Merge branch 'master' into patch-3

2020-04-27 15:56:19 +02:00 · 2020-04-27 15:56:19 +02:00 · fdb04bee4e
commit fdb04bee4e
parent 8d0b04e83c 87bfd046dd
7 changed files with 720 additions and 475 deletions
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@ -1,13 +0,0 @@
 <!---
 Before opening an issue, please make sure:
 - You installed OpenVPN with the latest version of the script
 - You read the FAQ
 - Your issue is about the script, NOT OpenVPN itself
 - ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed
 FYI, you can excute the script with `bash -x openvpn-install.sh` to enable debug mode.
 You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/
 --->
--- a/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
+++ b/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
@ -0,0 +1,49 @@
 ---
 name: Bug report / Support request
 about: Create a report to help us improve
 title: ''
 labels: ''
 assignees: ''
 ---
 **Checklist**
 - [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md)
 - [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md)
 - [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+)
 - [ ] My issue is about the script, and not OpenVPN itself
 <!---
 If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn)
 --->
 **Describe the issue**
 A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. ...
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Logs**
 If applicable, add logs or screenshots to help explain your problem.
 If you can reproduce the issue, please run the script in debug mode and post the output: `bash -x openvpn-install.sh`
 **Server if applicable):**
 - OS: [e.g. Debian 10]
 - Hosting provider (if applicable): [e.g. Vultr, AWS]
 **Client (if applicable):**
 - Device: [e.g. iPhone6]
 - OS: [e.g. iOS8.1]
 - Client: [e.g. OpenVPN Connect]
 **Additional context**
 Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature-request.md
+++ b/.github/ISSUE_TEMPLATE/feature-request.md
@ -0,0 +1,31 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
 title: ''
 labels: ''
 assignees: ''
 ---
 **Checklist**
 - [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md)
 - [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md)
 - [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+)
 - [ ] My issue is about the script, and not OpenVPN itself
 <!---
 If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn)
 --->
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 **Describe alternatives you've considered**
 A clear and concise description of any alternative solutions or features you've considered.
 **Additional context**
 Add any other context or screenshots about the feature request here.
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@ -1,5 +1,12 @@
-on: push
+on:
-name: ShellCheck
+  push:
    branches:
    - master
  pull_request:
    branches:
    - master
 name: Lint
 jobs:
  shellcheck:
    runs-on: ubuntu-latest
@ -9,3 +16,11 @@ jobs:
      uses: ludeeus/action-shellcheck@0.0.1
      with:
        args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
  shfmt:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: shfmt
      uses: bltavares/actions/shfmt@master
      env:
        SHFMT_ARGS: -d
--- a/FAQ.md
+++ b/FAQ.md
@ -0,0 +1,106 @@
 # FAQ
 **Q:** The script has been updated since I installed OpenVPN. How do I update?
 **A:** You can't. Managing updates and new features from the script would require way too much work. Your only solution is to uninstall OpenVPN and reinstall with the updated script.
 You can, of course, it's even recommended, update the `openvpn` package with your package manager.
 ---
 **Q:** How do I check for DNS leaks?
 **A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
 ---
 **Q:** How do I fix DNS leaks?
 **A:** On Windows 10 DNS leaks are blocked by default with the `block-outside-dns` option.
 On Linux you need to add these lines to your `.ovpn` file based on your Distribution.
 Debian 9, 10 and Ubuntu 16.04, 18.04
 ```
 script-security 2
 up /etc/openvpn/update-resolv-conf
 down /etc/openvpn/update-resolv-conf
 ```
 Centos 6, 7
 ```
 script-security 2
 up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up
 down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down
 ```
 Centos 8, Fedora 30, 31
 ```
 script-security 2
 up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
 down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
 ```
 Arch Linux
 ```
 script-security 2
 up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
 down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
 ```
 ---
 **Q:** Can I use an OpenVPN 2.3 client?
 **A:** Yes. I really recommend using an up-to-date client, but if you really need it, choose the following options:
 - No compression or LZ0
 - RSA certificate
 - DH Key
 - AES CBC
 - tls-auth
 If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server.conf` and `.ovpn` files.
 ---
 **Q:** IPv6 is not working on my Hetzner VM
 **A:** This an issue on their side. See https://angristan.xyz/fix-ipv6-hetzner-cloud/
 ---
 **Q:** DNS is not working on my Linux client
 **A:** See "How do I fix DNS leaks?" question
 ---
 **Q:** What syctl and iptables changes are made by the script?
 **A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service`
 Sysctl options are at `/etc/sysctl.d/20-openvpn.conf`
 ---
 **Q:** How can I access other clients connected to the same OpenVPN server?
 **A:** Add `client-to-client` to your `server.conf`
 ---
 **Q:** My router can't connect
 **A:**
 - `Options error: No closing quotation (") in config.ovpn:46` :
  type `yes` when asked to customize encryption settings and choose `tls-auth`
 - `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` :
  see question "Can I use an OpenVPN 2.3 client?"
--- a/README.md
+++ b/README.md
@ -33,13 +33,16 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
 In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
-If you have any question, head to the [FAQ](#faq) first.
+If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
 **PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
 ### Headless install
 It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.
 Example usage:
 ```bash
 AUTO_INSTALL=y ./openvpn-install.sh
@ -70,11 +73,14 @@ Other variables can be set depending on your choice (encryption, compression). Y
 Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.
 The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.
 ### Headless User Addition
 It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script.
 The following Bash script adds a new user `foo` to an existing OpenVPN configuration
 ```bash
 #!/bin/bash
 export MENU_OPTION="1"
@ -106,19 +112,16 @@ export PASS="1"
 The script supports these OS and architectures:
 |                 | i386 | amd64 | armhf | arm64 |
-| -------------- | ---- | ----- | ----- | ----- |
+| --------------- | ---- | ----- | ----- | ----- |
 | Amazon Linux 2  | ❔   | ✅    | ❔    | ❔    |
 | Arch Linux      | ❔   | ✅    | ❔    | ✅    |
 |   Centos 8     |  ❌  |  ✅  |   ❔  |   ❔  |
 | CentOS 7        | ❔   | ✅    | ❌    | ✅    |
 | CentOS 8        | ❌   | ✅    | ❔    | ❔    |
 | Debian 8        | ✅   | ✅    | ❌    | ❌    |
-|   Debian 9     |  ❌  |  ✅  |   ✅  |   ✅  |
+| Debian >= 9     | ❌   | ✅    | ✅    | ✅    |
-|   Debian 10    |  ❔  |  ✅  |   ✅  |   ❔  |
+| Fedora >= 27    | ❔   | ✅    | ❔    | ❔    |
 |   Fedora 27    |  ❔  |  ✅  |   ❔  |   ❔  |
 |   Fedora 28    |  ❔  |  ✅  |   ❔  |   ❔  |
 | Ubuntu 16.04    | ✅   | ✅    | ❌    | ❌    |
-| Ubuntu 18.04   |  ❌  |  ✅  |   ✅  |   ✅  |
+| Ubuntu >= 18.04 | ❌   | ✅    | ✅    | ✅    |
 | Ubuntu 19.04   |  ❌  |  ✅  |   ✅  |   ✅  |
 To be noted:
@ -134,17 +137,15 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially
 ## FAQ
-**LOOK AT THE [WIKI](https://github.com/angristan/openvpn-install/wiki/FAQ) FOR MORE INFORMATION. PLEASE READ BOTH BEFORE OPENING AN ISSUE.**
+More Q&A in [FAQ.md](FAQ.md).
 **PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you.
 **Q:** Which provider do you recommend?
 **A:** I recommend these:
- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month
+- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month
 - [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month
+- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month
 ---
@ -172,12 +173,17 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially
 ---
 More Q&A in [FAQ.md](FAQ.md).
 ## One-stop solutions for public cloud
 Solutions that provision a ready to use OpenVPN server based on this script in one go are available for:
 - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
 ## Contributing / Code formatting
 We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).
 ## Security and Encryption
@ -188,6 +194,7 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA,
 If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.
 Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
 ### Compression
 By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
@ -225,11 +232,11 @@ By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old
 >
 > Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
->Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
+> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
 >
 > OpenVPN's default cipher, BF-CBC, is affected by this attack.
-Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted.
+Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](<https://en.wikipedia.org/wiki/Camellia_(cipher)>) are not vulnerable to date but are slower than AES and relatively less trusted.
 > Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.
@ -248,7 +255,7 @@ The script supports the following ciphers:
 And defaults to `AES-128-GCM`.
-OpenVPN 2.4 added a feature called "NCP": *Negotiable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
+OpenVPN 2.4 added a feature called "NCP": _Negotiable Crypto Parameters_. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
 ### Control channel
@ -309,6 +316,7 @@ About `tls-crypt`:
 > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
 >
 > Encrypting (and authenticating) control channel packets:
 >
 > - provides more privacy by hiding the certificate used for the TLS connection,
 > - makes it harder to identify OpenVPN traffic as such,
 > - provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
@ -321,9 +329,7 @@ The script supports both and uses `tls-crypt` by default.
 ## Say thanks
-*Sadly saythanks.io doesn't exist anymore... Thanks for the dozens of messages! It's really meaninful to me.*
+You can [say thanks](https://saythanks.io/to/angristan%40pm.me) if you want!
 *Still want to help? Check the "sponsor" button at the top of the page!*
 ## Credits & Licence
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@ -21,32 +21,31 @@ function checkOS () {
 		# shellcheck disable=SC1091
 		source /etc/os-release
-		if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then
+		if [[ $ID == "debian" || $ID == "raspbian" ]]; then
-			if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
+			if [[ $VERSION_ID -lt 8 ]]; then
 				echo "⚠️ Your version of Debian is not supported."
 				echo ""
-				echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
+				echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk."
 				echo "Keep in mind they are not supported, though."
 				echo ""
 				until [[ $CONTINUE =~ (y|n) ]]; do
 					read -rp "Continue? [y/n]: " -e CONTINUE
 				done
-				if [[ "$CONTINUE" = "n" ]]; then
+				if [[ $CONTINUE == "n" ]]; then
 					exit 1
 				fi
 			fi
-		elif [[ "$ID" == "ubuntu" ]];then
+		elif [[ $ID == "ubuntu" ]]; then
 			OS="ubuntu"
-			if [[ ! $VERSION_ID =~ (16.04|18.04|19.04) ]]; then
+			MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1)
 			if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then
 				echo "⚠️ Your version of Ubuntu is not supported."
 				echo ""
-				echo "However, if you're using Ubuntu > 17 or beta, then you can continue."
+				echo "However, if you're using Ubuntu >= 16.04 or beta, then you can continue, at your own risk."
 				echo "Keep in mind they are not supported, though."
 				echo ""
 				until [[ $CONTINUE =~ (y|n) ]]; do
 					read -rp "Continue? [y/n]: " -e CONTINUE
 				done
-				if [[ "$CONTINUE" = "n" ]]; then
+				if [[ $CONTINUE == "n" ]]; then
 					exit 1
 				fi
 			fi
@ -54,10 +53,10 @@ function checkOS () {
 	elif [[ -e /etc/system-release ]]; then
 		# shellcheck disable=SC1091
 		source /etc/os-release
-		if [[ "$ID" = "fedora" ]]; then
+		if [[ $ID == "fedora" ]]; then
 			OS="fedora"
 		fi
-		if [[ "$ID" = "centos" ]]; then
+		if [[ $ID == "centos" ]]; then
 			OS="centos"
 			if [[ ! $VERSION_ID =~ (7|8) ]]; then
 				echo "⚠️ Your version of CentOS is not supported."
@ -67,9 +66,9 @@ function checkOS () {
 				exit 1
 			fi
 		fi
-		if [[ "$ID" = "amzn" ]]; then
+		if [[ $ID == "amzn" ]]; then
 			OS="amzn"
-			if [[ ! $VERSION_ID == "2" ]]; then
+			if [[ $VERSION_ID != "2" ]]; then
 				echo "⚠️ Your version of Amazon Linux is not supported."
 				echo ""
 				echo "The script only support Amazon Linux 2."
@ -98,9 +97,10 @@ function initialCheck () {
 }
 function installUnbound() {
 	# If Unbound isn't installed, install it
 	if [[ ! -e /etc/unbound/unbound.conf ]]; then
-		if [[ "$OS" =~ (debian|ubuntu) ]]; then
+		if [[ $OS =~ (debian|ubuntu) ]]; then
 			apt-get install -y unbound
 			# Configuration
@ -111,7 +111,7 @@ hide-version: yes
 use-caps-for-id: yes
 prefetch: yes' >>/etc/unbound/unbound.conf
-		elif [[ "$OS" =~ (centos|amzn) ]]; then
+		elif [[ $OS =~ (centos|amzn) ]]; then
 			yum install -y unbound
 			# Configuration
@ -121,7 +121,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
 			sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
 			sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
-		elif [[ "$OS" = "fedora" ]]; then
+		elif [[ $OS == "fedora" ]]; then
 			dnf install -y unbound
 			# Configuration
@ -131,13 +131,15 @@ prefetch: yes' >> /etc/unbound/unbound.conf
 			sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
 			sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
-		elif [[ "$OS" = "arch" ]]; then
+		elif [[ $OS == "arch" ]]; then
 			pacman -Syu --noconfirm unbound
 			# Get root servers list
 			curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
 			if [[ ! -f /etc/unbound/unbound.conf.old ]]; then
 				mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
 			fi
 			echo 'server:
 	use-syslog: yes
@ -158,7 +160,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
 	prefetch: yes' >/etc/unbound/unbound.conf
 		fi
-		if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
+		if [[ ! $OS =~ (fedora|centos|amzn) ]]; then
 			# DNS Rebinding fix
 			echo "private-address: 10.0.0.0/8
 private-address: 172.16.0.0/12
@ -216,7 +218,7 @@ function installQuestions () {
 		echo ""
 		echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
 		echo "We need it for the clients to connect to the server."
-		until [[ "$ENDPOINT" != "" ]]; do
+		until [[ $ENDPOINT != "" ]]; do
 			read -rp "Public IPv4 address or hostname: " -e ENDPOINT
 		done
 	fi
@ -247,7 +249,7 @@ function installQuestions () {
 	echo "   1) Default: 1194"
 	echo "   2) Custom"
 	echo "   3) Random [49152-65535]"
-	until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
+	until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do
 		read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
 	done
 	case $PORT_CHOICE in
@ -255,7 +257,7 @@ function installQuestions () {
 		PORT="1194"
 		;;
 	2)
-			until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
+		until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
 			read -rp "Custom port [1-65535]: " -e -i 1194 PORT
 		done
 		;;
@ -270,7 +272,7 @@ function installQuestions () {
 	echo "UDP is faster. Unless it is not available, you shouldn't use TCP."
 	echo "   1) UDP"
 	echo "   2) TCP"
-	until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do
+	until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do
 		read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
 	done
 	case $PROTOCOL_CHOICE in
@ -293,9 +295,10 @@ function installQuestions () {
 	echo "   8) OpenDNS (Anycast: worldwide)"
 	echo "   9) Google (Anycast: worldwide)"
 	echo "   10) Yandex Basic (Russia)"
-	echo "   11) AdGuard DNS (Russia)"
+	echo "   11) AdGuard DNS (Anycast: worldwide)"
-	echo "   12) Custom"
+	echo "   12) NextDNS (Anycast: worldwide)"
-	until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 12 ]; do
+	echo "   13) Custom"
 	until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
 		read -rp "DNS [1-12]: " -e -i 3 DNS
 		if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
 			echo ""
@ -308,18 +311,18 @@ function installQuestions () {
 			until [[ $CONTINUE =~ (y|n) ]]; do
 				read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
 			done
-				if [[ $CONTINUE = "n" ]];then
+			if [[ $CONTINUE == "n" ]]; then
 				# Break the loop and cleanup
 				unset DNS
 				unset CONTINUE
 			fi
-			elif [[ $DNS == "12" ]]; then
+		elif [[ $DNS == "13" ]]; then
-				until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+			until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
 				read -rp "Primary DNS: " -e DNS1
 			done
-				until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+			until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
 				read -rp "Secondary DNS (optional): " -e DNS2
-					if [[ "$DNS2" == "" ]]; then
+				if [[ $DNS2 == "" ]]; then
 					break
 				fi
 			done
@ -378,7 +381,7 @@ function installQuestions () {
 		echo "   4) AES-128-CBC"
 		echo "   5) AES-192-CBC"
 		echo "   6) AES-256-CBC"
-		until [[ "$CIPHER_CHOICE" =~ ^[1-6]$ ]]; do
+		until [[ $CIPHER_CHOICE =~ ^[1-6]$ ]]; do
 			read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE
 		done
 		case $CIPHER_CHOICE in
@ -436,7 +439,7 @@ function installQuestions () {
 			echo "   1) 2048 bits (recommended)"
 			echo "   2) 3072 bits"
 			echo "   3) 4096 bits"
-				until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
+			until [[ $RSA_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
 				read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
 			done
 			case $RSA_KEY_SIZE_CHOICE in
@ -521,7 +524,7 @@ function installQuestions () {
 			echo "   1) 2048 bits (recommended)"
 			echo "   2) 3072 bits"
 			echo "   3) 4096 bits"
-				until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
+			until [[ $DH_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
 				read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
 			done
 			case $DH_KEY_SIZE_CHOICE in
@ -539,9 +542,9 @@ function installQuestions () {
 		esac
 		echo ""
 		# The "auth" options behaves differently with AEAD ciphers
-		if [[ "$CIPHER" =~ CBC$ ]]; then
+		if [[ $CIPHER =~ CBC$ ]]; then
 			echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
-		elif [[ "$CIPHER" =~ GCM$ ]]; then
+		elif [[ $CIPHER =~ GCM$ ]]; then
 			echo "The digest algorithm authenticates tls-auth packets from the control channel."
 		fi
 		echo "Which digest algorithm do you want to use for HMAC?"
@ -595,9 +598,13 @@ function installOpenVPN () {
 		PASS=${PASS:-1}
 		CONTINUE=${CONTINUE:-y}
-		# Behind NAT, we'll default to the publicly reachable IPv4.
+		# Behind NAT, we'll default to the publicly reachable IPv4/IPv6.
-		PUBLIC_IPV4=$(curl ifconfig.co)
+		if [[ $IPV6_SUPPORT == "y" ]]; then
-		ENDPOINT=${ENDPOINT:-$PUBLIC_IPV4}
+			PUBLIC_IP=$(curl https://ifconfig.co)
 		else
 			PUBLIC_IP=$(curl -4 https://ifconfig.co)
 		fi
 		ENDPOINT=${ENDPOINT:-$PUBLIC_IP}
 	fi
 	# Run setup questions first, and set other variales if auto-install
@ -605,35 +612,60 @@ function installOpenVPN () {
 	# Get the "public" interface from the default route
 	NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
 	if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then
 		NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p')
 	fi
-	if [[ "$OS" =~ (debian|ubuntu) ]]; then
+	# $NIC can not be empty for script rm-openvpn-rules.sh
 	if [[ -z $NIC ]]; then
 		echo
 		echo "Can not detect public interface."
 		echo "This needs for setup MASQUERADE."
 		until [[ $CONTINUE =~ (y|n) ]]; do
 			read -rp "Continue? [y/n]: " -e CONTINUE
 		done
 		if [[ $CONTINUE == "n" ]]; then
 			exit 1
 		fi
 	fi
 	# If OpenVPN isn't installed yet, install it. This script is more-or-less
 	# idempotent on multiple runs, but will only install OpenVPN from upstream
 	# the first time.
 	if [[ ! -e /etc/openvpn/server.conf ]]; then
 		if [[ $OS =~ (debian|ubuntu) ]]; then
 			apt-get update
 			apt-get -y install ca-certificates gnupg
 			# We add the OpenVPN repo to get the latest version.
-		if [[ "$VERSION_ID" = "8" ]]; then
+			if [[ $VERSION_ID == "8" ]]; then
 				echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list
 				wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
 				apt-get update
 			fi
-		if [[ "$VERSION_ID" = "16.04" ]]; then
+			if [[ $VERSION_ID == "16.04" ]]; then
 				echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
 				wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
 				apt-get update
 			fi
 			# Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
 			apt-get install -y openvpn iptables openssl wget ca-certificates curl
-	elif [[ "$OS" = 'centos' ]]; then
+		elif [[ $OS == 'centos' ]]; then
 			yum install -y epel-release
-		yum install -y openvpn iptables openssl wget ca-certificates curl tar
+			yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
-	elif [[ "$OS" = 'amzn' ]]; then
+		elif [[ $OS == 'amzn' ]]; then
 			amazon-linux-extras install -y epel
 			yum install -y openvpn iptables openssl wget ca-certificates curl
-	elif [[ "$OS" = 'fedora' ]]; then
+		elif [[ $OS == 'fedora' ]]; then
 			dnf install -y openvpn iptables openssl wget ca-certificates curl
-	elif [[ "$OS" = 'arch' ]]; then
+		elif [[ $OS == 'arch' ]]; then
 			# Install required dependencies and upgrade the system
 			pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
 		fi
 		# An old version of easy-rsa was available by default in some openvpn packages
 		if [[ -d /etc/openvpn/easy-rsa/ ]]; then
 			rm -rf /etc/openvpn/easy-rsa/
 		fi
 	fi
 	# Find out if the machine uses nogroup or nobody for the permissionless group
 	if grep -qs "^nogroup:" /etc/group; then
@ -642,16 +674,14 @@ function installOpenVPN () {
 		NOGROUP=nobody
 	fi
-	# An old version of easy-rsa was available by default in some openvpn packages
+	# Install the latest version of easy-rsa from source, if not already
-	if [[ -d /etc/openvpn/easy-rsa/ ]]; then
+	# installed.
-		rm -rf /etc/openvpn/easy-rsa/
+	if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
 	fi
 	# Install the latest version of easy-rsa from source
 		local version="3.0.6"
 		wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz
 		tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/
-	mv ~/EasyRSA-v${version} /etc/openvpn/easy-rsa
+		mkdir -p /etc/openvpn/easy-rsa
 		mv ~/EasyRSA-v${version}/* /etc/openvpn/easy-rsa/
 		chown -R root:root /etc/openvpn/easy-rsa/
 		rm -f ~/EasyRSA-unix-v${version}.tgz
@ -668,7 +698,10 @@ function installOpenVPN () {
 		# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
 		SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
 		echo "$SERVER_CN" >SERVER_CN_GENERATED
 		SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
 		echo "$SERVER_NAME" >SERVER_NAME_GENERATED
 		echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
 		# Create the PKI, set up the CA, the DH params and the server certificate
@ -698,6 +731,12 @@ function installOpenVPN () {
 			openvpn --genkey --secret /etc/openvpn/tls-auth.key
 			;;
 		esac
 	else
 		# If easy-rsa is already installed, grab the generated SERVER_NAME
 		# for client configs
 		cd /etc/openvpn/easy-rsa/ || return
 		SERVER_NAME=$(cat SERVER_NAME_GENERATED)
 	fi
 	# Move all the generated files
 	cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
@ -710,9 +749,9 @@ function installOpenVPN () {
 	# Generate server.conf
 	echo "port $PORT" >/etc/openvpn/server.conf
-	if [[ "$IPV6_SUPPORT" = 'n' ]]; then
+	if [[ $IPV6_SUPPORT == 'n' ]]; then
 		echo "proto $PROTOCOL" >>/etc/openvpn/server.conf
-	elif [[ "$IPV6_SUPPORT" = 'y' ]]; then
+	elif [[ $IPV6_SUPPORT == 'y' ]]; then
 		echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf
 	fi
@ -728,7 +767,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 	# DNS resolvers
 	case $DNS in
-		1)
+	1) # Current system resolvers
 		# Locate the proper resolv.conf
 		# Needed for systems running systemd-resolved
 		if grep -q "127.0.0.53" "/etc/resolv.conf"; then
@ -741,7 +780,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 			echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf
 		done
 		;;
-		2)
+	2) # Self-hosted DNS resolver (Unbound)
 		echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf
 		;;
 	3) # Cloudflare
@ -780,9 +819,13 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 176.103.130.130"' >>/etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 176.103.130.131"' >>/etc/openvpn/server.conf
 		;;
-		12) # Custom DNS
+	12) # NextDNS
 		echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server.conf
 		;;
 	13) # Custom DNS
 		echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf
-		if [[ "$DNS2" != "" ]]; then
+		if [[ $DNS2 != "" ]]; then
 			echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf
 		fi
 		;;
@ -790,7 +833,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 	echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf
 	# IPv6 network settings if needed
-	if [[ "$IPV6_SUPPORT" = 'y' ]]; then
+	if [[ $IPV6_SUPPORT == 'y' ]]; then
 		echo 'server-ipv6 fd42:42:42:42::/112
 tun-ipv6
 push tun-ipv6
@ -828,15 +871,18 @@ ncp-ciphers $CIPHER
 tls-server
 tls-version-min 1.2
 tls-cipher $CC_CIPHER
 client-config-dir /etc/openvpn/ccd
 status /var/log/openvpn/status.log
 verb 3" >>/etc/openvpn/server.conf
 	# Create client-config-dir dir
 	mkdir -p /etc/openvpn/ccd
 	# Create log dir
 	mkdir -p /var/log/openvpn
 	# Enable routing
-	echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf
+	echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/20-openvpn.conf
-	if [[ "$IPV6_SUPPORT" = 'y' ]]; then
+	if [[ $IPV6_SUPPORT == 'y' ]]; then
 		echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/20-openvpn.conf
 	fi
 	# Apply sysctl rules
@ -845,14 +891,14 @@ verb 3" >> /etc/openvpn/server.conf
 	# If SELinux is enabled and a custom port was selected, we need this
 	if hash sestatus 2>/dev/null; then
 		if sestatus | grep "Current mode" | grep -qs "enforcing"; then
-			if [[ "$PORT" != '1194' ]]; then
+			if [[ $PORT != '1194' ]]; then
 				semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
 			fi
 		fi
 	fi
 	# Finally, restart and enable OpenVPN
-	if [[ "$OS" = 'arch' || "$OS" = 'fedora' || "$OS" = 'centos' ]]; then
+	if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' ]]; then
 		# Don't modify package-provided service
 		cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
@ -861,14 +907,14 @@ verb 3" >> /etc/openvpn/server.conf
 		# Another workaround to keep using /etc/openvpn/
 		sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
 		# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
-		if [[ "$OS" == "fedora" ]];then
+		if [[ $OS == "fedora" ]]; then
 			sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
 		fi
 		systemctl daemon-reload
 		systemctl restart openvpn-server@server
 		systemctl enable openvpn-server@server
-	elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
+		systemctl restart openvpn-server@server
 	elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
 		# On Ubuntu 16.04, we use the package from the OpenVPN repo
 		# This package uses a sysvinit service
 		systemctl enable openvpn
@ -883,8 +929,8 @@ verb 3" >> /etc/openvpn/server.conf
 		sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
 		systemctl daemon-reload
 		systemctl restart openvpn@server
 		systemctl enable openvpn@server
 		systemctl restart openvpn@server
 	fi
 	if [[ $DNS == 2 ]]; then
@ -892,7 +938,7 @@ verb 3" >> /etc/openvpn/server.conf
 	fi
 	# Add iptables rules in two scripts
-	mkdir /etc/iptables
+	mkdir -p /etc/iptables
 	# Script to add rules
 	echo "#!/bin/sh
@ -902,7 +948,7 @@ iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
 iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
 iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh
-	if [[ "$IPV6_SUPPORT" = 'y' ]]; then
+	if [[ $IPV6_SUPPORT == 'y' ]]; then
 		echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
 ip6tables -I INPUT 1 -i tun0 -j ACCEPT
 ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
@ -917,7 +963,7 @@ iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
 iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
 iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh
-	if [[ "$IPV6_SUPPORT" = 'y' ]]; then
+	if [[ $IPV6_SUPPORT == 'y' ]]; then
 		echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
 ip6tables -D INPUT -i tun0 -j ACCEPT
 ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
@ -948,15 +994,16 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
 	systemctl start iptables-openvpn
 	# If the server is behind a NAT, use the correct IP address for the clients to connect to
-	if [[ "$ENDPOINT" != "" ]]; then
+	if [[ $ENDPOINT != "" ]]; then
 		IP=$ENDPOINT
 	fi
 	# client-template.txt is created so we have a template to add further users later
 	echo "client" >/etc/openvpn/client-template.txt
-	if [[ "$PROTOCOL" = 'udp' ]]; then
+	if [[ $PROTOCOL == 'udp' ]]; then
 		echo "proto udp" >>/etc/openvpn/client-template.txt
-	elif [[ "$PROTOCOL" = 'tcp' ]]; then
+		echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt
 	elif [[ $PROTOCOL == 'tcp' ]]; then
 		echo "proto tcp-client" >>/etc/openvpn/client-template.txt
 	fi
 	echo "remote $IP $PORT
@ -973,6 +1020,7 @@ cipher $CIPHER
 tls-client
 tls-version-min 1.2
 tls-cipher $CC_CIPHER
 ignore-unknown-option block-outside-dns
 setenv opt block-outside-dns # Prevent Windows 10 DNS leak
 verb 3" >>/etc/openvpn/client-template.txt
@ -990,7 +1038,7 @@ function newClient () {
 	echo "Tell me a name for the client."
 	echo "Use one word only, no special characters."
-	until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
+	until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do
 		read -rp "Client name: " -e CLIENT
 	done
@ -1000,10 +1048,15 @@ function newClient () {
 	echo "   1) Add a passwordless client"
 	echo "   2) Use a password for the client"
-	until [[ "$PASS" =~ ^[1-2]$ ]]; do
+	until [[ $PASS =~ ^[1-2]$ ]]; do
 		read -rp "Select an option [1-2]: " -e -i 1 PASS
 	done
 	CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
 	if [[ $CLIENTEXISTS == '1' ]]; then
 		echo ""
 		echo "The specified client CN was found in easy-rsa."
 	else
 		cd /etc/openvpn/easy-rsa/ || return
 		case $PASS in
 		1)
@ -1014,6 +1067,8 @@ function newClient () {
 			./easyrsa build-client-full "$CLIENT"
 			;;
 		esac
 		echo "Client $CLIENT added."
 	fi
 	# Home directory of the user, where the client configuration (.ovpn) will be written
 	if [ -e "/home/$CLIENT" ]; then # if $1 is a user name
@ -1062,7 +1117,7 @@ function newClient () {
 	} >>"$homeDir/$CLIENT.ovpn"
 	echo ""
-	echo "Client $CLIENT added, the configuration file is available at $homeDir/$CLIENT.ovpn."
+	echo "The configuration file has been written to $homeDir/$CLIENT.ovpn."
 	echo "Download the .ovpn file and import it in your OpenVPN client."
 	exit 0
@ -1070,7 +1125,7 @@ function newClient () {
 function revokeClient() {
 	NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
-	if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
+	if [[ $NUMBEROFCLIENTS == '0' ]]; then
 		echo ""
 		echo "You have no existing clients!"
 		exit 1
@ -1079,7 +1134,7 @@ function revokeClient () {
 	echo ""
 	echo "Select the existing client certificate you want to revoke"
 	tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
-	if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
+	if [[ $NUMBEROFCLIENTS == '1' ]]; then
 		read -rp "Select one client [1]: " CLIENTNUMBER
 	else
 		read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
@ -1089,16 +1144,12 @@ function revokeClient () {
 	cd /etc/openvpn/easy-rsa/ || return
 	./easyrsa --batch revoke "$CLIENT"
 	EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 	# Cleanup
 	rm -f "pki/reqs/$CLIENT.req"
 	rm -f "pki/private/$CLIENT.key"
 	rm -f "pki/issued/$CLIENT.crt"
 	rm -f /etc/openvpn/crl.pem
 	cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
 	chmod 644 /etc/openvpn/crl.pem
 	find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete
 	rm -f "/root/$CLIENT.ovpn"
-	sed -i "s|^$CLIENT,.*||" /etc/openvpn/ipp.txt
+	sed -i "/^$CLIENT,.*/d" /etc/openvpn/ipp.txt
 	echo ""
 	echo "Certificate for client $CLIENT revoked."
@ -1106,9 +1157,8 @@ function revokeClient () {
 function removeUnbound() {
 	# Remove OpenVPN-related config
-	sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf
+	sed -i '/include: \/etc\/unbound\/openvpn.conf/d' /etc/unbound/unbound.conf
 	rm /etc/unbound/openvpn.conf
 	systemctl restart unbound
 	until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do
 		echo ""
@ -1116,17 +1166,17 @@ function removeUnbound () {
 		read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
 	done
-	if [[ "$REMOVE_UNBOUND" = 'y' ]]; then
+	if [[ $REMOVE_UNBOUND == 'y' ]]; then
 		# Stop Unbound
 		systemctl stop unbound
-		if [[ "$OS" =~ (debian|ubuntu) ]]; then
+		if [[ $OS =~ (debian|ubuntu) ]]; then
 			apt-get autoremove --purge -y unbound
-		elif [[ "$OS" = 'arch' ]]; then
+		elif [[ $OS == 'arch' ]]; then
 			pacman --noconfirm -R unbound
-		elif [[ "$OS" =~ (centos|amzn) ]]; then
+		elif [[ $OS =~ (centos|amzn) ]]; then
 			yum remove -y unbound
-		elif [[ "$OS" = 'fedora' ]]; then
+		elif [[ $OS == 'fedora' ]]; then
 			dnf remove -y unbound
 		fi
@ -1135,6 +1185,7 @@ function removeUnbound () {
 		echo ""
 		echo "Unbound removed!"
 	else
 		systemctl restart unbound
 		echo ""
 		echo "Unbound wasn't removed."
 	fi
@ -1144,18 +1195,18 @@ function removeOpenVPN () {
 	echo ""
 	# shellcheck disable=SC2034
 	read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
-	if [[ "$REMOVE" = 'y' ]]; then
+	if [[ $REMOVE == 'y' ]]; then
 		# Get OpenVPN port from the configuration
 		PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
 		PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
 		# Stop OpenVPN
-		if [[ "$OS" =~ (fedora|arch|centos) ]]; then
+		if [[ $OS =~ (fedora|arch|centos) ]]; then
 			systemctl disable openvpn-server@server
 			systemctl stop openvpn-server@server
 			# Remove customised service
 			rm /etc/systemd/system/openvpn-server@.service
-		elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
+		elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
 			systemctl disable openvpn
 			systemctl stop openvpn
 		else
@ -1183,17 +1234,17 @@ function removeOpenVPN () {
 			fi
 		fi
-		if [[ "$OS" =~ (debian|ubuntu) ]]; then
+		if [[ $OS =~ (debian|ubuntu) ]]; then
 			apt-get autoremove --purge -y openvpn
 			if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then
 				rm /etc/apt/sources.list.d/openvpn.list
 				apt-get update
 			fi
-		elif [[ "$OS" = 'arch' ]]; then
+		elif [[ $OS == 'arch' ]]; then
 			pacman --noconfirm -R openvpn
-		elif [[ "$OS" =~ (centos|amzn) ]]; then
+		elif [[ $OS =~ (centos|amzn) ]]; then
 			yum remove -y openvpn
-		elif [[ "$OS" = 'fedora' ]]; then
+		elif [[ $OS == 'fedora' ]]; then
 			dnf remove -y openvpn
 		fi
@ -1229,7 +1280,7 @@ function manageMenu () {
 	echo "   2) Revoke existing user"
 	echo "   3) Remove OpenVPN"
 	echo "   4) Exit"
-	until [[ "$MENU_OPTION" =~ ^[1-4]$ ]]; do
+	until [[ $MENU_OPTION =~ ^[1-4]$ ]]; do
 		read -rp "Select an option [1-4]: " MENU_OPTION
 	done
@ -1253,7 +1304,7 @@ function manageMenu () {
 initialCheck
 # Check if OpenVPN is already installed
-if [[ -e /etc/openvpn/server.conf ]]; then
+if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then
 	manageMenu
 else
 	installOpenVPN