From 77301f9a9df2e812aaf0baabc7297f2859ffe8df Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 20 Nov 2016 15:29:23 +0100 Subject: [PATCH] Some clarification --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index c60fd9f..2474362 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ##openvpn-install -OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Debian, Ubuntu and CentOS. +Secure OpenVPN installer for Debian, Ubuntu and CentOS. This script will let you setup your own secure VPN server in no more than a minute. @@ -7,19 +7,20 @@ This script will let you setup your own secure VPN server in no more than a minu ##Fork -This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install), big thanks to them. +This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install). -I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and espicially better encryption. Nyr's original script uses mainly default parameters regarding encryption, but you can do a lot better with the latest versions of OpenVPN and have nearly state-of-the-art encryption. +I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and espicially better encryption. Nyr's original script uses mainly default parameters regarding encryption, which are not *bad*, but you can do a lot better with the latest versions of OpenVPN and have nearly state-of-the-art encryption. -The only drawback is that you need to use a recent version of OpenVPN. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories. +Also, Nyr and myself clearly have not the same point of view regarding this script, that's why it's a fork. -I you want to use an OpenVPN server installed with this script with an old client (>2.3), it won't be compatible. If you can't upgrade your client, use Nyr's script. +The only drawback is that you need to use a recent version of OpenVPN, because some options are only availble since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. + +On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. If you can't upgrade your client (which is a security problem), use Nyr's script. ### Features This fork includes the following features : - Every feature of the [original script](https://github.com/Nyr/openvpn-install) -- No logs - No comp-lzo [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575) - Better encryption (see below) - Avoid DNS leak @@ -30,7 +31,6 @@ This fork includes the following features : - Run server in unprivileged mode, reducing risks to the system - TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel. - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/) -- Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/) - [DNS.WATCH DNS Servers](https://dns.watch/index) - Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) - Support for either SNAT or MASQUERADE for forwarding