earl/openvpn-install
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add compression support

Browse Source 
It is disabled by default.
This commit is contained in:
angristan 2018-09-22 14:07:51 +02:00
parent 7ed823cdf2
commit b898a99485
2 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -43,7 +43,7 @@ In your home directory, you will have `.ovpn` files. These are the client config
- Choice to use a self-hosted resolver with Unbound (supports already existing Unboud installations) - Choice to use a self-hosted resolver with Unbound (supports already existing Unboud installations)
- Choice between TCP and UDP - Choice between TCP and UDP
- NATed IPv6 support - NATed IPv6 support
- Compression disabled to prevent VORACLE - Compression disabled by default to prevent VORACLE. LZ4 and LZ0 algorithms available otherwise.
- Unprivileged mode: run as `nobody`/`nogroup` - Unprivileged mode: run as `nobody`/`nogroup`
- Block DNS leaks on Windows 10 - Block DNS leaks on Windows 10
- Randomized server certificate name - Randomized server certificate name

29
openvpn-install.sh
View File

@ -251,6 +251,27 @@ function installOpenVPN () {
fi fi
done done
echo "" echo ""
echo "Do you want to use compression? It is not recommended since the VORACLE attack make use of it."
until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do
read -p "Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
done
if [[ $COMPRESSION_ENABLED == "y" ]];then
echo "Choose which compression algorithm you want to use:"
echo " 1) LZ4 (faster)"
echo " 2) LZ0 (use for OpenVPN 2.3 compatibility)"
until [[ $COMPRESSION_CHOICE =~ [1-2] ]]; do
read -p "Compression algorithm [1-2]: " -e -i 1 COMPRESSION_CHOICE
done
case $COMPRESSION_CHOICE in
1)
COMPRESSION_ALG="lz4"
;;
2)
COMPRESSION_ALG="lzo"
;;
esac
fi
echo ""
echo "Do you want to customize encryption settings?" echo "Do you want to customize encryption settings?"
echo "Unless you know what you're doing, you should stick with the default parameters provided by the script." echo "Unless you know what you're doing, you should stick with the default parameters provided by the script."
echo "Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)" echo "Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)"
@ -468,6 +489,10 @@ push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
fi fi
if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "compress $COMPRESSION_ALG" >> /etc/openvpn/server.conf
fi
echo "crl-verify crl.pem echo "crl-verify crl.pem
ca ca.crt ca ca.crt
cert $SERVER_NAME.crt cert $SERVER_NAME.crt
@ -610,6 +635,10 @@ tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3" >> /etc/openvpn/client-template.txt verb 3" >> /etc/openvpn/client-template.txt
if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "compress $COMPRESSION_ALG" >> /etc/openvpn/client-template.txt
fi
# Generate the custom client.ovpn # Generate the custom client.ovpn
newClient newClient
echo "If you want to add more clients, you simply need to run this script another time!" echo "If you want to add more clients, you simply need to run this script another time!"