From a7e54a47ce74c598fceea0bbd9b95c5ed1f8a70e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Aug 2022 03:00:54 +0000 Subject: [PATCH 01/38] build(deps): bump appleboy/ssh-action from 0.1.4 to 0.1.5 Bumps [appleboy/ssh-action](https://github.com/appleboy/ssh-action) from 0.1.4 to 0.1.5. - [Release notes](https://github.com/appleboy/ssh-action/releases) - [Commits](https://github.com/appleboy/ssh-action/compare/v0.1.4...v0.1.5) --- updated-dependencies: - dependency-name: appleboy/ssh-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a0b796e8..bd28f79b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -50,7 +50,7 @@ jobs: - name: Setup remote server (Debian/Ubuntu) if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu' - uses: appleboy/ssh-action@v0.1.4 + uses: appleboy/ssh-action@v0.1.5 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -59,7 +59,7 @@ jobs: - name: Setup remote server (Fedora) if: steps.server_os.outputs.value == 'fedora' - uses: appleboy/ssh-action@v0.1.4 + uses: appleboy/ssh-action@v0.1.5 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -68,7 +68,7 @@ jobs: - name: Setup remote server (CentOS) if: steps.server_os.outputs.value == 'centos' - uses: appleboy/ssh-action@v0.1.4 + uses: appleboy/ssh-action@v0.1.5 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -76,7 +76,7 @@ jobs: script: set -x && yum install -y git - name: Download repo and checkout current commit - uses: appleboy/ssh-action@v0.1.4 + uses: appleboy/ssh-action@v0.1.5 with: host: ${{ steps.server_ip.outputs.value }} username: root 
@@ -84,7 +84,7 @@ jobs: script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} - name: Run openvpn-install.sh in headless mode - uses: appleboy/ssh-action@v0.1.4 + uses: appleboy/ssh-action@v0.1.5 with: host: ${{ steps.server_ip.outputs.value }} username: root From 83111c58e787313ebc3a1e85b782aa6c2286abba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Nov 2022 03:00:50 +0000 Subject: [PATCH 02/38] build(deps): bump actions/checkout from 3.0.2 to 3.1.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.2 to 3.1.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.0.2...v3.1.0) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/lint.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index ea697590..b53d67fc 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v3.0.2 + uses: actions/checkout@v3.1.0 - name: Lint Code Base uses: github/super-linter@v4.1.0 env: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index bd28f79b..22af6881 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -20,7 +20,7 @@ jobs: - centos-7-x64 - centos-stream-8-x64 steps: - - uses: actions/checkout@v3.0.2 + - uses: actions/checkout@v3.1.0 - name: Setup doctl uses: digitalocean/action-doctl@v2 
From 0de56f8f335c74ad7de99c6165d1a8bc1d2e3149 Mon Sep 17 00:00:00 2001 From: Padraig Doran Date: Mon, 21 Nov 2022 18:12:46 +0000 Subject: [PATCH 03/38] Use --genkey secret filename instead (#1059) Fix for: WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead. https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--secret Status Removed Deprecated in: OpenVPN v2.4 Removed in: OpenVPN v2.5 Affects: --genkey Result if used: User Warning printed Replaced by: secret (No leading double dash) Examples: Use --genkey secret filename Notes: --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 64d8ed09..c9059762 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -742,11 +742,11 @@ function installOpenVPN() { case $TLS_SIG in 1) # Generate tls-crypt key - openvpn --genkey --secret /etc/openvpn/tls-crypt.key + openvpn --genkey secret /etc/openvpn/tls-crypt.key ;; 2) # Generate tls-auth key - openvpn --genkey --secret /etc/openvpn/tls-auth.key + openvpn --genkey secret /etc/openvpn/tls-auth.key ;; esac else From d3751457ab6fb4e012764ed2d47ab9ab279f9675 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 21 Nov 2022 19:15:22 +0100 Subject: [PATCH 04/38] Remove Debian 9 in e2e tests as it has been removed by DO --- .github/workflows/test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 22af6881..d030f081 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,7 +11,6 @@ jobs: strategy: matrix: os-image: - - debian-9-x64 - debian-10-x64 - debian-11-x64 - ubuntu-18-04-x64 From 86a6d2d3e7715fac982657826202518d29e8af95 Mon Sep 17 00:00:00 2001 
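Review bot: The exit status of the rewritten `openvpn --genkey secret …` calls is not checked, and the new spelling is the OpenVPN 2.5+ form: a 2.4 binary rejects a bare `secret` argument, so on such a host the script carries on with no tls-crypt or tls-auth key having been produced. Fail closed, `openvpn --genkey secret /etc/openvpn/tls-crypt.key || exit 1` (and the same for the tls-auth branch), or pick the spelling from `openvpn --version` so both generations keep working. Which OpenVPN versions the supported distributions ship is not visible here; the next commit on this page reverts to the 2.4 spelling instead. installOpenVPN continues outside the hunk.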
From: Stanislas Lange Date: Mon, 21 Nov 2022 19:33:24 +0100 Subject: [PATCH 05/38] Revert "Use --genkey secret filename instead (#1059)" This reverts commit 0de56f8f335c74ad7de99c6165d1a8bc1d2e3149. --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c9059762..64d8ed09 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -742,11 +742,11 @@ function installOpenVPN() { case $TLS_SIG in 1) # Generate tls-crypt key - openvpn --genkey secret /etc/openvpn/tls-crypt.key + openvpn --genkey --secret /etc/openvpn/tls-crypt.key ;; 2) # Generate tls-auth key - openvpn --genkey secret /etc/openvpn/tls-auth.key + openvpn --genkey --secret /etc/openvpn/tls-auth.key ;; esac else From d629791a95e308171ec003424fc7c197bb9b1e0c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Jan 2023 14:05:14 +0100 Subject: [PATCH 06/38] build(deps): bump actions/checkout from 3.1.0 to 3.2.0 (#1075) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.1.0...v3.2.0) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index b53d67fc..7301cdf0 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
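Review bot: Reverting restores the deprecated `--genkey --secret` spelling, which OpenVPN 2.5 still accepts but flags with the deprecation warning quoted in the reverted commit, so every install on a current distribution prints it again and the call still has no exit-status check. Selecting the spelling from the installed version keeps both old and new OpenVPN working and lets the step fail closed; the rewrite below shows the tls-crypt branch, the tls-auth branch follows the same pattern. installOpenVPN continues outside the hunk.
```shell
	1)
		# tls-crypt key: "--genkey secret" is the 2.5+ spelling, "--genkey --secret" the 2.4 one
		if openvpn --version | head -n 1 | grep -qE 'OpenVPN (2\.[5-9]|2\.[1-9][0-9]|[3-9])'; then
			openvpn --genkey secret /etc/openvpn/tls-crypt.key || exit 1
		else
			openvpn --genkey --secret /etc/openvpn/tls-crypt.key || exit 1
		fi
		;;
	# … unchanged: tls-auth branch, same version test with tls-auth.key …
```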
@@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v3.1.0 + uses: actions/checkout@v3.2.0 - name: Lint Code Base uses: github/super-linter@v4.1.0 env: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d030f081..a869a1c6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -19,7 +19,7 @@ jobs: - centos-7-x64 - centos-stream-8-x64 steps: - - uses: actions/checkout@v3.1.0 + - uses: actions/checkout@v3.2.0 - name: Setup doctl uses: digitalocean/action-doctl@v2 From 638b51168a9726be3d72253abcd18a0ed3cd6878 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Jan 2023 14:05:27 +0100 Subject: [PATCH 07/38] build(deps): bump appleboy/ssh-action from 0.1.5 to 0.1.6 (#1074) Bumps [appleboy/ssh-action](https://github.com/appleboy/ssh-action) from 0.1.5 to 0.1.6. - [Release notes](https://github.com/appleboy/ssh-action/releases) - [Commits](https://github.com/appleboy/ssh-action/compare/v0.1.5...v0.1.6) --- updated-dependencies: - dependency-name: appleboy/ssh-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/test.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a869a1c6..af955720 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -49,7 +49,7 @@ jobs: - name: Setup remote server (Debian/Ubuntu) if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu' - uses: appleboy/ssh-action@v0.1.5 + uses: appleboy/ssh-action@v0.1.6 with: host: ${{ steps.server_ip.outputs.value }} username: root 
@@ -58,7 +58,7 @@ jobs: - name: Setup remote server (Fedora) if: steps.server_os.outputs.value == 'fedora' - uses: appleboy/ssh-action@v0.1.5 + uses: appleboy/ssh-action@v0.1.6 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -67,7 +67,7 @@ jobs: - name: Setup remote server (CentOS) if: steps.server_os.outputs.value == 'centos' - uses: appleboy/ssh-action@v0.1.5 + uses: appleboy/ssh-action@v0.1.6 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -75,7 +75,7 @@ jobs: script: set -x && yum install -y git - name: Download repo and checkout current commit - uses: appleboy/ssh-action@v0.1.5 + uses: appleboy/ssh-action@v0.1.6 with: host: ${{ steps.server_ip.outputs.value }} username: root @@ -83,7 +83,7 @@ jobs: script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} - name: Run openvpn-install.sh in headless mode - uses: appleboy/ssh-action@v0.1.5 + uses: appleboy/ssh-action@v0.1.6 with: host: ${{ steps.server_ip.outputs.value }} username: root From 8e427ee9c2ec47487fe12d0f11a2ff8ef0264c6f Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 3 Jan 2023 14:06:19 +0100 Subject: [PATCH 08/38] Delete .github/ISSUE_TEMPLATE directory --- .github/ISSUE_TEMPLATE/bug.yml | 74 ----------------------- .github/ISSUE_TEMPLATE/feature-request.md | 21 ------- 2 files changed, 95 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug.yml delete mode 100644 .github/ISSUE_TEMPLATE/feature-request.md diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml deleted file mode 100644 index 0eacdc94..00000000 --- a/.github/ISSUE_TEMPLATE/bug.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -name: Bug Report -description: File a bug report -title: "[Bug]: " -body: - - type: markdown - attributes: - value: | - Thanks for taking the time to fill out this bug report! - - **PLEASE** prioritise these communities before opening an issue. - - https://forums.openvpn.net - - https://stackoverflow.com/questions/tagged/openvpn - - https://github.com/angristan/openvpn-install/discussions - - ⚠️ **ANY ISSUE THAT IS NOT CLEARLY A BUG REPORT WILL BE CLOSED AND/OR CONVERTED TO A DISCUSSION.** - - - type: checkboxes - id: pre - attributes: - label: Make sure your check these beforehand! - description: Search before opening an issue. - options: - - label: Issues - https://github.com/angristan/openvpn-install/issues - required: true - - label: README and FAQ - https://github.com/angristan/openvpn-install - required: true - - label: Wiki - https://github.com/angristan/openvpn-install/wiki - required: true - - label: Discussions - https://github.com/angristan/openvpn-install/discussions - required: true - - - type: input - id: server - attributes: - label: Server OS - description: What OS is the OpenVPN server running on? - placeholder: Debian 10 - validations: - required: false - - - type: input - id: openvpn - attributes: - label: OpenVPN version - description: What OpenVPN version is running on your server? - placeholder: 2.5.0 - validations: - required: false - - - type: input - id: client - attributes: - label: Client - description: What OS and client are you using? Please specify the versions. - placeholder: Viscosity 1.10.1 on macOS 12.1 - validations: - required: false - - - type: textarea - id: issue - attributes: - label: What is the bug? - description: Also tell us, what did you expect to happen? - placeholder: Tell us what you see! - value: "A bug happened!" - validations: - required: true - - - type: textarea - id: logs - attributes: - label: Relevant log output - description: Please copy and paste any relevant log output. 
This will be automatically formatted into code, so no need for backticks. - render: shell diff --git a/.github/ISSUE_TEMPLATE/feature-request.md b/.github/ISSUE_TEMPLATE/feature-request.md deleted file mode 100644 index dcc367dc..00000000 --- a/.github/ISSUE_TEMPLATE/feature-request.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project -title: "" -labels: "" -assignees: "" ---- - -**Checklist** - -- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) -- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) -- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) -- [ ] My issue is about the script, and not OpenVPN itself - - From 039ebaafe1ab862b9a362df3456b57d25cac961e Mon Sep 17 00:00:00 2001 From: xumia <59720581+xumia@users.noreply.github.com> Date: Tue, 3 Jan 2023 21:06:59 +0800 Subject: [PATCH 09/38] Fix the wrong client config when the certificate contains END string (#1067) --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 64d8ed09..4bdc5876 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1125,7 +1125,7 @@ function newClient() { echo "" echo "" - awk '/BEGIN/,/END/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt" + awk '/BEGIN/,/END CERTIFICATE/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt" echo "" echo "" From 9b5361d32d3677ee8c4c6ad1bcf0991b92772010 Mon Sep 17 00:00:00 2001 From: Christian Ramelow Date: Tue, 3 Jan 2023 14:09:37 +0100 Subject: [PATCH 10/38] Adds the `--no-same-owner` flag to tar command (#1070) Close #1069 --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4bdc5876..090c7a0b 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
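Review bot: The start pattern `/BEGIN/` is still unanchored, so any line above the PEM block that contains the word BEGIN (a subject or issuer attribute, if easy-rsa writes a text dump into `issued/*.crt` as the fixed bug suggests) starts the extraction too early, and a subject containing `END CERTIFICATE` would end it early in the same way. Anchor both ends to the PEM armour: `awk '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt"`. What precedes the PEM block in that file is inferred, not visible here. newClient starts and ends outside the hunk.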
@@ -705,7 +705,7 @@ function installOpenVPN() { local version="3.0.7" wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz mkdir -p /etc/openvpn/easy-rsa - tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa + tar xzf ~/easy-rsa.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/easy-rsa rm -f ~/easy-rsa.tgz cd /etc/openvpn/easy-rsa/ || return From 4ee44c8e468a9a7c7e6ea7fb9f0bb839e74bb73c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20St=C3=A1rek?= Date: Fri, 6 Jan 2023 21:33:54 +0100 Subject: [PATCH 11/38] Use DNS fallback to ifconfig.co (#1066) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jan Stárek --- openvpn-install.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 090c7a0b..434b7072 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -627,9 +627,13 @@ function installOpenVPN() { # Behind NAT, we'll default to the publicly reachable IPv4/IPv6. if [[ $IPV6_SUPPORT == "y" ]]; then - PUBLIC_IP=$(curl --retry 5 --retry-connrefused https://ifconfig.co) + if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://ifconfig.co) ; then + PUBLIC_IP=$(dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') + fi else - PUBLIC_IP=$(curl --retry 5 --retry-connrefused -4 https://ifconfig.co) + if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://ifconfig.co) ; then + PUBLIC_IP=$(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') + fi fi ENDPOINT=${ENDPOINT:-$PUBLIC_IP} fi From 2a57e89489974e9ace314283248a918aed8d2dd4 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Fri, 6 Jan 2023 21:39:02 +0100 Subject: [PATCH 12/38] Public IP detection: change provider Close #1076 #924 #1039 #925 --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
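Review bot: The tarball extracted here is fetched two lines up with `wget` over HTTPS but never integrity-checked, and wget's exit status is not tested either, so a failed or tampered download is unpacked as the PKI tooling that will mint every certificate for this server. Pin the release digest and fail closed before the tar call: `echo "<sha256 of EasyRSA-${version}.tgz>  $HOME/easy-rsa.tgz" | sha256sum -c - || exit 1`, taking the digest from the upstream release page (not visible here). `--no-same-owner` itself is right for an extract run as root, since tar would otherwise apply the archive's uid/gid to files under /etc/openvpn. installOpenVPN continues outside the hunk.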
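Review bot: The value that ends up in PUBLIC_IP becomes the client endpoint on the last line of the hunk without any validation, yet neither the HTTPS lookup nor the plain, unauthenticated DNS fallback is checked to have returned a single address: `curl -f` still prints whatever body comes with a 2xx, `dig +short` can print more than one record or nothing, and a missing `dig` binary leaves PUBLIC_IP empty. Validate the shape before it is used, e.g. `[[ $PUBLIC_IP =~ ^[0-9a-fA-F.:]+$ ]] || { echo "Could not determine the public IP, set ENDPOINT manually"; exit 1; }`, and give curl a `--max-time` so a hung lookup does not stall an unattended install. Whether the script installs `dig` (bind-utils / dnsutils) on every target is not visible here. installOpenVPN continues outside the hunk.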
diff --git a/openvpn-install.sh b/openvpn-install.sh index 434b7072..7c6f741a 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -627,11 +627,11 @@ function installOpenVPN() { # Behind NAT, we'll default to the publicly reachable IPv4/IPv6. if [[ $IPV6_SUPPORT == "y" ]]; then - if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://ifconfig.co) ; then + if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://ip.seeip.org); then PUBLIC_IP=$(dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') fi else - if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://ifconfig.co) ; then + if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://ip.seeip.org); then PUBLIC_IP=$(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') fi fi From 38d3bf9afa0733245a6b2eb7e149aaed54cddc67 Mon Sep 17 00:00:00 2001 From: s7r Date: Wed, 18 Jan 2023 22:05:09 +0000 Subject: [PATCH 13/38] Update FAQ with IPv6 prefix policies for ULA addresses (#1083) * Update FAQ with IPv6 prefix policies for ULA addresses Most operating systems will prefer IPv4 rather than IPv6 ULA, which defeats the purpose of redirect-gateway ipv6. It's nothing the script can do to automate this. --- FAQ.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/FAQ.md b/FAQ.md index 825a9ba6..5acd78b7 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -151,3 +151,25 @@ route 10.0.0.0 255.0.0.0 ``` So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet. + +--- + +**Q:** I have enabled IPv6 and my VPN client gets an IPv6 address. Why do I reach the websites or other dual-stacked destionations via IPv4 only? + +**A:** This is because inside the tunnel you don't get a publicly routable IPv6 address, instead you get an ULA (Unlique Local Lan) address. Operating systems don't prefer this all the time. You can fix this in your operating system policies as it's unrelated to the VPN itself: + +Windows (commands needs to run cmd.exe as Administrator): + +``` +netsh interface ipv6 add prefixpolicy fd00::/8 3 1 +``` + +Linux: + +edit `/etc/gai.conf` and uncomment the following line and also change its value to `1`: + +``` +label fc00::/7 1 +``` + +This will not work properly unless you add you your VPN server `server.conf` one or two lines to push at least 1 (one) IPv6 DNS server. Most providers have IPv6 servers as well, add two more lines of `push "dhcp-option DNS "` From 48f8c16d3a95a980329cf41b33f8f9e1605f8839 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:00:23 +0100 Subject: [PATCH 14/38] Add issue and PR templates --- .github/issue_template.md | 10 ++++++++++ .github/pull_request_template.md | 8 ++++++++ 2 files changed, 18 insertions(+) create mode 100644 .github/issue_template.md create mode 100644 .github/pull_request_template.md diff --git a/.github/issue_template.md b/.github/issue_template.md new file mode 100644 index 00000000..4d38a8db --- /dev/null +++ b/.github/issue_template.md @@ -0,0 +1,10 @@ + diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..d26ab9b6 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,8 @@ + From 2d0eca1a1d16e796be1b8338bc52f768b5b0a305 Mon Sep 17 00:00:00 2001 
From: Stanislas Lange Date: Sat, 21 Jan 2023 23:06:44 +0100 Subject: [PATCH 15/38] Update issue/PR template + contributing guidelines --- .github/issue_template.md | 13 ++++++------- .github/pull_request_template.md | 11 +++++------ README.md | 4 ++++ 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/issue_template.md b/.github/issue_template.md index 4d38a8db..adfdb1ae 100644 --- a/.github/issue_template.md +++ b/.github/issue_template.md @@ -1,10 +1,9 @@ diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index d26ab9b6..43bed858 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,8 +1,7 @@ diff --git a/README.md b/README.md index 4e81f281..9fa1c18a 100644 --- a/README.md +++ b/README.md @@ -192,6 +192,10 @@ Solutions that provision a ready to use OpenVPN server based on this script in o ## Contributing +## Discuss changes + +Please open an issue before submitting a PR if you want to discuss a change, especially if it's a big one. + ### Code formatting We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml). From 580c617d9844fbba82eb0f3fb92bfe5289781102 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:18:52 +0100 Subject: [PATCH 16/38] Update issue template --- .github/issue_template.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/issue_template.md b/.github/issue_template.md index adfdb1ae..2166d424 100644 --- a/.github/issue_template.md +++ b/.github/issue_template.md 
@@ -5,5 +5,6 @@ 💡 It helps keep the issue tracker clean and focused on bugs and feature requests. 🙏 Please include as much information as possible, and make sure you're running the latest version of the script. +✍️ Please state the Linux distribution you're using and its version, as well as the OpenVPN version. ✋ For feature requests, remember that this script is meant to be simple and easy to use. If you want to add a lot of options, it's better to fork the project. ---> From 64cbbce0b7fd6c324c0d08c32ee961b9e8246f07 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:40:01 +0100 Subject: [PATCH 17/38] Add OpenVPN 2.5 notice to README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 9fa1c18a..7dbba891 100644 --- a/README.md +++ b/README.md @@ -202,6 +202,9 @@ We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https:// ## Security and Encryption +> **Warning** +> This has not been updated for OpenVPN 2.5 and later. + OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that. OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, ECDH, AES GCM, NCP and tls-crypt. From 0ac1bf4f51716516d2817998fbbda005c616a09d Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 21 Jan 2023 23:41:03 +0100 Subject: [PATCH 18/38] Format markdown table in readme --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 7dbba891..f38c0d3a 100644 --- a/README.md +++ b/README.md 
@@ -118,17 +118,17 @@ The script supports these OS and architectures: | | i386 | amd64 | armhf | arm64 | | --------------- | ---- | ----- | ----- | ----- | -| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | -| Arch Linux | ❔ | ✅ | ❔ | ✅ | -| CentOS 7 | ✅ | ✅ | ✅ | ✅ | -| CentOS 8 | ❌ | ✅ | ❌ | ✅ | -| Debian >= 9 | ✅ | ✅ | ✅ | ✅ | -| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ | -| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ | -| Rocky Linux 8 | ❔ | ✅ | ❔ | ❔ | -| AlmaLinux 8 | ❌ | ✅ | ❌ | ❔ | +| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | +| Arch Linux | ❔ | ✅ | ❔ | ✅ | +| CentOS 7 | ✅ | ✅ | ✅ | ✅ | +| CentOS 8 | ❌ | ✅ | ❌ | ✅ | +| Debian >= 9 | ✅ | ✅ | ✅ | ✅ | +| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | +| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | +| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ | +| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ | +| Rocky Linux 8 | ❔ | ✅ | ❔ | ❔ | +| AlmaLinux 8 | ❌ | ✅ | ❌ | ❔ | To be noted: From ca8d58d5f0090a8c43a2e1a3b6577263843ef88a Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 00:06:05 +0100 Subject: [PATCH 19/38] Fix checkout in test workflow --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index af955720..b9b77472 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -80,7 +80,7 @@ jobs: host: ${{ steps.server_ip.outputs.value }} username: root key: ${{ secrets.SSH_KEY }} - script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }} + script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.sha }} - name: Run openvpn-install.sh in headless mode uses: appleboy/ssh-action@v0.1.6 From 2f76bb5e40f6f41a5bb2928379499b74da93f653 Mon Sep 17 00:00:00 2001 
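Review bot: `${{ github.sha }}` is expanded into the `script:` string before it reaches the remote root shell; a commit SHA is harmless today, but interpolating workflow expressions into a command is the pattern that turns into command injection the moment someone substitutes a ref name or PR title. Pass it through the environment instead: `envs: GITHUB_SHA` on the step and `git checkout "$GITHUB_SHA"` in the script. The step also clones `angristan/openvpn-install.git` by fixed URL rather than `${{ github.repository }}`, so a fork running this workflow would test upstream's tree, not its own — hedged, since the trigger and the rest of the job are outside this hunk.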
From: Stanislas Lange Date: Sun, 22 Jan 2023 00:06:51 +0100 Subject: [PATCH 20/38] Update easy-rsa to 3.1.2 and fix compatibility with Ubuntu 22.04 Based on this patch by @zerodivisi0n: https://github.com/angristan/openvpn-install/issues/1000#issuecomment-1283484772 --- .github/workflows/test.yml | 1 + openvpn-install.sh | 12 +++++------- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b9b77472..4270574f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,6 +15,7 @@ jobs: - debian-11-x64 - ubuntu-18-04-x64 - ubuntu-20-04-x64 + - ubuntu-22-04-x64 - fedora-35-x64 - centos-7-x64 - centos-stream-8-x64 diff --git a/openvpn-install.sh b/openvpn-install.sh index 7c6f741a..6bb39c59 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -706,7 +706,7 @@ function installOpenVPN() { # Install the latest version of easy-rsa from source, if not already installed. if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then - local version="3.0.7" + local version="3.1.2" wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz mkdir -p /etc/openvpn/easy-rsa tar xzf ~/easy-rsa.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/easy-rsa 
@@ -729,18 +729,16 @@ function installOpenVPN() { SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" echo "$SERVER_NAME" >SERVER_NAME_GENERATED - echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars - # Create the PKI, set up the CA, the DH params and the server certificate ./easyrsa init-pki - ./easyrsa --batch build-ca nopass + ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass if [[ $DH_TYPE == "2" ]]; then # ECDH keys are generated on-the-fly so we don't need to generate them beforehand openssl dhparam -out dh.pem $DH_KEY_SIZE fi - ./easyrsa build-server-full "$SERVER_NAME" nopass + ./easyrsa --batch build-server-full "$SERVER_NAME" nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl case $TLS_SIG in @@ -1087,11 +1085,11 @@ function newClient() { cd /etc/openvpn/easy-rsa/ || return case $PASS in 1) - ./easyrsa build-client-full "$CLIENT" nopass + ./easyrsa --batch build-client-full "$CLIENT" nopass ;; 2) echo "⚠️ You will be asked for the client password below ⚠️" - ./easyrsa build-client-full "$CLIENT" + ./easyrsa --batch build-client-full "$CLIENT" ;; esac echo "Client $CLIENT added." From d2556ff235e9daa5fa10245050c4432f03a0258f Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 00:57:26 +0100 Subject: [PATCH 21/38] Add support for CentOS 9 + update supported distributions --- .github/workflows/test.yml | 4 ++++ README.md | 35 ++++++++++++++++++----------------- openvpn-install.sh | 2 +- 3 files changed, 23 insertions(+), 18 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4270574f..4473eed3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
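Review bot: In the `2)` branch of newClient the added `--batch` needs checking against easy-rsa 3.1.2 for a key built without `nopass`: batch mode suppresses easy-rsa's interactive confirmations, and if it also suppresses the passphrase prompt the branch silently emits an unencrypted client key despite the warning printed just above it — something to verify on the target version, not established by this hunk. Independently of that, none of the `build-ca`, `build-server-full` or `build-client-full` calls has its exit status checked, so a failed PKI step is followed by `gen-crl` and the client export as if it had succeeded (unless the script runs under `set -e`, which is not visible here); `./easyrsa --batch build-client-full "$CLIENT" nopass || exit 1` and the same suffix on the other calls fail closed. Both hunks begin and end inside installOpenVPN and newClient respectively.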
@@ -17,8 +17,12 @@ jobs: - ubuntu-20-04-x64 - ubuntu-22-04-x64 - fedora-35-x64 + # - fedora-36-x64 + # - fedora-37-x64 + # dnf is broken: https://ask.fedoraproject.org/t/dnf-operations-use-large-amount-of-ram-and-may-fail-in-low-memory-environments/26427 - centos-7-x64 - centos-stream-8-x64 + - centos-stream-9-x64 steps: - uses: actions/checkout@v3.2.0 diff --git a/README.md b/README.md index f38c0d3a..393b702f 100644 --- a/README.md +++ b/README.md @@ -114,27 +114,28 @@ export PASS="1" ## Compatibility -The script supports these OS and architectures: - -| | i386 | amd64 | armhf | arm64 | -| --------------- | ---- | ----- | ----- | ----- | -| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | -| Arch Linux | ❔ | ✅ | ❔ | ✅ | -| CentOS 7 | ✅ | ✅ | ✅ | ✅ | -| CentOS 8 | ❌ | ✅ | ❌ | ✅ | -| Debian >= 9 | ✅ | ✅ | ✅ | ✅ | -| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ | -| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ | -| Rocky Linux 8 | ❔ | ✅ | ❔ | ❔ | -| AlmaLinux 8 | ❌ | ✅ | ❌ | ❔ | +The script supports these Linux distributions: + +| | Support | +| ------------------ | ------- | +| AlmaLinux 8 | ✅ | +| Amazon Linux 2 | ✅ | +| Arch Linux | ✅ | +| CentOS 7 | ✅ 🤖 | +| CentOS Stream >= 8 | ✅ 🤖 | +| Debian >= 10 | ✅ 🤖 | +| Fedora >= 35 | ✅ 🤖 | +| Oracle Linux 8 | ✅ | +| Rocky Linux 8 | ✅ | +| Ubuntu >= 18.04 | ✅ 🤖 | To be noted: -- It should work on Debian 8+ and Ubuntu 16.04+. But versions not in the table above are not officially supported. +- The script is regularly tested against the distributions marked with a 🤖 only. + - It's only test on `amd64` architecture. +- It should work on older versions such as Debian 8+, Ubuntu 16.04+ and previous Fedora releases. But versions not in the table above are not officially supported. + - It should also support versions between the LTS versions, but these are not tested. - The script requires `systemd`. -- The script is regularly tested against `amd64` only. ## Fork 
diff --git a/openvpn-install.sh b/openvpn-install.sh index 6bb39c59..c47e08f7 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -57,7 +57,7 @@ function checkOS() { fi if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then OS="centos" - if [[ ! $VERSION_ID =~ (7|8) ]]; then + if [[ $VERSION_ID -lt 7 ]]; then echo "⚠️ Your version of CentOS is not supported." echo "" echo "The script only support CentOS 7 and CentOS 8." From 33fe6af1315cf1f5a43397bf65341e683deac463 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 01:55:06 +0100 Subject: [PATCH 22/38] Update cloud providers --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 393b702f..b856e958 100644 --- a/README.md +++ b/README.md @@ -151,10 +151,9 @@ More Q&A in [FAQ.md](FAQ.md). **A:** I recommend these: -- [Vultr](https://www.vultr.com/?ref=8537055-6G): Worldwide locations, IPv6 support, starting at \$3.50/month -- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month -- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month -- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month +- [Vultr](https://www.vultr.com/?ref=8948982-8H): Worldwide locations, IPv6 support, starting at \$5/month +- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, Finland and USA. IPv6, 20 TB of traffic, starting at 4.5€/month +- [Digital Ocean](https://m.do.co/c/ed0ba143fe53): Worldwide locations, IPv6 support, starting at \$4/month --- From d096f7a3a24063cade1c9b0c0a4cb4d0e1aea457 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 16:42:48 +0100 Subject: [PATCH 23/38] Add star history --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index b856e958..d3e30372 100644 --- a/README.md +++ b/README.md 
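Review bot: `[[ $VERSION_ID -lt 7 ]]` applies an arithmetic comparison to the raw VERSION_ID, and Rocky Linux and AlmaLinux report dotted values such as `8.7`, which bash rejects inside `[[ ]]` as an arithmetic syntax error instead of evaluating, so the branch the commit adds them to fails before any message is printed. Strip the minor version first, `[[ ${VERSION_ID%%.*} -lt 7 ]]`, and reject a non-numeric major before comparing. The error text two lines below, `The script only support CentOS 7 and CentOS 8.`, is also now wrong since the check accepts Stream 9; `The script only supports CentOS, Rocky Linux and AlmaLinux 7 and later.` matches the new condition. checkOS continues outside the hunk.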
@@ -353,3 +353,7 @@ You can [say thanks](https://saythanks.io/to/angristan) if you want! Many thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and Nyr's original work. This project is under the [MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install/master/LICENSE) + +## Star History + +[![Star History Chart](https://api.star-history.com/svg?repos=angristan/openvpn-install&type=Date)](https://star-history.com/#angristan/openvpn-install&Date) From 80feebed16b3baa5979f764ee3272443f2fe08e6 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 22 Jan 2023 16:43:13 +0100 Subject: [PATCH 24/38] Remove visitors badge --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index d3e30372..fba65c8d 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,6 @@ ![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg) ![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg) -![visitors](https://visitor-badge.glitch.me/badge?page_id=angristan.openvpn-install) [![Say Thanks!](https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg)](https://saythanks.io/to/angristan) OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Arch Linux, Oracle Linux, Rocky Linux and AlmaLinux. From 1a249c621d63aa16f95b59673df8ae5c64d3c002 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 20 Nov 2023 21:14:04 +0100 Subject: [PATCH 25/38] ci: test workflow server images update (#1183) * test ci * remove ubuntu 18.04 * remove fedora 35 and add 37 38 * disable centos stream 9, add debian 12 --- .github/workflows/test.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4473eed3..71ea00a5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,6 +2,7 @@ on: push: branches: - master + - ci name: Test jobs: 
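Review bot: The added `- ci` entry under `push.branches` turns what the commit message describes as a test run ("test ci") into a permanent trigger, so every push to a branch named `ci` now runs the end-to-end job. If the intent is to exercise the workflow on demand, a `workflow_dispatch:` trigger expresses that without a long-lived branch name; otherwise a comment such as `- ci # scratch branch used to exercise this workflow` records why it stays in the list.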
@@ -13,16 +14,14 @@ jobs: os-image: - debian-10-x64 - debian-11-x64 - - ubuntu-18-04-x64 + - debian-12-x64 - ubuntu-20-04-x64 - ubuntu-22-04-x64 - - fedora-35-x64 - # - fedora-36-x64 - # - fedora-37-x64 - # dnf is broken: https://ask.fedoraproject.org/t/dnf-operations-use-large-amount-of-ram-and-may-fail-in-low-memory-environments/26427 + - fedora-37-x64 + - fedora-38-x64 - centos-7-x64 - centos-stream-8-x64 - - centos-stream-9-x64 + # - centos-stream-9-x64 # yum oomkill steps: - uses: actions/checkout@v3.2.0 From 651e36c6cb0359ab7f4e699e2c71d3917acba69c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Salbe=C3=AF?= Date: Mon, 20 Nov 2023 21:19:13 +0100 Subject: [PATCH 26/38] Fix syntax error on Rocky Linux version check (#1182) Co-authored-by: David Salbei --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c47e08f7..06ad608a 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -57,7 +57,7 @@ function checkOS() { fi if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then OS="centos" - if [[ $VERSION_ID -lt 7 ]]; then + if [[ ${VERSION_ID%.*} -lt 7 ]]; then echo "⚠️ Your version of CentOS is not supported." echo "" echo "The script only support CentOS 7 and CentOS 8." From 5a4b31bd0d711da5df5febc944167b3cdb0a28bf Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 20 Nov 2023 21:21:51 +0100 Subject: [PATCH 27/38] Fix typo in README --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index fba65c8d..dd83d6a7 100644 --- a/README.md +++ b/README.md 
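Review bot: `${VERSION_ID%.*}` removes only the last dot-separated component, which is enough for a value like `8.7` but leaves a non-integer behind if a VERSION_ID ever carries two dots; `${VERSION_ID%%.*}` keeps only the major number in every case and costs nothing, so `if [[ ${VERSION_ID%%.*} -lt 7 ]]; then` is the safer spelling. The unchanged line `echo "The script only support CentOS 7 and CentOS 8."` still describes the old `(7|8)` match rather than the "7 or newer" rule this check now enforces and is worth updating in the same commit. checkOS begins and ends outside the hunk.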
@@ -117,21 +117,21 @@ The script supports these Linux distributions: | | Support | | ------------------ | ------- | -| AlmaLinux 8 | ✅ | -| Amazon Linux 2 | ✅ | -| Arch Linux | ✅ | -| CentOS 7 | ✅ 🤖 | -| CentOS Stream >= 8 | ✅ 🤖 | -| Debian >= 10 | ✅ 🤖 | -| Fedora >= 35 | ✅ 🤖 | -| Oracle Linux 8 | ✅ | -| Rocky Linux 8 | ✅ | -| Ubuntu >= 18.04 | ✅ 🤖 | +| AlmaLinux 8 | ✅ | +| Amazon Linux 2 | ✅ | +| Arch Linux | ✅ | +| CentOS 7 | ✅ 🤖 | +| CentOS Stream >= 8 | ✅ 🤖 | +| Debian >= 10 | ✅ 🤖 | +| Fedora >= 35 | ✅ 🤖 | +| Oracle Linux 8 | ✅ | +| Rocky Linux 8 | ✅ | +| Ubuntu >= 18.04 | ✅ 🤖 | To be noted: - The script is regularly tested against the distributions marked with a 🤖 only. - - It's only test on `amd64` architecture. + - It's only tested on `amd64` architecture. - It should work on older versions such as Debian 8+, Ubuntu 16.04+ and previous Fedora releases. But versions not in the table above are not officially supported. - It should also support versions between the LTS versions, but these are not tested. - The script requires `systemd`. From 6a127fa2b633508528ed21ed754f8c1dcb973d71 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Thu, 16 May 2024 20:02:01 +0200 Subject: [PATCH 28/38] Enable manual trigger of actions --- .github/workflows/lint.yml | 2 +- .github/workflows/test.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 7301cdf0..3b75f34c 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,4 +1,4 @@ -on: [push, pull_request] +on: [push, pull_request, workflow_dispatch] name: Lint diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 71ea00a5..07f0a125 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -3,6 +3,7 @@ on: branches: - master - ci + workflow_dispatch: name: Test jobs: From 305e9868cfc608ff547aed2a022d927df0c12d8e Mon Sep 17 00:00:00 2001 
From: Stanislas Lange Date: Thu, 16 May 2024 20:08:12 +0200 Subject: [PATCH 29/38] CI: update linux distributions used in end-to-end tests --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 07f0a125..d014be96 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -18,8 +18,8 @@ jobs: - debian-12-x64 - ubuntu-20-04-x64 - ubuntu-22-04-x64 - - fedora-37-x64 - - fedora-38-x64 + - ubuntu-24-04-x64 + - fedora-39-x64 - centos-7-x64 - centos-stream-8-x64 # - centos-stream-9-x64 # yum oomkill From a2725d61a35eb97405af0df0ecfcb45dca372326 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Thu, 16 May 2024 20:13:47 +0200 Subject: [PATCH 30/38] CI: update actions/checkout to v4 --- .github/workflows/lint.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 3b75f34c..d1c6650d 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v3.2.0 + uses: actions/checkout@v4 - name: Lint Code Base uses: github/super-linter@v4.1.0 env: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d014be96..20cd584a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,7 +24,7 @@ jobs: - centos-stream-8-x64 # - centos-stream-9-x64 # yum oomkill steps: - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v4 - name: Setup doctl uses: digitalocean/action-doctl@v2 From 0cc002e17dbb54bb3703469b15db085f48e9e8bc Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Thu, 16 May 2024 20:33:32 +0200 Subject: [PATCH 31/38] CI: wait for dpkg lock in debian/ubuntu setup step --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 20cd584a..c73a5538 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -59,7 +59,7 @@ jobs: host: ${{ steps.server_ip.outputs.value }} username: root key: ${{ secrets.SSH_KEY }} - script: set -x && apt-get update && apt-get install -y git + script: set -x && apt-get -o DPkg::Lock::Timeout=120 update && apt-get install -y git - name: Setup remote server (Fedora) if: steps.server_os.outputs.value == 'fedora' From 67701fac77d4d716cf2f4be8ac2c59db0e91f952 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Thu, 16 May 2024 20:37:23 +0200 Subject: [PATCH 32/38] CI: wait for dpkg lock in debian/ubuntu setup step --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c73a5538..ef3f6669 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -59,7 +59,7 @@ jobs: host: ${{ steps.server_ip.outputs.value }} username: root key: ${{ secrets.SSH_KEY }} - script: set -x && apt-get -o DPkg::Lock::Timeout=120 update && apt-get install -y git + script: set -x && apt-get update && apt-get -o DPkg::Lock::Timeout=120 install -y git - name: Setup remote server (Fedora) if: steps.server_os.outputs.value == 'fedora' From a189535563f1b48605115643585e036cd5631ac1 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Fri, 12 Jul 2024 18:16:19 +0200 Subject: [PATCH 33/38] Set client and server certificates validity to 10 years (#1235) Prevent #974 --- openvpn-install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 06ad608a..6c6a6474 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
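Review bot: After the second hunk on this line the lock timeout applies only to `apt-get install`, while the first hunk had put it on `apt-get update` instead; both invocations take the apt/dpkg lock and either one can collide with background package activity on a freshly booted image, so moving the option rather than adding it just shifts the race. Set it on both calls: `script: set -x && apt-get -o DPkg::Lock::Timeout=120 update && apt-get -o DPkg::Lock::Timeout=120 install -y git`. A short comment on the step, `# wait for any unattended apt/dpkg run on the fresh image to release the lock`, would explain the option to the next reader.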
@@ -731,14 +731,14 @@ function installOpenVPN() { # Create the PKI, set up the CA, the DH params and the server certificate ./easyrsa init-pki - ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass + EASYRSA_CA_EXPIRE=3650 ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass if [[ $DH_TYPE == "2" ]]; then # ECDH keys are generated on-the-fly so we don't need to generate them beforehand openssl dhparam -out dh.pem $DH_KEY_SIZE fi - ./easyrsa --batch build-server-full "$SERVER_NAME" nopass + EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-server-full "$SERVER_NAME" nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl case $TLS_SIG in @@ -1085,11 +1085,11 @@ function newClient() { cd /etc/openvpn/easy-rsa/ || return case $PASS in 1) - ./easyrsa --batch build-client-full "$CLIENT" nopass + EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "$CLIENT" nopass ;; 2) echo "⚠️ You will be asked for the client password below ⚠️" - ./easyrsa --batch build-client-full "$CLIENT" + EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "$CLIENT" ;; esac echo "Client $CLIENT added." From 2ce1ee765eaef88f955ee3ba27ea42f6e085d8a7 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Fri, 12 Jul 2024 18:19:53 +0200 Subject: [PATCH 34/38] Remove centos-stream-8-x64 from test workflow Not available on DO anymore --- .github/workflows/test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ef3f6669..ab3ecf5b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,6 @@ jobs: - ubuntu-24-04-x64 - fedora-39-x64 - centos-7-x64 - - centos-stream-8-x64 # - centos-stream-9-x64 # yum oomkill steps: - uses: actions/checkout@v4 From 56660eefeb31293ef4c1a6c5c1e2984d874122d1 Mon Sep 17 00:00:00 2001 
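Review bot: The 3650-day lifetime is now repeated as a literal in four places across both hunks (the CA and server certificate in installOpenVPN, both client-certificate calls in newClient); a single variable alongside the other environment-overridable defaults, e.g. `CERT_EXPIRE_DAYS=${CERT_EXPIRE_DAYS:-3650}` used as `EASYRSA_CERT_EXPIRE=$CERT_EXPIRE_DAYS ./easyrsa --batch build-client-full "$CLIENT" nopass`, keeps the values in step and lets an operator choose a shorter client lifetime. That choice matters because a client certificate stays usable until it expires or is revoked, so ten years is the window during which a leaked client profile remains valid unless someone revokes it. The server certificate also receives the same 3650 days as the CA issued moments earlier, so the two expire together and renewing the server certificate later implies renewing the CA as well; a comment above the `build-ca` line stating the chosen lifetimes and that dependency would save the next maintainer a question. installOpenVPN and newClient both extend beyond the hunks.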
From: xiahare <45806405+xiahare@users.noreply.github.com> Date: Thu, 7 Nov 2024 11:39:28 -0800 Subject: [PATCH 35/38] Fix public IP detection: ip.seeip.org has been changed to api.seeip.org (#1252) --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 6c6a6474..d9397b16 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -627,11 +627,11 @@ function installOpenVPN() { # Behind NAT, we'll default to the publicly reachable IPv4/IPv6. if [[ $IPV6_SUPPORT == "y" ]]; then - if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://ip.seeip.org); then + if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://api.seeip.org); then PUBLIC_IP=$(dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') fi else - if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://ip.seeip.org); then + if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://api.seeip.org); then PUBLIC_IP=$(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') fi fi From 0d58ddcb8c5c3c096416a4b059972451f88ed369 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Thu, 7 Nov 2024 20:46:47 +0100 Subject: [PATCH 36/38] Update distribution matrix for end-to-end tests --- .github/workflows/test.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ab3ecf5b..198ff235 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,13 +13,12 @@ jobs: strategy: matrix: os-image: - - debian-10-x64 - debian-11-x64 - debian-12-x64 - - ubuntu-20-04-x64 - ubuntu-22-04-x64 - ubuntu-24-04-x64 - fedora-39-x64 + - fedora-40-x64 - centos-7-x64 # - centos-stream-9-x64 # yum oomkill steps: From dc114f324374b15c337674bedc986e4f6248f08e Mon Sep 17 00:00:00 2001 
From: Stanislas Lange Date: Thu, 7 Nov 2024 20:49:42 +0100 Subject: [PATCH 37/38] Update distribution matrix for end-to-end tests --- .github/workflows/test.yml | 1 - README.md | 20 ++++++++++---------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 198ff235..5579a114 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -19,7 +19,6 @@ jobs: - ubuntu-24-04-x64 - fedora-39-x64 - fedora-40-x64 - - centos-7-x64 # - centos-stream-9-x64 # yum oomkill steps: - uses: actions/checkout@v4 diff --git a/README.md b/README.md index dd83d6a7..0f3a5399 100644 --- a/README.md +++ b/README.md @@ -117,16 +117,16 @@ The script supports these Linux distributions: | | Support | | ------------------ | ------- | -| AlmaLinux 8 | ✅ | -| Amazon Linux 2 | ✅ | -| Arch Linux | ✅ | -| CentOS 7 | ✅ 🤖 | -| CentOS Stream >= 8 | ✅ 🤖 | -| Debian >= 10 | ✅ 🤖 | -| Fedora >= 35 | ✅ 🤖 | -| Oracle Linux 8 | ✅ | -| Rocky Linux 8 | ✅ | -| Ubuntu >= 18.04 | ✅ 🤖 | +| AlmaLinux 8 | ✅ | +| Amazon Linux 2 | ✅ | +| Arch Linux | ✅ | +| CentOS 7 | ✅ | +| CentOS Stream >= 8 | ✅ 🤖 | +| Debian >= 10 | ✅ 🤖 | +| Fedora >= 35 | ✅ 🤖 | +| Oracle Linux 8 | ✅ | +| Rocky Linux 8 | ✅ | +| Ubuntu >= 18.04 | ✅ 🤖 | To be noted: From e1f19e0f246c4e429dbf32bdf0a0a507d8ac194b Mon Sep 17 00:00:00 2001 From: Raphael Pinto Date: Thu, 7 Nov 2024 19:55:14 +0000 Subject: [PATCH 38/38] Fix Public IP detection - Fix issue when seeip.org is unreachable #1241 (#1243) The script does work when seeip.org is unreachable, so I changed the policy to define the public IP. It solves the issue #1241 * Timeout limit on each try to solve the IP to avoid long waits; * Extra public IP providers as failovers; * the script only will try to solve an IP if the ENDPOINT is empty; Co-authored-by: Stanislas --- openvpn-install.sh | 58 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 46 insertions(+), 12 deletions(-) 
diff --git a/openvpn-install.sh b/openvpn-install.sh index d9397b16..a0e04a49 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -216,6 +216,45 @@ access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/openvpn.conf systemctl restart unbound } +function resolvePublicIP() { + # IP version flags, we'll use as default the IPv4 + CURL_IP_VERSION_FLAG="-4" + DIG_IP_VERSION_FLAG="-4" + + # Behind NAT, we'll default to the publicly reachable IPv4/IPv6. + if [[ $IPV6_SUPPORT == "y" ]]; then + CURL_IP_VERSION_FLAG="" + DIG_IP_VERSION_FLAG="-6" + fi + + # If there is no public ip yet, we'll try to solve it using: https://api.seeip.org + if [[ -z $PUBLIC_IP ]]; then + PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://api.seeip.org 2>/dev/null) + fi + + # If there is no public ip yet, we'll try to solve it using: https://ifconfig.me + if [[ -z $PUBLIC_IP ]]; then + PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://ifconfig.me 2>/dev/null) + fi + + # If there is no public ip yet, we'll try to solve it using: https://api.ipify.org + if [[ -z $PUBLIC_IP ]]; then + PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://api.ipify.org 2>/dev/null) + fi + + # If there is no public ip yet, we'll try to solve it using: ns1.google.com + if [[ -z $PUBLIC_IP ]]; then + PUBLIC_IP=$(dig $DIG_IP_VERSION_FLAG TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') + fi + + if [[ -z $PUBLIC_IP ]]; then + echo >&2 echo "Couldn't solve the public IP" + exit 1 + fi + + echo "$PUBLIC_IP" +} + function installQuestions() { echo "Welcome to the OpenVPN installer!" echo "The git repository is available at: https://github.com/angristan/openvpn-install" 
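Review bot: The failure branch at the end of the new resolvePublicIP prints the word `echo` as part of its own message — `echo >&2 echo "Couldn't solve the public IP"` — and should read `echo "Couldn't solve the public IP" >&2`. In the IPv6 case `"$CURL_IP_VERSION_FLAG"` expands to an empty string that curl receives as an extra, malformed URL argument rather than as "no flag", so the flag is better kept in an array and expanded with `"${CURL_IP_VERSION_FLAG[@]}"`. Whatever body the three providers return is also accepted verbatim and ends up in the server configuration and every client profile, so the result should be checked to look like an IP literal before it is used; the dig fallback deserves the same check. The three near-identical curl blocks collapse into one loop over the providers, as sketched below, with the dig fallback and the final `echo "$PUBLIC_IP"` unchanged.
```shell
function resolvePublicIP() {
	# Arrays so the IPv6 case expands to no argument at all instead of an empty "" argument
	CURL_IP_VERSION_FLAG=(-4)
	DIG_IP_VERSION_FLAG="-4"
	if [[ $IPV6_SUPPORT == "y" ]]; then
		CURL_IP_VERSION_FLAG=()
		DIG_IP_VERSION_FLAG="-6"
	fi

	# Providers tried in order; a response that is not shaped like an IP literal is discarded,
	# since the value is written into the server config and every client profile
	local provider
	for provider in https://api.seeip.org https://ifconfig.me https://api.ipify.org; do
		[[ -n $PUBLIC_IP ]] && break
		PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "${CURL_IP_VERSION_FLAG[@]}" "$provider" 2>/dev/null)
		[[ $PUBLIC_IP =~ ^[0-9A-Fa-f.:]+$ ]] || PUBLIC_IP=""
	done

	# … unchanged: dig fallback against ns1.google.com …

	if [[ -z $PUBLIC_IP ]]; then
		echo "Couldn't solve the public IP" >&2
		exit 1
	fi

	echo "$PUBLIC_IP"
}
```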
@@ -244,9 +283,12 @@ function installQuestions() { echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?" echo "We need it for the clients to connect to the server." - PUBLICIP=$(curl -s https://api.ipify.org) + if [[ -z $ENDPOINT ]]; then + DEFAULT_ENDPOINT=$(resolvePublicIP) + fi + until [[ $ENDPOINT != "" ]]; do - read -rp "Public IPv4 address or hostname: " -e -i "$PUBLICIP" ENDPOINT + read -rp "Public IPv4 address or hostname: " -e -i "$DEFAULT_ENDPOINT" ENDPOINT done fi @@ -625,17 +667,9 @@ function installOpenVPN() { PASS=${PASS:-1} CONTINUE=${CONTINUE:-y} - # Behind NAT, we'll default to the publicly reachable IPv4/IPv6. - if [[ $IPV6_SUPPORT == "y" ]]; then - if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://api.seeip.org); then - PUBLIC_IP=$(dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') - fi - else - if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://api.seeip.org); then - PUBLIC_IP=$(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') - fi + if [[ -z $ENDPOINT ]]; then + ENDPOINT=$(resolvePublicIP) fi - ENDPOINT=${ENDPOINT:-$PUBLIC_IP} fi # Run setup questions first, and set other variables if auto-install
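Review bot: `exit 1` inside resolvePublicIP terminates only the command-substitution subshell, so after the new `ENDPOINT=$(resolvePublicIP)` in the second hunk the headless install carries on with an empty ENDPOINT once every lookup has failed; the message reaches stderr but nothing stops the run. Check the substitution's status at the call site, `ENDPOINT=$(resolvePublicIP) || exit 1`, or test `[[ -n $ENDPOINT ]]` immediately after it. The interactive path in the first hunk is not affected, because its `until [[ $ENDPOINT != "" ]]` loop keeps prompting when `DEFAULT_ENDPOINT` comes back empty. installOpenVPN continues past the end of the hunk.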