From 01003c88f8059f18f33361d8c190484c4c7b08e9 Mon Sep 17 00:00:00 2001
From: jtbr <jtbriggs@gmail.com>
Date: Sun, 10 Apr 2016 18:26:49 +0200
Subject: [PATCH 01/20] fix dns option 3 with single quotes

---
 openvpn-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 14f3698..364f33c 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -315,8 +315,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 		read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
 		echo -e "nameserver $ns1
 		nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
-		echo "push "dhcp-option DNS $ns1"" >> /etc/openvpn/server.conf
-		echo "push "dhcp-option DNS $ns2"" >> /etc/openvpn/server.conf
+		echo 'push "dhcp-option DNS $ns1"' >> /etc/openvpn/server.conf
+		echo 'push "dhcp-option DNS $ns2"' >> /etc/openvpn/server.conf
 		;;
 		4) #OpenDNS 
 		echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf

From d844154a4555dc4e20b46ac33bf34bbece0c5414 Mon Sep 17 00:00:00 2001
From: jtbr <jtbriggs@gmail.com>
Date: Sun, 10 Apr 2016 18:36:15 +0200
Subject: [PATCH 02/20] run openvpn unprivileged

---
 openvpn-install.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 364f33c..89ffa7a 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -275,6 +275,8 @@ set_var EASYRSA_DIGEST "sha384"" > vars
 	./easyrsa gen-crl
 	# Move the stuff we need
 	cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
+	# Make cert revocation list readable for non-root
+	chmod 644 /etc/openvpn/crl.pem
 	# Generate server.conf
 	echo "port $PORT
 proto udp
@@ -283,6 +285,8 @@ ca ca.crt
 cert server.crt
 key server.key
 dh dh.pem
+user nobody
+group nogroup
 topology subnet
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
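Review bot: `group nogroup` is Debian-specific; on CentOS/RHEL the unprivileged group is `nobody`, so with the `user`/`group` drop this hunk introduces OpenVPN will fail to start there. Detect the name instead of fixing it, e.g. `if getent group nogroup >/dev/null; then NOGROUP=nogroup; else NOGROUP=nobody; fi` before the config is written and `group $NOGROUP` inside it; patch 10/20 does the same with a grep on /etc/group. Dropping privileges also depends on `persist-key`/`persist-tun` being present so the daemon survives SIGUSR1 restarts; later patches in this series show both directives already in server.conf. The multi-line `echo` this hunk extends begins in the previous hunk, and the hunk reappears unchanged in patch 12/20.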

From b3fb14bcb484fe3e641104b3915c7d54578a6ee2 Mon Sep 17 00:00:00 2001
From: jtbr <jtbriggs@gmail.com>
Date: Sun, 10 Apr 2016 18:53:29 +0200
Subject: [PATCH 03/20] enable tls-auth and perfect forwarding secrecy

---
 openvpn-install.sh | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 89ffa7a..661ebf5 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -56,6 +56,10 @@ newclient () {
 	echo "<key>" >> ~/$1.ovpn
 	cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
 	echo "</key>" >> ~/$1.ovpn
+	echo "key-direction 1" >> ~/$1.ovpn
+	echo "<tls-auth>" >> ~/$1.ovpn
+	cat /etc/openvpn/tls-auth.key >> ~/$1.ovpn
+	echo "</tls-auth>" >> ~/$1.ovpn
 }
 
 
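Review bot: The four added lines append the shared tls-auth secret to `~/$1.ovpn`, but nothing in newclient sets a restrictive mode on that file, so the static key (and the client private key already embedded above it) get whatever the default umask allows. Add `chmod 600 ~/"$1".ovpn` after the last append, and quote `"$1"` in the new lines since it comes from the `CLIENT` prompt. `key-direction 1` here pairs correctly with the `tls-auth tls-auth.key 0` this same patch adds to server.conf. The newclient header sits just above the hunk; the hunk reappears unchanged in patch 13/20.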
@@ -273,6 +277,8 @@ set_var EASYRSA_DIGEST "sha384"" > vars
 	./easyrsa build-server-full server nopass
 	./easyrsa build-client-full $CLIENT nopass
 	./easyrsa gen-crl
+	# generate tls-auth key
+	openvpn --genkey --secret /etc/openvpn/tls-auth.key
 	# Move the stuff we need
 	cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
 	# Make cert revocation list readable for non-root
@@ -334,7 +340,9 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 	echo "keepalive 10 120
 persist-key
 persist-tun
-crl-verify crl.pem" >> /etc/openvpn/server.conf
+crl-verify crl.pem
+tls-server
+tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 	# Enable net.ipv4.ip_forward for the system
 	if [[ "$OS" = 'debian' ]]; then
 		sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
@@ -425,7 +433,8 @@ persist-tun
 remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
-tls-version-min 1.2" > /etc/openvpn/client-common.txt
+tls-version-min 1.2
+tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		# Or if the user selected a non-existant variant, we fallback to fast

From a65523eb1c289d5434212b987a530dc152924663 Mon Sep 17 00:00:00 2001
From: jtbr <jtbriggs@gmail.com>
Date: Sun, 10 Apr 2016 19:45:33 +0200
Subject: [PATCH 04/20] this time actually fix the quoting issue for ip option
 3

---
 openvpn-install.sh | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 661ebf5..1e3a87d 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -323,10 +323,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 		3) #OpenNIC
 		#Getting the nearest OpenNIC servers using the geoip API
 		read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
-		echo -e "nameserver $ns1
-		nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
-		echo 'push "dhcp-option DNS $ns1"' >> /etc/openvpn/server.conf
-		echo 'push "dhcp-option DNS $ns2"' >> /etc/openvpn/server.conf
+		echo "push \"dhcp-option DNS $ns1\"" >> /etc/openvpn/server.conf
+		echo "push \"dhcp-option DNS $ns2\"" >> /etc/openvpn/server.conf
 		;;
 		4) #OpenDNS 
 		echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
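Review bot: Besides the quoting fix, the hunk silently drops the write of `nameserver $ns1`/`$ns2` into `/etc/resolv.conf`, which the subject does not mention; if no longer touching host DNS is intended it deserves a word in the message. The new lines also still trust the curl result unconditionally: with `-s` and no `-f` or timeout, an API failure leaves `ns1`/`ns2` empty and writes `push "dhcp-option DNS "` into server.conf, which OpenVPN will most likely reject at startup. Guard before the echoes, e.g. `[[ -n "$ns1" && -n "$ns2" ]] || { echo "Could not fetch OpenNIC servers" >&2; exit 1; }`, or fall back to one of the static DNS choices. The `3)` case arm starts above the hunk; the hunk reappears unchanged in patch 14/20.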

From f376ce912f3aec0d0537228e38d9cad40bb8d824 Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Tue, 12 Apr 2016 09:38:14 +0000
Subject: [PATCH 05/20] Support ios openvpn connect using CBC, SHA128
 tls-cipher. Update readme.

---
 README.md          | 9 ++++++---
 openvpn-install.sh | 5 +++--
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index f049bb1..6205db2 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,9 @@ This fork includes :
 - Better encryption (see below)
 - TLS 1.2 only
 - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
+- Run server in unprivileged mode, reducing risks to the system
+- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
+- [Perfect forward secrecy](http://en.wikipedia.org/wiki/Forward_secrecy)
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
@@ -30,12 +33,12 @@ Features :
 - 256 bits AES-GCM
 - SHA-384 RSA certificate
 
-### Fast (lower encryption)
+### Fast (lower encryption, supports openvpn connect [ios/android] clients)
 Features :
 - 2048 bits RSA private key
 - 2048 bits Diffie-Hellman key
-- 128 bits AES-GCM
-- SHA-256 RSA certificate
+- 128 bits AES-CBC
+- SHA-128 RSA certificate
 
 ## Compatibility
 
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 1e3a87d..d4f2b30 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -302,7 +302,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		# Or if the user selected a non-existant variant, we fallback to fast
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
+		# iOS OpenVPN connect doesn't support GCM or SHA256, use next best
+		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
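Review bot: The new comment says the fallback avoids `SHA256`, but the suite it selects, `TLS-DHE-RSA-WITH-AES-128-CBC-SHA`, uses SHA-1 for the TLS MAC, and the README hunk in this same patch calls it "SHA-128", which is not a hash. Name the trade-off precisely so the downgrade is a conscious choice: `# iOS OpenVPN Connect lacks GCM/SHA-256 suites: control channel falls back to AES-128-CBC with SHA-1 MAC`, and note that the data-channel `cipher`/`auth` directives written elsewhere in the config are, as far as this hunk shows, unaffected. The second hunk of this patch makes the identical change in client-common.txt and should carry the same comment; the whole patch reappears as 15/20.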
@@ -436,7 +437,7 @@ tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		# Or if the user selected a non-existant variant, we fallback to fast
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
+		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt

From 2fe0fa2062428cdcdb29f59588af7b165fc3694d Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Tue, 12 Apr 2016 10:05:28 +0000
Subject: [PATCH 06/20] Allow forwarding using either SNAT or MASQUERADE (as
 required by some setups)

---
 README.md          |  1 +
 openvpn-install.sh | 23 +++++++++++++++++------
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 6205db2..02695af 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ This fork includes :
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
+- Support for either SNAT or MASQUERADE for forwarding
 - Every feature of the [original script](https://github.com/Nyr/openvpn-install) (I check periodically to sync the latest commits from source)
 
 ## Variants
diff --git a/openvpn-install.sh b/openvpn-install.sh
index d4f2b30..c390bfb 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -145,7 +145,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 					sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
 					sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
 				fi
-				sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
+				sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 /d' $RCLOCAL
 				if hash sestatus 2>/dev/null; then
 					if sestatus | grep "Current mode" | grep -qs "enforcing"; then
 						if [[ "$PORT" != '1194' ]]; then
@@ -204,6 +204,14 @@ else
 	echo "   5) Google"
 	read -p "DNS [1-6]: " -e -i 2 DNS
 	echo ""
+	echo "Some setups (e.g. Amazon Web Services), require use of MASQUERADE rather than SNAT"
+	echo "Which forwarding method do you want to use [if unsure, leave as default]?"
+	echo "   1) SNAT (default)"
+	echo "   2) MASQUERADE"
+	while [[ $FORWARD_TYPE !=  "1" && $FORWARD_TYPE != "2" ]]; do
+		read -p "Forwarding type: " -e -i 1 FORWARD_TYPE
+	done
+	echo ""
 	echo "Finally, tell me your name for the client cert"
 	echo "Please, use one word only, no special characters"
 	read -p "Client name: " -e -i client CLIENT
@@ -301,8 +309,7 @@ auth SHA512
 tls-version-min 1.2" > /etc/openvpn/server.conf
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
-		# Or if the user selected a non-existant variant, we fallback to fast
-		# iOS OpenVPN connect doesn't support GCM or SHA256, use next best
+		# iOS OpenVPN connect doesn't support GCM or SHA256; use next best
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
@@ -356,8 +363,13 @@ tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 	# Avoid an unneeded reboot
 	echo 1 > /proc/sys/net/ipv4/ip_forward
 	# Set NAT for the VPN subnet
-	iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
-	sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
+	if [[ "$FORWARD_TYPE" = '1' ]]; then
+		iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
+		sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
+	else
+		iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+		sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" $RCLOCAL
+	fi
 	if pgrep firewalld; then
 		# We don't use --add-service=openvpn because that would only work with
 		# the default port. Using both permanent and not permanent rules to
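Review bot: The MASQUERADE branch hard-codes `-o eth0`, both for the live rule and for the line persisted in `$RCLOCAL`; on hosts with predictable interface names (ens3, enp0s3) or cloud images without eth0 the rule never matches and forwarding silently fails, and the AWS setups the new prompt mentions are a common case. Derive the egress interface once, e.g. `NIC=$(ip -4 route show default | awk '{print $5; exit}')`, and use `-o "$NIC"` in both lines, or drop `-o` altogether since `-s 10.8.0.0/24` already scopes the rule. `$IP` and `$RCLOCAL` stay unquoted in both branches, as in the line being replaced. The hunk reappears unchanged in patch 16/20.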
@@ -436,7 +448,6 @@ tls-version-min 1.2
 tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
-		# Or if the user selected a non-existant variant, we fallback to fast
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version

From 804c7aa9ed91433a83749c64ad2ec47f22fc968f Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Tue, 12 Apr 2016 10:16:58 +0000
Subject: [PATCH 07/20] my personal preferences, and limit 3 simultaneous
 clients

---
 openvpn-install.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index c390bfb..8971360 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -348,7 +348,10 @@ persist-key
 persist-tun
 crl-verify crl.pem
 tls-server
-tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
+tls-auth tls-auth.key 0
+status openvpn-status.log
+max-clients 3
+verb 3" >> /etc/openvpn/server.conf
 	# Enable net.ipv4.ip_forward for the system
 	if [[ "$OS" = 'debian' ]]; then
 		sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
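Review bot: `max-clients 3` is a silent hard cap that the script neither prompts for nor comments, so a fourth user simply fails to connect with no hint in the installer; if it stays, at least annotate it, `# limit concurrent clients (edit server.conf to raise)`, or make it a prompt like the DNS and forwarding choices. `status openvpn-status.log` is a path relative to the daemon's working directory, which this hunk does not establish; confirm it resolves to /etc/openvpn under the init system in use. Patch 08/20 reverts this commit, and the same hunk reappears as patch 17/20.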
@@ -445,7 +448,8 @@ remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
 tls-version-min 1.2
-tls-client" > /etc/openvpn/client-common.txt
+tls-client
+verb 3" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt

From d87e87036f276234a26bfd49c81caa7648bba349 Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Wed, 20 Apr 2016 22:55:25 +0000
Subject: [PATCH 08/20] Revert "my personal preferences, and limit 3
 simultaneous clients"

This reverts commit 804c7aa9ed91433a83749c64ad2ec47f22fc968f.
---
 openvpn-install.sh | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 8971360..c390bfb 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -348,10 +348,7 @@ persist-key
 persist-tun
 crl-verify crl.pem
 tls-server
-tls-auth tls-auth.key 0
-status openvpn-status.log
-max-clients 3
-verb 3" >> /etc/openvpn/server.conf
+tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 	# Enable net.ipv4.ip_forward for the system
 	if [[ "$OS" = 'debian' ]]; then
 		sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
@@ -448,8 +445,7 @@ remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
 tls-version-min 1.2
-tls-client
-verb 3" > /etc/openvpn/client-common.txt
+tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt

From 4baf845e36960c06d5e0aa511813c7b559c1f2dc Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Fri, 29 Apr 2016 20:00:09 +0000
Subject: [PATCH 09/20] Undo TLS-CIPHER changes in f376ce91 in deference to
 harvester57's pull request

---
 README.md          | 7 +++----
 openvpn-install.sh | 5 ++---
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 02695af..26521cc 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,6 @@ This fork includes :
 - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
 - Run server in unprivileged mode, reducing risks to the system
 - TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
-- [Perfect forward secrecy](http://en.wikipedia.org/wiki/Forward_secrecy)
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
@@ -34,12 +33,12 @@ Features :
 - 256 bits AES-GCM
 - SHA-384 RSA certificate
 
-### Fast (lower encryption, supports openvpn connect [ios/android] clients)
+### Fast (lower encryption)
 Features :
 - 2048 bits RSA private key
 - 2048 bits Diffie-Hellman key
-- 128 bits AES-CBC
-- SHA-128 RSA certificate
+- 128 bits AES-GCM
+- SHA-256 RSA certificate
 
 ## Compatibility
 
diff --git a/openvpn-install.sh b/openvpn-install.sh
index c390bfb..1222024 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -309,8 +309,7 @@ auth SHA512
 tls-version-min 1.2" > /etc/openvpn/server.conf
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
-		# iOS OpenVPN connect doesn't support GCM or SHA256; use next best
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
+		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
@@ -448,7 +447,7 @@ tls-version-min 1.2
 tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
+		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt

From 5824365ebc9bd59072991a809066d9949fc09e0d Mon Sep 17 00:00:00 2001
From: jtbr <jtbriggs@gmail.com>
Date: Sat, 7 May 2016 22:58:18 +0200
Subject: [PATCH 10/20] support either nogroup or nobody for permissionless
 group

---
 openvpn-install.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 1222024..7761112 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -253,6 +253,12 @@ else
 		yum install epel-release -y
 		yum install openvpn iptables openssl wget ca-certificates curl -y
 	fi
+	# find out if the machine uses nogroup or nobody for the permissionless group
+	if grep -qs "^nogroup:" /etc/group; then
+	        NOGROUP=nogroup
+	else
+        	NOGROUP=nobody
+	fi
 	
 	# An old version of easy-rsa was available by default in some openvpn packages
 	if [[ -d /etc/openvpn/easy-rsa/ ]]; then
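Review bot: Grepping `/etc/group` only sees local groups, so on a host whose groups come through NSS (LDAP, SSSD) the check can pick the wrong name; an NSS-aware lookup is `if getent group nogroup >/dev/null; then NOGROUP=nogroup; else NOGROUP=nobody; fi`. The two assignment lines are indented with spaces while the rest of the file uses tabs, and `user nobody` in the next hunk stays fixed while only the group becomes variable, which the comment could say explicitly. `NOGROUP` is consumed by the server.conf heredoc in the second hunk of this patch.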
@@ -300,7 +306,7 @@ cert server.crt
 key server.key
 dh dh.pem
 user nobody
-group nogroup
+group $NOGROUP
 topology subnet
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt

From 950e307fbfeb7a43b125f0434d586da5c4233435 Mon Sep 17 00:00:00 2001
From: jtbr <jtbriggs@gmail.com>
Date: Sun, 10 Apr 2016 18:26:49 +0200
Subject: [PATCH 11/20] fix dns option 3 with single quotes

---
 openvpn-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 0984f41..3940ab5 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -315,8 +315,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 		read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
 		echo -e "nameserver $ns1
 		nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
-		echo "push "dhcp-option DNS $ns1"" >> /etc/openvpn/server.conf
-		echo "push "dhcp-option DNS $ns2"" >> /etc/openvpn/server.conf
+		echo 'push "dhcp-option DNS $ns1"' >> /etc/openvpn/server.conf
+		echo 'push "dhcp-option DNS $ns2"' >> /etc/openvpn/server.conf
 		;;
 		4) #OpenDNS 
 		echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf

From 891951fec81fb3c1c391a64cd34a36d14298d24b Mon Sep 17 00:00:00 2001
From: jtbr <jtbriggs@gmail.com>
Date: Sun, 10 Apr 2016 18:36:15 +0200
Subject: [PATCH 12/20] run openvpn unprivileged

---
 openvpn-install.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 3940ab5..7a268dd 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -275,6 +275,8 @@ set_var EASYRSA_DIGEST "sha384"" > vars
 	./easyrsa gen-crl
 	# Move the stuff we need
 	cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
+	# Make cert revocation list readable for non-root
+	chmod 644 /etc/openvpn/crl.pem
 	# Generate server.conf
 	echo "port $PORT
 proto udp
@@ -283,6 +285,8 @@ ca ca.crt
 cert server.crt
 key server.key
 dh dh.pem
+user nobody
+group nogroup
 topology subnet
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt

From 3e913ea286dc364fd231896ba836f758eb38886f Mon Sep 17 00:00:00 2001
From: jtbr <jtbriggs@gmail.com>
Date: Sun, 10 Apr 2016 18:53:29 +0200
Subject: [PATCH 13/20] enable tls-auth and perfect forwarding secrecy

---
 openvpn-install.sh | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 7a268dd..edeea51 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -56,6 +56,10 @@ newclient () {
 	echo "<key>" >> ~/$1.ovpn
 	cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
 	echo "</key>" >> ~/$1.ovpn
+	echo "key-direction 1" >> ~/$1.ovpn
+	echo "<tls-auth>" >> ~/$1.ovpn
+	cat /etc/openvpn/tls-auth.key >> ~/$1.ovpn
+	echo "</tls-auth>" >> ~/$1.ovpn
 }
 
 
@@ -273,6 +277,8 @@ set_var EASYRSA_DIGEST "sha384"" > vars
 	./easyrsa build-server-full server nopass
 	./easyrsa build-client-full $CLIENT nopass
 	./easyrsa gen-crl
+	# generate tls-auth key
+	openvpn --genkey --secret /etc/openvpn/tls-auth.key
 	# Move the stuff we need
 	cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
 	# Make cert revocation list readable for non-root
@@ -334,7 +340,9 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 	echo "keepalive 10 120
 persist-key
 persist-tun
-crl-verify crl.pem" >> /etc/openvpn/server.conf
+crl-verify crl.pem
+tls-server
+tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 	# Enable net.ipv4.ip_forward for the system
 	if [[ "$OS" = 'debian' ]]; then
 		sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
@@ -425,7 +433,8 @@ persist-tun
 remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
-tls-version-min 1.2" > /etc/openvpn/client-common.txt
+tls-version-min 1.2
+tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		# Or if the user selected a non-existant variant, we fallback to fast

From 30958ac55edc8c4f580716665c7c01b34b644f16 Mon Sep 17 00:00:00 2001
From: jtbr <jtbriggs@gmail.com>
Date: Sun, 10 Apr 2016 19:45:33 +0200
Subject: [PATCH 14/20] this time actually fix the quoting issue for ip option
 3

---
 openvpn-install.sh | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index edeea51..78a61f5 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -323,10 +323,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 		3) #OpenNIC
 		#Getting the nearest OpenNIC servers using the geoip API
 		read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
-		echo -e "nameserver $ns1
-		nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
-		echo 'push "dhcp-option DNS $ns1"' >> /etc/openvpn/server.conf
-		echo 'push "dhcp-option DNS $ns2"' >> /etc/openvpn/server.conf
+		echo "push \"dhcp-option DNS $ns1\"" >> /etc/openvpn/server.conf
+		echo "push \"dhcp-option DNS $ns2\"" >> /etc/openvpn/server.conf
 		;;
 		4) #OpenDNS 
 		echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf

From 868eea34770bd23f26b22b3ad4af59bd854c9f96 Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Tue, 12 Apr 2016 09:38:14 +0000
Subject: [PATCH 15/20] Support ios openvpn connect using CBC, SHA128
 tls-cipher. Update readme.

---
 README.md          | 9 ++++++---
 openvpn-install.sh | 5 +++--
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 9015da3..2929311 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,9 @@ This fork includes :
 - Better encryption (see below)
 - TLS 1.2 only
 - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
+- Run server in unprivileged mode, reducing risks to the system
+- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
+- [Perfect forward secrecy](http://en.wikipedia.org/wiki/Forward_secrecy)
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
@@ -30,12 +33,12 @@ Features :
 - 256 bits AES-GCM
 - SHA-384 RSA certificate
 
-### Fast (lower encryption)
+### Fast (lower encryption, supports openvpn connect [ios/android] clients)
 Features :
 - 2048 bits RSA private key
 - 2048 bits Diffie-Hellman key
-- 128 bits AES-GCM
-- SHA-256 RSA certificate
+- 128 bits AES-CBC
+- SHA-128 RSA certificate
 
 ## Compatibility
 
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 78a61f5..4135fcf 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -302,7 +302,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		# Or if the user selected a non-existant variant, we fallback to fast
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
+		# iOS OpenVPN connect doesn't support GCM or SHA256, use next best
+		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
@@ -436,7 +437,7 @@ tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		# Or if the user selected a non-existant variant, we fallback to fast
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
+		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt

From 73eb665b822a25950859ab724456431b81b1b33b Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Tue, 10 May 2016 22:29:43 +0000
Subject: [PATCH 16/20] merging readme changes

---
 README.md          |  1 +
 openvpn-install.sh | 23 +++++++++++++++++------
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 2929311..af65106 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ This fork includes :
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
+- Support for either SNAT or MASQUERADE for forwarding
 - Every feature of the [original script](https://github.com/Nyr/openvpn-install) (I check periodically to sync the latest commits from source)
 
 ## Variants
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 4135fcf..ee21c50 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -145,7 +145,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 					sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
 					sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
 				fi
-				sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
+				sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 /d' $RCLOCAL
 				if hash sestatus 2>/dev/null; then
 					if sestatus | grep "Current mode" | grep -qs "enforcing"; then
 						if [[ "$PORT" != '1194' ]]; then
@@ -204,6 +204,14 @@ else
 	echo "   5) Google"
 	read -p "DNS [1-6]: " -e -i 2 DNS
 	echo ""
+	echo "Some setups (e.g. Amazon Web Services), require use of MASQUERADE rather than SNAT"
+	echo "Which forwarding method do you want to use [if unsure, leave as default]?"
+	echo "   1) SNAT (default)"
+	echo "   2) MASQUERADE"
+	while [[ $FORWARD_TYPE !=  "1" && $FORWARD_TYPE != "2" ]]; do
+		read -p "Forwarding type: " -e -i 1 FORWARD_TYPE
+	done
+	echo ""
 	echo "Finally, tell me your name for the client cert"
 	echo "Please, use one word only, no special characters"
 	read -p "Client name: " -e -i client CLIENT
@@ -301,8 +309,7 @@ auth SHA512
 tls-version-min 1.2" > /etc/openvpn/server.conf
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
-		# Or if the user selected a non-existant variant, we fallback to fast
-		# iOS OpenVPN connect doesn't support GCM or SHA256, use next best
+		# iOS OpenVPN connect doesn't support GCM or SHA256; use next best
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
@@ -356,8 +363,13 @@ tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 	# Avoid an unneeded reboot
 	echo 1 > /proc/sys/net/ipv4/ip_forward
 	# Set NAT for the VPN subnet
-	iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
-	sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
+	if [[ "$FORWARD_TYPE" = '1' ]]; then
+		iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
+		sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
+	else
+		iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+		sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" $RCLOCAL
+	fi
 	if pgrep firewalld; then
 		# We don't use --add-service=openvpn because that would only work with
 		# the default port. Using both permanent and not permanent rules to
@@ -436,7 +448,6 @@ tls-version-min 1.2
 tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
-		# Or if the user selected a non-existant variant, we fallback to fast
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version

From de648aaa83f71c4d79da1256993457076a118af3 Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Tue, 12 Apr 2016 10:16:58 +0000
Subject: [PATCH 17/20] my personal preferences, and limit 3 simultaneous
 clients

---
 openvpn-install.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index ee21c50..40970ef 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -348,7 +348,10 @@ persist-key
 persist-tun
 crl-verify crl.pem
 tls-server
-tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
+tls-auth tls-auth.key 0
+status openvpn-status.log
+max-clients 3
+verb 3" >> /etc/openvpn/server.conf
 	# Enable net.ipv4.ip_forward for the system
 	if [[ "$OS" = 'debian' ]]; then
 		sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
@@ -445,7 +448,8 @@ remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
 tls-version-min 1.2
-tls-client" > /etc/openvpn/client-common.txt
+tls-client
+verb 3" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt

From 2d39183284e180451da00f85afd5fae2d936462d Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Wed, 20 Apr 2016 22:55:25 +0000
Subject: [PATCH 18/20] Revert "my personal preferences, and limit 3
 simultaneous clients"

This reverts commit 804c7aa9ed91433a83749c64ad2ec47f22fc968f.
---
 openvpn-install.sh | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 40970ef..ee21c50 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -348,10 +348,7 @@ persist-key
 persist-tun
 crl-verify crl.pem
 tls-server
-tls-auth tls-auth.key 0
-status openvpn-status.log
-max-clients 3
-verb 3" >> /etc/openvpn/server.conf
+tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 	# Enable net.ipv4.ip_forward for the system
 	if [[ "$OS" = 'debian' ]]; then
 		sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
@@ -448,8 +445,7 @@ remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
 tls-version-min 1.2
-tls-client
-verb 3" > /etc/openvpn/client-common.txt
+tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt

From ecf2a3ed8125f689b3a34eca605fc036e3bbed22 Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Fri, 29 Apr 2016 20:00:09 +0000
Subject: [PATCH 19/20] Undo TLS-CIPHER changes in f376ce91 in deference to
 harvester57's pull request

---
 README.md          | 7 +++----
 openvpn-install.sh | 5 ++---
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index af65106..7d2db73 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,6 @@ This fork includes :
 - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
 - Run server in unprivileged mode, reducing risks to the system
 - TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
-- [Perfect forward secrecy](http://en.wikipedia.org/wiki/Forward_secrecy)
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
@@ -34,12 +33,12 @@ Features :
 - 256 bits AES-GCM
 - SHA-384 RSA certificate
 
-### Fast (lower encryption, supports openvpn connect [ios/android] clients)
+### Fast (lower encryption)
 Features :
 - 2048 bits RSA private key
 - 2048 bits Diffie-Hellman key
-- 128 bits AES-CBC
-- SHA-128 RSA certificate
+- 128 bits AES-GCM
+- SHA-256 RSA certificate
 
 ## Compatibility
 
diff --git a/openvpn-install.sh b/openvpn-install.sh
index ee21c50..7dd7e0f 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -309,8 +309,7 @@ auth SHA512
 tls-version-min 1.2" > /etc/openvpn/server.conf
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
-		# iOS OpenVPN connect doesn't support GCM or SHA256; use next best
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
+		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
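Review bot: The new `tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256` string is written twice, here for server.conf and again for client-common.txt in the hunk at -448, and the only comment explaining why a CBC suite had been chosen is removed without a replacement. Assigning the suite once, e.g. `TLS_CIPHER_FAST="TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"`, and writing `echo "tls-cipher $TLS_CIPHER_FAST"` in both places would keep the two files from drifting, since a server/client mismatch on this line fails the TLS handshake rather than degrading gracefully. A one-line comment such as `# control-channel suite only; the data-channel cipher is the same for both variants` would also help, because the only variant-dependent setting visible in the script is `tls-cipher`, while the README hunk in this same commit describes the fast variant as "128 bits AES-GCM" — the data channel still appears to be `cipher AES-256-CBC` in the client-common.txt context at -448, so that wording may mislead, though the server.conf cipher line itself is outside this hunk. The if/elif chain continues past the end of the hunk.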
@@ -448,7 +447,7 @@ tls-version-min 1.2
 tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
+		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt

From b910dbb9ec20142d6b7c2b3ffefe68a4b422407b Mon Sep 17 00:00:00 2001
From: jtbr <jtbr@github>
Date: Tue, 10 May 2016 22:50:58 +0000
Subject: [PATCH 20/20] clarify that the external address can be either an IP
 or a domain name

---
 openvpn-install.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index a0b58ae..7b33f04 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -430,9 +430,10 @@ tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 		echo ""
 		echo "Looks like your server is behind a NAT!"
 		echo ""
-		echo "If your server is NATed (e.g. LowEndSpirit, Scaleway), I need to know the external IP"
-		echo "If that's not the case, just ignore this and leave the next field blank"
-		read -p "External IP: " -e USEREXTERNALIP
+                echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
+                echo "then I need to know the address that can be used to access it from outside."
+                echo "If that's not the case, just ignore this and leave the next field blank"
+                read -p "External IP or domain name: " -e USEREXTERNALIP
 		if [[ "$USEREXTERNALIP" != "" ]]; then
 			IP=$USEREXTERNALIP
 		fi
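Review bot: The four added lines are indented with spaces while every neighbouring line in the block (the `echo ""` at -430 and the `if` that follows) uses tabs, so the hunk introduces mixed indentation; re-indent them with a tab. The `read` also lacks `-r`, so a backslash in the typed address is interpreted instead of stored: `read -r -p "External IP or domain name: " -e USEREXTERNALIP`. Since the prompt now invites a domain name, it is worth confirming where `IP` flows afterwards — the NAT block visible earlier on this page runs `iptables -j SNAT --to $IP`, which as far as I can tell needs a literal address rather than a hostname — and either validating the input or documenting that the NAT rule uses the auto-detected address instead. The enclosing if block starts before the hunk.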