From 5844a8440f05bc751873a7c5ccde7660c7653fd2 Mon Sep 17 00:00:00 2001
From: angristan <angristan@pm.me>
Date: Sun, 30 Jun 2019 23:06:33 +0200
Subject: [PATCH] Add support for Debian 10

Fix #439
---
 README.md          |  7 ++++---
 Vagrantfile        |  1 +
 openvpn-install.sh | 20 ++++++++++----------
 3 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 9fa3f59..b2c07ef 100644
--- a/README.md
+++ b/README.md
@@ -100,6 +100,7 @@ The script supports these OS and architectures:
 |   CentOS 7   |   ❔  |  ✅  |   ❌   |   ✅  |
 |   Debian 8   |   ✅  |  ✅  |   ❌   |   ❌  |
 |   Debian 9   |   ❌  |  ✅  |   ✅   |   ✅  |
+|   Debian 10  |   ❔  |  ✅  |   ❔   |   ❔  |
 |   Fedora 27  |   ❔  |  ✅  |   ❔   |   ❔  |
 |   Fedora 28  |   ❔  |  ✅  |   ❔   |   ❔  |
 | Ubuntu 16.04 |   ✅  |  ✅  |   ❌   |   ❌  |
@@ -264,7 +265,7 @@ It defaults to `prime256v1`.
 From the OpenVPN wiki, about `--auth`:
 
 > Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.
-> 
+>
 > If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
 
 SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks).
@@ -282,13 +283,13 @@ It defaults to `SHA256`.
 From the OpenVPN wiki, about `tls-auth`:
 
 > Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack.
-> 
+>
 > In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.
 
 About `tls-crypt`:
 
 > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
-> 
+>
 > Encrypting (and authenticating) control channel packets:
 > - provides more privacy by hiding the certificate used for the TLS connection,
 > - makes it harder to identify OpenVPN traffic as such,
diff --git a/Vagrantfile b/Vagrantfile
index b2a7847..4dd0973 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -5,6 +5,7 @@ autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
 # else, run `vagrant up <hostname>`
 
 machines = [
+  { hostname: 'debian-10', box: 'debian/stretch64' },
   { hostname: 'debian-9', box: 'debian/stretch64' },
   { hostname: 'debian-8', box: 'debian/jessie64' },
   { hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 99e7bca..08daa7c 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -21,7 +21,7 @@ function checkOS () {
 		source /etc/os-release
 
 		if [[ "$ID" == "debian" ]]; then
-			if [[ ! $VERSION_ID =~ (8|9) ]]; then
+			if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
 				echo "⚠️ Your version of Debian is not supported."
 				echo ""
 				echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
@@ -128,7 +128,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
 			curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
 
 			mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
-			
+
 			echo 'server:
 	use-syslog: yes
 	do-daemonize: no
@@ -650,10 +650,10 @@ function installOpenVPN () {
 		# ECDH keys are generated on-the-fly so we don't need to generate them beforehand
 		openssl dhparam -out dh.pem $DH_KEY_SIZE
 	fi
-	
+
 	./easyrsa build-server-full "$SERVER_NAME" nopass
 	EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
-	
+
 	case $TLS_SIG in
 		1)
 			# Generate tls-crypt key
@@ -664,13 +664,13 @@ function installOpenVPN () {
 			openvpn --genkey --secret /etc/openvpn/tls-auth.key
 		;;
 	esac
-	
+
 	# Move all the generated files
 	cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
 	if [[ $DH_TYPE == "2" ]]; then
 		cp dh.pem /etc/openvpn
 	fi
-	
+
 	# Make cert revocation list readable for non-root
 	chmod 644 /etc/openvpn/crl.pem
 
@@ -781,7 +781,7 @@ push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
 	echo "crl-verify crl.pem
 ca ca.crt
 cert $SERVER_NAME.crt
-key $SERVER_NAME.key 
+key $SERVER_NAME.key
 auth $HMAC_ALG
 cipher $CIPHER
 ncp-ciphers $CIPHER
@@ -815,7 +815,7 @@ verb 3" >> /etc/openvpn/server.conf
 	if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then
 		# Don't modify package-provided service
 		cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
-		
+
 		# Workaround to fix OpenVPN service on OpenVZ
 		sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
 		# Another workaround to keep using /etc/openvpn/
@@ -836,12 +836,12 @@ verb 3" >> /etc/openvpn/server.conf
 	else
 		# Don't modify package-provided service
 		cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
-		
+
 		# Workaround to fix OpenVPN service on OpenVZ
 		sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service
 		# Another workaround to keep using /etc/openvpn/
 		sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
-		
+
 		systemctl daemon-reload
 		systemctl restart openvpn@server
 		systemctl enable openvpn@server