Angristan
a2a3bfc605
Added Yandex Basic DNS resolvers
...
https://dns.yandex.com/
Nice for Russia.
2017-06-23 14:30:57 +02:00
Angristan
d712e15795
Support OpenSSL 1.1.0 DH generation
...
Fixes dh.pem gen on Debian 9 and Arch Linux
https://github.com/Angristan/OpenVPN-install/issues/64
https://github.com/Angristan/OpenVPN-install/issues/74
https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#openssl-issues
2017-06-18 21:12:25 +02:00
Angristan
5d40c041dd
More proper remove
...
openvpn-blacklist isn't installed with Debian 9.
2017-06-18 21:07:15 +02:00
Angristan
823ff21fcc
Add support for Ubuntu 17.04
2017-05-07 23:56:19 +02:00
DrXala
fa9e5235f9
Close Angristan/OpenVPN-install#46
...
This patch is for Angristan/OpenVPN-install#46
2017-04-23 12:43:33 +02:00
Seeder101
89925cbbe8
Update openvpn-install.sh
...
change sould to should and correct adress to address in line 195
2016-12-11 16:03:40 +03:00
Seeder101
e548a61dcc
Update openvpn-install.sh
...
change sould to should
2016-12-11 15:58:06 +03:00
Angristan
316ecfe7f4
Use SHA-256 instead of SHA-384
...
Following 693bd13fa7
2016-12-11 12:11:11 +01:00
Angristan
7a5bb93cbe
AES-256 is not necessarily the most secure cipher
...
Indeed, it it most vulnerable to Timing Attacks : https://en.wikipedia.org/wiki/Length_extension_attack
Also, AES 128 is secure enough for every one, so it's still the recommended cipher.
2016-12-04 17:21:41 +01:00
Angristan
56477bba34
The crypto update 🔐
...
- Removed "fast" and "slow" mode (not a good idea, I prefer to give the choice for the parameters directly)
- Corrected some confusion between the cipher for the data channel and the control channel, my bad.
- using TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 by default for the control channel
- using SHA384 by default for HMAC auth and RSA certificate
- giving the choice for the cipher of the data channel, the size of the DH key and the RSA Key
I will explain all my choices here : https://github.com/Angristan/OpenVPN-install#encryption (likely tomorrow)
2016-11-28 22:13:32 +01:00
Angristan
c03a55f11f
Making sure a correct DNS option is selected
2016-11-27 14:31:25 +01:00
TheKinrar
f76db9f589
Merge branch 'master' of https://github.com/TheKinrar/OpenVPN-install into TheKinrar-master
2016-11-26 16:13:02 +01:00
TheKinrar
f3ff29d6c7
rc.local fix
2016-11-25 18:25:37 +01:00
Angristan
17a9d76ae9
Remove ufw and MASQUERADE support
...
Not useful, badly implemented.
2016-11-25 00:59:03 +01:00
Angristan
218e474f85
Add logs
...
Can be useful.
2016-11-24 23:34:15 +01:00
Angristan
98ca79a9de
Move rc.local and sysctl installation after the confirmation
2016-11-24 20:28:49 +01:00
TheKinrar
358e80b5a6
sysctl fix, again.
2016-11-24 19:37:45 +01:00
TheKinrar
cc657fa459
Fixed rc.local and sysctl.conf files on ArchLinux
2016-11-24 18:07:23 +01:00
TheKinrar
9b261809eb
Automatically enable and start iptables on ArchLinux.
2016-11-22 19:55:17 +01:00
TheKinrar
6e2b5cb439
Added ArchLinux support.
2016-11-21 20:59:00 +01:00
Angristan
80dbca6e63
Add TCP support
...
There is now the choice to use TCP or UDP for OpenVPN protocol. You should always use UDP, but TCP can be useful sometimes : on lossy networks or to bypass some blockage
2016-11-21 19:57:52 +01:00
Angristan
662fe26f5b
I don't know why it wasn't like this from the beginning
2016-11-20 23:09:42 +01:00
Angristan
552709059e
Fix my previous commit
...
My bad.
2016-11-20 22:50:51 +01:00
Angristan
a09ef4868a
The user can choose to continue the installer even if its OS is not supported
...
At its own risk of course. But usefull if using Ubuntu beta or Debian unstable/testing
2016-11-20 22:47:23 +01:00
Angristan
903270be4b
Remove OpenNIC servers
...
Not consistant and can't really be trusted
2016-11-20 15:01:42 +01:00
Angristan
b0f271bc5f
Specify the location of the DNS servers
2016-11-20 14:52:47 +01:00
Angristan
3f58eb781c
Some cleanup
2016-11-20 14:22:08 +01:00
Angristan
7295627e67
Removing support for Ubuntu 15.10
...
Ubuntu 15.10 is not supported anymore since july 2016 : not safe to use it now
2016-10-20 14:33:16 +02:00
Angristan
fce638b552
Add support for Ubuntu 16.10 Yakketi Yak
2016-10-13 22:55:04 +02:00
Angristan
2c9701d477
Better way to enable IP forwarding
...
791c54786c
2016-10-04 17:34:11 +02:00
Angristan
aefb516958
Changed iptables to not lookup hosts
...
56f079289e
2016-10-04 17:31:35 +02:00
Kcchouette
87a191f8a1
Update openvpn-install.sh
2016-09-07 17:41:57 +02:00
Angristan
c8eed87ebd
Fix UFW error
2016-08-18 18:52:58 +02:00
Super-Baleine
a14809e7c3
delete read
2016-07-12 11:07:08 +02:00
Super-Baleine
72ca23e880
let the choice
...
because it's more clean
enhancement
2016-07-12 00:09:39 +02:00
Kcchouette
8550d3474c
fix the dns case error
2016-07-07 13:45:14 +02:00
Angristan
52f4e471bb
Add DNS.WATCH DNS resolvers
2016-06-11 00:32:08 +02:00
jtbr
52cae76873
fix typo
2016-06-10 14:36:22 +02:00
jtbr
b93a3369fb
Avoid inline comments in /etc/default/ufw; place pre-openvpn settings on new line
2016-06-10 14:33:26 +02:00
jtbr
eff3b83fe3
Support old clients that might not recognize blocking
2016-06-03 13:09:00 +02:00
jtbr
4a07541953
uninstall new firewalld rules
2016-05-17 05:55:27 +02:00
jtbr
a420a6cbcd
add firewalld configuration for masquerading and reorganize to ensure firewalld command ordering is safe
2016-05-17 05:44:47 +02:00
jtbr
4f8cad83cf
add ufw rule to allow traffic on chosen udp port
2016-05-17 05:29:31 +02:00
jtbr
e2b9f116d4
Add setup for ufw firewall when using MASQUERADE
2016-05-17 05:04:23 +02:00
jtbr
ff7a7a5c3d
Prevent DNS leaks on windows (v2.3.9+, ignored on other platforms)
2016-05-17 05:03:26 +02:00
jtbr
b910dbb9ec
clarify that the external address can be either an IP or a domain name
2016-05-10 22:50:58 +00:00
jtbr
3c8a6a0469
Merge branch 'master' of https://github.com/jtbr/OpenVPN-install
...
Conflicts:
README.md
openvpn-install.sh
2016-05-10 22:34:51 +00:00
jtbr
ecf2a3ed81
Undo TLS-CIPHER changes in f376ce91
in deference to harvester57's pull request
2016-05-10 22:30:38 +00:00
jtbr
2d39183284
Revert "my personal preferences, and limit 3 simultaneous clients"
...
This reverts commit 804c7aa9ed
.
2016-05-10 22:30:38 +00:00
jtbr
de648aaa83
my personal preferences, and limit 3 simultaneous clients
2016-05-10 22:30:38 +00:00
jtbr
73eb665b82
merging readme changes
2016-05-10 22:29:43 +00:00
jtbr
868eea3477
Support ios openvpn connect using CBC, SHA128 tls-cipher. Update readme.
2016-05-10 22:21:52 +00:00
jtbr
30958ac55e
this time actually fix the quoting issue for ip option 3
2016-05-10 22:21:52 +00:00
jtbr
3e913ea286
enable tls-auth and perfect forwarding secrecy
2016-05-10 22:21:52 +00:00
jtbr
891951fec8
run openvpn unprivileged
2016-05-10 22:21:52 +00:00
jtbr
950e307fbf
fix dns option 3 with single quotes
2016-05-10 22:21:52 +00:00
jtbr
5824365ebc
support either nogroup or nobody for permissionless group
2016-05-07 22:58:18 +02:00
Angristan
2f541b5399
Ubuntu 16.04 compatibility
2016-05-06 20:32:34 +02:00
jtbr
4baf845e36
Undo TLS-CIPHER changes in f376ce91
in deference to harvester57's pull request
2016-04-29 20:00:09 +00:00
jtbr
d87e87036f
Revert "my personal preferences, and limit 3 simultaneous clients"
...
This reverts commit 804c7aa9ed
.
2016-04-20 22:55:25 +00:00
jtbr
804c7aa9ed
my personal preferences, and limit 3 simultaneous clients
2016-04-12 10:16:58 +00:00
jtbr
2fe0fa2062
Allow forwarding using either SNAT or MASQUERADE (as required by some setups)
2016-04-12 10:05:28 +00:00
jtbr
f376ce912f
Support ios openvpn connect using CBC, SHA128 tls-cipher. Update readme.
2016-04-12 09:38:14 +00:00
jtbr
a65523eb1c
this time actually fix the quoting issue for ip option 3
2016-04-10 19:45:33 +02:00
jtbr
b3fb14bcb4
enable tls-auth and perfect forwarding secrecy
2016-04-10 18:53:29 +02:00
jtbr
d844154a45
run openvpn unprivileged
2016-04-10 18:36:15 +02:00
jtbr
01003c88f8
fix dns option 3 with single quotes
2016-04-10 18:26:49 +02:00
Florian STOSSE
9aeb5b7c47
Remove old fix
...
This fix was intended to overcome hardcoded buffers values in old OpenVPN revisions (see https://www.lowendtalk.com/discussion/40099/why-openvpn-is-so-slow-cool-story ). This is not needed anymore, as OpenVPN now use OS buffers (see https://community.openvpn.net/openvpn/ticket/461 and https://community.openvpn.net/openvpn/changeset/c72dbb8b470ab7b25fc74e41aed4212db48a9d2f/ ). It should lead to better performances over fast networks.
Signed-off-by: Florian STOSSE <contact@harvester.fr>
2016-03-22 11:47:24 +01:00
Angristan
6b4c00c394
Clarification for NAT
2016-03-21 21:43:34 +01:00
Angristan
21d8f78f4f
Disable compression
2016-03-21 17:43:48 +01:00
Harvester
bf97d67f26
Revert ciphers
...
My bad !
2016-03-21 17:13:36 +01:00
Harvester
787784058a
Disable compression client-side too
2016-03-21 16:18:18 +01:00
Florian Stosse
064c5bfe4a
Typo
...
OpenVPN doesn't really like the way it was written
2016-03-21 13:30:17 +01:00
Florian Stosse
1a73a20240
Also change tls-cipher for clients
2016-03-21 13:26:37 +01:00
Florian Stosse
b15cd6cf81
Add more than one cipogers to tls-cipher
...
Just in case we need to fallback or downgrade
2016-03-21 13:20:35 +01:00
Florian Stosse
8b89b1743c
Disable compression
...
For a hardened OpenVPN configuration, compression should be disabled : https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575
2016-03-21 13:13:57 +01:00
Angristan
faaa48d372
Fix ca-certificates errors
2016-03-19 22:51:00 +01:00
Angristan
1bf105e809
The BIG update
...
Deleted latest and legacy mode
Use OpenVPN 2.3.10 with custom repo
Add a check at start for Debian/Ubuntu
Fast mode with 2048 bits RSA and DH, 128 bits AES, SHA-256 certificate
Slow mode with 4096 bits RSA and DH, 256 bits AES, SHA-384 certificate
AES-256-CBC and SHA512 for HMAC auth
Add OpenNIC as a DNS option + GeoIP API
Delete NTT and Huricane Electric DNS
Other improvements
2016-03-19 17:41:18 +01:00
Angristan
157c27512a
Combine latest and legacy version
2016-03-15 19:11:35 +01:00
Angristan
4fef7869d9
Fix which bug on CentOS 7 minimal
...
7fb12dc5cb
2016-03-14 21:37:14 +01:00
Angristan
1be02be239
TAP is not needed
2016-03-14 21:22:08 +01:00
Angristan
cbc7abc3dd
Clarifies that it supports Scaleway NATed servers
2016-03-14 18:03:02 +01:00
Angristan
48252378ff
Revert changes
2016-03-13 20:47:18 +01:00
Angristan
f49f187de2
Install which
2016-03-13 19:21:58 +01:00
Angristan
e9d6191925
Set FDN as default DNS
2016-03-13 15:13:46 +01:00
Angristan
f22fbc3cf0
No need to cp vars.example
2016-03-10 13:17:07 +01:00
Angristan
9b8ad887c3
New cipher
2016-03-09 22:59:03 +01:00
Angristan
5bc1d8e37a
Add 4096 bits DH
2016-03-09 21:11:13 +01:00
Angristan
85c466e634
Remove 4096 bits DH
2016-03-09 21:10:41 +01:00
Angristan
a7e89ed0dd
Add 4096 bits DH
2016-03-09 21:08:24 +01:00
Angristan
9146fd5523
Reorder DNS Servers
2016-03-08 23:53:30 +01:00
Angristan
1614923b1a
TLS 1.2 only
2016-03-08 23:15:52 +01:00
Angristan
0ac534115a
Use real encryption : AES-256-CBC
2016-03-08 17:40:22 +01:00
Angristan
6463979cc7
Update openvpn-install.sh
2016-03-08 17:12:09 +01:00
Angristan
efdd53c79f
Remove logs and add FDN's DNS servers
2016-02-29 17:47:01 +01:00
Angristan
8d95e922ce
update from source with latest commits
2016-02-27 10:52:51 +01:00
Angristan
c428975b66
Delete logs
2015-12-25 22:17:51 +01:00
angrysnarl
a1b57a1c31
Fixed rm -rf commands for revoking user certs
2015-12-16 00:15:08 +08:00
Nyr
0df84e4541
Fix #105
2015-12-14 22:36:40 +01:00
Nyr
e58addc2c5
Verify server certificate during easy-rsa download
2015-11-24 23:04:56 +01:00
Nyr
d55effb08c
Update to easy-rsa 3.0.1
2015-11-21 15:35:51 +01:00
Nyr
73da43b872
Merge pull request #88 from ValdikSS/buf
...
Do not allow OpenVPN to set (low) buffer sizes
2015-11-15 19:36:15 +01:00
Nyr
51998f0d56
Merge pull request #87 from ValdikSS/euid
...
Use EUID to check root
2015-11-15 19:35:26 +01:00
ValdikSS
0265fc0e06
Use different exit codes on error
2015-11-15 13:37:22 +03:00
ValdikSS
15a39afd11
Do not allow OpenVPN to set (low) buffer sizes
2015-11-15 13:36:20 +03:00
ValdikSS
2574097eb4
Use EUID to check root
2015-11-15 13:34:19 +03:00
Nyr
d32416561b
Grep for DROP as well as REJECT
2015-10-07 19:57:04 +02:00
Nyr
eb8d8257a0
The BIG commit
...
- Upgrade to easy-rsa 3.0.0
- Firewall support: rules are added for both FirewallD and iptables if
needed.
- Creation of our own configuration files for both the server and
clients.
- Using subnet topology instead of the deprecated net30.
- Removed port 53 question during install: user can just choose that
port during setup.
- Removed internal networking option: this is a road warrior installer
after all.
- Bugfix: the default easy-rsa directory was not correctly deleted if
one was already there.
2015-09-12 21:48:08 +02:00
Nyr
b46a0541dd
Replaced Yandex DNS with Google
...
Yandex DNS is not stable enough, Google was previously missing.
2015-08-05 02:17:24 +02:00
Hyacinthe Cartiaux
91e09dedf1
Remove a useless use of wc
2015-08-01 20:27:30 +02:00
Nyr
7d467d9666
Multiple improvements
...
- Better UX for client certificate revocation: a list of the current
client names is shown to the user
- easy-rsa 2.2.2 now used by default: it’s easier for me to maintain a
single version
2015-07-22 08:02:59 +02:00
Nyr
b778c1aed9
Cosmetic bugfix
2015-06-29 09:23:44 +02:00
Nyr
cf48ecd3b0
Bugfixes
...
- Little fix for Debian Jessie
- Better systemd detection
- Fixed revocation on CentOS
2015-04-28 18:35:54 +02:00
Nyr
68b5ff7e99
Revert "Cleaner port 53 setup"
...
This reverts commit fb036d575b
.
2015-03-10 10:44:47 +01:00
Nyr
fb036d575b
Cleaner port 53 setup
2015-02-16 17:33:22 +01:00
Nyr
fad088013c
CentOS support and other improvements
2015-02-11 19:51:19 +01:00
Nyr
a256194ecb
Add feedback during removal abortion
2015-01-25 20:45:07 +01:00
Nyr
98b39e7354
Added a confirmation dialog before removing
2015-01-21 03:03:14 +01:00
Nyr
6d4af520b8
Bugfix for systems with a non-standard rc.local
2014-11-07 00:53:28 +01:00
Nyr
215140b682
Options for custom DNS and intra-VPN connectivity
2014-11-04 21:57:36 +01:00
Nyr
2174037768
Now using in-line certificates
2014-10-23 03:16:09 +02:00
Nyr
091e487472
Cleanup
2014-10-23 00:19:08 +02:00
Nyr
936a8b8ff0
Removed useless cat
2014-09-25 04:00:32 +02:00
Nyr
091ef01a8b
Bug fix + future bulletproofness
...
- Use always double [[]] blocks (bug fix for the test at line 208 under
some circumstances)
- bash shell is now forced
- All variables are now quoted
2014-09-18 23:34:22 +02:00
Nyr
afb30c44da
Now using resolvers from resolv.conf
...
This will help with some ISPs restricting access to third party DNS
servers like it happens with LowEndSpirit and Torqhost.
2014-05-15 18:20:53 +02:00
Nyr
c72a4d2b5e
Bugfix: port redirect wasn't correctly set when a custom port was in place
2014-03-12 21:14:38 +01:00
Nyr
a69dae3021
Check if the script is running on a Debian-based system before starting
...
Fixed some spacing too
2014-03-12 21:06:57 +01:00
Nyr
6d89279940
Bugfix for systems with multiple IPv4 addresses available
2013-12-20 18:50:30 +01:00
Nyr
ee9750a210
Use Easy-RSA 2.2.2 instead of the master branch with Debian Jessie and Ubuntu Saucy
...
This was needed for Debian Jessie, but using always the latest Easy-RSA
was a bad idea.
I will force Easy-RSA 2.2.2 for now and until Jessie becomes stable.
Then we can probably just use the distro packages instead of Github,
but for now this will work.
2013-12-19 22:09:20 +01:00
Nyr
b30130b506
Bugfixes
...
- easy-rsa was downloaded from Github even on systems where it was available by default.
- easy-rsa.tar.gz is now removed when no longer needed.
2013-10-04 19:04:12 +02:00
Nyr
6c22c657f7
Update openvpn-install.sh
2013-08-22 17:00:53 +02:00
Nyr
2533e2e113
Bugfix: routes not being pushed
2013-08-05 00:58:43 +02:00
Nyr
0eda63842c
Remove temporary files when they are no longer needed
2013-08-04 14:22:02 +02:00
Nyr
31040f475a
2048 bit keys by default and Debian Jessie compatibility
2013-08-04 14:11:38 +02:00
Nyr
730691c8a1
Various bugfixes and improvements
...
- Assisted configuration for servers behind a NAT
- Better IP autodetection
- Fix certificate revocation
2013-07-07 21:28:08 +02:00
Nyr
ce8077f048
Bugfix: better IPv4 autodetection on some IPv6 enabled servers
2013-05-14 22:05:53 +02:00
Nyr
4f631dab20
Bugfix: iptables were incorrectly positioned on /etc/rc.local
2013-05-14 20:59:03 +02:00
Nyr
c0adc8c75b
Added option for client certificate revocation
2013-05-14 17:41:53 +02:00
Nyr
e95049a76a
First commit
2013-05-14 14:04:19 +02:00