octoleo/openvpn-install
1
1
Fork 0
mirror of https://github.com/namibia/openvpn-install.git synced 2024-11-18 02:05:12 +00:00
Code Issues Releases Activity
421d69e92d
openvpn-install/README.md
Angristan 421d69e92d Arch Linux + other changes
2016-11-26 17:20:56 +01:00

98 lines
4.4 KiB
Markdown
Raw Blame History

##openvpn-install
Secure OpenVPN installer for Debian, Ubuntu, ArchLinux and CentOS.
This script will let you setup your own secure VPN server in no more than a minute.
![](https://lut.im/xtTrl1R4if/j3j16qgomoL9JH9B)
##Fork
This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install).
I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and espicially better encryption. Nyr's original script uses mainly default parameters regarding encryption, which are not *bad*, but you can do a lot better with the latest versions of OpenVPN and have nearly state-of-the-art encryption.
Also, Nyr and myself clearly have not the same point of view regarding this script, that's why it's a fork.
The only drawback is that you need to use a recent version of OpenVPN, because some options are only availble since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed.
On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. If you can't upgrade your client (which is a security problem), use Nyr's script.
### Features
This fork includes the following features :
- Every feature of the [original script](https://github.com/Nyr/openvpn-install)
- Choice for UDP or TCP (UDP is still recommended)
- TLS 1.2 only
- Strong ciphers, DH keys and certificates keys. (see [variants](#variants)
- AES-256-CBC and SHA-512 encryption (instead of BF-128-CBC and SHA1)
- TLS-auth support : it adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification thus allowing an additional level of security above and beyond that provided by SSL/TLS. [source](https://openvpn.net/index.php/open-source/documentation/howto.html#security)
- Run server in unprivileged mode, reducing risks to the system
- [Avoid DNS leak on Windows 10](https://community.openvpn.net/openvpn/ticket/605)
- No comp-lzo [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575)
- [Arch Linux support](
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
- [DNS.WATCH DNS Servers](https://dns.watch/index)
- Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
- Other improvements
## Variants
When you lauch the script you will be asked to choose a mode. Both will work the same way, but *slow* has higher encryption settings, so it may slow down your connection and take more time to install.
If you're just using your VPN at home, you may choose "fast". But if you're often using public Wi-Fi or traveling a lot, you choose use *slow*.
FYI, "fast" is still more secured than default OpenVPN settings.
### Slow (high encryption)
Features :
- 4096 bits RSA private key
- 4096 bits Diffie-Hellman key
- 256 bits AES-GCM
- SHA-384 RSA certificate
### Fast (lower encryption)
Features :
- 2048 bits RSA private key
- 2048 bits Diffie-Hellman key
- 128 bits AES-GCM
- SHA-256 RSA certificate
## Compatibility
The script is made to work on these OS :
- Debian 7
- Debian 8
- Ubuntu 12.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 16.10
- CentOS 6
- CentOS 7
- Arch Linux
##Installation
**You have to enable the TUN module otherwise OpenVPN won't work.** Ask your host if you don't know how to do it. If the TUN module is not enabled, the script will tell you.
Run the script and follow the assistant:
```
wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
```
Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.
![](https://lut.im/Z8xfJ8WqyO/3JoPmJK8VRp6zwOE)
You can get a cheap VPS for 3€/month at [PulseHeberg](https://goo.gl/oBhgaj).
## Credits & Licence
Thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors)
[Old repo](https://github.com/Angristan/OpenVPN-install-fork-old)
[MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install/master/LICENSE)
View Git Blame Copy Permalink