mirror of
https://github.com/namibia/openvpn-install.git
synced 2025-01-10 22:10:49 +00:00
Rewrite README
This commit is contained in:
parent
e920f7fbc2
commit
0a5c3c1401
115
README.md
@ -1,30 +1,25 @@
|
|||||||
# OpenVPN-install
|
# openvpn-install
|
||||||
|
|
||||||
OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
|
OpenVPN installer for Debian, Ubuntu, Fedora and CentOS.
|
||||||
|
|
||||||
This script will let you setup your own secure VPN server in just a few minutes.
|
This script will let you setup your own secure VPN server in just a few minutes.
|
||||||
|
|
||||||
Here is a preview of the installer :
|
|
||||||
|
|
||||||
![previw_1](https://lut.im/IzjFrfhM18/DY8KD91W0uMhEgLp.png)
|
|
||||||
![preview_2](https://lut.im/eODTn8Sa9y/euCqh0wzXwlz3UNs.png)
|
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
**You have to enable the TUN module otherwise OpenVPN won't work.** Ask your host if you don't know how to do it. If the TUN module is not enabled, the script will warn you and exit.
|
|
||||||
|
|
||||||
You can get a cheap VPS to run this script for $3.50/month worldwide at [Vultr](https://goo.gl/Xyd1Sc) or 3€/month for unlimited bandwidth in France at [PulseHeberg](https://goo.gl/76yqW5).
|
|
||||||
|
|
||||||
First, get the script and make it executable :
|
First, get the script and make it executable :
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
|
wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
|
||||||
chmod +x openvpn-install.sh
|
chmod +x openvpn-install.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
Then run it :
|
Then run it :
|
||||||
|
|
||||||
`./openvpn-install.sh`
|
```sh
|
||||||
|
./openvpn-install.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
You need to run the script as root and have the TUN module enabled.
|
||||||
|
|
||||||
The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
|
The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
|
||||||
|
|
||||||
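Review bot: the install instructions in this hunk (the `wget .../master/openvpn-install.sh`, `chmod +x openvpn-install.sh` and `./openvpn-install.sh` lines) still have the reader fetch an unpinned `master` script and run it as root with no way to verify what was downloaded; suggest pointing at a tagged release and publishing a checksum or signature that the README tells the reader to check before running. Also, the deleted sentence "If the TUN module is not enabled, the script will warn you and exit." documented behaviour the script keeps (the unchanged `# Check for root, TUN, OS...` / `initialCheck` lines at the end of this patch), and its replacement "You need to run the script as root and have the TUN module enabled." no longer says the script checks and aborts; consider keeping that one sentence.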
@ -34,25 +29,24 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
|
|||||||
- Remove a client
|
- Remove a client
|
||||||
- Uninstall OpenVPN
|
- Uninstall OpenVPN
|
||||||
|
|
||||||
![preview_3](https://i.imgur.com/AlW9g7t.png)
|
|
||||||
|
|
||||||
In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your prefered OpenVPN client.
|
In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your prefered OpenVPN client.
|
||||||
|
|
||||||
## The fork
|
## Features
|
||||||
|
|
||||||
This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install).
|
- Installs and configures a ready-to-use OpenVPN server
|
||||||
|
- Iptables rules and forwarding managed in a seamless way
|
||||||
I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and especially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are insecure. See [#encryption](#encryption).
|
- If needed, the script can cleanly remove OpenVPN, including configuration and iptables rules
|
||||||
|
- Customizable encryption settings, enhanced default settings
|
||||||
Also, Nyr and myself clearly have not the same point of view regarding this script, that's why it's a fork.
|
- Varitey of DNS resolvers to be pushed to the clients
|
||||||
|
- Choice to use a self-hosted resolver with Unbound (supports already existing Unboud installations)
|
||||||
The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only available since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibility](#compatibility).
|
- Choice between TCP and UDP
|
||||||
|
- NATed IPv6 support
|
||||||
On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. However I don't see why you would use an outdated client.
|
- Compression disabled to prevent VORACLE
|
||||||
|
- Unprivileged mode: run as `nobody`/`nogroup`
|
||||||
**TL;DR**, this script is relatively secure, and you can just press enter in the setup.
|
- Block DNS leaks on Windows 10
|
||||||
|
- Randomized server certificate name
|
||||||
**[A Pull Request](https://github.com/Angristan/OpenVPN-install/pull/96) is currently being worked on to implement the latest OpenVPN 2.4 features.**
|
- Choice to protect clients with a password (private key encryption)
|
||||||
|
- Many other little things!
|
||||||
|
|
||||||
## Compatibility
|
## Compatibility
|
||||||
|
|
||||||
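Review bot: two typos in the added Features list, "Varitey of DNS resolvers" should read "Variety of DNS resolvers" and "already existing Unboud installations" should read "already existing Unbound installations". The old list linked the DNS-leak and compression items to their references (the Windows 10 ticket and the compression/oracle discussion); the new "Block DNS leaks on Windows 10" and "Compression disabled to prevent VORACLE" items drop those links, so consider restoring them, and "Block DNS leaks on Windows 10" deserves a note that it is Windows-only, since it rests on the `block-outside-dns` option the client template sets later in this patch.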
@ -67,49 +61,30 @@ The script supports these OS and architectures:
|
|||||||
- **Fedora 28** (amd64)
|
- **Fedora 28** (amd64)
|
||||||
- **CentOS 7** (i386, amd64, arm64)
|
- **CentOS 7** (i386, amd64, arm64)
|
||||||
|
|
||||||
(It should also work on Debian unstable/testing and Ubuntu beta).
|
To be noted:
|
||||||
|
|
||||||
The script requires `systemd`.
|
- It should also work on Debian unstable/testing and Ubuntu beta.
|
||||||
|
- The script requires `systemd`.
|
||||||
|
- The script is regularly tested against `amd64` only.
|
||||||
|
|
||||||
## Features
|
## Fork
|
||||||
|
|
||||||
This fork includes the following features :
|
This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install).
|
||||||
|
|
||||||
- Every feature of the [original script](https://github.com/Nyr/openvpn-install)
|
Since 2016, the two scripts have diverged and are not alike anymore, especially under the hood. The main goal of the script was enhanced security. But since then, the script has been completely rewritten and a lot a features have been added. The script is only comptaible with recent distributions though, so if you need to use a very old server or client, I advise using Nyr's script.
|
||||||
- Better encryption, see below
|
|
||||||
- Better DNS resolvers, see below
|
|
||||||
- Choice between TCP and UDP (UDP is still recommended)
|
|
||||||
- IPv6 (NATed) support
|
|
||||||
- Run server in unprivileged mode, reducing risks to the system
|
|
||||||
- [Block DNS leak on Windows 10](https://community.openvpn.net/openvpn/ticket/605)
|
|
||||||
- No compression, as [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575)
|
|
||||||
- [Arch Linux support](https://github.com/Angristan/OpenVPN-install/pull/2)
|
|
||||||
- Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories.
|
|
||||||
- Randomized certificate name
|
|
||||||
- The ability to create passwordless clients and clients protected with a password
|
|
||||||
- Other improvements !
|
|
||||||
|
|
||||||
## DNS
|
|
||||||
|
|
||||||
The script will ask you which DNS resolvers you want to use when connected to the VPN.
|
|
||||||
|
|
||||||
Here are the possibilities :
|
|
||||||
|
|
||||||
- Current system resolvers, those that are in `/etc/resolv.conf`
|
|
||||||
- Self-hosted resolver thanks to Unbound
|
|
||||||
- [Cloudflare](https://1.1.1.1/), recommended, fastest resolvers available (Anycast servers)
|
|
||||||
- [Quad9](https://www.quad9.net), recommended, security and privacy oriented, fast worldwide (Anycast servers)
|
|
||||||
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/), recommended if you're in western europe (France)
|
|
||||||
- [DNS.WATCH DNS Servers](https://dns.watch/index), recommended if you're in western europe (Germany)
|
|
||||||
- [OpenDNS](https://en.wikipedia.org/wiki/OpenDNS), not recommened but fast wordlwide (Anycast servers)
|
|
||||||
- [Google Public DNS](https://en.wikipedia.org/wiki/Google_Public_DNS), not recommended, but fast worldwide (Anycast servers)
|
|
||||||
- [Yandex Basic DNS](https://dns.yandex.com/), not recommended, but fast in Russia
|
|
||||||
- [AdGuard DNS](https://github.com/AdguardTeam/AdguardDNS), located in Russia, blocks ads and trackers
|
|
||||||
|
|
||||||
Any other fast, trustable and neutral servers proposition is welcome.
|
|
||||||
|
|
||||||
## FAQ
|
## FAQ
|
||||||
|
|
||||||
|
**Q:** Which provider do you recommend?
|
||||||
|
|
||||||
|
**A:** I recommend these:
|
||||||
|
|
||||||
|
- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month
|
||||||
|
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
|
||||||
|
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
**Q:** The script has been udpated since I installed OpenVPN. How do I update?
|
**Q:** The script has been udpated since I installed OpenVPN. How do I update?
|
||||||
|
|
||||||
**A:** You can't. Managing updates and new features from the script would require way too much work. Your only solution is to uninstall OpenVPN and reinstall with the updated script.
|
**A:** You can't. Managing updates and new features from the script would require way too much work. Your only solution is to uninstall OpenVPN and reinstall with the updated script.
|
||||||
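Review bot: typos in the added Fork paragraph, "comptaible" should be "compatible" and "a lot a features" should be "a lot of features". Separately, this hunk deletes the whole DNS section (the list from "Current system resolvers" down to "AdGuard DNS", with its recommended / not recommended notes) without carrying it anywhere; the Features list only says "Varitey of DNS resolvers", so a reader can no longer see which resolvers the installer offers, or why some are flagged, before running it, and those trust notes are exactly what a security-minded user wants to read first. Suggest keeping at least the list with its recommendation notes. Minor: the added FAQ provider links are `goo.gl` shortlinks that hide their destination from the reader; direct URLs are preferable in a README that asks people to run a script as root.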
@ -118,6 +93,12 @@ You can, of course, it's even recommended, update the `openvpn` package with you
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
**Q:** How do I check for DNS leaks?
|
||||||
|
|
||||||
|
**A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
**Q:** IPv6 is not working on my Hetzner VM
|
**Q:** IPv6 is not working on my Hetzner VM
|
||||||
|
|
||||||
**A:** This an issue on their side. See [issue #295](https://github.com/angristan/openvpn-install/issues/295).
|
**A:** This an issue on their side. See [issue #295](https://github.com/angristan/openvpn-install/issues/295).
|
||||||
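Review bot: the added answer "Only your server's IP should show up." is only accurate when the self-hosted Unbound resolver was chosen at setup; when one of the public resolvers the script can push (Cloudflare, Quad9 and the others listed in the section this patch removes) is in use, dnsleaktest.com and ipleak.net will report that resolver's addresses, which is expected and not a leak. Suggest rewording to say the test should show only the VPN server or the resolver selected during setup, and that seeing the client's ISP or local-network resolver is the leak.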
@ -264,10 +245,6 @@ SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used.
|
|||||||
|
|
||||||
TLS-Auth is not enabled by default by OpenVPN, but it is in this script.
|
TLS-Auth is not enabled by default by OpenVPN, but it is in this script.
|
||||||
|
|
||||||
## Check for DNS leaks
|
|
||||||
|
|
||||||
Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
|
|
||||||
|
|
||||||
## Say thanks
|
## Say thanks
|
||||||
|
|
||||||
You can [say thanks](https://saythanks.io/to/Angristan) if you want!
|
You can [say thanks](https://saythanks.io/to/Angristan) if you want!
|
||||||
|
@ -1,9 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Fedora
|
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Fedora
|
||||||
# https://github.com/Angristan/OpenVPN-install
|
# https://github.com/angristan/openvpn-install
|
||||||
|
|
||||||
# Functions
|
|
||||||
|
|
||||||
function isRoot () {
|
function isRoot () {
|
||||||
if [ "$EUID" -ne 0 ]; then
|
if [ "$EUID" -ne 0 ]; then
|
||||||
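Review bot: the `# https://github.com/angristan/openvpn-install` comment now uses the lowercase path while the README's `wget` line in this same patch uses `Angristan/openvpn-install`; pick one spelling for both. Style: dropping the `# Functions` marker here (and `# Main` in the last hunk) removes the only section signposts in a script where `isRoot` is defined near the top and `initialCheck` is called at the bottom; keep them or replace them with equivalent comments.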
@ -597,7 +595,7 @@ $CIPHER
|
|||||||
tls-client
|
tls-client
|
||||||
tls-version-min 1.2
|
tls-version-min 1.2
|
||||||
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
|
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
|
||||||
setenv opt block-outside-dns
|
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
|
||||||
verb 3" >> /etc/openvpn/client-template.txt
|
verb 3" >> /etc/openvpn/client-template.txt
|
||||||
|
|
||||||
# Generate the custom client.ovpn
|
# Generate the custom client.ovpn
|
||||||
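Review bot: the `# Prevent Windows 10 DNS leak` comment is appended inside the quoted string that is redirected to the client template (see the `verb 3" >> /etc/openvpn/client-template.txt` line), so it lands in every generated client profile rather than in the installer's source. If it is meant for script maintainers, move it to a shell comment line outside the quoted block; if it is meant for end users, confirm that OpenVPN's config parser accepts a trailing comment after `setenv opt block-outside-dns` on all supported client versions, or give it its own `# ...` line inside the template.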
@ -833,8 +831,6 @@ function manageMenu () {
|
|||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
# Main
|
|
||||||
|
|
||||||
# Check for root, TUN, OS...
|
# Check for root, TUN, OS...
|
||||||
initialCheck
|
initialCheck
|
||||||
|
|
||||||
|