diff --git a/README.md b/README.md index f2a6324..c8e5165 100644 --- a/README.md +++ b/README.md @@ -42,8 +42,8 @@ If you have any question, head to the [FAQ](#faq) first. - If needed, the script can cleanly remove OpenVPN, including configuration and iptables rules - Customisable encryption settings, enhanced default settings (see [Security and Encryption](#security-and-encryption) below) - OpenVPN 2.4 features, mainly encryption improvements (see [Security and Encryption](#security-and-encryption) below) -- Varietey of DNS resolvers to be pushed to the clients -- Choice to use a self-hosted resolver with Unbound (supports already existing Unboud installations) +- Variety of DNS resolvers to be pushed to the clients +- Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations) - Choice between TCP and UDP - NATed IPv6 support - Compression disabled by default to prevent VORACLE. LZ4 and LZ0 algorithms available otherwise. @@ -122,7 +122,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you **A:** Please review your threat models. Even if this script has security in mind and uses state-of-the-art encryption, you shouldn't be using a VPN if you want to hide from the NSA. --- +--- **Q:** Is there an OpenVPN documentation? 
@@ -161,7 +161,7 @@ If you want more information about an option mentioned below, head to the [OpenV Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file. ### Compression -By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 algorthms, the latter being more efficient. +By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 algorithms, the latter being more efficient. However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it. @@ -190,7 +190,7 @@ OpenVPN uses `SHA-256` as the signature hash by default, and so does the script. ### Data channel -By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old (1993) and weak alogorithm. Even the official OpenVPN documentation admits it. +By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old (1993) and weak algorithm. Even the official OpenVPN documentation admits it. > The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. 
> @@ -219,7 +219,7 @@ The script supports the following ciphers: And defaults to `AES-128-GCM`. -OpenVPN 2.4 added a feature called "NCP": *Negociable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above. +OpenVPN 2.4 added a feature called "NCP": *Negotiable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above. ### Control channel @@ -298,6 +298,6 @@ You can [say thanks](https://saythanks.io/to/Angristan) if you want! ## Credits & Licence -Many thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and Nyr's orginal work. +Many thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and Nyr's original work. This project is under the [MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install/master/LICENSE) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9ce2043..df5e55e 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -248,7 +248,7 @@ function installQuestions () { esac echo "" echo "What protocol do you want OpenVPN to use?" - echo "UDP is faster. Unless it is not available, you shoudn't use TCP." + echo "UDP is faster. Unless it is not available, you shouldn't use TCP." echo " 1) UDP" echo " 2) TCP" until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do 
@@ -326,7 +326,7 @@ function installQuestions () { read -rp "Customize encryption settings? [y/n]: " -e -i n CUSTOMIZE_ENC done if [[ $CUSTOMIZE_ENC == "n" ]];then - # Use default, sane and fast paramters + # Use default, sane and fast parameters CIPHER="AES-128-GCM" CERT_TYPE="1" # ECDSA CERT_CURVE="prime256v1" @@ -368,7 +368,7 @@ function installQuestions () { ;; esac echo "" - echo "Choose what kind of certificate you want to use." + echo "Choose what kind of certificate you want to use:" echo " 1) ECDSA (recommended)" echo " 2) RSA" until [[ $CERT_TYPE =~ ^[1-2]$ ]]; do @@ -453,7 +453,7 @@ function installQuestions () { ;; esac echo "" - echo "Choose what kind of Diffie-Hellman key you want to use." + echo "Choose what kind of Diffie-Hellman key you want to use:" echo " 1) ECDH (recommended)" echo " 2) DH" until [[ $DH_TYPE =~ [1-2] ]]; do @@ -462,7 +462,7 @@ function installQuestions () { case $DH_TYPE in 1) echo "" - echo "Choose which curve you want to use for the ECDH key" + echo "Choose which curve you want to use for the ECDH key:" echo " 1) prime256v1 (recommended)" echo " 2) secp384r1" echo " 3) secp521r1" @@ -539,7 +539,7 @@ function installQuestions () { fi echo "" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now." - echo "You will be able to generate a client at the end of the installtion." + echo "You will be able to generate a client at the end of the installation." read -n1 -r -p "Press any key to continue..." }
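Review bot: the README @@ -161 hunk fixes `algorthms` but the unchanged context line directly below it still reads `since it since the [VORACLE attack]`, a duplicated phrase in the same paragraph; drop the first `since it` so it reads `it is discouraged to use compression since the VORACLE attack makes use of it`. The hunk's leading context `Defaults parameters are in the vars.example file` should likewise be `Default parameters`.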
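Review bot: the README @@ -219 hunk corrects `Negociable` but leaves `the script set both the --cipher and --ncp-cipher` in the same rewritten line; the subject is singular, so it should be `the script sets both`.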
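Review bot: the corrected line in the openvpn-install.sh @@ -248 hunk, `UDP is faster. Unless it is not available, you shouldn't use TCP.`, still carries a double negative that is hard to parse at an interactive prompt; suggest `UDP is faster. Use TCP only if UDP is not available.`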
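Review bot: the trailing context of the openvpn-install.sh @@ -453 hunk, `until [[ $DH_TYPE =~ [1-2] ]]; do`, validates with an unanchored pattern, so an answer such as `12` or `x1` is accepted and reaches the `case $DH_TYPE in` that follows without matching a listed choice; the protocol prompt in the @@ -248 hunk already anchors its check with `^[1-2]$`, so make this one consistent: `until [[ $DH_TYPE =~ ^[1-2]$ ]]; do`. Since this commit already edits the prompt text around it, that is the natural place to fix it.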
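Review bot: the openvpn-install.sh @@ -539 hunk fixes `installtion`, but the preceding context line `We are ready to setup your OpenVPN server now.` still uses `setup` as a verb; it should be `set up`.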