Aggiorna README.md

Update README.md
2025-06-18 22:54:24 +08:00 · 2025-06-18 20:36:45 +08:00 · 2025-01-15 07:24:30 +00:00 · 2025-01-15 07:22:45 +00:00 · 2025-01-15 07:19:46 +00:00 · 2025-01-06 17:25:26 +01:00
15 changed files with 965 additions and 582 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,3 @@
+[*.sh]
+indent_style = tab
+indent_size = 4
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -1,3 +1,2 @@
-patreon: angristan
-liberapay: angristan
-ko_fi: angristan
+ko_fi: stanislas
+custom: https://coindrop.to/stanislas
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@ -1,13 +0,0 @@
-<!---
-
-Before opening an issue, please make sure:
-
- You installed OpenVPN with the latest version of the script
- You read the FAQ
- Your issue is about the script, NOT OpenVPN itself
- ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed
-
-FYI, you can execute the script with `bash -x openvpn-install.sh` to enable debug mode.
-
-You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/
--->
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
--- a/.github/issue_template.md
+++ b/.github/issue_template.md
@ -0,0 +1,10 @@
+<!---
+❗️ Please read ❗️
+➡️ If you need help with OpenVPN itself, please use the community forums (https://forums.openvpn.net/) or Stack Overflow (https://stackoverflow.com/questions/tagged/openvpn)
+➡️ For the script, prefer opening a discussion thread for help: https://github.com/angristan/openvpn-install/discussions
+💡 It helps keep the issue tracker clean and focused on bugs and feature requests.
+
+🙏 Please include as much information as possible, and make sure you're running the latest version of the script.
+✍️ Please state the Linux distribution you're using and its version, as well as the OpenVPN version.
+✋ For feature requests, remember that this script is meant to be simple and easy to use. If you want to add a lot of options, it's better to fork the project.
+--->
--- a/.github/linters/.markdown-lint.yml
+++ b/.github/linters/.markdown-lint.yml
@ -0,0 +1 @@
+{ "MD013": null, "MD045": null, "MD040": null, "MD036": null }
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -0,0 +1,7 @@
+<!---
+❗️ Please read ❗️
+➡️ Please make sure you've followed the guidelines: https://github.com/angristan/openvpn-install#contributing
+✅ Please make sure your changes are tested and working
+🗣️ Please avoid large PRs, and discuss changes in a GitHub issue first
+✋ If the changes are too big and not in line with the project, they will probably be rejected. Remember that this script is meant to be simple and easy to use.
+--->
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -0,0 +1,14 @@
+on: [push, pull_request, workflow_dispatch]
+
+name: Lint
+
+jobs:
+  super-linter:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+      - name: Lint Code Base
+        uses: github/super-linter@v4.1.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@ -1,11 +0,0 @@
-on: [push, pull_request]
-name: ShellCheck
-jobs:
-  shellcheck:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@master
-    - name: shellcheck
-      uses: ludeeus/action-shellcheck@0.0.1
-      with:
-        args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -0,0 +1,97 @@
+on:
+  push:
+    branches:
+      - master
+      - ci
+  workflow_dispatch:
+
+name: Test
+jobs:
+  install:
+    runs-on: ubuntu-latest
+    if: github.repository == 'angristan/openvpn-install' && github.actor == 'angristan'
+    strategy:
+      matrix:
+        os-image:
+          - debian-11-x64
+          - debian-12-x64
+          - ubuntu-22-04-x64
+          - ubuntu-24-04-x64
+          - fedora-39-x64
+          - fedora-40-x64
+          # - centos-stream-9-x64 # yum oomkill
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup doctl
+        uses: digitalocean/action-doctl@v2
+        with:
+          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+
+      - name: Create server
+        run: doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} --size s-1vcpu-1gb --image ${{ matrix.os-image }} --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4 --wait
+
+      - name: Get server ID
+        run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").id')
+        id: server_id
+
+      - name: Move server to dedicated project
+        run: doctl projects resources assign ${{ secrets.DIGITALOCEAN_PROJECT_ID }} --resource=do:droplet:${{ steps.server_id.outputs.value }}
+
+      - name: Wait for server to boot
+        run: sleep 90
+
+      - name: Get server IP
+        run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").networks.v4 | .[] | select(.type == "'public'").ip_address')
+        id: server_ip
+
+      - name: Get server OS
+        run: echo ::set-output name=value::$(echo ${{ matrix.os-image }} | cut -d '-' -f1)
+        id: server_os
+
+      - name: Setup remote server (Debian/Ubuntu)
+        if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
+        uses: appleboy/ssh-action@v0.1.6
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && apt-get update && apt-get -o DPkg::Lock::Timeout=120 install -y git
+
+      - name: Setup remote server (Fedora)
+        if: steps.server_os.outputs.value == 'fedora'
+        uses: appleboy/ssh-action@v0.1.6
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && dnf install -y git
+
+      - name: Setup remote server (CentOS)
+        if: steps.server_os.outputs.value == 'centos'
+        uses: appleboy/ssh-action@v0.1.6
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && yum install -y git
+
+      - name: Download repo and checkout current commit
+        uses: appleboy/ssh-action@v0.1.6
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.sha }}
+
+      - name: Run openvpn-install.sh in headless mode
+        uses: appleboy/ssh-action@v0.1.6
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: 'set -x && AUTO_INSTALL=y bash -x ~/openvpn-install/openvpn-install.sh && ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1'
+
+      - name: Delete server
+        run: doctl compute droplet delete -f openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}
+        if: always()
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +0,0 @@
-.vagrant/
-*.log
--- a/FAQ.md
+++ b/FAQ.md
@ -10,7 +10,46 @@ You can, of course, it's even recommended, update the `openvpn` package with you

 **Q:** How do I check for DNS leaks?

-**A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
+**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Your IP should not show up (test without and without the VPN). The DNS servers should be the ones you selected during the setup, not your IP address nor your ISP's DNS servers' addresses.
+
+---
+
+**Q:** How do I fix DNS leaks?
+
+**A:** On Windows 10 DNS leaks are blocked by default with the `block-outside-dns` option.
+On Linux you need to add these lines to your `.ovpn` file based on your Distribution.
+
+Debian 9, 10 and Ubuntu 16.04, 18.04
+
+```
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+```
+
+Centos 6, 7
+
+```
+script-security 2
+up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up
+down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down
+```
+
+Centos 8, Fedora 30, 31
+
+```
+script-security 2
+up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
+down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
+```
+
+Arch Linux
+
+```
+script-security 2
+up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
+down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
+```

 ---

@ -30,18 +69,107 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s

 **Q:** IPv6 is not working on my Hetzner VM

-**A:** This an issue on their side. See https://angristan.xyz/fix-ipv6-hetzner-cloud/
+**A:** This an issue on their side. See <https://angristan.xyz/fix-ipv6-hetzner-cloud/>

 ---

 **Q:** DNS is not working on my Linux client

-**A:** Make sure the `resolvconf` package is installed. If it does not solve the issue, look at https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script
+**A:** See "How do I fix DNS leaks?" question

 ---

-**Q:** How to setup openVPN in a LXC container? (f.e. Proxmox)
+**Q:** What syctl and iptables changes are made by the script?

-**A:** See https://github.com/Nyr/openvpn-install/wiki/How-to-setup-openVPN-in-a-LXC-container-(f.e.-Proxmox)
+**A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service`
+
+Sysctl options are at `/etc/sysctl.d/20-openvpn.conf`

 ---
+
+**Q:** How can I access other clients connected to the same OpenVPN server?
+
+**A:** Add `client-to-client` to your `server.conf`
+
+---
+
+**Q:** My router can't connect
+
+**A:**
+
+- `Options error: No closing quotation (") in config.ovpn:46` :
+
+  type `yes` when asked to customize encryption settings and choose `tls-auth`
+
+- `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` :
+
+  see question "Can I use an OpenVPN 2.3 client?"
+
+---
+
+**Q:** How can I access computers the OpenVPN server's remote LAN?
+
+**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
+
+---
+
+**Q:** How can I add multiple users in one go?
+
+**A:** Here is a sample bash script to achieve this:
+
+```sh
+userlist=(user1 user2 user3)
+
+for i in ${userlist[@]};do
+   MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh
+done
+```
+
+From a list in a text file:
+
+```sh
+while read USER
+    do MENU_OPTION="1" CLIENT="$USER" PASS="1" ./openvpn-install.sh
+done < users.txt
+```
+
+---
+
+**Q:** How do I change the default `.ovpn` file created for future clients?
+
+**A:** You can edit the template out of which `.ovpn` files are created by editing `/etc/openvpn/client-template.txt`
+
+---
+
+**Q:** For my clients - I want to set my internal network to pass through the VPN and the rest to go through my internet?
+
+**A:** You would need to edit the `.ovpn` file. You can edit the template out of which those files are created by editing `/etc/openvpn/client-template.txt` file and adding
+
+```sh
+route-nopull
+route 10.0.0.0 255.0.0.0
+```
+
+So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet.
+
+---
+
+**Q:** I have enabled IPv6 and my VPN client gets an IPv6 address. Why do I reach the websites or other dual-stacked destionations via IPv4 only?
+
+**A:** This is because inside the tunnel you don't get a publicly routable IPv6 address, instead you get an ULA (Unlique Local Lan) address. Operating systems don't prefer this all the time. You can fix this in your operating system policies as it's unrelated to the VPN itself:
+
+Windows (commands needs to run cmd.exe as Administrator):
+
+```
+netsh interface ipv6 add prefixpolicy fd00::/8 3 1
+```
+
+Linux:
+
+edit `/etc/gai.conf` and uncomment the following line and also change its value to `1`:
+
+```
+label fc00::/7      1
+```
+
+This will not work properly unless you add you your VPN server `server.conf` one or two lines to push at least 1 (one) IPv6 DNS server. Most providers have IPv6 servers as well, add two more lines of `push "dhcp-option DNS <IPv6>"`
--- a/README.md
+++ b/README.md
@ -1,11 +1,78 @@
+# openvpn-install Fabio
+## Usage
+
+First, get the script and make it executable:
+```bash
+curl -O https://forgit.patachina.it/Fabio/openvpn-install/raw/branch/master/openvpn-install.sh
+chmod +x openvpn-install.sh
+```
+Then run it:
+
+```sh
+./openvpn-install.sh
+```
+The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
+
+When OpenVPN is installed, you can run the script again, and you will get the choice to:
+
+Add a client
+Remove a client
+Uninstall OpenVPN
+In your home directory, you will have .ovpn files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
+
+if you change the port this installer change only the server if you use different port in your router port forwarder you have to change .opvn file and modify the port 1194 using the new
+
+## Example:
+
+   in the OpenVPN use for example port 51194 and public router IP git.patachina.duckdns.org and local IP 192.168.1.4 you have to change also .ovpn file changing 1194 to 51194. In your router open a channel port forwarder with "external port 51194 and local 192.168.1.4 with port 51194"
+   
+   Otherwise if you don't change .ovpn you have to set router open a channel port forwarder with "external port 1194 and local 192.168.1.4 with port 51194"
+   
+## How run
+```bash
+./openvpn-install.sh
+Welcome to OpenVPN-install!
+The git repository is available at: https://github.com/angristan/openvpn-install
+It seems like OpenVPN is already installed.
+What would you like to do?
+   1) Add a new user
+   2) Revoke an existing user
+   3) Remove OpenVPN
+   4) Exit
+Select an option [1-4]:
+```
+
 # openvpn-install

-OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
+![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg)
+![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg)
+[![Say Thanks!](https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg)](https://saythanks.io/to/angristan)
+
+OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Arch Linux, Oracle Linux, Rocky Linux and AlmaLinux.

 This script will let you setup your own secure VPN server in just a few seconds.

 You can also check out [wireguard-install](https://github.com/angristan/wireguard-install), a simple installer for a simpler, safer, faster and more modern VPN protocol.

+## What is this?
+
+This script is meant to be run on your own server, whether it's a VPS or a dedicated server, or even a computer at home.
+
+Once set up, you will be able to generate client configuration files for every device you want to connect.
+
+Each client will be able to route its internet traffic through the server, fully encrypted.
+
+```mermaid
+graph LR
+  A[Phone] --> VPN
+  B[Laptop] --> VPN
+  C[Computer] --> VPN
+
+  VPN[OpenVPN Server]
+
+  VPN -->|Encrypted Traffic| I[Internet]
+```
+
 ## Usage

 First, get the script and make it executable:
@ -33,15 +100,14 @@ When OpenVPN is installed, you can run the script again, and you will get the ch

 In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.

-If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
-
-**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
+If you have any question, head to the [FAQ](#faq) first. And if you need help, you can open a [discussion](https://github.com/angristan/openvpn-install/discussions). Please search existing issues and dicussions first.

 ### Headless install

 It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.

 Example usage:
+
 ```bash
 AUTO_INSTALL=y ./openvpn-install.sh

@ -72,11 +138,14 @@ Other variables can be set depending on your choice (encryption, compression). Y

 Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.

+The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.
+
 ### Headless User Addition

 It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script.

 The following Bash script adds a new user `foo` to an existing OpenVPN configuration
+
 ```bash
 #!/bin/bash
 export MENU_OPTION="1"
@ -105,28 +174,28 @@ export PASS="1"

 ## Compatibility

-The script supports these OS and architectures:
+The script supports these Linux distributions:

-|                | i386 | amd64 | armhf | arm64 |
-| -------------- | ---- | ----- | ----- | ----- |
-| Amazon Linux 2 |  ❔  |  ✅  |   ❔  |   ❔  |
-|  Arch Linux    |  ❔  |  ✅  |   ❔  |   ✅  |
-|   Centos 8     |  ❌  |  ✅  |   ❔  |   ❔  |
-|   CentOS 7     |  ❔  |  ✅  |   ❌  |   ✅  |
-|   Debian 8     |  ✅  |  ✅  |   ❌  |   ❌  |
-|   Debian 9     |  ❌  |  ✅  |   ✅  |   ✅  |
-|   Debian 10    |  ❔  |  ✅  |   ✅  |   ❔  |
-|   Fedora 27    |  ❔  |  ✅  |   ❔  |   ❔  |
-|   Fedora 28    |  ❔  |  ✅  |   ❔  |   ❔  |
-| Ubuntu 16.04   |  ✅  |  ✅  |   ❌  |   ❌  |
-| Ubuntu 18.04   |  ❌  |  ✅  |   ✅  |   ✅  |
-| Ubuntu 19.04   |  ❌  |  ✅  |   ✅  |   ✅  |
+|                    | Support |
+| ------------------ | ------- |
+| AlmaLinux 8        | ✅       |
+| Amazon Linux 2     | ✅       |
+| Arch Linux         | ✅       |
+| CentOS 7           | ✅       |
+| CentOS Stream >= 8 | ✅ 🤖     |
+| Debian >= 10       | ✅ 🤖     |
+| Fedora >= 35       | ✅ 🤖     |
+| Oracle Linux 8     | ✅       |
+| Rocky Linux 8      | ✅       |
+| Ubuntu >= 18.04    | ✅ 🤖     |

 To be noted:

- It should work on Debian 8+ and Ubuntu 16.04+. But versions not in the table above are not officially supported.
+- The script is regularly tested against the distributions marked with a 🤖 only.
+  - It's only tested on `amd64` architecture.
+- It should work on older versions such as Debian 8+, Ubuntu 16.04+ and previous Fedora releases. But versions not in the table above are not officially supported.
+  - It should also support versions between the LTS versions, but these are not tested.
 - The script requires `systemd`.
- The script is regularly tested against `amd64` only.

 ## Fork

@ -142,9 +211,9 @@ More Q&A in [FAQ.md](FAQ.md).

 **A:** I recommend these:

- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month
+- [Vultr](https://www.vultr.com/?ref=8948982-8H): Worldwide locations, IPv6 support, starting at \$5/month
+- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, Finland and USA. IPv6, 20 TB of traffic, starting at 4.5€/month
+- [Digital Ocean](https://m.do.co/c/ed0ba143fe53): Worldwide locations, IPv6 support, starting at \$4/month

 ---

@ -154,7 +223,7 @@ More Q&A in [FAQ.md](FAQ.md).

 - Windows: [The official OpenVPN community client](https://openvpn.net/index.php/download/community-downloads.html).
 - Linux: The `openvpn` package from your distribution. There is an [official APT repository](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Debian/Ubuntu based distributions.
- macOS: [Tunnelblick](https://tunnelblick.net/), [Viscosity](https://www.sparklabs.com/viscosity/).
+- macOS: [Tunnelblick](https://tunnelblick.net/), [Viscosity](https://www.sparklabs.com/viscosity/), [OpenVPN for Mac](https://openvpn.net/client-connect-vpn-for-mac-os/).
 - Android: [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn).
 - iOS: [The official OpenVPN Connect client](https://itunes.apple.com/us/app/openvpn-connect/id590379981).

@ -179,22 +248,36 @@ More Q&A in [FAQ.md](FAQ.md).
 Solutions that provision a ready to use OpenVPN server based on this script in one go are available for:

 - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
+- Terraform AWS module [`openvpn-ephemeral`](https://registry.terraform.io/modules/paulmarsicloud/openvpn-ephemeral/aws/latest)

+## Contributing
+
+## Discuss changes
+
+Please open an issue before submitting a PR if you want to discuss a change, especially if it's a big one.
+
+### Code formatting
+
+We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).

 ## Security and Encryption

+> **Warning**
+> This has not been updated for OpenVPN 2.5 and later.
+
 OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that.

 OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, ECDH, AES GCM, NCP and tls-crypt.

 If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.

-Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
+Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.7/easyrsa3/vars.example) file.
+
 ### Compression

 By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.

-However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
+However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.

 ### TLS version

@ -225,13 +308,12 @@ By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old

 > The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
 >
-> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
-
->Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
+> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See <https://community.openvpn.net/openvpn/wiki/SWEET32> for details.
+> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See <https://sweet32.info/> for a much better and more elaborate explanation.
 >
 > OpenVPN's default cipher, BF-CBC, is affected by this attack.

-Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted.
+Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](<https://en.wikipedia.org/wiki/Camellia_(cipher)>) are not vulnerable to date but are slower than AES and relatively less trusted.

 > Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.

@ -250,7 +332,7 @@ The script supports the following ciphers:

 And defaults to `AES-128-GCM`.

-OpenVPN 2.4 added a feature called "NCP": *Negotiable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
+OpenVPN 2.4 added a feature called "NCP": _Negotiable Crypto Parameters_. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.

 ### Control channel

@ -311,6 +393,7 @@ About `tls-crypt`:
 > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
 >
 > Encrypting (and authenticating) control channel packets:
+>
 > - provides more privacy by hiding the certificate used for the TLS connection,
 > - makes it harder to identify OpenVPN traffic as such,
 > - provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
@ -323,12 +406,14 @@ The script supports both and uses `tls-crypt` by default.

 ## Say thanks

-*Sadly saythanks.io doesn't exist anymore... Thanks for the dozens of messages! It's really meaninful to me.*
-
-*Still want to help? Check the "sponsor" button at the top of the page!*
+You can [say thanks](https://saythanks.io/to/angristan) if you want!

 ## Credits & Licence

 Many thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and Nyr's original work.

 This project is under the [MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install/master/LICENSE)
+
+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=angristan/openvpn-install&type=Date)](https://star-history.com/#angristan/openvpn-install&Date)
--- a/35
+++ b/35
@ -1,35 +0,0 @@
-# This Vagrantfile is used to test the script
-
-# To run the script on all machines, export VAGRANT_AUTOSTART=true
-autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
-# else, run `vagrant up <hostname>`
-
-machines = [
-  { hostname: 'debian-10', box: 'debian/stretch64' },
-  { hostname: 'debian-9', box: 'debian/stretch64' },
-  { hostname: 'debian-8', box: 'debian/jessie64' },
-  { hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },
-  { hostname: 'ubuntu-1804', box: 'ubuntu/xenial64' },
-  { hostname: 'centos-7', box: 'centos/7' },
-  { hostname: 'fedora-29', box: 'fedora/29-cloud-base' },
-  { hostname: 'fedora-28', box: 'fedora/28-cloud-base' },
-  { hostname: 'archlinux', box: 'archlinux/archlinux' }
-]
-
-Vagrant.configure('2') do |config|
-  machines.each do |machine|
-    config.vm.provider 'virtualbox' do |v|
-      v.memory = 1024
-      v.cpus = 2
-    end
-    config.vm.define machine[:hostname], autostart: autostart_machines do |machineconfig|
-      machineconfig.vm.hostname = machine[:hostname]
-      machineconfig.vm.box = machine[:box]
-
-      machineconfig.vm.provision 'shell', inline: <<-SHELL
-        AUTO_INSTALL=y /vagrant/openvpn-install.sh
-        ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1
-      SHELL
-    end
-  end
-end
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@ -1,6 +1,7 @@
 #!/bin/bash
+# shellcheck disable=SC1091,SC2164,SC2034,SC1072,SC1073,SC1009

-# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux
+# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora, Oracle Linux 8, Arch Linux, Rocky Linux and AlmaLinux.
 # https://github.com/angristan/openvpn-install

 function isRoot() {
@ -18,58 +19,64 @@ function tunAvailable () {
 function checkOS() {
 	if [[ -e /etc/debian_version ]]; then
 		OS="debian"
-		# shellcheck disable=SC1091
 		source /etc/os-release

-		if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then
-			if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
+		if [[ $ID == "debian" || $ID == "raspbian" ]]; then
+			if [[ $VERSION_ID -lt 9 ]]; then
 				echo "⚠️ Your version of Debian is not supported."
 				echo ""
-				echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
-				echo "Keep in mind they are not supported, though."
+				echo "However, if you're using Debian >= 9 or unstable/testing then you can continue, at your own risk."
 				echo ""
 				until [[ $CONTINUE =~ (y|n) ]]; do
 					read -rp "Continue? [y/n]: " -e CONTINUE
 				done
-				if [[ "$CONTINUE" == "n" ]]; then
+				if [[ $CONTINUE == "n" ]]; then
 					exit 1
 				fi
 			fi
-		elif [[ "$ID" == "ubuntu" ]];then
+		elif [[ $ID == "ubuntu" ]]; then
 			OS="ubuntu"
-			if [[ ! $VERSION_ID =~ (16.04|18.04|19.04) ]]; then
+			MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1)
+			if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then
 				echo "⚠️ Your version of Ubuntu is not supported."
 				echo ""
-				echo "However, if you're using Ubuntu > 17 or beta, then you can continue."
-				echo "Keep in mind they are not supported, though."
+				echo "However, if you're using Ubuntu >= 16.04 or beta, then you can continue, at your own risk."
 				echo ""
 				until [[ $CONTINUE =~ (y|n) ]]; do
 					read -rp "Continue? [y/n]: " -e CONTINUE
 				done
-				if [[ "$CONTINUE" == "n" ]]; then
+				if [[ $CONTINUE == "n" ]]; then
 					exit 1
 				fi
 			fi
 		fi
 	elif [[ -e /etc/system-release ]]; then
-		# shellcheck disable=SC1091
 		source /etc/os-release
-		if [[ "$ID" == "fedora" ]]; then
+		if [[ $ID == "fedora" || $ID_LIKE == "fedora" ]]; then
 			OS="fedora"
 		fi
-		if [[ "$ID" == "centos" ]]; then
+		if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then
 			OS="centos"
-			if [[ ! $VERSION_ID =~ (7|8) ]]; then
+			if [[ ${VERSION_ID%.*} -lt 7 ]]; then
 				echo "⚠️ Your version of CentOS is not supported."
 				echo ""
-				echo "The script only support CentOS 7."
+				echo "The script only support CentOS 7 and CentOS 8."
 				echo ""
 				exit 1
 			fi
 		fi
-		if [[ "$ID" == "amzn" ]]; then
+		if [[ $ID == "ol" ]]; then
+			OS="oracle"
+			if [[ ! $VERSION_ID =~ (8) ]]; then
+				echo "Your version of Oracle Linux is not supported."
+				echo ""
+				echo "The script only support Oracle Linux 8."
+				exit 1
+			fi
+		fi
+		if [[ $ID == "amzn" ]]; then
 			OS="amzn"
-			if [[ ! $VERSION_ID == "2" ]]; then
+			if [[ $VERSION_ID != "2" ]]; then
 				echo "⚠️ Your version of Amazon Linux is not supported."
 				echo ""
 				echo "The script only support Amazon Linux 2."
@ -80,7 +87,7 @@ function checkOS () {
 	elif [[ -e /etc/arch-release ]]; then
 		OS=arch
 	else
-		echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system"
+		echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2, Oracle Linux 8 or Arch Linux system"
 		exit 1
 	fi
 }
@ -98,9 +105,10 @@ function initialCheck () {
 }

 function installUnbound() {
+	# If Unbound isn't installed, install it
 	if [[ ! -e /etc/unbound/unbound.conf ]]; then

-		if [[ "$OS" =~ (debian|ubuntu) ]]; then
+		if [[ $OS =~ (debian|ubuntu) ]]; then
 			apt-get install -y unbound

 			# Configuration
@ -111,7 +119,7 @@ hide-version: yes
 use-caps-for-id: yes
 prefetch: yes' >>/etc/unbound/unbound.conf

-		elif [[ "$OS" =~ (centos|amzn) ]]; then
+		elif [[ $OS =~ (centos|amzn|oracle) ]]; then
 			yum install -y unbound

 			# Configuration
@ -121,7 +129,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
 			sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
 			sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf

-		elif [[ "$OS" == "fedora" ]]; then
+		elif [[ $OS == "fedora" ]]; then
 			dnf install -y unbound

 			# Configuration
@ -131,13 +139,15 @@ prefetch: yes' >> /etc/unbound/unbound.conf
 			sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
 			sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf

-		elif [[ "$OS" == "arch" ]]; then
+		elif [[ $OS == "arch" ]]; then
 			pacman -Syu --noconfirm unbound

 			# Get root servers list
 			curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

+			if [[ ! -f /etc/unbound/unbound.conf.old ]]; then
 				mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
+			fi

 			echo 'server:
 	use-syslog: yes
@ -158,9 +168,16 @@ prefetch: yes' >> /etc/unbound/unbound.conf
 	prefetch: yes' >/etc/unbound/unbound.conf
 		fi

-		if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
+		# IPv6 DNS for all OS
+		if [[ $IPV6_SUPPORT == 'y' ]]; then
+			echo 'interface: fd42:42:42:42::1
+access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/unbound.conf
+		fi
+
+		if [[ ! $OS =~ (fedora|centos|amzn|oracle) ]]; then
 			# DNS Rebinding fix
 			echo "private-address: 10.0.0.0/8
+private-address: fd42:42:42:42::/112
 private-address: 172.16.0.0/12
 private-address: 192.168.0.0/16
 private-address: 169.254.0.0/16
@ -181,6 +198,7 @@ hide-version: yes
 use-caps-for-id: yes
 prefetch: yes
 private-address: 10.0.0.0/8
+private-address: fd42:42:42:42::/112
 private-address: 172.16.0.0/12
 private-address: 192.168.0.0/16
 private-address: 169.254.0.0/16
@ -188,12 +206,55 @@ private-address: fd00::/8
 private-address: fe80::/10
 private-address: 127.0.0.0/8
 private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf
+		if [[ $IPV6_SUPPORT == 'y' ]]; then
+			echo 'interface: fd42:42:42:42::1
+access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/openvpn.conf
+		fi
 	fi

 	systemctl enable unbound
 	systemctl restart unbound
 }

+function resolvePublicIP() {
+	# IP version flags, we'll use as default the IPv4
+	CURL_IP_VERSION_FLAG="-4"
+	DIG_IP_VERSION_FLAG="-4"
+
+	# Behind NAT, we'll default to the publicly reachable IPv4/IPv6.
+	if [[ $IPV6_SUPPORT == "y" ]]; then
+		CURL_IP_VERSION_FLAG=""
+		DIG_IP_VERSION_FLAG="-6"
+	fi
+
+	# If there is no public ip yet, we'll try to solve it using: https://api.seeip.org
+	if [[ -z $PUBLIC_IP ]]; then
+		PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://api.seeip.org 2>/dev/null)
+	fi
+
+	# If there is no public ip yet, we'll try to solve it using: https://ifconfig.me
+	if [[ -z $PUBLIC_IP ]]; then
+		PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://ifconfig.me 2>/dev/null)
+	fi
+
+	# If there is no public ip yet, we'll try to solve it using: https://api.ipify.org
+	if [[ -z $PUBLIC_IP ]]; then
+		PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://api.ipify.org 2>/dev/null)
+	fi
+
+	# If there is no public ip yet, we'll try to solve it using: ns1.google.com
+	if [[ -z $PUBLIC_IP ]]; then
+		PUBLIC_IP=$(dig $DIG_IP_VERSION_FLAG TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"')
+	fi
+
+	if [[ -z $PUBLIC_IP ]]; then
+		echo >&2 echo "Couldn't solve the public IP"
+		exit 1
+	fi
+
+	echo "$PUBLIC_IP"
+}
+
 function installQuestions() {
 	echo "Welcome to the OpenVPN installer!"
 	echo "The git repository is available at: https://github.com/angristan/openvpn-install"
@ -206,7 +267,12 @@ function installQuestions () {
 	echo "Unless your server is behind NAT, it should be your public IPv4 address."

 	# Detect public IPv4 address and pre-fill for the user
-	IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
+	IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)
+
+	if [[ -z $IP ]]; then
+		# Detect public IPv6 address
+		IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)
+	fi
 	APPROVE_IP=${APPROVE_IP:-n}
 	if [[ $APPROVE_IP =~ n ]]; then
 		read -rp "IP address: " -e -i "$IP" IP
@ -216,8 +282,13 @@ function installQuestions () {
 		echo ""
 		echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
 		echo "We need it for the clients to connect to the server."
-		until [[ "$ENDPOINT" != "" ]]; do
-			read -rp "Public IPv4 address or hostname: " -e ENDPOINT
+
+		if [[ -z $ENDPOINT ]]; then
+			DEFAULT_ENDPOINT=$(resolvePublicIP)
+		fi
+
+		until [[ $ENDPOINT != "" ]]; do
+			read -rp "Public IPv4 address or hostname: " -e -i "$DEFAULT_ENDPOINT" ENDPOINT
 		done
 	fi

@ -247,7 +318,7 @@ function installQuestions () {
 	echo "   1) Default: 1194"
 	echo "   2) Custom"
 	echo "   3) Random [49152-65535]"
-	until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
+	until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do
 		read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
 	done
 	case $PORT_CHOICE in
@ -255,7 +326,7 @@ function installQuestions () {
 		PORT="1194"
 		;;
 	2)
-			until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
+		until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
 			read -rp "Custom port [1-65535]: " -e -i 1194 PORT
 		done
 		;;
@ -270,7 +341,7 @@ function installQuestions () {
 	echo "UDP is faster. Unless it is not available, you shouldn't use TCP."
 	echo "   1) UDP"
 	echo "   2) TCP"
-	until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do
+	until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do
 		read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
 	done
 	case $PROTOCOL_CHOICE in
@ -296,8 +367,8 @@ function installQuestions () {
 	echo "   11) AdGuard DNS (Anycast: worldwide)"
 	echo "   12) NextDNS (Anycast: worldwide)"
 	echo "   13) Custom"
-	until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
-		read -rp "DNS [1-12]: " -e -i 3 DNS
+	until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
+		read -rp "DNS [1-12]: " -e -i 11 DNS
 		if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
 			echo ""
 			echo "Unbound is already installed."
@ -315,19 +386,19 @@ function installQuestions () {
 				unset CONTINUE
 			fi
 		elif [[ $DNS == "13" ]]; then
-				until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+			until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
 				read -rp "Primary DNS: " -e DNS1
 			done
-				until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+			until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
 				read -rp "Secondary DNS (optional): " -e DNS2
-					if [[ "$DNS2" == "" ]]; then
+				if [[ $DNS2 == "" ]]; then
 					break
 				fi
 			done
 		fi
 	done
 	echo ""
-	echo "Do you want to use compression? It is not recommended since the VORACLE attack make use of it."
+	echo "Do you want to use compression? It is not recommended since the VORACLE attack makes use of it."
 	until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do
 		read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
 	done
@ -379,7 +450,7 @@ function installQuestions () {
 		echo "   4) AES-128-CBC"
 		echo "   5) AES-192-CBC"
 		echo "   6) AES-256-CBC"
-		until [[ "$CIPHER_CHOICE" =~ ^[1-6]$ ]]; do
+		until [[ $CIPHER_CHOICE =~ ^[1-6]$ ]]; do
 			read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE
 		done
 		case $CIPHER_CHOICE in
@ -437,7 +508,7 @@ function installQuestions () {
 			echo "   1) 2048 bits (recommended)"
 			echo "   2) 3072 bits"
 			echo "   3) 4096 bits"
-				until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
+			until [[ $RSA_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
 				read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
 			done
 			case $RSA_KEY_SIZE_CHOICE in
@ -522,7 +593,7 @@ function installQuestions () {
 			echo "   1) 2048 bits (recommended)"
 			echo "   2) 3072 bits"
 			echo "   3) 4096 bits"
-				until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
+			until [[ $DH_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
 				read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
 			done
 			case $DH_KEY_SIZE_CHOICE in
@ -540,9 +611,9 @@ function installQuestions () {
 		esac
 		echo ""
 		# The "auth" options behaves differently with AEAD ciphers
-		if [[ "$CIPHER" =~ CBC$ ]]; then
+		if [[ $CIPHER =~ CBC$ ]]; then
 			echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
-		elif [[ "$CIPHER" =~ GCM$ ]]; then
+		elif [[ $CIPHER =~ GCM$ ]]; then
 			echo "The digest algorithm authenticates tls-auth packets from the control channel."
 		fi
 		echo "Which digest algorithm do you want to use for HMAC?"
@ -596,61 +667,69 @@ function installOpenVPN () {
 		PASS=${PASS:-1}
 		CONTINUE=${CONTINUE:-y}

-		# Behind NAT, we'll default to the publicly reachable IPv4.
-		PUBLIC_IPV4=$(curl ifconfig.co)
-		ENDPOINT=${ENDPOINT:-$PUBLIC_IPV4}
+		if [[ -z $ENDPOINT ]]; then
+			ENDPOINT=$(resolvePublicIP)
+		fi
 	fi

-	# Run setup questions first, and set other variales if auto-install
+	# Run setup questions first, and set other variables if auto-install
 	installQuestions

 	# Get the "public" interface from the default route
 	NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
-	if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then
+	if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then
 		NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p')
 	fi

 	# $NIC can not be empty for script rm-openvpn-rules.sh
-        if [[ -z "$NIC" ]]; then
+	if [[ -z $NIC ]]; then
 		echo
 		echo "Can not detect public interface."
 		echo "This needs for setup MASQUERADE."
 		until [[ $CONTINUE =~ (y|n) ]]; do
 			read -rp "Continue? [y/n]: " -e CONTINUE
 		done
-                if [[ "$CONTINUE" == "n" ]]; then
+		if [[ $CONTINUE == "n" ]]; then
 			exit 1
 		fi
 	fi

-	if [[ "$OS" =~ (debian|ubuntu) ]]; then
+	# If OpenVPN isn't installed yet, install it. This script is more-or-less
+	# idempotent on multiple runs, but will only install OpenVPN from upstream
+	# the first time.
+	if [[ ! -e /etc/openvpn/server.conf ]]; then
+		if [[ $OS =~ (debian|ubuntu) ]]; then
 			apt-get update
 			apt-get -y install ca-certificates gnupg
 			# We add the OpenVPN repo to get the latest version.
-		if [[ "$VERSION_ID" == "8" ]]; then
-			echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
-			wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
-			apt-get update
-		fi
-		if [[ "$VERSION_ID" == "16.04" ]]; then
+			if [[ $VERSION_ID == "16.04" ]]; then
 				echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
 				wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
 				apt-get update
 			fi
 			# Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
 			apt-get install -y openvpn iptables openssl wget ca-certificates curl
-	elif [[ "$OS" == 'centos' ]]; then
+		elif [[ $OS == 'centos' ]]; then
 			yum install -y epel-release
 			yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
-	elif [[ "$OS" == 'amzn' ]]; then
+		elif [[ $OS == 'oracle' ]]; then
+			yum install -y oracle-epel-release-el8
+			yum-config-manager --enable ol8_developer_EPEL
+			yum install -y openvpn iptables openssl wget ca-certificates curl tar policycoreutils-python-utils
+		elif [[ $OS == 'amzn' ]]; then
 			amazon-linux-extras install -y epel
 			yum install -y openvpn iptables openssl wget ca-certificates curl
-	elif [[ "$OS" == 'fedora' ]]; then
-		dnf install -y openvpn iptables openssl wget ca-certificates curl
-	elif [[ "$OS" == 'arch' ]]; then
+		elif [[ $OS == 'fedora' ]]; then
+			dnf install -y openvpn iptables openssl wget ca-certificates curl policycoreutils-python-utils
+		elif [[ $OS == 'arch' ]]; then
 			# Install required dependencies and upgrade the system
 			pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
 		fi
+		# An old version of easy-rsa was available by default in some openvpn packages
+		if [[ -d /etc/openvpn/easy-rsa/ ]]; then
+			rm -rf /etc/openvpn/easy-rsa/
+		fi
+	fi

 	# Find out if the machine uses nogroup or nobody for the permissionless group
 	if grep -qs "^nogroup:" /etc/group; then
@ -659,18 +738,13 @@ function installOpenVPN () {
 		NOGROUP=nobody
 	fi

-	# An old version of easy-rsa was available by default in some openvpn packages
-	if [[ -d /etc/openvpn/easy-rsa/ ]]; then
-		rm -rf /etc/openvpn/easy-rsa/
-	fi
-
-	# Install the latest version of easy-rsa from source
-	local version="3.0.6"
-	wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz
-	tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/
-	mv ~/EasyRSA-v${version} /etc/openvpn/easy-rsa
-	chown -R root:root /etc/openvpn/easy-rsa/
-	rm -f ~/EasyRSA-unix-v${version}.tgz
+	# Install the latest version of easy-rsa from source, if not already installed.
+	if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
+		local version="3.1.2"
+		wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
+		mkdir -p /etc/openvpn/easy-rsa
+		tar xzf ~/easy-rsa.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/easy-rsa
+		rm -f ~/easy-rsa.tgz

 		cd /etc/openvpn/easy-rsa/ || return
 		case $CERT_TYPE in
@ -685,24 +759,20 @@ function installOpenVPN () {

 		# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
 		SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
+		echo "$SERVER_CN" >SERVER_CN_GENERATED
 		SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
-	echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
+		echo "$SERVER_NAME" >SERVER_NAME_GENERATED

 		# Create the PKI, set up the CA, the DH params and the server certificate
 		./easyrsa init-pki
-
-        # Workaround to remove unharmful error until easy-rsa 3.0.7
-        # https://github.com/OpenVPN/easy-rsa/issues/261
-        sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
-
-	./easyrsa --batch build-ca nopass
+		EASYRSA_CA_EXPIRE=3650 ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass

 		if [[ $DH_TYPE == "2" ]]; then
 			# ECDH keys are generated on-the-fly so we don't need to generate them beforehand
 			openssl dhparam -out dh.pem $DH_KEY_SIZE
 		fi

-	./easyrsa build-server-full "$SERVER_NAME" nopass
+		EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-server-full "$SERVER_NAME" nopass
 		EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl

 		case $TLS_SIG in
@ -715,6 +785,12 @@ function installOpenVPN () {
 			openvpn --genkey --secret /etc/openvpn/tls-auth.key
 			;;
 		esac
+	else
+		# If easy-rsa is already installed, grab the generated SERVER_NAME
+		# for client configs
+		cd /etc/openvpn/easy-rsa/ || return
+		SERVER_NAME=$(cat SERVER_NAME_GENERATED)
+	fi

 	# Move all the generated files
 	cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
@ -727,9 +803,9 @@ function installOpenVPN () {

 	# Generate server.conf
 	echo "port $PORT" >/etc/openvpn/server.conf
-	if [[ "$IPV6_SUPPORT" == 'n' ]]; then
+	if [[ $IPV6_SUPPORT == 'n' ]]; then
 		echo "proto $PROTOCOL" >>/etc/openvpn/server.conf
-	elif [[ "$IPV6_SUPPORT" == 'y' ]]; then
+	elif [[ $IPV6_SUPPORT == 'y' ]]; then
 		echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf
 	fi

@ -754,12 +830,18 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 			RESOLVCONF='/etc/resolv.conf'
 		fi
 		# Obtain the resolvers from resolv.conf and use them for OpenVPN
-			grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
+		sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do
+			# Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter
+			if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then
 				echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf
+			fi
 		done
 		;;
 	2) # Self-hosted DNS resolver (Unbound)
 		echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf
+		if [[ $IPV6_SUPPORT == 'y' ]]; then
+			echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server.conf
+		fi
 		;;
 	3) # Cloudflare
 		echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf
@ -794,8 +876,8 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf
 		;;
 	11) # AdGuard DNS
-			echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
-			echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
+		echo 'push "dhcp-option DNS 94.140.14.14"' >>/etc/openvpn/server.conf
+		echo 'push "dhcp-option DNS 94.140.15.15"' >>/etc/openvpn/server.conf
 		;;
 	12) # NextDNS
 		echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf
@ -803,7 +885,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 		;;
 	13) # Custom DNS
 		echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf
-		if [[ "$DNS2" != "" ]]; then
+		if [[ $DNS2 != "" ]]; then
 			echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf
 		fi
 		;;
@ -811,7 +893,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 	echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf

 	# IPv6 network settings if needed
-	if [[ "$IPV6_SUPPORT" == 'y' ]]; then
+	if [[ $IPV6_SUPPORT == 'y' ]]; then
 		echo 'server-ipv6 fd42:42:42:42::/112
 tun-ipv6
 push tun-ipv6
@ -832,7 +914,7 @@ push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf

 	case $TLS_SIG in
 	1)
-			echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
+		echo "tls-crypt tls-crypt.key" >>/etc/openvpn/server.conf
 		;;
 	2)
 		echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf
@ -859,9 +941,9 @@ verb 3" >> /etc/openvpn/server.conf
 	mkdir -p /var/log/openvpn

 	# Enable routing
-	echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf
-	if [[ "$IPV6_SUPPORT" == 'y' ]]; then
-		echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf
+	echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-openvpn.conf
+	if [[ $IPV6_SUPPORT == 'y' ]]; then
+		echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/99-openvpn.conf
 	fi
 	# Apply sysctl rules
 	sysctl --system
@ -869,14 +951,14 @@ verb 3" >> /etc/openvpn/server.conf
 	# If SELinux is enabled and a custom port was selected, we need this
 	if hash sestatus 2>/dev/null; then
 		if sestatus | grep "Current mode" | grep -qs "enforcing"; then
-			if [[ "$PORT" != '1194' ]]; then
+			if [[ $PORT != '1194' ]]; then
 				semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
 			fi
 		fi
 	fi

 	# Finally, restart and enable OpenVPN
-	if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then
+	if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' || $OS == 'oracle' ]]; then
 		# Don't modify package-provided service
 		cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service

@ -884,15 +966,11 @@ verb 3" >> /etc/openvpn/server.conf
 		sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
 		# Another workaround to keep using /etc/openvpn/
 		sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
-		# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
-		if [[ "$OS" == "fedora" ]];then
-			sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
-		fi

 		systemctl daemon-reload
 		systemctl enable openvpn-server@server
 		systemctl restart openvpn-server@server
-	elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
+	elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
 		# On Ubuntu 16.04, we use the package from the OpenVPN repo
 		# This package uses a sysvinit service
 		systemctl enable openvpn
@ -926,11 +1004,12 @@ iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
 iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
 iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh

-	if [[ "$IPV6_SUPPORT" == 'y' ]]; then
+	if [[ $IPV6_SUPPORT == 'y' ]]; then
 		echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
 ip6tables -I INPUT 1 -i tun0 -j ACCEPT
 ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
-ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
+ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
+ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh
 	fi

 	# Script to remove rules
@ -941,11 +1020,12 @@ iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
 iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
 iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh

-	if [[ "$IPV6_SUPPORT" == 'y' ]]; then
+	if [[ $IPV6_SUPPORT == 'y' ]]; then
 		echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
 ip6tables -D INPUT -i tun0 -j ACCEPT
 ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
-ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
+ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT
+ip6tables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh
 	fi

 	chmod +x /etc/iptables/add-openvpn-rules.sh
@ -972,16 +1052,16 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
 	systemctl start iptables-openvpn

 	# If the server is behind a NAT, use the correct IP address for the clients to connect to
-	if [[ "$ENDPOINT" != "" ]]; then
+	if [[ $ENDPOINT != "" ]]; then
 		IP=$ENDPOINT
 	fi

 	# client-template.txt is created so we have a template to add further users later
 	echo "client" >/etc/openvpn/client-template.txt
-	if [[ "$PROTOCOL" == 'udp' ]]; then
+	if [[ $PROTOCOL == 'udp' ]]; then
 		echo "proto udp" >>/etc/openvpn/client-template.txt
 		echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt
-	elif [[ "$PROTOCOL" == 'tcp' ]]; then
+	elif [[ $PROTOCOL == 'tcp' ]]; then
 		echo "proto tcp-client" >>/etc/openvpn/client-template.txt
 	fi
 	echo "remote $IP $PORT
@ -998,6 +1078,7 @@ cipher $CIPHER
 tls-client
 tls-version-min 1.2
 tls-cipher $CC_CIPHER
+ignore-unknown-option block-outside-dns
 setenv opt block-outside-dns # Prevent Windows 10 DNS leak
 verb 3" >>/etc/openvpn/client-template.txt

@ -1013,9 +1094,9 @@ fi
 function newClient() {
 	echo ""
 	echo "Tell me a name for the client."
-	echo "Use one word only, no special characters."
+	echo "The name must consist of alphanumeric character. It may also include an underscore or a dash."

-	until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
+	until [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; do
 		read -rp "Client name: " -e CLIENT
 	done

@ -1025,27 +1106,43 @@ function newClient () {
 	echo "   1) Add a passwordless client"
 	echo "   2) Use a password for the client"

-	until [[ "$PASS" =~ ^[1-2]$ ]]; do
+	until [[ $PASS =~ ^[1-2]$ ]]; do
 		read -rp "Select an option [1-2]: " -e -i 1 PASS
 	done

+	CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
+	if [[ $CLIENTEXISTS == '1' ]]; then
+		echo ""
+		echo "The specified client CN was already found in easy-rsa, please choose another name."
+		exit
+	else
 		cd /etc/openvpn/easy-rsa/ || return
 		case $PASS in
 		1)
-			./easyrsa build-client-full "$CLIENT" nopass
+			EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "$CLIENT" nopass
 			;;
 		2)
 			echo "⚠️ You will be asked for the client password below ⚠️"
-			./easyrsa build-client-full "$CLIENT"
+			EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "$CLIENT"
 			;;
 		esac
+		echo "Client $CLIENT added."
+	fi

-	# Home directory of the user, where the client configuration (.ovpn) will be written
-	if [ -e "/home/$CLIENT" ]; then  # if $1 is a user name
-		homeDir="/home/$CLIENT"
-	elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER
+	# Home directory of the user, where the client configuration will be written
+	if [ -e "/home/${CLIENT}" ]; then
+		# if $1 is a user name
+		homeDir="/home/${CLIENT}"
+	elif [ "${SUDO_USER}" ]; then
+		# if not, use SUDO_USER
+		if [ "${SUDO_USER}" == "root" ]; then
+			# If running sudo as root
+			homeDir="/root"
+		else
 			homeDir="/home/${SUDO_USER}"
-	else # if not SUDO_USER, use /root
+		fi
+	else
+		# if not SUDO_USER, use /root
 		homeDir="/root"
 	fi

@ -1064,7 +1161,7 @@ function newClient () {
 		echo "</ca>"

 		echo "<cert>"
-		awk '/BEGIN/,/END/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt"
+		awk '/BEGIN/,/END CERTIFICATE/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt"
 		echo "</cert>"

 		echo "<key>"
@ -1087,7 +1184,7 @@ function newClient () {
 	} >>"$homeDir/$CLIENT.ovpn"

 	echo ""
-	echo "Client $CLIENT added, the configuration file is available at $homeDir/$CLIENT.ovpn."
+	echo "The configuration file has been written to $homeDir/$CLIENT.ovpn."
 	echo "Download the .ovpn file and import it in your OpenVPN client."

 	exit 0
@ -1095,7 +1192,7 @@ function newClient () {

 function revokeClient() {
 	NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
-	if [[ "$NUMBEROFCLIENTS" == '0' ]]; then
+	if [[ $NUMBEROFCLIENTS == '0' ]]; then
 		echo ""
 		echo "You have no existing clients!"
 		exit 1
@ -1104,26 +1201,24 @@ function revokeClient () {
 	echo ""
 	echo "Select the existing client certificate you want to revoke"
 	tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
-	if [[ "$NUMBEROFCLIENTS" == '1' ]]; then
+	until [[ $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do
+		if [[ $CLIENTNUMBER == '1' ]]; then
 			read -rp "Select one client [1]: " CLIENTNUMBER
 		else
 			read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
 		fi
-
+	done
 	CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
 	cd /etc/openvpn/easy-rsa/ || return
 	./easyrsa --batch revoke "$CLIENT"
 	EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
-	# Cleanup
-	rm -f "pki/reqs/$CLIENT.req"
-	rm -f "pki/private/$CLIENT.key"
-	rm -f "pki/issued/$CLIENT.crt"
 	rm -f /etc/openvpn/crl.pem
 	cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
 	chmod 644 /etc/openvpn/crl.pem
 	find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete
 	rm -f "/root/$CLIENT.ovpn"
 	sed -i "/^$CLIENT,.*/d" /etc/openvpn/ipp.txt
+	cp /etc/openvpn/easy-rsa/pki/index.txt{,.bk}

 	echo ""
 	echo "Certificate for client $CLIENT revoked."
@ -1140,17 +1235,17 @@ function removeUnbound () {
 		read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
 	done

-	if [[ "$REMOVE_UNBOUND" == 'y' ]]; then
+	if [[ $REMOVE_UNBOUND == 'y' ]]; then
 		# Stop Unbound
 		systemctl stop unbound

-		if [[ "$OS" =~ (debian|ubuntu) ]]; then
-			apt-get autoremove --purge -y unbound
-		elif [[ "$OS" == 'arch' ]]; then
+		if [[ $OS =~ (debian|ubuntu) ]]; then
+			apt-get remove --purge -y unbound
+		elif [[ $OS == 'arch' ]]; then
 			pacman --noconfirm -R unbound
-		elif [[ "$OS" =~ (centos|amzn) ]]; then
+		elif [[ $OS =~ (centos|amzn|oracle) ]]; then
 			yum remove -y unbound
-		elif [[ "$OS" == 'fedora' ]]; then
+		elif [[ $OS == 'fedora' ]]; then
 			dnf remove -y unbound
 		fi

@ -1167,19 +1262,19 @@ function removeUnbound () {

 function removeOpenVPN() {
 	echo ""
-	# shellcheck disable=SC2034
 	read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
-	if [[ "$REMOVE" == 'y' ]]; then
+	if [[ $REMOVE == 'y' ]]; then
 		# Get OpenVPN port from the configuration
 		PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
+		PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)

 		# Stop OpenVPN
-		if [[ "$OS" =~ (fedora|arch|centos) ]]; then
+		if [[ $OS =~ (fedora|arch|centos|oracle) ]]; then
 			systemctl disable openvpn-server@server
 			systemctl stop openvpn-server@server
 			# Remove customised service
 			rm /etc/systemd/system/openvpn-server@.service
-		elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
+		elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
 			systemctl disable openvpn
 			systemctl stop openvpn
 		else
@ -1201,23 +1296,23 @@ function removeOpenVPN () {
 		# SELinux
 		if hash sestatus 2>/dev/null; then
 			if sestatus | grep "Current mode" | grep -qs "enforcing"; then
-				if [[ "$PORT" != '1194' ]]; then
-					semanage port -d -t openvpn_port_t -p udp "$PORT"
+				if [[ $PORT != '1194' ]]; then
+					semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT"
 				fi
 			fi
 		fi

-		if [[ "$OS" =~ (debian|ubuntu) ]]; then
-			apt-get autoremove --purge -y openvpn
+		if [[ $OS =~ (debian|ubuntu) ]]; then
+			apt-get remove --purge -y openvpn
 			if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then
 				rm /etc/apt/sources.list.d/openvpn.list
 				apt-get update
 			fi
-		elif [[ "$OS" == 'arch' ]]; then
+		elif [[ $OS == 'arch' ]]; then
 			pacman --noconfirm -R openvpn
-		elif [[ "$OS" =~ (centos|amzn) ]]; then
+		elif [[ $OS =~ (centos|amzn|oracle) ]]; then
 			yum remove -y openvpn
-		elif [[ "$OS" == 'fedora' ]]; then
+		elif [[ $OS == 'fedora' ]]; then
 			dnf remove -y openvpn
 		fi

@ -1226,7 +1321,7 @@ function removeOpenVPN () {
 		find /root/ -maxdepth 1 -name "*.ovpn" -delete
 		rm -rf /etc/openvpn
 		rm -rf /usr/share/doc/openvpn*
-		rm -f /etc/sysctl.d/20-openvpn.conf
+		rm -f /etc/sysctl.d/99-openvpn.conf
 		rm -rf /var/log/openvpn

 		# Unbound
@ -1242,7 +1337,6 @@ function removeOpenVPN () {
 }

 function manageMenu() {
-	clear
 	echo "Welcome to OpenVPN-install!"
 	echo "The git repository is available at: https://github.com/angristan/openvpn-install"
 	echo ""
@ -1253,7 +1347,7 @@ function manageMenu () {
 	echo "   2) Revoke existing user"
 	echo "   3) Remove OpenVPN"
 	echo "   4) Exit"
-	until [[ "$MENU_OPTION" =~ ^[1-4]$ ]]; do
+	until [[ $MENU_OPTION =~ ^[1-4]$ ]]; do
 		read -rp "Select an option [1-4]: " MENU_OPTION
 	done

@ -1277,7 +1371,7 @@ function manageMenu () {
 initialCheck

 # Check if OpenVPN is already installed
-if [[ -e /etc/openvpn/server.conf ]]; then
+if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then
 	manageMenu
 else
 	installOpenVPN
				`@ -0,0 +1 @@`
				`{ "MD013": null, "MD045": null, "MD040": null, "MD036": null }`