dh.pem /etc/openvpn
 	fi
-	
+
 	# Make cert revocation list readable for non-root
 	chmod 644 /etc/openvpn/crl.pem
 
@@ -746,6 +776,12 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 			echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
 			echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
 		;;
+		12) # Custom DNS
+		echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf
+		if [[ "$DNS2" != "" ]]; then
+			echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf
+		fi
+		;;
 	esac
 	echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
 
@@ -781,7 +817,7 @@ push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
 	echo "crl-verify crl.pem
 ca ca.crt
 cert $SERVER_NAME.crt
-key $SERVER_NAME.key 
+key $SERVER_NAME.key
 auth $HMAC_ALG
 cipher $CIPHER
 ncp-ciphers $CIPHER
@@ -799,7 +835,7 @@ verb 3" >> /etc/openvpn/server.conf
 	if [[ "$IPV6_SUPPORT" = 'y' ]]; then
 		echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf
 	fi
-	# Avoid an unneeded reboot
+	# Apply sysctl rules
 	sysctl --system
 
 	# If SELinux is enabled and a custom port was selected, we need this
@@ -815,7 +851,7 @@ verb 3" >> /etc/openvpn/server.conf
 	if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then
 		# Don't modify package-provided service
 		cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
-		
+
 		# Workaround to fix OpenVPN service on OpenVZ
 		sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
 		# Another workaround to keep using /etc/openvpn/
@@ -836,12 +872,12 @@ verb 3" >> /etc/openvpn/server.conf
 	else
 		# Don't modify package-provided service
 		cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
-		
+
 		# Workaround to fix OpenVPN service on OpenVZ
 		sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service
 		# Another workaround to keep using /etc/openvpn/
 		sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
-		
+
 		systemctl daemon-reload
 		systemctl restart openvpn@server
 		systemctl enable openvpn@server
@@ -856,17 +892,17 @@ verb 3" >> /etc/openvpn/server.conf
 
 	# Script to add rules
 	echo "#!/bin/sh
-iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
+iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE
-iptables -A INPUT -i tun0 -j ACCEPT
+iptables -I INPUT 1 -i tun0 -j ACCEPT
-iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT
+iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
-iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT
+iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
-iptables -A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
+iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
 
 	if [[ "$IPV6_SUPPORT" = 'y' ]]; then
-		echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
+		echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
-ip6tables -A INPUT -i tun0 -j ACCEPT
+ip6tables -I INPUT 1 -i tun0 -j ACCEPT
-ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT
+ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
-ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
+ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
 	fi
 
 	# Script to remove rules
@@ -978,9 +1014,9 @@ function newClient () {
 	# Home directory of the user, where the client configuration (.ovpn) will be written
 	if [ -e "/home/$CLIENT" ]; then  # if $1 is a user name
 		homeDir="/home/$CLIENT"
-	elif [ "${SUDO_USER}" ]; then   # if not, use SUDO_USER
+	elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER
 		homeDir="/home/${SUDO_USER}"
-	else  # if not SUDO_USER, use /root
+	else # if not SUDO_USER, use /root
 		homeDir="/root"
 	fi
 
@@ -1086,7 +1122,7 @@ function removeUnbound () {
 			apt-get autoremove --purge -y unbound
 		elif [[ "$OS" = 'arch' ]]; then
 			pacman --noconfirm -R unbound
-		elif [[ "$OS" = 'centos' ]]; then
+		elif [[ "$OS" =~ (centos|amzn) ]]; then
 			yum remove -y unbound
 		elif [[ "$OS" = 'fedora' ]]; then
 			dnf remove -y unbound
@@ -1151,7 +1187,7 @@ function removeOpenVPN () {
 			fi
 		elif [[ "$OS" = 'arch' ]]; then
 			pacman --noconfirm -R openvpn
-		elif [[ "$OS" = 'centos' ]]; then
+		elif [[ "$OS" =~ (centos|amzn) ]]; then
 			yum remove -y openvpn
 		elif [[ "$OS" = 'fedora' ]]; then
 			dnf remove -y openvpn